Skip to content

Releases: he8um/daryaft

Daryaft v1.12.0

Choose a tag to compare

@he8um he8um released this 11 Jun 08:05

Daryaft v1.12.0

Daryaft v1.12.0 is a stable release focused on polishing the TUI download input experience.

Highlights

  • Added cleaner URL validation before TUI download planning.
  • Added cleaner .txt file path validation before TUI download planning.
  • Added actionable validation messages for empty, malformed, unsupported, missing, directory, and unreadable inputs.
  • Added clearer .txt file path guidance with full-path examples.
  • Added one-URL-per-line guidance for .txt download files.
  • Added compact safe defaults preview on URL and file input screens.
  • Improved visibility of configured output root / download_dir.
  • Updated TUI help text to mention Settings and the c shortcut.
  • Exported download.ValidateURL for shared URL validation.
  • Added tests for TUI validation, defaults preview, no-color rendering, prompt/help text, and exported URL validation.
  • Updated usage, command reference, manual QA, roadmap, index, and changelog docs.

TUI input validation

The TUI now catches common input mistakes earlier and shows shorter, more actionable messages.

Examples include:

URL cannot be empty.
URL must start with http:// or https://.
Invalid URL: host is required.
File path cannot be empty.
File not found: /path/to/urls.txt
Path is a directory: /path/to/dir
Cannot read file: /path/to/urls.txt

The core download planner remains authoritative for final validation.

.txt file guidance

The TUI now clarifies that file-based downloads expect a full path to a .txt file containing URLs.

Example:

/Users/amirhesampiri/Downloads/urls.txt

The .txt file should contain one URL per line.

Defaults preview

The URL and file input screens now show a compact safe defaults preview before the download setup continues.

The preview includes:

Output dir
Retries
Resume
User-Agent
Timeout

This helps users confirm the configured output root and common defaults before proceeding.

Security model

The defaults preview intentionally shows only safe non-secret values.

It does not display:

  • DARYAFT_USERNAME
  • DARYAFT_PASSWORD
  • usernames
  • passwords
  • tokens
  • API keys
  • Authorization headers
  • Proxy-Authorization headers
  • cookies
  • proxy values
  • arbitrary header values

This release does not add credential input or credential persistence.

Documentation

Updated or added:

  • docs/usage.md
  • docs/command-reference.md
  • docs/operations/manual-qa.md
  • docs/roadmap/v1.12.0-tui-download-input-ux.md
  • docs/index.md
  • CHANGELOG.md

Known limitations

  • Queue/session persistence is not implemented.
  • Config editing from TUI is not implemented.
  • Credential/auth/proxy/header input from TUI is not implemented.
  • File picker/autocomplete is not implemented.
  • Mouse support is not implemented.
  • user_agent and timeout are not newly wired into actual TUI download HTTP options unless already supported.
  • Auto-update is still not implemented.
  • GoReleaser Homebrew publishing remains disabled.
  • Windows is not officially supported.

Upgrade

Homebrew:

brew update && brew upgrade daryaft

GitHub binary users:

Download the matching archive from GitHub Releases.

Source users:

git pull
go build .

Daryaft v1.11.0

Choose a tag to compare

@he8um he8um released this 10 Jun 22:47

Daryaft v1.11.0

Daryaft v1.11.0 is a stable release focused on read-only TUI awareness of safe configuration settings.

Highlights

  • Added a read-only TUI Settings screen.
  • Added a Settings item to the TUI home menu before Quit.
  • Added c shortcut from the TUI home screen to open Settings.
  • Added TUI display of active config path.
  • Added TUI display of whether config was loaded from file or defaults are being used.
  • Added TUI display of safe effective config values:
    • download_dir
    • retries
    • resume
    • no_color
    • no_tui
    • theme
    • animations
    • hyperlinks
    • user_agent
    • timeout
  • Added display markers for default, unset, and reserved values.
  • Added tests for Settings rendering, Settings navigation, c shortcut, no-color rendering, and secret exclusion.
  • Updated TUI/config documentation and manual QA.

TUI Settings screen

The TUI now includes a read-only Settings screen.

