v0.2.5

nauth-toolkit team

Added

  • Per-delivery refresh token TTL in hybrid mode: new hybridPolicy.cookieRefreshExpiresIn and hybridPolicy.jsonRefreshExpiresIn config fields let you issue different refresh token lifetimes for cookie-delivered (web) vs JSON-delivered (mobile, workers) clients. Typical pairing: short cookie TTL (e.g. 7d) for browsers, long JSON TTL (e.g. 90d) for mobile. The resolved TTL drives both the refresh JWT's exp claim and the refresh cookie's Max-Age, and applies consistently across login, refresh, and MFA/social challenge completion. Both fields are optional; an unset field falls back to jwt.refreshToken.expiresIn. Fully backward-compatible: existing configs are unchanged.
    tokenDelivery: {
      method: 'hybrid',
      hybridPolicy: {
        cookieRefreshExpiresIn: '7d',
        jsonRefreshExpiresIn: '90d',
      },
    },

The per-request TTL is selected by the route's @TokenDelivery() decorator (NestJS) or nauth.helpers.tokenDelivery() middleware (Express/Fastify), the same mechanism you already use to route /auth/* vs /mobile/auth/*.
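
The fallback and the shared exp/Max-Age derivation described above, sketched as an added example that is not nauth-toolkit's own code. Only the config keys come from the release note; the function names, the 'cookie'/'json' delivery labels and the simplified duration parser are assumptions.

```typescript
// Added illustration, not nauth-toolkit source. Only the config keys come from the release note.
type Delivery = 'cookie' | 'json'; // hypothetical labels for the two delivery paths
interface RefreshTtlConfig {
  jwt: { refreshToken: { expiresIn: string } };
  tokenDelivery: {
    method: string;
    hybridPolicy?: { cookieRefreshExpiresIn?: string; jsonRefreshExpiresIn?: string };
  };
}

const UNIT_SECONDS: Record<string, number> = { s: 1, m: 60, h: 3600, d: 86400 };

// Simplified parser (assumption): accepts "<int><s|m|h|d>" only, and rejects anything
// else instead of silently issuing a refresh token with an unintended lifetime.
function parseDuration(value: string): number {
  const match = /^(\d+)([smhd])$/.exec(value.trim());
  if (!match) throw new Error(`unsupported duration: ${value}`);
  const [, digits = '', unit = ''] = match;
  const seconds = Number(digits) * (UNIT_SECONDS[unit] ?? 0);
  if (seconds <= 0) throw new Error(`duration must be positive: ${value}`);
  return seconds;
}

// Per-delivery override first, then the global jwt.refreshToken.expiresIn.
// Assumption: the overrides are only consulted when method is 'hybrid'.
function resolveRefreshTtl(config: RefreshTtlConfig, delivery: Delivery): number {
  const policy = config.tokenDelivery.method === 'hybrid' ? config.tokenDelivery.hybridPolicy : undefined;
  const override = delivery === 'cookie' ? policy?.cookieRefreshExpiresIn : policy?.jsonRefreshExpiresIn;
  return parseDuration(override ?? config.jwt.refreshToken.expiresIn);
}

// One resolved TTL feeds both values, so the cookie and the JWT expire together.
function refreshLifetime(config: RefreshTtlConfig, delivery: Delivery, nowSeconds: number): { exp: number; maxAge: number | null } {
  const ttl = resolveRefreshTtl(config, delivery);
  return { exp: nowSeconds + ttl, maxAge: delivery === 'cookie' ? ttl : null };
}

// Constructed sample configs: one with both overrides, one relying on the fallback.
const hybridConfig: RefreshTtlConfig = {
  jwt: { refreshToken: { expiresIn: '30d' } },
  tokenDelivery: { method: 'hybrid', hybridPolicy: { cookieRefreshExpiresIn: '7d', jsonRefreshExpiresIn: '90d' } },
};
const legacyConfig: RefreshTtlConfig = {
  jwt: { refreshToken: { expiresIn: '30d' } },
  tokenDelivery: { method: 'hybrid' },
};
```

When auditing a deployment, the value to confirm is that browser sessions receive the shorter lifetime; a route mapped to the wrong delivery mode would hand a 90d token to a cookie client.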