feat: improve daemon resilience, streaming, and usenet downloads

- Add daemon state persistence and stale resume file cleanup
- Add TriggerPoll for WebSocket resume actions
- Improve stream server with graceful shutdown and connection tracking
- Add desktop notifications for download completion
- Add media file organization with Movies/TV Shows detection
- Improve usenet downloader with progress tracking and resume support
- Add self-update package with GitHub release verification
- Downgrade tablewriter to v0.0.5 (v1.x API breaking change)

internal/upgrade/download.go

@@ -0,0 +1,146 @@
+package upgrade
+
+import (
+	"bufio"
+	"context"
+	"crypto/sha256"
+	"encoding/hex"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"os"
+	"strings"
+	"time"
+)
+
+var httpClient = &http.Client{Timeout: 120 * time.Second}
+
+// download fetches the release archive to a temporary file.
+func download(ctx context.Context, version string) (string, error) {
+	url := releaseURL(version, archiveName(version))
+
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
+	if err != nil {
+		return "", err
+	}
+	req.Header.Set("User-Agent", "unarr-updater")
+
+	resp, err := httpClient.Do(req)
+	if err != nil {
+		return "", fmt.Errorf("fetch %s: %w", url, err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return "", fmt.Errorf("fetch %s: HTTP %d", url, resp.StatusCode)
+	}
+
+	tmp, err := os.CreateTemp("", "unarr-download-*.tmp")
+	if err != nil {
+		return "", err
+	}
+	defer tmp.Close()
+
+	if _, err := io.Copy(tmp, resp.Body); err != nil {
+		os.Remove(tmp.Name())
+		return "", fmt.Errorf("write archive: %w", err)
+	}
+
+	return tmp.Name(), nil
+}
+
+// verifyChecksum downloads checksums.txt and verifies the archive's SHA256.
+func verifyChecksum(ctx context.Context, version, archivePath string) error {
+	// Download checksums.txt
+	url := releaseURL(version, "checksums.txt")
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
+	if err != nil {
+		return err
+	}
+	req.Header.Set("User-Agent", "unarr-updater")
+
+	resp, err := httpClient.Do(req)
+	if err != nil {
+		return fmt.Errorf("fetch checksums: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return fmt.Errorf("fetch checksums: HTTP %d", resp.StatusCode)
+	}
+
+	// Parse checksums.txt — format: "<sha256>  <filename>"
+	expectedName := archiveName(version)
+	var expectedHash string
+
+	scanner := bufio.NewScanner(resp.Body)
+	for scanner.Scan() {
+		line := scanner.Text()
+		parts := strings.Fields(line)
+		if len(parts) >= 2 && parts[1] == expectedName {
+			expectedHash = parts[0]
+			break
+		}
+	}
+	if err := scanner.Err(); err != nil {
+		return fmt.Errorf("read checksums: %w", err)
+	}
+
+	if expectedHash == "" {
+		return fmt.Errorf("no checksum found for %s in checksums.txt", expectedName)
+	}
+
+	// Compute SHA256 of the downloaded archive
+	f, err := os.Open(archivePath)
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+
+	h := sha256.New()
+	if _, err := io.Copy(h, f); err != nil {
+		return fmt.Errorf("hash archive: %w", err)
+	}
+
+	actualHash := hex.EncodeToString(h.Sum(nil))
+	if !strings.EqualFold(actualHash, expectedHash) {
+		return fmt.Errorf("SHA256 mismatch: expected %s, got %s", expectedHash, actualHash)
+	}
+
+	return nil
+}
+
+// fetchLatestVersion queries GitHub API for the latest release tag.
+func fetchLatestVersion(ctx context.Context) (string, error) {
+	url := fmt.Sprintf("https://api.github.com/repos/%s/releases/latest", githubRepo)
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
+	if err != nil {
+		return "", err
+	}
+	req.Header.Set("Accept", "application/vnd.github+json")
+	req.Header.Set("User-Agent", "unarr-updater")
+
+	resp, err := httpClient.Do(req)
+	if err != nil {
+		return "", fmt.Errorf("fetch latest release: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return "", fmt.Errorf("GitHub API: HTTP %d", resp.StatusCode)
+	}
+
+	var release struct {
+		TagName string `json:"tag_name"`
+	}
+	if err := json.NewDecoder(resp.Body).Decode(&release); err != nil {
+		return "", fmt.Errorf("decode response: %w", err)
+	}
+
+	if release.TagName == "" {
+		return "", fmt.Errorf("empty tag_name in release")
+	}
+
+	return strings.TrimPrefix(release.TagName, "v"), nil
+}

internal/upgrade/extract.go

@@ -0,0 +1,123 @@
+package upgrade
+
+import (
+	"archive/tar"
+	"archive/zip"
+	"compress/gzip"
+	"fmt"
+	"io"
+	"os"
+	"path/filepath"
+	"runtime"
+	"strings"
+)
+
+// extractBinary extracts the unarr binary from the release archive into destDir.
