Sasha Studio Release Notes: v1.0.1286 to v1.0.1326

Release Period: March 2026
Version Range: 1.0.1286 → 1.0.1326
Total Commits: 115

TL;DR - Business Summary

What's New in Plain English:

This release delivers 4 headline improvements — rock-solid streaming resilience, a major architectural cleanup, enhanced security, and a polished chat experience:

Bulletproof Session Streaming - Sasha now gracefully handles session interruptions, message loss, and context recovery. If a streaming connection drops, messages are automatically reconciled without losing your conversation — and sessions no longer flash or oscillate between states.
Workflows Unified Into Skills - The separate "Workflows" system has been merged into Skills. Everything is now a skill — simpler to manage, fewer menus to navigate, and one consistent way to create and run automations.
Proactive Memory Management - Sasha now dynamically sizes its memory based on your container, monitors pressure in real-time, and gracefully self-terminates with a reassuring message before running out of memory — instead of silently crashing.
Security Hardened - Multiple vulnerability patches including protection against code injection via file headers, regex denial-of-service fixes, and dependency updates addressing high-severity CVEs.

Business Value:

Reliability: Streaming resilience means fewer lost messages and smoother conversations, even on unstable connections
Simplicity: Unifying workflows into skills reduces complexity — one concept to learn, one place to manage automations
Stability: Proactive memory management prevents silent crashes during long or complex sessions
Security: Multiple CVE patches and injection protections keep your data safe

Executive Summary

The central theme of this release is resilience and simplification. The streaming layer received extensive hardening — session fallback no longer causes oscillation between sessions, message loss during fallback is prevented, reconciliation indicators show users when history is being refreshed, and the UI no longer flashes when sessions migrate. These changes make Sasha significantly more reliable during network interruptions and long-running sessions.

A major architectural cleanup unified workflows into skills, removing the standalone workflow infrastructure (separate database table, API routes, and template directory). Workflows are now simply skills with kind: agent-flow/workflow in their frontmatter. This eliminated ~3,800 lines of legacy SPA HTML generation code and removed the standalone workflow files, simplifying the codebase and the user experience.

Memory management was overhauled with dynamic CLI heap sizing based on container capacity, container-level memory diagnostics, and graceful self-termination with user-friendly messaging instead of silent OOM kills. The UI now shows blue-styled interruption notices and suppresses duplicate technical error messages.

Security received significant attention with gray-matter JS engine execution disabled to prevent code injection, ReDoS regex fixes, express-rate-limit and DOMPurify CVE patches, and multiple dependency bumps across MCP integrations.

Major Features & Improvements

Streaming Resilience & Session Management

Session Oscillation Fix - Stopped sending session-alias during fallback to prevent sessions bouncing between states (#105)
Screen Flash Prevention - Removed pendingNavigation from MIGRATE_SESSION to stop screen flashing (#104)
Silent Message Loss Prevention - Messages are no longer silently lost during session fallback (#96)
Session Migration URL Sync - selectedSessionId and URL now update correctly when a session migrates via fallback
Context Recovery - Session context recovers automatically when JSONL is missing, with 1M context ensured from first request
Reconciliation Indicator - Subtle visual indicator during message reconciliation so users know history is refreshing
Tool Result Recovery - Tool results are now recovered during force-reconcile after streaming drops (#46)
Stall Timeout Fix - Deferred stall timeout reconciliation to avoid stale streaming reference issues (#45)

Workflow-to-Skills Unification

Unified Architecture - Workflows merged into the skills system; no more separate workflow infrastructure
Legacy Removal - Removed standalone workflow database, API routes, and template directory
SPA Cleanup - Removed ~3,800 lines of legacy SPA HTML generation code
Example Skills - Example workflows (client review, document pipeline, multi-channel analysis) now live as skill templates
Workflow Editor Skill - Moved to deployed-md-files as canonical source and aligned with actual parser/serializer behaviour

Memory & Performance

Dynamic CLI Heap Sizing - CLI heap now scales automatically to container memory capacity, preventing OOM kills (#56)
Server Pressure Thresholds - Memory pressure thresholds scale to container size (#65)
ESM Import Fix - Replaced require('fs') with ESM imports to fix silent monitoring failure (#63)
Message Stream Caps - Capped message streams and added memory diagnostics (#48)
Separate Memory Reporting - Child CLI memory reported separately from server memory (#56/#57)
Backwards-Compatible Diagnostics - memoryAtClose backwards compatibility for older UI versions (#61)

