Releases: he8um/daryaft
Release list
Daryaft v1.12.0
Daryaft v1.12.0
Daryaft v1.12.0 is a stable release focused on polishing the TUI download input experience.
Highlights
- Added cleaner URL validation before TUI download planning.
- Added cleaner
.txtfile path validation before TUI download planning. - Added actionable validation messages for empty, malformed, unsupported, missing, directory, and unreadable inputs.
- Added clearer
.txtfile path guidance with full-path examples. - Added one-URL-per-line guidance for
.txtdownload files. - Added compact safe defaults preview on URL and file input screens.
- Improved visibility of configured output root /
download_dir. - Updated TUI help text to mention Settings and the
cshortcut. - Exported
download.ValidateURLfor shared URL validation. - Added tests for TUI validation, defaults preview, no-color rendering, prompt/help text, and exported URL validation.
- Updated usage, command reference, manual QA, roadmap, index, and changelog docs.
TUI input validation
The TUI now catches common input mistakes earlier and shows shorter, more actionable messages.
Examples include:
URL cannot be empty.
URL must start with http:// or https://.
Invalid URL: host is required.
File path cannot be empty.
File not found: /path/to/urls.txt
Path is a directory: /path/to/dir
Cannot read file: /path/to/urls.txt
The core download planner remains authoritative for final validation.
.txt file guidance
The TUI now clarifies that file-based downloads expect a full path to a .txt file containing URLs.
Example:
/Users/amirhesampiri/Downloads/urls.txt
The .txt file should contain one URL per line.
Defaults preview
The URL and file input screens now show a compact safe defaults preview before the download setup continues.
The preview includes:
Output dir
Retries
Resume
User-Agent
Timeout
This helps users confirm the configured output root and common defaults before proceeding.
Security model
The defaults preview intentionally shows only safe non-secret values.
It does not display:
DARYAFT_USERNAMEDARYAFT_PASSWORD- usernames
- passwords
- tokens
- API keys
- Authorization headers
- Proxy-Authorization headers
- cookies
- proxy values
- arbitrary header values
This release does not add credential input or credential persistence.
Documentation
Updated or added:
docs/usage.mddocs/command-reference.mddocs/operations/manual-qa.mddocs/roadmap/v1.12.0-tui-download-input-ux.mddocs/index.mdCHANGELOG.md
Known limitations
- Queue/session persistence is not implemented.
- Config editing from TUI is not implemented.
- Credential/auth/proxy/header input from TUI is not implemented.
- File picker/autocomplete is not implemented.
- Mouse support is not implemented.
user_agentandtimeoutare not newly wired into actual TUI download HTTP options unless already supported.- Auto-update is still not implemented.
- GoReleaser Homebrew publishing remains disabled.
- Windows is not officially supported.
Upgrade
Homebrew:
brew update && brew upgrade daryaftGitHub binary users:
Download the matching archive from GitHub Releases.
Source users:
git pull
go build .Daryaft v1.11.0
Daryaft v1.11.0
Daryaft v1.11.0 is a stable release focused on read-only TUI awareness of safe configuration settings.
Highlights
- Added a read-only TUI Settings screen.
- Added a
Settingsitem to the TUI home menu beforeQuit. - Added
cshortcut from the TUI home screen to open Settings. - Added TUI display of active config path.
- Added TUI display of whether config was loaded from file or defaults are being used.
- Added TUI display of safe effective config values:
download_dirretriesresumeno_colorno_tuithemeanimationshyperlinksuser_agenttimeout
- Added display markers for default, unset, and reserved values.
- Added tests for Settings rendering, Settings navigation,
cshortcut, no-color rendering, and secret exclusion. - Updated TUI/config documentation and manual QA.
TUI Settings screen
The TUI now includes a read-only Settings screen.
Open it from the TUI home screen by either:
selecting Settings
pressing c
Return home with:
esc
backspace
Quit with:
q
What it shows
The Settings screen shows the active configuration path and whether a config file was loaded.
