From 1e69be430146690e04d7d9fe042472d559ef2400 Mon Sep 17 00:00:00 2001
From: Ivo Oskamp <ivooskamp@oskamp.info>
Date: Thu, 28 May 2026 16:40:45 +0200
Subject: [PATCH] release: v0.2.0

---
 .../clearview/src/clearview_app/version.py    |  4 +--
 docs/changelog-develop.md                     |  7 ++++++
 docs/changelog.md                             | 25 +++++++++++++++++++
 version.txt                                   |  1 -
 4 files changed, 34 insertions(+), 3 deletions(-)
 delete mode 100644 version.txt

diff --git a/containers/clearview/src/clearview_app/version.py b/containers/clearview/src/clearview_app/version.py
index bdc6d71..5e296ba 100644
--- a/containers/clearview/src/clearview_app/version.py
+++ b/containers/clearview/src/clearview_app/version.py
@@ -6,8 +6,8 @@ history, so operators can see exactly which image build is running.
 """
 from __future__ import annotations
 
-VERSION = "v0.1.0"
-BUILD = 3
+VERSION = "v0.2.0"
+BUILD = 0
 
 
 def display_version() -> str:
diff --git a/docs/changelog-develop.md b/docs/changelog-develop.md
index df174ae..7040b88 100644
--- a/docs/changelog-develop.md
+++ b/docs/changelog-develop.md
@@ -2,6 +2,13 @@
 
 This file documents changes on the develop branch of this project.
 
+## 2026-05-28 — Released as v0.2.0
+
+## 2026-05-28 — Release: drop unused `version.txt`
+
+### Changed
+- Removed `version.txt` at repo root. The build script reads the release version from `docs/changelog.md` and the running app reads it from `clearview_app/version.py`; the legacy `version.txt` had no remaining consumer.
+
 ## 2026-05-28 — Settings: move Users + Audit under Settings tabs
 
 ### Changed
diff --git a/docs/changelog.md b/docs/changelog.md
index 00a9938..17f5b01 100644
--- a/docs/changelog.md
+++ b/docs/changelog.md
@@ -4,6 +4,31 @@ This file is the **release-summary** changelog used by `build-and-push.sh` to de
 
 For day-by-day development history see [`changelog-develop.md`](changelog-develop.md).
 
+## v0.2.0 — 2026-05-28
+
+### Added
+- **Authentication** — session-based login (Argon2id, HttpOnly cookie, 8h sliding / 30d remember-me), first-run setup page, admin/user roles, user-management UI under Settings (CRUD + password reset), and an audit log. All API endpoints now require an authenticated session.
+- **Mailbox permission scanning** — new `scan_type=mailbox` enumerates Exchange Online delegated access (Full Access, Send As, Send on Behalf, Calendar/Inbox folder delegations) via PowerShell + `ExchangeOnlineManagement`. Supports manual UPNs, CSV import, and "all mailboxes in tenant".
+- **Entra Group scanning** — new `scan_type=entra_groups` enumerates Microsoft 365 / Azure AD group memberships (Members + Owners, with nested-group expansion). Manual IDs, CSV import, and "all groups in tenant".
+- **SharePoint root-permissions mode** — `scan_type=sharepoint_root` inventories site-root role assignments without traversing libraries/folders/files; recursive expansion of SharePoint groups, AAD/M365 groups, and readable UPNs for directly-assigned users.
+- **Resolve sharing links / groups** — post-scan actions to expand SharingLinks recipients and SharePoint/AAD group memberships into the deviation rows.
+- **Connection preflight per target** with persisted last-probe status and a manual "Test" button.
+- **Excel export** of Targets + Deviations sheets, with type-aware sheet names and columns.
+- **Tenant `primary_domain` field**, expanded mailbox onboarding instructions, and English-only UI.
+- **Sidebar layout** — fixed left sidebar with hash-based routing.
+
+### Changed
+- `main.py` split into per-route modules (`api_tenants`, `api_jobs`, `api_onboarding`) with shared helpers; behaviour-preserving.
+- Scanner split into `scanners/` package (sharepoint, mailbox, entra).
+- Token cache now has TTL + lock + MSAL app reuse; worker job claim is atomic (`SELECT … FOR UPDATE SKIP LOCKED`); all datetimes are timezone-aware UTC (`timestamptz` migration).
+- Schema management moved from startup `create_all` to **Alembic migrations** (baseline + timestamptz + auth tables).
+- Build number visible in the UI; build script reads version from `docs/changelog.md`.
+- Dockerfile now installs PowerShell 7 + `ExchangeOnlineManagement` (~150 MB).
+
+### Fixed
+- SharePoint REST `$filter=HasUniqueRoleAssignments` (unsupported as OData filter) — now client-side.
+- Dead CSS removed; accessibility focus styles strengthened; risk badge colours made distinct.
+
 ## v0.1.0 — 2026-04-13
 
 ### Added
diff --git a/version.txt b/version.txt
deleted file mode 100644
index b82608c..0000000
--- a/version.txt
+++ /dev/null
@@ -1 +0,0 @@
-v0.1.0