Summary

Adds the [0.1.10] release block to CHANGELOG.md with a Security section covering the watcher-path credential indexing fix, and bumps packages/memtomem/pyproject.toml to 0.1.10. The release itself (tag + GitHub Release + PyPI publish via Trusted Publishers OIDC) is intentionally deferred to a separate session.

Background context: the 2026-04-19 disclosure review declined filing a formal GHSA for this finding (near-zero user base); protection is delivered via a SECURITY: CHANGELOG section on upgrade and two public follow-up issues. Rationale preserved in the project forensics memo.

Scope

• CHANGELOG.md: insert ## [0.1.10] - UNRELEASED block with ### Security entry describing affected versions, the combined fix (PRs feat(indexing,security): user-configurable exclude_patterns + built-in secret denylist #225 / feat(indexing,security): add exclude_patterns + built-in secret denylist #226 / docs(config): document indexing edge cases (exclude_patterns, cloud-sync watcher, MMR, namespace) #251 / fix(indexing): apply built-in + user excludes at index_file entry point and against absolute paths #252), upgrade action, post-upgrade cleanup steps (mm purge --matching-excluded), rotation guidance for ~/.gemini / ~/.claude/projects / ~/.codex/memories, and Follow-up tracking links to RFC: make auto-discover of well-known memory dirs overridable (currently unconditional) #260 and Watcher re-indexed oauth_creds.json despite post-#252 engine guard (investigation) #261.
• CHANGELOG.md: remove the earlier [Unreleased] Added bullet for feat(indexing,security): user-configurable exclude_patterns + built-in secret denylist #225 — its content is absorbed (with additional detail preserved) into the new [0.1.10] Security block.
• packages/memtomem/pyproject.toml: version = "0.1.9" → version = "0.1.10".

Out of scope (follow-ups)

• git tag v0.1.10 + gh release create + PyPI publish — separate release session. The UNRELEASED placeholder in the heading is intentional and will be replaced with the actual date in a same-day follow-up commit when PyPI publish executes.
• CHANGELOG hygiene for other [Unreleased] gaps — PR feat(namespace): path-based policy rules for namespace auto-assignment #253 (NamespacePolicyRule) and PRs cli(init): surface non-default values preserved from previous config #254–fix(config): migrate remaining config.json writes to atomic _atomic_write_json #262 (config-side changes) currently have no [Unreleased] entries. Tracked separately as a CHANGELOG-sync PR; not bundled here to keep this PR security-only per the project's "one change per PR" norm.
• Footer compare-links — this CHANGELOG doesn't use the keep-a-changelog [version]: url reference-link footer block, so no footer updates are needed.

Cross-refs

• Issue RFC: make auto-discover of well-known memory dirs overridable (currently unconditional) #260 — RFC: make auto-discover of well-known memory dirs overridable (currently unconditional)
• Issue Watcher re-indexed oauth_creds.json despite post-#252 engine guard (investigation) #261 — Watcher re-indexed oauth_creds.json despite post-fix(indexing): apply built-in + user excludes at index_file entry point and against absolute paths #252 engine guard (investigation)
• PR fix(indexing): apply built-in + user excludes at index_file entry point and against absolute paths #252 — entry-point guard at IndexEngine.index_file
• PR feat(indexing,security): user-configurable exclude_patterns + built-in secret denylist #225 / PR feat(indexing,security): add exclude_patterns + built-in secret denylist #226 — built-in denylist + indexing.exclude_patterns + mm purge --matching-excluded
• PR docs(config): document indexing edge cases (exclude_patterns, cloud-sync watcher, MMR, namespace) #251 — configuration docs for exclude patterns and cloud-sync watcher

Gate runs

ruff check / ruff format --check / pytest -m "not ollama" included for project convention. CHANGELOG + pyproject is a text-only diff with no Python changes, so these checks trivially pass.