It also shows safe effective settings such as:
download_dir
retries
resume
no_color
no_tui
theme
animations
hyperlinks
user_agent
timeout
Empty/default values are presented clearly:
(default)
(none)
(reserved)
Security model
The Settings screen is read-only and intentionally excludes secrets.
It does not display:
DARYAFT_USERNAMEDARYAFT_PASSWORD- usernames
- passwords
- tokens
- API keys
- Authorization headers
- Proxy-Authorization headers
- cookies
- proxy values
- arbitrary header values
It does not edit config files.
It does not provide config set/reset actions.
It does not introduce any TUI credential or auth flow.
Documentation
Updated or added:
docs/configuration.mddocs/command-reference.mddocs/usage.mddocs/operations/manual-qa.mddocs/roadmap/v1.11.0-tui-config-awareness.mddocs/index.mdCHANGELOG.md
Known limitations
- Settings screen is read-only.
- TUI config editor is not implemented.
- Config set/reset from TUI is not implemented.
- Credential display is intentionally excluded.
- Auth flow in TUI is not implemented.
- Proxy/header persistence is not implemented.
- Config profiles are not implemented.
- Live config reload is not implemented.
- Auto-update is still not implemented.
- GoReleaser Homebrew publishing remains disabled.
- Windows is not officially supported.
Upgrade
Homebrew:
brew update && brew upgrade daryaftGitHub binary users:
Download the matching archive from GitHub Releases.
Source users:
git pull
go build .Daryaft v1.10.0
Daryaft v1.10.0
Daryaft v1.10.0 is a stable release focused on safe configuration persistence improvements.
Highlights
- Added
user_agentconfiguration support for default download user-agent. - Added
DARYAFT_USER_AGENTenvironment override. - Added
timeoutconfiguration support for overall download request timeout. - Added
DARYAFT_TIMEOUTenvironment override. - Added
--timeout <duration>download flag. - Added global
--config <path>flag for explicit configuration file selection. - Added tests for config/env/CLI precedence.
- Updated configuration, command reference, usage, manual QA, roadmap, and README documentation.
- Preserved the security boundary: credentials and secret-bearing values are not persisted in config.
Configuration
Daryaft already supports YAML configuration at the platform-specific config path:
<UserConfigDir>/daryaft/config.yaml
Examples:
macOS: ~/Library/Application Support/daryaft/config.yaml
Linux: ~/.config/daryaft/config.yaml
This release adds two safe non-secret keys:
user_agent: ""
timeout: ""user_agent sets the default download user-agent when --user-agent is not provided.
timeout sets the overall HTTP request timeout when --timeout is not provided. It uses Go duration syntax such as:
30s
2m
1m30s
Environment overrides
New environment variables:
DARYAFT_USER_AGENT
DARYAFT_TIMEOUT
Precedence remains:
CLI flags > environment variables > config file > built-in defaults
New flags
Global config path override:
daryaft --config ./config.yaml config show
daryaft --config ./config.yaml download https://example.com/file.zipDownload timeout override:
daryaft download https://example.com/file.zip --timeout 30sSecurity model
Daryaft v1.10.0 intentionally does not persist secrets.
The following remain unsupported in config:
- usernames
- passwords
- tokens
- API keys
- Authorization headers
- Proxy-Authorization headers
- cookies
- proxy URLs
- arbitrary headers
Use existing CLI flags or environment variables for per-invocation credentials where supported.
Validation
- Invalid timeout values are rejected.
- Zero or negative timeout values are rejected.
- Invalid user-agent values are rejected.
- Missing default config file remains non-error.
- Missing explicit
--config <path>is an error. - Unknown config fields remain rejected by strict YAML parsing.
Documentation
Updated or added:
docs/configuration.mddocs/command-reference.mddocs/usage.mddocs/operations/manual-qa.mddocs/roadmap/v1.10.0-config-persistence-safe-core.mddocs/index.mdREADME.mdCHANGELOG.md
Known limitations
- Credentials are intentionally not persisted.
