Skip to content

v0.6.0 release#13

Merged
bethropolis merged 46 commits into
mainfrom
dev
Jun 23, 2026
Merged

v0.6.0 release#13
bethropolis merged 46 commits into
mainfrom
dev

Conversation

@bethropolis

Copy link
Copy Markdown
Owner

582c35d docs: add v0.6.0 changelog entry
814b5fd refactor: split 6 large files into 19 single-responsibility units
0348ddb chore: stable release prep — bugs, atomic writes, safety
b43e423 feat: add GitHub Pages docs site and online installer
16da01b fix: stability fixes and enhancements
51de7a2 fix: remove duplicate -p shorthand in devices command
53ffe3d feat(share): add TUI file picker, extract shared picker to pkg/cli
3d9c9bb fix: bug fix
c0edea8 fix: case-insensitive TLS fingerprint comparison
0f2c8ce chore: final state after protocol audit fixes
68d35a9 fix: improve TLS error diag, always prompt device picker, silence usage on errors
d1af3c1 fix(protocol): force HTTP for share command (browser download API)
221bfda fix(security): verify TLS certificate fingerprint during file transfer
52f39a8 fix(protocol): add port/protocol to prepare-upload info block
4825c46 refactor(dto): remove spec-noncompliant extra fields from DTO structs
0c4ea80 fix(protocol): use valid deviceType 'headless' in private mode, return no body on upload/cancel
fd65357 fix(protocol): validate ?sessionId in PrepareDownloadHandler
261b904 fix(protocol): implement session blocking, return 409 for concurrent sessions
beb3629 fix(discovery): use POST /register instead of deprecated GET /info for HTTP subnet scan
a08245a fix(security): use constant-time PIN comparison in DownloadHandler
01be941 fix(protocol): select correct fingerprint in HTTP mode (random string, not cert hash)
c5b3a8d fix(protocol): change ProtocolVersion from '2.1' to '2.0' to match spec
2f47675 fix(send): remove interactive clipboard prompt, filepicker is the default TUI fallback
cf37d46 fix(discover): fall back to HTTP subnet scan when multicast returns nothing
de481d0 fix(scan): filter local machine out of HTTP scan results
8d35b6c fix(discovery): send multicast response via multicast addr instead of unicast back
32a628d feat(network): add gateway-based LAN subnet prioritization for scan and send
47f61e2 fix: check xdg-open availability before opening download directory
3599891 feat(freebsd): add rc.d init script for localgo service
5f13a84 feat(freebsd): enable clipboard support via clipboard_unix.go (linux||freebsd)
7aaf291 feat(cli): add --no-color flag, respect NO_COLOR env in logging Init
97a0c4a docs(help): add completion cmd, missing flags for serve/share/send, --private/--config options
138952b fix(help): correct discover --timeout default from 5 to 10
8bfafe2 fix(security): bypass DiscoverDevices private mode in cmd/send.go
413bcd1 refactor(code quality): SortFunc, mutex-safe anonymize, saveTextAsFile, interfaces, tests
ad832f9 fix(concurrency): Device mutex for LastSeen/Available, ReceiveService ticker goroutine leak
64be12d fix(logic): config set parsing, scan/discover timeouts, share port order, CIDR range, RNG fallback
9144f42 fix(security): PIN constant-time compare, server timeouts, private mode DTO bypass, strip JPEG bounds
2a8a00b fix(scratch): add XDG_CACHE_HOME so peer cache is writable
f6ed6a5 fix(scratch): add LOCALSEND_AUTO_ACCEPT=true env var
b013c88 fix: create discovery DTOs after server binds port
37be6e8 fix(scratch): set LOCALSEND_DOWNLOAD_DIR and LOCALSEND_SECURITY_DIR env vars
c01ef58 fix: docker-start passes CMD args correctly (no double localgo)
be29c69 feat: add send --ip, scan --range flags, ParseCIDRRange, export SendToDevice
6f8a9cc feat: add private mode, progress bar fixes, metadata stripping, and core improvements

The protocol field 'version' in all payloads must be '2.0' (major.minor),
regardless of the spec document version (v2.1).
…, not cert hash)

