chore: finalize changelog for v1.1.0

CHANGELOG.md

@@ -8,26 +8,11 @@ The format follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), and
 
 ### Added
 
-- [semver:minor] Added an `assessment` scan profile that sharpens govern-first action-path output for customer readouts while keeping raw findings and proof artifacts unchanged.
-- [semver:minor] Added an AI-first assessment summary to report output so customer readouts lead with governable paths, top control targets, and offline proof location.
-- [semver:minor] Added identity exposure summaries and first-review or first-revoke recommendations for non-human execution identities backing risky govern-first paths.
-- [semver:minor] Action paths now classify the business state they can change and flag shared or standing-privilege identity reuse on repeated risky paths.
-- [semver:minor] Added grouped `exposure_groups` summaries so repeated risky paths can be reviewed as stable report clusters without hiding raw path detail.
+- (none yet)
 
 ### Changed
 
-- Release prep now uses `scripts/finalize_release_changelog.py` to promote `## [Unreleased]` entries into a dated versioned section and reset `Unreleased` for the next cycle.
-- Tag workflows now use `scripts/validate_release_changelog.py` to fail closed when the prepared versioned changelog section does not match the release tag.
-- `scripts/resolve_release_version.py` now validates explicit release versions against the changelog-derived semver bump instead of accepting mismatched manual versions.
-- Planning skills now require every story to declare changelog impact, target changelog section, and draft `Unreleased` entry so release semver can be derived deterministically from implemented work.
-- Implementation skills now apply those planned changelog fields to `CHANGELOG.md` `## [Unreleased]` instead of re-deciding release-note scope during implementation.
-- Org scans now stream deterministic progress events to stderr during execution while preserving stdout JSON contracts.
-- Scan and report summaries now prioritize govern-first AI action paths ahead of generic supporting findings when risky paths are present.
-- Govern-first `recommended_action` output now differentiates inventory, approval, proof, and control based on path context instead of collapsing most paths to approval.
-- Clarified the public `action_paths[*].path_id` contract and aligned docs and contract tests with the shipped deterministic identifier format.
-- Clarified scan and report wording so Wrkr's customer-facing output stays explicitly scoped to static posture, risky paths, and offline-verifiable proof.
-- Govern-first summaries now highlight ownership quality and ownerless exposure so unresolved or conflicting ownership is explicit in top action paths.
-- Updated scan, evidence, campaign, and extension-detector docs plus regression coverage to match the hardened contract and boundary behavior.
+- (none yet)
 
 ### Deprecated
 
@@ -39,12 +24,11 @@ The format follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), and
 
 ### Fixed
 
-- Deduplicated govern-first `action_paths` so each deterministic action path emits one unique `path_id` row per scan.
-- Priority detectors now surface permission and stat failures consistently in scan output so incomplete visibility is explicit.
-- Made scan artifact publication transactional so failed late writes no longer leave mixed state, proof, and manifest generations on disk.
-- `wrkr campaign aggregate` now rejects non-scan JSON and incomplete artifacts with stable `invalid_input` errors instead of summarizing them as posture evidence.
-- Repo-local extension detectors now stay on additive finding surfaces by default and no longer create implicit tool identities, action paths, or regress state.
+- (none yet)
+
+### Security
 
+- (none yet)
 
 ## Changelog maintenance process
 
@@ -54,6 +38,40 @@ The format follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), and
 4. Keep entries concise and operator-facing: what changed, why it matters, and any migration/action notes.
 5. Link release notes and tag artifacts to the finalized changelog section.
 
+## [v1.1.0] - 2026-03-31
+<!-- release-semver: minor -->
+
+### Added
+
+- Added an `assessment` scan profile that sharpens govern-first action-path output for customer readouts while keeping raw findings and proof artifacts unchanged.
+- Added an AI-first assessment summary to report output so customer readouts lead with governable paths, top control targets, and offline proof location.
+- Added identity exposure summaries and first-review or first-revoke recommendations for non-human execution identities backing risky govern-first paths.
+- Action paths now classify the business state they can change and flag shared or standing-privilege identity reuse on repeated risky paths.
+- Added grouped `exposure_groups` summaries so repeated risky paths can be reviewed as stable report clusters without hiding raw path detail.
+
+### Changed
+
+- Release prep now uses `scripts/finalize_release_changelog.py` to promote `## [Unreleased]` entries into a dated versioned section and reset `Unreleased` for the next cycle.
+- Tag workflows now use `scripts/validate_release_changelog.py` to fail closed when the prepared versioned changelog section does not match the release tag.
+- `scripts/resolve_release_version.py` now validates explicit release versions against the changelog-derived semver bump instead of accepting mismatched manual versions.
+- Planning skills now require every story to declare changelog impact, target changelog section, and draft `Unreleased` entry so release semver can be derived deterministically from implemented work.
+- Implementation skills now apply those planned changelog fields to `CHANGELOG.md` `## [Unreleased]` instead of re-deciding release-note scope during implementation.
+- Org scans now stream deterministic progress events to stderr during execution while preserving stdout JSON contracts.
+- Scan and report summaries now prioritize govern-first AI action paths ahead of generic supporting findings when risky paths are present.
+- Govern-first `recommended_action` output now differentiates inventory, approval, proof, and control based on path context instead of collapsing most paths to approval.
+- Clarified the public `action_paths[*].path_id` contract and aligned docs and contract tests with the shipped deterministic identifier format.
+- Clarified scan and report wording so Wrkr's customer-facing output stays explicitly scoped to static posture, risky paths, and offline-verifiable proof.
+- Govern-first summaries now highlight ownership quality and ownerless exposure so unresolved or conflicting ownership is explicit in top action paths.
+- Updated scan, evidence, campaign, and extension-detector docs plus regression coverage to match the hardened contract and boundary behavior.
+
+### Fixed
+
+- Deduplicated govern-first `action_paths` so each deterministic action path emits one unique `path_id` row per scan.
+- Priority detectors now surface permission and stat failures consistently in scan output so incomplete visibility is explicit.
+- Made scan artifact publication transactional so failed late writes no longer leave mixed state, proof, and manifest generations on disk.
+- `wrkr campaign aggregate` now rejects non-scan JSON and incomplete artifacts with stable `invalid_input` errors instead of summarizing them as posture evidence.
+- Repo-local extension detectors now stay on additive finding surfaces by default and no longer create implicit tool identities, action paths, or regress state.
+
 ## [v1.0.11] - 2026-03-26
 <!-- release-semver: patch -->