fix: two bugs found in code review

Bug 1 — soft_ap_ssid buffer overflow (Politician.cpp begin())
  wifi_ap_config_t::ssid is uint8_t[32]. The previous memcpy used raw
  strlen() without any guard, so a caller-supplied SSID longer than 32
  bytes would write past the ssid[] field into the adjacent password[]
  field of the stack-allocated wifi_config_t. Added:
    if (ap_ssid_len > 32) ap_ssid_len = 32;
  before the memcpy.

Bug 2 — TOCTOU race in setTargetBySsid() (Politician.cpp)
  The function released _lock before dereferencing _apCache[best].bssid
  and _apCache[best].channel. On a dual-core ESP32, the worker task on
  Core 0 can evict or overwrite that cache slot between the lock release
  and the setTarget() call, causing the engine to lock onto the wrong AP.
  Fix: copy bssid/channel into local variables before xSemaphoreGive,
  then call setTarget() with the local copies.

Note: ClientFoundCb signature change
  ClientFoundCb changed from (bssid, sta, rssi) to (const ClientRecord &).
  Added migration note at top of README.

Author: 0ldev

README.md

@@ -7,6 +7,22 @@
 
 Politician is an embedded C++ library designed for WiFi security auditing on ESP32 platforms. It provides a clean, modern API for capturing WPA/WPA2/WPA3 handshakes and harvesting enterprise credentials using advanced 802.11 protocol techniques.
 
+## Migration Notes
+
+### ClientFoundCb signature change (develop)
+
+`ClientFoundCb` was changed from `(const uint8_t *bssid, const uint8_t *sta, int8_t rssi)` to `(const ClientRecord &rec)`. Update existing callbacks:
+
+```cpp
+// Before
+engine.setClientFoundCallback([](const uint8_t *bssid, const uint8_t *sta, int8_t rssi) { … });
+
+// After
+engine.setClientFoundCallback([](const ClientRecord &rec) {
+    // rec.bssid, rec.sta, rec.rssi — same data plus rand_mac, vendor, timestamps
+});
+```
+
 ## Key Capabilities
 
 - **PMKID Capture** — Extract PMKIDs via fake association without disconnecting any client

src/Politician.cpp

@@ -146,8 +146,10 @@ Error Politician::begin(const Config &cfg) {
 
         wifi_config_t ap_cfg = {};
         const char *ap_ssid = _cfg.soft_ap_ssid ? _cfg.soft_ap_ssid : "WiFighter";
-        memcpy(ap_cfg.ap.ssid, ap_ssid, strlen(ap_ssid));
-        ap_cfg.ap.ssid_len        = (uint8_t)strlen(ap_ssid);
+        size_t ap_ssid_len = strlen(ap_ssid);
+        if (ap_ssid_len > 32) ap_ssid_len = 32; // wifi_ap_config_t::ssid is uint8_t[32]
+        memcpy(ap_cfg.ap.ssid, ap_ssid, ap_ssid_len);
+        ap_cfg.ap.ssid_len        = (uint8_t)ap_ssid_len;
         ap_cfg.ap.ssid_hidden     = _cfg.soft_ap_ssid ? 0 : 1;
         ap_cfg.ap.max_connection  = 4;
         ap_cfg.ap.authmode        = WIFI_AUTH_OPEN;
@@ -573,22 +575,27 @@ void Politician::setChannelBands(bool ghz24, bool ghz5) {
 Error Politician::setTargetBySsid(const char *ssid) {
     if (!_initialized) return ERR_NOT_ACTIVE;
     uint8_t ssid_len = (uint8_t)strlen(ssid);
-    int best = -1;
-    int8_t best_rssi = INT8_MIN;
+    uint8_t found_bssid[6] = {};
+    uint8_t found_channel   = 0;
+    bool    found           = false;
+    int8_t  best_rssi       = INT8_MIN;
     if (_lock && xSemaphoreTakeRecursive(_lock, pdMS_TO_TICKS(100)) == pdTRUE) {
         for (int i = 0; i < MAX_AP_CACHE; i++) {
             if (!_apCache[i].flags.active) continue;
             if (_apCache[i].ssid_len != ssid_len) continue;
             if (memcmp(_apCache[i].ssid, ssid, ssid_len) != 0) continue;
             if (_apCache[i].rssi > best_rssi) {
                 best_rssi = _apCache[i].rssi;
-                best = i;
+                // Copy out before releasing lock — avoids TOCTOU with worker task
+                memcpy(found_bssid, _apCache[i].bssid, 6);
+                found_channel = _apCache[i].channel;
+                found = true;
             }
         }
         xSemaphoreGiveRecursive(_lock);
     }
-    if (best == -1) return ERR_NOT_FOUND;
-    return setTarget(_apCache[best].bssid, _apCache[best].channel);
+    if (!found) return ERR_NOT_FOUND;
+    return setTarget(found_bssid, found_channel);
 }
 
 void Politician::setAutoTarget(bool enable) {