diff --git a/changelog/index.mdx b/changelog/index.mdx
index 502f667..a28a9c0 100644
--- a/changelog/index.mdx
+++ b/changelog/index.mdx
@@ -4,6 +4,64 @@ description: "Release notes for Kosli products."
rss: true
---
+
+
+## New features
+
+- **Membership audit log page** — the membership/role-change history now has a dedicated **Audit Log** page under Settings → User Management, with search, filters (event type, role, source), date range, and sortable columns.
+- **Stronger code-review control (SDLC-CTRL-0007)** — now requires every commit in the merged PR to be signed (`verified == true`) and the PR to merge into the protected branch, building on the new `verified`, `signature_state`, and `base_ref` fields in `pull_request` attestations.
+- **`pull_request` attestation fields** — V2 `pull_request` attestations now carry per-commit `verified` / `signature_state` and a PR `base_ref` (populated by CLI v2.27.0+), enabling Rego policies for signed commits and "merged into main".
+- **Service account CRUD API** — new JSON endpoints under `/service-accounts/{org}` to create, list, get, update, and delete service accounts, complementing the existing API-key endpoints.
+
+## Updates
+
+- **Artifact name on control decisions** — the decisions list and decision tray now show a human-readable artifact name alongside the fingerprint.
+- **Decision list columns** — added **control version** and **attestation name** columns to the decisions list.
+- **Auto-run deletability check** — initiating an org-deletion plan now runs the deletability check automatically, with an approval-blocker warning banner on each plan card when checks fail; the manual button is renamed **Re-check deletability**.
+- **Archived date for shared orgs** — the Archived tab on `/organizations/shared` now shows an **Archived on** column.
+- **Controls UI refresh** — the controls list, control detail, control edit/new form, and version list pages have been restyled with new layouts, filtering, and interaction improvements.
+- **Faster environment snapshot listing** — `GET /api/v2/snapshots/{org}/{env_name}` (and `kosli list snapshots`) is significantly faster on large/long-lived environments by eliminating per-snapshot ordinal seeks and discarded counts.
+- **Display name fallback** — audit log, controls, and trail views now fall back to `login_name` when a user has no display name set.
+- **Signup form** — the welcome signup form now shows field labels.
+- **Wording** — "Logout" is now "Sign out" across the app.
+- **`base_ref` field placement** — in serialized `pull_request` attestation JSON, `base_ref` now sits next to `head_ref` (cosmetic; key order is not significant).
+
+## Bug fixes
+
+- **Concurrent create 500s** — fixed 500 errors on concurrent `PUT /api/v2/trails/{org}/{flow}` (begin trail) and `PUT /api/v2/policies/{org}/{name}` requests by retrying on duplicate-key races.
+- **"Added" date reset on role change** — fixed a regression where changing a user's role reset their **Added** date (and the service account **Created** date) to today; both now read the original `created_at`.
+
+
+
+
+
+## New features
+
+- **`kosli get trail --output markdown`** — `get trail` now supports GitHub-Flavored Markdown output, suitable for piping into CI job summaries (e.g. `$GITHUB_STEP_SUMMARY`). The output includes trail metadata, git commit info, attestation statuses with compliance indicators and links to the Kosli app, and an events table with linked commit SHAs, environment snapshots, and attestation references. See the [get trail reference](/client_reference/kosli_get_trail).
+
+[View on GitHub](https://github.com/kosli-dev/cli/releases/tag/v2.28.0)
+
+
+
+
+
+## New features
+
+- **`pull_request` attestations capture commit signatures and PR base branch** — each commit now records `verified` and `signature_state` (GitHub and GitLab), and every PR records `base_ref` (GitHub, GitLab, Bitbucket, Azure DevOps), enabling Rego policies for signed commits and "merged into main". Bitbucket and Azure DevOps don't expose per-commit signature verification, so those fields are omitted for them.
+
+## Updates
+
+- **`pull_request` attestation commits** — record the git **author** identity and authored timestamp (not the committer) across all providers.
+- **API key rotation** — failures now clean up the duplicate key ID and include details in the error response.
+
+
+The new `base_ref` field is rejected by Kosli servers older than the matching server change. **Self-hosted users must upgrade their Kosli server before upgrading this CLI**, otherwise `pull_request` attestations will fail validation. Kosli SaaS (app.kosli.com / app.us.kosli.com) is already updated.
+
+
+[View on GitHub](https://github.com/kosli-dev/cli/releases/tag/v2.27.0)
+
+
+
## New features