v0.2.5

Summary

• Several audit-backed MFA, JWT, account, and API-token flows now succeed or fail as one unit instead of risking a data change without the matching audit row.
• Malformed refresh tokens fail earlier with {:error, :invalid_token} instead of going through the normal hash-and-lookup path first.
• Most apps do not need new upgrade steps for this release; it is mainly a safety, correctness, and observability improvement.

What's Changed

• chore: align release-please manifest with Hex 0.2.4 by @szTheory in #31

Full Changelog: v0.2.4...v0.2.5