[4.1.1] - 2026-07-01
Transparent Crypt Overlays, AeroShare Privacy Controls and 7z Encrypted Headers
A consolidation release built on the v4.1.0 feedback. Encrypted-overlay profiles (AeroCrypt and rclone-crypt) now stay encrypted through one transparent decorator wired at every provider chokepoint, so no surface can bypass the overlay and write plaintext into an encrypted store. AeroShare gains the two deferred P2P privacy controls (an anti-flood gate and a public-DHT opt-out), 7z can create archives with encrypted headers to hide filenames, Kilo Gateway joins the native AeroAgent providers, and a broad triage batch closes the confirmed bugs reported against v4.1.0. 47 languages translated.
Added
- Transparent crypt overlays end to end via a single decorator: encrypted-overlay profiles (native AeroCrypt and rclone-crypt) are now wrapped by one CryptOverlayProvider wired at every provider resolver chokepoint (CLI, cross-profile, AeroAgent, MCP, GUI, AeroCloud background sync, the selective-sync folder tree), so a surface that resolves its own provider can no longer bypass the overlay and write plaintext into the encrypted store or read ciphertext back. The decorator is fail-closed: a bound-but-locked vault is refused, never downgraded to raw. This grew out of an AeroSync compare/sync mismatch on a crypt profile where the overlay was applied ad hoc per command. (@EhudKirsh)
- Resume interrupted transfers: a Resume action continues an interrupted upload or download from where it stopped instead of restarting from zero.
- 7z create with encrypted header (-mhe) to hide filenames: opt-in like 7-Zip's "Encrypt file names" checkbox under the password. Off keeps content-only encryption (names readable); on hides the names too and then requires the password even to list the archive. Migrated from the unmaintained sevenz-rust 0.6 to sevenz-rust2 0.21. Wired into the Compress dialog and the CLI (aeroftp compress --encrypt-names); encrypted-header archives open in the existing GUI browser and standalone extract window. (#365)
- AeroShare anti-flood gate and public-DHT opt-out (the two AeroShare P2P follow-ups deferred from the v4.1.0 audit): inbound knocks, actions and file offers are gated before they reach the UI with a per-sender mute (always on), an optional friends-only allowlist (off by default to preserve first contact) and an in-memory sliding-window rate limit (default 20 signals per sender per minute, 0 disables). The long-term AFID can be kept off the public DHT with a new none discovery mode, discovery is now a persisted per-partition setting (both/dht/n0/none, all in Settings), and a destructive AFID rotation is guarded by a two-step confirm and stops every live served share first. New AeroSharePrivacySettings panel and a Mute-sender action on the knock prompt, 29 i18n keys across 47 locales. (#284)
- Kilo Gateway as a native AeroAgent AI provider: an OpenAI-compatible gateway routing to many open and free models behind one key, including the rotating Auto Free model (kilo-auto/free, 256K context, no credits required), plus paid Anthropic, OpenAI and Mistral with a signup credit. Wired through the existing OpenAI-compatible dispatch with full CLI parity. (#382)
- Benchmark group and all selection: aero benchmark --group <NAME> (repeatable, comma-aware) benchmarks the members of a My Servers group and --all benchmarks every saved profile, so a comparison needs no manual list. A profile-type column disambiguates multi-protocol profiles, the many-small-files run shows a live progress bar instead of a blind wait, and a mid-run public-IP change that reverts before the sweep ends still flags the comparison as not comparable. (@EhudKirsh, #277)
- AeroSync receipt item total and JSON export: the sync success banner now prints the total item count (uploaded plus downloaded plus deleted plus folders created) so it reconciles at a glance with the compare difference count, and an Export JSON button saves the full run report as pretty JSON.
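Added example, not AeroShare's own code: a minimal Rust sketch of the anti-flood gate described in the AeroShare entry above, applying the per-sender mute, the optional friends-only allowlist and the sliding-window rate limit in that order. The type, field and function names and the sender id are hypothetical; only the defaults (20 signals per sender per minute, 0 disables) come from the entry.

```rust
use std::collections::{HashMap, HashSet, VecDeque};
use std::time::{Duration, Instant};

#[derive(Debug, PartialEq)]
pub enum Verdict { Admit, Muted, NotFriend, RateLimited }

/// Hypothetical gate; names are illustrative, not AeroShare's API.
pub struct FloodGate {
    pub muted: HashSet<String>,   // per-sender mute, always enforced
    pub friends_only: bool,       // optional allowlist, off by default
    pub friends: HashSet<String>,
    pub limit_per_window: usize,  // 0 disables the rate limit
    pub window: Duration,
    recent: HashMap<String, VecDeque<Instant>>, // in-memory only, lost on restart
}

impl FloodGate {
    pub fn new() -> Self {
        FloodGate {
            muted: HashSet::new(), friends_only: false, friends: HashSet::new(),
            limit_per_window: 20, window: Duration::from_secs(60),
            recent: HashMap::new(),
        }
    }

    /// Decide whether a knock, action or file offer from `sender` may reach the UI.
    pub fn check(&mut self, sender: &str, now: Instant) -> Verdict {
        if self.muted.contains(sender) { return Verdict::Muted; }
        if self.friends_only && !self.friends.contains(sender) { return Verdict::NotFriend; }
        if self.limit_per_window == 0 { return Verdict::Admit; }
        let q = self.recent.entry(sender.to_string()).or_default();
        // Slide the window: forget admissions older than `window`.
        while q.front().map_or(false, |t| now.saturating_duration_since(*t) >= self.window) {
            q.pop_front();
        }
        // Rejected signals are not recorded, so each queue holds at most `limit_per_window` entries.
        if q.len() >= self.limit_per_window { return Verdict::RateLimited; }
        q.push_back(now);
        Verdict::Admit
    }
}

fn main() {
    let mut gate = FloodGate::new();
    let t0 = Instant::now();
    for i in 0..22 { // constructed input: one signal per second from one sender
        let v = gate.check("constructed-sender-id", t0 + Duration::from_secs(i));
        println!("signal {:2}: {:?}", i + 1, v);
    }
}
```

The per-sender queues are bounded, but the map itself grows with the number of distinct sender ids, so a real gate would also evict idle senders.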
Fixed
- v4.1.0 feedback triage batch (six confirmed bugs): Filen S3 rename and delete of emoji or non-ASCII names no longer return a 401 signature error (Filen's already percent-encoded keys were double-encoded, breaking the SigV4 copy-source); OpenDrive API upload no longer fails with "Incorrect chunk offset" (its multipart protocol is strictly sequential, so fan-out is capped at 1); the benchmark no longer leaves an empty scratch folder on Google Drive, MEGA and kDrive (best-effort emptiness-guarded cleanup plus idempotent mkdir); the --tui picker no longer flickers when the help row wraps in split-screen; AeroFile eject no longer flashes a console window on Windows (a shared CREATE_NO_WINDOW spawn helper now also covers rclone import and the schtasks autostart); and a just-ejected drive no longer lingers in Other Locations. (@EhudKirsh, #368, #351, #277)
- FTPS and other TLS connections from aeroftp-cli no longer crash on connect: the CLI never installed a rustls CryptoProvider while both aws-lc-rs and ring were in the dependency tree, so the first TLS handshake panicked; fixed by pinning aws-lc-rs once at startup. Alongside, suppaftp was bumped 8.0.3 to 10.0.0, replacing its internal panics on malformed server responses with proper error results and closing RUSTSEC-2026-0009 (stack exhaustion via time). Validated live on plain FTP and explicit FTPS put/get round-trips.
- The 7z compression level now takes effect: the Compress dialog's Fast/Normal/Maximum buttons and the CLI's --level were handed to the encoder but then dropped, so every 7z used the library default; the create path now maps the 0-9 level onto LZMA2's preset in both the password and the plain branch. (#365)
- Duplicating a saved profile now copies every stored secret, not just the main password: the copy dropped the per-mode credential snapshot, the Filen CLI key and the AeroCrypt overlay password and salt, so the copy opened blank and could not connect. A shared vault-secrets helper now copies each per-profile vault key on duplicate and purges the full key set on delete, recomputing every has-stored flag from what actually copied (audit F-01/F-02). (@EhudKirsh, #366)
- Profile import keeps distinct profiles that share an account: import skipped any profile whose host, port and username matched an existing one, silently dropping legitimately distinct profiles that differ by protocol, crypt overlay, bound folder or auth mode. Only a true re-import (same stable profile id) is now skipped; a profile that merely resembles an existing one is kept and reported.
- An rclone-crypt overlay connection now opens at the configured Remote Path instead of the provider root: the post-unlock decrypted reload listed with a null path and fell back to the root; it now anchors to the session's bound overlay scope.
- A 2FA-protected connection to an encrypted-overlay profile now unlocks the overlay after the code is entered: the 2FA retry re-entered through the Quick Connect path, which had none of the saved-profile overlay logic; it now runs the same overlay activation as the saved-server connect.
- AeroCrypt overlays unlock on OAuth backends: a crypt password saved on an OAuth profile (Google Drive, Dropbox, OneDrive, Box, pCloud, 4shared) was never unlocked because both OAuth connect paths returned early before the overlay logic; the credential-provider sequence is now mirrored on both OAuth branches. (@EhudKirsh)
- AeroCrypt v3 reports decrypted sizes and preserves the upload mtime: the overlay now advertises plaintext sizes for v3 items and keeps the original modification time across an encrypted upload.
- AeroShare "reveal received file" selects the file in the file manager on Linux instead of opening it, via the D-Bus org.freedesktop.FileManager1.ShowItems method (Nautilus, Dolphin, Nemo, Caja), falling back to opening the parent folder on minimal distros. Matches the Windows /select, and macOS -R paths.
- The "Open Cloud Folder" tray entry is now disabled when AeroCloud is off, guarding the stale-enabled case where the menu opened the non-existent ~/AeroCloud default path.
- The folder picker no longer crashes on a stale or non-existent start path: handing a non-existent defaultPath to the native GTK folder chooser crashed the app with heap corruption (common after importing a profile from another machine); the chooser is now fixed at the point of use so it still opens for picking a new folder.
- The AeroTools bottom panel and the text preview now follow the Ice theme instead of rendering dark, and the AI Settings, Add/Edit Model and AeroAgent model modals are draggable by their header; the text-preview scrollbar is widened. (@EhudKirsh, #347)
- The master-password lock screen now has the window controls and a top drag region, mirroring the account picker, so the window can be moved and controlled before unlocking. Clicking a line number in the text preview selects that whole line, IDE-gutter style. (@EhudKirsh, #347)
- The remote file panel deselects on an empty-area click (matching the local panel) and the toolbar Stop button shows a cancel spinner while an AeroSync run is being stopped.
- The AeroSync receipt no longer undercounts created folders: parent-directory creations are now counted into the report so the total reconciles with the compare difference count.
- v4.1.1 pre-release audit hardening: crypt compare and reconcile no longer double-handle an already wrapped CLI/MCP overlay provider; shaped multipart Stop cancels begin/part/commit and aborts the provider session; crypt-wrapped GitHub profiles use the generic encrypting write path instead of failing a GitHub-only downcast; the GitHub executor upload is cancel-aware; and Google Drive folder-only mkdir is idempotent.
Changed
- Retired the legacy per-command crypt layer: the crypt-overlay decorator subsumes the old unlock-dialog mini-browser and the per-command crypt folder, mkdir and rename commands, which have been removed.
Contributors
Downloads:
- Windows: .msi installer, .exe, or .zip portable (no installation required)
- macOS: .dmg disk image
- Linux: .deb, .rpm, .snap, or .AppImage