diff --git a/CHANGELOG.md b/CHANGELOG.md
index 501e667..87e3144 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,16 +6,73 @@ All notable changes to Mission Control are documented in this file.
 
 ## [Unreleased]
 
-### Fixed
-- SQLite `SQLITE_BUSY` contention — added `busy_timeout` pragma and guarded build-phase eager DB initialisation (#337)
-- Skill registry path traversal and SSRF — extended `SECURITY_RULES` with directory traversal patterns and private-IP/metadata URL detection (#338, #336)
-
-### Tests
-- Vitest coverage threshold enforcement — added coverage for pure utility modules to satisfy the 60% global threshold; threshold now passes in CI (#339)
-
 ---
 
-## [2.0.1] - 2026-03-13
+## [2.0.1] - 2026-03-18
+
+Mission Control 2.0.1 is the first patch release after the v2 launch. It rolls up the full set of fixes and follow-on features that landed after `v2.0.0`, including HTTP/Tailscale login hardening, zero-config onboarding, internationalization, gateway/runtime stability fixes, deeper task-routing automation, and the latest OpenClaw compatibility updates.
+
+### Added
+- First-time setup wizard and zero-config startup flow for fresh installs
+- Full i18n coverage across the application with 10 language packs and panel-level translations
+- Trusted reverse proxy and header-auth support for more flexible self-hosted deployments
+- Gateway health history logging and timeline visibility
+- Port-based Tailscale Serve proxy detection and stronger public websocket URL handling
+- Task implementation-target persistence, session targeting, and complexity-based model-tier routing
+- GNAP sync for git-native task persistence
+- Hybrid dashboard mode for simultaneous gateway and local session visibility
+- Workspace skill root discovery, filtering, and per-agent skill-root display
+- Windows PowerShell installer support
+- `awaiting_owner` task status detection
+
+### Changed
+- Node runtime policy now accepts all versions `>=22` instead of a narrow allowlist
+- CSP and browser-security helpers were factored into dedicated modules for clearer hardening boundaries
+- Docker/image release automation now supports the official Docker Hub image when repository secrets are configured
+- Release metadata and docs now point to the Builderz Labs repository as the canonical source
+
+### Fixed
+- HTTP and Tailscale login regressions caused by unconditional HTTPS redirects and CSP nonce propagation gaps
+- Fresh HTTP Docker installs failing login because secure-cookie behavior did not follow the actual request protocol
+- Gateway auth and credential detection for mixed token/password setups
+- Task dispatch using display names instead of gateway agent IDs
+- Docker and gateway-optional regressions across Compose startup, health probes, public assets, `OPENCLAW_HOME`, and read-only config handling
+- SQLite `SQLITE_BUSY` contention by adding `busy_timeout` and guarding build-phase eager initialization
+- Doctor banner dismissal persistence, cron panel crash handling, and null-safe model config editing
+- Gateway connectivity and onboarding probe issues, including POST-based wizard health checks and explicit public websocket URL preference
+- Notification refresh timing, agent empty-state UX, duplicate task-title/delete handling, and several panel/runtime regressions
+- Memory diagnostics scoping, gateway notification delivery, session labels, and multiple i18n namespace gaps
+- Password generation now uses a CSPRNG in the Windows installer
+- Reagraph CSP rendering regression caused by nonce handling in `style-src`
+- `/api/spawn` now supports OpenClaw agents that rely on configured default models instead of requiring a runtime `model`
+- Gateway dashboard registration now has explicit regression coverage preserving device-auth posture
+
+### Security
+- Removed `unsafe-inline` in favor of nonce-based CSP handling
+- Strengthened skill-registry SSRF and path-traversal detection rules
+- Stopped forcing `dangerouslyDisableDeviceAuth` during Mission Control gateway registration
+
+### Tests
+- Coverage for pure utility modules to keep the Vitest threshold passing in CI
+- Gateway health history E2E and supporting utility tests
+- Docker-mode integration coverage for gateway connectivity regressions
+- Regression coverage for spawn-schema compatibility and gateway dashboard registration behavior
+
+### Contributors
+- @0xNyk
+- @Brixyy
+- @clintbaxley
+- @dk-blackfuel
+- @firefloc-nox
+- @HonzysClawdbot
+- @hectorse.88
+- @jonathan-squaredlemons
+- @jonboirama
+- @joshua-mo-143
+- @jrrcdev
+- @lucascr
+- @RazorFin
+- @topshelfmedia
 
 ### Fixed
 - HTTP and Tailscale login broken by unconditional HTTPS redirect — replaced with opt-in `NEXT_PUBLIC_FORCE_HTTPS=1` (#309)
diff --git a/README.md b/README.md
index b0445fd..c4c12c1 100644
--- a/README.md
+++ b/README.md
@@ -690,7 +690,7 @@ Trend alerts in the `trends.alerts` response are derived from current-vs-previou
 
 ## Roadmap
 
-See [open issues](https://github.com/builderz-labs/mission-control/issues) for planned work and the [v2.0.0 release notes](docs/releases/2.0.0.md) for the latest major release summary.
+See [open issues](https://github.com/builderz-labs/mission-control/issues) for planned work and the [v2.0.1 release notes](docs/releases/2.0.1.md) for the latest release summary.
 