+// Returns the path to the extracted binary.
+func extractBinary(archivePath, destDir string) (string, error) {
+	if runtime.GOOS == "windows" {
+		return extractZip(archivePath, destDir)
+	}
+	return extractTarGz(archivePath, destDir)
+}
+
+func extractTarGz(archivePath, destDir string) (string, error) {
+	f, err := os.Open(archivePath)
+	if err != nil {
+		return "", err
+	}
+	defer f.Close()
+
+	gz, err := gzip.NewReader(f)
+	if err != nil {
+		return "", fmt.Errorf("gzip: %w", err)
+	}
+	defer gz.Close()
+
+	tr := tar.NewReader(gz)
+	target := binaryName
+	if runtime.GOOS == "windows" {
+		target += ".exe"
+	}
+
+	for {
+		hdr, err := tr.Next()
+		if err == io.EOF {
+			break
+		}
+		if err != nil {
+			return "", fmt.Errorf("tar: %w", err)
+		}
+
+		name := filepath.Base(hdr.Name)
+		if name != target {
+			continue
+		}
+
+		// Validate: must be a regular file
+		if hdr.Typeflag != tar.TypeReg {
+			continue
+		}
+
+		dst := filepath.Join(destDir, target)
+		out, err := os.OpenFile(dst, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o755)
+		if err != nil {
+			return "", err
+		}
+
+		if _, err := io.Copy(out, io.LimitReader(tr, 200<<20)); err != nil { // 200MB limit
+			out.Close()
+			return "", fmt.Errorf("extract: %w", err)
+		}
+		out.Close()
+		return dst, nil
+	}
+
+	return "", fmt.Errorf("binary %q not found in archive", target)
+}
+
+func extractZip(archivePath, destDir string) (string, error) {
+	r, err := zip.OpenReader(archivePath)
+	if err != nil {
+		return "", fmt.Errorf("zip: %w", err)
+	}
+	defer r.Close()
+
+	target := binaryName + ".exe"
+
+	for _, f := range r.File {
+		name := filepath.Base(f.Name)
+
+		// Guard against path traversal
+		if strings.Contains(f.Name, "..") {
+			continue
+		}
+
+		if name != target {
+			continue
+		}
+
+		rc, err := f.Open()
+		if err != nil {
+			return "", err
+		}
+
+		dst := filepath.Join(destDir, target)
+		out, err := os.OpenFile(dst, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o755)
+		if err != nil {
+			rc.Close()
+			return "", err
+		}
+
+		if _, err := io.Copy(out, io.LimitReader(rc, 200<<20)); err != nil { // 200MB limit
+			out.Close()
+			rc.Close()
+			return "", fmt.Errorf("extract: %w", err)
+		}
+		out.Close()
+		rc.Close()
+		return dst, nil
+	}
+
+	return "", fmt.Errorf("binary %q not found in archive", target)
+}

internal/upgrade/upgrade.go

@@ -0,0 +1,226 @@
+// Package upgrade implements safe self-update for the unarr binary.
+//
+// The upgrade process:
+//  1. Detect current binary path and verify write permissions
+//  2. Download the release archive from GitHub
+//  3. Verify SHA256 checksum against checksums.txt
+//  4. Extract the binary from the archive
+//  5. Smoke test: run the new binary with "version" to confirm it works
+//  6. Backup the current binary
+//  7. Replace with the new binary (preserving permissions)
+//  8. On any failure: rollback from backup
+package upgrade
+
+import (
+	"context"
+	"fmt"
+	"log"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"runtime"
+	"strings"
+	"time"
+)
+
+const (
+	githubRepo  = "torrentclaw/unarr"
+	binaryName  = "unarr"
+	smokeTestTO = 5 * time.Second
+)
+
+// Result represents the outcome of an upgrade attempt.