- Auth headers are intentionally not persisted.
- Proxy persistence is intentionally deferred.
- Arbitrary header persistence is intentionally deferred.
- Config profiles are not implemented.
- TUI config editor is not implemented.
- Auto-update is still not implemented.
- GoReleaser Homebrew publishing remains disabled.
- Windows is not officially supported.
Upgrade
Homebrew:
brew update && brew upgrade daryaftGitHub binary users:
Download the matching archive from GitHub Releases.
Source users:
git pull
go build .Daryaft v1.9.0
Daryaft v1.9.0
Daryaft v1.9.0 is a stable release focused on download retry and resume reliability hardening.
Highlights
- Added HTTP
408 Request Timeoutto retryable download responses. - Locked retry classification with deterministic tests.
- Added deterministic integration coverage for
408followed by successful retry. - Hardened resume behavior for oversized local partial files.
- Locked missing/corrupt resume sidecar behavior with tests.
- Documented safe restart behavior for
416, partial-overflow, and sidecar-loss cases. - Documented cancellation exit behavior.
- Documented that
429 Retry-Afteris not honored yet. - Added v1.9.0 roadmap/scope documentation.
Retry behavior
Daryaft now retries these HTTP statuses:
408
429
500
502
503
504
These common client-side statuses remain non-retryable:
400
401
403
404
410
429 Retry-After headers are not honored yet. Daryaft continues to use its standard exponential backoff.
Resume behavior
Daryaft already supported safe resume behavior for Range downloads.
This release additionally hardens the case where a local partial file is larger than the known remote file size. In that case, Daryaft restarts safely from byte 0 instead of appending to an unsafe partial file.
Resume behavior remains:
206 Partial Content: append when validators and content range are safe.200 OKafter aRangerequest: restart from byte0.416 Requested Range Not Satisfiable: restart from byte0as a safe default.- missing/corrupt sidecar metadata: restart safely or treat as non-resumable; no unsafe append.
Cancellation behavior
Cancellation exits non-zero and preserves partial download state where applicable.
Cancelled batch items remain cancelled, and remaining items are reported as not started.
Documentation
Updated or added:
docs/features/resume-and-retry.mddocs/command-reference.mddocs/usage.mddocs/operations/manual-qa.mddocs/roadmap/v1.9.0-download-reliability-hardening.mddocs/index.mdCHANGELOG.md
Known limitations
Retry-Afterheaders are not honored yet.416always restarts from byte0instead of treating the partial file as complete.- Concurrent batch downloads are not implemented.
- Config persistence is not implemented.
- Auto-update is still not implemented.
- GoReleaser Homebrew publishing remains disabled.
- Windows is not officially supported.
Upgrade
Homebrew:
brew update && brew upgrade daryaftGitHub binary users:
Download the matching archive from GitHub Releases.
Source users:
git pull
go build .Daryaft v1.8.0
Daryaft v1.8.0
Release date: 2026-06-10
Status: Stable
Daryaft v1.8.0 adds batch checksum verification via a manifest file and TUI
checksum status display. It builds on v1.7.0 which added single-target
--checksum verification.
Highlights
--checksum-file <path> — verify each download target against a manifest
of <algorithm>:<hex> <url> entries. Every target must have exactly one entry;
the command validates the manifest before any network request starts.
TUI checksum status — after a checksum-backed batch run, the queue shows
Checksum OK or Checksum Failed per item and the summary appends
Checksum verified: N.
What's New
--checksum-file flag
daryaft download URL1 URL2 --checksum-file checksums.txt
daryaft download --file urls.txt --checksum-file checksums.txtManifest format — one entry per line, blank lines and # comments ignored:
sha256:<hex> <url>
sha512:<hex> <url>
Validation rules (all checked before any network request):
- Every download target must have exactly one manifest entry.
- Every manifest entry must match a download target (no orphan entries).
- Duplicate URLs in the manifest are rejected.
- Malformed lines produce a line-numbered error.
