diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5e711039..8c1c36f7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,144 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.8.0-rc1] - 2026-03-11
+
+### Added
+
+#### W3C Identity & Credentials
+- W3C DID Core v1.0 compliant DID Document generation (`did:key` method)
+- DID Document verification and cross-node resolution over Tor
+- JSON-LD Verifiable Credentials (VC Data Model 2.0, Ed25519Signature2020 proofs)
+- Verifiable Presentation creation with selective disclosure
+- Credentials management UI at `/dashboard/web5/credentials`
+
+#### Decentralized Web Node (DWN)
+- DWN message store with CRUD, protocol registration, and query interface
+- DWN HTTP API (`POST /dwn`, `GET /dwn/health`)
+- Bidirectional peer sync over Tor via SOCKS proxy
+- DWN management UI in Web5 page with protocol browser
+
+#### Multi-Node Federation
+- Node federation protocol with invite codes (`fed1:` prefix), trust levels, state sync
+- Federation dashboard at `/dashboard/server/federation`
+- Federated app deployment to trusted peers over Tor
+- Architecture documented in `docs/multi-node-architecture.md`
+
+#### Decentralized Marketplace
+- NIP-78 Nostr-based app manifest discovery across relays
+- Trust scoring (0-100) based on DID verification, relay consensus, federation trust
+- App manifest publishing with Nostr secp256k1 signing
+- Community marketplace tab in App Store with trust score badges
+
+#### Networking
+- VPN integration (Tailscale + WireGuard) with keypair generation and status display
+- Mesh networking via Meshtastic LoRa devices with node discovery
+- DNS-over-HTTPS configuration (Cloudflare, Google, Quad9, Mullvad, Custom)
+- WiFi/Ethernet configuration via `nmcli` with scan-and-connect modal
+- Network interfaces display in Server page
+
+#### Hardware Wallet Support
+- PSBT signing flow (create, QR display, finalize, broadcast)
+- USB hardware wallet detection (ColdCard, Trezor, Ledger)
+- Hardware wallet signing UI in LND views
+
+#### System Management
+- System monitoring (CPU, RAM, disk gauges on Dashboard)
+- Automatic update system with download, apply, rollback, and scheduling
+- Disk space management with auto-cleanup at 90% usage
+- Container health monitoring with auto-recovery (max 3 restart attempts)
+- Crash recovery via PID-file detection and container snapshot restoration
+- Graceful shutdown with in-flight request draining (5s timeout)
+
+#### Backup & Restore
+- Full backup with tar.gz + ChaCha20-Poly1305 encryption
+- Backup create, list, verify, restore, delete via RPC
+- USB drive detection and backup-to-USB
+- Backup UI in Settings page
+
+#### Kiosk Mode
+- Chromium kiosk with auto-restart and watchdog service
+- Recovery page at `/recovery` (no auth required)
+- Kiosk keyboard shortcuts (Ctrl+Shift+R/H/Q)
+- Systemd services for kiosk and watchdog
+
+#### ARM64 Support
+- Cross-compilation for aarch64 with rustls-tls
+- All 6 core apps verified with multi-arch images
+- Parameterized ISO build script (`ARCH=arm64`)
+- RPi 5 testing guide
+
+#### Testing
+- 236 frontend tests across 17 test files (Vitest)
+- 124+ backend tests (cargo test)
+- Playwright visual regression suite (12 pages)
+- Chaos testing (SIGKILL recovery, concurrent RPC, rapid restarts)
+- App lifecycle testing and dependency chain verification
+- 1-week continuous uptime monitoring
+
+#### Documentation
+- Developer guide, API reference (100+ endpoints), app developer SDK guide
+- 5 Architecture Decision Records (Podman, DID:key, Nostr, Tor, ChaCha20)
+- Release process, canary deploy, quality baseline documentation
+
+### Changed
+- Settings sections use `glass-card` instead of `path-option-card`
+- Web3 card shows "Coming Soon" badges instead of fake data
+- Network diagnostics moved from Settings to Server page
+- Removed `core/startos/` (2MB of dead code, zero dependencies)
+
+### Fixed
+- CSRF protection on all state-changing RPC calls
+- CORS restricted to same-origin (removed `Access-Control-Allow-Origin: *`)
+- Nginx security headers (X-Frame-Options, CSP, X-Content-Type-Options)
+- All 24 silent catch blocks now log in dev mode
+- Zero `console.log` outside dev gate, zero `any` types
+
+### Security
+- CSRF token validation on all state-changing endpoints
+- Same-origin CORS policy
+- Nginx security headers (SAMEORIGIN, nosniff, CSP, Referrer-Policy)
+- Container security hardened (readonly root, dropped caps, non-root, no-new-privileges)
+- Secrets rotation with AES-256-GCM and automatic scheduling
+
+## [0.5.0-beta] - 2026-03-11
+
+### Added
+
+#### Security Hardening
+- Session inactivity expiry (24h), max 5 concurrent sessions with oldest eviction
+- Session rotation on password change (invalidates all other sessions)
+- Container security: `--cap-drop=ALL`, `--security-opt=no-new-privileges:true`, read-only root
+- Secrets rotation with AES-256-GCM encryption and metadata tracking
+- Path traversal prevention (nginx regex blocks + client-side sanitizePath)
+- Cookie-based auth for File Browser (removed token from URLs)
+- Login rate limiting (5 failures per 60s per IP)
+- TOTP two-factor authentication with backup codes
+
+#### Performance
+- Backend startup: ~100ms
+- Frontend bundle: ~105 KB gzipped initial load
+- WebSocket heartbeat (30s ping/pong) with exponential backoff reconnection
+- Server-side 5-minute inactivity timeout for stale WebSocket connections
+- Real-time install progress reporting via WebSocket during container pulls
+- Connection state machine (connecting/connected/disconnecting/disconnected)
+
+#### Apps & Integrations
+- Pinned all container images to specific versions (no `:latest` tags)
+- Fedimint and Fedimint Gateway with auto-LND detection
+- IndeedHub virtual app integration
+- Expanded read-only root filesystem support (electrs, nostr-relay, ollama)
+- Dependency chain validation (Bitcoin → Electrs → Mempool, Bitcoin → LND)
+
+#### Documentation
+- Comprehensive user guide (docs/user-guide.md)
+- Beta release checklist (docs/BETA-RELEASE-CHECKLIST.md)
+- 72-hour stability test script
+
+### Fixed
+- Penpot hardcoded secret key replaced with SHA256-derived key
+- WebSocket reconnection reliability after network interruption
+
 ## [0.1.0] - 2026-01-28
 
 ### 🎉 Initial Release