 **Completed:**
 
diff --git a/docs/releases/2.0.1.md b/docs/releases/2.0.1.md
new file mode 100644
index 0000000..582b960
--- /dev/null
+++ b/docs/releases/2.0.1.md
@@ -0,0 +1,94 @@
+# Mission Control 2.0.1
+
+Released: 2026-03-18
+
+Mission Control 2.0.1 is the patch release that consolidates everything shipped after the `v2.0.0` launch. It includes the operational fixes that stabilized HTTP/Tailscale deployments, a zero-config first-run path, full application internationalization, broader task-routing automation, and the latest OpenClaw compatibility updates needed for current self-hosted installs.
+
+## Highlights
+
+### HTTP, Tailscale, and gateway stability
+- Login now works reliably on HTTP Docker installs and Tailscale-served deployments.
+- CSP handling was tightened so SSR nonces, theme bootstrapping, and inline script policy stay aligned during login and chunk loading.
+- Public websocket URL selection and Tailscale Serve detection were hardened for proxied gateway setups.
+- Gateway startup and runtime checks now better tolerate read-only configs, missing `OPENCLAW_HOME`, and container health-probe requirements.
+
+### Better first-run setup
+- A first-time setup wizard now guides fresh installs through bootstrap and initial configuration.
+- Zero-config startup paths reduce the amount of manual environment setup needed for local and Docker-based installs.
+- Doctor and onboarding follow-ups are more resilient, including banner persistence and safer health-check behavior.
+
+### Stronger task and automation flow
+- Task routing now preserves implementation metadata, targets the correct gateway session/agent identifiers, and can classify complexity for model-tier routing.
+- GNAP sync landed for git-native task persistence.
+- `awaiting_owner` state detection and other dispatch/runtime fixes improve workflow accuracy after the v2 cut.
+
+### Broader self-hosted platform support
+- Full app localization now ships across 10 languages.
+- Windows setup improved with a PowerShell installer and stronger password-generation behavior.
+- Workspace skill-root discovery and filtering are now surfaced throughout the app for operators running mixed local/gateway environments.
+- The Docker/image pipeline now supports publishing the official image to Docker Hub when release secrets are configured.
+
+## Full Changelog
+
+### Added
+- First-time setup wizard and zero-config startup flow
+- Full i18n across the app with 10 language packs
+- Trusted reverse proxy/header-auth support
+- Gateway health history timeline
+- Port-based Tailscale Serve proxy detection
+- Task implementation-target persistence, session targeting, and complexity-based model-tier routing
+- GNAP sync for git-native task persistence
+- Hybrid gateway/local dashboard mode
+- Workspace skill-root discovery and per-agent display
+- Windows PowerShell installer
+- `awaiting_owner` task status detection
+
+### Changed
+- Node runtime support is now `>=22`
+- CSP/browser-security helpers were split into dedicated modules
+- Release automation now supports Docker Hub publishing when configured
+- Repository/release metadata now consistently points at `builderz-labs/mission-control`
+
+### Fixed
+- HTTP/Tailscale login and CSP nonce regressions
+- Fresh HTTP Docker login failures caused by secure-cookie mismatch
+- Gateway auth/token detection in mixed runtime setups
+- Task dispatch using display names instead of gateway IDs
+- Docker/runtime regressions around Compose, assets, probes, `OPENCLAW_HOME`, and read-only configs
+- SQLite `SQLITE_BUSY` contention during build/runtime crossover
+- Doctor banner persistence, cron panel crash handling, and null-safe model config editing
+- Public websocket URL preference and onboarding gateway health probe handling
+- Notification refresh timing, agent empty-state UX, delete handling, and duplicate task-title behavior
+- Memory diagnostics scoping, gateway notification delivery, session labels, and missing i18n namespaces
+- Windows installer password generation via CSPRNG
+- Reagraph CSP regression from `style-src` nonce handling
+- OpenClaw spawn compatibility when agents use configured default models
+- Regression coverage for gateway dashboard registration preserving device-auth posture
+
+### Security
+- Removed `unsafe-inline` in favor of nonce-based CSP
+- Added stronger SSRF/path-traversal detection in the skill registry
+- Stopped forcing `dangerouslyDisableDeviceAuth` when registering Mission Control as a dashboard
+
+### Tests
+- Utility coverage improvements to satisfy the Vitest coverage threshold
+- Gateway health history E2E coverage
+- Docker-mode integration coverage for gateway connectivity regressions
+- Regression tests for spawn compatibility and gateway registration behavior
+
+## Contributors
+
+- @0xNyk
+- @Brixyy
+- @clintbaxley
+- @dk-blackfuel
+- @firefloc-nox
+- @HonzysClawdbot
+- @hectorse.88
+- @jonathan-squaredlemons
+- @jonboirama
+- @joshua-mo-143
+- @jrrcdev
+- @lucascr
+- @RazorFin
+- @topshelfmedia
diff --git a/package.json b/package.json
index 53c87c4..4066bf9 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "mission-control",
-  "version": "2.0.0",
+  "version": "2.0.1",
   "description": "OpenClaw Mission Control — open-source agent orchestration dashboard",
   "scripts": {
     "verify:node": "node scripts/check-node-version.mjs",