diff --git a/.grype.yaml b/.grype.yaml
index e145053..7d1ca7e 100644
--- a/.grype.yaml
+++ b/.grype.yaml
@@ -1,6 +1,11 @@
 ignore:
-  # CVE-2026-41589: SCP path traversal in charmbracelet/wish.
+  # SCP path traversal in charmbracelet/wish — same flaw, two ids: grype has
+  # matched it as CVE-2026-41589 and as GHSA-xjvp-7243-rg9h depending on db
+  # version, and ignore matching is exact-id, so both stay listed.
   # We only import wish/bubbletea for the SSH TUI server — the vulnerable
-  # scp.Middleware / scp.NewFileSystemHandler symbols are never compiled in.
-  # No fix available for wish v1; v2 (charm.land/wish/v2) patched in 2.0.1.
+  # scp.Middleware / scp.NewFileSystemHandler symbols are never compiled in
+  # (govulncheck reachability agrees). No fix for wish v1; v2
+  # (charm.land/wish/v2 >= 2.0.1) requires the bubbletea-v2 stack migration,
+  # tracked in issue #126. Remove both entries when that lands.
   - vulnerability: CVE-2026-41589
+  - vulnerability: GHSA-xjvp-7243-rg9h
diff --git a/cliff.toml b/cliff.toml
index 84f7642..25e135f 100644
--- a/cliff.toml
+++ b/cliff.toml
@@ -24,6 +24,10 @@ split_commits = false
 protect_breaking_commits = false
 filter_commits = false
 tag_pattern = "v[0-9].*"
+# rc tags are pipeline rehearsals, not releases — without this, the final
+# tag's notes would only cover commits since the last rc (near-empty for
+# v0.1.0). Ignored tags fold their commits into the next real release.
+ignore_tags = "v.*-rc.*"
 topo_order = false
 sort_commits = "oldest"