diff --git a/CHANGELOG.md b/CHANGELOG.md index cd0666b..aedf3f6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,12 +1,19 @@ # Changelog -## Unreleased - -- Grade history: cardId/userId stored in grade logs, GET /api/grades/mine, DELETE /api/grades/:id -- POST /api/grade returns gradeId for share links + grade management -- Front-only uploads now get v3 results (no longer falls back to v2) +## 1.4.0 (2026-05-20) + +- SBOM attestation: Syft SPDX generated from built container image, cosign-attested to digest +- RASP middleware: runtime detection for SQLi, XSS, command injection, path traversal, NoSQL injection, prototype pollution +- Per-IP anomaly scoring with exponential decay, bot fingerprinting, Firestore event logging +- ML dataset collection from all sold sources (eBay, magi, search), grade parsed from title +- Global JSON 404/error handlers (sanitized responses, no HTML leaks) +- CPU throttling enabled, API dropped to 1 vCPU +- OWASP ZAP DAST scan in deploy pipeline +- Grade history: GET /api/grades/mine, DELETE /api/grades/:id, share links via gradeId +- Front-only uploads get v3 8-subgrade results - Card detection resilient to failures (continues without cropping) -- Firestore composite indexes managed in Terraform (5 indexes, import blocks for existing) +- Firestore composite indexes managed in Terraform (5 indexes) +- 486 tests (312 unit, 103 API, 71 smoke) ## 1.3.0 (2026-05-15) diff --git a/README.md b/README.md index d4e6100..a8d6c3f 100644 --- a/README.md +++ b/README.md 
@@ -1,12 +1,13 @@ # Casecomp logo Casecomp -[![Version](https://img.shields.io/badge/version-1.3.0-d9b676)](CHANGELOG.md) +[![Version](https://img.shields.io/badge/version-1.4.0-d9b676)](CHANGELOG.md) [![CI](https://github.com/Pyronewbic/casecomp/actions/workflows/ci.yml/badge.svg)](https://github.com/Pyronewbic/casecomp/actions/workflows/ci.yml) [![Deploy](https://github.com/Pyronewbic/casecomp/actions/workflows/deploy.yml/badge.svg)](https://github.com/Pyronewbic/casecomp/actions/workflows/deploy.yml) [![License](https://img.shields.io/badge/license-MIT-blue)](LICENSE) [![API](https://img.shields.io/badge/API-docs-d9b676)](https://api.casecomp.xyz/docs) [![SLSA 3](https://img.shields.io/badge/SLSA-Level%203-green)](https://slsa.dev) [![Sigstore](https://img.shields.io/badge/signed-sigstore-blue)](https://www.sigstore.dev/) +[![SBOM](https://img.shields.io/badge/SBOM-SPDX-blue)](https://spdx.dev) **[casecomp.xyz](https://casecomp.xyz)** | **[API Docs](https://api.casecomp.xyz/docs)** | **[Admin](https://api.casecomp.xyz/admin)** | **[Changelog](CHANGELOG.md)** diff --git a/package.json b/package.json index cd5ad87..52a597d 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "casecomp", - "version": "1.2.0", + "version": "1.4.0", "description": "Pokemon TCG card research — live listings from eBay, magi.camp, Yahoo Auctions & SNKRDUNK with AI pre-grading and PSA signals", "type": "module", "engines": {
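Review bot: In the CHANGELOG.md hunk, the "RASP middleware" entry lists six detection classes but does not say whether a match blocks the request or is only logged, and the "Per-IP anomaly scoring" entry does not say which per-IP data is written to Firestore or how long it is retained. Operators upgrading to 1.4.0 need both facts, so add a clause to each line. The rewrite also drops two facts the old Unreleased entries recorded: that cardId/userId are stored in grade logs, and that the Terraform indexes use import blocks for existing resources. Keep them or confirm they are documented elsewhere. Replacing `## Unreleased` with `## 1.4.0 (2026-05-20)` leaves no Unreleased section for the next change, so consider re-adding an empty one above it. The test total is consistent (312 + 103 + 71 = 486).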
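Review bot: In the README.md hunk, the added SBOM badge is a static shields.io image that links to https://spdx.dev, so it states that an SBOM exists without pointing at anything a reader can verify. The changelog in this patch says the SPDX document is cosign-attested to the image digest. Link the badge to a short README section that names where the attestation is published and how to check it against the digest (for example with `cosign verify-attestation`). The neighbouring SLSA and Sigstore badges in the context lines follow the same static pattern and would benefit from the same section.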
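Review bot: In the package.json hunk, `version` goes from 1.2.0 straight to 1.4.0, while the README badge in this same patch moves from 1.3.0 to 1.4.0 and the changelog context already lists `## 1.3.0 (2026-05-15)`, so package.json was never bumped for 1.3.0. The version is maintained by hand in three places and has already drifted once. Suggest a CI check that the package.json version, the README badge and the top changelog heading agree, or generating the badge from package.json. If the repository has a package-lock.json, its version field is not updated in this diff and should be bumped in the same commit.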