diff --git a/CHANGELOG.md b/CHANGELOG.md index b7f8b56..8a5997f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,33 @@ All notable changes to Void 2.0 are documented here. Format: [Keep a Changelog](https://keepachangelog.com). +## [2.0.0-alpha.7] — 2026-06-02 + +### Security & hardening + +- **`pending_changes.action` CHECK fix** (migration 009): `upsert` is now a valid + suggestion action (approval dispatches to `refsRepo.upsertByExternal`); resource + dependency mutations (`add_dependency`/`remove_dependency`) are now owner-only. +- **Constant-time owner-token comparison** (`lib/auth/safe_compare.js`) — replaces + `===`, closing a timing side-channel on `OWNER_TOKEN`. +- **O(1) token verification** (migration 010): selector+verifier split replaces the + O(n) bcrypt scan over all tokens. New format `vk_.`; legacy + tokens still verify. Dropped the useless `idx_agent_tokens_hash`. +- **`pool.js` error handler** — an idle pooled-client error no longer crashes the + process. +- **`context` tool** projects a safe column allow-list for resources (no + `monitoring`/`metadata` blobs); now also handles `resource` views. +- **`applyPendingChange`** guards the `upsert` arm (clear `ValidationError`). + +### Added (Yerin — security agent) + +- Read-only `securityRegistry` (`lib/ai/agent/tools/security/`) with five tools: + `audit_log`, `agent_inventory`, `pending_review`, `resource_exposure`, + `token_audit` — no secret material in any output. +- Migration 011 seeds the read-only `yerin` agent. +- The stdio MCP server selects its toolset via `VOID_TOOL_REGISTRY` + (`security` → Yerin's tools; default → Dross's companion tools). + ## [2.0.0-alpha.6] — 2026-06-01 ### Changed (Plan 5b: companion backend → Claude CLI subprocess) diff --git a/package.json b/package.json index 18425b8..80a0020 100644 --- a/package.json +++ b/package.json 
@@ -1,6 +1,6 @@ { "name": "void-server", - "version": "2.0.0-alpha.6", + "version": "2.0.0-alpha.7", "type": "module", "private": true, "scripts": { diff --git a/server.js b/server.js index cb989d9..8c6e015 100644 --- a/server.js +++ b/server.js @@ -8,7 +8,7 @@ import { registerWorkers } from './lib/jobs/index.js'; import { router as ingestRouter } from './lib/api/routes/ingest.js'; import { startCron } from './lib/cron/index.js'; -const VERSION = '2.0.0-alpha.6'; +const VERSION = '2.0.0-alpha.7'; export function createApp() { const app = express();
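Review bot: In the CHANGELOG hunk, the "O(1) token verification" entry documents the new token format as `vk_.`, so the selector and verifier placeholders between `vk_` and `.` have been lost (most likely angle-bracket placeholders eaten by markdown rendering); escape them or spell them out so the format is readable. The same entry says the split "replaces the O(n) bcrypt scan over all tokens" while "legacy tokens still verify", which implies the legacy path still does the linear scan; state that the O(1) guarantee applies only to new-format tokens and say why `idx_agent_tokens_hash` was considered useless rather than just calling it that.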
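Review bot: In the server.js hunk, the hard-coded `const VERSION = '2.0.0-alpha.7';` duplicates the `"version"` field bumped in package.json in the same patch, so the two will drift the next time someone bumps only one of them; consider reading the version from package.json at startup so a single edit covers both.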