--checksumand--checksum-filecannot be used together.
Checksum verification behavior
- On match: item marked
Checksum OK; batch summary showsChecksum verified: N. - On mismatch: item marked
Checksum Failed, file kept in place, command exits non-zero. - Verification runs after each successful download; failed downloads are not verified.
TUI checksum status
After a checksum-backed batch completes:
- Queue items show
Checksum OK(✓ in color mode,[ok]in no-color mode) or
Checksum Failed(✗ /[!]). - The execution summary appends
Checksum verified: N.
Install
Homebrew:
brew update && brew upgrade daryaft
daryaft versionGitHub binary archives:
# Example: macOS Apple Silicon
curl -L -O https://github.com/he8um/daryaft/releases/download/v1.8.0/daryaft_darwin_arm64.tar.gz
curl -L -O https://github.com/he8um/daryaft/releases/download/v1.8.0/checksums.txt
shasum -a 256 --check checksums.txt
tar -xzf daryaft_darwin_arm64.tar.gz
./daryaft versionAvailable archives: daryaft_linux_amd64.tar.gz, daryaft_linux_arm64.tar.gz,
daryaft_darwin_amd64.tar.gz, daryaft_darwin_arm64.tar.gz.
Source:
git pull
go build .Known Limitations
- Checksum file URL matching is exact; URLs are not normalized. The URL in the
manifest must match the URL passed to the command character-for-character. - GNU
sha256sum-format files (digest-only lines without<algorithm>:prefix)
are not supported. - Checksum auto-discovery (fetching
.sha256sidecar files) is not implemented. - TUI batch checksum input forms are not implemented; the TUI displays results
only (results come from CLI--checksum-file). - Signature, PGP, and attestation verification are out of scope.
- A checksum mismatch does not delete the downloaded file.
Upgrade Notes
- No breaking changes.
--checksumsingle-target behavior is unchanged. --checksumand--checksum-fileare mutually exclusive — passing both exits
non-zero before any network request.
Daryaft v1.7.0
Daryaft v1.7.0
Daryaft v1.7.0 is a stable release focused on checksum verification for single-target CLI downloads.
Highlights
- Added
--checksum algorithm:hexfor single-target CLI downloads. - Added SHA-256 checksum verification.
- Added SHA-512 checksum verification.
- Added checksum validation before network requests.
- Added post-download checksum verification after successful downloads.
- Added clear checksum success and mismatch output.
- Added checksum dry-run display.
- Added root URL mode support for
--checksum. - Added clear validation for unsupported batch checksum usage.
- Added checksum feature documentation and manual QA.
Usage
Verify a SHA-256 checksum:
daryaft download https://example.com/file.zip --checksum sha256:<hex>Verify a SHA-512 checksum:
daryaft download https://example.com/file.zip --checksum sha512:<hex>Root URL mode:
daryaft --checksum sha256:<hex> https://example.com/file.zipDry-run:
daryaft download https://example.com/file.zip --checksum sha256:<hex> --dry-runBehavior
On match:
Checksum verified: sha256
On mismatch, Daryaft exits non-zero and reports:
- file path
- algorithm
- expected digest
- actual digest
The downloaded file is left in place for inspection/removal.
Batch limitation
--checksum is currently supported for single-target downloads only.
These are intentionally rejected in v1.7.0:
daryaft download URL1 URL2 --checksum sha256:<hex>
daryaft download --file urls.txt --checksum sha256:<hex>Per-file batch checksums are not supported yet.
Security note
Checksum verification confirms file integrity against a known digest.
It does not prove who published the file. Publisher authenticity requires
signatures or attestations, which are out of scope for v1.7.0.
Documentation
Updated or added:
docs/features/checksum-verification.mddocs/operations/checksum-verification-qa.mddocs/roadmap/v1.7.0-checksum-verification.mdCHANGELOG.md
Known limitations
- Per-file batch checksums are not supported.
- TUI checksum entry is not implemented.
- Signature/PGP/attestation verification is not implemented.