Open it from the TUI home screen by either:

selecting Settings
pressing c

Return home with:

esc
backspace

Quit with:

q

What it shows

The Settings screen shows the active configuration path and whether a config file was loaded.

It also shows safe effective settings such as:

download_dir
retries
resume
no_color
no_tui
theme
animations
hyperlinks
user_agent
timeout

Empty/default values are presented clearly:

(default)
(none)
(reserved)

Security model

The Settings screen is read-only and intentionally excludes secrets.

It does not display:

  • DARYAFT_USERNAME
  • DARYAFT_PASSWORD
  • usernames
  • passwords
  • tokens
  • API keys
  • Authorization headers
  • Proxy-Authorization headers
  • cookies
  • proxy values
  • arbitrary header values

It does not edit config files.

It does not provide config set/reset actions.

It does not introduce any TUI credential or auth flow.

Documentation

Updated or added:

  • docs/configuration.md
  • docs/command-reference.md
  • docs/usage.md
  • docs/operations/manual-qa.md
  • docs/roadmap/v1.11.0-tui-config-awareness.md
  • docs/index.md
  • CHANGELOG.md

Known limitations

  • Settings screen is read-only.
  • TUI config editor is not implemented.
  • Config set/reset from TUI is not implemented.
  • Credential display is intentionally excluded.
  • Auth flow in TUI is not implemented.
  • Proxy/header persistence is not implemented.
  • Config profiles are not implemented.
  • Live config reload is not implemented.
  • Auto-update is still not implemented.
  • GoReleaser Homebrew publishing remains disabled.
  • Windows is not officially supported.

Upgrade

Homebrew:

brew update && brew upgrade daryaft

GitHub binary users:

Download the matching archive from GitHub Releases.

Source users:

git pull
go build .

Daryaft v1.10.0

Choose a tag to compare

@he8um he8um released this 10 Jun 21:22

Daryaft v1.10.0

Daryaft v1.10.0 is a stable release focused on safe configuration persistence improvements.

Highlights

  • Added user_agent configuration support for default download user-agent.
  • Added DARYAFT_USER_AGENT environment override.
  • Added timeout configuration support for overall download request timeout.
  • Added DARYAFT_TIMEOUT environment override.
  • Added --timeout <duration> download flag.
  • Added global --config <path> flag for explicit configuration file selection.
  • Added tests for config/env/CLI precedence.
  • Updated configuration, command reference, usage, manual QA, roadmap, and README documentation.
  • Preserved the security boundary: credentials and secret-bearing values are not persisted in config.

Configuration

Daryaft already supports YAML configuration at the platform-specific config path:

<UserConfigDir>/daryaft/config.yaml

Examples:

macOS: ~/Library/Application Support/daryaft/config.yaml
Linux: ~/.config/daryaft/config.yaml

This release adds two safe non-secret keys:

user_agent: ""
timeout: ""

user_agent sets the default download user-agent when --user-agent is not provided.

timeout sets the overall HTTP request timeout when --timeout is not provided. It uses Go duration syntax such as:

30s
2m
1m30s

Environment overrides

New environment variables:

DARYAFT_USER_AGENT
DARYAFT_TIMEOUT

Precedence remains:

CLI flags > environment variables > config file > built-in defaults

New flags

Global config path override:

daryaft --config ./config.yaml config show
daryaft --config ./config.yaml download https://example.com/file.zip

Download timeout override:

daryaft download https://example.com/file.zip --timeout 30s

Security model

Daryaft v1.10.0 intentionally does not persist secrets.

The following remain unsupported in config:

  • usernames
  • passwords
  • tokens
  • API keys
  • Authorization headers
  • Proxy-Authorization headers
  • cookies
  • proxy URLs
  • arbitrary headers

Use existing CLI flags or environment variables for per-invocation credentials where supported.

Validation

  • Invalid timeout values are rejected.
  • Zero or negative timeout values are rejected.
  • Invalid user-agent values are rejected.
  • Missing default config file remains non-error.
  • Missing explicit --config <path> is an error.
  • Unknown config fields remain rejected by strict YAML parsing.

