docs: Update CHANGELOG and SECURITY for v0.6.0

Author: teycir

docs/CHANGELOG.md

@@ -7,6 +7,38 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.6.0] - 2025-01-15
+
+### Added
+- Memory protection for Key A (XOR obfuscation in browser memory)
+- Browser extension detection and warnings
+- Built-in warrant canary at /canary (auto-updating)
+- Security dashboard with real-time alerts
+- Self-hosting guide for infrastructure independence
+- Multi-party time attestation (external time source verification)
+- Comprehensive hardening documentation
+- Admin interface for canary management
+- GitHub Actions workflow for monthly canary reminders
+- Transparency report template
+
+### Security
+- Key A now obfuscated in memory to prevent casual inspection
+- Extension detection warns users about potential memory access
+- Warrant canary provides legal coercion detection
+- Time attestation verifies Cloudflare time against external sources
+- Self-hosting option eliminates infrastructure trust dependency
+
+### Documentation
+- HARDENING.md - Complete threat mitigation guide
+- SELF-HOSTING.md - Deployment instructions for own infrastructure
+- TRANSPARENCY-REPORT-TEMPLATE.md - Quarterly legal disclosure template
+- HARDENING-SETUP.md - Quick setup guide
+
+### Threat Mitigation
+- Browser extension/malware memory access (detection + obfuscation)
+- Cloudflare infrastructure compromise (canary + time attestation)
+- Legal coercion (warrant canary + transparency)
+
 ## [0.5.1] - 2025-12-22
 
 ### Fixed

docs/SECURITY.md

@@ -189,14 +189,26 @@ Expected response time: 48 hours
 - [x] Key rotation procedures documented
 - [x] File upload limits (25MB Cloudflare Pages limit)
 - [x] Content-Security-Policy headers
+- [x] Memory protection for Key A (v0.6.0)
+- [x] Browser extension detection (v0.6.0)
+- [x] Warrant canary at /canary (v0.6.0)
+- [x] Security dashboard (v0.6.0)
 - [ ] Cloudflare WAF rules (optional)
 - [ ] IP reputation filtering (optional)
 - [ ] Geographic restrictions (optional)
 - [ ] Honeypot seals for enumeration detection (optional)
 
 ## Recent Security Enhancements
 
-**v0.5.1 (2025-12-22):**
+**v0.6.0 (2025-01-15):**
+- Memory protection for Key A (XOR obfuscation)
+- Browser extension detection and warnings
+- Built-in warrant canary at /canary
+- Security dashboard with real-time alerts
+- Multi-party time attestation
+- Self-hosting guide for infrastructure independence
+
+**v0.5.1 (2025-12-22):****
 - CRITICAL FIX: HKDF deterministic salt (all seals now decryptable)
 - Server-only pulse token generation (removed client UUID)
 - Time check ordering (prevents timing attacks)