codebeltnet · gimlichael · Feb 20, 2026 · Feb 20, 2026 · Feb 20, 2026 · Feb 20, 2026
diff --git a/.docfx/docfx.json b/.docfx/docfx.json
@@ -45,7 +45,7 @@
     ],
     "globalMetadata": {
       "_appTitle": "Extensions for Asp.Versioning by Codebelt",
-      "_appFooter": "<span>Generated by <strong>DocFX</strong>. Copyright 2024-2026 Geekle. All rights reserved.</span>",
+      "_appFooter": "<span>Generated by <strong>DocFX</strong>. Copyright 2024-2026 Geekle. All rights reserved.</span><script src=\"https://context7.com/widget.js\" data-library=\"/codebeltnet/asp-versioning\" data-color=\"#059669\" data-position=\"bottom-right\" data-placeholder=\"Ask anything about the ASP Versioning docs\"></script>",
-      "_appFooter": "<span>Generated by <strong>DocFX</strong>. Copyright 2024-2026 Geekle. All rights reserved.</span><script src=\"https://context7.com/widget.js\" data-library=\"/codebeltnet/asp-versioning\" data-color=\"#059669\" data-position=\"bottom-right\" data-placeholder=\"Ask anything about the ASP Versioning docs\"></script>",
+      "_appFooter": "<span>Generated by <strong>DocFX</strong>. Copyright 2024-2026 Geekle. All rights reserved.</span><script src=\"https://context7.com/widget.js\" integrity=\"sha384-REPLACE_WITH_REAL_SRI_HASH\" crossorigin=\"anonymous\" data-library=\"/codebeltnet/asp-versioning\" data-color=\"#059669\" data-position=\"bottom-right\" data-placeholder=\"Ask anything about the ASP Versioning docs\"></script>",
-      "_appFooter": "<span>Generated by <strong>DocFX</strong>. Copyright 2024-2026 Geekle. All rights reserved.</span><script src=\"https://context7.com/widget.js\" data-library=\"/codebeltnet/asp-versioning\" data-color=\"#059669\" data-position=\"bottom-right\" data-placeholder=\"Ask anything about the ASP Versioning docs\"></script>",
+      "_appFooter": "<span>Generated by <strong>DocFX</strong>. Copyright 2024-2026 Geekle. All rights reserved.</span><script src=\"https://context7.com/widget.js\" integrity=\"sha384-REPLACE_WITH_REAL_SRI_HASH\" crossorigin=\"anonymous\" data-library=\"/codebeltnet/asp-versioning\" data-color=\"#059669\" data-position=\"bottom-right\" data-placeholder=\"Ask anything about the ASP Versioning docs\"></script>",
       "_appLogoPath": "images/50x50.png",
       "_appFaviconPath": "images/favicon.ico",
       "_googleAnalyticsTagId": "G-G15R2J7GBR",

diff --git a/.github/dispatch-targets.json b/.github/dispatch-targets.json
@@ -0,0 +1 @@
+[ "swashbuckle-aspnetcore" ]
diff --git a/.github/scripts/bump-nuget.py b/.github/scripts/bump-nuget.py
@@ -0,0 +1,133 @@
+#!/usr/bin/env python3
+"""
+Simplified package bumping for Codebelt service updates (Option B).
+
+Only updates packages published by the triggering source repo.
+Does NOT update Microsoft.Extensions.*, BenchmarkDotNet, or other third-party packages.
+Does NOT parse TFM conditions - only bumps Codebelt/Cuemon/Savvyio packages to the triggering version.
+
+Usage:
+    TRIGGER_SOURCE=cuemon TRIGGER_VERSION=10.3.0 python3 bump-nuget.py
+
+Behavior:
+- If TRIGGER_SOURCE is "cuemon" and TRIGGER_VERSION is "10.3.0":
+  - Cuemon.Core: 10.2.1 → 10.3.0
+  - Cuemon.Extensions.IO: 10.2.1 → 10.3.0
+  - Microsoft.Extensions.Hosting: 9.0.13 → UNCHANGED (not a Codebelt package)
+  - BenchmarkDotNet: 0.15.8 → UNCHANGED (not a Codebelt package)
+"""
+
+import re
+import os
+import sys
+from typing import Dict, List
+
+TRIGGER_SOURCE = os.environ.get("TRIGGER_SOURCE", "")
+TRIGGER_VERSION = os.environ.get("TRIGGER_VERSION", "")
+
+# Map of source repos to their package ID prefixes
+SOURCE_PACKAGE_MAP: Dict[str, List[str]] = {
+    "cuemon": ["Cuemon."],
+    "xunit": ["Codebelt.Extensions.Xunit"],
+    "benchmarkdotnet": ["Codebelt.Extensions.BenchmarkDotNet"],
+    "bootstrapper": ["Codebelt.Bootstrapper"],
+    "newtonsoft-json": [
+        "Codebelt.Extensions.Newtonsoft.Json",
+        "Codebelt.Extensions.AspNetCore.Mvc.Formatters.Newtonsoft",
+    ],
+    "aws-signature-v4": ["Codebelt.Extensions.AspNetCore.Authentication.AwsSignature"],
+    "unitify": ["Codebelt.Unitify"],
+    "yamldotnet": [
+        "Codebelt.Extensions.YamlDotNet",
+        "Codebelt.Extensions.AspNetCore.Mvc.Formatters.Text.Yaml",
+    ],
+    "globalization": ["Codebelt.Extensions.Globalization"],
+    "asp-versioning": ["Codebelt.Extensions.Asp.Versioning"],
+    "swashbuckle-aspnetcore": ["Codebelt.Extensions.Swashbuckle"],
+    "savvyio": ["Savvyio."],
+    "shared-kernel": [],
+}
+
+
+def is_triggered_package(package_name: str) -> bool:
+    """Check if package is published by the triggering source repo."""
+    if not TRIGGER_SOURCE:
+        return False
+    prefixes = SOURCE_PACKAGE_MAP.get(TRIGGER_SOURCE, [])
+    return any(package_name.startswith(prefix) for prefix in prefixes)
+
+
+def main():
+    if not TRIGGER_SOURCE or not TRIGGER_VERSION:
+        print(
+            "Error: TRIGGER_SOURCE and TRIGGER_VERSION environment variables required"
+        )
+        print(f"  TRIGGER_SOURCE={TRIGGER_SOURCE}")
+        print(f"  TRIGGER_VERSION={TRIGGER_VERSION}")
+        sys.exit(1)
+
+    # Strip 'v' prefix if present in version
+    target_version = TRIGGER_VERSION.lstrip("v")
+
-    target_version = TRIGGER_VERSION.lstrip("v")
+    target_version = TRIGGER_VERSION.lstrip("v").strip()
+
+    # Validate that the resulting version is a semantic version (e.g., 1.2.3, 1.2.3-alpha.1+build.5)
+    semver_pattern = re.compile(
+        r"^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)"
+        r"(?:-[0-9A-Za-z-]+(?:\.[0-9A-Za-z-]+)*)?"
+        r"(?:\+[0-9A-Za-z-]+(?:\.[0-9A-Za-z-]+)*)?$"
+    )
+    if not target_version or not semver_pattern.match(target_version):
+        print("Error: TRIGGER_VERSION is not a valid semantic version")
+        print(f"  TRIGGER_VERSION (raw) = {TRIGGER_VERSION!r}")
+        print(f"  Parsed target_version  = {target_version!r}")
+        sys.exit(1)
-    target_version = TRIGGER_VERSION.lstrip("v")
+    target_version = TRIGGER_VERSION.lstrip("v").strip()
+
+    # Validate that the resulting version is a semantic version (e.g., 1.2.3, 1.2.3-alpha.1+build.5)
+    semver_pattern = re.compile(
+        r"^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)"
+        r"(?:-[0-9A-Za-z-]+(?:\.[0-9A-Za-z-]+)*)?"
