diff --git a/HISTORY.md b/HISTORY.md index 8fae12c..efb63ec 100644 --- a/HISTORY.md +++ b/HISTORY.md @@ -1,5 +1,17 @@ # Bill Tracker — Changelog +## v0.22.2 + +### Added +- **Session Invalidation on Password Change** — All other sessions are terminated when you change your password; current session gets a new ID +- **Logout All Devices** — New `POST /api/auth/logout-all` endpoint to sign out from every device at once + +### Changed +- `invalidateOtherSessions()` helper in authService.js +- Both change-password routes (auth + profile) now rotate session ID +- Added `last_password_change_at` to auth.js change-password for consistency with profile.js +- Audit logging for `logout.all` and `password.change` events + ## v0.22.1 ### Changed
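Review bot: Under `### Changed` in the new v0.22.2 entry, the `invalidateOtherSessions()` helper line and the audit logging line have no verb and read as newly introduced items rather than changes to existing behaviour. Move them under `### Added`, or reword them to say what changed, in the way the `last_password_change_at` line already does. The `Logout All Devices` line should also state whether `POST /api/auth/logout-all` ends the calling session as well, because the password-change line above it is explicit that the current session is kept and given a new ID, and a reader will otherwise assume the two behave the same. The "Both change-password routes (auth + profile)" line would be clearer if it named the route files the way the next line does (auth.js and profile.js).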