v2.1.0
Highlights
- 🔴 Critical fix — no double-sends. Journey email and in-app sends are now idempotent across Temporal retries; a retry after a delivered message no longer re-sends. Proven with a PostgreSQL integration regression. (#288)
- 🔒 Security audit + live OWASP ZAP. Closed two High cross-tenant flaws (analytics BOLA over ClickHouse, idempotency-key response leak), a stored-XSS via
javascript:CTA URLs, an unthrottled landing form, and header hardening. ZAP baseline: 0 High / 0 fail / 58 pass. Full report:docs/security/audit-2.1.0.md. (#290) - 📦 Install is now a plain script on every OS — no compiled binary.
install.sh/install.ps1drive Docker Compose directly (download + checksum-verify the bundle, generate secrets, bring the stack up) and save themselves as~/.helio/heliofor day-2 ops. Nothing for antivirus/SmartScreen to flag. (#291) - 🧪 First PR CI pipeline (lint, typecheck, tests, Python) so regressions are caught before merge. (#292, #293)
- 🐛 Unbroke the end-to-end suite (password/credential selector regressions). (#289)
Install
curl -fsSL https://github.com/achref-soua/helio/releases/latest/download/install.sh | shWindows: irm https://github.com/achref-soua/helio/releases/latest/download/install.ps1 | iex