docs: add per-component changelogs and cut 1.0.0 baseline

Both containers are feature-complete against SPEC.md M1–M14, so freeze
this point as the 1.0.0 baseline for each. The api and ui are versioned
independently — the HTTP contract is the boundary between them — and
their tags use distinct prefixes (api-vX.Y.Z, ui-vX.Y.Z) to coexist in
this monorepo.

Composer's `version` field is intentionally omitted; the git tag is the
authoritative version per Composer's own guidance for VCS-tracked
projects.
chiappa, 1 week ago
parent commit: c91b4601fc
2 files changed, 82 additions and 0 deletions:
- api/CHANGELOG.md (+38 −0)
- ui/CHANGELOG.md (+44 −0)

+ 38 - 0
api/CHANGELOG.md

@@ -0,0 +1,38 @@
+# Changelog — `api`
+
+All notable changes to the **api** container are documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
+and the container adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+The `api` and `ui` containers are versioned independently. The HTTP wire
+contract (endpoints, token kinds, RBAC roles, response envelope) is the
+boundary between them — bumping the **major** here implies a breaking
+change to that contract that consumers must adapt to.
+
+Tags use the `api-v<MAJOR>.<MINOR>.<PATCH>` form so they don't collide
+with the UI's tags in this monorepo.
+
+## [1.0.0] — 2026-05-01
+
+First stable release. Implements every milestone of `SPEC.md` from the
+api side (M1–M7, M11–M14) plus shared concerns from M12.
+
+### Added
+- Slim 4 + FrankenPHP JSON backend on `:8081` with healthcheck.
+- Doctrine DBAL data layer supporting **SQLite** (default) and **MySQL 8 / MariaDB 10.6+**, selected via `DB_DRIVER`. WAL + tuned PRAGMAs on SQLite, transactional writes throughout.
+- Phinx migrations and idempotent seeders for every table in `SPEC.md` §4: `reporters`, `consumers`, `api_tokens`, `categories`, `reports`, `ip_scores`, `job_locks`, `job_runs`, `ip_enrichment`, `manual_blocks`, `allowlist`, `policies`, `policy_category_thresholds`, `users`, `oidc_role_mappings`, `audit_log`.
+- Four-kind token model (`reporter`, `consumer`, `admin`, `service`) with SHA-256 hashing, `irdb_<kind>_<32 base32>` formatting, and a `RbacMiddleware` driving role enforcement on every admin endpoint.
+- `X-Acting-User-Id` impersonation header — only honoured in combination with a `service` token; ignored on every other kind.
+- **Public API**: `POST /api/v1/report` (token-bucket rate limiter, 60 req/s/token by default); `GET /api/v1/blocklist` (text + JSON, ETag, 30 s per-consumer cache).
+- **Admin API**: full CRUD for reporters, consumers, tokens, categories, policies; manual blocks and allowlist (Operator+ for writes); IP search + IP detail with timeline; dashboard stats; effective-config and jobs-status endpoints; audit-log search; manual job triggers; demo-data seed and operational `purge`.
+- **Auth API**: `upsert-oidc`, `upsert-local`, `users/{id}` — service-token-only, used by the UI BFF to translate browser identities into stable user records and roles.
+- **Internal jobs**: `recompute-scores`, `cleanup-audit`, `cleanup-expired-manual-blocks`, `enrich-pending`, `refresh-geoip`, `tick`, `status`. Loopback / RFC1918 only via `InternalNetworkMiddleware`; bearer-gated by `INTERNAL_JOB_TOKEN`. Single-shot lock acquisition via `job_locks` with crash-tolerant expiry and `job_runs` history per execution.
+- **Reputation engine**: linear and exponential decay, weighted by per-reporter trust at report time. 365-day hard cutoff. Manual blocks and allowlist evaluated at distribution time, not folded into scores; allowlist always wins.
+- **Enrichment**: MaxMind GeoLite2-Country/ASN and IPinfo adapters, downloaded at build or refreshed via job; missing-DB scenarios degrade cleanly.
+- **Audit log**: every write through admin/auth endpoints emits an entry attributed to the acting user (not the service token), with field-level before/after diffs on updates and human-readable entity labels frozen at write time.
+- **Hardening**: security headers (CSP, HSTS, X-Frame-Options, Referrer-Policy), token entropy verified, secrets scrubbed from logs.
+- **Documentation**: OpenAPI 3.0.3 served at `/api/v1/openapi.yaml` with viewer at `/api/docs`; canonical reference for request/response schemas.
+- CLI `bin/console`: `db:migrate`, `db:rollback`, `db:seed`, `auth:bootstrap-service-token`, `auth:create-token`, `jobs:run`, `jobs:status`, `scores:rebuild`.
+
+[1.0.0]: https://github.com/your-org/irdb/releases/tag/api-v1.0.0
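Review bot: the milestone list in the intro paragraph is inconsistent with itself and with the commit message: "(M1–M7, M11–M14) plus shared concerns from M12" names M12 twice, once inside the range and again as a shared concern, while the commit message says both containers are complete against M1–M14; either drop M12 from the range or make the "plus shared concerns" clause name a milestone not already listed. The release link at the bottom, `https://github.com/your-org/irdb/releases/tag/api-v1.0.0`, still carries the `your-org` placeholder, so the Keep a Changelog link footer is dead until it is replaced with the real remote before the `api-v1.0.0` tag is cut. Two documentation points on the security lines: the `InternalNetworkMiddleware` entry says "Loopback / RFC1918 only" but not which address is checked; if the api sits behind a reverse proxy, state whether the check uses the socket peer address or a forwarded header, because honouring `X-Forwarded-For` there would let any client claim an RFC1918 origin and the `INTERNAL_JOB_TOKEN` gate would be the only remaining control. And "token entropy verified" under Hardening is too vague to be actionable; say what is verified (for example that the 32 base32 characters after `irdb_<kind>_` come from a CSPRNG) or drop the phrase.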

+ 44 - 0
ui/CHANGELOG.md

@@ -0,0 +1,44 @@
+# Changelog — `ui`
+
+All notable changes to the **ui** container are documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
+and the container adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+The `api` and `ui` containers are versioned independently. The UI is
+deliberately replaceable; bumping the **major** here implies a breaking
+change to UI-internal surfaces (route paths under `/app/*`, Twig
+templates, internal class names). The HTTP wire contract it speaks to
+the api is owned by the `api` container's changelog.
+
+Tags use the `ui-v<MAJOR>.<MINOR>.<PATCH>` form so they don't collide
+with the api's tags in this monorepo.
+
+## [1.0.0] — 2026-05-01
+
+First stable release. Implements every milestone of `SPEC.md` from the
+UI side (M8–M10, M12–M14) plus shared concerns from M13.
+
+### Added
+- Slim 4 + FrankenPHP BFF on `:8080`. Twig 3 templates, Tailwind CSS 3 (build-time, no CDN), Alpine.js for interactions, htmx for forms, no client-side framework heavier than that.
+- OIDC redirect/callback flow against Microsoft Entra ID (authorization code + PKCE, ID-token validation, `groups` claim mapping); local admin login form with Argon2id password validation against `LOCAL_ADMIN_PASSWORD_HASH`.
+- PHP-native session manager, file-backed inside the container; CSRF middleware on every state-changing form.
+- `ApiClient` (Guzzle) plus `ImpersonationHeaderMiddleware` adding `Authorization: Bearer <UI_SERVICE_TOKEN>` and `X-Acting-User-Id: <user_id>` to every outgoing api call.
+- **Pages**:
+  - **Dashboard** with Chart.js summaries.
+  - **IPs** search/filter table and per-IP detail page with timeline, scores per category, manual/allowlist status, and enrichment.
+  - **Subnets / Allowlist** CRUD with confirmation modals on every destructive action.
+  - **Policies** editor (category × threshold matrix), live preview of resulting blocklist count, score-distribution chart with threshold-region shading.
+  - **Reporters / Consumers** CRUD with last-activity tables; **Tokens** CRUD with raw-token-shown-once modal and copy-to-clipboard.
+  - **Categories** editor with linear/exponential decay-curve preview.
+  - **Audit log** view, filterable, locale-aware date inputs.
+  - **Settings** page: effective config (secrets masked), per-job status with overdue badges, admin-only manual-trigger buttons.
+- Light/dark mode toggle persisted in `localStorage`, defaults to system preference.
+- Locale-aware date/time rendering: templates emit ISO 8601 UTC inside `<time class="irdb-dt" datetime="…">…</time>` and a small client pass replaces the text after every page load and htmx swap, with `UI_LOCALE` BCP 47 fallback.
+- Mobile-responsive sidebar (drawer below `md`).
+- Friendly degraded states when the api is briefly unreachable; api-side validation errors surfaced as inline messages rather than raw JSON; toasts for success/failure feedback.
+- Login throttling and brute-force lockout on the local admin form.
+- Health endpoint (`GET /healthz`) returns 200 even when the api is briefly unreachable, reporting `{status, api_reachable, last_api_check_at}`.
+- **Hardening**: security headers (CSP, HSTS, X-Frame-Options, Referrer-Policy), session cookie flagged `SameSite=Lax`/`Secure` in production.
+
+[1.0.0]: https://github.com/your-org/irdb/releases/tag/ui-v1.0.0
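Review bot: same two problems as in `api/CHANGELOG.md`: "(M8–M10, M12–M14) plus shared concerns from M13" names M13 both inside the range and as the shared concern, and the release link uses the `your-org` placeholder, so fix both before tagging `ui-v1.0.0`. On the Hardening line, the session cookie is documented as `SameSite=Lax`/`Secure` but nothing is said about `HttpOnly`; for a PHP-native session cookie that carries the OIDC identity in a BFF, that flag matters at least as much as the other two, so state whether it is set, and if it is only set in production, say so as the entry already does for `Secure`. The "PHP-native session manager, file-backed inside the container" entry should also carry the operational caveat that sessions do not survive a container restart and cannot be shared between replicas, since that constrains how the UI can be scaled and is exactly the kind of thing a 1.0.0 changelog reader will look for.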