v0.11.0

@mortondev mortondev released this 04 Jun 20:33
7f384b5

This release adds a major new opt-in feature, Conversations, alongside a wave of improvements to access, moderation, and the everyday admin experience.

Conversations (new, experimental). You can now switch on real-time chat and a shared support inbox. Visitors message your team right from the widget and see when you're typing and when you've read their message, while your team handles every thread in one place, with assignment, priorities, labels, internal notes, and search. You can reply by email and keep it in the same thread, turn a conversation into a feedback post, and ask visitors how the chat went. It's off by default, so nothing changes until you turn it on.

Granular board access. Every board now controls who can view, vote, comment, and submit, independently. Open each to anyone, to signed-in users, to specific customer segments, or to your team only. So you can let everyone read a board but require sign-in to vote, or reserve submissions for a beta group. New Public and Private presets make setup quick, and your existing boards carry over exactly as they were.

Private portals. Make your feedback portal private with a single switch, then choose who gets in: your team, people on a trusted email domain, anyone you invite, a customer segment, or visitors who signed in through your widget. Private portals show a clean sign-in wall and stay out of search engines. Public portals are unaffected.

Moderation. Optionally hold posts and comments for review before they go public, with a queue to approve or reject. Set it per board or across your whole workspace. Off by default.

Nicer to use, everywhere. Brazilian Portuguese for the portal and widget, new ways to group customers into segments, a friendlier widget home screen with a peek at your latest changelog, a polish pass across the whole admin panel, and reactions that now show who reacted.

For self-hosters. A proper production Docker setup, an image that runs natively on both Intel and ARM machines, smoother running across multiple instances, and a batch of reliability and security fixes.


Features

  • Conversations (new, experimental, off by default). A real-time chat channel in the widget plus a shared agent inbox. Visitors message your team and see typing indicators and read receipts; agents triage from one place with assignment, priority, status, labels, internal notes with @-mentions, message reactions, saved-for-later, and search. Turn it on from the Labs settings.
  • Email replies for conversations. Agents can reply by email and the visitor's response threads back into the same conversation. Requires configuring an inbound email address.
  • Convert a conversation into feedback. Turn a support chat into a feedback post, or upvote a similar existing post on the visitor's behalf, in one step.
  • Customer satisfaction (CSAT). Visitors can rate a closed chat, rolled up in a new Support section of Analytics.
  • Granular board access. A per-board permission matrix controlling view, vote, comment, and submit independently, each open to anyone, signed-in users, specific segments, or team only, with Public and Private presets. (#191)
  • Private portals. Require sign-in to view the portal, with access granted by team membership, trusted email domains, email invites, customer segments, or widget sign-in. Private portals are excluded from search engines and feeds.
  • Post and comment moderation. Optionally hold submissions for review before they publish, configurable per board or workspace-wide and separately for anonymous and signed-in authors, with an approve and reject queue.
  • Brazilian Portuguese. The portal and widget are now available in pt-BR, served automatically based on browser language. Contributed by @arthurbarret0. (#194)
  • More customer segments. Group people by country, language, last-active recency, and signup source.
  • Widget home screen. A new landing tab that greets visitors, points them to the right section, and previews your latest changelog entry, with help articles and messaging combined under one Help surface.
  • Reactions show who reacted. Hover a reaction on a comment or chat message to see who is behind it.
  • Reworked authentication settings. Sign-in providers are managed from one place with a single toggle each, custom identity providers offer a preset picker with issuer auto-detection, and guardrails stop you from locking yourself out.
  • Richer audit log. Each event now records the request ID, actor type, and sign-in method, all included in the CSV export.
  • Multi-architecture Docker image. Official images now run natively on both Intel and ARM. (#195)

Bug fixes

  • Widget hydration error behind font-proxying CDNs. Self-hosting the Inter font stops CDNs that rewrite font links from breaking the widget. (#133)
  • Clearer sign-in rate-limit message. Hitting the sign-in limit now returns a proper "too many attempts" message with a retry hint instead of a misleading "invalid email or password" error.

Performance

  • Faster public changelog. Visibility checks are pushed into the database query instead of loading every linked post and filtering in memory.

Security

  • SSRF hardening for image rehosting. External image fetches now connect to the already-validated address instead of re-resolving DNS, closing a rebinding window reachable across posts, changelog, and help-center content.
  • Integration webhook allowlist. Outbound integration webhooks route through the safe-fetch guard and enforce host allowlists. Thanks to @endscene665.
  • Signed email reply addresses. Conversation reply addresses are cryptographically tied to their conversation, so an agent email cannot be used to inject a reply into someone else's thread.
  • Verified-email guards on portal access. Email-based access grants require a verified email, so a segment rule cannot be used to walk into a private portal unverified.
  • Email masking in logs. Email addresses are obfuscated in unstructured server log output.
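
The SSRF hardening item above describes connecting to the already-validated address instead of re-resolving DNS. The following is an added example of that pattern in Node.js, not the project's own code; the blocklist contents, the function names, and the constructed hostname and addresses in the usage sketch are assumptions.

```javascript
const dns = require('node:dns');
const net = require('node:net');

// Destinations an image fetcher must not reach (illustrative, not exhaustive).
const blocked = new net.BlockList();
blocked.addSubnet('0.0.0.0', 8);
blocked.addSubnet('10.0.0.0', 8);
blocked.addSubnet('127.0.0.0', 8);
blocked.addSubnet('169.254.0.0', 16);    // link-local, incl. cloud metadata
blocked.addSubnet('172.16.0.0', 12);
blocked.addSubnet('192.168.0.0', 16);
blocked.addAddress('::1', 'ipv6');
blocked.addSubnet('fc00::', 7, 'ipv6');  // unique local
blocked.addSubnet('fe80::', 10, 'ipv6'); // link-local

function isBlocked(address) {
  const family = net.isIP(address);      // 0 means "not an IP literal"
  if (family === 0) return true;         // fail closed
  return blocked.check(address, family === 6 ? 'ipv6' : 'ipv4');
}

// Resolve ONCE; reject the host if any returned address is blocked.
// `lookup` is injectable so the check can be exercised without real DNS.
async function resolveValidated(hostname, lookup = dns.promises.lookup) {
  const records = await lookup(hostname, { all: true });
  if (records.length === 0 || records.some((r) => isBlocked(r.address))) {
    throw new Error(`refusing to fetch from ${hostname}`);
  }
  return records[0];                     // { address, family }
}

// Replacement for the `lookup` option of http(s).request: always answers with
// the validated record, so the socket cannot be steered by a second DNS answer.
function pinnedLookup(record) {
  return (_hostname, options, callback) => {
    if (typeof options === 'function') { callback = options; options = {}; }
    if (options.all) callback(null, [record]);
    else callback(null, record.address, record.family);
  };
}

// Usage sketch (performs network I/O, so it is left commented out):
//   const pin = await resolveValidated(url.hostname);
//   https.get(url, { lookup: pinnedLookup(pin) }, onResponse);
```

Because the URL keeps its hostname, the Host header and TLS certificate check are unchanged; only the socket destination is pinned. Each redirect hop needs the same resolve, validate, and pin sequence.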

Internal

  • Multi-replica-safe background jobs. Background sweepers (audit-log prune, invite expiry, stuck-item recovery, AI summaries, duplicate detection) now run under a cross-instance lock so only one replica runs each tick.
  • Duplicate-detection circuit breaker. The merge-suggestion sweep aborts after repeated failures instead of retrying in place.
  • Hardened production Docker stack. A new docker-compose.prod.yml ships the app and datastores with no exposed database ports, required-secret checks, healthcheck-gated startup, and a private upload bucket; the root docker-compose.yml is now development-only. (#195)

Tests

  • Extensive new coverage across live chat and the support inbox, board and portal access policy, moderation, and email-channel signature verification.

Upgrade notes

  • Run database migrations on upgrade (0066 through 0104). All are additive or migrate existing data automatically; no manual data changes are required.
  • Conversations is experimental and off by default. Enable it from the Labs settings. Inbound email replies additionally require the EMAIL_INBOUND_DOMAIN and EMAIL_INBOUND_SIGNING_SECRET environment variables.
  • Some admin settings pages moved: API is now Developers, User Attributes and Segments are now People, and Portal auth now lives under Security. Update any bookmarks.
  • The legacy board "audience" field was replaced by the new access model. Existing boards are migrated automatically; the REST API still exposes a read-only audience field, and vote endpoints now enforce each board's vote permission (a board that requires sign-in to vote will reject anonymous API votes).
  • Self-hosters: use docker-compose.prod.yml for production (the root compose is now development-only), and note that values in .env files must be unquoted for Docker --env-file.
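
The signed reply addresses listed under Security, and the EMAIL_INBOUND_SIGNING_SECRET variable named in the upgrade notes, imply an address that carries a keyed tag over the conversation it belongs to. The following is an added example of one way to build and verify such an address with HMAC-SHA256, not the project's own code; the `reply+<id>.<tag>` layout, the function names, and the conversation ids, domain and secret are constructed assumptions.

```javascript
const crypto = require('node:crypto');

// Constructed values. A deployment would take these from the
// EMAIL_INBOUND_DOMAIN and EMAIL_INBOUND_SIGNING_SECRET environment variables.
const DOMAIN = 'inbound.example.test';
const SECRET = 'constructed-secret-for-illustration';

// 128-bit tag, hex-encoded so it survives mail systems that fold case.
function tagFor(conversationId, secret) {
  return crypto.createHmac('sha256', secret)
    .update(`reply:${conversationId}`)   // domain-separation prefix (assumption)
    .digest('hex')
    .slice(0, 32);
}

function replyAddress(conversationId, secret = SECRET, domain = DOMAIN) {
  return `reply+${conversationId}.${tagFor(conversationId, secret)}@${domain}`;
}

// Returns the conversation id when the tag verifies, otherwise null.
// Assumes conversation ids are lowercase [a-z0-9_-], at most 24 characters.
function verifyReplyAddress(address, secret = SECRET, domain = DOMAIN) {
  const m = /^reply\+([a-z0-9_-]{1,24})\.([0-9a-f]{32})@(.+)$/
    .exec(String(address).toLowerCase());
  if (!m || m[3] !== domain) return null;
  const expected = Buffer.from(tagFor(m[1], secret), 'hex');
  const given = Buffer.from(m[2], 'hex');
  // Both buffers are 16 bytes, so the constant-time comparison cannot throw.
  return crypto.timingSafeEqual(expected, given) ? m[1] : null;
}
```

An inbound handler would drop any message whose recipient address returns null before touching the thread, so a tag copied from one conversation's address is useless on another's.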

Contributors

Thank you to the community contributors in this release:

Full changelog: v0.10.5...v0.11.0