From f27fdb2832ba5c482f82979b7f5a5de7e3cbdf80 Mon Sep 17 00:00:00 2001
From: Imran Siddique <imran.siddique@opaque.co>
Date: Mon, 15 Jun 2026 15:04:56 -0700
Subject: [PATCH] docs: add v0.2.0 CHANGELOG entry and fix Quick Start package
 name
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

CHANGELOG was frozen at v0.1.0 despite v0.2.0 shipping June 12.
Adds the full v0.2.0 entry (bearer auth, audit store, TRACE Trust Record,
Cedar deny advice, cmcp-verify, fail-closed verifiers, dev-mode, silent mode).
Also fixes Quick Start install command: cmcp-gateway → cmcp-runtime.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 CHANGELOG.md | 19 +++++++++++++++++--
 README.md    |  2 +-
 2 files changed, 18 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 011e411..3b3f543 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,7 +7,21 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
-## [0.1.0] - 2026-06-23
+## [0.2.0] - 2026-06-12
+
+### Added
+
+- Bearer-token auth (`Authorization: Bearer`) wired into the live gateway server
+- Upstream MCP forwarding: AGT pre-call interception, JSON-RPC forward to the attested catalog server, response size guard, injection/credential/PII response scanning
+- Durable SQLite audit store (WAL mode, synchronous) with TEE-anchored hash chains and orphaned-session detection
+- `POST /sessions/{id}/close` issues the signed TRACE Trust Record and rotates the session
+- Cedar `@annotation` metadata returned as structured advice on deny decisions (HITL payloads)
+- `cmcp-verify`: one-command verification of claims and signed audit bundles, tamper-evident
+- Fail-closed hardware verifiers (TPM, SEV-SNP, TDX, Opaque): no attestation evidence means no verification
+- Dev-mode records carry `platform: software-only`, never `tpm2` (requires `agentrust-trace>=0.1.1`)
+- Silent mode contract: operational logs quiet, audit evidence always recorded
+
+## [0.1.0] - 2026-06-09
 
 ### Added
 
@@ -17,5 +31,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - `cmcp-verify` standalone verifier for validating TRACE Claims offline
 - Audit chain with Ed25519 signing for tamper-evident log integrity
 
-[Unreleased]: https://github.com/agentrust-io/cmcp/compare/v0.1.0...HEAD
+[Unreleased]: https://github.com/agentrust-io/cmcp/compare/v0.2.0...HEAD
+[0.2.0]: https://github.com/agentrust-io/cmcp/compare/v0.1.0...v0.2.0
 [0.1.0]: https://github.com/agentrust-io/cmcp/releases/tag/v0.1.0
diff --git a/README.md b/README.md
index db24ad1..b9ef0a4 100644
--- a/README.md
+++ b/README.md
@@ -51,7 +51,7 @@ Unlike tunnel-based connectivity solutions, the cMCP Runtime processes tool-call
 ## Quick Start
 
 ```bash
-pip install cmcp-gateway
+pip install cmcp-runtime
 ```
 
 Create `cmcp-config.yaml`: