diff --git a/RELEASE_NOTES_v1.7.13.md b/RELEASE_NOTES_v1.7.13.md
new file mode 100644
index 0000000..72a5e72
--- /dev/null
+++ b/RELEASE_NOTES_v1.7.13.md
@@ -0,0 +1,34 @@
+# AOC v1.7.13 Release Notes
+
+**Release Date:** 2026-04-27
+
+## Security Hardening: Alpine.js CSP Build
+
+This release removes `unsafe-eval` from the Content-Security-Policy by switching the frontend to Alpine.js's CSP-compatible build.
+
+### Changes
+
+- **Frontend:** Switched from `alpinejs@3.x.x/dist/cdn.min.js` to `alpinejs@3.x.x/dist/csp.min.js`
+- **Frontend:** Added explicit `Alpine.start()` call on `DOMContentLoaded` (required by CSP build)
+- **Backend CSP:** Removed `'unsafe-eval'` from `script-src` directive
+
+### Why this matters
+
+The previous v1.7.11–1.7.12 releases included `'unsafe-eval'` in the CSP because the standard Alpine.js CDN build uses `new Function()` internally for reactive expression evaluation. The CSP build eliminates this requirement, further hardening the application against XSS and injection attacks.
+
+### Compatibility
+
+All existing Alpine.js directives (`x-data`, `x-init`, `x-show`, `x-text`, `x-for`, `x-if`, `x-model`, event handlers) continue to work unchanged. The CSP build uses a safe expression evaluator that produces identical behavior without `eval`/`new Function`.
+
+## Files Changed
+
+| File | Change |
+|------|--------|
+| `backend/frontend/index.html` | Alpine.js src → `csp.min.js`; added `Alpine.start()` |
+| `backend/main.py` | Removed `'unsafe-eval'` from `script-src` CSP |
+| `VERSION` | Bumped to 1.7.13 |
+
+## Test Results
+
+- **80/80 pytest tests passing**
+- Ruff lint/format clean
diff --git a/VERSION b/VERSION
index e6a68e9..36c5cb9 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-1.7.12
+1.7.13
diff --git a/backend/frontend/index.html b/backend/frontend/index.html
index d49c4bc..42feb48 100644
--- a/backend/frontend/index.html
+++ b/backend/frontend/index.html
@@ -5,7 +5,7 @@
Admin Operations Center
-
+
@@ -1274,5 +1274,13 @@
};
}
+