1.3.0-beta5 Second cache-correctness fix from the 1.3.0-beta4 retest on portal-master. The amended canary protocol (admin + editor + anon) confirmed beta4's BigPipe suppression resolved scenario (a) but surfaced a second leakage pattern: with private-cache mode on the homepage cache keyed identically for anonymous and authenticated requests, so whichever variant populated the cache first was served to everyone. Root cause was on the cache-key side: the module emitted X-LiteSpeed-Cache-Control: private but did not tell LSWS to vary the cache entry on the session cookie. The reporter shipped a patch and a 27-request canary confirming the fix. beta5 lands the patch plus the obvious follow-ups. - Response subscriber auto-appends the session cookie name to the X-LiteSpeed-Vary header whenever private_cache.enabled = TRUE. Cookie name discovered via SessionConfiguration so the fix needs no new config keys. - Three new unit tests in LscacheResponseSubscriberTest cover the auto-append, the no-append path in public-only mode, and the deduplication path. - New status report row parses CacheVary cookie= directives out of .htaccess and warns when they don't match the emitted cookies, with a copy-pasteable suggested directive. - New docs section in docs/htaccess-gotchas.md on authenticated cache differentiation, with a drush ev one-liner to discover the session cookie name and an example IfModule LiteSpeed block. Pure cache-correctness fix; no API contract changes. CI: pipeline 821549 green (phpunit, phpcs, cspell, phpstan, eslint, composer-lint, composer all passing).