release: cut project v0.9

First public preview tag for the bundled Compose stack. Adds a
top-level CHANGELOG.md (separate from api/ and ui/ component
changelogs) and surfaces the project version on the admin Settings
page in a new About section.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

CHANGELOG.md

@@ -0,0 +1,64 @@
+# Changelog — IRDB
+
+This is the **project-wide** changelog for the IRDB stack as a whole — a
+high-level record of what shipped in each cut of the bundled
+`docker-compose` deployment.
+
+The `api` and `ui` containers are versioned independently and have their
+own changelogs:
+
+- [`api/CHANGELOG.md`](./api/CHANGELOG.md)
+- [`ui/CHANGELOG.md`](./ui/CHANGELOG.md)
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
+and the project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+Project-wide tags use the `v<MAJOR>.<MINOR>.<PATCH>` form so they don't
+collide with the per-component `api-v…` / `ui-v…` tags in this monorepo.
+
+## [Unreleased]
+
+## [0.9] — 2026-05-06
+
+First public preview of the bundled stack. Everything specified in
+[`SPEC.md`](./SPEC.md) milestones M1–M14 is in place; the `0.9` cut is
+the integration milestone where `api` 1.0.0 and `ui` 1.0.0 have been
+shipped together, hardened against the `SEC_REVIEW` findings, and
+verified end-to-end via the demo seed flow.
+
+The remaining gap to a `1.0` project tag is operational rather than
+functional — exercising the stack against real reporters/consumers,
+finalising the upgrade story, and locking down the Compose defaults for
+production deployment.
+
+### Highlights
+- Self-hosted abuse-report ingestion + tailored, decay-weighted blocklist
+  distribution as a Compose stack: `api` (Slim 4 / FrankenPHP JSON
+  backend), `ui` (Slim 4 / FrankenPHP PHP+Twig BFF), and optional
+  `mysql` and `scheduler` sidecars.
+- Four-kind token model (`reporter`, `consumer`, `admin`, `service`)
+  with SHA-256 hashing and a service-token + impersonation-header
+  pattern between the UI BFF and the api.
+- Reputation engine with linear and exponential decay, per-reporter
+  trust weighting, manual blocks and allowlist evaluated at distribution
+  time, and a 365-day hard cutoff.
+- GeoIP enrichment with MaxMind GeoLite2 and IPinfo adapters, refreshed
+  via an internal job.
+- OIDC login (Microsoft Entra ID, authorization code + PKCE) plus a
+  local admin form with Argon2id password validation.
+- Full admin UI: dashboard, IPs, subnets/allowlist, policies, reporters,
+  consumers, tokens, categories, audit log, and the settings page used
+  to display this version.
+- Public-endpoint audit emission with global + per-entity toggles so the
+  high-volume `report.received` / `blocklist.requested` rows can be
+  silenced without a container restart.
+- Hardening pass against the `SEC_REVIEW` queue (F1–F74 at time of
+  writing): security headers, secret scrubbing, request body caps,
+  bounded caches, rate limiting on public endpoints.
+
+### Container versions in this release
+- `api` — 1.0.0 (see [api/CHANGELOG.md](./api/CHANGELOG.md))
+- `ui` — 1.0.0 (see [ui/CHANGELOG.md](./ui/CHANGELOG.md))
+
+[Unreleased]: https://github.com/your-org/irdb/compare/v0.9...HEAD
+[0.9]: https://github.com/your-org/irdb/releases/tag/v0.9

ui/resources/views/pages/settings/index.twig

@@ -10,6 +10,19 @@
         <span class="text-xs text-slate-500 dark:text-slate-400">Admin only · read-only · masked secrets</span>
     </div>
 
+    {% if project_version %}
+        <section class="rounded-2xl border border-slate-200 bg-white p-5 shadow-sm dark:border-slate-800 dark:bg-slate-900">
+            <h2 class="text-sm font-semibold uppercase tracking-wider text-slate-500 dark:text-slate-400">About</h2>
+            <p class="mt-1 text-xs text-slate-500 dark:text-slate-400">Project release of the bundled stack. Per-container versions live in <code>api/CHANGELOG.md</code> and <code>ui/CHANGELOG.md</code>.</p>
+            <dl class="mt-3 grid grid-cols-3 gap-2 text-sm">
+                <dt class="text-slate-500 dark:text-slate-400">IRDB version</dt>
+                <dd class="col-span-2">
+                    <span class="rounded bg-emerald-100 px-2 py-0.5 font-mono text-xs text-emerald-900 dark:bg-emerald-900 dark:text-emerald-100">v{{ project_version }}</span>
+                </dd>
+            </dl>
+        </section>
+    {% endif %}
+
     {% if error %}
         <div class="rounded-md border border-red-300 bg-red-50 px-4 py-2 text-sm text-red-800 dark:border-red-800 dark:bg-red-950 dark:text-red-300">{{ error }}</div>
     {% endif %}

ui/src/Controllers/SettingsController.php

@@ -31,6 +31,8 @@ final class SettingsController
 {
     use CrudControllerSupport;
 
+    public const PROJECT_VERSION = '0.9';
+
     public function __construct(
         private readonly Twig $twigEngine,
         private readonly SessionManager $sessionManager,
@@ -81,6 +83,7 @@ final class SettingsController
             'config' => $config,
             'jobs' => $jobs,
             'app_settings' => $appSettings,
+            'project_version' => self::PROJECT_VERSION,
             'error' => $error,
         ]);
     }