Skip to content

Releases: achref-soua/helio

v2.3.1

Choose a tag to compare

@achref-soua achref-soua released this 29 Jun 20:17
63d0ced

What's Changed

Full Changelog: v2.3.0...v2.3.1

Visual recap

Helio v2.3.1

Dashboard Journey canvas
Segment builder Email builder
Campaigns Contacts

More: subsystem diagrams · architecture · product guide PDF · setup guide PDF

v2.3.0

Choose a tag to compare

@achref-soua achref-soua released this 28 Jun 19:11
7610542

What's Changed

Full Changelog: v2.2.5...v2.3.0

Visual recap

Helio v2.3.0

Dashboard Journey canvas
Segment builder Email builder
Campaigns Contacts

More: subsystem diagrams · architecture · product guide PDF · setup guide PDF

v2.2.5

Choose a tag to compare

@achref-soua achref-soua released this 28 Jun 14:43
1f2b2bd

Documentation & CI release — full subsystem visual coverage plus a per-release visual recap. No application code change.

Highlights

  • Subsystem diagrams (17) — ingestion, CDP identity, analytics, segmentation, journeys (Temporal durability), multi-channel delivery, webhooks, landing/forms, widgets, AI copilot, churn, MCP, RLS isolation, credential vault, SSO/SCIM, scheduler, deployment profiles. Mermaid sources in docs/diagrams/ render to committed SVGs via task diagrams; gallery at docs/diagrams.md, linked from docs/architecture.md.
  • Visual recap on release — a visual-recap workflow montages the product screenshots, attaches the montage + a gallery markdown as release assets, and appends the gallery to these notes.

Changes: #324 (diagrams + workflow), #325 (version bump).

Visual recap

Helio v2.2.5

Dashboard Journey canvas
Segment builder Email builder
Campaigns Contacts

More: subsystem diagrams · architecture · product guide PDF · setup guide PDF

v2.2.4

Choose a tag to compare

@achref-soua achref-soua released this 28 Jun 12:15
5b030ce

Dependency advisories patched (hono → 4.12.27, undici override → 7.28.0, pydantic-settings → 2.14.2; pnpm audit --prod 5 high → 1 high) and a full production-readiness audit with measured load numbers — sustained ~20,000 events/s at p95 81 ms (4× the ≥5k target). See docs/production-readiness/v2.2.3.md.

v2.2.3

Choose a tag to compare

@achref-soua achref-soua released this 28 Jun 10:43
3bfcb7f

v2.2.3 — CI reliability

The Playwright e2e suite is now a hard gate in CI — green with zero retries across consecutive runs.

Fixed

  • e2e suite reliability — the four specs that flaked under the 2-core CI runner all failed for environment/correctness reasons, not timing:
    • BACKUPS_PANEL_ENABLED was set only in the dev .env, which next start doesn't read in CI, so the backups panel never rendered (backups + settings-sections specs). Now set in the e2e server env and documented in .env.example.
    • the scheduling test read the booking path from the "Copy link" button's label, which never contained a URL. Booking pages now render their public link as a visible, clickable element, and the test reads it.
    • the password-policy interactions could be dropped before hydration; routed through the hydration-robust retry helpers.
  • CI verify job@helio/workers branch coverage sat right on the 80% gate and tipped red non-deterministically (the source of the recurring CI-failure emails). Covered the real WebPushProvider adapter to restore a stable margin.

Changed

  • The e2e job is no longer continue-on-error: a red shard now fails the run.

v2.2.2

Choose a tag to compare

@achref-soua achref-soua released this 28 Jun 00:37
86692ad

Patch release — a journey send-safety fix and the /settings interactivity restore.

Fixes

  • No more journey double-sends on SMS, WhatsApp, or web push. A worker retry after a delivered send could re-send (real cost on SMS/WhatsApp, duplicate pushes); these channels are now idempotent like email and in-app already were.
  • /settings is snappier again. The panels render immediately and respond on the first click — the per-panel code-split that had slowed the lowest panels and broken first-click interaction on weak machines is reverted.

Under the hood

  • The repo now runs its end-to-end suite in CI on every change (informational for now).

Upgrade: helio update (or re-run the install script).

v2.2.1

Choose a tag to compare

@achref-soua achref-soua released this 27 Jun 21:52
d5559dc

Patch release — fixes a /settings regression in v2.2.0.