Documentation

Updated or added:

  • docs/configuration.md
  • docs/command-reference.md
  • docs/usage.md
  • docs/operations/manual-qa.md
  • docs/roadmap/v1.10.0-config-persistence-safe-core.md
  • docs/index.md
  • README.md
  • CHANGELOG.md

Known limitations

  • Credentials are intentionally not persisted.
  • Auth headers are intentionally not persisted.
  • Proxy persistence is intentionally deferred.
  • Arbitrary header persistence is intentionally deferred.
  • Config profiles are not implemented.
  • TUI config editor is not implemented.
  • Auto-update is still not implemented.
  • GoReleaser Homebrew publishing remains disabled.
  • Windows is not officially supported.

Upgrade

Homebrew:

brew update && brew upgrade daryaft

GitHub binary users:

Download the matching archive from GitHub Releases.

Source users:

git pull
go build .

Daryaft v1.9.0

Choose a tag to compare

@he8um he8um released this 10 Jun 18:51

Daryaft v1.9.0

Daryaft v1.9.0 is a stable release focused on download retry and resume reliability hardening.

Highlights

  • Added HTTP 408 Request Timeout to retryable download responses.
  • Locked retry classification with deterministic tests.
  • Added deterministic integration coverage for 408 followed by successful retry.
  • Hardened resume behavior for oversized local partial files.
  • Locked missing/corrupt resume sidecar behavior with tests.
  • Documented safe restart behavior for 416, partial-overflow, and sidecar-loss cases.
  • Documented cancellation exit behavior.
  • Documented that 429 Retry-After is not honored yet.
  • Added v1.9.0 roadmap/scope documentation.

Retry behavior

Daryaft now retries these HTTP statuses:

408
429
500
502
503
504

These common client-side statuses remain non-retryable:

400
401
403
404
410

429 Retry-After headers are not honored yet. Daryaft continues to use its standard exponential backoff.

Resume behavior

Daryaft already supported safe resume behavior for Range downloads.

This release additionally hardens the case where a local partial file is larger than the known remote file size. In that case, Daryaft restarts safely from byte 0 instead of appending to an unsafe partial file.

Resume behavior remains:

  • 206 Partial Content: append when validators and content range are safe.
  • 200 OK after a Range request: restart from byte 0.
  • 416 Requested Range Not Satisfiable: restart from byte 0 as a safe default.
  • missing/corrupt sidecar metadata: restart safely or treat as non-resumable; no unsafe append.

Cancellation behavior

Cancellation exits non-zero and preserves partial download state where applicable.

Cancelled batch items remain cancelled, and remaining items are reported as not started.

Documentation

Updated or added:

  • docs/features/resume-and-retry.md
  • docs/command-reference.md
  • docs/usage.md
  • docs/operations/manual-qa.md
  • docs/roadmap/v1.9.0-download-reliability-hardening.md
  • docs/index.md
  • CHANGELOG.md

Known limitations

  • Retry-After headers are not honored yet.
  • 416 always restarts from byte 0 instead of treating the partial file as complete.
  • Concurrent batch downloads are not implemented.
  • Config persistence is not implemented.
  • Auto-update is still not implemented.
  • GoReleaser Homebrew publishing remains disabled.
  • Windows is not officially supported.

Upgrade

Homebrew:

brew update && brew upgrade daryaft

GitHub binary users:

Download the matching archive from GitHub Releases.

Source users:

git pull
go build .

Daryaft v1.8.0

Choose a tag to compare

@he8um he8um released this 10 Jun 13:57

Daryaft v1.8.0

Release date: 2026-06-10
Status: Stable

Daryaft v1.8.0 adds batch checksum verification via a manifest file and TUI
checksum status display. It builds on v1.7.0 which added single-target
--checksum verification.

Highlights

--checksum-file <path> — verify each download target against a manifest
of <algorithm>:<hex> <url> entries. Every target must have exactly one entry;
the command validates the manifest before any network request starts.

TUI checksum status — after a checksum-backed batch run, the queue shows
Checksum OK or Checksum Failed per item and the summary appends
Checksum verified: N.

