Add changelog to README

README.md

@@ -468,6 +468,25 @@ The `atom:fix-gamedata-symlinks` command creates symlinks in the Gamedata direct
 
 ---
 
+## Changelog (May 26, 2026)
+
+- **Removed auto-recovery** — caused race conditions by running `view:clear` during live traffic, fixed `filemtime(): stat failed` errors
+- **Fixed debug banner** — now uses `config('app.debug')` with proper `(bool)` cast, no more false positives
+- **Added `(bool)` casts** to all `env()` calls with boolean defaults across 6 config files (habbo, activitylog, database, filesystems, log-viewer, session)
+- **Removed dangerous public scripts** — `check_icons.php` and `test_open_basedir.php` (public Laravel bootstrap + DB queries)
+- **Removed root `index.php`** — duplicate front controller, unsafe if docroot misconfigured
+- **Cleaned Clockwork debug data** — 42 JSON files with SQL queries, tokens, and paths
+- **Hardened `.htaccess`** — block `.env`/`.git`/`composer.json` access + security headers (X-Frame-Options, X-Content-Type-Options, Referrer-Policy)
+- **Fixed `robots.txt`** — blocks crawlers from `/admin`, `/filament`, `/log-viewer`
+- **Disabled Log Viewer by default** — no longer accessible without explicit config
+- **Disabled Boost browser logs watcher** — stopped logging JS errors from every visitor to disk
+- **Fixed `REDIS_PASSWORD`** — was literal string `"null"`, now empty
+- **Fixed Session `same_site`** — now reads from `.env` instead of being hardcoded
+- **Fixed non-existent model import** — `App\Models\Article` didn't exist, now aliased to `WebsiteArticle`
+- **Removed unused traits** — `HasNotificationUrl` and `HasCommonScopes` (dead code)
+- **Restricted CORS headers** — from wildcard `['*']` to specific allowed list
+- **Rebuilt all caches** — config, views, routes, opcache reset, PHP-FPM restart
+
 ## Credits
 
 - **Remco (Epicnabbo)** — Core Maintainer, System Architecture