diff --git a/CHANGELOG.md b/CHANGELOG.md
new file mode 100644
index 00000000..9a921383
--- /dev/null
+++ b/CHANGELOG.md
@@ -0,0 +1,32 @@
+# Changelog
+
+All notable changes to this project will be documented in this file. See [commit-and-tag-version](https://github.com/absolute-version/commit-and-tag-version) for commit guidelines.
+
+## [1.4.0](https://github.com/optave/codegraph/compare/v1.3.0...v1.4.0) (2026-02-22)
+
+
+### Features
+
+* **config:** add apiKeyCommand for secure credential resolution ([f3ab237](https://github.com/optave/codegraph/commit/f3ab23790369df00b50c75ae7c3b6bba47fde2c6))
+* **mcp:** expand MCP server from 5 to 11 tools ([510dd74](https://github.com/optave/codegraph/commit/510dd74ed14d455e50aa3166fa28cf90d05925dd))
+
+
+### Bug Fixes
+
+* add napi-rs package.json for build-native workflow ([b9d7e0e](https://github.com/optave/codegraph/commit/b9d7e0e58dcf3e2a54645d87fdf1a5a90c7c7b98))
+* align native platform package versions with root ([93c9c4b](https://github.com/optave/codegraph/commit/93c9c4b31c7c01471c37277067fd095214a643b1))
+* **ci:** add --provenance to platform package publishes for OIDC auth ([bc595f7](https://github.com/optave/codegraph/commit/bc595f78ab35fe5db3a00711977ab2b963c4f3ef))
+* **ci:** add allowed_tools to Claude Code review action ([eb5d9f2](https://github.com/optave/codegraph/commit/eb5d9f270b446c2d2c72bb2ee7ffd0433463c720))
+* **ci:** grant write permissions to Claude workflows for PR comments ([aded63c](https://github.com/optave/codegraph/commit/aded63c19375ede0037ac62736c6049f6b77daba))
+* **ci:** prefix platform package path with ./ for npm 10 compatibility ([06fa212](https://github.com/optave/codegraph/commit/06fa212bba55b11d77e689c8d5e91faca4eef5a4))
+* **ci:** skip version bump when override matches current version ([df19486](https://github.com/optave/codegraph/commit/df19486ff30724791c71e49b130417e30281b659))
+* handle null baseUrl in native alias conversion, skip flaky native cache tests ([d0077e1](https://github.com/optave/codegraph/commit/d0077e175446fc27619b767d8fcf06b91d3a042c))
+* repair build-native workflow ([67d7650](https://github.com/optave/codegraph/commit/67d7650235e6291b002224a31dfc765df666a36a))
+* reset lockfile before npm version to avoid dirty-tree error ([6f0a40a](https://github.com/optave/codegraph/commit/6f0a40a48cbb589e672ea149ee5f920fb258e697))
+* **test:** make normalizePath test cross-platform ([36fa9cf](https://github.com/optave/codegraph/commit/36fa9cfa3a084af173c85fca47c5f5cd2ed3d700))
+* **test:** skip native engine parity tests for known Rust gaps ([7d89cd9](https://github.com/optave/codegraph/commit/7d89cd957c7cda937c4bc8a1e9d389e76807ceb2))
+
+
+### Refactoring
+
+* add LANGUAGE_REGISTRY for declarative parser dispatch ([cb08bb5](https://github.com/optave/codegraph/commit/cb08bb58adac8d7aa4d5fb6ea463ce6d3dba8007))
diff --git a/README.md b/README.md
index 7cabe9dc..27a4338f 100644
--- a/README.md
+++ b/README.md
@@ -467,7 +467,7 @@ const { results: fused } = await multiSearchData(
 See **[ROADMAP.md](ROADMAP.md)** for the full development roadmap. Current plan:
 