- Checksum verification proves integrity against a known digest, not publisher authenticity.
- Auto-update is still not implemented.
- Config persistence is not implemented.
- Concurrent batch download is not implemented.
- GoReleaser Homebrew publishing remains disabled.
- Windows is not officially supported.
Upgrade
Homebrew:
brew update && brew upgrade daryaftGitHub binary users:
Download the matching archive from GitHub Releases.
Source users:
git pull
go build .Daryaft v1.6.0
Daryaft v1.6.0
Daryaft v1.6.0 is a stable release focused on CLI download UX polish and TUI queue UX polish.
Highlights
- Improved CLI download completion messages with final size and elapsed time.
- Added clearer in-band failure messages for single-download failures.
- Added clearer
Resuming:andRestarting:CLI messages. - Renamed unfinished batch-summary items from
SkippedtoNot started. - Added TUI queue history during execution.
- Added TUI queue status markers for completed, failed/cancelled, in-progress, and other states.
- Improved TUI post-run wording and summary labels.
CLI download UX
Single-download completion output now includes both final size and elapsed time, for example:
Completed: file.zip (512 B in 1.2s)
Failure events now show an in-band message:
Failed: <error>
Resume/restart events are easier to scan:
Resuming: <message>
Restarting: <message>
Batch summaries now use:
Not started
for items that never ran.
TUI queue UX
During batch execution, the TUI now shows a queue history above the current item detail block.
Status markers:
| State | Color mode | No-color mode |
|---|---|---|
| Completed | ✓ |
[ok] |
| Failed / Cancelled | ✗ |
[!] |
| In progress | → |
[>] |
| Other | · |
[-] |
The post-run hint now says:
enter/h new download • q quit
Documentation
Updated:
CHANGELOG.mddocs/usage.mddocs/command-reference.mddocs/operations/manual-qa.mddocs/roadmap/v1.6.0-download-tui-ux-polish.md
Known limitations
- Auto-update is still not implemented.
- No OAuth support.
- No token manager support.
- No cookie jar/session persistence.
- No credential storage.
- No
.netrcsupport. - No TUI auth/config flow.
- No SOCKS5 proxy support.
- No config persistence.
- No checksum verification.
- No concurrent batch download.
- GoReleaser Homebrew publishing remains disabled.
- Windows is not officially supported.
Upgrade
Homebrew:
brew update && brew upgrade daryaftGitHub binary users:
Download the matching archive from GitHub Releases.
Source users:
git pull
go build .Daryaft v1.5.0
Daryaft v1.5.0
Daryaft v1.5.0 is a stable release focused on HTTP customization QA, security, and UX polish.
Highlights
- Improved dry-run Basic Auth display to show the username while redacting the password.
- Added optional
DARYAFT_USERNAMEandDARYAFT_PASSWORDfallback for CLI Basic Auth. - Improved invalid header and proxy error messages.
- Expanded sensitive-header redaction test coverage.
- Expanded HTTP customization QA documentation.
HTTP credential fallback
DARYAFT_USERNAME and DARYAFT_PASSWORD can now be used as fallback Basic Auth credentials for CLI download and inspect flows.
CLI flags still take precedence:
--username--password
The env fallback applies to:
- root URL download
daryaft downloaddaryaft inspect
It does not apply to TUI.
Security
- Raw CLI passwords are not printed.
- Raw env passwords are not printed.
- Sensitive headers remain redacted.
DARYAFT_PASSWORDwithout a username is rejected.- CLI flags override env credentials.
- Basic Auth plus explicit
Authorizationheader remains rejected. - SOCKS5 proxy remains unsupported.
Documentation
Updated:
docs/features/http-request-customization.mddocs/operations/http-customization-qa.mdCHANGELOG.md
Known limitations
- No OAuth support.
- No token manager support.
- No cookie jar/session persistence.
- No credential storage.
- No
.netrcsupport. - No TUI auth/config flow.
- No SOCKS5 proxy support.
- Auto-update is still not implemented.