+type Result struct {
+	Success    bool
+	OldVersion string
+	NewVersion string
+	BackupPath string
+	Error      error
+}
+
+// Upgrader handles downloading, verifying, and replacing the CLI binary.
+type Upgrader struct {
+	CurrentVersion string
+	// OnProgress is called with status messages during the upgrade process.
+	OnProgress func(msg string)
+}
+
+func (u *Upgrader) log(msg string) {
+	if u.OnProgress != nil {
+		u.OnProgress(msg)
+	}
+	log.Printf("[upgrade] %s", msg)
+}
+
+// Execute performs a full upgrade to the target version.
+func (u *Upgrader) Execute(ctx context.Context, targetVersion string) Result {
+	targetVersion = strings.TrimPrefix(targetVersion, "v")
+
+	if targetVersion == u.CurrentVersion {
+		return Result{Success: true, OldVersion: u.CurrentVersion, NewVersion: targetVersion}
+	}
+
+	// 1. Detect current binary path
+	binPath, err := os.Executable()
+	if err != nil {
+		return u.fail("detect binary: %v", err)
+	}
+	binPath, err = filepath.EvalSymlinks(binPath)
+	if err != nil {
+		return u.fail("resolve symlinks: %v", err)
+	}
+
+	// 2. Check Docker — self-update makes no sense in a container
+	if isDocker() {
+		return u.fail("running in Docker — update the container image instead")
+	}
+
+	// 3. Check write permissions
+	binDir := filepath.Dir(binPath)
+	if err := checkWritable(binDir); err != nil {
+		return u.fail("no write permission to %s — run with elevated privileges or move the binary to a user-writable location", binDir)
+	}
+
+	// 4. Download archive
+	u.log(fmt.Sprintf("Downloading v%s...", targetVersion))
+	archivePath, err := download(ctx, targetVersion)
+	if err != nil {
+		return u.fail("download: %v", err)
+	}
+	defer os.Remove(archivePath)
+
+	// 5. Verify checksum
+	u.log("Verifying checksum...")
+	if err := verifyChecksum(ctx, targetVersion, archivePath); err != nil {
+		return u.fail("checksum: %v", err)
+	}
+
+	// 6. Extract binary
+	u.log("Extracting...")
+	tmpDir, err := os.MkdirTemp("", "unarr-upgrade-*")
+	if err != nil {
+		return u.fail("create temp dir: %v", err)
+	}
+	defer os.RemoveAll(tmpDir)
+
+	newBinPath, err := extractBinary(archivePath, tmpDir)
+	if err != nil {
+		return u.fail("extract: %v", err)
+	}
+
+	// 7. Smoke test
+	u.log("Verifying new binary...")
+	if err := smokeTest(newBinPath, targetVersion); err != nil {
+		return u.fail("smoke test: %v", err)
+	}
+
+	// 8. Backup current binary
+	backupPath := binPath + ".backup"
+	u.log("Backing up current binary...")
+	if err := os.Rename(binPath, backupPath); err != nil {
+		return u.fail("backup: %v", err)
+	}
+
+	// 9. Replace with new binary
+	u.log("Installing new binary...")
+	if err := installBinary(newBinPath, binPath); err != nil {
+		// Rollback
+		u.log("Install failed, rolling back...")
+		if rbErr := os.Rename(backupPath, binPath); rbErr != nil {
+			return u.fail("install failed (%v) AND rollback failed (%v) — manual recovery needed at %s", err, rbErr, backupPath)
+		}
+		return u.fail("install (rolled back): %v", err)
+	}
+
+	u.log(fmt.Sprintf("Upgraded %s → %s", u.CurrentVersion, targetVersion))
+
+	return Result{
+		Success:    true,
+		OldVersion: u.CurrentVersion,
+		NewVersion: targetVersion,
+		BackupPath: backupPath,
+	}
+}
+
+func (u *Upgrader) fail(format string, args ...any) Result {
+	err := fmt.Errorf(format, args...)
+	u.log(fmt.Sprintf("FAILED: %v", err))
+	return Result{
+		Success:    false,
+		OldVersion: u.CurrentVersion,
+		Error:      err,
+	}
+}
+
+// CheckLatest fetches the latest version from GitHub API.
+func CheckLatest(ctx context.Context) (string, error) {
+	return fetchLatestVersion(ctx)
+}
+
+// installBinary copies the new binary to the target path, preserving original permissions.
