This release adds 3 notable features for engineering teams evaluating rollout.
✓ No known CVEs patched in this version
Summary
AI summaryUpdates Release Notes, Install heso-cli 0.1.9, and Install heso-verify 0.1.9 across a mixed release.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Feature | Low |
A plat body now records the `seed` it ran under. A plat body now records the `seed` it ran under. Source: llm_adapter@2026-05-28 Confidence: high |
— |
| Feature | Low |
Adds `heso-verify`: a standalone HESO/1.0 Grade‑0 verifier crate. Adds `heso-verify`: a standalone HESO/1.0 Grade‑0 verifier crate. Source: llm_adapter@2026-05-28 Confidence: high |
— |
| Bugfix | Medium |
Fixes PyPI wheel build failure caused by binary tokenization errors. Fixes PyPI wheel build failure caused by binary tokenization errors. Source: llm_adapter@2026-05-28 Confidence: high |
— |
| Bugfix | Medium |
`heso run` replays using the recorded seed instead of hardcoded 0. `heso run` replays using the recorded seed instead of hardcoded 0. Source: llm_adapter@2026-05-28 Confidence: low |
— |
| Bugfix | Low |
`heso run` replays using seed recorded in input plat; falls back to 0 if missing; `--seed` still overrides. `heso run` replays using seed recorded in input plat; falls back to 0 if missing; `--seed` still overrides. Source: granite4.1:30b@2026-05-28-audit Confidence: low |
— |
| Refactor | Medium |
`heso run` delegates verification logic to the new `heso-verify` crate, centralizing open/verify code. `heso run` delegates verification logic to the new `heso-verify` crate, centralizing open/verify code. Source: granite4.1:30b@2026-05-28-audit Confidence: low |
— |
Full changelog
Release Notes
Added
- A plat body now records the
seedit ran under (FetchPage.seed,
default 0), an ordinary field covered byplat_hash, so a run is
self-describingly reproducible (HESO/1.0 §4). heso-verify: a standalone HESO/1.0 Grade-0 verifier crate that owns
the canonicalization,plat_hash, and sealed-envelope open/verify
logic with a minimal dependency set (serde, serde_json, serde_jcs,
blake3, ed25519-dalek verify-only, base64) — no engine, DOM, or
network crate. The engine's verify path now delegates to it, so the
open/verify logic lives in exactly one place. The verb surface
(heso unseal/heso verify) is unchanged.
Changed
heso runreplays under the seed recorded in the input plat rather
than a hardcoded 0, so a deterministic replay reproduces the same DOM
an independent verifier would. An explicit--seedstill overrides;
legacy plats with no recorded seed fall back to 0. Replaying an
unmodified plat stays byte-identical (the stamp → runplat_hash
contract holds).
Fixed
- The PyPI wheel builds again. setup.py hands the native
hesobinary
to setuptools as ascriptsentry; setuptools'build_scripts
command tried to tokenize it as Python and failed the wheel build
(source code cannot contain null byteson Linux,invalid or missing encoding declarationon Windows). The binary is now copied
into the wheel's*.data/scripts/directory verbatim. 0.1.8 shipped
to npm but not PyPI for this reason; 0.1.9 restores PyPI.
heso-cli 0.1.9
Install heso-cli 0.1.9
Install prebuilt binaries via shell script
curl --proto '=https' --tlsv1.2 -LsSf https://github.com/blank3rs/heso/releases/download/v0.1.9/heso-cli-installer.sh | sh
Install prebuilt binaries via powershell script
powershell -ExecutionPolicy Bypass -c "irm https://github.com/blank3rs/heso/releases/download/v0.1.9/heso-cli-installer.ps1 | iex"
Download heso-cli 0.1.9
| File | Platform | Checksum |
|--------|----------|----------|
| heso-cli-aarch64-apple-darwin.tar.gz | Apple Silicon macOS | checksum |
| heso-cli-x86_64-apple-darwin.tar.gz | Intel macOS | checksum |
| heso-cli-x86_64-pc-windows-msvc.zip | x64 Windows | checksum |
| heso-cli-aarch64-unknown-linux-gnu.tar.gz | ARM64 Linux | checksum |
| heso-cli-x86_64-unknown-linux-gnu.tar.gz | x64 Linux | checksum |
heso-verify 0.1.9
Install heso-verify 0.1.9
Install prebuilt binaries via shell script
curl --proto '=https' --tlsv1.2 -LsSf https://github.com/blank3rs/heso/releases/download/v0.1.9/heso-verify-installer.sh | sh
Install prebuilt binaries via powershell script
powershell -ExecutionPolicy Bypass -c "irm https://github.com/blank3rs/heso/releases/download/v0.1.9/heso-verify-installer.ps1 | iex"
Download heso-verify 0.1.9
| File | Platform | Checksum |
|--------|----------|----------|
| heso-verify-aarch64-apple-darwin.tar.gz | Apple Silicon macOS | checksum |
| heso-verify-x86_64-apple-darwin.tar.gz | Intel macOS | checksum |
| heso-verify-x86_64-pc-windows-msvc.zip | x64 Windows | checksum |
| heso-verify-aarch64-unknown-linux-gnu.tar.gz | ARM64 Linux | checksum |
| heso-verify-x86_64-unknown-linux-gnu.tar.gz | x64 Linux | checksum |
Weekly OSS security release digest.
The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.
No spam, unsubscribe anytime.
Share this release
About blank3rs/heso](https:
All releases →Related context
Related tools
Earlier breaking changes
- v0.3.0 `heso search` defaults to Mojeek, Brave, Marginalia, Wikipedia (plus SearXNG) instead of DuckDuckGo.
- v0.2.0 Removes the plat registry, `publish`, `pull`, and `list` verbs.
- v0.1.8 `run` now verifies input platform integrity before replaying and exits on mismatch (exit 1).
- v0.1.8 `read` no longer fetches external `<script src=...>` by default; opt‑in with `--js-fetch`.
Beta — feedback welcome: [email protected]