blank3rs/heso](https:

v0.1.6 Breaking

This release includes 2 breaking changes for platform teams planning a safe upgrade.

Published 7d CLI & Terminal

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

✓ No known CVEs patched in this version

ReleasePort's take

Light signal

editorial:auto 7d

The release removes internal project-document references from all public surfaces and updates the hygiene workflow to assert README copy at publish time.

Why it matters: These refactor changes affect documentation visibility and CI validation, impacting developers who rely on accurate public messages and automated checks during publishing.

Summary

AI summary

Updates Release Notes, Install heso-cli 0.1.6, and Hygiene across a mixed release.

Changes in this release

Type	Severity	Summary	CVE
Refactor	Low	Removed internal project-document references from all public surfaces. Removed internal project-document references from all public surfaces. Source: llm_adapter@2026-05-28 Confidence: high	—
Refactor	Low	Updated hygiene workflow to assert README copy step at publish time. Updated hygiene workflow to assert README copy step at publish time. Source: llm_adapter@2026-05-28 Confidence: high	—

Full changelog

Release Notes

Changed

Removed internal project-document references from public surfaces.
The verify-side stderr ("mode: live is not replay-safe ..."), the
cassette-miss errors emitted by the JS fetch() and XMLHttpRequest
shims, the Python wrapper docstrings, the TypeScript declarations,
the README, and the CONTRIBUTING notes no longer cite internal
project documents. User-facing prose now describes the behavior
directly.
README's heso run description drops the parenthetical project-doc
citation; receipts example no longer trails "per " on
the live-mode rejection.
Hygiene: .pre-commit-config.yaml and the hygiene workflow's .md
allowlist now admit the four standard meta files
(CONTRIBUTING.md, SECURITY.md, CODE_OF_CONDUCT.md,
CHANGELOG.md). The old readme-sync-blocks job (which assumed
npm/heso/README.md lived in the git tree) is replaced with a
positive assertion that .github/workflows/pypi.yml carries the
publish-time cp README.md npm/heso/README.md step. Drift between
the GitHub-displayed README and the npm-displayed README is now
structurally impossible — the file is generated at publish time
from the same root README.

Install heso-cli 0.1.6

Install prebuilt binaries via shell script

curl --proto '=https' --tlsv1.2 -LsSf https://github.com/blank3rs/heso/releases/download/v0.1.6/heso-cli-installer.sh | sh

Install prebuilt binaries via powershell script

powershell -ExecutionPolicy Bypass -c "irm https://github.com/blank3rs/heso/releases/download/v0.1.6/heso-cli-installer.ps1 | iex"

Download heso-cli 0.1.6

| File | Platform | Checksum |
|--------|----------|----------|
| heso-cli-aarch64-apple-darwin.tar.gz | Apple Silicon macOS | checksum |
| heso-cli-x86_64-apple-darwin.tar.gz | Intel macOS | checksum |
| heso-cli-x86_64-pc-windows-msvc.zip | x64 Windows | checksum |
| heso-cli-aarch64-unknown-linux-gnu.tar.gz | ARM64 Linux | checksum |
| heso-cli-x86_64-unknown-linux-gnu.tar.gz | x64 Linux | checksum |

Breaking Changes

Removed internal project-document references from public surfaces including verify-side stderr, cassette-miss errors, Python wrapper docstrings, TypeScript declarations, README, and CONTRIBUTING notes.
Replaced the `readme-sync-blocks` job with a publish‑time step that copies README.md to npm/heso/README.md, making drift between GitHub and npm READMEs impossible.

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track blank3rs/heso](https:

Get notified when new releases ship.

About blank3rs/heso](https:

All releases →

Related context

Related tools

Earlier breaking changes

v0.3.0 `heso search` defaults to Mojeek, Brave, Marginalia, Wikipedia (plus SearXNG) instead of DuckDuckGo.
v0.2.0 Removes the plat registry, `publish`, `pull`, and `list` verbs.
v0.1.8 `run` now verifies input platform integrity before replaying and exits on mismatch (exit 1).
v0.1.8 `read` no longer fetches external `<script src=...>` by default; opt‑in with `--js-fetch`.