Fix

  • /settings no longer errors. In v2.2.0 the settings code-split rendered the About panel (a server component) in the client tree, throwing getTranslations is not supported in Client Components on every authenticated /settings load. The About panel is a server import again; the other panels stay code-split, so the first-load performance win is unchanged.

Caught by the new end-to-end CI gate. Self-hosters on v2.2.0 should update.

Upgrade: helio update (or re-run the install script).

v2.2.0

Choose a tag to compare

@achref-soua achref-soua released this 27 Jun 17:50
19fd375

Install friction was the focus: Docker is no longer a wall, and there are two new low-friction ways to stand Helio up.

Highlights

  • Bulletproof Docker UX — the installer and helio doctor now diagnose the real failures and fix the safe ones: Linux socket-permissions vs a stopped daemon, macOS engine start, and on Windows a missing WSL2 backend (offers wsl --install) or CPU virtualization disabled in the BIOS.
  • One-paste cloud-VM deploy — paste infra/cloud/helio-cloud-init.yaml as a Linux VM's user-data and Helio installs itself on first boot.
  • Self-resetting public demoinfra/cloud/helio-demo-cloud-init.yaml brings up a demo that restores a golden snapshot every 6 hours.
  • Faster /settings on weak machines — the settings panels are code-split, cutting first-load client JS by ~92 KB (−10%) with no UI change.
  • Track your bug reports — reported issues now show live status (synced from GitHub), and a resolved report nudges you to update once the fix ships.

Notes

v2.1.0

Choose a tag to compare

@achref-soua achref-soua released this 27 Jun 12:51
70a37c9

Highlights

  • 🔴 Critical fix — no double-sends. Journey email and in-app sends are now idempotent across Temporal retries; a retry after a delivered message no longer re-sends. Proven with a PostgreSQL integration regression. (#288)
  • 🔒 Security audit + live OWASP ZAP. Closed two High cross-tenant flaws (analytics BOLA over ClickHouse, idempotency-key response leak), a stored-XSS via javascript: CTA URLs, an unthrottled landing form, and header hardening. ZAP baseline: 0 High / 0 fail / 58 pass. Full report: docs/security/audit-2.1.0.md. (#290)
  • 📦 Install is now a plain script on every OS — no compiled binary. install.sh / install.ps1 drive Docker Compose directly (download + checksum-verify the bundle, generate secrets, bring the stack up) and save themselves as ~/.helio/helio for day-2 ops. Nothing for antivirus/SmartScreen to flag. (#291)
  • 🧪 First PR CI pipeline (lint, typecheck, tests, Python) so regressions are caught before merge. (#292, #293)
  • 🐛 Unbroke the end-to-end suite (password/credential selector regressions). (#289)

Install

curl -fsSL https://github.com/achref-soua/helio/releases/latest/download/install.sh | sh

Windows: irm https://github.com/achref-soua/helio/releases/latest/download/install.ps1 | iex

v2.0.9 — Security & performance

Choose a tag to compare

@achref-soua achref-soua released this 15 Jun 22:15
cf7331c

A security-hardening and performance release. No breaking changes; existing deployments update in place.

Security

  • SSRF guards on every server-side fetch of an operator-supplied URL — outbound webhooks and credential "test connection" probes now refuse private/loopback/metadata targets (opt back in for trusted LAN hosts). (#277#279)
  • Intelligence service token — the AI /v1 API now requires a shared INTEL_SERVICE_TOKEN (generated per install), closing the one tenant-data path that sat outside Postgres RLS. (#280)
  • Rate-limit resilience — the gateway limiter degrades gracefully instead of 500-ing the API when Redis is briefly down. (#281)
  • Kubernetes NetworkPolicy (opt-in) restricting the AI plane to web + workers, and pinned floating sidecar image tags. (#282)
  • Dependency advisories patched: protobufjs, js-yaml, cryptography, starlette. (#276)

Performance

  • Opt-in PgBouncer transaction pooling for the RLS app connection — verified safe (the tenant id is transaction-local). (#283, ADR-0022)
  • Shared write-key cache on the ingest hot path. (#284, ADR-0023)

Full write-up: docs/security/audit-2.0.9.md.