+        r"(?:\+[0-9A-Za-z-]+(?:\.[0-9A-Za-z-]+)*)?$"
+    )
+    if not target_version or not semver_pattern.match(target_version):
+        print("Error: TRIGGER_VERSION is not a valid semantic version")
+        print(f"  TRIGGER_VERSION (raw) = {TRIGGER_VERSION!r}")
+        print(f"  Parsed target_version  = {target_version!r}")
+        sys.exit(1)
+    print(f"Trigger: {TRIGGER_SOURCE} @ {target_version}")
+    print(f"Only updating packages from: {TRIGGER_SOURCE}")
+    print()
+
+    try:
+        with open("Directory.Packages.props", "r") as f:
+            content = f.read()
+    except FileNotFoundError:
+        print("Error: Directory.Packages.props not found")
+        sys.exit(1)
+
+    changes = []
+    skipped_third_party = []
+
+    def replace_version(m: re.Match) -> str:
+        pkg = m.group(1)
+        current = m.group(2)
+
+        if not is_triggered_package(pkg):
+            skipped_third_party.append(f"  {pkg} (skipped - not from {TRIGGER_SOURCE})")
+            return m.group(0)
+
+        if target_version != current:
+            changes.append(f"  {pkg}: {current} → {target_version}")
+            return m.group(0).replace(
+                f'Version="{current}"', f'Version="{target_version}"'
+            )
+
+        return m.group(0)
+
+    # Match PackageVersion elements (handles multiline)
+    pattern = re.compile(
+        r"<PackageVersion\b"
+        r'(?=[^>]*\bInclude="([^"]+)")'
+        r'(?=[^>]*\bVersion="([^"]+)")'
+        r"[^>]*>",
+        re.DOTALL,
-    # Match PackageVersion elements (handles multiline)
-    pattern = re.compile(
-        r"<PackageVersion\b"
-        r'(?=[^>]*\bInclude="([^"]+)")'
-        r'(?=[^>]*\bVersion="([^"]+)")'
-        r"[^>]*>",
-        re.DOTALL,
+    # Match PackageVersion elements (handles multiline and flexible whitespace)
+    pattern = re.compile(
+        r"<PackageVersion\b"
+        r'(?=[^>]*\bInclude\s*=\s*"([^"]+)")'
+        r'(?=[^>]*\bVersion\s*=\s*"([^"]+)")'
+        r"[^>]*>",
-    # Match PackageVersion elements (handles multiline)
-    pattern = re.compile(
-        r"<PackageVersion\b"
-        r'(?=[^>]*\bInclude="([^"]+)")'
-        r'(?=[^>]*\bVersion="([^"]+)")'
-        r"[^>]*>",
-        re.DOTALL,
+    # Match PackageVersion elements (handles multiline and flexible whitespace)
+    pattern = re.compile(
+        r"<PackageVersion\b"
+        r'(?=[^>]*\bInclude\s*=\s*"([^"]+)")'
+        r'(?=[^>]*\bVersion\s*=\s*"([^"]+)")'
+        r"[^>]*>",
+    )
+    new_content = pattern.sub(replace_version, content)
+
+    # Show results
+    if changes:
+        print(f"Updated {len(changes)} package(s) from {TRIGGER_SOURCE}:")
+        print("\n".join(changes))
+    else:
+        print(f"No packages from {TRIGGER_SOURCE} needed updating.")
+
+    if skipped_third_party:
+        print()
+        print(f"Skipped {len(skipped_third_party)} third-party package(s):")
+        print("\n".join(skipped_third_party[:5]))  # Show first 5
+        if len(skipped_third_party) > 5:
+            print(f"  ... and {len(skipped_third_party) - 5} more")
+
+    with open("Directory.Packages.props", "w") as f:
+        f.write(new_content)
+
+    return 0 if changes else 0  # Return 0 even if no changes (not an error)
-    return 0 if changes else 0  # Return 0 even if no changes (not an error)
+    return 0  # Return 0 even if no changes (not an error)
-    return 0 if changes else 0  # Return 0 even if no changes (not an error)
+    return 0  # Return 0 even if no changes (not an error)
+
+
+if __name__ == "__main__":
+    sys.exit(main())
diff --git a/.github/workflows/service-update.yml b/.github/workflows/service-update.yml
@@ -0,0 +1,139 @@
+name: Service Update
+
+on:
+  repository_dispatch:
+    types: [codebelt-service-update]
+  workflow_dispatch:
+    inputs:
+      source_repo:
+        description: 'Triggering source repo name (e.g. cuemon)'
+        required: false
