diff --git a/projects/business/memory/sessions.md b/projects/business/memory/sessions.md
index 5229b11..69a5a5d 100644
--- a/projects/business/memory/sessions.md
+++ b/projects/business/memory/sessions.md
@@ -1128,3 +1128,10 @@
   - Add `customer.updated` AND `customer.subscription.updated` to Stripe webhook events
   - Fix MX DNS record (BUG-050)
   - Enable Stripe invoice emails (BUG-049)
+
+## Session 48d — 2026-02-17 11:38 UTC (Security Hardening)
+- **REMOVED Change Email feature entirely** (investor decision — security issue: leaked API key = account hijack)
+  - Deleted: change-email.html page, email-change.ts API routes, footer links, sitemap entry
+  - Kept: Stripe `customer.updated` webhook for Pro email sync, `updateEmailByCustomer()` in keys.ts
+  - Commit f5cea97 deployed, verified: /change-email returns 404, zero references in HTML
+- Free tier users can create new key with new email; Pro users get email synced from Stripe