- GoReleaser Homebrew publishing remains disabled.
- Windows is not officially supported.
Upgrade
Homebrew:
brew update && brew upgrade daryaftGitHub binary users:
Download the matching archive from GitHub Releases.
Source users:
git pull
go build .Daryaft v1.4.0
Daryaft v1.4.0
Status: RELEASED — Stable release. Tag:
v1.4.0.
Summary
Daryaft v1.4.0 is a reliability and test-determinism release. It makes
go test ./... and make rc-check fully deterministic by eliminating all
real GitHub API calls from the default test suite. It also improves the
user-facing error messages for the daryaft update --check command when the
GitHub API is unavailable, rate-limited, or returns unexpected responses.
No new end-user features are added. No new dependencies are introduced.
The release ships binary archives for linux/amd64, linux/arm64, darwin/amd64,
and darwin/arm64. The Homebrew formula at he8um/homebrew-tap has been updated
to v1.4.0.
What's New
Deterministic Test Suite
go test ./... no longer calls the real GitHub Releases API under any
circumstances. All update-check tests drive a local httptest.Server via the
new hidden --api-base-url flag and the APIBaseURL field on
update.CheckOptions. Real-network update tests are preserved but require the
opt-in environment variable:
DARYAFT_RUN_NETWORK_TESTS=1 go test ./cmd -run TestUpdateCommand_RealNetworkDeterministic make rc-check
make rc-check is now safe from GitHub API rate-limit failures. Previously,
running the full test suite without -short could trigger real GitHub API calls
and fail with 403 Forbidden in CI or local environments with exhausted rate
limits. This is fully resolved.
Improved Update Check Error Messages
daryaft update --check now reports clear, actionable error messages for each
failure category:
| Condition | Error Message |
|---|---|
| GitHub API rate limit / 403 | "GitHub API returned 403 Forbidden, likely due to rate limiting or access restrictions. Try again later" |
| Repository not found / 404 | "GitHub release repository was not found (404 Not Found)" |
| GitHub server error / 5xx | "GitHub API is temporarily unavailable (500 Internal Server Error). Try again later" |
| Request timeout | "request to GitHub timed out. Check your network and try again" |
| Network unreachable | "could not reach GitHub Releases API. Check your network and try again" |
| Invalid API response | "GitHub API returned an invalid response" |
Error Classification Tests
New deterministic tests in cmd/update_test.go cover:
TestUpdateCommand_403Error— rate-limit messageTestUpdateCommand_404Error— not-found messageTestUpdateCommand_500Error— unavailability messageTestUpdateCommand_InvalidJSONError— invalid response messageTestUpdateCommand_403_JSONOutput—--jsonerror output is valid JSONTestUpdateCommand_HiddenAPIBaseURLFlag— hidden flag exists and is hidden
Hidden Test Injection Flag
A hidden --api-base-url flag is available on daryaft update for test
injection only. It does not appear in --help output and is not intended for
end-user use.
User-Facing Behavior
daryaft update --checkremains read-only. It never downloads, installs, or
replaces the current binary.- All existing CLI flags (
--check,--json,--include-prerelease) are
unchanged. - Error messages are now clearer when GitHub is unavailable or rate-limited.
- No GitHub authentication or token support has been added.
Known Limitations
- Auto-update is not implemented. Use
daryaft update --checkto check for
updates and the appropriate command for your install channel to upgrade. - GitHub auth/token support is not implemented. Unauthenticated API calls are
subject to GitHub's public rate limits (60 requests/hour per IP). - Real-network update smoke can still hit GitHub rate limits when run manually
withoutDARYAFT_RUN_NETWORK_TESTS=1. - GoReleaser Homebrew publishing remains disabled. The Homebrew formula is
manually maintained athe8um/homebrew-tap. - Windows is not officially supported.
Upgrade Instructions
Homebrew
brew update && brew upgrade daryaft
daryaft versionGitHub Binary
Download the v1.4.0 archive for your platform from
GitHub Releases,
extract, and replace your existing binary.