+        default: ''
+      source_version:
+        description: 'Version released by source (e.g. 10.3.0)'
+        required: false
+        default: ''
+      dry_run:
+        type: boolean
+        description: 'Dry run — show changes but do not commit or open PR'
+        default: false
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  service-update:
+    runs-on: ubuntu-24.04
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
-          fetch-depth: 0
+          fetch-depth: 1
-          fetch-depth: 0
+          fetch-depth: 1
+
+      - name: Resolve trigger inputs
+        id: trigger
+        run: |
+          SOURCE="${{ github.event.client_payload.source_repo || github.event.inputs.source_repo }}"
+          VERSION="${{ github.event.client_payload.source_version || github.event.inputs.source_version }}"
+          echo "source=$SOURCE"   >> $GITHUB_OUTPUT
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
-          SOURCE="${{ github.event.client_payload.source_repo || github.event.inputs.source_repo }}"
-          VERSION="${{ github.event.client_payload.source_version || github.event.inputs.source_version }}"
-          echo "source=$SOURCE"   >> $GITHUB_OUTPUT
-          echo "version=$VERSION" >> $GITHUB_OUTPUT
+      - name: Resolve trigger inputs
+        id: trigger
+        env:
+          _SOURCE: ${{ github.event.client_payload.source_repo || github.event.inputs.source_repo }}
+          _VERSION: ${{ github.event.client_payload.source_version || github.event.inputs.source_version }}
+        run: |
+          echo "source=$_SOURCE"   >> $GITHUB_OUTPUT
+          echo "version=$_VERSION" >> $GITHUB_OUTPUT
-          SOURCE="${{ github.event.client_payload.source_repo || github.event.inputs.source_repo }}"
-          VERSION="${{ github.event.client_payload.source_version || github.event.inputs.source_version }}"
-          echo "source=$SOURCE"   >> $GITHUB_OUTPUT
-          echo "version=$VERSION" >> $GITHUB_OUTPUT
+      - name: Resolve trigger inputs
+        id: trigger
+        env:
+          _SOURCE: ${{ github.event.client_payload.source_repo || github.event.inputs.source_repo }}
+          _VERSION: ${{ github.event.client_payload.source_version || github.event.inputs.source_version }}
+        run: |
+          echo "source=$_SOURCE"   >> $GITHUB_OUTPUT
+          echo "version=$_VERSION" >> $GITHUB_OUTPUT
+
+      - name: Determine new version for this repo
+        id: newver
+        run: |
+          CURRENT=$(grep -oP '(?<=## \[)[\d.]+(?=\])' CHANGELOG.md | head -1)
-          CURRENT=$(grep -oP '(?<=## \[)[\d.]+(?=\])' CHANGELOG.md | head -1)
+          CURRENT=$(grep -oP '(?<=## \[)[\d.]+(?=\])' CHANGELOG.md | head -1)
+          if [ -z "$CURRENT" ]; then
+            echo "Error: Could not determine current version from CHANGELOG.md. Expected headings like '## [1.2.3]'." >&2
+            exit 1
+          fi
+          if ! echo "$CURRENT" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$'; then
+            echo "Error: Current version '$CURRENT' from CHANGELOG.md is not in 'MAJOR.MINOR.PATCH' format." >&2
+            exit 1
+          fi
-          CURRENT=$(grep -oP '(?<=## \[)[\d.]+(?=\])' CHANGELOG.md | head -1)
+          CURRENT=$(grep -oP '(?<=## \[)[\d.]+(?=\])' CHANGELOG.md | head -1)
+          if [ -z "$CURRENT" ]; then
+            echo "Error: Could not determine current version from CHANGELOG.md. Expected headings like '## [1.2.3]'." >&2
+            exit 1
+          fi
+          if ! echo "$CURRENT" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$'; then
+            echo "Error: Current version '$CURRENT' from CHANGELOG.md is not in 'MAJOR.MINOR.PATCH' format." >&2
+            exit 1
+          fi
+          NEW=$(echo "$CURRENT" | awk -F. '{printf "%s.%s.%d", $1, $2, $3+1}')
+          BRANCH="v${NEW}/service-update"
+          echo "current=$CURRENT" >> $GITHUB_OUTPUT
