diff --git a/CHANGELOG.md b/CHANGELOG.md
index 28cc38d..53e68f3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,34 @@
 # Hermes Web UI -- Changelog
 
+## [v0.50.39] fix: orphan gateway sessions + first-password-enablement session continuity
+
+Two bug fixes:
+
+**PR #423 — Fix orphan gateway sessions in sidebar (@aronprins, fix by maintainer)**
+`gateway_watcher.py`'s `_get_agent_sessions_from_db()` was missing the
+`HAVING COUNT(m.id) > 0` clause that `get_cli_sessions()` already had. Sessions
+with no messages (e.g. created then abandoned before any turns) would appear in the
+sidebar via the SSE watcher stream even after the initial page load filtered them out.
+One-line SQL fix applied to both query paths.
+
+**PR #434 — First-password-enablement session continuity (@SaulgoodMan-C)**
+When a user enables a password for the first time via POST `/api/settings`,
+the current browser session was being terminated — requiring the user to log in
+again immediately after setting their password. Fix: the response now includes
+`auth_enabled`, `logged_in`, and `auth_just_enabled` fields, and issues a
+`hermes_session` cookie when auth is first enabled, so the browser remains logged in.
+Also: legacy `assistant_language` key is now dropped from settings on next save.
+New i18n keys for password replacement/keep-existing states (en, es, de, zh, zh-Hant).
+
+- `api/config.py`: `_SETTINGS_LEGACY_DROP_KEYS` removes `assistant_language` on load
+- `api/routes.py`: first-password-enable session continuity with `auth_just_enabled` flag
+- `static/panels.js`: `_setSettingsAuthButtonsVisible()` + `_applySavedSettingsUi()` helpers
+- `static/i18n.js`: password state i18n keys across 5 locales
+- `tests/test_sprint45.py`: 3 new integration tests (auth continuity + legacy key cleanup)
+
+- Total tests: 1078 (was 1075)
+
+
 ## [v0.50.38] feat: mobile nav cleanup, Prism syntax highlighting, zh-CN/zh-Hant i18n
 
 Three community contributions combined:
diff --git a/TESTING.md b/TESTING.md
index 9921b8d..e547d67 100644
--- a/TESTING.md
+++ b/TESTING.md
@@ -8,7 +8,7 @@
 > Prerequisites: SSH tunnel is active on port 8787. Open http://localhost:8787 in browser.
 > Server health check: curl http://127.0.0.1:8787/health should return {"status":"ok"}.
 >
-> Automated tests: 1075 total (1075 passing, 0 known failures). Includes onboarding coverage for bootstrap/static wizard presence, real provider config persistence (`config.yaml` + `.env`), the `/api/onboarding/*` backend, and the onboarding skip/existing-config guard.
+> Automated tests: 1078 total (1078 passing, 0 known failures). Includes onboarding coverage for bootstrap/static wizard presence, real provider config persistence (`config.yaml` + `.env`), the `/api/onboarding/*` backend, and the onboarding skip/existing-config guard.
 > Run: `pytest tests/ -v --timeout=60`
 
 ---
diff --git a/static/index.html b/static/index.html
index cd47457..18da691 100644
--- a/static/index.html
+++ b/static/index.html
@@ -536,7 +536,7 @@
                 <div class="settings-section-title">System</div>
                 <div class="settings-section-meta">Instance version and access controls.</div>
               </div>
-              <span class="settings-version-badge">v0.50.38</span>
+              <span class="settings-version-badge">v0.50.39</span>
             </div>
             <div class="settings-field" style="border-top:1px solid var(--border);padding-top:12px;margin-top:8px">
               <label for="settingsPassword" data-i18n="settings_label_password">Access Password</label>