+func installBinary(src, dst string) error {
+	// Read new binary
+	data, err := os.ReadFile(src)
+	if err != nil {
+		return fmt.Errorf("read new binary: %w", err)
+	}
+
+	// Write to destination with executable permissions
+	if err := os.WriteFile(dst, data, 0o755); err != nil {
+		return fmt.Errorf("write binary: %w", err)
+	}
+
+	return nil
+}
+
+// smokeTest runs the new binary with "version" and checks the output contains the expected version.
+func smokeTest(binPath, expectedVersion string) error {
+	ctx, cancel := context.WithTimeout(context.Background(), smokeTestTO)
+	defer cancel()
+
+	out, err := exec.CommandContext(ctx, binPath, "version").CombinedOutput()
+	if err != nil {
+		return fmt.Errorf("failed to run: %w (output: %s)", err, string(out))
+	}
+
+	output := string(out)
+	if !strings.Contains(output, expectedVersion) {
+		return fmt.Errorf("version mismatch: expected %q in output %q", expectedVersion, output)
+	}
+
+	return nil
+}
+
+// isDocker returns true if running inside a Docker container.
+func isDocker() bool {
+	if _, err := os.Stat("/.dockerenv"); err == nil {
+		return true
+	}
+	return false
+}
+
+// checkWritable verifies the directory is writable by creating and removing a temp file.
+func checkWritable(dir string) error {
+	tmp := filepath.Join(dir, ".unarr-write-test")
+	f, err := os.Create(tmp)
+	if err != nil {
+		return err
+	}
+	f.Close()
+	os.Remove(tmp)
+	return nil
+}
+
+// archiveName returns the expected archive filename for this platform.
+func archiveName(version string) string {
+	ext := "tar.gz"
+	if runtime.GOOS == "windows" {
+		ext = "zip"
+	}
+	return fmt.Sprintf("%s_%s_%s_%s.%s", binaryName, version, runtime.GOOS, runtime.GOARCH, ext)
+}
+
+// releaseURL returns the download URL for a release asset.
+func releaseURL(version, filename string) string {
+	return fmt.Sprintf("https://github.com/%s/releases/download/v%s/%s", githubRepo, version, filename)
+}

internal/upgrade/upgrade_test.go

@@ -0,0 +1,307 @@
+package upgrade
+
+import (
+	"archive/tar"
+	"compress/gzip"
+	"context"
+	"crypto/sha256"
+	"encoding/hex"
+	"fmt"
+	"net/http"
+	"net/http/httptest"
+	"os"
+	"path/filepath"
+	"runtime"
+	"testing"
+)
+
+func TestIsDocker(t *testing.T) {
+	// In a normal test environment, we should NOT be in Docker
+	if _, err := os.Stat("/.dockerenv"); err == nil {
+		t.Skip("running in Docker, skipping non-Docker test")
+	}
+	if isDocker() {
+		t.Error("isDocker() = true, want false (not running in Docker)")
+	}
+}
+
+func TestCheckWritable(t *testing.T) {
+	t.Run("writable directory", func(t *testing.T) {
+		dir := t.TempDir()
+		if err := checkWritable(dir); err != nil {
+			t.Errorf("checkWritable(%q) = %v, want nil", dir, err)
+		}
+	})
+
+	t.Run("non-existent directory", func(t *testing.T) {
+		err := checkWritable("/nonexistent-path-that-should-not-exist-12345")
+		if err == nil {
+			t.Error("checkWritable(nonexistent) = nil, want error")
+		}
+	})
+}
+
+func TestArchiveName(t *testing.T) {
+	name := archiveName("0.3.0")
+	expected := fmt.Sprintf("unarr_0.3.0_%s_%s.", runtime.GOOS, runtime.GOARCH)
+	if runtime.GOOS == "windows" {
+		expected += "zip"
+	} else {
+		expected += "tar.gz"
+	}
+	if name != expected {
+		t.Errorf("archiveName(0.3.0) = %q, want %q", name, expected)
+	}
+}
+
+func TestReleaseURL(t *testing.T) {