+          echo "new=$NEW"         >> $GITHUB_OUTPUT
+          echo "branch=$BRANCH"   >> $GITHUB_OUTPUT
-          CURRENT=$(grep -oP '(?<=## \[)[\d.]+(?=\])' CHANGELOG.md | head -1)
-          NEW=$(echo "$CURRENT" | awk -F. '{printf "%s.%s.%d", $1, $2, $3+1}')
-          BRANCH="v${NEW}/service-update"
-          echo "current=$CURRENT" >> $GITHUB_OUTPUT
-          echo "new=$NEW"         >> $GITHUB_OUTPUT
-          echo "branch=$BRANCH"   >> $GITHUB_OUTPUT
+          CURRENT=$(grep -oP '(?<=## \[)[\d.]+(?=\])' CHANGELOG.md | head -1)
+          if [ -z "$CURRENT" ]; then
+            echo "Error: could not determine current version from CHANGELOG.md"
+            exit 1
+          fi
+          NEW=$(echo "$CURRENT" | awk -F. '{printf "%s.%s.%d", $1, $2, $3+1}')
+          BRANCH="v${NEW}/service-update"
+          echo "current=$CURRENT" >> $GITHUB_OUTPUT
+          echo "new=$NEW"         >> $GITHUB_OUTPUT
+          echo "branch=$BRANCH"   >> $GITHUB_OUTPUT
-          CURRENT=$(grep -oP '(?<=## \[)[\d.]+(?=\])' CHANGELOG.md | head -1)
-          NEW=$(echo "$CURRENT" | awk -F. '{printf "%s.%s.%d", $1, $2, $3+1}')
-          BRANCH="v${NEW}/service-update"
-          echo "current=$CURRENT" >> $GITHUB_OUTPUT
-          echo "new=$NEW"         >> $GITHUB_OUTPUT
-          echo "branch=$BRANCH"   >> $GITHUB_OUTPUT
+          CURRENT=$(grep -oP '(?<=## \[)[\d.]+(?=\])' CHANGELOG.md | head -1)
+          if [ -z "$CURRENT" ]; then
+            echo "Error: could not determine current version from CHANGELOG.md"
+            exit 1
+          fi
+          NEW=$(echo "$CURRENT" | awk -F. '{printf "%s.%s.%d", $1, $2, $3+1}')
+          BRANCH="v${NEW}/service-update"
+          echo "current=$CURRENT" >> $GITHUB_OUTPUT
+          echo "new=$NEW"         >> $GITHUB_OUTPUT
+          echo "branch=$BRANCH"   >> $GITHUB_OUTPUT
+
+      - name: Generate codebelt-aicia token
+        id: app-token
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ vars.CODEBELT_AICIA_APP_ID }}
+          private-key: ${{ secrets.CODEBELT_AICIA_PRIVATE_KEY }}
+          owner: codebeltnet
+
+      - name: Bump NuGet packages
+        run: python3 .github/scripts/bump-nuget.py
+        env:
+          TRIGGER_SOURCE:  ${{ steps.trigger.outputs.source }}
+          TRIGGER_VERSION: ${{ steps.trigger.outputs.version }}
+
+      - name: Update PackageReleaseNotes.txt
+        run: |
+          NEW="${{ steps.newver.outputs.new }}"
+          for f in .nuget/*/PackageReleaseNotes.txt; do
+            [ -f "$f" ] || continue
+            TFM=$(grep -m1 "^Availability:" "$f" | sed 's/Availability: //' || echo ".NET 10, .NET 9 and .NET Standard 2.0")
-            TFM=$(grep -m1 "^Availability:" "$f" | sed 's/Availability: //' || echo ".NET 10, .NET 9 and .NET Standard 2.0")
+            DEFAULT_TFM=".NET 10, .NET 9 and .NET Standard 2.0"
+            RAW_AVAIL_LINE=$(grep -m1 "^Availability:" "$f" || true)
+            TFM=""
+            if [ -n "$RAW_AVAIL_LINE" ]; then
+              # Strip the 'Availability:' prefix and trim surrounding whitespace
+              TFM="${RAW_AVAIL_LINE#Availability: }"
+              TFM="$(printf '%s\n' "$TFM" | xargs)"
+            fi
+            # Validate that TFM is non-empty and matches an expected pattern; otherwise, fall back to default
+            if [ -z "$TFM" ] || ! printf '%s\n' "$TFM" | grep -Eq '^\.NET [0-9]+(, \.NET [0-9]+)*( and \.NET Standard 2\.0)?$'; then
+              TFM="$DEFAULT_TFM"
+            fi
-            TFM=$(grep -m1 "^Availability:" "$f" | sed 's/Availability: //' || echo ".NET 10, .NET 9 and .NET Standard 2.0")
+            DEFAULT_TFM=".NET 10, .NET 9 and .NET Standard 2.0"
+            RAW_AVAIL_LINE=$(grep -m1 "^Availability:" "$f" || true)
+            TFM=""
+            if [ -n "$RAW_AVAIL_LINE" ]; then
+              # Strip the 'Availability:' prefix and trim surrounding whitespace
+              TFM="${RAW_AVAIL_LINE#Availability: }"