What's New

--checksum-file flag

daryaft download URL1 URL2 --checksum-file checksums.txt
daryaft download --file urls.txt --checksum-file checksums.txt

Manifest format — one entry per line, blank lines and # comments ignored:

sha256:<hex> <url>
sha512:<hex> <url>

Validation rules (all checked before any network request):

  • Every download target must have exactly one manifest entry.
  • Every manifest entry must match a download target (no orphan entries).
  • Duplicate URLs in the manifest are rejected.
  • Malformed lines produce a line-numbered error.
  • --checksum and --checksum-file cannot be used together.

Checksum verification behavior

  • On match: item marked Checksum OK; batch summary shows Checksum verified: N.
  • On mismatch: item marked Checksum Failed, file kept in place, command exits non-zero.
  • Verification runs after each successful download; failed downloads are not verified.

TUI checksum status

After a checksum-backed batch completes:

  • Queue items show Checksum OK (✓ in color mode, [ok] in no-color mode) or
    Checksum Failed (✗ / [!]).
  • The execution summary appends Checksum verified: N.

Install

Homebrew:

brew update && brew upgrade daryaft
daryaft version

GitHub binary archives:

# Example: macOS Apple Silicon
curl -L -O https://github.com/he8um/daryaft/releases/download/v1.8.0/daryaft_darwin_arm64.tar.gz
curl -L -O https://github.com/he8um/daryaft/releases/download/v1.8.0/checksums.txt
shasum -a 256 --check checksums.txt
tar -xzf daryaft_darwin_arm64.tar.gz
./daryaft version

Available archives: daryaft_linux_amd64.tar.gz, daryaft_linux_arm64.tar.gz,
daryaft_darwin_amd64.tar.gz, daryaft_darwin_arm64.tar.gz.

Source:

git pull
go build .

Known Limitations

  • Checksum file URL matching is exact; URLs are not normalized. The URL in the
    manifest must match the URL passed to the command character-for-character.
  • GNU sha256sum-format files (digest-only lines without <algorithm>: prefix)
    are not supported.
  • Checksum auto-discovery (fetching .sha256 sidecar files) is not implemented.
  • TUI batch checksum input forms are not implemented; the TUI displays results
    only (results come from CLI --checksum-file).
  • Signature, PGP, and attestation verification are out of scope.
  • A checksum mismatch does not delete the downloaded file.

Upgrade Notes

  • No breaking changes. --checksum single-target behavior is unchanged.
  • --checksum and --checksum-file are mutually exclusive — passing both exits
    non-zero before any network request.

Daryaft v1.7.0

Choose a tag to compare

@he8um he8um released this 10 Jun 11:30

Daryaft v1.7.0

Daryaft v1.7.0 is a stable release focused on checksum verification for single-target CLI downloads.

Highlights

  • Added --checksum algorithm:hex for single-target CLI downloads.
  • Added SHA-256 checksum verification.
  • Added SHA-512 checksum verification.
  • Added checksum validation before network requests.
  • Added post-download checksum verification after successful downloads.
  • Added clear checksum success and mismatch output.
  • Added checksum dry-run display.
  • Added root URL mode support for --checksum.
  • Added clear validation for unsupported batch checksum usage.
  • Added checksum feature documentation and manual QA.

Usage

Verify a SHA-256 checksum:

daryaft download https://example.com/file.zip --checksum sha256:<hex>

Verify a SHA-512 checksum:

daryaft download https://example.com/file.zip --checksum sha512:<hex>

Root URL mode:

daryaft --checksum sha256:<hex> https://example.com/file.zip

Dry-run:

daryaft download https://example.com/file.zip --checksum sha256:<hex> --dry-run

Behavior

On match:

Checksum verified: sha256

On mismatch, Daryaft exits non-zero and reports:

  • file path
  • algorithm
  • expected digest
  • actual digest

The downloaded file is left in place for inspection/removal.

Batch limitation

--checksum is currently supported for single-target downloads only.

These are intentionally rejected in v1.7.0:

daryaft download URL1 URL2 --checksum sha256:<hex>
daryaft download --file urls.txt --checksum sha256:<hex>

Per-file batch checksums are not supported yet.

Security note

Checksum verification confirms file integrity against a known digest.