 1. ~~**Rust Core**~~ — **Complete** (v1.3.0) — native tree-sitter parsing via napi-rs, parallel multi-core parsing, incremental re-parsing, import resolution & cycle detection in Rust
-2. **Foundation Hardening** — ~~parser registry~~, complete MCP server, test coverage, enhanced config
+2. ~~**Foundation Hardening**~~ — **Complete** (v1.4.0) — parser registry, 11-tool MCP server, test coverage 62%→75%, `apiKeyCommand` secret resolution
 3. **Intelligent Embeddings** — LLM-generated descriptions, hybrid search
 4. **Natural Language Queries** — `codegraph ask` command, conversational sessions
 5. **Expanded Language Support** — 8 new languages (12 → 20)
diff --git a/ROADMAP.md b/ROADMAP.md
index 8f92f00c..6c5c4a66 100644
--- a/ROADMAP.md
+++ b/ROADMAP.md
@@ -1,6 +1,6 @@
 # Codegraph Roadmap
 
-> **Current version:** 1.3.0 | **Status:** Active development | **Updated:** February 2026
+> **Current version:** 1.4.0 | **Status:** Active development | **Updated:** February 2026
 
 Codegraph is a strong local-first code graph CLI. This roadmap describes planned improvements across seven phases — closing gaps with commercial code intelligence platforms while preserving codegraph's core strengths: fully local, open source, zero cloud dependency by default.
 
@@ -13,7 +13,7 @@ Codegraph is a strong local-first code graph CLI. This roadmap describes planned
 | Phase | Theme | Key Deliverables | Status |
 |-------|-------|-----------------|--------|
 | [**1**](#phase-1--rust-core) | Rust Core | Rust parsing engine via napi-rs, parallel parsing, incremental tree-sitter, JS orchestration layer | **Complete** (v1.3.0) |
-| [**2**](#phase-2--foundation-hardening) | Foundation Hardening | Parser registry, complete MCP, test coverage, enhanced config | Planned |
+| [**2**](#phase-2--foundation-hardening) | Foundation Hardening | Parser registry, complete MCP, test coverage, enhanced config | **Complete** (v1.4.0) |
 | [**3**](#phase-3--intelligent-embeddings) | Intelligent Embeddings | LLM-generated descriptions, hybrid search | Planned |
 | [**4**](#phase-4--natural-language-queries) | Natural Language Queries | `ask` command, conversational sessions | Planned |
 | [**5**](#phase-5--expanded-language-support) | Expanded Language Support | 8 new languages (12 → 20), parser utilities | Planned |
@@ -101,7 +101,9 @@ Ensure the transition is seamless.
 
 ---
 
-## Phase 2 — Foundation Hardening
+## Phase 2 — Foundation Hardening ✅
+
+> **Status:** Complete — shipped in v1.4.0
 
 **Goal:** Fix structural issues that make subsequent phases harder.
 
@@ -119,32 +121,33 @@ Replace scattered parser init/selection logic with a single declarative registry
 
 **Affected files:** `src/parser.js`, `src/constants.js`
 
-### 2.2 — Complete MCP Server
+### 2.2 — Complete MCP Server ✅
 
 Expose all CLI capabilities through MCP, going from 5 → 11 tools.
 
 | New tool | Wraps | Description |
 |----------|-------|-------------|
-| `fn_deps` | `fnDepsData` | Function-level dependency chain |
-| `fn_impact` | `fnImpactData` | Function-level blast radius |
-| `diff_impact` | `diffImpactData` | Git diff impact analysis |
-| `semantic_search` | `searchData` | Embedding-powered search |
-| `export_graph` | export functions | DOT/Mermaid/JSON export |
-| `list_functions` | — | List functions in a file or by pattern |
+| ✅ `fn_deps` | `fnDepsData` | Function-level dependency chain |
+| ✅ `fn_impact` | `fnImpactData` | Function-level blast radius |
+| ✅ `diff_impact` | `diffImpactData` | Git diff impact analysis |
+| ✅ `semantic_search` | `searchData` | Embedding-powered search |
+| ✅ `export_graph` | export functions | DOT/Mermaid/JSON export |
+| ✅ `list_functions` | — | List functions in a file or by pattern |
 