+              TFM="$(printf '%s\n' "$TFM" | xargs)"
+            fi
+            # Validate that TFM is non-empty and matches an expected pattern; otherwise, fall back to default
+            if [ -z "$TFM" ] || ! printf '%s\n' "$TFM" | grep -Eq '^\.NET [0-9]+(, \.NET [0-9]+)*( and \.NET Standard 2\.0)?$'; then
+              TFM="$DEFAULT_TFM"
+            fi
+            ENTRY="Version: ${NEW}\nAvailability: ${TFM}\n \n# ALM\n- CHANGED Dependencies have been upgraded to the latest compatible versions for all supported target frameworks (TFMs)\n \n"
+            { printf "$ENTRY"; cat "$f"; } > "$f.tmp" && mv "$f.tmp" "$f"
+          done
-          for f in .nuget/*/PackageReleaseNotes.txt; do
-            [ -f "$f" ] || continue
-            TFM=$(grep -m1 "^Availability:" "$f" | sed 's/Availability: //' || echo ".NET 10, .NET 9 and .NET Standard 2.0")
-            ENTRY="Version: ${NEW}\nAvailability: ${TFM}\n \n# ALM\n- CHANGED Dependencies have been upgraded to the latest compatible versions for all supported target frameworks (TFMs)\n \n"
-            { printf "$ENTRY"; cat "$f"; } > "$f.tmp" && mv "$f.tmp" "$f"
-          done
+          for f in .nuget/*/PackageReleaseNotes.txt; do
+            [ -f "$f" ] || continue
+            TFM=$(grep -m1 "^Availability:" "$f" | sed 's/Availability: //')
+            TFM="${TFM:-.NET 10, .NET 9 and .NET Standard 2.0}"
+            ENTRY="Version: ${NEW}\nAvailability: ${TFM}\n \n# ALM\n- CHANGED Dependencies have been upgraded to the latest compatible versions for all supported target frameworks (TFMs)\n \n"
+            { printf "$ENTRY"; cat "$f"; } > "$f.tmp" && mv "$f.tmp" "$f"
+          done
-          for f in .nuget/*/PackageReleaseNotes.txt; do
-            [ -f "$f" ] || continue
-            TFM=$(grep -m1 "^Availability:" "$f" | sed 's/Availability: //' || echo ".NET 10, .NET 9 and .NET Standard 2.0")
-            ENTRY="Version: ${NEW}\nAvailability: ${TFM}\n \n# ALM\n- CHANGED Dependencies have been upgraded to the latest compatible versions for all supported target frameworks (TFMs)\n \n"
-            { printf "$ENTRY"; cat "$f"; } > "$f.tmp" && mv "$f.tmp" "$f"
-          done
+          for f in .nuget/*/PackageReleaseNotes.txt; do
+            [ -f "$f" ] || continue
+            TFM=$(grep -m1 "^Availability:" "$f" | sed 's/Availability: //')
+            TFM="${TFM:-.NET 10, .NET 9 and .NET Standard 2.0}"
+            ENTRY="Version: ${NEW}\nAvailability: ${TFM}\n \n# ALM\n- CHANGED Dependencies have been upgraded to the latest compatible versions for all supported target frameworks (TFMs)\n \n"
+            { printf "$ENTRY"; cat "$f"; } > "$f.tmp" && mv "$f.tmp" "$f"
+          done
+
+      - name: Update CHANGELOG.md
+        run: |
+          python3 - <<'EOF'
+          import os, re
+          from datetime import date
+          new_ver = os.environ['NEW_VERSION']
+          today   = date.today().isoformat()
+          entry   = f"## [{new_ver}] - {today}\n\nThis is a service update that focuses on package dependencies.\n\n"
+          with open("CHANGELOG.md") as f:
+              content = f.read()
+          idx = content.find("## [")
+          content = (content[:idx] + entry + content[idx:]) if idx != -1 else (content + entry)
-          content = (content[:idx] + entry + content[idx:]) if idx != -1 else (content + entry)
+          if idx == -1:
+              raise SystemExit("CHANGELOG.md does not contain the expected '## [' version header pattern; aborting update. Please fix the changelog format and rerun.")
+          content = content[:idx] + entry + content[idx:]
-          content = (content[:idx] + entry + content[idx:]) if idx != -1 else (content + entry)
+          if idx == -1:
+              raise SystemExit("CHANGELOG.md does not contain the expected '## [' version header pattern; aborting update. Please fix the changelog format and rerun.")