It does not prove who published the file. Publisher authenticity requires
signatures or attestations, which are out of scope for v1.7.0.

Documentation

Updated or added:

  • docs/features/checksum-verification.md
  • docs/operations/checksum-verification-qa.md
  • docs/roadmap/v1.7.0-checksum-verification.md
  • CHANGELOG.md

Known limitations

  • Per-file batch checksums are not supported.
  • TUI checksum entry is not implemented.
  • Signature/PGP/attestation verification is not implemented.
  • Checksum verification proves integrity against a known digest, not publisher authenticity.
  • Auto-update is still not implemented.
  • Config persistence is not implemented.
  • Concurrent batch download is not implemented.
  • GoReleaser Homebrew publishing remains disabled.
  • Windows is not officially supported.

Upgrade

Homebrew:

brew update && brew upgrade daryaft

GitHub binary users:

Download the matching archive from GitHub Releases.

Source users:

git pull
go build .

Daryaft v1.6.0

Choose a tag to compare

@he8um he8um released this 10 Jun 10:44

Daryaft v1.6.0

Daryaft v1.6.0 is a stable release focused on CLI download UX polish and TUI queue UX polish.

Highlights

  • Improved CLI download completion messages with final size and elapsed time.
  • Added clearer in-band failure messages for single-download failures.
  • Added clearer Resuming: and Restarting: CLI messages.
  • Renamed unfinished batch-summary items from Skipped to Not started.
  • Added TUI queue history during execution.
  • Added TUI queue status markers for completed, failed/cancelled, in-progress, and other states.
  • Improved TUI post-run wording and summary labels.

CLI download UX

Single-download completion output now includes both final size and elapsed time, for example:

Completed: file.zip (512 B in 1.2s)

Failure events now show an in-band message:

Failed: <error>

Resume/restart events are easier to scan:

Resuming: <message>
Restarting: <message>

Batch summaries now use:

Not started

for items that never ran.

TUI queue UX

During batch execution, the TUI now shows a queue history above the current item detail block.

Status markers:

State Color mode No-color mode
Completed [ok]
Failed / Cancelled [!]
In progress [>]
Other · [-]

The post-run hint now says:

enter/h new download • q quit

Documentation

Updated:

  • CHANGELOG.md
  • docs/usage.md
  • docs/command-reference.md
  • docs/operations/manual-qa.md
  • docs/roadmap/v1.6.0-download-tui-ux-polish.md

Known limitations

  • Auto-update is still not implemented.
  • No OAuth support.
  • No token manager support.
  • No cookie jar/session persistence.
  • No credential storage.
  • No .netrc support.
  • No TUI auth/config flow.
  • No SOCKS5 proxy support.
  • No config persistence.
  • No checksum verification.
  • No concurrent batch download.
  • GoReleaser Homebrew publishing remains disabled.
  • Windows is not officially supported.

Upgrade

Homebrew:

brew update && brew upgrade daryaft

GitHub binary users:

Download the matching archive from GitHub Releases.

Source users:

git pull
go build .

Daryaft v1.5.0

Choose a tag to compare

@he8um he8um released this 10 Jun 09:06

Daryaft v1.5.0

Daryaft v1.5.0 is a stable release focused on HTTP customization QA, security, and UX polish.

Highlights

  • Improved dry-run Basic Auth display to show the username while redacting the password.
  • Added optional DARYAFT_USERNAME and DARYAFT_PASSWORD fallback for CLI Basic Auth.
  • Improved invalid header and proxy error messages.
  • Expanded sensitive-header redaction test coverage.
  • Expanded HTTP customization QA documentation.

HTTP credential fallback

DARYAFT_USERNAME and DARYAFT_PASSWORD can now be used as fallback Basic Auth credentials for CLI download and inspect flows.

CLI flags still take precedence:

  • --username
  • --password

The env fallback applies to:

  • root URL download
  • daryaft download
  • daryaft inspect

It does not apply to TUI.

Security

  • Raw CLI passwords are not printed.
  • Raw env passwords are not printed.
  • Sensitive headers remain redacted.
  • DARYAFT_PASSWORD without a username is rejected.
  • CLI flags override env credentials.
  • Basic Auth plus explicit Authorization header remains rejected.
  • SOCKS5 proxy remains unsupported.