Source
git pull && go build .
./daryaft versionValidation Summary
go test ./...— PASS (deterministic, no real GitHub calls)go test -short ./...— PASSgo build ./...— PASSgo test -race ./internal/downloader— PASSgo test -race ./internal/tui— PASSmake lint— PASS (0 issues)make security— PASS (govulncheck: no vulnerabilities; gosec: 0 issues)goreleaser check— PASSmake rc-check— PASS (deterministic)- GoReleaser artifact build — PASS
- Extracted binary version:
1.4.0,built_by: goreleaser - Checksum verification — PASS
- Homebrew formula updated to
v1.4.0 - Homebrew install/upgrade validated
Security Behavior
HTTP request customization redaction (from v1.3.0) is unchanged:
--passwordvalues are always displayed as[REDACTED]- Headers matching authorization, cookie, token, key, and related patterns are
displayed as[REDACTED] - No credentials appear in error messages, logs, or dry-run output
Daryaft v1.3.0
Daryaft v1.3.0
Status: RELEASED — Stable release. Tag:
v1.3.0.
Summary
Daryaft v1.3.0 adds HTTP request customization to the CLI download and inspect
flows. It ships --proxy, repeatable --header "Name: Value", --user-agent,
and HTTP Basic Auth via --username/--password. All five flags apply to root
URL downloads, the download subcommand, inspect, and batch downloads. No new
external dependencies are introduced.
The release ships binary archives for linux/amd64, linux/arm64, darwin/amd64,
and darwin/arm64. The Homebrew formula at he8um/homebrew-tap has been updated
to v1.3.0.
What's New
HTTP Request Customization
Five new flags are available on daryaft download (and bare URL invocation) and
daryaft inspect:
| Flag | Description |
|---|---|
--proxy <url> |
HTTP or HTTPS proxy URL |
--header "Name: Value" |
Custom request header (repeatable) |
--user-agent <value> |
Override the default User-Agent |
--username <value> |
HTTP Basic Auth username |
--password <value> |
HTTP Basic Auth password |
Usage examples
# Proxy
daryaft download https://example.com/file.zip --proxy http://proxy.corp:8080
# Custom headers (repeatable)
daryaft download https://example.com/file.zip \
--header "X-API-Token: mytoken" \
--header "Accept: application/zip"
# User-Agent override
daryaft download https://example.com/file.zip --user-agent "MyApp/2.0"
# HTTP Basic Auth
daryaft download https://restricted.example.com/file.zip \
--username alice --password s3cr3t
# Inspect with custom header
daryaft inspect https://api.example.com/artifact \
--header "Authorization: Bearer mytoken"
# Dry-run preview (password shown as [REDACTED])
daryaft download https://example.com/file.zip \
--username alice --password s3cr3t --dry-runBatch download support
All flags apply uniformly to every item in a batch download:
daryaft download -f urls.txt --header "X-Batch: yes" --proxy http://proxy:8080Proxy transport
The proxy wraps the existing transport, preserving all existing timeouts. Only
http:// and https:// proxy schemes are supported.
Security and Redaction
- Passwords are always redacted.
--passwordvalues never appear in output,
logs, dry-run summaries, or verbose diagnostics. The raw value only reaches
req.SetBasicAuth()internally. - Sensitive headers are redacted. Header names matching
authorization,
proxy-authorization,cookie,set-cookie,x-api-key,x-token,
x-auth-token, or names containingsecret,token,password,key, or
authorizationare shown as[REDACTED]in dry-run and verbose output.
Dry-run example
$ daryaft download https://example.com/file.zip \
--username alice --password topsecret \
--header "Authorization: Bearer tok" \
--header "X-Custom: visible" \
--dry-run
# Output:
# HTTP
# Headers:
# Authorization: [REDACTED]
# X-Custom: visible
# Auth: [REDACTED]Validation Rules
--proxy:http://orhttps://only.socks5://and other schemes are
rejected with a clear error.--header "Name: Value": colon separator required; empty values are allowed.
