diff --git a/.watermark.json b/.watermark.json
new file mode 100644
index 0000000..3abc657
--- /dev/null
+++ b/.watermark.json
@@ -0,0 +1,7 @@
+{
+  "source_repo": "golang/go",
+  "last_digest_sha": "0e9a844b0d110deb6821df45b260332b923615f3",
+  "last_digest_at": "2026-04-30T14:01:00Z",
+  "last_refresh_sha": null,
+  "last_refresh_at": null
+}
diff --git a/changelog/2026-04-30.md b/changelog/2026-04-30.md
new file mode 100644
index 0000000..c3ddf87
--- /dev/null
+++ b/changelog/2026-04-30.md
@@ -0,0 +1,91 @@
+# Go Daily Digest — 2026-04-30
+
+13 commits merged to master. Security-heavy day with 3 CVEs fixed.
+
+## Security Fixes
+
+### html/template: fix escaping of URLs in meta content attributes
+- **CVE:** CVE-2026-39823
+- **Issue:** [#78913](https://github.com/golang/go/issues/78913)
+- **Author:** Neal Patel
+- **Reviewed by:** Roland Shoemaker
+- **What:** Bypass of CVE-2026-27142 fix. WHATWG shared declarative refresh steps algorithm skips ASCII whitespace between `url` and `=` in meta content; escaper didn't account for that.
+- **Impact:** XSS via meta refresh redirect templates. Update if using html/template with meta redirects.
+
+### html/template: fix escaper bypass via empty script type
+- **CVE:** CVE-2026-39826
+- **Issue:** [#78981](https://github.com/golang/go/issues/78981)
+- **Author:** Neal Patel
+- **Reviewed by:** Roland Shoemaker
+- **What:** `<script type="">`, `<script type=" ">`, and `<script type="\t">` execute as JavaScript per spec, but escaper treated them as non-JS.
+- **Impact:** XSS vector. Browser quirks continue to be security bugs.
+
+### net/mail: fix quadratic consumePhrase behavior
+- **CVE:** CVE-2026-42499
+- **Issue:** [#78987](https://github.com/golang/go/issues/78987)
+- **Author:** Neal Patel
+- **Reviewed by:** Nicholas Husin
+- **What:** O(n²) string concatenation in email address parsing.
+- **Impact:** CPU exhaustion on untrusted email headers.
+
+## Tooling
+
+### cmd/go: set a HTTP user agent
+- **Author:** Sean Liao
+- **Issue:** [#78891](https://github.com/golang/go/issues/78891), Updates [#35699](https://github.com/golang/go/issues/35699)
+- **What:** cmd/go now sends a fixed user-agent string. Original proposal declined for privacy (no version info), but static identifier useful for module proxies/CDNs.
+
+### cmd/go: add go1.24 requirement when running go get with tools
+- **Author:** Olivier Mengué
+- **Issue:** Fixes [#74739](https://github.com/golang/go/issues/74739)
+- **What:** Tool directives enforce minimum go1.24 in go.mod. Prevents confusing failures with older toolchains.
+
+### cmd/go: loosen go work sync version requirements
+- **Author:** Michael Matloob
+- **Issue:** Fixes [#65363](https://github.com/golang/go/issues/65363)
+- **What:** Workspace replace directives could hide requirements causing conflicts during sync. Requirements are now additive; errors surfaced properly instead of silently dropped.
+
+## Compiler & Linker
+
+### cmd/compile, go/types: disable constant string size check
+- **Author:** Cherry Mui
+- **Issue:** Updates [#78346](https://github.com/golang/go/issues/78346)
+- **What:** Recently-added string constant size check eagerly constructed strings via constant.StringVal, causing massive memory usage with exponential doubling patterns. Rolled back pending lazy-length API.
+- **Lesson:** Performance-sensitive checks need lazy evaluation.
+
+### cmd/link: make -f flag actually ignore version mismatch
+- **Author:** Cherry Mui
+- **What:** The -f flag was documented as "ignore version mismatch" but didn't. Now it does.
+
+## Crypto
+
+### crypto/fips140: add package docs
+- **Author:** Filippo Valsorda
+- **Issue:** Fixes [#77879](https://github.com/golang/go/issues/77879)
+- **What:** FIPS 140 package now has proper documentation.
+
+### crypto/sha3: ensure unwrapped *sha3.Digest are usable
+- **Author:** Neal Patel
+- **Issue:** Updates [#75154](https://github.com/golang/go/issues/75154)
+
+### crypto/mlkem: enrich DecapsulationKey768|1024 doc comments
+- **Author:** Neal Patel
+- **What:** Better docs for post-quantum ML-KEM decapsulation key types.
+
+## Documentation
+
+### os/signal: add Notify windows documentation
+- **Author:** Alex Brainman
+- **Issue:** Updates [#77076](https://github.com/golang/go/issues/77076)
+- **What:** Clarifies that only os.Interrupt is supported on Windows.
+
+### encoding/json/jsontext: add TODO about removing Internal symbol
+- **Author:** Joe Tsai
+- **Issue:** Updates [#73435](https://github.com/golang/go/issues/73435)
+- **What:** Internal symbol is a hack for module-only visibility. TODO to replace with type aliases when pkgsite supports forwarded symbol docs.
+
+## Patterns to Extract
+
+- **Browser quirk security:** Any HTML spec edge case (whitespace handling, empty attributes) that browsers implement literally is a potential escaper bypass. The html/template package keeps getting hit by these.
+- **Lazy evaluation for safety checks:** When adding correctness checks to compilers, the check itself must not trigger the expensive operation it's guarding against (see constant string size check OOM).
+- **"Works as documented" audit:** The linker -f flag bug shows value in periodically verifying that documented behavior actually works. Fuzz the docs, not just the code.