When encryption is off (HTTP), the fingerprint must be RandomFingerprint,
not CertificateHash. Fixes send.go prepare-upload, info handler, and
register handler response.
DownloadHandler was using a direct string comparison (timing attack
vulnerable). PrepareDownloadHandler already used subtle.ConstantTimeCompare.
…r HTTP subnet scan

Per spec section 3.2, legacy HTTP discovery must use POST /api/localsend/v2/register,
not GET /api/localsend/v2/info (which is deprecated and for debugging only).
…sessions

Per spec section 4.1, a 409 'Blocked by another session' must be returned
when another session is active. CreateSession now rejects new sessions
if any session already exists (fixes dead code path in handler).
Per spec section 5.2, if ?sessionId is provided, the handler should
validate it matches the actual session (use GetSessionByID). If omitted,
fall back to GetSession() as before.
…n no body on upload/cancel

- Private mode now uses 'headless' (valid spec enum) instead of 'other'
- Upload and cancel success responses return no body (w.WriteHeader) per spec
PrepareUploadRequestDto: removed sendZipped, forceBulk, targetPath,
keepFolders, token (extensions not in spec section 4.1)
FileDto: removed legacy field
PrepareUploadResponseDto: removed token field
DeviceType: removed laptop/tablet/other (not in spec section 7.1)
Per spec section 4.1, prepare-upload requests require port and protocol
in the info block. Added fields to InfoDto with omitempty so /info and
/prepare-download responses remain clean.
Adds a VerifyConnection callback that SHA-256 hashes the peer certificate
and compares it against the device's advertised fingerprint, preventing
LAN MitM attacks. InsecureSkipVerify remains true (self-signed LAN certs)
but the fingerprint check ensures the connection matches the discovered
device.
Per spec section 5, the browser download API must use HTTP because
browsers reject self-signed certificates. share command now forces
Cfg.HttpsEnabled = false unconditionally. Added --https flag for users
who explicitly want HTTPS (with warning in description). The --http
flag is now a deprecated no-op.
…ge on errors

- Include both expected and actual fingerprints in TLS mismatch error
- PickDevice no longer auto-selects when only 1 device is found
- send command sets SilenceUsage to hide help text on errors
hex.EncodeToString produces lowercase, but old security context files
may have uppercase CertificateHash. Use strings.EqualFold for the
comparison.
- Extract FilePickerModel and LaunchFilePicker to pkg/cli/filepicker.go
- send command now uses cli.LaunchFilePicker instead of local model
- share command launches file picker when --file is omitted
- share auto-enables --zip when a directory is selected via picker
--probe used -p which conflicted with the global --private/-p flag,
causing a panic when Cobra merged flagsets.
- docs/index.html: docsify-based documentation site with search
- docs/_coverpage.md: landing page with short install one-liner
- .github/workflows/deploy-docs.yml: CI to deploy docs/ to Pages
- scripts/online-install.sh: zero-dependency curl|bash installer from GitHub Releases

The short URL https://bethropolis.github.io/localgo/install.sh replaces
the long raw.githubusercontent.com URL for one-liner installs.
- progress.go: fix scrollback erasure overshoot (use actual bar count)
- storage_windows.go: lazy DLL loading (NewLazyDLL) to avoid runtime panics
- storage.go: atomic file transfers via .tmp rename pattern
- output.go: bounds-safe FormatBytes (no panic on >EB sizes)
- README: add short one-line install URL
Split files exceeding 300 LOC:
  pkg/send/send.go           -> send.go + filepath.go + verify.go + anonymize.go + upload.go
  pkg/server/handlers/...    -> receive_handlers.go + receive_upload.go + prompt.go + exec.go + history_log.go
  pkg/cli/output.go          -> output.go + format.go + notify.go + print.go
  pkg/discovery/multicast.go -> multicast.go + announce.go + config.go
  cmd/localgo/cmd/share.go   -> share.go + share_zip.go
  pkg/help/help.go           -> help.go + commands.go
@bethropolis bethropolis merged commit 605319f into main Jun 23, 2026
0 of 7 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant