From 7ff61843ca77d7ec1c4713d3f1c2df5fa82b65ec Mon Sep 17 00:00:00 2001 From: sacha Date: Sun, 26 Apr 2026 15:53:27 +0200 Subject: [PATCH 1/3] docs(changelog): correct preview.2 retroactively + cut preview.3 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit PR #23 incorrectly bumped CHANGELOG to [1.0.0-preview.2] - 2026-04-26 with the quality-sweep entries, but tag v1.0.0-preview.2 was already cut on 2026-04-25 from a different commit set (PRs #1-7) and published to nuget.org. This commit: - Rewrites [1.0.0-preview.2] - 2026-04-25 with the actual published content (Adapters.Shared, OSS governance, security fixes #1-3, Dependabot bumps #4-7) — derived from the auto-generated GitHub release notes for v1.0.0-preview.2. - Adds [1.0.0-preview.3] - 2026-04-26 with everything since v1.0.0-preview.2: documentation buildout (#14, #15, #17, #20-22), CodeQL extended query suite, softprops/action-gh-release SHA pin (#16, alert #28). After merge, tag v1.0.0-preview.3 will be cut to publish. --- CHANGELOG.md | 33 ++++++++++++++++++++++++++++++--- 1 file changed, 30 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index bf39b3d..98dd1bb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,7 +7,16 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] -## [1.0.0-preview.2] - 2026-04-26 +## [1.0.0-preview.3] - 2026-04-26 + +### Added + +- Documentation site (DocFX, multi-version, GitHub Pages) (#17). +- 5 Architecture Decision Records (#14). +- Public `ROADMAP.md` (#15). +- Getting-started guide and 3 runnable samples (#20). +- 4 concept pages: event sourcing, hexagonal architecture, Result pattern, multi-tenancy (#21). +- 8 adapter how-to guides (AspNetCore, LemonSqueezy, Listmonk, OpenRouter, PostgreSQL, Redis, Stripe, Zitadel) (#22). ### Changed 
@@ -15,7 +24,24 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Security -- Pinned `softprops/action-gh-release` to commit SHA in `.github/workflows/release.yml` (CodeQL `actions/unpinned-tag`, CWE-829). 3rd-party action refs are now immutable. +- Pinned `softprops/action-gh-release` to commit SHA in `.github/workflows/release.yml` (#16, CodeQL `actions/unpinned-tag`, CWE-829, alert #28). 3rd-party action refs are now immutable. + +## [1.0.0-preview.2] - 2026-04-25 + +### Added + +- `Compendium.Adapters.Shared` — PII masking utilities used across adapters (introduced in #3). + +### Changed + +- Dependabot updates: `actions/upload-artifact` 4→7 (#4), `softprops/action-gh-release` 2→3 (#5), `actions/checkout` 4→6 (#6), `actions/cache` 4→5 (#7). +- OSS governance: CODEOWNERS, PR/issue templates, `SECURITY.md`, Code of Conduct, Dependabot config. + +### Security + +- CI: minimal `permissions:` block on workflows (#1, CodeQL `actions/missing-workflow-permissions`). +- Sanitize user-controlled path in tenant validation logs (#2, CodeQL `cs/log-forging`). +- Remove email from adapter logs for GDPR data minimization (#3, CodeQL `cs/exposure-of-sensitive-information`, 14 alerts closed). ## [1.0.0-preview.1] - 2026-04-24 @@ -61,6 +87,7 @@ First public preview release of Compendium, extracted from the - Git history preserved from the originating Nexus monorepo via `git filter-repo`. - Full MIT license. -[Unreleased]: https://github.com/sassy-solutions/compendium/compare/v1.0.0-preview.2...HEAD +[Unreleased]: https://github.com/sassy-solutions/compendium/compare/v1.0.0-preview.3...HEAD +[1.0.0-preview.3]: https://github.com/sassy-solutions/compendium/releases/tag/v1.0.0-preview.3 [1.0.0-preview.2]: https://github.com/sassy-solutions/compendium/releases/tag/v1.0.0-preview.2 [1.0.0-preview.1]: https://github.com/sassy-solutions/compendium/releases/tag/v1.0.0-preview.1 From 8f3b70764449f4cc2040e8074910e017d46f68bc Mon Sep 17 00:00:00 2001 
From: sacha Date: Sun, 26 Apr 2026 16:38:19 +0200 Subject: [PATCH 2/3] chore(deps): defer .NET 10 major bumps in Dependabot config Microsoft.Extensions.* 10.x and Serilog.Settings.Configuration 10.x pull in transitive System.Text.Json 10.x, which breaks the .NET 9 pin with NU1605 (package downgrade detected). Need to coordinate the major bump with Nexus (downstream consumer) before flipping the framework. Until then, ignore semver-major bumps on: - Microsoft.Extensions.* - Microsoft.AspNetCore.* - Serilog.Settings.Configuration - System.Text.Json Patch and minor bumps stay enabled. Lift this once Nexus is on .NET 10. Closes the open Dependabot major bumps (#8, #9) which would have required corresponding pin work to merge cleanly. --- .github/dependabot.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index a2056a8..e98d1d0 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -11,6 +11,18 @@ updates: open-pull-requests-limit: 5 reviewers: - "Pomdapis" + # Defer .NET 10 major bumps until Nexus (downstream consumer) is also + # ready to move; otherwise transitive System.Text.Json / Configuration.Binder + # downgrades break the build (NU1605). Lift this once Nexus pins .NET 10. + ignore: + - dependency-name: "Microsoft.Extensions.*" + update-types: ["version-update:semver-major"] + - dependency-name: "Microsoft.AspNetCore.*" + update-types: ["version-update:semver-major"] + - dependency-name: "Serilog.Settings.Configuration" + update-types: ["version-update:semver-major"] + - dependency-name: "System.Text.Json" + update-types: ["version-update:semver-major"] groups: microsoft-extensions: patterns: From 44c1d6367d4960b12b7cb745ebc8428c5e1b3c8f Mon Sep 17 00:00:00 2001 From: sacha Date: Sun, 26 Apr 2026 16:46:35 +0200 Subject: [PATCH 3/3] docs(changelog): note .NET 10 major bump deferral under preview.3 (Copilot review feedback) --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) 
diff --git a/CHANGELOG.md b/CHANGELOG.md index 0d47284..d1187e0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -50,6 +50,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Changed - CodeQL Default Setup switched from `default` to `extended` query suite — adds maintainability/quality queries on top of security (csharp + actions). +- Dependabot now skips semver-major bumps on `Microsoft.Extensions.*`, `Microsoft.AspNetCore.*`, `Serilog.Settings.Configuration`, and `System.Text.Json` until the project moves to .NET 10 alongside Nexus (#25). Patch and minor bumps continue to flow. ### Security
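Review bot: in the first CHANGELOG.md hunk of PATCH 1/3 (`@@ -7,7 +7,16 @@`), the `## [1.0.0-preview.3] - 2026-04-26` heading dates a release whose tag does not exist yet (the commit message says v1.0.0-preview.3 is cut after merge). Keep a Changelog convention is to keep such entries under `## [Unreleased]` until the tag is cut, so either cut the tag as part of the same merge step or leave the new Added entries under Unreleased and retitle them on release; otherwise a reader of the merged file sees a dated release that cannot be installed.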
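Review bot: in the second CHANGELOG.md hunk of PATCH 1/3 (`@@ -15,7 +24,24 @@`), the rewritten `## [1.0.0-preview.2] - 2026-04-25` block will disagree with the CHANGELOG.md shipped inside the already-published v1.0.0-preview.2 tag and nuget.org package. Add a one-line note under that heading saying the entry was corrected retroactively on 2026-04-26 so anyone diffing the two copies understands the discrepancy. Also, the moved `### Security` entry for `softprops/action-gh-release` sits above a preview.2 entry bumping the same action 2→3 (#5); stating which release the pinned SHA corresponds to would make clear the pin did not regress that bump.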
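Review bot: in the link-definition hunk of PATCH 1/3 (`@@ -61,6 +87,7 @@`), the new `[1.0.0-preview.3]` reference points at `releases/tag/v1.0.0-preview.3` and the `[Unreleased]` compare link now starts from `v1.0.0-preview.3...HEAD`; both resolve to 404 until the tag is pushed. Fine if the tag follows the merge immediately, but worth calling out in the PR so the tag step is not forgotten.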
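Review bot: in the `.github/dependabot.yml` hunk of PATCH 2/3, the `ignore` block suppresses `version-update:semver-major` for `System.Text.Json` and `Microsoft.AspNetCore.*`, which are packages that regularly carry security advisories. Confirm against the Dependabot documentation whether `ignore` conditions also apply to Dependabot security-update PRs for these dependencies; if they do, a security fix that ships only in a new major would surface as a Dependabot alert with no accompanying PR, so someone should own triaging those alerts until the ignore is lifted. Scoping the ignore to `semver-major` only is the right choice; consider adding a tracking issue reference to the `# Lift this once Nexus pins .NET 10.` comment so the deferral does not outlive the .NET 9 pin.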
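Review bot: in the CHANGELOG.md hunk of PATCH 3/3 (`@@ -50,6 +50,7 @@`), the added entry cites (#25) but the PATCH 2/3 message says the ignore rules also close the open Dependabot major bumps #8 and #9; adding those numbers to the entry would explain to readers why two Dependabot PRs were closed unmerged.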