Documentation

Updated:

  • docs/features/http-request-customization.md
  • docs/operations/http-customization-qa.md
  • CHANGELOG.md

Known limitations

  • No OAuth support.
  • No token manager support.
  • No cookie jar/session persistence.
  • No credential storage.
  • No .netrc support.
  • No TUI auth/config flow.
  • No SOCKS5 proxy support.
  • Auto-update is still not implemented.
  • GoReleaser Homebrew publishing remains disabled.
  • Windows is not officially supported.

Upgrade

Homebrew:

brew update && brew upgrade daryaft

GitHub binary users:

Download the matching archive from GitHub Releases.

Source users:

git pull
go build .

Daryaft v1.4.0

Choose a tag to compare

@he8um he8um released this 07 Jun 11:47

Daryaft v1.4.0

Status: RELEASED — Stable release. Tag: v1.4.0.

Summary

Daryaft v1.4.0 is a reliability and test-determinism release. It makes
go test ./... and make rc-check fully deterministic by eliminating all
real GitHub API calls from the default test suite. It also improves the
user-facing error messages for the daryaft update --check command when the
GitHub API is unavailable, rate-limited, or returns unexpected responses.

No new end-user features are added. No new dependencies are introduced.

The release ships binary archives for linux/amd64, linux/arm64, darwin/amd64,
and darwin/arm64. The Homebrew formula at he8um/homebrew-tap has been updated
to v1.4.0.

What's New

Deterministic Test Suite

go test ./... no longer calls the real GitHub Releases API under any
circumstances. All update-check tests drive a local httptest.Server via the
new hidden --api-base-url flag and the APIBaseURL field on
update.CheckOptions. Real-network update tests are preserved but require the
opt-in environment variable:

DARYAFT_RUN_NETWORK_TESTS=1 go test ./cmd -run TestUpdateCommand_RealNetwork

Deterministic make rc-check

make rc-check is now safe from GitHub API rate-limit failures. Previously,
running the full test suite without -short could trigger real GitHub API calls
and fail with 403 Forbidden in CI or local environments with exhausted rate
limits. This is fully resolved.

Improved Update Check Error Messages

daryaft update --check now reports clear, actionable error messages for each
failure category:

Condition Error Message
GitHub API rate limit / 403 "GitHub API returned 403 Forbidden, likely due to rate limiting or access restrictions. Try again later"
Repository not found / 404 "GitHub release repository was not found (404 Not Found)"
GitHub server error / 5xx "GitHub API is temporarily unavailable (500 Internal Server Error). Try again later"
Request timeout "request to GitHub timed out. Check your network and try again"
Network unreachable "could not reach GitHub Releases API. Check your network and try again"
Invalid API response "GitHub API returned an invalid response"

Error Classification Tests

New deterministic tests in cmd/update_test.go cover:

  • TestUpdateCommand_403Error — rate-limit message
  • TestUpdateCommand_404Error — not-found message
  • TestUpdateCommand_500Error — unavailability message
  • TestUpdateCommand_InvalidJSONError — invalid response message
  • TestUpdateCommand_403_JSONOutput--json error output is valid JSON
  • TestUpdateCommand_HiddenAPIBaseURLFlag — hidden flag exists and is hidden

Hidden Test Injection Flag

A hidden --api-base-url flag is available on daryaft update for test
injection only. It does not appear in --help output and is not intended for
end-user use.

User-Facing Behavior

  • daryaft update --check remains read-only. It never downloads, installs, or
    replaces the current binary.
  • All existing CLI flags (--check, --json, --include-prerelease) are
    unchanged.
  • Error messages are now clearer when GitHub is unavailable or rate-limited.
  • No GitHub authentication or token support has been added.

Known Limitations

  • Auto-update is not implemented. Use daryaft update --check to check for
    updates and the appropriate command for your install channel to upgrade.
  • GitHub auth/token support is not implemented. Unauthenticated API calls are
    subject to GitHub's public rate limits (60 requests/hour per IP).
  • Real-network update smoke can still hit GitHub rate limits when run manually
    without DARYAFT_RUN_NETWORK_TESTS=1.
  • GoReleaser Homebrew publishing remains disabled. The Homebrew formula is
    manually maintained at he8um/homebrew-tap.
  • Windows is not officially supported.