 **Affected files:** `src/mcp.js`
 
-### 2.3 — Test Coverage Gaps
+### 2.3 — Test Coverage Gaps ✅
 
 Add tests for currently untested modules.
 
 | New test file | Coverage |
 |---------------|----------|
-| `tests/mcp/mcp.test.js` | All MCP tools (mock stdio transport) |
-| `tests/config/config.test.js` | Config loading, defaults, invalid configs |
-| `tests/integration/cli.test.js` | End-to-end CLI smoke tests |
+| ✅ `tests/unit/mcp.test.js` | All MCP tools (mock stdio transport) |
+| ✅ `tests/unit/config.test.js` | Config loading, defaults, env overrides, apiKeyCommand |
+| ✅ `tests/integration/cli.test.js` | End-to-end CLI smoke tests |
+| ✅ `tests/unit/*.test.js` | Unit tests for 8 core modules (coverage 62% → 75%) |
 
-### 2.4 — Enhanced Configuration
+### 2.4 — Enhanced Configuration ✅
 
 New configuration options in `.codegraphrc.json`:
 
@@ -155,14 +158,16 @@ New configuration options in `.codegraphrc.json`:
     "provider": "openai",
     "model": "gpt-4o-mini",
     "baseUrl": null,
-    "apiKey": null
+    "apiKey": null,
+    "apiKeyCommand": "op read op://vault/openai/api-key"
   },
   "search": { "defaultMinScore": 0.2, "rrfK": 60, "topK": 15 },
   "ci": { "failOnCycles": false, "impactThreshold": null }
 }
 ```
 
-Environment variable fallbacks: `CODEGRAPH_LLM_PROVIDER`, `CODEGRAPH_LLM_API_KEY`, `CODEGRAPH_LLM_MODEL`
+- ✅ Environment variable fallbacks: `CODEGRAPH_LLM_PROVIDER`, `CODEGRAPH_LLM_API_KEY`, `CODEGRAPH_LLM_MODEL`
+- ✅ `apiKeyCommand` — shell out to external secret managers (1Password, Bitwarden, Vault, pass, macOS Keychain) at runtime via `execFileSync` (no shell injection). Priority: command output > env var > file config > defaults. Graceful fallback on failure.
 
 **Affected files:** `src/config.js`
 
diff --git a/package-lock.json b/package-lock.json
index 2ffb97aa..5444dad4 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
   "name": "@optave/codegraph",
-  "version": "1.3.0",
+  "version": "1.4.0",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "@optave/codegraph",
-      "version": "1.3.0",
+      "version": "1.4.0",
       "license": "Apache-2.0",
       "dependencies": {
         "better-sqlite3": "^12.6.2",
diff --git a/package.json b/package.json
index fb3fa665..a7810701 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@optave/codegraph",
-  "version": "1.3.0",
+  "version": "1.4.0",
   "description": "Local code graph CLI — parse codebases with tree-sitter, build dependency graphs, query them",
   "type": "module",
   "main": "src/index.js",
@@ -61,10 +61,10 @@
   "optionalDependencies": {
     "@huggingface/transformers": "^3.8.1",
     "@modelcontextprotocol/sdk": "^1.0.0",
-    "@optave/codegraph-darwin-arm64": "1.3.0",
-    "@optave/codegraph-darwin-x64": "1.3.0",
-    "@optave/codegraph-linux-x64-gnu": "1.3.0",
-    "@optave/codegraph-win32-x64-msvc": "1.3.0"
+    "@optave/codegraph-darwin-arm64": "1.4.0",
+    "@optave/codegraph-darwin-x64": "1.4.0",
+    "@optave/codegraph-linux-x64-gnu": "1.4.0",
+    "@optave/codegraph-win32-x64-msvc": "1.4.0"
   },
   "devDependencies": {
     "@biomejs/biome": "^2.4.4",