v0.0.18

REST-attest — Update

• Token-based protection: endpoints now require an access token for restricted routes.
• Configurable mask: a single mask defines which routes are public vs token-protected.
• Unified coverage: the mask applies to both API endpoints and their HTML views.