Upgrade Instructions

Homebrew

brew update && brew upgrade daryaft
daryaft version

GitHub Binary

Download the v1.4.0 archive for your platform from
GitHub Releases,
extract, and replace your existing binary.

Source

git pull && go build .
./daryaft version

Validation Summary

  • go test ./... — PASS (deterministic, no real GitHub calls)
  • go test -short ./... — PASS
  • go build ./... — PASS
  • go test -race ./internal/downloader — PASS
  • go test -race ./internal/tui — PASS
  • make lint — PASS (0 issues)
  • make security — PASS (govulncheck: no vulnerabilities; gosec: 0 issues)
  • goreleaser check — PASS
  • make rc-check — PASS (deterministic)
  • GoReleaser artifact build — PASS
  • Extracted binary version: 1.4.0, built_by: goreleaser
  • Checksum verification — PASS
  • Homebrew formula updated to v1.4.0
  • Homebrew install/upgrade validated

Security Behavior

HTTP request customization redaction (from v1.3.0) is unchanged:

  • --password values are always displayed as [REDACTED]
  • Headers matching authorization, cookie, token, key, and related patterns are
    displayed as [REDACTED]
  • No credentials appear in error messages, logs, or dry-run output

Daryaft v1.3.0

Choose a tag to compare

@he8um he8um released this 07 Jun 11:06

Daryaft v1.3.0

Status: RELEASED — Stable release. Tag: v1.3.0.

Summary

Daryaft v1.3.0 adds HTTP request customization to the CLI download and inspect
flows. It ships --proxy, repeatable --header "Name: Value", --user-agent,
and HTTP Basic Auth via --username/--password. All five flags apply to root
URL downloads, the download subcommand, inspect, and batch downloads. No new
external dependencies are introduced.

The release ships binary archives for linux/amd64, linux/arm64, darwin/amd64,
and darwin/arm64. The Homebrew formula at he8um/homebrew-tap has been updated
to v1.3.0.

What's New

HTTP Request Customization

Five new flags are available on daryaft download (and bare URL invocation) and
daryaft inspect:

Flag Description
--proxy <url> HTTP or HTTPS proxy URL
--header "Name: Value" Custom request header (repeatable)
--user-agent <value> Override the default User-Agent
--username <value> HTTP Basic Auth username
--password <value> HTTP Basic Auth password

Usage examples

# Proxy
daryaft download https://example.com/file.zip --proxy http://proxy.corp:8080

# Custom headers (repeatable)
daryaft download https://example.com/file.zip \
  --header "X-API-Token: mytoken" \
  --header "Accept: application/zip"

# User-Agent override
daryaft download https://example.com/file.zip --user-agent "MyApp/2.0"

# HTTP Basic Auth
daryaft download https://restricted.example.com/file.zip \
  --username alice --password s3cr3t

# Inspect with custom header
daryaft inspect https://api.example.com/artifact \
  --header "Authorization: Bearer mytoken"

# Dry-run preview (password shown as [REDACTED])
daryaft download https://example.com/file.zip \
  --username alice --password s3cr3t --dry-run

Batch download support

All flags apply uniformly to every item in a batch download:

daryaft download -f urls.txt --header "X-Batch: yes" --proxy http://proxy:8080

Proxy transport

The proxy wraps the existing transport, preserving all existing timeouts. Only
http:// and https:// proxy schemes are supported.

Security and Redaction

  • Passwords are always redacted. --password values never appear in output,
    logs, dry-run summaries, or verbose diagnostics. The raw value only reaches
    req.SetBasicAuth() internally.
  • Sensitive headers are redacted. Header names matching authorization,
    proxy-authorization, cookie, set-cookie, x-api-key, x-token,
    x-auth-token, or names containing secret, token, password, key, or
    authorization are shown as [REDACTED] in dry-run and verbose output.