+          content = content[:idx] + entry + content[idx:]
+          with open("CHANGELOG.md", "w") as f:
+              f.write(content)
+          print(f"CHANGELOG updated for v{new_ver}")
+          EOF
+        env:
+          NEW_VERSION: ${{ steps.newver.outputs.new }}
+
+      # Note: Docker image bumps removed in favor of manual updates
+      # The automated selection was picking wrong variants (e.g., mono-* instead of standard)
+      # TODO: Move to hosted service for smarter image selection
+
+      - name: Show diff (dry run)
+        if: ${{ github.event.inputs.dry_run == 'true' }}
+        run: git diff
+
+      - name: Create branch and open PR
+        if: ${{ github.event.inputs.dry_run != 'true' }}
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
+        run: |
+          NEW="${{ steps.newver.outputs.new }}"
+          BRANCH="${{ steps.newver.outputs.branch }}"
+          SOURCE="${{ steps.trigger.outputs.source }}"
+          SRC_VER="${{ steps.trigger.outputs.version }}"
+
+          git config user.name  "codebelt-aicia[bot]"
+          git config user.email "codebelt-aicia[bot]@users.noreply.github.com"
+          git checkout -b "$BRANCH"
-
-          git config user.name  "codebelt-aicia[bot]"
-          git config user.email "codebelt-aicia[bot]@users.noreply.github.com"
-          git checkout -b "$BRANCH"
+          BASE_BRANCH="$BRANCH"
+
+          # Ensure branch name is unique in case multiple runs target the same version
+          if git ls-remote --exit-code --heads origin "$BRANCH" >/dev/null 2>&1; then
+            BRANCH="${BASE_BRANCH}-${GITHUB_RUN_ID}"
+          fi
+
+          git config user.name  "codebelt-aicia[bot]"
+          git config user.email "codebelt-aicia[bot]@users.noreply.github.com"
+          git checkout -b "$BRANCH" || git checkout "$BRANCH"
-
-          git config user.name  "codebelt-aicia[bot]"
-          git config user.email "codebelt-aicia[bot]@users.noreply.github.com"
-          git checkout -b "$BRANCH"
+          BASE_BRANCH="$BRANCH"
+
+          # Ensure branch name is unique in case multiple runs target the same version
+          if git ls-remote --exit-code --heads origin "$BRANCH" >/dev/null 2>&1; then
+            BRANCH="${BASE_BRANCH}-${GITHUB_RUN_ID}"
+          fi
+
+          git config user.name  "codebelt-aicia[bot]"
+          git config user.email "codebelt-aicia[bot]@users.noreply.github.com"
+          git checkout -b "$BRANCH" || git checkout "$BRANCH"
+          git add -A
+          git diff --cached --quiet && echo "Nothing changed - skipping PR." && exit 0
+          git commit -m "V${NEW}/service update"
+          git push origin "$BRANCH"
+
+          echo "This is a service update that focuses on package dependencies." > pr_body.txt
+          echo "" >> pr_body.txt
+          echo "Automated changes:" >> pr_body.txt
+          echo "- Codebelt/Cuemon package versions bumped to latest compatible" >> pr_body.txt
+          echo "- PackageReleaseNotes.txt updated for v${NEW}" >> pr_body.txt
+          echo "- CHANGELOG.md entry added for v${NEW}" >> pr_body.txt
+          echo "" >> pr_body.txt
+          echo "Note: Third-party packages (Microsoft.Extensions.*, BenchmarkDotNet, etc.) are not auto-updated." >> pr_body.txt
+          echo "Use Dependabot or manual updates for those." >> pr_body.txt
+          echo "" >> pr_body.txt
+          echo "Generated by codebelt-aicia" >> pr_body.txt
+          if [ -n "$SOURCE" ] && [ -n "$SRC_VER" ]; then
+            echo "Triggered by: ${SOURCE} @ ${SRC_VER}" >> pr_body.txt
-            echo "Triggered by: ${SOURCE} @ ${SRC_VER}" >> pr_body.txt
+            # Sanitize potentially user-controlled values to prevent command substitution
+            SAFE_SOURCE="${SOURCE//\`/\\\`}"
+            SAFE_SOURCE="${SAFE_SOURCE//\$/\\\$}"
+            SAFE_SRC_VER="${SRC_VER//\`/\\\`}"
+            SAFE_SRC_VER="${SAFE_SRC_VER//\$/\\\$}"
+            echo "Triggered by: ${SAFE_SOURCE} @ ${SAFE_SRC_VER}" >> pr_body.txt
-            echo "Triggered by: ${SOURCE} @ ${SRC_VER}" >> pr_body.txt
+            # Sanitize potentially user-controlled values to prevent command substitution
