diff --git a/CHANGELOG.md b/CHANGELOG.md
index 760c670..58eecd2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,34 @@
 # Changelog
 
+## v4.8.6 — Security hardening patch release
+
+This patch release strengthens SecureBit.chat across verification, sanitization, privacy, transport abuse resistance, cache safety, and repository hygiene.
+
+### Security hardening
+
+- Bound SAS verification to the actual DTLS fingerprint strings of both peers.
+- Replaced regex-based chat sanitization with DOMPurify-backed sanitization.
+- Made WebRTC privacy mode explicit and kept relay-only state synchronized at runtime.
+- Removed production exposure of internal debug/control hooks.
+- Added receiver-side rate limiting for inbound chat messages.
+- Added receiver-side throttling for inbound file chunks.
+
+### Runtime and privacy safety
+
+- Hardened service-worker caching so only explicitly allowlisted safe assets are cached.
+- Removed an untracked disconnect timer so teardown no longer leaves delayed callbacks behind.
+- Preserved relay-only TURN behavior while making privacy implications clearer when relay-only mode is disabled or TURN is unavailable.
+
+### Repository hygiene
+
+- Stopped tracking `node_modules` in Git so platform-specific dependency binaries no longer pollute the repository or break cross-platform builds.
+
+### Validation
+
+- Full regression suite passes.
+- Clean install succeeds with `npm ci`.
+- Production build succeeds with `npm run build`.
+
 ## v4.8.5 — Security hardening release
 
 This release consolidates several months of security, privacy, and lifecycle hardening work by the SecureBit.chat team.
diff --git a/README.md b/README.md
index d52650d..755c92f 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,4 @@
-# SecureBit.chat v4.8.5
+# SecureBit.chat v4.8.6
 SecureBit.chat is a browser-based peer-to-peer chat application built on WebRTC and Web Crypto APIs. It is designed for direct encrypted communication, explicit peer verification, and a small operational footprint without account registration or server-side message storage.
@@ -15,20 +15,18 @@ SecureBit.chat uses:
 A session is not treated as verified until both peers complete the interactive SAS flow. Each user must compare the displayed code with the peer through an out-of-band channel and enter the matching code manually. Three failed SAS attempts terminate the session.
-## Highlights in v4.8.5
+## Highlights in v4.8.6
-This release consolidates several months of security hardening work by the project team:
+This patch release strengthens the existing security model with a focused hardening pass:
-- mandatory interactive SAS verification instead of passive click-through confirmation
-- deterministic SAS computation from shared session material
-- protocol version `4.1` negotiation with mismatch rejection
-- optional TURN relay-only privacy mode with clear warnings when TURN is unavailable
-- encrypted IndexedDB metadata with lazy migration from legacy plaintext records
-- explicit file-transfer consent before any receive buffers are allocated
-- strict file-type allowlist using both MIME type and extension checks
-- incoming decrypted message sanitization before UI delivery
-- improved disconnect, timer, file-transfer, and React UI cleanup behavior
-- pinned dependency versions and a clean `npm audit` baseline
+- SAS verification is bound to the actual DTLS fingerprint strings of both peers
+- chat sanitization uses DOMPurify-backed text-only output
+- WebRTC privacy mode is explicit and relay-only state stays synchronized at runtime
+- production debug window hooks are gated behind an explicit debug flag
+- receiver-side throttling covers inbound messages and file chunks
+- service-worker caching is restricted to an explicit safe-asset allowlist
+- disconnect cleanup leaves no orphaned delayed timer behind
+- `node_modules` is no longer tracked in Git
 ## Quick start
diff --git a/manifest.json b/manifest.json
index 396141b..53c009a 100644
--- a/manifest.json
+++ b/manifest.json
@@ -1,5 +1,5 @@
 {
-  "name": "SecureBit.chat v4.7.56 - ECDH + DTLS + SAS",
+  "name": "SecureBit.chat v4.8.6 - ECDH + DTLS + SAS",
   "short_name": "SecureBit",
   "description": "P2P messenger with ECDH + DTLS + SAS security, military-grade cryptography and Lightning Network payments",
   "start_url": "./",
@@ -114,4 +114,4 @@
       ]
     }
   ]
-}
\ No newline at end of file
+}
diff --git a/package-lock.json b/package-lock.json
index a05fb32..3d2d3ea 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
   "name": "securebit-chat",
-  "version": "4.8.5",
+  "version": "4.8.6",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "securebit-chat",
-      "version": "4.8.5",
+      "version": "4.8.6",
       "license": "MIT",
       "dependencies": {
         "base64-js": "1.5.1",
diff --git a/package.json b/package.json
index e7d788c..3382af0 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "securebit-chat",
-  "version": "4.8.5",
+  "version": "4.8.6",
   "description": "Secure P2P Communication Application with End-to-End Encryption",
   "main": "index.html",
   "scripts": {