- Bump golang.org/x/{net,crypto,sys,text,term} to latest patches to
clear GHSA module advisories flagged by Docker Scout.
- Add Docker Scout CVE gate to the release workflow (fails only on
FIXABLE critical/high; unfixed upstream ffmpeg codec CVEs are accepted
and documented in SECURITY.md).
- Add weekly + manual docker-rebuild workflow so newly fixed base/
ffmpeg/Go patches land on :latest between tagged releases.
- Document container image vuln-scanning policy and hardening in
SECURITY.md.
- DOCKERHUB.md: update stale 0.3.5 examples to 0.9.0, multi-arch note, mirrors
section (.com/.to/.onion), point all links to torrentclaw.com (GitHub 404s
anonymously under the org shadow-ban)
- release.yml: add peter-evans/dockerhub-description step so a tag push also
syncs the Docker Hub page from DOCKERHUB.md (continue-on-error)
Phase 2 security audit follow-up. Three independent hardenings against
the unauthenticated daemon surface, the long-lived agent SSE stream
and the self-update channel.
UPnP is now opt-in. The stream port + /hls endpoints have no auth, so
publishing them on the WAN via the gateway was a default that exposed
active downloads to anyone scanning the operator's external IP. New
config downloads.enable_upnp (default false) gates the mapping; LAN
and Tailscale clients continue to work unchanged. A startup log makes
the new default visible.
The agent SSE reader now uses a bounded bufio.Scanner instead of an
unbounded ReadString. A hostile or buggy server can no longer grow
daemon memory by streaming a single line forever or by emitting
unbounded data: continuation lines — both are capped at 256 KiB and
1 MiB respectively, and an error is surfaced so SignalLoop reconnects.
Self-update now verifies an ed25519 signature over checksums.txt when
the binary was built with a release public key embedded (injected via
goreleaser ldflags from RELEASE_SIGNING_PUBKEY). The companion
scripts/sign-checksums runs in the release workflow when both the
public-key variable and the private-key secret are present, uploading
checksums.txt.sig next to the existing checksums file. Builds without
the embedded key continue to update with SHA256-only verification; a
--allow-unsigned flag is provided so users on a signed build can
still install pre-signing releases or recover from an accidental
unsigned release.
A new scripts/gen-release-key helper documents the one-time keypair
generation procedure required before flipping signing on.
The go-client dependency is resolved from the Go module proxy (no
replace directive in go.mod). The checkout steps were leftover from
a local replace setup and fail on actions/checkout@v6 which no
longer allows paths outside the workspace.
Docker job builds multi-arch images (amd64/arm64) and pushes to
DockerHub on each tagged release. VirusTotal job scans all release
artifacts and appends results table to release notes.
- Consolidate 3 maps (active, taskDirs, taskTrackers) into single
activeDownload struct — eliminates out-of-sync state on mid-function panic
- Cancel() runs os.RemoveAll in background goroutine (non-blocking)
- Flush(): clear dirty before unlock to prevent concurrent flush race on
same tmp file; remove fragile re-mark-on-error pattern
- Revert RWMutex → Mutex in ProgressTracker (negligible benefit under
write-heavy workload, higher overhead)
- Remove file.Sync() from debrid and usenet downloaders (Close flushes
kernel buffers; fsync blocks for seconds on large files)
- Pin golangci-lint to v2.1.6 in CI (was floating with `latest`)
- Fix CI matrix: Go 1.25+1.26 (was 1.24+1.25, but go.mod requires 1.25)
- Go deps: cobra 1.10.2, fatih/color 1.19, tablewriter 1.1.4,
anacrolix/torrent 1.61, charmbracelet/huh 1.0, pion/webrtc 4.2.11
- GitHub Actions: checkout v6, setup-go v6, golangci-lint-action v9,
codecov-action v5, ghaction-upx v4, goreleaser-action v7
- CI matrix: drop Go 1.22, test on 1.24 + 1.25
- Migrate tablewriter API from v0 to v1 (breaking change)
- Fix data race in WSTransport.readLoop (pass conn as parameter)
- Add file.Sync() before close in debrid and usenet downloaders
- Improve progress tracker: dedup MarkDone, re-mark dirty on flush error