UI & UX Polish

Graceful Self-Termination - Reassuring message shown when CLI self-terminates due to low memory (#65)
Blue Interruption Styling - CLI self-termination interruptions styled in blue instead of alarming red (#65)
Duplicate Error Suppression - Prevented duplicate technical error messages on system kills (#67)
Optimistic Message Display - User messages appear immediately on new session submit
Status Badge Spacing - Small gap added between consecutive status badges in chat
Tool Status Inline - Tool status text moved inline with header to reduce vertical space
Sidebar Sort - New projects now sort to top of list instead of bottom
Done Bar Stability - Prevented Done bar from being cancelled by elapsedTime reset
Auto Bug Reports - Bug reports automatically filed on session interruption

File Manager & Navigation

Parent Directory Navigation - Added parent directory navigation and fixed sidebar file opening
Knowledge Link Loading - Clicking knowledge links in FileTree now loads project docs correctly
All File Types in Knowledge - Knowledge sidebar shows all file types, not just .md
Auto-Collapse Sidebar - Sidebar auto-collapses when workflow or skill editor opens

Workflow Editor Enhancements

Conversational Wizard - Template picker replaced with a conversational workflow creation wizard
Code Dependency Callouts - Side callout nodes showing code dependencies on workflow canvas
Inline Code Nodes - Inline code callout nodes added to canvas visualisation
Fan-Out/Fan-In Indicators - Visual indicators for parallel workflow steps with highway-split design
Inline Schedule Picker - Schedule picker added directly to workflow manager cards
Copy Hints - Copy icon added to workflow inspector "Try:" hints
Drag-to-Resize Panels - Tools panel and right-side panels now support drag-to-resize
Panel Width - Removed hard max-width cap on File Manager panel
Self-Contained Hints - "Try:" hints now include file context and .md extension
Error Handling Toggle - Toggleable error handling added to workflow toolbar
Close Button - Universal X close button replaces back arrow

Stability & Reliability

Security

Gray-Matter Code Injection - Disabled JS engine execution in gray-matter to prevent code injection via file headers
ReDoS Regex Fix - Fixed regular expression denial-of-service vulnerability and sanitised image file extensions
CVE Patches - Updated express-rate-limit and DOMPurify for high-severity CVE patches
Hono Updates - Updated @hono/node-server to patch high-severity vulnerabilities
Dependency Overrides - Overrode vulnerable transitive dependencies
API Key Validation - Updated validation to use current Haiku model
GitHub Scanning - Resolved GitHub code scanning security alerts

Bug Fixes

Skills Panel Recovery - Fixed Skills panel not responding after viewing Workflows
Workflow Edge Styling - Removed teal colour from fan-out/fan-in connector edges and matched decoration style
Bug Report Screenshots - Shows 'skipped' instead of 'no' for screenshot field in auto bug reports
Workflow Skill Alignment - Aligned workflow-editor skill with actual parser, serializer, and UI behaviour

Developer Experience & Docs

Documentation Updates

Release Pipeline - New operations guide for the release pipeline process
HTML Generation Archive - Legacy HTML auto-generation docs moved to archive

Development Tools

Claude CLI Upgrade - Updated to Claude CLI 2.1.63
safeMatter Utility - New safe frontmatter parsing utility preventing code injection
Tool Call Grouping - New ToolCallGroup component and messageGrouping utility for cleaner chat rendering
Dockerfile Cleanup - Removed 12 lines from docker-entrypoint.sh (legacy workflow setup)

Upgrade Notes

Workflows → Skills Migration

Automatic: Standalone workflow files have been removed. All workflows now live as skills with kind: agent-flow/workflow in their frontmatter. Existing workflows created in the UI were already stored as skills, so no user action is needed.
The Workflows panel in the UI now reads from the skills API.

Removed Legacy HTML Generation

Automatic: The SPA HTML generation system (generate-spa-html.js, generate-initial-html.js, generate-standalone-html.js) has been removed. Documentation is now served via doc-builder. No user action needed.