Repeatable.--passwordwithout--username: rejected with error--password requires --username.--username/--passwordcombined with an explicitAuthorizationheader:
rejected with erroruse either --username/--password or an Authorization header, not both.--user-agentoverrides anyUser-Agentcustom header.
New Internal Package
internal/httpopts is a new shared package providing:
- Options types (
Header,Options,RedactedOptions) - Header parsing and validation
- Proxy URL validation
- Auth consistency checks
- Redaction (
Redact()) - Request application (
ApplyToRequest()) - Proxy client factory (
NewClient()) — clones base transport, preserves timeouts
TUI Isolation
HTTP customization flags are CLI-only in v1.3.0. All five flags are registered
in hasDownloadFlagChanges(), so passing any of them on the command line routes
to CLI download mode, not the TUI. The TUI is unaffected.
Upgrade Instructions
Homebrew
brew update
brew upgrade daryaft
daryaft version
daryaft download --helpGitHub Binary Archives
Download v1.3.0 assets from the
v1.3.0 GitHub release:
# Example: macOS Apple Silicon
curl -L -O https://github.com/he8um/daryaft/releases/download/v1.3.0/daryaft_darwin_arm64.tar.gz
curl -L -O https://github.com/he8um/daryaft/releases/download/v1.3.0/checksums.txt
shasum -a 256 --check checksums.txt
tar -xzf daryaft_darwin_arm64.tar.gz
./daryaft versionAvailable archives:
| File | Platform |
|---|---|
daryaft_linux_amd64.tar.gz |
Linux x86-64 |
daryaft_linux_arm64.tar.gz |
Linux ARM64 |
daryaft_darwin_amd64.tar.gz |
macOS Intel |
daryaft_darwin_arm64.tar.gz |
macOS Apple Silicon |
checksums.txt |
SHA-256 checksums for all archives |
Source Build
git pull
go build .
./daryaft versionKnown Limitations
- TUI HTTP customization not implemented.
--proxy,--header,
--user-agent,--username, and--passwordare CLI-only. The interactive
TUI does not support HTTP options in this release. - SOCKS5 proxy not supported.
socks5://scheme is rejected. SOCKS5
requiresgolang.org/x/net/proxy; adding it would introduce an external
dependency which is out of scope. - OAuth and token manager not implemented. Bearer token support requires an
explicit--header "Authorization: Bearer <token>". - Cookie jar and session persistence not implemented.
- Credential storage not implemented. Passwords are not persisted to keychain,
config file, or environment. Use shell environment variables or OS-level
credential managers externally if needed. .netrcnot implemented.- Auto-update not implemented.
daryaft updatewithout--checkexits
non-zero. A future release will implement in-place binary upgrade. - Windows not officially supported. No Windows binaries are published.
- GoReleaser Homebrew publishing remains disabled. The
brews:block in
.goreleaser.ymlis still commented out. The Homebrew formula is manually
maintained, assisted byscripts/update-homebrew-formula.sh. - No signed checksums.
checksums.txtcontains plain SHA-256 hashes.
Validation Summary
All required checks passed before release:
| Check | Result |
|---|---|
go test ./... |
PASS |
go build ./... |
PASS |
go test -race ./internal/downloader |
PASS |
go test -race ./internal/tui |
PASS |
make lint (golangci-lint) |
0 issues |
make security (govulncheck) |
no vulnerabilities |
make security (gosec) |
Issues: 0 |
goreleaser check |
1 config validated |
make rc-check |
PASS |
git diff --check |
PASS |
| Invalid header rejection smoke | PASS |
| SOCKS5 rejection smoke | PASS |
| Password redaction smoke | PASS |
| GoReleaser artifact build | PASS |
| Extracted binary version | 1.3.0 |
built_by |
goreleaser |
| Checksum verification | PASS |
daryaft doctor smoke |
PASS |
| Homebrew formula update | PASS |
brew upgrade daryaft |
PASS |