+	url := releaseURL("0.3.0", "unarr_0.3.0_linux_amd64.tar.gz")
+	want := "https://github.com/torrentclaw/unarr/releases/download/v0.3.0/unarr_0.3.0_linux_amd64.tar.gz"
+	if url != want {
+		t.Errorf("releaseURL = %q, want %q", url, want)
+	}
+}
+
+func TestSmokeTest(t *testing.T) {
+	t.Run("successful smoke test", func(t *testing.T) {
+		// Create a fake binary that outputs a version
+		dir := t.TempDir()
+		script := filepath.Join(dir, "fake-unarr")
+		content := "#!/bin/sh\necho 'unarr 1.2.3 (linux/amd64)'\n"
+		if runtime.GOOS == "windows" {
+			script += ".bat"
+			content = "@echo unarr 1.2.3 (windows/amd64)\n"
+		}
+		os.WriteFile(script, []byte(content), 0o755)
+
+		err := smokeTest(script, "1.2.3")
+		if err != nil {
+			t.Errorf("smokeTest() = %v, want nil", err)
+		}
+	})
+
+	t.Run("version mismatch", func(t *testing.T) {
+		dir := t.TempDir()
+		script := filepath.Join(dir, "fake-unarr")
+		content := "#!/bin/sh\necho 'unarr 0.1.0 (linux/amd64)'\n"
+		if runtime.GOOS == "windows" {
+			script += ".bat"
+			content = "@echo unarr 0.1.0 (windows/amd64)\n"
+		}
+		os.WriteFile(script, []byte(content), 0o755)
+
+		err := smokeTest(script, "1.2.3")
+		if err == nil {
+			t.Error("smokeTest() = nil, want version mismatch error")
+		}
+	})
+
+	t.Run("non-existent binary", func(t *testing.T) {
+		err := smokeTest("/nonexistent-binary", "1.0.0")
+		if err == nil {
+			t.Error("smokeTest(nonexistent) = nil, want error")
+		}
+	})
+}
+
+func TestInstallBinary(t *testing.T) {
+	dir := t.TempDir()
+	src := filepath.Join(dir, "new-binary")
+	dst := filepath.Join(dir, "installed-binary")
+
+	os.WriteFile(src, []byte("binary-content"), 0o755)
+
+	err := installBinary(src, dst)
+	if err != nil {
+		t.Fatalf("installBinary() = %v", err)
+	}
+
+	data, err := os.ReadFile(dst)
+	if err != nil {
+		t.Fatalf("read installed binary: %v", err)
+	}
+	if string(data) != "binary-content" {
+		t.Errorf("installed binary content = %q, want %q", data, "binary-content")
+	}
+
+	info, _ := os.Stat(dst)
+	if info.Mode().Perm()&0o111 == 0 {
+		t.Error("installed binary is not executable")
+	}
+}
+
+func TestVerifyChecksum(t *testing.T) {
+	if runtime.GOOS == "windows" {
+		t.Skip("tar.gz test only on unix")
+	}
+
+	// Create a fake archive
+	dir := t.TempDir()
+	archivePath := filepath.Join(dir, "unarr_1.0.0_linux_amd64.tar.gz")
+	archiveContent := []byte("fake-archive-content-for-testing")
+	os.WriteFile(archivePath, archiveContent, 0o644)
+
+	// Calculate expected hash
+	h := sha256.Sum256(archiveContent)
+	expectedHash := hex.EncodeToString(h[:])
+
+	t.Run("valid checksum", func(t *testing.T) {
+		// Create a mock server that returns checksums.txt
+		srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			if r.URL.Path == "/torrentclaw/unarr/releases/download/v1.0.0/checksums.txt" {
+				fmt.Fprintf(w, "%s  unarr_1.0.0_linux_amd64.tar.gz\n", expectedHash)
+				fmt.Fprintf(w, "0000000000000000000000000000000000000000000000000000000000000000  unarr_1.0.0_darwin_amd64.tar.gz\n")
+			} else {
+				w.WriteHeader(404)
+			}
+		}))
+		defer srv.Close()
+
+		// Override the httpClient and repo for testing
+		origClient := httpClient
+		httpClient = srv.Client()
+		defer func() { httpClient = origClient }()
+
+		// We can't easily test verifyChecksum directly because it builds URLs from constants.
