diff --git a/CHANGELOG.md b/CHANGELOG.md index e218bc3..3b4d299 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -12,6 +12,31 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). +## [v1.15.7] - 2026-04-18 + +### Bug Fixes + +- Fix borgmatic LaunchAgent failing silently due to macOS TCC permission dialogs. LaunchAgents now call borgmatic directly instead of routing through `mise x`, which triggered "wants to access Documents" dialogs that hung headless sessions. The ansible role now also manages borgmatic installation via `mise install`. + +### Infrastructure + +- Automate verification of Prowler MANUAL findings (kubelet file perms, kubelet config, etcd CA, RBAC cluster-admin) in `review-compliance-reports` and mute them with `node-config-automated-verification` compensating control. +- Migrate transmission and transmission-exporter containers from Dockerfile to native Dagger builds (`container.py`). Updates base images to Alpine 3.23 and Python 3.14, pins uv to 0.11.6. +- Switched Fly proxy to upstream keepalive pools, reducing forge.eblu.me latency from 35s+ p50 to sub-second. Added `mise run fly-reload` for DNS re-resolution without redeploy. +- Upgrade Prowler from 5.22.0 to 5.23.0; remove init container workaround for broken `--registry` flag (upstream fix in PR #10470). +- Added `robots.txt` to `forge.eblu.me` blocking crawlers from `/mirrors/` to reduce load from Facebook scraping. +- Container builds are now manual-only via `mise run container-build-and-release`. Removed auto-trigger on push to main — shared Dagger helpers made path-based detection unreliable. +- Migrate devpi container from Dockerfile to native Dagger build; bump devpi-server 6.19.1→6.19.3 and devpi-web 5.0.1→5.0.2. +- Migrated kiwix-serve container from Dockerfile to native Dagger build, bumping Alpine base from 3.22 to 3.23. +- Mitigated Forgejo archive endpoint DoS: redirect public archive requests to tailnet, expanded robots.txt, enabled archive cleanup cron, cached release downloads at proxy. 
+- Refactored Dagger container pipelines: extended `go_build()` helper with `buildmode` and `extra_env` params, migrated miniflux and forgejo-runner to use it, and standardized all Alpine bases from 3.22 to 3.23. + +### Miscellaneous + +- Review compensating control `sso-gated-admin-tools`: tightened scope to ArgoCD only, removed Grafana reference. +- container-build-and-release now verifies the commit exists on the remote before dispatching a build. + + ## [v1.15.6] - 2026-04-14 ### Bug Fixes diff --git a/argocd/manifests/docs/deployment.yaml b/argocd/manifests/docs/deployment.yaml index 67de0c2..a3911e8 100644 --- a/argocd/manifests/docs/deployment.yaml +++ b/argocd/manifests/docs/deployment.yaml @@ -30,7 +30,7 @@ spec: name: http env: - name: DOCS_RELEASE_URL - value: "https://forge.eblu.me/eblume/blumeops/releases/download/v1.15.6/docs-v1.15.6.tar.gz" + value: "https://forge.eblu.me/eblume/blumeops/releases/download/v1.15.7/docs-v1.15.7.tar.gz" resources: requests: memory: "64Mi" diff --git a/docs/changelog.d/+borgmatic-launchagent-tcc.bugfix.md b/docs/changelog.d/+borgmatic-launchagent-tcc.bugfix.md deleted file mode 100644 index 0f941e9..0000000 --- a/docs/changelog.d/+borgmatic-launchagent-tcc.bugfix.md +++ /dev/null @@ -1 +0,0 @@ -Fix borgmatic LaunchAgent failing silently due to macOS TCC permission dialogs. LaunchAgents now call borgmatic directly instead of routing through `mise x`, which triggered "wants to access Documents" dialogs that hung headless sessions. The ansible role now also manages borgmatic installation via `mise install`. diff --git a/docs/changelog.d/+container-manual-builds.infra.md b/docs/changelog.d/+container-manual-builds.infra.md deleted file mode 100644 index 78a29f4..0000000 --- a/docs/changelog.d/+container-manual-builds.infra.md +++ /dev/null 
@@ -1 +0,0 @@ -Container builds are now manual-only via `mise run container-build-and-release`. Removed auto-trigger on push to main — shared Dagger helpers made path-based detection unreliable. diff --git a/docs/changelog.d/+container-release-push-check.misc.md b/docs/changelog.d/+container-release-push-check.misc.md deleted file mode 100644 index ab9aedc..0000000 --- a/docs/changelog.d/+container-release-push-check.misc.md +++ /dev/null @@ -1 +0,0 @@ -container-build-and-release now verifies the commit exists on the remote before dispatching a build. diff --git a/docs/changelog.d/+dagger-go-build-refactor.infra.md b/docs/changelog.d/+dagger-go-build-refactor.infra.md deleted file mode 100644 index af09d7f..0000000 --- a/docs/changelog.d/+dagger-go-build-refactor.infra.md +++ /dev/null @@ -1 +0,0 @@ -Refactored Dagger container pipelines: extended `go_build()` helper with `buildmode` and `extra_env` params, migrated miniflux and forgejo-runner to use it, and standardized all Alpine bases from 3.22 to 3.23. diff --git a/docs/changelog.d/+devpi-dagger-migration.infra.md b/docs/changelog.d/+devpi-dagger-migration.infra.md deleted file mode 100644 index 6c5f226..0000000 --- a/docs/changelog.d/+devpi-dagger-migration.infra.md +++ /dev/null @@ -1 +0,0 @@ -Migrate devpi container from Dockerfile to native Dagger build; bump devpi-server 6.19.1→6.19.3 and devpi-web 5.0.1→5.0.2. diff --git a/docs/changelog.d/+forge-robots-txt.infra.md b/docs/changelog.d/+forge-robots-txt.infra.md deleted file mode 100644 index fe96ad5..0000000 --- a/docs/changelog.d/+forge-robots-txt.infra.md +++ /dev/null @@ -1 +0,0 @@ -Added `robots.txt` to `forge.eblu.me` blocking crawlers from `/mirrors/` to reduce load from Facebook scraping. diff --git a/docs/changelog.d/+forgejo-archive-dos-mitigation.infra.md b/docs/changelog.d/+forgejo-archive-dos-mitigation.infra.md deleted file mode 100644 index 3b9ad84..0000000 --- a/docs/changelog.d/+forgejo-archive-dos-mitigation.infra.md +++ /dev/null 
@@ -1 +0,0 @@ -Mitigated Forgejo archive endpoint DoS: redirect public archive requests to tailnet, expanded robots.txt, enabled archive cleanup cron, cached release downloads at proxy. diff --git a/docs/changelog.d/+kiwix-dagger-migration.infra.md b/docs/changelog.d/+kiwix-dagger-migration.infra.md deleted file mode 100644 index 462e040..0000000 --- a/docs/changelog.d/+kiwix-dagger-migration.infra.md +++ /dev/null @@ -1 +0,0 @@ -Migrated kiwix-serve container from Dockerfile to native Dagger build, bumping Alpine base from 3.22 to 3.23. diff --git a/docs/changelog.d/+review-sso-gated-admin-tools.misc.md b/docs/changelog.d/+review-sso-gated-admin-tools.misc.md deleted file mode 100644 index 7e337df..0000000 --- a/docs/changelog.d/+review-sso-gated-admin-tools.misc.md +++ /dev/null @@ -1 +0,0 @@ -Review compensating control `sso-gated-admin-tools`: tightened scope to ArgoCD only, removed Grafana reference. diff --git a/docs/changelog.d/automate-manual-prowler-checks.infra.md b/docs/changelog.d/automate-manual-prowler-checks.infra.md deleted file mode 100644 index 07f132b..0000000 --- a/docs/changelog.d/automate-manual-prowler-checks.infra.md +++ /dev/null @@ -1 +0,0 @@ -Automate verification of Prowler MANUAL findings (kubelet file perms, kubelet config, etcd CA, RBAC cluster-admin) in `review-compliance-reports` and mute them with `node-config-automated-verification` compensating control. diff --git a/docs/changelog.d/dagger-transmission-containers.infra.md b/docs/changelog.d/dagger-transmission-containers.infra.md deleted file mode 100644 index 4937a06..0000000 --- a/docs/changelog.d/dagger-transmission-containers.infra.md +++ /dev/null @@ -1 +0,0 @@ -Migrate transmission and transmission-exporter containers from Dockerfile to native Dagger builds (`container.py`). Updates base images to Alpine 3.23 and Python 3.14, pins uv to 0.11.6. 
diff --git a/docs/changelog.d/fly-proxy-keepalive.infra.md b/docs/changelog.d/fly-proxy-keepalive.infra.md deleted file mode 100644 index 8853150..0000000 --- a/docs/changelog.d/fly-proxy-keepalive.infra.md +++ /dev/null @@ -1 +0,0 @@ -Switched Fly proxy to upstream keepalive pools, reducing forge.eblu.me latency from 35s+ p50 to sub-second. Added `mise run fly-reload` for DNS re-resolution without redeploy. diff --git a/docs/changelog.d/upgrade-prowler-5.23.infra.md b/docs/changelog.d/upgrade-prowler-5.23.infra.md deleted file mode 100644 index df2d0ab..0000000 --- a/docs/changelog.d/upgrade-prowler-5.23.infra.md +++ /dev/null @@ -1 +0,0 @@ -Upgrade Prowler from 5.22.0 to 5.23.0; remove init container workaround for broken `--registry` flag (upstream fix in PR #10470).
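Review bot: In the CHANGELOG hunk, the Prowler entry says the four MANUAL findings (kubelet file perms, kubelet config, etcd CA, RBAC cluster-admin) are muted with the `node-config-automated-verification` compensating control, but it does not say whether the mute is conditional on the automated checks in `review-compliance-reports` passing. If the mute is unconditional, a regression such as a new cluster-admin binding or loosened kubelet file perms would stay hidden behind the control; suggest stating that the mute applies only while the automated verification passes and that a failed check surfaces the finding again. Same hunk, the borgmatic entry explains why `mise x` triggered the "wants to access Documents" dialog but not how the direct invocation is allowed to read the backup sources; a short note on which binary was granted the TCC permission would save the next person from rediscovering it.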
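Review bot: The `DOCS_RELEASE_URL` bump in `argocd/manifests/docs/deployment.yaml` points at `docs-v1.15.7.tar.gz` on forge.eblu.me with nothing in the hunk pinning the tarball's contents. If the docs container downloads this at startup, whoever can replace the release asset, or poison the proxy cache for release downloads that this same release introduces, changes what the site serves. Suggest adding a companion digest next to it, e.g. `- name: DOCS_RELEASE_SHA256` set from the release, and having the fetch fail on mismatch; otherwise bake the archive into the image so the deployment is immutable.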
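Review bot: The changelog.d deletions show two fragment naming conventions side by side: `+`-prefixed orphan fragments (`+borgmatic-launchagent-tcc.bugfix.md`, `+forge-robots-txt.infra.md`, `+review-sso-gated-admin-tools.misc.md`, ...) and unprefixed ones (`automate-manual-prowler-checks.infra.md`, `dagger-transmission-containers.infra.md`, `fly-proxy-keepalive.infra.md`, `upgrade-prowler-5.23.infra.md`). If the fragment tool treats the unprefixed stem as an issue reference, the rendered entries will differ from the orphan ones; the compiled CHANGELOG hunk here also mixes tenses ("Fix", "Migrate", "Switched", "Migrated", "Added"). Worth settling on one fragment convention and one tense before the next release rather than fixing it in the compiled file.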