diff --git a/CHANGELOG.md b/CHANGELOG.md index e9ff516..98f3e39 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -2,19 +2,44 @@ ## [Unreleased] +## [0.6.0] - 2026-06-03 + +A multi-IDE / multi-host release. Adds first-class Cursor support (hook adapter, transcript parser, AgentSdk factory), upgrades telemetry attribution for setup failures, fixes a long-standing pile of search-mode-on-Windows installation issues, hardens the scanners against credential reads, and makes the `axme_finalize_close` schema produce actionable errors when an agent omits a required field. + ### Added +- **First-class Cursor IDE support.** A new IDE abstraction layer with a dedicated Cursor hook adapter (#129). Adds: Cursor JSONL transcript parser branch (top-level `role` keys), Cursor-specific setup writers, `cursor_sdk` auth mode, and an `AgentSdk` factory that routes every LLM agent (scanners, session-auditor, memory-extractor) through the right SDK for the host IDE. All hook events agree on a single `conversation_id` session-key precedence so PreToolUse / PostToolUse / SessionEnd from Cursor land on the same AXME session. +- **`error_class` field on `setup_complete` telemetry** (#144). When setup fails the dashboard's Phase Failures panel now sees not just *which* phase failed but *why*: `auth_check` → `"oauth_missing"`, `init_scan` → `classifyError(err)` of the underlying exception. No backend migration needed — ingestion already accepts the field. +- **Cooperative-by-default auditor mode + sidebar credential UX.** The session auditor now defaults to `cooperative` mode (the agent saves inline during chat via MCP tools — no detached background LLM, no extra API spend). Users can opt into `background` mode from the sidebar; that mode prompts for a credential the first time it runs and persists it via the existing auth-config flow. +- **`axme_decisions` and `axme_memories` adapt their output to `config.context.mode`.** In `full` mode (default) both tools return full bodies grouped by enforce / type, exactly as before. 
In `search` mode they return a compact catalog (id/slug + title + 1-line description, ≤200 chars) and instruct the agent to fetch full bodies via `axme_get_decision` / `axme_get_memory` / `axme_search_kb`. This closes a regression in v0.5.0 where the catalog was loaded by `axme_context` but a subsequent agent call to `axme_decisions` or `axme_memories` would silently re-load every body, defeating search mode's ~10× token saving. `axme_oracle` is unaffected — it always returns the full stack/structure/patterns/glossary because those are connected documents, not catalog entries. +- **`buildSearchModeInstructions` (rendered by `axme_context` in search mode) gained an "Active KB usage" block** with concrete trigger predicates ("how did we…", touching git/safety/hooks/storage/release subsystems, mentioning a library by name, before architectural recommendation, before saving a new decision/memory). Replaces a generic "use search for fuzzy lookups" line with imperative MUSTs tied to recognizable situations in the user's task. Designed to make the agent call `axme_search_kb` proactively instead of relying on session-start memory of past KBs. - **`install.sh` now detects the user's login shell and prints PATH-add instructions in the right syntax for that shell.** Previously `install.sh` printed only the `export PATH=...` form (bash/zsh syntax) regardless of the actual shell, leaving tcsh / csh / fish users with a non-working snippet — and `~/.local/bin` is not on PATH by default for tcsh, so those users effectively could not run `axme-code` after install. Detection uses `$SHELL` first (most reliable) and falls back to `getent passwd` for the login shell. Coverage: bash → `~/.bashrc`, zsh → `~/.zshrc`, fish → `~/.config/fish/config.fish` with `set -gx`, tcsh → `~/.tcshrc` with `setenv`, csh → `~/.cshrc` with `setenv`. Unknown shells get a fallback printout listing all four forms. 
The script does NOT auto-edit any rc file — the user runs the printed command themselves so they can audit the change. Same model as `deno`, `starship`, `nvm`. (`install.ps1` is unaffected — Windows installer already auto-writes the User PATH via `[Environment]::SetEnvironmentVariable`.) - **`install.sh` is now safely sourceable.** The bottom-of-file `main "$@"` is gated behind a `BASH_SOURCE[0] = $0` guard so `source install.sh` no longer triggers a real download + install side effect. Lets the new helper functions (`detect_shell`, `print_path_instruction`) be unit-tested without touching the live binary. +- **Hooks fall back to stdin `workspace_roots` when `--workspace` flag is absent.** Cursor's hook invocations don't always pass `--workspace` on the command line but do include `workspace_roots` in the stdin JSON payload. The hook entry point now reads that fallback instead of erroring out. ### Changed -- **`axme_decisions` and `axme_memories` now adapt their output to `config.context.mode`.** In `full` mode (default) both tools return full bodies grouped by enforce / type, exactly as before. In `search` mode they return a compact catalog (id/slug + title + 1-line description, ≤200 chars) and instruct the agent to fetch full bodies via `axme_get_decision` / `axme_get_memory` / `axme_search_kb`. This closes a regression in v0.5.0 where the catalog was loaded by `axme_context` but a subsequent agent call to `axme_decisions` or `axme_memories` would silently re-load every body, defeating search mode's ~10× token saving. `axme_oracle` is unaffected — it always returns the full stack/structure/patterns/glossary because those are connected documents, not catalog entries. 
-- **`buildSearchModeInstructions` (rendered by `axme_context` in search mode) gained an "Active KB usage" block** with concrete trigger predicates ("how did we…", touching git/safety/hooks/storage/release subsystems, mentioning a library by name, before architectural recommendation, before saving a new decision/memory). Replaces a generic "use search for fuzzy lookups" line with imperative MUSTs tied to recognizable situations in the user's task. Designed to make the agent call `axme_search_kb` proactively instead of relying on session-start memory of past KBs. +- **`axme_finalize_close` schema: all six required handoff strings now carry actionable `.min(1)` error messages with empty-state placeholders** (#145). When an agent omits one of `stopped_at` / `summary` / `in_progress` / `next_steps` / `worklog_entry` / `startup_text`, Zod used to emit a generic `"Expected string, received undefined"` per missing field — this was repeatedly mis-read by agents as a per-field server bug rather than a missing-argument error. Each field now reports `" is REQUIRED — pass , or '' if . Do not omit the field."` The `axme_begin_close` checklist output now splits the handoff fields into explicit **REQUIRED** vs *optional* blocks with the omit-is-error rationale and per-field placeholder examples. No behavior change for valid (non-empty-string) calls. +- **Setup prompts are now strictly imperative.** Agents were occasionally narrating tool calls ("I'll save this memory…") instead of executing them. Prompts rewritten as direct commands so the agent issues the tool call without preamble. +- **Setup summary lists decisions + memories with folder links** (and includes preset enforcement rules), giving the user something to read and verify at the end of `axme-code setup` instead of just a "done" message. 
+- **`KbWatcher` handles late KB creation correctly.** The sidebar/walkthrough auto-completes the right step when `.axme-code/` first appears after activation — previously a few signals from the watcher were dropped if the workspace was opened before setup. ### Fixed +- **Scanners block reads from credential / secret paths** during `axme-code setup`. The LLM scanners (oracle / decisions / memories) previously had `Read` access to the entire project root, which meant `.env`, `id_rsa`, and other secrets could end up inside the LLM context. Scanners now block reads to common credential paths (`.env*`, `**/credentials*`, `**/*.pem`, `**/id_rsa*`, etc.) at the tool-permission layer. +- **Scanners keep all tool calls inside the project being initialised.** A scanner running in workspace `repo-a` could occasionally `Read` files from a sibling `repo-b` if both were inside the same parent. Tool calls are now constrained to the project root passed to the scanner. +- **`axme_finalize_close`: per-field required-string errors are no longer mis-readable** as a server bug (#145). See *Changed* above for the schema improvements that surface this clearly. +- **Hooks normalize Cursor `tool_name=Shell` to `Bash` for safety dispatch.** Cursor calls the shell tool `Shell`; Claude Code calls it `Bash`. The safety hook (force-push blocker, `rm -rf` blocker, secret-file edit blocker) is keyed on `Bash` and was a no-op for Cursor sessions. Normalize on entry so Cursor inherits the same safety guarantees. +- **Search-mode install on Windows is finally robust:** + - Invoke `npm` via `node + npm-cli.js` directly to dodge CVE-2024-27980's `.cmd`/`.bat` EINVAL on modern Node releases. + - Drop `--omit=optional` from the install command — `sharp` is a hard runtime dep of `@huggingface/transformers`, not an optional one. 
+ - Augment `PATH` for npm subprocesses with the bundled Node dir so `sharp`'s postinstall (which shells out to `cmd.exe` looking for `node`) succeeds even on machines without system Node. + - CORE-side fallback: if the bundled `npm` tarball hasn't been extracted yet (e.g. plain `axme-code` install on Windows without going through the extension's lazy-extract path), the install step extracts it automatically before invoking `npm install`. +- **Suppress noisy fallback + `MaxListeners` warnings during setup.** Cosmetic — the user's setup output now ends cleanly. +- **Inline `claude-agent-sdk` in the extension bundle + use a fresh `agentId` per Cursor SDK call.** Fixes a residual-state bug where back-to-back calls in the same Cursor session could trip across each other's contexts. +- **Stop instructing the agent to run `axme-code setup` autonomously.** The agent was over-eagerly proposing to re-run setup when it saw an unfamiliar repo; setup is a user-driven action and the prompt no longer pushes for it. - **Stale memory `transformers-js-install-size-is-102mb` removed** (Q-003). The original v0.2.x memory cited 102 MB for `@huggingface/transformers`; the v0.5.0 release session measured 773 MB on Linux because `onnxruntime-node` pulls prebuilt binaries for 5 platforms (linux-x64, linux-arm64, darwin-x64, darwin-arm64, windows-x64). Since B-005 is shipped and the lazy-install pattern is now embedded in the product (not future guidance), the memory was deleted rather than amended. The auditor's intermediate stub `transformers-js-actual-install-size-is-773-mb-not-102-mb-on-` was also removed. KB reindexed (198 entries). +- **TypeScript compile config modernization.** `tsconfig` uses `NodeNext` module resolution; test config inherits the same. `ignoreDeprecations: "5.0"` silences a transient IDE warning that flagged the old `node10` even after the migration. ## [0.5.0] - 2026-04-29 diff --git a/extension/package.json b/extension/package.json index f8bedd2..ca36b17 100644 
--- a/extension/package.json +++ b/extension/package.json @@ -2,7 +2,7 @@ "name": "axme-code", "displayName": "AXME Code", "description": "Persistent memory, decisions, and safety guardrails for Cursor, GitHub Copilot, Cline, Continue, Roo Code, Windsurf, and VS Code chat agents", - "version": "0.1.4", + "version": "0.1.5", "publisher": "AxmeAI", "repository": { "type": "git", diff --git a/package.json b/package.json index 2e841e3..b32982f 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "@axme/code", - "version": "0.5.0", + "version": "0.6.0", "description": "Persistent memory, decisions, and safety guardrails for Claude Code", "type": "module", "main": "./dist/server.js",
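Review bot: In the CHANGELOG.md hunk, the Fixed entry "Scanners block reads from credential / secret paths" gives the blocked set only as `.env*`, `**/credentials*`, `**/*.pem`, `**/id_rsa*`, "etc.", so a reader cannot tell which patterns are actually enforced. Because this is a pattern denylist, list every pattern or point to the file that defines them, and state whether secret files outside the list can still reach the LLM context. In the Windows install bullets, "dodge CVE-2024-27980's `.cmd`/`.bat` EINVAL" reads as working around a security fix; wording along the lines of "avoid the EINVAL Node raises for `.cmd`/`.bat` spawns since the CVE-2024-27980 fix" would be clearer. In the `axme_finalize_close` entry under Changed, the quoted message `" is REQUIRED — pass , or '' if . Do not omit the field."` appears to have lost its placeholders; check that the field name and placeholder text survive rendering.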
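Review bot: In extension/package.json, `"version"` moves from 0.1.4 to 0.1.5, but the 0.6.0 section added to CHANGELOG.md in this patch describes extension-side changes (sidebar credential UX, `KbWatcher`, inlining `claude-agent-sdk` in the extension bundle) without naming the extension version that carries them. Consider stating extension 0.1.5 in the 0.6.0 entry so users can tell whether their installed extension includes these changes.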
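Review bot: In package.json, the unchanged `"description"` line still reads "Persistent memory, decisions, and safety guardrails for Claude Code", while the bump to 0.6.0 on the line above it ships first-class Cursor support according to the CHANGELOG.md entry in the same patch. Update the description to mention Cursor, or align it with the host list already used in extension/package.json.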