Last updated: Feb 16, 2026, 09:00 AM UTC

Sasha Studio Release Notes: v1.0.1168 to v1.0.1220

Release Period: February 2026
Version Range: 1.0.1168 → 1.0.1220
Total Commits: 178+
Major Refactors: 3 (AWS infrastructure pivot, Meeting Room API, External Tasks API)


TL;DR - Business Summary

What's New in Plain English:

This release delivers 5 major capabilities that bring cloud hosting flexibility, external integrations, and enterprise-grade security to Sasha:

  1. AWS Regional Hosting - Deploy Sasha to any AWS region using ECS Fargate with persistent storage. Your data stays in the region you choose, with full HTTPS and auto-provisioning.

  2. Meeting Room API - External systems can now start, stop, and monitor meetings programmatically through a REST API with webhook callbacks. Build integrations that trigger transcription automatically.

  3. External Tasks API - Schedule and execute tasks programmatically from external systems, with a unified execution log tracking all activity.

  4. Security Hardening - Comprehensive vulnerability scanning (CodeQL, Semgrep, Trivy) runs nightly. 15 code scanning alerts resolved, path traversal protection centralized, and rate limiting added to public endpoints.

  5. Message Reliability - Five high-severity message drop scenarios fixed. Conversations no longer lose messages during streaming, and sessions recover gracefully from interruptions.

Business Value:

  • Data Sovereignty: Deploy Sasha in any AWS region to meet compliance and data residency requirements
  • Integration Ready: REST APIs let external systems trigger meetings and tasks without manual intervention
  • Enterprise Security: Nightly vulnerability scanning and comprehensive code hardening for regulated industries
  • Reliable Conversations: No more lost messages — critical for trust in AI-assisted knowledge work

Executive Summary

The headline change in this release is the AWS infrastructure pivot from App Runner to ECS Fargate with EFS persistent storage. This architectural shift enables Sasha deployments in any AWS region with proper data persistence, HTTPS via Application Load Balancer, and infrastructure auto-provisioning including VPC, security groups, IAM roles, and CloudWatch logging. The control panel gained a deployment script, crane binary support for ECR image push, and a collapsible AWS setup guide.

The Meeting Room External API introduces a generic API key system and REST endpoints for programmatic meeting management. External systems can start/stop meetings, retrieve transcripts, and receive webhook callbacks with HMAC-SHA256 signature verification and exponential backoff retry logic.

A parallel External Tasks API enables programmatic task execution with a unified execution log, schedule toggle controls, and on-demand task triggering.

Security hardening was a major theme: a centralized safePath() utility replaced 16 inline path traversal checks, CodeQL/Semgrep/Trivy nightly scans were configured, all 15 remaining CodeQL alerts were resolved, rate limiting was added to public endpoints, and leaked secrets were removed from git history.

On the reliability front, five HIGH-severity message drop scenarios (D, F, H, J, K) were identified and fixed in the streaming pipeline, session resume vicious cycles were broken, stub JSONL detection prevents metadata pollution, and the Bedrock model alias map was updated for Opus 4.6 and Sonnet 4.5.

The release also includes the GitHub organization migration from wapdat to context-is-everything, a new SF7 brand favicon, dark mode improvements, status bar enhancements, and numerous bug fixes across the platform.


Major Features & Improvements

AWS Regional Hosting (ECS Fargate + EFS)

  • Architecture Pivot - Replaced App Runner with ECS Fargate for production-grade AWS deployments
  • Persistent Storage - EFS volumes for home and appdata directories survive container restarts
  • Auto-Provisioning - VPC, security groups, ECS cluster, ALB, IAM roles, and CloudWatch logs created automatically
  • HTTPS/ACM - Application Load Balancer with host-based routing and SSL certificates
  • Pause/Unpause - ECS service controls with task sizing visibility
  • Regional Expansion - London and Ireland regions added to Bedrock dropdown
  • Control Panel Migration - AWS deployment logic moved from claudecodeui to control-panel for better separation
  • Crane Binary - Added crane for ECR image push operations
  • UI Enhancements - Collapsible AWS setup guide, region badges, EFS mount paths, version resolution from GitHub releases

Meeting Room External API

  • REST API Endpoints - Start, stop, and monitor meetings programmatically via /api/v1/meetings/*
  • Generic API Key System - Shared infrastructure for all Sasha APIs with api_keys and api_key_usage tables
  • Webhook Callbacks - Event-driven architecture with HMAC-SHA256 signature verification
  • Retry Logic - Callback delivery with 4 attempts and exponential backoff
  • API Token Management - "API Tokens" tab in My Account UI for key CRUD operations
  • Project Integration - Enhanced endpoints with project context
  • Reference Client - Companion sasha-meeting-api-client repository for integration examples

External Tasks API

  • Unified Execution Log - Single executions table logging all execution types (scheduled tasks, API tasks, meetings)
  • REST API - Programmatic task CRUD and on-demand execution via /api/v1/tasks
  • Schedule Toggle - On/Off toggle replaces Active/Disabled badges in the UI
  • Always-Enabled Run Button - Tasks can be triggered manually regardless of schedule state
  • PATCH Support - Partial updates for scheduler endpoints
  • Localhost Bypass - Simplified development workflow for API testing

Security Hardening

  • Centralized safePath() Utility - Replaces 16 inline resolve+startsWith checks across 14+ files; throws on traversal attempts
  • CodeQL Integration - Custom sanitizers for safePath(), all 15 remaining alerts resolved (path-injection + command-injection)
  • Nightly Security Scans - OSV Scanner, Semgrep (543+ OWASP rules), and Trivy configured at 03:00 UTC with SARIF uploads to GitHub Security tab
  • Rate Limiting - Added to public endpoints to prevent abuse
  • Dependency Fixes - Resolved qs DoS vulnerability, updated axios (CVE-2026-25639), fixed lodash CVE
  • Secret Cleanup - Removed leaked API key and .env.sliplane from git tracking
  • Dependabot Expansion - Monitoring extended to Docker ecosystem
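Why centralizing the resolve+startsWith check matters, as an added example (not Sasha's actual safePath() implementation). It shows a common weakness of the inline pattern, a prefix match with no separator boundary, next to a helper that throws on traversal; safePathExample, naiveCheck, tryResolve and the directory names are hypothetical.

```javascript
const path = require('node:path');

// Inline pattern: resolve + startsWith with no separator boundary.
// A sibling directory that shares the prefix passes this check.
function naiveCheck(baseDir, userPath) {
  const resolved = path.resolve(baseDir, userPath);
  return resolved.startsWith(path.resolve(baseDir));
}

// Hypothetical centralized helper: returns the resolved path or throws.
function safePathExample(baseDir, userPath) {
  if (typeof userPath !== 'string' || userPath.includes('\0')) {
    throw new Error('Invalid path input');
  }
  const base = path.resolve(baseDir);
  const resolved = path.resolve(base, userPath);
  // Compare by path segments, not by string prefix.
  const rel = path.relative(base, resolved);
  const escapes = rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel);
  if (escapes) {
    throw new Error('Path traversal blocked: ' + JSON.stringify(userPath));
  }
  // path.resolve is lexical only; if symlinks can exist under base,
  // also compare fs.realpathSync() results before opening the file.
  return resolved;
}

// Wrapper so callers and tests can observe the outcome without try/catch.
function tryResolve(baseDir, userPath) {
  try { return safePathExample(baseDir, userPath); } catch (err) { return null; }
}

// Constructed inputs: the base directory and request paths are illustrative.
const BASE = '/srv/sasha/appdata';
const cases = ['reports/q1.md', '../appdata-backup/keys.json', '/etc/passwd',
  'a/../../x', '..notes.txt'];
for (const c of cases) {
  console.log(c, '| naive:', naiveCheck(BASE, c), '| safe:', tryResolve(BASE, c) !== null);
}
```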

Message Reliability

  • Scenario D - Removed false content-equality dedup that dropped legitimate consecutive identical chunks (table rows, code patterns)
  • Scenario F - Replaced collision-prone makeKey signature with DJB2 hash for long content
  • Scenario H - Fixed tool activity skip logic — only skip reconciliation when assistant text is also present
  • Scenario J - Fixed lastRun assignment — empty fetch gets 2s cooldown instead of 8s for faster retry
  • Scenario K - Added debug logging for projectName lookup failure and skip cooldown penalty
  • Session Resume - Fixed vicious cycle in session resume flow
  • Stub JSONL Detection - Detect stub files and fall back to real session, preventing metadata pollution
  • Stream Stall Recovery - Clear loading state on stream-stall-timeout, halving hang time

UI/UX Improvements

Branding & Visual

  • New Favicon - SF7 brand design (purple S) with matching PWA icons
  • Dark Mode - Added dark mode support to reporting page components; fixed toggle to checkbox in quick settings

Status Bar Enhancements

  • Phase Display - Current processing phase shown in status bar
  • Tool Display - Active tool indicator
  • Token Display - Token usage with context percentage calculation
  • Cache Token Persistence - Cache token counts preserved across updates
  • 1M Context Indicator - Visual indicator for Bedrock 1M context window

File Manager

  • Tag Cloud Visibility - Hide tag cloud and Knowledge tags when search input is empty
  • Auth Token - Added authentication for knowledge document delete requests

Content Display

  • JSON/Code Truncation - Long JSON and code blocks truncated with expand/collapse toggle
  • Reporting Labels - Timestamp label clarified to "Most recent activity"

Settings

  • Community Skills Sync - New button in Settings > Version tab
  • API Documentation Link - Added to API Tokens settings panel

Stability & Reliability

Bedrock Integration

  • Model Alias Map - Added missing Opus 4.6 and Sonnet 4.5 model aliases
  • 1M Context Window - Full support for extended context
  • Haiku Warning - Alert when Haiku model uses thinking tokens

Bug Report System

  • Isolated Tokens - Bug report tokens separated from source code access
  • Expanded Diagnostics - Chat loading diagnostics, streaming state included in reports

Session Management

  • Session-Not-Found Handler - Client-side handling for missing sessions
  • Follow-Latest Guard - Prevent auto-navigate during active user interaction
  • Content Stall Indicator - Visual feedback during session validation loading

Database

  • Column Migration Fix - Fixed addColumnIfMissing to include column name in ALTER TABLE
  • Cascade Delete - Delete deployments before client in migration 010

Infrastructure & DevOps

GitHub Organization Migration

  • wapdat → context-is-everything - All GitHub references migrated to new organization
  • Registry Update - Docker images now at ghcr.io/context-is-everything/sasha-ai-knowledge-management
  • CI/CD Updates - Workflows, documentation, and control panel references updated

Docker

  • MCP Build Isolation - MCP package builds moved to separate Docker stages
  • Tag Push Optimization - Skip unnecessary Docker builds on tag push events
  • Environment Sanitization - Sanitize and restore .env.sliplane for Docker builds

CI/CD Workflows

  • Rationalized Naming - Grouped Actions sidebar navigation with consistent naming
  • Workflow Dispatch - Manual triggers added to multiple workflows
  • Branch Filtering - Prevent workflows running on all branches

Control Panel

  • Environment Variables - Added SASHA_GITHUB_TOKEN and PostHog env vars
  • Bug Report Integration - Bug report token env vars added to control panel

Developer Experience & Docs

Documentation Updates

  • AWS Hosting Guide - Complete documentation rewrite with hosting models and setup recipe
  • Meeting Room API - Reference docs at docs-developer/features/meeting-api/ and docs/integrations/api/meeting-room.md
  • Tasks API - Full API reference at docs/integrations/api/tasks.md
  • Security Scanning - Setup docs at docs-developer/decisions/security-scans/
  • Code Scanning Baseline - Post-remediation baseline report for February 2026
  • Feature Doc Organization - Loose feature docs reorganized into logical subdirectories

Knowledge System

  • Prefetch - Knowledge docs prefetched for projects with no sessions
  • Auth Token Passthrough - Auth token passed to docs iframe for protected content

Upgrade Notes

AWS Regional Hosting

  • New Capability: Deploy Sasha to any AWS region via the control panel
  • Migration Required: Existing App Runner clients should be migrated to ECS Fargate
  • Control Panel: AWS deployment logic has moved from claudecodeui to the control-panel repository

Meeting Room API

  • New Capability: External systems can manage meetings via REST API
  • Setup: Generate API keys from My Account > API Tokens
  • Webhooks: Configure callback URLs for event notifications with HMAC-SHA256 verification

External Tasks API

  • New Capability: Programmatic task execution via REST API
  • Schedule Toggle: Tasks now have explicit On/Off toggle instead of Active/Disabled badges

Security

  • Nightly Scans: CodeQL, Semgrep, and Trivy run automatically at 03:00 UTC
  • GitHub Security Tab: Scan results visible in repository Security tab

GitHub Organization

  • URL Change: All references updated from wapdat to context-is-everything
  • Docker Registry: Pull from ghcr.io/context-is-everything/sasha-ai-knowledge-management

Breaking Changes

  • AWS Deployment: App Runner clients must be migrated to ECS Fargate
  • Control Panel: AWS deployment logic moved to separate control-panel repository

Changelog Summary (since v1.0.1168)

Features

  • AWS Regional Hosting with ECS Fargate and EFS persistent storage
  • Auto-provisioning of VPC, security groups, ALB, IAM roles, CloudWatch
  • Meeting Room External REST API with webhook callbacks
  • Generic API key system with CRUD management UI
  • External Tasks API with unified execution log
  • Schedule On/Off toggle for tasks
  • Centralized safePath() path traversal protection
  • Nightly security scans (CodeQL, Semgrep, Trivy, OSV)
  • Rate limiting on public endpoints
  • SF7 brand favicon and PWA icons
  • Dark mode for reporting pages
  • Status bar with phase, tool, token, and context displays
  • 1M context window indicator for Bedrock
  • JSON/code block truncation with expand/collapse
  • Community Skills sync button
  • Collapsible AWS setup guide
  • AWS region badges in client listing
  • Crane binary for ECR image push

Fixes

  • Five HIGH-severity message drop scenarios (D, F, H, J, K)
  • Session resume vicious cycle
  • Stub JSONL detection and metadata pollution prevention
  • Stream stall timeout recovery (halves hang time)
  • Bedrock model alias map (Opus 4.6, Sonnet 4.5)
  • VPC selection for environments without default VPC
  • ECS task role for EFS access
  • Idempotent EFS access point and target group creation
  • Duplicate callback listener prevention in Meeting API
  • addColumnIfMissing column name in ALTER TABLE
  • Tag cloud visibility when search is empty
  • Auth token for knowledge document deletes
  • Follow-latest auto-navigate during active interaction
  • Dark mode toggle checkbox in quick settings
  • Context percentage calculation
  • Cache token persistence

Security

  • Centralized safePath() utility across 14+ files
  • Resolved all 15 CodeQL alerts (path-injection + command-injection)
  • Nightly CodeQL, Semgrep, Trivy, and OSV scans
  • Rate limiting on public endpoints
  • Fixed qs DoS vulnerability (GHSA-w7fw-mjwx-w883)
  • Updated axios (CVE-2026-25639)
  • Resolved lodash CVE
  • Removed leaked API key and .env.sliplane from git
  • Dependabot monitoring expanded to Docker ecosystem

Infrastructure

  • GitHub org migration: wapdat → context-is-everything
  • AWS pivot from App Runner to ECS Fargate
  • Control panel deployment script for AWS
  • Crane binary for ECR operations
  • MCP build isolation in Docker stages
  • Rationalized CI/CD workflow naming and branch filtering
  • GHCR authentication fixes for private images

Looking Ahead

  • AWS Self-Service Portal - Customer-facing deployment interface for AWS regional hosting
  • Meeting Intelligence Reports - AI-generated summaries and action items from meeting transcripts
  • Google Meet Production Support - Resolving data center deployment limitations for Google Meet bot
  • API Rate Limiting Dashboard - Visibility into API usage and rate limit status
  • Extended Webhook Events - Additional event types for Meeting and Tasks APIs

Jargon Buster - Technical Terms Explained

ECS Fargate

  • Amazon's serverless container service that runs Docker containers without managing servers
  • Like renting a kitchen that comes fully equipped — you just bring your recipe (container image)
  • Replaced App Runner for more control over networking, storage, and scaling

EFS (Elastic File System)

  • Amazon's managed network file storage that persists across container restarts
  • Like a shared USB drive that's always plugged in, even when you restart your computer
  • Ensures Sasha's data survives container updates and restarts

Application Load Balancer (ALB)

  • A traffic director that routes incoming requests to the right container with HTTPS encryption
  • Like a receptionist who checks IDs (SSL certificates) and directs visitors to the right office
  • Handles host-based routing so multiple Sasha instances can share infrastructure

Webhook Callback

  • A notification sent to your system when something happens in Sasha (like a meeting ending)
  • Like a restaurant buzzer that vibrates when your table is ready — you don't have to keep checking
  • The Meeting Room API sends callbacks with HMAC signatures so you can verify they're authentic

HMAC-SHA256

  • A cryptographic method to verify that a webhook message really came from Sasha and wasn't tampered with
  • Like a wax seal on a letter — you can verify the sender and that it hasn't been opened
  • Each API key has a corresponding secret used to sign webhook payloads

safePath()

  • A security utility that prevents attackers from accessing files outside allowed directories
  • Like a door lock that only opens to specific rooms — even if someone tries to pick a different lock
  • Replaces 16 separate security checks with one centralized, tested function

CodeQL / Semgrep / Trivy

  • Automated security scanning tools that analyze code for vulnerabilities
  • Like having three different home inspectors each checking for different problems
  • CodeQL finds logic bugs, Semgrep matches dangerous code patterns, Trivy checks dependencies

DJB2 Hash

  • A fast, non-cryptographic hash algorithm for generating compact fingerprints from text content
  • Like a fingerprint scanner for messages — two different messages almost never get the same fingerprint
  • Replaced a collision-prone method that was causing messages to be incorrectly identified as duplicates

Pipeline Message Drops

  • Scenarios where messages sent by the AI were lost before reaching the user's screen
  • Like a phone call where the other person's words cut out mid-sentence
  • Five specific drop patterns (labeled D, F, H, J, K) were identified and fixed in this release

SARIF (Static Analysis Results Interchange Format)

  • A standard format for security scan results that GitHub understands
  • Like a standardized medical test form that any doctor can read, regardless of which lab ran the test
  • Security scan results upload to GitHub's Security tab in this format

Crane Binary

  • A command-line tool for pushing container images to registries without needing Docker installed
  • Like a delivery truck that can move packages (container images) between warehouses (registries) efficiently
  • Used to push Sasha images to Amazon ECR for AWS deployments

This release marks a significant architectural evolution for Sasha Studio — from single-cloud deployment to multi-region AWS hosting, from internal-only features to external REST APIs, and from reactive security fixes to proactive nightly scanning. The message reliability work resolves five critical drop scenarios, ensuring conversations are trustworthy for enterprise knowledge work.