diff --git a/.release-please-manifest.json b/.release-please-manifest.json index e60bf2a..0ee8c01 100644 --- a/.release-please-manifest.json +++ b/.release-please-manifest.json @@ -1,3 +1,3 @@ { - ".": "0.2.9" + ".": "0.3.0" } diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 0000000..b87fdb8 --- /dev/null +++ b/CHANGELOG.md 
@@ -0,0 +1,90 @@ +# Changelog + +## [0.3.0](https://github.com/synsoftworks/depgraph-cli/compare/depgraph-cli-v0.2.9...depgraph-cli-v0.3.0) (2026-04-14) + + +### Features + +* add canonical label resolution and resolved review state ([2dd68f3](https://github.com/synsoftworks/depgraph-cli/commit/2dd68f33f210145c3d6d01901d97e3ebb827f309)) +* add canonical label resolution and resolved review state ([6144e26](https://github.com/synsoftworks/depgraph-cli/commit/6144e2610c3ac6761b93baa832a3c62bf29135f1)) +* add explicit review targets for findings and edge findings ([fac97eb](https://github.com/synsoftworks/depgraph-cli/commit/fac97ebee7d5fdf755efa7297a264d1395bc53de)) +* add first-class edge findings and metadata coverage observability ([f48bdbb](https://github.com/synsoftworks/depgraph-cli/commit/f48bdbbf510c8eb15325595ce2e49fac68948728)) +* add first-class edge findings, baseline identity, and metadata coverage stats ([e39d575](https://github.com/synsoftworks/depgraph-cli/commit/e39d575e2ab8e81020d2ef945a596c85faedadbc)) +* add package-lock project scanning ([9778d32](https://github.com/synsoftworks/depgraph-cli/commit/9778d3292807fa5d9c627e6f33d221dab7b7974b)) +* add package-lock project scanning support ([85eb563](https://github.com/synsoftworks/depgraph-cli/commit/85eb563c57e08bf83495b3ac9f7430096208a60d)) +* add scan history, edge-level delta, review events, and eval command ([d98a231](https://github.com/synsoftworks/depgraph-cli/commit/d98a231591f6ba0e989d65b9c7fbacebb6cb156b)) +* add scan history, edge-level delta, review events, and eval command ([951bce3](https://github.com/synsoftworks/depgraph-cli/commit/951bce39821b2f2d2c104e5ecbb630d8ed5d68e4)) +* **benchmark:** add benchmark runner and manifest-driven evaluation pipeline ([9b4fb64](https://github.com/synsoftworks/depgraph-cli/commit/9b4fb643a2dde09d5de0a73b7defdc474c77a3e8)) +* **benchmark:** add internal benchmark runner and execution pipeline 
([a197cae](https://github.com/synsoftworks/depgraph-cli/commit/a197caeff6e9300b1d707f969ef13a36a96a6a8c)) +* **eval:** add ADR-012 data readiness reporting ([884f441](https://github.com/synsoftworks/depgraph-cli/commit/884f441bf186991761eebf0a41942a113a6122f0)) +* **eval:** add explicit export readiness semantics to eval ([bf9c3f6](https://github.com/synsoftworks/depgraph-cli/commit/bf9c3f659bfd1c08e38747403f1eb047098c7218)) +* **eval:** add failure surfacing for persisted scan history ([7584259](https://github.com/synsoftworks/depgraph-cli/commit/75842595fc05c57ff57218e641fb93a36cd58738)) +* **eval:** add failure surfacing for persisted scan history ([009ab81](https://github.com/synsoftworks/depgraph-cli/commit/009ab810697aaf8880477b29841d6898123ea4b7)) +* **eval:** eval data readiness reporting with explicit denominator semantics ([2886b1e](https://github.com/synsoftworks/depgraph-cli/commit/2886b1ea4d2ded5ae00388cbf0839e8c83c148f5)) +* **eval:** harden export readiness reporting with explicit denominator semantics ([fa042e4](https://github.com/synsoftworks/depgraph-cli/commit/fa042e4bc0ca7c31c58f89a1b7afb00c6a3ce3ca)) +* implement depgraph scan MVP (end-to-end dependency risk analysis) ([b076353](https://github.com/synsoftworks/depgraph-cli/commit/b07635396f08ff435e9be4d7a30e06944b0b24b7)) +* implement depgraph scan MVP end to end ([cde220b](https://github.com/synsoftworks/depgraph-cli/commit/cde220b96a1c4af6c998d320908a549cdcaec9ab)) +* improve risk scoring and introduce rich Ink-based scan UI ([b8ef1d0](https://github.com/synsoftworks/depgraph-cli/commit/b8ef1d03a51170003377da2ecf71d6e10bd95f5b)) +* improve supply-chain risk signals and introduce rich Ink scan UI ([9bda0c0](https://github.com/synsoftworks/depgraph-cli/commit/9bda0c03532790107acd52c6d8a3d19ca48898b6)) +* initialize depgraph CLI with clean architecture scaffold ([3530ad6](https://github.com/synsoftworks/depgraph-cli/commit/3530ad68229b839f6a322905ae182fb3ae483a3d)) +* make review targets 
explicit for findings and edge events ([eaead2b](https://github.com/synsoftworks/depgraph-cli/commit/eaead2b54658d8cff83ecd8bdda9b48f8c595633)) +* **metadata:** add explicit missingness contract for metadata fields ([0b128b3](https://github.com/synsoftworks/depgraph-cli/commit/0b128b3e5c7a2b140248f4e8d1dad928353e0d41)) +* **metadata:** add explicit missingness contract for metadata fields ([4717ed5](https://github.com/synsoftworks/depgraph-cli/commit/4717ed5b887c2cf8249734fa9ec09d2dafb9a136)) +* refine new package risk signals for supply-chain detection ([b91a625](https://github.com/synsoftworks/depgraph-cli/commit/b91a625593a53375c10fd6f49ffae89e35f10874)) +* refine new package risk signals for supply-chain detection ([dc2c63b](https://github.com/synsoftworks/depgraph-cli/commit/dc2c63b0da9313bbb3460c6de76207720459661d)) +* **scan:** add ADR-012 field reliability policy to scan results ([155205b](https://github.com/synsoftworks/depgraph-cli/commit/155205bcf17a355969c1a66b7f95f1ec24c36f1b)) +* **scan:** add ADR-012 field reliability policy to scan results ([0d37114](https://github.com/synsoftworks/depgraph-cli/commit/0d37114087694d96d7e87a2be200594a284fef85)) +* **scan:** add pnpm lockfile scan mode and traversal support ([e659108](https://github.com/synsoftworks/depgraph-cli/commit/e659108932a021445602547c6d7f954dabad2e34)) +* **scan:** add pnpm lockfile scanning support ([6419a0e](https://github.com/synsoftworks/depgraph-cli/commit/6419a0e5068f054098476d3875531d1a0da32be7)) +* **scan:** add summary mode for compact scan output ([86ab58c](https://github.com/synsoftworks/depgraph-cli/commit/86ab58cd0b921d97926401c50dbc0a485695df15)) +* **scan:** add summary mode for compact scan output ([806e950](https://github.com/synsoftworks/depgraph-cli/commit/806e9505ede505212693f14771dcc939487e4cfa)) +* **scan:** add warning for weekly downloads lookup fallback ([a1261c2](https://github.com/synsoftworks/depgraph-cli/commit/a1261c2fed1896e29fc90d05e6889842a44081a7)) +* 
**scan:** add warning for weekly downloads lookup fallback ([3e1f136](https://github.com/synsoftworks/depgraph-cli/commit/3e1f1368bc640b51a5d0cb6bd711610409791cc6)) +* **scan:** polish TUI and plain-text scan presentation ([5a303b8](https://github.com/synsoftworks/depgraph-cli/commit/5a303b8f7da27f826563e251f507617b7c87717e)) +* **scan:** polish TUI and plain-text scan presentation ([87184d6](https://github.com/synsoftworks/depgraph-cli/commit/87184d68c7803a700c5fc49fd2c6177acc96485e)) +* **scan:** refine plain-text and TUI presentation layering ([0947fe7](https://github.com/synsoftworks/depgraph-cli/commit/0947fe7090e20485f9b0ef8d3415927b9928a349)) +* **scan:** refine plain-text and TUI presentation layering ([e83e889](https://github.com/synsoftworks/depgraph-cli/commit/e83e88920843498e214de6591d21e899b9b2759f)) +* **scorer:** add security deprecation language signal ([5ec2873](https://github.com/synsoftworks/depgraph-cli/commit/5ec2873b59be7494d0af76d6e7e49f0406eb76e7)) +* **scorer:** add security deprecation language signal ([28ce356](https://github.com/synsoftworks/depgraph-cli/commit/28ce356548db9a220ef5226b4771fed344cc9656)) +* **scorer:** calibrate freshness and churn interaction ([6b16e0a](https://github.com/synsoftworks/depgraph-cli/commit/6b16e0a1f73f4f39d0fb8550c0d7796bb53bca67)) +* **scorer:** calibrate freshness and churn interaction ([50352da](https://github.com/synsoftworks/depgraph-cli/commit/50352daa35b2b3c0936f87a52d78724a4019e4f1)) +* **scorer:** calibrate freshness signal for mature packages ([78364d5](https://github.com/synsoftworks/depgraph-cli/commit/78364d54d3c898c49a11ee3f01e8005836f499cb)) +* **scorer:** calibrate freshness signal for mature packages ([6d769ac](https://github.com/synsoftworks/depgraph-cli/commit/6d769ac1903b40b503b8e0d1e04162c1aa1185c8)) +* surface unresolved registry metadata in package-lock scans ([5739446](https://github.com/synsoftworks/depgraph-cli/commit/57394464945e2350bba99d5fe661a41ec19b2cc3)) +* surface 
unresolved registry metadata in package-lock scans ([278485d](https://github.com/synsoftworks/depgraph-cli/commit/278485da81473da30575b8f468e17c70d5b5da16)) + + +### Bug Fixes + +* add source precedence to canonical label resolution ([a877769](https://github.com/synsoftworks/depgraph-cli/commit/a877769b52277e6b5bfe673258cd55e005ececaf)) +* adjust Node mascot asset sizing ([cc324ce](https://github.com/synsoftworks/depgraph-cli/commit/cc324ceec149c436b997d42a0f6837861a0c2165)) +* clean up duplicate unresolved metadata handling ([7fb40c3](https://github.com/synsoftworks/depgraph-cli/commit/7fb40c386d7093384292a1acf1fcf7fdb15329cb)) +* **eval:** normalize legacy eval history and add readiness blocker breakdown ([fd735b4](https://github.com/synsoftworks/depgraph-cli/commit/fd735b4f0b0e5195498277e298567892c0dea8fe)) +* **eval:** normalize legacy scan history and add blocker breakdown ([8c824d5](https://github.com/synsoftworks/depgraph-cli/commit/8c824d5d039b9aaa81ec86523c48657f4e5a10b6)) +* expose depgraph and depgraph-cli bins ([172c24a](https://github.com/synsoftworks/depgraph-cli/commit/172c24aca6c3e35f8efd8f321d55615b99845039)) +* expose depgraph and depgraph-cli bins ([6bf718f](https://github.com/synsoftworks/depgraph-cli/commit/6bf718fec1f85e3d56bda986588f4837b9457d03)) +* expose depgraph and depgraph-cli bins ([9ffbbad](https://github.com/synsoftworks/depgraph-cli/commit/9ffbbadaf618a7ea40eae0cf83bc88c00b857704)) +* harden canonical label resolution behavior ([6c526df](https://github.com/synsoftworks/depgraph-cli/commit/6c526df8b3346382640f8c0ecae1eaab556c4bb6)) +* make package-lock scans resilient to unresolved dependencies ([5af643e](https://github.com/synsoftworks/depgraph-cli/commit/5af643e7e9b7bdda76c86c2f0898f91bb8f84f8b)) +* make package-lock scans resilient to unresolved dependencies ([2328813](https://github.com/synsoftworks/depgraph-cli/commit/23288135b472a9dc2165840c2c1b60e2603d29dc)) +* **persistence:** align scan-level explanation with primary finding 
([16fdd84](https://github.com/synsoftworks/depgraph-cli/commit/16fdd846cfefab41cb1685e5b5a0def8a0ef47e6)) +* **persistence:** align scan-level explanation with primary finding ([43d2e11](https://github.com/synsoftworks/depgraph-cli/commit/43d2e118fe42bfc40c3e1a7623ac52de4279a000)) +* **persistence:** suppress no-op scan record appends ([c641e32](https://github.com/synsoftworks/depgraph-cli/commit/c641e32e562e78ee078698cb7434a431e78a7722)) +* **persistence:** suppress no-op scan record appends ([86faef9](https://github.com/synsoftworks/depgraph-cli/commit/86faef99baec45a8d10eb810149c65cb27dbfd20)) +* removed architecture.md file ([bd42ec0](https://github.com/synsoftworks/depgraph-cli/commit/bd42ec062865bd8faa08b7d816c46ed4491e8fbe)) +* removed image from readme ([5247015](https://github.com/synsoftworks/depgraph-cli/commit/52470151f0ebae7f72b47a5db5c710870fb3fd21)) +* removed image from readme ([8beb981](https://github.com/synsoftworks/depgraph-cli/commit/8beb981fc4dfe07b8496b880e625401e1411c95d)) +* require publish timestamps in npm metadata source ([38894ad](https://github.com/synsoftworks/depgraph-cli/commit/38894ad9dddcd4926f396e2811e2a5a52fd00ac9)) +* require publish timestamps in npm metadata source ([69e7dfd](https://github.com/synsoftworks/depgraph-cli/commit/69e7dfd793a948f130f09a384ad9cf31ad42e6e2)) +* resolve CLI entrypoint correctly through symlinks ([75c05ef](https://github.com/synsoftworks/depgraph-cli/commit/75c05efa79ab51cb716dfdaa8ca966259c71246d)) +* resolve CLI entrypoint correctly through symlinks ([29cfbce](https://github.com/synsoftworks/depgraph-cli/commit/29cfbce5b3bc2722ccaea265bda286ad56b9bcf7)) +* tighten README mascot and title spacing ([d38473f](https://github.com/synsoftworks/depgraph-cli/commit/d38473ff4defb0998225cc8b3b50702adf6fa796)) +* trimmed JSON ([af4d81e](https://github.com/synsoftworks/depgraph-cli/commit/af4d81e61578e5f1f2a1defe1407029a09c96a43)) +* use import.meta.main for CLI entrypoint detection 
([eb93358](https://github.com/synsoftworks/depgraph-cli/commit/eb9335852d9b7c3986731093f9bc351694ea6ecc)) +* use import.meta.main for CLI entrypoint detection ([3d54fcc](https://github.com/synsoftworks/depgraph-cli/commit/3d54fcc69bc770e87175229387a1ada478915cd9)) + + +### Performance Improvements + +* parallelize package metadata fetching with graceful download fallback ([c8f948c](https://github.com/synsoftworks/depgraph-cli/commit/c8f948cd07036f9485fcec3dc24706d12cca203d)) +* parallelize package metadata fetching with graceful download fallback ([ee748a3](https://github.com/synsoftworks/depgraph-cli/commit/ee748a3a2ec603b30f342477c2e4702be9524b79)) diff --git a/package.json b/package.json index 054122f..5c65c17 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "@synsoftworks/depgraph-cli", - "version": "0.2.9", + "version": "0.3.0", "description": "Graph-first dependency risk analysis for npm packages and dependency trees", "type": "module", "keywords": [
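Review bot: In the CHANGELOG.md hunk, most entries under Features, Bug Fixes and Performance Improvements are listed twice with identical text and different commit hashes (for example "add canonical label resolution and resolved review state" at 2dd68f3 and 6144e26, and "expose depgraph and depgraph-cli bins" three times), which suggests both the branch commits and their merge commits were collected. The section is headed with the compare range depgraph-cli-v0.2.9...depgraph-cli-v0.3.0, yet it includes "initialize depgraph CLI with clean architecture scaffold" and "implement depgraph scan MVP", so it reads as the whole project history rather than the changes since 0.2.9. Before merging, confirm that the release tooling resolves the previous release tag. Collapse the duplicates so that fixes which change scan behaviour, such as "require publish timestamps in npm metadata source" and "make package-lock scans resilient to unresolved dependencies", are easy to find. Entries such as "removed image from readme", "removed architecture.md file" and "trimmed JSON" are filed as bug fixes but describe documentation or housekeeping; retyping those commits would keep them out of the release notes.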
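Review bot: The package.json hunk changes "version" from 0.2.9 to 0.3.0 in step with .release-please-manifest.json, but no lockfile is touched anywhere in this patch. If the repository commits a lockfile that records the root package version, check that it is regenerated in the same release change so the published version and the lockfile agree.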