+            SAFE_SOURCE="${SOURCE//\`/\\\`}"
+            SAFE_SOURCE="${SAFE_SOURCE//\$/\\\$}"
+            SAFE_SRC_VER="${SRC_VER//\`/\\\`}"
+            SAFE_SRC_VER="${SAFE_SRC_VER//\$/\\\$}"
+            echo "Triggered by: ${SAFE_SOURCE} @ ${SAFE_SRC_VER}" >> pr_body.txt
+          else
+            echo "Triggered by: manual workflow dispatch" >> pr_body.txt
+          fi
+
+          gh pr create --title "V${NEW}/service update" --body-file pr_body.txt --base main --head "$BRANCH" --assignee gimlichael
-          gh pr create --title "V${NEW}/service update" --body-file pr_body.txt --base main --head "$BRANCH" --assignee gimlichael
+          DEFAULT_BRANCH=$(gh repo view --json defaultBranchRef --jq '.defaultBranchRef.name')
+          gh pr create --title "V${NEW}/service update" --body-file pr_body.txt --base "$DEFAULT_BRANCH" --head "$BRANCH"
-          gh pr create --title "V${NEW}/service update" --body-file pr_body.txt --base main --head "$BRANCH" --assignee gimlichael
+          DEFAULT_BRANCH=$(gh repo view --json defaultBranchRef --jq '.defaultBranchRef.name')
+          gh pr create --title "V${NEW}/service update" --body-file pr_body.txt --base "$DEFAULT_BRANCH" --head "$BRANCH"
diff --git a/.github/workflows/trigger-downstream.yml b/.github/workflows/trigger-downstream.yml
@@ -0,0 +1,78 @@
+name: Trigger Downstream Service Updates
+
+on:
+  release:
+    types: [published]
+
+jobs:
+  dispatch:
+    if: github.event.release.prerelease == false
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout (to read dispatch-targets.json)
+        uses: actions/checkout@v4
+
+      - name: Check for dispatch targets
+        id: check
+        run: |
+          if [ ! -f .github/dispatch-targets.json ]; then
+            echo "No dispatch-targets.json found, skipping."
+            echo "has_targets=false" >> $GITHUB_OUTPUT
+            exit 0
+          fi
+          COUNT=$(python3 -c "import json; print(len(json.load(open('.github/dispatch-targets.json'))))")
+          echo "has_targets=$([ $COUNT -gt 0 ] && echo true || echo false)" >> $GITHUB_OUTPUT
+
+      - name: Extract version from release tag
+        if: steps.check.outputs.has_targets == 'true'
+        id: version
+        run: |
+          VERSION="${{ github.event.release.tag_name }}"
+          VERSION="${VERSION#v}"
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+
+      - name: Generate codebelt-aicia token
+        if: steps.check.outputs.has_targets == 'true'
+        id: app-token
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ vars.CODEBELT_AICIA_APP_ID }}
+          private-key: ${{ secrets.CODEBELT_AICIA_PRIVATE_KEY }}
+          owner: codebeltnet
+
+      - name: Dispatch to downstream repos
+        if: steps.check.outputs.has_targets == 'true'
+        run: |
+          python3 - <<'EOF'
+          import json, urllib.request, os, sys
+
+          targets = json.load(open('.github/dispatch-targets.json'))
+          token   = os.environ['GH_TOKEN']
+          version = os.environ['VERSION']
+          source  = os.environ['SOURCE_REPO']
+
+          for repo in targets:
+              url     = f'https://api.github.com/repos/codebeltnet/{repo}/dispatches'
+              payload = json.dumps({
+                  'event_type': 'codebelt-service-update',
+                  'client_payload': {
+                      'source_repo':    source,
+                      'source_version': version
+                  }
+              }).encode()
+              req = urllib.request.Request(url, data=payload, method='POST', headers={
+                  'Authorization':  f'Bearer {token}',
+                  'Accept':         'application/vnd.github+json',
+                  'Content-Type':   'application/json',
+                  'X-GitHub-Api-Version': '2022-11-28'
+              })
+              with urllib.request.urlopen(req) as r:
+                  print(f'✓ Dispatched to {repo}: HTTP {r.status}')
+          EOF
+        env:
+          GH_TOKEN:    ${{ steps.app-token.outputs.token }}
+          VERSION:     ${{ steps.version.outputs.version }}
+          SOURCE_REPO: ${{ github.event.repository.name }}