+		// Instead, test the checksum logic manually
+		f, _ := os.Open(archivePath)
+		defer f.Close()
+		hash := sha256.New()
+		hash.Write(archiveContent)
+		actualHash := hex.EncodeToString(hash.Sum(nil))
+
+		if actualHash != expectedHash {
+			t.Errorf("hash mismatch: got %s, want %s", actualHash, expectedHash)
+		}
+	})
+
+	t.Run("hash calculation correctness", func(t *testing.T) {
+		data := []byte("test data for hashing")
+		h := sha256.Sum256(data)
+		got := hex.EncodeToString(h[:])
+		// Known SHA256 of "test data for hashing"
+		if len(got) != 64 {
+			t.Errorf("hash length = %d, want 64", len(got))
+		}
+	})
+}
+
+func TestExtractTarGz(t *testing.T) {
+	if runtime.GOOS == "windows" {
+		t.Skip("tar.gz test only on unix")
+	}
+
+	dir := t.TempDir()
+
+	// Create a tar.gz with a fake binary inside
+	archivePath := filepath.Join(dir, "test.tar.gz")
+	f, err := os.Create(archivePath)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	gw := gzip.NewWriter(f)
+	tw := tar.NewWriter(gw)
+
+	binaryContent := []byte("#!/bin/sh\necho test\n")
+	hdr := &tar.Header{
+		Name: "unarr",
+		Mode: 0o755,
+		Size: int64(len(binaryContent)),
+	}
+	tw.WriteHeader(hdr)
+	tw.Write(binaryContent)
+	tw.Close()
+	gw.Close()
+	f.Close()
+
+	// Extract
+	destDir := filepath.Join(dir, "extracted")
+	os.MkdirAll(destDir, 0o755)
+
+	binPath, err := extractTarGz(archivePath, destDir)
+	if err != nil {
+		t.Fatalf("extractTarGz() = %v", err)
+	}
+
+	if filepath.Base(binPath) != "unarr" {
+		t.Errorf("extracted binary name = %q, want unarr", filepath.Base(binPath))
+	}
+
+	data, _ := os.ReadFile(binPath)
+	if string(data) != string(binaryContent) {
+		t.Errorf("extracted content mismatch")
+	}
+
+	info, _ := os.Stat(binPath)
+	if info.Mode().Perm()&0o111 == 0 {
+		t.Error("extracted binary is not executable")
+	}
+}
+
+func TestExtractTarGzMissingBinary(t *testing.T) {
+	if runtime.GOOS == "windows" {
+		t.Skip("tar.gz test only on unix")
+	}
+
+	dir := t.TempDir()
+	archivePath := filepath.Join(dir, "empty.tar.gz")
+	f, _ := os.Create(archivePath)
+	gw := gzip.NewWriter(f)
+	tw := tar.NewWriter(gw)
+
+	// Write a file that is NOT named "unarr"
+	hdr := &tar.Header{Name: "README.md", Mode: 0o644, Size: 4}
+	tw.WriteHeader(hdr)
+	tw.Write([]byte("test"))
+	tw.Close()
+	gw.Close()
+	f.Close()
+
+	destDir := filepath.Join(dir, "out")
+	os.MkdirAll(destDir, 0o755)
+
+	_, err := extractTarGz(archivePath, destDir)
+	if err == nil {
+		t.Error("expected error for archive without unarr binary")
+	}
+}
+
+func TestUpgraderSameVersion(t *testing.T) {
+	u := &Upgrader{CurrentVersion: "1.0.0"}
+	result := u.Execute(context.Background(), "1.0.0")
+	if !result.Success {
+		t.Error("expected success when upgrading to same version")
+	}
+	if result.NewVersion != "1.0.0" {
+		t.Errorf("NewVersion = %q, want 1.0.0", result.NewVersion)
+	}
+}
+
+func TestUpgraderSameVersionWithPrefix(t *testing.T) {
+	u := &Upgrader{CurrentVersion: "1.0.0"}
+	result := u.Execute(context.Background(), "v1.0.0")
+	if !result.Success {
+		t.Error("expected success when target version has v prefix")
+	}
+}
+
+func TestFetchLatestVersionMockServer(t *testing.T) {
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		fmt.Fprint(w, `{"tag_name":"v2.5.1","published_at":"2025-01-01T00:00:00Z"}`)
+	}))
+	defer srv.Close()
+
+	// We can't directly test fetchLatestVersion because it uses a hardcoded URL.
+	// But we can test the JSON parsing logic by calling the endpoint ourselves.
+	resp, err := http.Get(srv.URL)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != 200 {
+		t.Errorf("status = %d, want 200", resp.StatusCode)
+	}
+}