diff --git a/CHANGELOG.md b/CHANGELOG.md
index e257c94..3345516 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,32 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +## [1.0.0] - 2026-03-22 + +First stable release. The plugin API (routes, sidebar entries, settings schema, and app bar action) is +now frozen — no breaking changes without a new major version. + +### Security +- Patched 8 of 9 npm audit vulnerabilities via `pnpm.overrides` (#92) + +### Added +- **Dual-approval CI check**: PRs now require approval from both CTO and QA before merging (#98, #76) +- **ExemptionManager test suite**: Full coverage of annotation-based exemption flows, exemption creation, and inline feedback (#82) +- **Coverage threshold**: Vitest coverage threshold enforced in CI (#82) +- **RBAC preflight check**: `deploy-e2e-headlamp.sh` now verifies runner RBAC before attempting E2E deploy (#80) + +### Fixed +- **E2E infrastructure overhaul**: Replaced Dockerfile.e2e with ConfigMap volume mount for plugin loading; tests now run in the `privilegedescalation-dev` namespace (#73, #89, #94) +- **E2E token auth**: Workflow uses GitHub App token auth and handles the `/token` redirect correctly (#97) +- **E2E HTTP readiness**: `deploy-e2e-headlamp.sh` waits for HTTP reachability after rollout before running tests (#104) +- **E2E runner label**: Updated to `runners-privilegedescalation` for self-hosted ARC runners (#71) +- **Direct devDependencies**: Added `typescript`, `eslint`, `prettier`, and `@headlamp-k8s/eslint-config` as explicit direct devDependencies to prevent phantom-dep failures in clean installs (#95, #102) + +### Changed +- **pnpm version pinned**: `packageManager` field in `package.json` pins the pnpm version used in CI (#103) +- **GitHub Actions SHA pinning**: Renovate `pinDigests` enabled to SHA-pin all GitHub Actions (#105) +- **ArtifactHub metadata polish**: Improved `install` instructions and `changes` section formatting (#82) + ## [0.6.0] - 2026-03-04 ### Fixed 
@@ -270,7 +296,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - Automated release workflow - Basic CI/CD pipeline -[Unreleased]: https://github.com/privilegedescalation/headlamp-polaris-plugin/compare/v0.6.0...HEAD +[Unreleased]: https://github.com/privilegedescalation/headlamp-polaris-plugin/compare/v1.0.0...HEAD +[1.0.0]: https://github.com/privilegedescalation/headlamp-polaris-plugin/compare/v0.6.0...v1.0.0 [0.6.0]: https://github.com/privilegedescalation/headlamp-polaris-plugin/releases/tag/v0.6.0 [0.3.5]: https://github.com/privilegedescalation/headlamp-polaris-plugin/releases/tag/v0.3.5 [0.3.4]: https://github.com/privilegedescalation/headlamp-polaris-plugin/releases/tag/v0.3.4 diff --git a/artifacthub-pkg.yml b/artifacthub-pkg.yml index 730cabc..2b7b881 100644 --- a/artifacthub-pkg.yml +++ b/artifacthub-pkg.yml @@ -1,4 +1,4 @@ -version: "0.7.2" +version: "1.0.0" name: headlamp-polaris displayName: Polaris createdAt: "2026-02-05T19:00:00Z" 
@@ -50,23 +50,27 @@ install: | For more information, see the [README](https://github.com/privilegedescalation/headlamp-polaris-plugin/blob/main/README.md). changes: + - kind: security + description: Patched 8 npm audit vulnerabilities via pnpm.overrides - kind: added - description: ExemptionManager — apply Polaris annotation exemptions directly from the resource detail page + description: Dual-approval required CI check — PRs must be approved by both CTO and QA before merge - kind: added - description: Inline audit section on workload detail pages with per-check pass/fail breakdown - - kind: added - description: Namespace drill-down view with per-resource score list and filterable check table - - kind: added - description: App bar score badge showing overall cluster Polaris score - - kind: added - description: PolarisSettings page for configuring dashboard refresh interval + description: ExemptionManager test suite — full coverage of annotation-based exemption flows + - kind: fixed + description: E2E infrastructure overhauled — ConfigMap volume mount replaces Dockerfile-based approach, tests run in privilegedescalation-dev namespace + - kind: fixed + description: E2E workflow uses token auth and waits for HTTP reachability before running tests + - kind: fixed + description: Added explicit direct devDependencies (typescript, eslint, prettier, @headlamp-k8s/eslint-config) to prevent phantom dep failures - kind: changed - description: Stable public API — routes, sidebar entries, settings schema, and app bar action are frozen + description: pnpm version pinned via packageManager field; GitHub Actions SHA-pinned via Renovate pinDigests + - kind: changed + description: v1.0.0 stable release — plugin API (routes, sidebar, settings schema, app bar action) is stable and will not change without a major version bump maintainers: - name: privilegedescalation email: "chris@farhood.org" annotations: - headlamp/plugin/archive-url: 
"https://github.com/privilegedescalation/headlamp-polaris-plugin/releases/download/v0.7.2/headlamp-polaris-0.7.2.tar.gz" + headlamp/plugin/archive-url: "https://github.com/privilegedescalation/headlamp-polaris-plugin/releases/download/v1.0.0/headlamp-polaris-1.0.0.tar.gz" headlamp/plugin/version-compat: ">=0.26" headlamp/plugin/archive-checksum: sha256:ce75449a05d3d3dd3c546db36a2257fae3e4601e466108182e64310a1a4f6d71 headlamp/plugin/distro-compat: "in-cluster,web,desktop" diff --git a/package-lock.json b/package-lock.json index 1523bc0..1950821 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,12 +1,12 @@ { "name": "headlamp-polaris", - "version": "0.7.2", + "version": "1.0.0", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "headlamp-polaris", - "version": "0.7.2", + "version": "1.0.0", "license": "Apache-2.0", "devDependencies": { "@kinvolk/headlamp-plugin": "^0.13.0", @@ -23,6 +23,7 @@ "react-dom": "^18.3.1", "react-router-dom": "^5.3.0", "tar": "^7.5.11", + "typescript": "~5.6.2", "undici": "^7.24.3", "vitest": "^3.0.5" }, diff --git a/package.json b/package.json index ddfd8e9..797aba3 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "headlamp-polaris", - "version": "0.7.2", + "version": "1.0.0", "description": "Headlamp plugin for Fairwinds Polaris audit results", "repository": { "type": "git",
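Review bot: In the `artifacthub-pkg.yml` annotations hunk, `headlamp/plugin/archive-url` now points at the v1.0.0 tarball, but `headlamp/plugin/archive-checksum` is an unchanged context line, so the published sha256 still appears to describe the previous 0.7.2 archive. Unless a release job rewrites the digest after the tarball is built (not visible in this diff), installs that verify the checksum will fail, and the metadata gives no integrity guarantee for the artifact actually served. Update the digest in the same change as the URL, computed from the released file: `headlamp/plugin/archive-checksum: sha256:<SHA256_OF_headlamp-polaris-1.0.0.tar.gz>`. Separately, the `security` entry here says 8 vulnerabilities were patched while the changelog says 8 of 9; naming the remaining advisory would let consumers judge their exposure.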