diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml index 58a0aef..c9e60ea 100644 --- a/.github/workflows/npm-publish.yml +++ b/.github/workflows/npm-publish.yml @@ -18,8 +18,12 @@ jobs: - uses: actions/checkout@v6.0.2 - uses: actions/setup-node@v6.4.0 with: - node-version: "22" # npm OIDC trusted publishing requires Node >= 22.14.0 + node-version: "22" registry-url: "https://registry.npmjs.org" + - name: Upgrade npm for OIDC trusted publishing + # OIDC trusted publishing needs npm >= 11.5.1; Node 22 still bundles + # npm 10.x, which silently falls back to anonymous publish and 404s. + run: npm install -g npm@latest - name: Verify tag matches package.json version run: | set -e diff --git a/CHANGELOG.md b/CHANGELOG.md index 23f2988..c4da6be 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
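Review bot: The added step `run: npm install -g npm@latest` installs whatever the registry currently serves as latest into the job that performs the publish, so the npm CLI that runs with the workflow's OIDC publishing identity is unreviewed and can differ from one release to the next. This is at odds with the pinning rationale that install.sh and install.ps1 state in this same commit. Pin an exact version that meets the minimum named in the comment, for example `run: npm install -g npm@11.5.1`, and bump it deliberately. Since the comment says an older npm falls back silently, adding `npm --version` to the step would record the CLI version in the release log. The job's permissions block and the publish step lie outside the hunk, so the exposure is inferred from the comment about OIDC trusted publishing.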
@@ -5,6 +5,29 @@ All notable changes to `codeforerunner` are documented here. The format is loosely based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/); this project follows [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## [0.4.5] — 2026-05-29 + +### Added + +- **Task Registry** (`src/codeforerunner/tasks.json`) — single source of truth for task identity, scan-exemption policy, the refresh sequence, and installable skill slugs. (#66) +- Node installer (`bin/install.js`) now reads installable skill slugs from the Task Registry instead of a hardcoded list, backed by a Node↔Python parity test and a `node --test` suite wired into CI. (#70) +- Scan-first gate persists across restarts via `.forerunner/` session state and is enforced consistently across the CLI and MCP server. (#56, #68) +- `arch-review` task and skill surface. + +### Fixed + +- **npm publishing** — the publish workflow now upgrades the npm CLI before publishing. Node 22 bundles npm 10.x, which lacks OIDC trusted-publishing support and silently falls back to anonymous publish (registry returns `404`); OIDC trusted publishing requires npm ≥ 11.5.1. (`.github/workflows/npm-publish.yml`) +- Socket badge version stays in sync on release. (#67) +- Installer shim pins corrected, with future-drift detection. +- Docker login credentials in the publish workflow. (#41) +- `package.json` paths and README install instructions. (#40) + +### Changed + +- Retired `SPEC.md`; GitHub Issues now own work tracking. +- `CONTEXT.md` and agent docs: added npm release and GitHub Issues glossary terms. +- CodeRabbit automatic review disabled. + ## [0.4.4] — 2026-05-26 ### Added 
@@ -164,7 +187,9 @@ Initial release-ready surface around the prompt pack. - `init` and `scan` are honest wrappers over the prompt pack; they emit bundled prompt text to stdout for the calling agent to act on. - Model invocation is out of scope; `provider` / `model` config fields are honored only by future wrappers. -[Unreleased]: https://github.com/derek-palmer/codeforerunner/compare/v0.3.2...HEAD +[Unreleased]: https://github.com/derek-palmer/codeforerunner/compare/v0.4.5...HEAD +[0.4.5]: https://github.com/derek-palmer/codeforerunner/compare/v0.4.4...v0.4.5 +[0.4.4]: https://github.com/derek-palmer/codeforerunner/compare/v0.4.3...v0.4.4 [0.3.2]: https://github.com/derek-palmer/codeforerunner/compare/v0.3.1...v0.3.2 [0.3.1]: https://github.com/derek-palmer/codeforerunner/compare/v0.3.0...v0.3.1 [0.3.0]: https://github.com/derek-palmer/codeforerunner/compare/v0.2.0...v0.3.0 diff --git a/README.md b/README.md index 5f2b643..94e9bcc 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ # codeForerunner -[![Socket Badge](https://badge.socket.dev/npm/package/codeforerunner/0.4.4)](https://socket.dev/npm/package/codeforerunner) +[![Socket Badge](https://badge.socket.dev/npm/package/codeforerunner/0.4.5)](https://socket.dev/npm/package/codeforerunner) Model-agnostic repository documentation tooling. Ships a prompt pack for codebase analysis and doc generation, a thin Python CLI, an MCP server, drift-detection rules that keep docs honest — and native slash-command skills for Claude Code, Codex, Gemini CLI, and other agent CLIs. @@ -121,7 +121,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v6.0.2 - - uses: derek-palmer/codeforerunner@v0.4.4 + - uses: derek-palmer/codeforerunner@v0.4.5 with: fail-on-drift: "true" # set "false" to warn-only ``` diff --git a/install.ps1 b/install.ps1 index 0923192..c1eece0 100644 --- a/install.ps1 +++ b/install.ps1 
@@ -13,9 +13,9 @@ param([Parameter(ValueFromRemainingArguments=$true)][string[]]$Args) $ErrorActionPreference = "Stop" # Security: pinned to a specific version so one-liners don't execute unreviewed code. -$NpmPkg = "codeforerunner@0.4.4" +$NpmPkg = "codeforerunner@0.4.5" $Repo = "derek-palmer/codeforerunner" -$RepoTag = "v0.4.4" +$RepoTag = "v0.4.5" $ScriptDir = Split-Path -Parent $MyInvocation.MyCommand.Path $LocalJs = Join-Path $ScriptDir "bin\install.js" diff --git a/install.sh b/install.sh index d38d03a..1fe46c4 100755 --- a/install.sh +++ b/install.sh @@ -16,9 +16,9 @@ set -euo pipefail # Security: pinned to a specific version so curl|bash one-liners don't silently # execute whatever the npm registry or GitHub currently serves as "latest". -NPM_PKG="codeforerunner@0.4.4" +NPM_PKG="codeforerunner@0.4.5" REPO="derek-palmer/codeforerunner" -REPO_TAG="v0.4.4" +REPO_TAG="v0.4.5" # Locate bin/install.js relative to this script (works even when piped through bash) SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]:-install.sh}")" 2>/dev/null && pwd || echo "")" diff --git a/package.json b/package.json index a941bc1..f8ba7a5 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "codeforerunner", - "version": "0.4.4", + "version": "0.4.5", "description": "Model-agnostic repository documentation tooling — installs /forerunner-* slash commands into 30+ agent CLIs", "main": "./bin/install.js", "bin": { diff --git a/plugins/codex/marketplace.json b/plugins/codex/marketplace.json index ca9c06a..2c26b2a 100644 --- a/plugins/codex/marketplace.json +++ b/plugins/codex/marketplace.json 
@@ -4,14 +4,14 @@ "id": "codeforerunner", "name": "codeforerunner", "description": "Model-agnostic repo documentation prompts as an installable Codex plugin.", - "version": "0.4.4", + "version": "0.4.5", "homepage": "https://github.com/derek-palmer/codeforerunner" }, "plugins": [ { "id": "codeforerunner", "name": "codeforerunner", - "version": "0.4.4", + "version": "0.4.5", "description": "Prompt-first repository documentation skill.", "source": { "kind": "git", diff --git a/pyproject.toml b/pyproject.toml index 9c70e17..9dd9b8a 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta" [project] name = "codeforerunner" -version = "0.4.4" +version = "0.4.5" description = "Model-agnostic repository documentation tooling (prompt-first; thin CLI)." readme = "README.md" requires-python = ">=3.11"