Dry-run example

$ daryaft download https://example.com/file.zip \
    --username alice --password topsecret \
    --header "Authorization: Bearer tok" \
    --header "X-Custom: visible" \
    --dry-run
# Output:
# HTTP
#   Headers:
#     Authorization: [REDACTED]
#     X-Custom: visible
#   Auth: [REDACTED]

Validation Rules

  • --proxy: http:// or https:// only. socks5:// and other schemes are
    rejected with a clear error.
  • --header "Name: Value": colon separator required; empty values are allowed.
    Repeatable.
  • --password without --username: rejected with error --password requires --username.
  • --username/--password combined with an explicit Authorization header:
    rejected with error use either --username/--password or an Authorization header, not both.
  • --user-agent overrides any User-Agent custom header.

New Internal Package

internal/httpopts is a new shared package providing:

  • Options types (Header, Options, RedactedOptions)
  • Header parsing and validation
  • Proxy URL validation
  • Auth consistency checks
  • Redaction (Redact())
  • Request application (ApplyToRequest())
  • Proxy client factory (NewClient()) — clones base transport, preserves timeouts

TUI Isolation

HTTP customization flags are CLI-only in v1.3.0. All five flags are registered
in hasDownloadFlagChanges(), so passing any of them on the command line routes
to CLI download mode, not the TUI. The TUI is unaffected.

Upgrade Instructions

Homebrew

brew update
brew upgrade daryaft
daryaft version
daryaft download --help

GitHub Binary Archives

Download v1.3.0 assets from the
v1.3.0 GitHub release:

# Example: macOS Apple Silicon
curl -L -O https://github.com/he8um/daryaft/releases/download/v1.3.0/daryaft_darwin_arm64.tar.gz
curl -L -O https://github.com/he8um/daryaft/releases/download/v1.3.0/checksums.txt
shasum -a 256 --check checksums.txt
tar -xzf daryaft_darwin_arm64.tar.gz
./daryaft version

Available archives:

File Platform
daryaft_linux_amd64.tar.gz Linux x86-64
daryaft_linux_arm64.tar.gz Linux ARM64
daryaft_darwin_amd64.tar.gz macOS Intel
daryaft_darwin_arm64.tar.gz macOS Apple Silicon
checksums.txt SHA-256 checksums for all archives

Source Build

git pull
go build .
./daryaft version

Known Limitations

  • TUI HTTP customization not implemented. --proxy, --header,
    --user-agent, --username, and --password are CLI-only. The interactive
    TUI does not support HTTP options in this release.
  • SOCKS5 proxy not supported. socks5:// scheme is rejected. SOCKS5
    requires golang.org/x/net/proxy; adding it would introduce an external
    dependency which is out of scope.
  • OAuth and token manager not implemented. Bearer token support requires an
    explicit --header "Authorization: Bearer <token>".
  • Cookie jar and session persistence not implemented.
  • Credential storage not implemented. Passwords are not persisted to keychain,
    config file, or environment. Use shell environment variables or OS-level
    credential managers externally if needed.
  • .netrc not implemented.
  • Auto-update not implemented. daryaft update without --check exits
    non-zero. A future release will implement in-place binary upgrade.
  • Windows not officially supported. No Windows binaries are published.
  • GoReleaser Homebrew publishing remains disabled. The brews: block in
    .goreleaser.yml is still commented out. The Homebrew formula is manually
    maintained, assisted by scripts/update-homebrew-formula.sh.
  • No signed checksums. checksums.txt contains plain SHA-256 hashes.

Validation Summary

All required checks passed before release:

Check Result
go test ./... PASS
go build ./... PASS
go test -race ./internal/downloader PASS
go test -race ./internal/tui PASS
make lint (golangci-lint) 0 issues
make security (govulncheck) no vulnerabilities
make security (gosec) Issues: 0
goreleaser check 1 config validated
make rc-check PASS
git diff --check PASS
Invalid header rejection smoke PASS
SOCKS5 rejection smoke PASS
Password redaction smoke PASS
GoReleaser artifact build PASS
Extracted binary version 1.3.0
built_by goreleaser
Checksum verification PASS
daryaft doctor smoke PASS
Homebrew formula update PASS
brew upgrade daryaft PASS

References