Security Updates

Recommended: Update your container to get gray-matter injection protection and CVE patches. Standard docker pull and redeploy.

No Breaking Changes

All existing skills, workflows, and configurations continue to work without modification.

Changelog Summary (since v1.0.1286)

Features

Reconciliation indicator during message history refresh
Fan-out/fan-in visual indicators for parallel workflow steps
Code dependency side callouts and inline code nodes on workflow canvas
Conversational workflow creation wizard replacing template picker
Inline schedule picker on workflow manager cards
Drag-to-resize for Tools panel and right-side panels
Parent directory navigation in file manager
All file types visible in Knowledge sidebar
Auto-collapse sidebar when editors open
Copy icon on workflow inspector hints
Self-contained "Try:" hints with file context
Toggleable error handling in workflow toolbar
Optimistic user message display on new session submit
Auto-file bug reports on session interruption
Blue-styled CLI self-termination with reassuring message

Bug Fixes

Session oscillation during streaming fallback (#105)
Screen flashing on session migration (#104)
Silent message loss during session fallback (#96)
Session context recovery when JSONL missing
Tool result recovery during force-reconcile (#46)
Stall timeout with stale streaming reference (#45)
Dynamic CLI heap sizing to prevent OOM kills (#56)
Server memory pressure scaling to container size (#65)
Silent monitoring failure from require('fs') (#63)
Message stream caps with memory diagnostics (#48)
Duplicate technical error messages (#67)
Skills panel not responding after viewing Workflows
Done bar cancelled by elapsedTime reset
Sidebar sort order for new projects

Security

Gray-matter JS engine execution disabled (code injection prevention)
ReDoS regex fix with image extension sanitisation
express-rate-limit and DOMPurify CVE patches
Hono high-severity vulnerability patches
Vulnerable transitive dependency overrides
GitHub code scanning alert resolution

Refactoring

Unified workflows into skills — removed standalone workflow infrastructure
Removed ~3,800 lines of legacy SPA HTML generation
Moved workflow-editor skill to deployed-md-files as canonical source

Looking Ahead

Workflow Execution Dashboard: Real-time monitoring of running workflows with logs and progress tracking
Skill Marketplace: Share and discover reusable skills across Sasha instances
Enhanced Reconciliation: Automatic conflict resolution when multiple sessions interact with the same context
Container Health Dashboard: Surfacing memory diagnostics and performance metrics to admin users

Jargon Buster - Technical Terms Explained

Session Fallback

When a streaming connection to the AI drops, the system automatically reconnects and recovers your conversation
Like a phone call that drops and redials — you pick up where you left off without repeating yourself
This release fixed several edge cases where fallback could cause message loss or screen flashing

Reconciliation

The process of syncing the chat UI with the server's record of the conversation after a connection interruption
Like checking your notes match your colleague's notes after a meeting — making sure nothing was missed
A new visual indicator now shows when reconciliation is happening so you're not left wondering

OOM Kill (Out Of Memory)

When the operating system forcefully terminates a process because it's using too much memory
Like a circuit breaker tripping when too many appliances are running — sudden shutdown to protect the system
Sasha now prevents this by dynamically sizing its memory and gracefully shutting down before hitting the limit

Gray-Matter

A JavaScript library used to parse metadata headers (frontmatter) at the top of markdown files
Like reading the label on a file folder before opening it — extracting title, date, tags
A security fix disabled its built-in code execution engine, which could have been exploited via malicious file headers

CVE (Common Vulnerabilities and Exposures)

A standardised identifier for publicly known security vulnerabilities (e.g., CVE-2024-XXXX)
Like a product recall notice — an identified flaw that needs patching
This release patched CVEs in express-rate-limit, DOMPurify, and Hono

Fan-Out/Fan-In

A workflow pattern where one step splits into multiple parallel steps (fan-out) that later merge back (fan-in)
Like a manager delegating tasks to team members who work simultaneously, then collecting all results
The workflow editor now shows this visually with a highway-split design on the canvas

Thanks for upgrading. This release makes Sasha more resilient, simpler, and more secure — conversations survive interruptions, workflows and skills are one unified concept, and multiple security vulnerabilities have been patched.