Download
Available for Linux, Windows and macOS. Free and open source.
Releases
v4.0.6 Latest 1h ago · 73 · 16 Assets
[4.0.6] - 2026-06-17
AeroVault Crate Convergence
AeroFTP's AEROVAULT3 vault engine and its revision 4 Reed-Solomon error correction now live entirely in the published aerovault crate, so the desktop app, the standalone CLI and any third-party Rust project all run a single audited implementation instead of parallel copies. The app keeps only thin command wrappers over the crate, and the container format is now defined and tested in one place.
Changed
- AeroVault engine moved into the aerovault crate (0.6.0 on crates.io): the full AEROVAULT3 container (1024-byte header, gear content-defined chunking, per-chunk zstd, keyed-BLAKE3 deduplication, small-file packing, authenticated manifest) and revision 4 Reed-Solomon error correction are now owned by the crate. The app's vault_v3_* commands became thin wrappers over it, removing about four thousand three hundred lines of duplicated cryptography. A cross-implementation fixture pins the app and the crate to byte-for-byte identical containers, so a vault created by either side opens and extracts in the other and existing vaults are unaffected. AEROVAULT3 design and the unified .aerocorrect direction were driven by Ehud Kirsh. (@EhudKirsh, #162, #276)
- Benchmark profile picker uses a checkmark: the full-screen benchmark profile picker marks selected rows with [✓] instead of [x]. (@EhudKirsh, #277)
Fixed
- Folder uploads honor the skip and overwrite policy: uploading a folder to a cloud provider accepted a file-exists policy but silently ignored it, so re-uploading a tree re-sent unchanged files. The policy is now applied per file and the skipped count is reported. Found by an independent CLI security audit.
Contributors
@EhudKirsh
Downloads:
- Windows: .msi installer, .exe, or .zip portable (no installation required)
- macOS: .dmg disk image
- Linux: .deb, .rpm, .snap, or .AppImage
Download AeroFTP
- AeroFTP-4.0.6-1.x86_64.rpm — 104.7 MB · 1×
- AeroFTP-4.0.6-1.x86_64.rpm.sigstore.json — 10 KB · 2×
- AeroFTP-4.0.6-portable-windows-x64.zip — 37.2 MB · 6×
- AeroFTP-4.0.6-portable-windows-x64.zip.sigstore.json — 10 KB · 6×
- AeroFTP_4.0.6_aarch64-beta.dmg — 61.5 MB · 6×
- AeroFTP_4.0.6_amd64.AppImage — 62.6 MB · 1×
- AeroFTP_4.0.6_amd64.AppImage.sigstore.json — 10.1 KB · 2×
- AeroFTP_4.0.6_amd64.deb — 51.9 MB · 4×
- AeroFTP_4.0.6_amd64.deb.sigstore.json — 9.9 KB · 3×
- aeroftp_4.0.6_amd64.snap — 245.5 MB · 3×
- aeroftp_4.0.6_amd64.snap.sigstore.json — 9.9 KB · 4×
- AeroFTP_4.0.6_x64-beta.dmg — 64.4 MB · 6×
- AeroFTP_4.0.6_x64-setup.exe — 43.4 MB · 10×
- AeroFTP_4.0.6_x64-setup.exe.sigstore.json — 10 KB · 6×
- AeroFTP_4.0.6_x64_en-US.msi — 63.3 MB · 8×
- AeroFTP_4.0.6_x64_en-US.msi.sigstore.json — 9.9 KB · 5×
v4.0.5 1d ago · 183 · 16 Assets
[4.0.5] - 2026-06-16
Two Encryption Pillars: AeroCrypt Overlay and AeroVault v4, plus an Interactive CLI, Server Groups and Hardening
This release stands on two encryption pillars. AeroCrypt is the workhorse: a native client-side encrypted overlay that turns any server, protocol or provider into a very high security, zero-knowledge vault, browsed in the very same dual panel as a normal server (rclone crypt rides the same surface as the labelled interop lane). AeroVault v4 is the second pillar: the v3 container plus Reed-Solomon error correction, so an encrypted vault not only stays private but survives bit-rot and partial corruption. Around the two, the CLI grows a full-screen interactive file manager and an inline interactive profiles menu, saved profiles can be organised into named groups, file versioning lands for Filen and MEGAcmd, and a wave of Windows and cross-platform fixes from the community is folded in.
AeroCrypt: Native Encrypted Overlay (turn any backend into a vault)
AeroCrypt is the workhorse of the release: it turns any server, protocol or provider into a very high security vault. Client-side encryption wraps the storage backend so the remote bucket only ever holds ciphertext and obfuscated names, while the decrypted view is browsed exactly like a normal server in the standard dual panel. On a provider that already encrypts at rest this is genuine double encryption keyed only by you, and on one that offers nothing of its own it still becomes zero-knowledge. rclone-crypt stays beside it as the labelled interop lane, and there is no default cipher: you actively choose AeroCrypt or rclone-crypt.
Added
- Native AeroCrypt overlay (format AECR): per-file encrypted blobs with deterministically encrypted names, so an encrypted scope stays listable, navigable and syncable object by object. Content is AES-256-GCM-SIV under a per-file random data key that is wrapped with AES-256-KW under an Argon2id (128 MiB, t=4, p=4) master key, and filenames use AES-256-SIV. At rest the bucket holds only obfuscated names and ciphertext. (@EhudKirsh, #272, #276)
- Shared crypto codec: the audited cipher core is extracted from the AeroVault v3 engine into one shared module, so the AeroVault container and the AeroCrypt overlay run on a single implementation and a single audit pass instead of two parallel cipher stacks. (#276)
- Folder-tree traversal for the native overlay, so an encrypted directory tree is walked and rendered with decrypted names at every level.
- Native GUI unlock modal and dual-panel integration: unlock an overlay from a styled window, after which the standard local-and-remote dual panel renders the decrypted overlay with full parity to a normal server (list, navigate, get, put), reaching feature parity with the existing CLI crypt subcommand.
- AeroCrypt Profile (per-profile binding): bind an overlay to a saved server profile so it auto-unlocks on connect, with a toggle in the connection form, per-session binding that survives a profile switch or reconnect, and edit-mode guards that lock the binding so it cannot be silently changed.
- UX polish: rclone-crypt auto-unlock, a decrypt animation, a stateful path-bar badge showing the active encrypted scope, long-encrypted-name wrapping in the status box, and the overlay anchored at the configured remote folder rather than the live working directory.
- i18n: the native AeroCrypt strings are translated across all 47 locales.
Changed
- Naming: the rclone-format overlay is now labelled "Rclone Crypt" and the "AeroCrypt" name is reserved for the native format, so the two encrypted lanes are unambiguous in the UI.
Fixed / Hardened (AECR v3 pre-release audit)
A five-reviewer pre-release audit of the overlay codec closed two live data-loss and downgrade classes, and the format was bumped to v3:
- Per-file length binding: every content block binds its block index AND the total block count as AAD, and the total count is also carried authenticated in the file header. Silent truncation (dropped tail or whole blocks) and append (trailing bytes or extra blocks) now fail closed instead of returning short or padded plaintext.
- Key-bound config MAC: the .aeroftp-crypt.json config carries an HKDF-SHA256 MAC bound to the master key (over version, block size, the Argon2 profile and the salt). A tampered or downgraded config is rejected on unlock, and a wrong password now gives a clean error instead of an empty listing.
- Init refuses to clobber: crypt init will not overwrite an existing overlay config unless --force is passed, because re-initialising rotates the salt and would orphan every file already in the overlay.
- Empty crypt password rejected, and the decrypted plaintext download is written atomically.
- Legacy formats are read-only: existing v1 and v2 overlays keep decrypting transparently, but every new object is written as v3, so a stale or downgraded config can never produce weaker ciphertext.
AeroVault v4 (v3 + Error Correction): Reed-Solomon Self-Healing Vaults
The second pillar of the release. AeroVault v4 is the audited v3 container plus a Reed-Solomon error-correction wrapper, so a vault survives bit-rot and partial corruption, not just eavesdropping. "v3 + EC = v4" is a forward-compatible, non-critical extension, and EC runs last in the four-wrapper pipeline (compression, chunking, crypt, EC) per the Ehud Kirsh #272/#276 design.
Added
- Real Reed-Solomon (reed-solomon-erasure 6, 10+2) on the concatenated live-block stream, with a fixed-grid v2 payload (AVEC magic, K=10 / P=2, clamped 4 KiB to 1 MiB shards, 16-byte per-shard BLAKE3 checksums for erasure including parity). Overhead is about 20% on incompressible data, down from about 200% in the v1 one-block-one-shard layout.
- scrub_vault / repair_vault with an all-or-nothing repair gate (every block is re-verified against its cipher_hash before persist; otherwise the vault is left untouched and rolled back).
- Tauri commands vault_v3_scrub and vault_v3_repair (with dry-run).
- CLI: vault create --error-correction (alias --ec), vault info (has_ecc plus an ecc object), vault scrub <path>, vault repair <path> [--dry-run], all with text and --json output and honest reports.
- GUI: a VaultCreate ECC toggle (experimental), conditional Scrub and Repair actions in VaultBrowse, draggable modals, and ECC telemetry in VaultReport and the receipt (shards generated, bytes protected, overhead, repair events).
- i18n keys for all new ECC UI strings across the locales.
Fixed / Hardened
- The repair path no longer trusts unverified reconstruction (CLAUDE-AV-ECC-01), closed by the all-or-nothing gate plus regression tests.
- The v1 overhead explosion is fixed by the v2 grid, and a latent repair truncation misalignment is fixed with fixed-length zero-pad buffers.
Security and quality audit (2026-06-11)
A post-implementation audit of the full v4 EC surface (vault and AeroSync) by four independent reviewers. All CRITICAL, HIGH and MEDIUM findings were fixed:
- Sidecar parsers hardened against untrusted-remote input: ErrorCorrectionPayload::from_bytes uses checked arithmetic and bounds before allocating (closing a remote DoS via overflow/OOM), AeroSyncEcSidecar::from_bytes bounds the segment count before allocating, and remote sidecar reads are size-capped.
- AeroSync correctness: compare always excludes the EC sidecars (no longer treating them as orphan data), remote-delete removes the paired sidecar, and the engine surfaces ec_verify_failed so an unrepairable download is not reported healthy.
- sync-doctor EC cost estimate now uses real v2 grid geometry (it was under-reporting small-file sidecars by up to about 600x).
- Cleanups: dead code removed, generation telemetry wired, reed-solomon-erasure pinned to 6.0.0, and 9 codec/estimate tests added including the overflow regression.
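The checked-arithmetic and bounds-before-allocating rule from the audit list above, shown on a parser written for this page (an added example, not code from the aerovault crate). The 18-byte header layout, the names parse_ec_payload, EcPayload and build_sample, and the 64 MiB read cap are assumptions; only the AVEC magic, the 4 KiB to 1 MiB shard clamp and the 16-byte per-shard checksums come from the notes.

```rust
// Added example. The byte layout below is an assumption made for illustration,
// not the aerovault crate's real on-disk format:
//   header: "AVEC" | k: u8 | p: u8 | shard_size: u32 LE | stripes: u64 LE  (18 bytes)
//   body:   stripes*(k+p) 16-byte shard checksums, then stripes*p parity shards

const MAGIC: &[u8] = b"AVEC";
const HEADER_LEN: usize = 18;
const MIN_SHARD: u64 = 4 * 1024; // shard clamp range quoted in the release notes
const MAX_SHARD: u64 = 1024 * 1024;
const MAX_SIDECAR: usize = 64 * 1024 * 1024; // assumed cap on a remote sidecar read

#[derive(Debug, PartialEq)]
pub enum ParseError {
    TooLarge,
    Truncated,
    BadMagic,
    BadGeometry,
    Overflow,
    LengthMismatch { declared: u64, actual: u64 },
}

#[derive(Debug)]
pub struct EcPayload {
    pub data_shards: u8,
    pub parity_shards: u8,
    pub shard_size: usize,
    pub checksums: Vec<[u8; 16]>,
    pub parity: Vec<Vec<u8>>,
}

fn le_u64(b: &[u8]) -> u64 {
    let mut a = [0u8; 8];
    a.copy_from_slice(b);
    u64::from_le_bytes(a)
}

pub fn parse_ec_payload(buf: &[u8]) -> Result<EcPayload, ParseError> {
    // Cap the input first: the bytes come from a remote the client does not trust.
    if buf.len() > MAX_SIDECAR {
        return Err(ParseError::TooLarge);
    }
    if buf.len() < HEADER_LEN {
        return Err(ParseError::Truncated);
    }
    if &buf[..4] != MAGIC {
        return Err(ParseError::BadMagic);
    }
    let (k, p) = (buf[4], buf[5]);
    let shard_size = u64::from(u32::from_le_bytes([buf[6], buf[7], buf[8], buf[9]]));
    let stripes = le_u64(&buf[10..18]);
    if k == 0 || p == 0 || shard_size < MIN_SHARD || shard_size > MAX_SHARD {
        return Err(ParseError::BadGeometry);
    }
    // Every size derived from header fields uses checked arithmetic, so a huge
    // `stripes` value yields an error instead of wrapping to a small number.
    let per_stripe = u64::from(k) + u64::from(p);
    let checksum_bytes = stripes
        .checked_mul(per_stripe)
        .and_then(|n| n.checked_mul(16))
        .ok_or(ParseError::Overflow)?;
    let parity_bytes = stripes
        .checked_mul(u64::from(p))
        .and_then(|n| n.checked_mul(shard_size))
        .ok_or(ParseError::Overflow)?;
    let declared = (HEADER_LEN as u64)
        .checked_add(checksum_bytes)
        .and_then(|n| n.checked_add(parity_bytes))
        .ok_or(ParseError::Overflow)?;
    // The declared size must equal the bytes actually received. Nothing is
    // allocated before this check, so allocations are bounded by MAX_SIDECAR.
    let actual = buf.len() as u64;
    if declared != actual {
        return Err(ParseError::LengthMismatch { declared, actual });
    }
    let (sums, parity) = buf[HEADER_LEN..].split_at(checksum_bytes as usize);
    let to_sum = |c: &[u8]| {
        let mut a = [0u8; 16];
        a.copy_from_slice(c);
        a
    };
    let checksums = sums.chunks_exact(16).map(to_sum).collect();
    let parity = parity.chunks_exact(shard_size as usize).map(|c| c.to_vec()).collect();
    Ok(EcPayload { data_shards: k, parity_shards: p, shard_size: shard_size as usize, checksums, parity })
}

// Constructed sample input for the demo (filler bytes, not real checksums or parity).
pub fn build_sample(k: u8, p: u8, shard_size: u32, stripes: u64) -> Vec<u8> {
    let mut v = MAGIC.to_vec();
    v.push(k);
    v.push(p);
    v.extend_from_slice(&shard_size.to_le_bytes());
    v.extend_from_slice(&stripes.to_le_bytes());
    let n_sums = stripes as usize * (k as usize + p as usize);
    v.resize(v.len() + n_sums * 16, 0xAA);
    v.resize(v.len() + stripes as usize * p as usize * shard_size as usize, 0x55);
    v
}

fn main() {
    let good = build_sample(10, 2, 4096, 1);
    println!("valid: {} checksums", parse_ec_payload(&good).unwrap().checksums.len());
    let mut hostile = good.clone();
    hostile[10..18].copy_from_slice(&u64::MAX.to_le_bytes());
    println!("hostile stripe count: {:?}", parse_ec_payload(&hostile).unwrap_err());
}
```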
Unified .aerocorrect sidecar and windowed streaming (2026-06-12)
The two detached parity formats are unified into one .aerocorrect format (magic AEROCORR), per Ehud Kirsh's #276 request for a single error-correction sidecar usable on any file:
- Vault: the old .aerovault.rec recovery file is retired, the sidecar carries three fixed segments (header, manifest, data windows) bound by the container's content SHA-256, and the authenticated repair re-verify is preserved, so a foreign or stale sidecar can only make a repair fail, never overwrite.
- AeroSync: the sidecar becomes content-bound and windowed. Large files are tiled into 64 MiB windows (one Reed-Solomon parity segment each), generation, verification and repair stream one window at a time, repair rebuilds each window into a temp file and replaces the original atomically only if the whole repaired stream hashes back to the expected value, and the per-file cap becomes a configurable 1 GiB default.
- Self-healing (format v2): a lightly corrupted sidecar still recovers, because the locator directory is triplicated and per-copy checksummed and a rotted shard is routed around by the per-shard erasure instead of rejecting the whole sidecar.
AeroSync Error Correction Control
Added
- Error-correction control in the Plan tab, with the .aerocorrect (AERC1) EC sidecars wired into the sync pipeline and a default-on for the Backup preset.
- EC sidecar cost estimate in sync-doctor, and EC sidecars deleted together with remote sync deletes so they are never left orphaned.
Interactive CLI TUI, alpha preview (rev 1.0.3-alpha)
Secondary and experimental. A full-screen dual-pane file manager in the CLI (aeroftp tui) shipped as an early alpha preview, so the community can try it and send wishes before it is built out further. It already offers a GUI-style My Servers IntroHub (health dot, on-demand quota refresh, favourite toggle), a 50/50 dual-pane browser with cross get/put, a command palette, file-manager table stakes (sort, filter, select, view, edit), a live transfer queue with resumable downloads, and saved-server group management (#320). Feedback and feature requests are welcome.
Interactive profiles Shell
Added
- profiles -i inline action menu: a single-key inline action bar (re-index, favourite, connect, edit, delete, quit) replaces the separate full-screen view. (@EhudKirsh, #311)
- refresh command in the interactive profiles loop. (@EhudKirsh, #266)
- Group rename and delete from the interactive shell, and server groups mirrored in the profiles view. (#320)
Changed
- Reorder reprint split into old and new index columns for an unambiguous diff. (@EhudKirsh, #270)
Server Groups
Added
- Organise saved profiles into named groups on My Servers, in the FlashFXP-style Site Manager spirit. Groups are stored in the encrypted per-user vault, shown as chips with live counts, populated via add-to-group from the right-click menu, renamed and deleted from the chips, and membership is carried across convert and duplicate. The same groups are mirrored in the CLI profiles view and the TUI. (@timint, #320)
File Versioning
Added
- Filen and MEGAcmd-over-WebDAV file versioning (list, get, restore), with a versioning-bytes segment added to the storage-quota bar. (@EhudKirsh, #270)
- CLI versions group, plus versioning bytes reported in df. (@EhudKirsh, #270)
Quick Connect and Connection Improvements
Added
- Opt-in credential persistence per protocol: persist a profile's credentials for every protocol of one account across restarts, opt-in and per-mode, which unblocks multi-tab use of providers like MEGA and pCloud. (@EhudKirsh, #215)
- Per-mode credentials retained when switching provider tabs, and the Create-Account and Generate-Password links kept visible across mode tabs. (@EhudKirsh, #215)
- Docs link to docs.aeroftp.app on every Quick Connect page. (@EhudKirsh, #270)
- Custom icon picker on every Quick Connect page. (@EhudKirsh, #270)
- Unified MEGA Quick Connect page with a MEGAcmd Fetch-URL button that auto-fills the WebDAV bridge endpoint. (@EhudKirsh, #215)
Fixed
- OneDrive Get-credentials URL now points to the App Registrations list blade. (@EhudKirsh, #270)
- 4shared Get-credentials link opens reliably. (@EhudKirsh, #270)
CLI Extras
Added
- compress and extract for zip, 7z, tar, tar.gz, tar.xz and tar.bz2 (plus rar extract), with an AES-256 --password for zip and 7z, compression-level control, a format override, and --json. A zip entry is stored instead of deflated when deflate would not shrink it. (@EhudKirsh, #276)
- tree depth reporting with a labelled layer ruler and legend so 0-based depth is unambiguous, plus a layers field in JSON. (@EhudKirsh, #270)
- Benchmark many-small-files axis (--file-count / --file-size) reporting files/sec and per-file latency for upload, list, stat, download and delete. (@EhudKirsh, #277)
- --strict / AEROFTP_STRICT safety mode.
- CLI ECC scrub/repair and the --ec flag (covered under AeroVault v4 ECC above).
Security
Changed
- russh upgraded to 0.61.2 (with russh-sftp 2.1.2), clearing the long-deferred SSH advisories (HIGH GHSA-wwx6-x28x-8259 and MEDIUM GHSA-hpv4-5h6f-wqr3 plus the SFTP parsing advisories). The upgrade was gated on an SFTP live test (connect, listing, download, upload, stat, recursive delete including dotfiles, df) that passed byte-intact against a real server, and two suppressions are removed from the audit config.
AeroFile and Modal UX
Added
- Rubber-band selection and click-to-deselect in AeroFile: drag a selection box over the file area to select multiple items in all three views (list, grid, large icons), with Ctrl/Cmd/Shift to extend the selection and edge auto-scroll, and click an empty area to clear the selection. (@EhudKirsh, #270)
- AeroImage lossless or lossy labels: every image edit is marked lossless or lossy with an accurate per-operation and per-format mapping (JPEG and GIF re-encode lossy, PNG/WebP/BMP/TIFF stay lossless), plus a per-format note in the Save dialog. (@EhudKirsh, #270)
- Draggable dialogs everywhere: every single modal can now be moved by dragging its header, so a dialog never blocks the content underneath it.
- Guarded close on busy or unsaved modals: a modal that is running an operation (a transfer or a sync) or holding unsaved edits no longer closes on a stray click outside; closing it asks whether to stop or discard, or to keep working.
- Cancel a local AeroSync run: the AeroSync dialog's local mirror can be stopped mid-run from a Stop control, and the dialog guards its close while a sync is in flight. (extends @rockaut, #332)
Changed
- Crypt overlay entries are provider-aware: the AeroCrypt and rclone-crypt overlay open/create entries and the connection-form toggle now appear only on backends where a transparent encryption overlay applies, and are hidden on media-only APIs (Immich, ImageKit, Uploadcare, Cloudinary, Google Photos) and code hosting (GitHub, GitLab) where it does not.
- Account chooser readability: the account picker reuses the lock-screen backdrop so the chosen pattern stays visible in light mode and the account cards stand out, and the My Servers count reads "X / Y" consistently.
Windows and Cross-Platform Fixes
Fixed
- Cancelling a sync now stops it: the Stop control was not wired to the sync loop, and an individual download or upload already in progress could not be interrupted. Stop now halts the run at the next file and a force stop aborts the in-flight transfer, so a large item no longer keeps going. (@rockaut, #332)
- Removing the master password always completes: "unsecuring" the app could get stuck when the OS credential store rejected the write, leaving you locked in protected mode. It now falls back to a file-permission-protected on-disk key when the keyring is unavailable. (@rockaut, #333)
- Windows portable persists server profiles: the portable build could silently fail to save profiles when the Windows Credential Manager was unavailable, because the vault never initialized. It now falls back to a self-contained on-disk key so the vault initializes and profiles are saved. (@rockaut, #334)
- AeroFile decrypts .cryptomator vaults again: the unlock window prefills the correct vault root from the file you select, and a crypto feature flag that broke Cryptomator vault creation and GitHub App auth is fixed. (@EhudKirsh, #322)
- FTP recursive delete includes dotfiles: hidden files are no longer left behind, which previously could make a recursive delete fail on a non-empty directory.
Contributors
Thanks to the people who shaped this release:
@rockaut, @EhudKirsh, @timint
Download AeroFTP
- AeroFTP-4.0.5-1.x86_64.rpm — 104 MB · 4×
- AeroFTP-4.0.5-1.x86_64.rpm.sigstore.json — 10.1 KB · 5×
- AeroFTP-4.0.5-portable-windows-x64.zip — 35.5 MB · 16×
- AeroFTP-4.0.5-portable-windows-x64.zip.sigstore.json — 10.1 KB · 11×
- AeroFTP_4.0.5_aarch64-beta.dmg — 61.1 MB · 11×
- AeroFTP_4.0.5_amd64.AppImage — 62.3 MB · 9×
- AeroFTP_4.0.5_amd64.AppImage.sigstore.json — 10 KB · 5×
- AeroFTP_4.0.5_amd64.deb — 51.6 MB · 30×
- AeroFTP_4.0.5_amd64.deb.sigstore.json — 10.1 KB · 8×
- aeroftp_4.0.5_amd64.snap — 245 MB · 2×
- aeroftp_4.0.5_amd64.snap.sigstore.json — 10 KB · 3×
- AeroFTP_4.0.5_x64-beta.dmg — 64 MB · 7×
- AeroFTP_4.0.5_x64-setup.exe — 43.3 MB · 24×
- AeroFTP_4.0.5_x64-setup.exe.sigstore.json — 10 KB · 15×
- AeroFTP_4.0.5_x64_en-US.msi — 63.1 MB · 20×
- AeroFTP_4.0.5_x64_en-US.msi.sigstore.json — 10 KB · 13×
v4.0.4 10d ago · 594 · 16 Assets
[4.0.4] - 2026-06-07
Reversible Restricted-Filename Encoding, CLI Polish and Stability
A focused follow-up to v4.0.3. Filenames that a provider would otherwise reject now round-trip transparently on Box, Dropbox, Jottacloud and OpenDrive; the interactive CLI absorbs the next wave of the community wishlist (#270); and three stability bugs are fixed, including a long-standing tray crash on suspend/resume, a zero-size main window on macOS Tahoe (#290), and an OAuth reconnect that re-ran the full browser flow every time (#270).
Added
- Reversible restricted-filename encoding (#272, #266): Box, Dropbox, Jottacloud and OpenDrive now transparently encode filename characters the provider rejects (control characters plus each provider's reserved set) using the rclone-compatible reversible scheme (fullwidth and control-picture mappings, a quote-collision escape, and position-dependent space and dot rules), then decode them back on listing. A name like a:b round-trips intact instead of failing silently. The encode/decode runs once at the provider boundary, so it covers the GUI, every CLI cmd_* handler, CLI sync/benchmark, the transfer engine and the session manager at once, and is property-tested decode(encode(s)) == s over tens of thousands of cases per provider. Providers whose only restriction is control characters keep the clear localized error from v4.0.3. (@EhudKirsh, #272/#266)
- CLI interactive shell polish (#270): the profiles -i user-switch now accepts the compact u3/3u tokens (it was the only action that still required the spaced u <N|name> form), and a # <selector> <N> reorder reprints the table with a visual diff: a red struck-through ghost at the old slot, the live row at the new slot joined by a left-gutter arrow, and old -> new markers on every row whose index shifted. (@EhudKirsh, #270)
- Lightweight CI checks job: a fast workflow runs cargo fmt --check, cargo audit (RustSec advisory scan) and the vitest React suite on every PR and push, outside the heavy Tauri build/release matrix, closing three gaps in CI coverage.
Changed
- Discover health-check toggle is now an icon-only button: the Activity icon is lit when health checks are on and dimmed when off, replacing the sliding switch for the same on/off affordance (role=switch and aria-checked kept). The manual Check button is unchanged.
- My Servers filters: My Servers gains a "Local bridge" filter chip. The free/paid and HQ-country signals stay on the Discover page, where they help before you sign up, and were dropped from My Servers, where an already-saved server makes them redundant.
- PixelUnion catalog corrected to 16 GB free storage with a free API, regenerating the CLI catalog, README and docs/PROVIDERS.md from the single source of truth.
Fixed
- macOS Tahoe zero-size window (#290): the main window could come up at a 0x0 content size on macOS 26 Tahoe, leaving only a Dock icon. Two causes are addressed. First, a window-state file poisoned by the pre-v4.0.3 borderless builds saved a 0x0 size, so even after the v4.0.3 overlay title-bar fix the window was restored at zero size; the app now self-heals any restored inner size below the minimum (or zero) by resetting it to the computed initial size and re-centering, repairing already-poisoned state files without the user deleting anything (idempotent on healthy windows, cross-platform). Second, the reporter confirmed the WebKit content can still collapse to 0x0 at show() time even with a completely fresh config, so the size is now also re-asserted after the window is on screen (the documented WebKit workaround) and re-checked on a short delay, with timestamped [diag #290] lines added at four points to pinpoint exactly when a collapse lands. (@alexhorner, #290)
- Default account skipped welcome after tray Quit (#270): with more than one passphrase-free account the boot picker reappeared on every relaunch instead of entering the starred default, because a persisted password-free active user reported as already unlocked and bypassed the default-account fast path. The boot policy is now a pure, unit-tested decision that honors the default account on boot (the default wins over the last-active user); protected accounts still show their prompt and an explicit "switch account" still forces the picker. (@EhudKirsh, #270)
- OAuth reconnect re-authorized every time (#270): reconnecting an OAuth profile re-ran the full browser authorization instead of reusing the saved per-profile token, because a snake_case profile_id argument never bound through Tauri v2's camelCase mapping and the check fell back to the legacy singleton key. Passing profileId so it binds restores token reuse on reconnect. (@EhudKirsh, #270)
- Tray heap corruption on suspend/resume: tray badge updates mutated the StatusNotifierItem (over GDBus on Linux) directly from caller threads, including the background sync worker on a tokio worker thread, racing the GLib main loop and corrupting the GLib heap (the recurring malloc(): unaligned fastbin chunk detected abort). The RGBA icon is now generated off-thread and every tray mutation is marshalled onto the GTK main thread via run_on_main_thread.
- CLI bootstrap hardening + rclone FTPS export: --help, --version, agent-info, profiles, catalog and completions no longer depend prematurely on config / data-root / AIMD, the pre-clap parser no longer mistakes valued global options for subcommands, and a missing or unreadable default AIMD config no longer blocks metadata commands. rclone export now emits only explicit_tls = true for FTPS profiles; the previous tls = true meant implicit FTPS to rclone and produced an unusable remote.
Maintenance
- cargo fmt sweep across src-tauri (no semantic change, only re-wrapping and trailing-newline fixes) to bring the tree to cargo fmt --check compliance after several wishlist contributions, now enforced by the new CI checks job.
Contributors
Thanks to the people who shaped this release:
@EhudKirsh, @alexhorner
Download AeroFTP
- AeroFTP-4.0.4-1.x86_64.rpm — 101.2 MB · 17×
- AeroFTP-4.0.4-1.x86_64.rpm.sigstore.json — 9.9 KB · 8×
- AeroFTP-4.0.4-portable-windows-x64.zip — 34.6 MB · 45×
- AeroFTP-4.0.4-portable-windows-x64.zip.sigstore.json — 9.9 KB · 15×
- AeroFTP_4.0.4_aarch64-beta.dmg — 59.5 MB · 27×
- AeroFTP_4.0.4_amd64.AppImage — 60.6 MB · 37×
- AeroFTP_4.0.4_amd64.AppImage.sigstore.json — 9.7 KB · 6×
- AeroFTP_4.0.4_amd64.deb — 50.2 MB · 127×
- AeroFTP_4.0.4_amd64.deb.sigstore.json — 9.9 KB · 26×
- aeroftp_4.0.4_amd64.snap — 243.1 MB · 4×
- aeroftp_4.0.4_amd64.snap.sigstore.json — 9.7 KB · 4×
- AeroFTP_4.0.4_x64-beta.dmg — 62.4 MB · 11×
- AeroFTP_4.0.4_x64-setup.exe — 41.9 MB · 121×
- AeroFTP_4.0.4_x64-setup.exe.sigstore.json — 9.9 KB · 22×
- AeroFTP_4.0.4_x64_en-US.msi — 61.1 MB · 101×
- AeroFTP_4.0.4_x64_en-US.msi.sigstore.json — 9.7 KB · 23×
v4.0.3 11d ago · 239 · 16 Assets
[4.0.3] - 2026-06-05
Community Roadmap, CLI Security Audit & Transfer Hardening
A community-driven release: the Add Service catalog is rebuilt (#224), the Ehud wishlist lands across several waves (#270), the MEGAcmd WebDAV bridge is fixed end-to-end (#275/#264), and a two-stage independent CLI security audit hardens every destructive and agent-facing surface. It also fixes window presentation on macOS Tahoe (#290), isolates development from the released app's credentials (#302), and folds in the DAG transfer audit patch sets and the server-side-copy migration.
Added
- Add Service catalog overhaul (#224): the Add Service page becomes a company-centric catalog with a list view alongside the grid, per-protocol categories that split a company's products, available storage regions shown inline, a free/paid filter, in-grid search, and provider website links. A matching CLI catalog subcommand mirrors the same data from a single source of truth. (@EhudKirsh, #224)
- MEGAcmd WebDAV bridge auto-arm (#275, #264): connecting a MEGAcmd profile auto-arms the local WebDAV bridge with a warmup notice; keep-alive reuse is disabled and transport errors are detailed, fixing single-file image preview. (@EhudKirsh, #275)
- Connection UX: cancel an in-progress connection with Esc, plus a slow-connect modal while a connection is still establishing.
- Backblaze B2 concurrent Range download for the native provider.
- CLI: interactive tree depth control with a MEGAcmd warmup notice, a raw-mode arrow-key navigator in the interactive profiles -i shell, and dedupe --force / --max-delete for the destructive resolution modes.
- Wishlist items (#270): tray restore from minimize, view-as-text in the preview pane, Yandex storage quota, image-preview transparency background, multi-user welcome polish, an offline-users note, and assorted copy fixes. (@EhudKirsh, #270)
Changed
- Server-side copy unified: 14 native providers migrated from the legacy server_copy to server_side_copy; the multipart trait is documented as NotSupported-by-design on the remaining 8.
- Snap Store listing description refreshed.
Fixed
- CLI security audit (Codex + Opus, parallel then joint): closed the merged release-gate findings (W0/W1) and a second-pass follow-up (W0.6) across every destructive and agent-facing surface:
  - Atomic download failure no longer deletes a pre-existing target file (get/pget).
  - sync --delete refuses to run from an incomplete or partial directory scan, including a --from-reconcile plan produced from a partial reconcile; a default delete cap bounds the blast radius.
  - The CLI remote-path resolver and the serve, speed and benchmark commands reject .. traversal and null bytes (exit 5) instead of operating on a substituted or escaped path.
  - rm -r, sync --delete and the dedupe destructive modes fail closed in non-interactive (non-TTY) use without an explicit confirmation flag.
  - MCP tool errors are scrubbed of API keys and bearer tokens before entering model context; the MCP line reader is bounded; debug snapshots redact secrets.
  - Agent profile lookup is deterministic on duplicate names, accepts numeric selectors, and applies provider options; discovery output emits stable protocol lists.
  - Roughly forty findings closed with new unit tests and a live read-only matrix.
- macOS 26.5 Tahoe no window (#290): a borderless main window could not become key, leaving only a Dock icon after the splash; the window now presents via an overlay title bar. (@alexhorner, #290)
- Dev/release data isolation (#302): debug builds use a sibling data root and -dev keyring accounts, with a release-only non-destructive migration, so a development run can no longer read or corrupt the released app's credentials. (@raelb, #302)
- DAG transfer audit: two patch sets correcting the multipart threshold (and growing the chunk when the part count clamps), an AIMD deficit race, a multipart commit leak, parallel-part dispatch, Nextcloud parallel chunks and chunked-v2 threshold (256 MiB), the Azure threshold, and WebDAV download routing.
- S3 (#196): request logging routed to debug so ls and tree stay clean. (@EhudKirsh, #196)
- Archive: archives are written to a temporary file and renamed on success; the compress_files command registration is restored.
- CLI: profile-copy-user / profile-move-user registered in the dispatcher allowlist; connection mode tabs persist across an in-edit protocol switch.
Contributors
Thanks to the people who shaped this release: @EhudKirsh, @alexhorner, @raelb
Downloads:
- Windows: .msi installer, .exe, or .zip portable (no installation required)
- macOS: .dmg disk image
- Linux: .deb, .rpm, .snap, or .AppImage
Download AeroFTP
- AeroFTP-4.0.3-1.x86_64.rpm — 100.7 MB · 4×
- AeroFTP-4.0.3-1.x86_64.rpm.sigstore.json — 9.7 KB · 4×
- AeroFTP-4.0.3-portable-windows-x64.zip — 34.6 MB · 16×
- AeroFTP-4.0.3-portable-windows-x64.zip.sigstore.json — 9.9 KB · 6×
- AeroFTP_4.0.3_aarch64-beta.dmg — 59.4 MB · 12×
- AeroFTP_4.0.3_amd64.AppImage — 60.4 MB · 9×
- AeroFTP_4.0.3_amd64.AppImage.sigstore.json — 9.8 KB · 5×
- AeroFTP_4.0.3_amd64.deb — 50.1 MB · 27×
- AeroFTP_4.0.3_amd64.deb.sigstore.json — 9.7 KB · 7×
- aeroftp_4.0.3_amd64.snap — 242.8 MB · 3×
- aeroftp_4.0.3_amd64.snap.sigstore.json — 10.1 KB · 3×
- AeroFTP_4.0.3_x64-beta.dmg — 62.1 MB · 6×
- AeroFTP_4.0.3_x64-setup.exe — 41.9 MB · 67×
- AeroFTP_4.0.3_x64-setup.exe.sigstore.json — 10 KB · 7×
- AeroFTP_4.0.3_x64_en-US.msi — 61 MB · 51×
- AeroFTP_4.0.3_x64_en-US.msi.sigstore.json — 9.9 KB · 12×
v4.0.2 12d ago · 230 · 16 Assets
[4.0.2] - 2026-06-04
Cross-Machine Keystore Portability & Agent-Facing Polish
Makes a multi-user keystore backup open correctly on a second computer, makes the import reversible and legible, and lands the agent-breaking CLI/MCP fixes.
Added
- Portable passphrase-less accounts: a keystore backup now carries a transport-wrapped key (Argon2id over the backup password) for each passphrase-less user partition, and the import re-keys it to the local device. An account that previously showed an empty "My Servers" after a cross-machine import now populates correctly.
- Repair multi-user data: a Settings panel that proactively detects accounts whose data key is bound to another machine and rebuilds them from this device's saved servers, always taking a timestamped snapshot first.
- Reversible keystore import: the import snapshots the existing user_partitions.db to a timestamped .bak before overwriting it, and a post-import summary modal surfaces the restart prompt, cross-machine re-key counts, and the snapshot path instead of a transient toast.
- Lean MCP list_servers: aeroftp_list_servers returns lean identity fields by default; pass include_capabilities: true to embed the full per-profile transfer-capabilities block. A vault of 80+ servers no longer overflows the agent tool-result cap on the default call.
Fixed
- MCP error readability: S3, WebDAV, and Azure XML error messages no longer leak '/&/< into JSON error fields; the final error formatter now emits raw UTF-8.
- Quiet JSON output: the path-resolution Note: line is now silenced in --json mode, matching the profile banner and Next: hints, so a machine-readable run stays quiet on both streams.
Changed
- Settings backup table: the legacy "Other Apps" and "Import Any" rows collapse into a single "Bridge" row with a FILE FORMAT column listing the supported export extensions.
- i18n style: replaced roughly 2024 em-dashes with ASCII hyphens across all 47 locale files (punctuation only, no meaning change).
- Dependencies: chrono 0.4.45, log 0.4.32, reqwest 0.13.4 (non-pinned patch updates).
- Merged wishlist slice 2/3 from main: OpenDrive Native API header label, MEGAcmd real-quota storage handling, Manage Users avatar edit, and switching the active user from the interactive profiles -i loop.
- Windows: .msi installer, .exe, or .zip portable (no installation required)
- macOS: .dmg disk image
- Linux: .deb, .rpm, .snap, or .AppImage
- AeroFTP-4.0.2-1.x86_64.rpm — 100.3 MB · 2×
- AeroFTP-4.0.2-1.x86_64.rpm.sigstore.json — 9.9 KB · 1×
- AeroFTP-4.0.2-portable-windows-x64.zip — 34.5 MB · 8×
- AeroFTP-4.0.2-portable-windows-x64.zip.sigstore.json — 10.1 KB · 6×
- AeroFTP_4.0.2_aarch64-beta.dmg — 59 MB · 13×
- AeroFTP_4.0.2_amd64.AppImage — 60.2 MB · 7×
- AeroFTP_4.0.2_amd64.AppImage.sigstore.json — 10.1 KB · 2×
- AeroFTP_4.0.2_amd64.deb — 49.8 MB · 31×
- AeroFTP_4.0.2_amd64.deb.sigstore.json — 10.1 KB · 7×
- aeroftp_4.0.2_amd64.snap — 242.5 MB · 2×
- aeroftp_4.0.2_amd64.snap.sigstore.json — 10 KB · 3×
- AeroFTP_4.0.2_x64-beta.dmg — 61.7 MB · 8×
- AeroFTP_4.0.2_x64-setup.exe — 41.7 MB · 67×
- AeroFTP_4.0.2_x64-setup.exe.sigstore.json — 10.1 KB · 9×
- AeroFTP_4.0.2_x64_en-US.msi — 60.9 MB · 51×
- AeroFTP_4.0.2_x64_en-US.msi.sigstore.json — 10.1 KB · 13×
v4.0.1 13d ago · 253 · 16 Assets
[4.0.1] - 2026-06-04
S3 AssumeRole, AeroVault Audit Hardening and Settings Consolidation
This patch release pairs a new S3 connection mode with a round of security hardening and cleanup. It adds native AWS STS AssumeRole support for S3 (#301), lands the remediation from the AeroVault dual-independent audit, unifies the profile-bridge legacy clients, folds the redundant Servers settings tab into the Backup interoperability table (#270), and ships the first batch of community wishlist items (#300). It also closes a silent download-corruption edge case on embedded rsync servers such as WD MyCloud.
Added
- S3 native AssumeRole (#301): connect to S3 by assuming an IAM role. Set a Role ARN (plus optional External ID, session name, duration and MFA) and the access keys become base credentials that AeroFTP exchanges for temporary, role-scoped credentials via AWS STS at connect time, then signs every request with them. The temporary credentials are re-assumed automatically before they expire, so long browsing sessions and large multipart uploads never fail with an expired token. Built on a hand-rolled STS client (a single SigV4-signed AssumeRole POST, no AWS SDK dependency) feeding the existing data-plane signer. Also accepts an externally supplied session token for credentials already obtained from STS or SSO, emitted as x-amz-security-token on signed requests and presigned URLs, both covered by the signature. Shown only on the generic S3 tile; long-term IAM keys are unaffected. Co-authored with the reporter (kennysliding).
- Import before password: the .aeroftp import now loads the file before asking for the decryption password (KeePassXC pattern, #214/#300).
- Open any plain-text file in the editor directly from the preview pane.
- CLI: an --access privacy flag for put/mkdir (#252), a # reorder command in the interactive profiles shell, and a 2FA prompt on interactive master unlock.
Changed
- Profile bridge unified: rclone, WinSCP and FileZilla import/export now run through the single generic dispatcher and panel, with no loss of features.
- Settings consolidation (#270): the redundant "Servers" tab is folded into the "Backup" tab as an App / Format / Import / Export interoperability table; the Full Backup row reveals the keystore panel inline.
- rclone: remotes are listed in a stable alphabetical order, and Nextcloud/ownCloud DAV roots are appended correctly on export.
- macOS: per-architecture DMGs built from a universal2 binary.
- Transfer: DAG engine audit fixes and a corrected Nextcloud chunk threshold (#288).
Fixed
- AeroVault dual-audit remediation: closed the High-severity findings from the independent crypto/container audit (extract symlink write-through escape, reserved-key filter on credential read and delete, v1 format labeling) plus the remaining tranche-2 items. AeroVault crate hardened to v3 (0.4.x).
- Download integrity on embedded rsync servers: some embedded rsync firmwares (e.g. WD MyCloud) close the SSH channel before the trailing protocol marker, which the delta-sync path could accept as a clean end and commit a truncated file. The delta download now validates the reconstructed size against the remote file list and transparently falls back to the classic SFTP download on any shortfall, so a partial transfer can never overwrite the target with corrupt data.
- Profile duplicate keeps stored credentials: duplicating a saved server profile now copies its stored password or token regardless of the save-credentials flag, so the copy connects without re-entering the secret.
- TOTP throttle persistence: the vault 2FA lockout counter now survives restarts, with a replay guard and a bounded vault read.
- Security dependency hardening: tmp bumped to 0.2.7 for the path traversal fix (CVE-2026-44705), codecov-action bumped for the template-injection fix, plus routine dependency bumps.
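The download-integrity fix above (check the received size against the listed size, fall back to the classic download on a shortfall) and the write-to-temporary-then-rename commit that the 4.0.3 notes describe for archives can be shown together. This is an added Rust example, not AeroFTP's own code; Outcome, part_path, stage_and_commit and download_verified are hypothetical names, and both transfers are modelled as plain byte streams.

```rust
use std::fs::{self, File};
use std::io::{self, Read};
use std::path::{Path, PathBuf};

/// Which transfer path produced the committed file (hypothetical type).
#[derive(Debug, PartialEq, Eq)]
pub enum Outcome {
    Delta,
    ClassicFallback,
}

/// Sibling staging path, kept in the target's directory so the final
/// rename stays on one filesystem.
pub fn part_path(target: &Path) -> PathBuf {
    let mut name = target.as_os_str().to_owned();
    name.push(".part");
    PathBuf::from(name)
}

/// Stream `src` into the staging file and rename it over `target` only if
/// the byte count equals `expected_len` (the size from the remote listing).
/// Returns Ok(false) on a size mismatch; the target is left untouched.
fn stage_and_commit(src: &mut dyn Read, target: &Path, expected_len: u64) -> io::Result<bool> {
    let tmp = part_path(target);
    let staged = File::create(&tmp).and_then(|mut out| {
        let written = io::copy(src, &mut out)?;
        out.sync_all()?;
        Ok(written)
    });
    match staged {
        Ok(written) if written == expected_len => {
            fs::rename(&tmp, target)?;
            Ok(true)
        }
        Ok(_) => {
            // A stream that ended early looks like a clean EOF; the size
            // check is what distinguishes it from a complete transfer.
            fs::remove_file(&tmp)?;
            Ok(false)
        }
        Err(e) => {
            let _ = fs::remove_file(&tmp);
            Err(e)
        }
    }
}

/// Try the delta stream first, then the classic full download.
pub fn download_verified(
    delta: &mut dyn Read,
    classic: &mut dyn Read,
    target: &Path,
    expected_len: u64,
) -> io::Result<Outcome> {
    if stage_and_commit(delta, target, expected_len)? {
        return Ok(Outcome::Delta);
    }
    if stage_and_commit(classic, target, expected_len)? {
        return Ok(Outcome::ClassicFallback);
    }
    Err(io::Error::new(
        io::ErrorKind::UnexpectedEof,
        "both transfers ended short of the listed size",
    ))
}

fn main() -> io::Result<()> {
    // Constructed scenario: the delta stream stops 6 bytes early.
    let dir = std::env::temp_dir().join(format!("size_check_demo_{}", std::process::id()));
    fs::create_dir_all(&dir)?;
    let target = dir.join("file.bin");
    fs::write(&target, b"previous good copy")?;
    let full = b"0123456789abcdef".to_vec();
    let mut truncated = &full[..10];
    let mut classic = &full[..];
    let outcome = download_verified(&mut truncated, &mut classic, &target, full.len() as u64)?;
    println!("{:?}, {} bytes on disk", outcome, fs::read(&target)?.len());
    fs::remove_dir_all(&dir)
}
```

A size check catches truncation only; it says nothing about content that has the right length but the wrong bytes.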
Removed
- The legacy dedicated rclone/WinSCP/FileZilla Tauri commands and the duplicate Settings "Servers" tab, now superseded by the unified bridge and Backup table. The orphaned protocol.servers label string was also dropped from all 47 locales (T-BC-08 residual).
- AeroFTP-4.0.1-1.x86_64.rpm — 100.3 MB · 5×
- AeroFTP-4.0.1-1.x86_64.rpm.sigstore.json — 10 KB · 4×
- AeroFTP-4.0.1-portable-windows-x64.zip — 34.5 MB · 12×
- AeroFTP-4.0.1-portable-windows-x64.zip.sigstore.json — 10.1 KB · 6×
- AeroFTP_4.0.1_aarch64-beta.dmg — 58.9 MB · 8×
- AeroFTP_4.0.1_amd64.AppImage — 60.1 MB · 13×
- AeroFTP_4.0.1_amd64.AppImage.sigstore.json — 9.9 KB · 5×
- AeroFTP_4.0.1_amd64.deb — 49.8 MB · 34×
- AeroFTP_4.0.1_amd64.deb.sigstore.json — 10.1 KB · 11×
- aeroftp_4.0.1_amd64.snap — 242.6 MB · 7×
- aeroftp_4.0.1_amd64.snap.sigstore.json — 10.1 KB · 5×
- AeroFTP_4.0.1_x64-beta.dmg — 61.7 MB · 8×
- AeroFTP_4.0.1_x64-setup.exe — 41.8 MB · 67×
- AeroFTP_4.0.1_x64-setup.exe.sigstore.json — 10.1 KB · 10×
- AeroFTP_4.0.1_x64_en-US.msi — 60.9 MB · 49×
- AeroFTP_4.0.1_x64_en-US.msi.sigstore.json — 10 KB · 9×
v4.0.0 20d ago · 458 · 15 Assets
[4.0.0] - 2026-05-27
Shaped Graph Transfer (DAG) and Multi-User Account Partition
v4.0.0 lands two architectural shifts in the same release.
The first is the promotion of the ready-frontier DAG transfer engine introduced in v3.8.4 to the single production path for every transfer surface. The three rollout flags that gated the engine during the v3.8.x cycle are gone, the hand-rolled JoinSet batch orchestrator has been deleted, and the shaped builders are now the single source of truth for every graph the executor schedules: single-file leaves, multi-file batches, sync sessions, intra-file segmented downloads, and cross-bucket copies. The release introduces a principled trait expansion on StorageProvider so the engine can dispatch the right shape per call from a provider's TransferCapabilities, ships the wiring + integration tests that prove the shapes work against live S3, B2, WebDAV, Azure, ImageKit, Google Drive, Dropbox, OneDrive, Box, MEGA, pCloud, kDrive, OpenDrive, Yandex Disk, Jottacloud, Drime, Uploadcare, Cloudinary, and Filen, and pairs the architectural shift with a power-user CLI surface that exposes 25+ runtime knobs over the same engine.
The second is the Multi-User Account Partition: the vault splits into per-user partitions while remaining fully backward-compatible with single-user installs. A boot-time Account Lock Screen presents the configured users, the vault is partition-aware end-to-end (server profiles, AeroSync settings, CLI --user flag), and an admin role with a self-or-admin gate plus an admin reset-passphrase backend rounds out the surface. Migration from a v3.8.x single-user keystore is automatic and idempotent, the admin role is opt-in with a last-admin guard, and the unlock prompts use honest crypto-stack labels (Argon2id key derivation, AES partition encryption). Sixteen commits cover the partition foundation, the boot picker, the CLI --user flag across profile and transfer commands, the cross-user dedup probe with HMAC keying, the migration of every existing keystore consumer (ConnectionScreen, SettingsPanel, IntroHub, ExportImport, KeystoreWizard, Cloud, SavedServers, App.tsx), the admin role, and the UX polish (logout, perceptible unlock spinner, refined L2 picker).
What's new
Capability-aware shape per transfer
The shaped graph builder picks the transfer-core shape per call from the provider's capability snapshot:
- Native multipart upload fan-out on S3, Backblaze B2, Google Drive, Dropbox, OneDrive, and Box: an upload above one preferred chunk now produces N UploadPart graph nodes (one per chunk). The runner orchestrates the lifecycle end-to-end. Per-provider live validation: Drive 500 MiB in 34.6 s (63 parts x 8 MiB), Dropbox 500 MiB in 54.2 s (63 parts x 8 MiB concurrent), OneDrive 500 MiB in 63.8 s (50 parts x 10 MiB sequential), Box 100 MiB in 24.6 s (13 parts x 8 MiB, SHA-1 per chunk + whole-file SHA-1 commit).
- Server-side copy on every backend that advertises the capability: S3 x-amz-copy-source, B2 b2_copy_file, WebDAV RFC 4918 COPY, ImageKit copyFile, plus 14 other native providers. The shaped-copy graph collapses to a single ServerSideCopy node that reserves only an api_slot: no file slot, no disk I/O, no local host bytes. The server moves the data. S3 sources above the 5 GiB CopyObject limit fan out into parallel UploadPartCopy requests (T-DEBT-08).
- Intra-file segmented downloads through the shared shaped_ranges builder: when a provider proves it honours HTTP Range, the segmented download fans out into N DownloadRange nodes with no inter-segment dependencies, governed by the shared chunk / HTTP / disk-write budget.
provider.upload / provider.download.
Provider trait expansion
Five new methods extend StorageProvider:
- begin_multipart_upload(remote_path, total_size, content_type, local_source_path)
- upload_part(handle, part_number, data)
- complete_multipart_upload(handle, parts)
- abort_multipart_upload(handle)
- server_side_copy(from, to) (alongside the existing supports_server_side_copy() capability gate).
NotSupported, so a provider that never advertises a capability never reaches the new methods. Nineteen native backends already implement them: S3 (multipart + server-side copy), B2 (multipart + 5 GB-capped server-side copy), Azure Blob (Put Block / Put Block List), WebDAV (Nextcloud chunked v2 + RFC 4918 COPY), ImageKit (copyFile / copyFolder), Google Drive (resumable session), Dropbox (concurrent upload_session + explicit close), OneDrive (Microsoft Graph createUploadSession), Box (chunked v2 with per-chunk SHA-1 + whole-file SHA-1 commit), MEGA (gfs canonical chunk ramp), pCloud (chunked upload session), kDrive (upload-session API), OpenDrive (chunked upload session), Yandex Disk (upload-target API), Jottacloud (allocate API), Drime (S3 multipart), Uploadcare (multipart API), Cloudinary (chunked upload), Filen v3 (chunked AES-GCM encrypted upload). ImageKit / Internxt / MEGA / 4shared / FileLu document the trait as NotSupported-by-design for cases where the protocol does not offer a real multipart surface.
Power-user CLI knob expansion (PR #261)
Twenty-five new flags expose the same DAG engine to scripted workflows and CI pipelines without touching code:
- Generic (Sprint K1 Pacchetto A): --sftp-concurrency, --checkers, --tpslimit / --tpslimit-burst, --no-traverse, --order-by.
- S3 surface (KE-B1): --s3-upload-concurrency, --s3-no-check-bucket, --s3-disable-checksum, --s3-acl, --s3-storage-class.
- Retry-After parsing extensions (KE-E): S3, Azure and Filen now parse and honour server-issued Retry-After on 429 / 503 throttle responses (joining Google Drive, Dropbox, OneDrive and Box from T-DEBT-05).
- Drive non-AIMD knobs + AIMD config (KE-B2): pacer / abuse acknowledgement / copy-related runtime settings for Google Drive.
- OneDrive (KE-B3): --onedrive-no-versions, --onedrive-list-chunk, --onedrive-link-scope.
- Azure (KE-B4): --azure-upload-concurrency, --azure-disable-checksum, --azure-access-tier, --azure-archive-tier-delete.
- AIMD adaptive concurrency (KE-D): --aimd-disable kill switch, --aimd-min / --aimd-max / --aimd-step-window overrides + per-class TOML configuration, hint table propagation through the executor.
- FUSE mount surface (Sprint K3 / T-DEBT-13): --cache-mode={off|minimal|writes|full} policy preset, polling / timeout knobs, --write-back-cache via Filesystem::init capability negotiation, --fuse-threads multi-threaded session loop. fuser bumped 0.16 to 0.17.
AeroCloud catch-up (PR #262)
- Koofr background sync dispatch fix. Koofr was already a stable provider in the AeroCloud wizard but cloud_provider_factory.rs did not route it to the background sync path, so a Koofr profile selected from the wizard would surface "provider not implemented" at first scheduled sync. One-line factory dispatch fix.
- Four providers exposed in the AeroCloud wizard: ImageKit, Uploadcare, Cloudinary, Backblaze B2. They were already wired through the factory since v3.x but never appeared as selectable presets in the wizard UI, leaving them reachable only by hand-rolled config.
Convergence cleanup
- The three
AEROFTP_TRANSFER_ENGINE_DAG_
dag_single_file_enabled() / dag_batch_enabled() / dag_sync_enabled() functions are removed.
- should_route_sync_to_dag(dry_run) collapses to !dry_run.
- provider_commands, the CLI, the batch orchestrator and the sync path drop their flag check.
- JoinSet sliding-window orchestrator in transfer_orchestrator::execute_batch (130+ lines including spawn_transfer_task) is removed: execute_batch_dag is the entire body.
Multi-User Account Partition (PR #279)
A second architectural pillar that splits the vault into per-user partitions while keeping single-user installs fully backward-compatible:
- Encrypted partition foundation with per-user data isolation, Argon2id key derivation, and AES partition encryption.
- Boot-time Account Lock Screen that presents the configured users and accepts a per-user passphrase, with honest crypto-stack labels in the unlock prompts.
- Partition-aware vault wiring end-to-end: SavedServers, App.tsx, ConnectionScreen, SettingsPanel, IntroHub, ExportImport, KeystoreWizard, Cloud, favicon.
- Per-user AeroSync settings CRUD on top of the partition layer.
- Admin role with a self-or-admin gate and an admin reset-passphrase backend, last-admin guard so an installation cannot lock itself out.
- CLI --user flag across profile and transfer commands; optional everywhere, defaults to the active profile.
- Cross-user dedup probe with HMAC keying.
- UX polish: logout flow, perceptible unlock spinner, refined L2 picker, account avatars with emoji/color customization.
- Migration from a v3.8.x single-user keystore is automatic, idempotent, and preserves all existing data; the admin role is opt-in.
Fixed
DAG engine
- Per-provider chunk size honoured verbatim: the runner consumes the provider's advertised multipart_part_size as the per-part length verbatim (last part takes the remainder); the legacy div_ceil distribution stays as the fallback. Fixes Google Drive 256-KiB alignment and OneDrive 320-KiB alignment that previously hit HTTP 503 mid-stream.
- Serial chain for max_chunk_slots = 1 providers: the builder chains UploadPart nodes serially whenever the cap is one, preserving Drive's monotonic Content-Range contract; providers with parallel chunk fan-out (S3, B2, Dropbox concurrent, Box chunked v2) keep the unconstrained shape.
- Dropbox concurrent session explicit close: complete_multipart_upload now emits the no-op upload_session/append_v2 with close: true before the finish call, so Dropbox no longer returns HTTP 409 concurrent_session_not_closed.
- DAG single-file lock race (closes #233): provider_disconnect and provider_connect drain a per-transfer in-flight counter via TransferOperationGuard before mutating the provider slot.
- DAG batch progress accounting (closes #234): a transient session_pool.acquire() failure during a batch transfer now increments the failed counter on the BatchProgressSnapshot and emits a batch_progress event before the node completes.
- AIMD honours server-provided Retry-After (T-DEBT-05): Google Drive, Dropbox, OneDrive and Box now parse their flavour of the hint and propagate it across the provider/executor boundary through a marker convention. The executor extracts it and forwards it to AimdController::on_congestion_with_hint, clamped to a [1 s, 10 x default cooldown] safety band.
Community-reported fixes
- Image preview clipped edges after zoom-in then zoom-out (#239, reported by @EhudKirsh). Scrolling the wheel on a previewed image silently switched the viewer out of Fit-to-screen mode. Wheel and toolbar zoom now act purely as a multiplier on top of the active Fit / Actual-size mode; the pan offset is reset when zoom returns to fit.
- Windows installer overwrote user PATH (#240, reported by @miguelsotobaez). Critical regression affecting every Windows installer from v3.6.4 through v3.8.5. The post-install NSIS ReadRegStr + WriteRegExpandStr pattern silently truncated user PATH values larger than NSIS_MAX_STRLEN (8192 chars in the Tauri large-strings build), wiping every previously registered toolchain entry. Replaced with the EnVar NSIS plugin (zlib licence) which talks to the Win32 registry directly, preserves the original value type, and is idempotent.
- AeroFTP did not boot on macOS Intel (#241, reported by @reset131). A lookbehind regex from mdast-util-gfm-autolink-literal@2.0.1 shipped untranspiled in the production bundle threw SyntaxError: Invalid regular expression: invalid group specifier name on JavaScriptCore <= 16.4 (Big Sur Safari 15), leaving React unmounted. Patched via patch-package to substitute \b for the lookbehind; the previous() helper in the same file already gates on the previous character so the substitution preserves all match offsets. Also clamps the initial window size to the primary monitor, pins chrome rows and main / panel flex children for small-screen layouts, and rebuilds the macOS icon.icns from the rocket source so Finder stops showing the stale orbit-only mark.
Changed
- macOS Intel build restored (x86_64-apple-darwin). The Intel DMG, dropped earlier in the v3.6.x cycle as a recurring source of flaky bundle_dmg.sh failures, is back now that the Big Sur boot regression (#241) is fixed and confirmed working on a Big Sur Intel MacBook. The release ships a native Intel DMG (built on the macos-13 Ventura runner) alongside the Apple Silicon DMG (macos-14 Sonoma, aarch64); minimumSystemVersion stays at 10.13 so Big Sur is covered. A single universal binary is planned for a later release.
- My Servers screen lagged on Windows (#221, reported by @raelb). Five optimisations let React.memo skip re-rendering server cards whose own data did not change: stable drag callbacks (signature change to (idx, e) => void), useMemo'd id maps for findIndex and crossProfileSelection, search-text cache, pre-allocated context menu icons.
- OpenDrive folder privacy returned HTTP 400 (#252, reported by @EhudKirsh). folder/setaccess.json requires with_child_files alongside session_id / folder_id / folder_is_public; the matching file/access.json endpoint does not, which is why setAsPrivate / setAsPublic worked on files but failed on folders. Pass with_child_files=true so the requested privacy propagates to inner files.
- OpenDrive privacy state not surfaced in the GUI (#252 pts 3 and 4, reported by @EhudKirsh, PR #280). OpenDrive was stashing the raw Access value under metadata but never populating RemoteEntry.permissions, so the context menu rendered both Set as Private and Set as Public with one disabled and the Properties Permissions tab showed the Not available empty state for files that actually carried visibility metadata. A new access_to_permissions(raw) helper maps the documented numeric levels (0 = private, 1 = public, 2 = hidden) to AeroFTP-canonical tokens, the raw integer stays under metadata["opendrive_access"] for diagnostics, and both folder_to_entry and file_to_entry now populate entry.permissions. The Properties Permissions tab gained a privacy-aware branch that renders a labeled Visibility row with a human description, and OpenDrive + 4shared context menus now render the applicable item conditionally instead of greying out the inapplicable one (matching the FileLu precedent from #161).
- OpenDrive hidden visibility level unreachable from the GUI (#252 pt 2, reported by @EhudKirsh, PR #282). OpenDrive documents three visibility levels for both files and folders (0 = private, 1 = public, 2 = hidden) via the official API samples; the existing binary Set as Private / Set as Public toggle only flipped between two of them, leaving hidden unreachable. A new Privacy... entry in the OpenDrive context menu opens a three-option chooser dialog (radio list with per-level description, current badge on the active level, Save disabled until the user changes the selection). The new OpenDriveAccessLevel enum and set_file_access / set_folder_access methods drive the same file/access.json and folder/setaccess.json endpoints with the typed level; the existing binary set_file_privacy / set_folder_privacy become thin wrappers, so the wire shape of the toggle does not change. OpenDrive accepts the richer per-axis flags (folder_public_upl, folder_public_display, folder_public_dnl) only on folder/create.json, never on folder/setaccess.json, so modifying them after creation is intentionally not exposed.
- MEGAcmd non-WebDAV: recursive delete timed out and Windows uploads failed (#263, reported by @EhudKirsh). Folder deletes hit a daemon timeout before completion, and uploads dispatched from a Windows local path (Ctrl+C / Paste workflow) never resolved the source. PR #265 unblocks both paths on the non-WebDAV MegaCmd flavor.
- MEGAcmd WebDAV bridge: image preview failed on single-file resources (#264, reported by @EhudKirsh). The WebDAV client only knew how to PROPFIND a collection root and walk children, so the MEGAcmd WebDAV bridge, which serves a single file per URL, broke on every preview attempt. PR #269 adds a single-file-mode probe at connect(): a PROPFIND on the configured URL returns 207 with a non-collection resourcetype, the parsed entry is cached, and list / stat / build_url short-circuit to operate on the URL verbatim. Traditional WebDAV servers fall through to the existing PROPFIND / flow unchanged.
CLI hardening
- aeroftp-cli Windows stack overflow at launch (PR #267). The ~80-variant clap-derived enum overflowed the 1 MB Windows default thread stack before main() could run. Adds /STACK:8388608 link arg via build.rs, gated on target_os = "windows" and scoped to the aeroftp-cli binary only. Pre-existing latent bug, surfaced and patched during PR #265 validation by the Windows debug runner.
Added
- MEGAcmd storage quota via mega-df (#253, reported by @EhudKirsh). A helper that surfaces storage quota for MEGA accounts through the official MEGAcmd daemon, with automatic daemon warm-up on first request. Replaces the WebDAV walk for MEGAcmd profiles (which missed Device Centre) and adds the same surface to the non-WebDAV MegaCmd flavor. Translated across all 47 locales.
Documentation
- New canonical technical reference at docs/DAG-TRANSFER-ENGINE.md.
- New long-form architecture walk-through at docs.aeroftp.app/architecture/dag-transfer-engine.
- AGENTS.md gains a Transfer Engine section spelling out the three shapes the engine picks per call.
- New Privacy and Visibility Controls section in docs/PROTOCOL-FEATURES.md (#252 pts 6 and 7, reported by @EhudKirsh, PR #281). Documents the independent axes that contribute to privacy in a cloud-sync app (encryption at rest, default visibility on create, granular toggles, share-link semantics, IP controls, AeroVault overlay), per-provider behavior for OpenDrive / 4shared / FileLu / Filen / Internxt / MEGA / OAuth catch-all, an OpenDrive REST-API-vs-WebDAV reliability note covering the per-IP rate-limit and blacklist behavior on session/login.json, and the explicit disclosure that the extended OpenDrive flags (folder_public_upl, folder_public_display, folder_public_dnl) are accepted only on folder/create.json. The Advanced Operations matrix Privacy Toggle row, previously listing only FileLu, now also lists 4shared and OpenDrive.
Compatibility
The MCP tool surface is unchanged: same names, same arguments, same notifications. Progress events are now sourced from the engine's per-node lifecycle, but downstream consumers see the same JSON shape and the same event cadence. The CLI exit codes and the GUI transfer_event channel are likewise unchanged. The Multi-User migration is forward-only and idempotent: existing single-user installs keep their data on the first boot under a synthesised default user; invocations of aeroftp-cli without --user continue to target that user, so existing scripts keep working.
Why v4.0.0
The version bump reflects the architectural shift: the production transfer path is now a single, provider-agnostic, capability-aware DAG scheduler with five new trait methods on the public StorageProvider API, paired with a power-user CLI knob surface that exposes the same engine over 25+ runtime flags. Three flags, four shims, and the legacy batch orchestrator are gone. The Multi-User Account Partition is a schema-level change in the vault and an authorization-level change on the management API; bumping to v4.0.0 makes both the migration and the surface change explicit. The destructive admin reset, the last-admin guard and the OS-style lock screen are the load-bearing pieces of the new account surface, every one of them audited (MU-SEC P1) before landing. The convergence is complete; the cleanup pass for provider_transfer_executor.rs is filed as accepted technical debt for the post-v4.0.0 window (see docs/dev/roadmap/APPENDIX-DAG-ENGINE/STATUS_TODO.md).
Dependency updates landed in this release
- serde_json 1.0.149 to 1.0.150
- similar 3.1.0 to 3.1.1
- rpassword 7.5.2 to 7.5.3
- tar 0.4.45 to 0.4.46
- postcss 8.5.14 to 8.5.15
- vitest 4.1.6 to 4.1.7
- dompurify 3.4.2 to 3.4.5
- fuser 0.16 to 0.17 (T-DEBT-13)
russh 0.60.3 to 0.61.1 (pre-tag risk on the SFTP path, post-v4.0.0 candidate), codecov/codecov-action 6.0.0 to 6.0.1 (CI workflow check is failing on every PR, needs a separate investigation).
Downloads:
- Windows: .msi installer, .exe, or .zip portable (no installation required)
- macOS: .dmg disk image
- Linux: .deb, .rpm, .snap, or .AppImage
Download AeroFTP
- AeroFTP-4.0.0-1.x86_64.rpm — 99.9 MB · 15×
- AeroFTP-4.0.0-1.x86_64.rpm.sigstore.json — 10.1 KB · 8×
- AeroFTP-4.0.0-portable-windows-x64.zip — 34.5 MB · 26×
- AeroFTP-4.0.0-portable-windows-x64.zip.sigstore.json — 10 KB · 7×
- AeroFTP_4.0.0_aarch64-beta.dmg — 58.8 MB · 22×
- AeroFTP_4.0.0_amd64.AppImage — 59.9 MB · 29×
- AeroFTP_4.0.0_amd64.AppImage.sigstore.json — 10.1 KB · 5×
- AeroFTP_4.0.0_amd64.deb — 49.6 MB · 75×
- AeroFTP_4.0.0_amd64.deb.sigstore.json — 10 KB · 16×
- aeroftp_4.0.0_amd64.snap — 242.2 MB · 7×
- aeroftp_4.0.0_amd64.snap.sigstore.json — 10.2 KB · 4×
- AeroFTP_4.0.0_x64-setup.exe — 41.5 MB · 106×
- AeroFTP_4.0.0_x64-setup.exe.sigstore.json — 10 KB · 25×
- AeroFTP_4.0.0_x64_en-US.msi — 60.6 MB · 90×
- AeroFTP_4.0.0_x64_en-US.msi.sigstore.json — 10 KB · 23×
v3.8.5 25d ago · 766 · 15 Assets
[3.8.5] - 2026-05-23
AeroSync Unification, FTP Reliability and DAG Engine Foundation
v3.8.5 is a consolidation release on top of v3.8.4. It collapses the three legacy sync surfaces (the standalone Sync panel, the AeroFile compare dialog and the Sync Presets entry) into a single unified AeroSync panel with three tabs that share state, lands four reliability fixes on the FTP transfer path, closes the cross-platform AeroRsync Z.4.3.f6 deadlock, and stages the foundation for a new shared transfer execution engine (default off, behind environment flags). It also picks up the v3.8.4 follow-ups: a pCloud WebDAV registry preset, an optional Filen CLI API key to skip 2FA on reconnect, a WebDAV User-Agent fingerprinting fix, and the OAuth refresh-token re-auth fix for Google providers.
What's new
Unified AeroSync panel
The three previously disconnected sync surfaces collapse into one AeroSync dialog with three tabs: Compare, Plan and Sync. The same dialog covers local-to-local pairs, local-to-remote pairs and remote-to-remote pairs (with a connected profile), backed by a shared in-process runner and a recursive compare scan that uses each provider's native listing instead of a folder-by-folder walk. The Plan tab carries the Speed mode and Verify policy knobs (including Maniac), the retry/budget/versioning controls, the canary mode with keep-both rename execution, and a bandwidth control row. The Sync tab now ships a per-file results table. Journal History and the Scheduler are launched from inside the unified panel, and journal resume is wired into the Sync tab UI. The toolbar entry point and the F4 shortcut both open this same dialog.
The previous Local Sync, Compare Panels and Sync Presets View-menu entries have been removed.
Provider-native recursive compare scan
The Compare scan now uses each provider's native recursive listing where one exists (S3 ListObjectsV2, Azure flat listing, Dropbox list_folder recursive, Filen tree, GDrive q=trashed=false with parents traversal, OneDrive children pagination, B2 b2_list_file_names, MEGA tree, pCloud listfolder recursive flag, koofr/kdrive recursive, OpenDrive list-tree, OAuth providers' batch listing), and falls back to a depth-bounded BFS walk on protocols that do not. Compare results are now exportable as JSON or CSV. The deepest-first ordering of recursive deletes prevents "directory not empty" failures on remote backends.
Bandwidth, scheduler and canary in one place
The unified panel surfaces the bandwidth control row directly in the Sync tab, the Scheduler launcher inside the panel header, and a canary mode that runs a single representative file first and confirms before committing the full batch. Canary uses the keep-both rename strategy on conflict so the source side stays untouched until the user accepts.
FTP transfer reliability
Four user-visible FTP fixes:
- The FTP clone-pool upload path now dials the connection before reading credentials, eliminating a class of "command not connected" failures on parallel uploads.
- The resume-download path and the in-memory read_file path on FTP both dial first, fixing intermittent zero-byte downloads and empty Properties previews on cold pools.
- AeroSync now routes FTP transfers through the provider API instead of the bare-protocol path, so the bandwidth limiter and the retry policy apply identically to FTP and to cloud providers.
- A panicking local scan inside the DAG sync path is now caught and surfaced as a structured SyncError instead of aborting the entire sync.
pCloud WebDAV preset
A pcloud-webdav registry preset is added (email + password, port 443, https://webdav.pcloud.com for US accounts, https://ewebdav.pcloud.com for EU accounts). Setup instructions cover the data-region split and the first-connection "New login attempt" confirmation email. The storage dedup layer recognises a pCloud WebDAV profile and a pCloud OAuth profile sharing the same email as a single account.
The preset is picked up automatically by the Discover panel and carries a translated description in all 47 languages.
Filen: optional CLI API key, hardened master-keys ring
A new optional "Filen CLI API Key" field on the Filen connection form. When set, connect() authenticates with the supplied key and skips the /v3/login call, so reconnects no longer wait on the 30-second TOTP code window. The account password stays required: it derives the end-to-end master key, which the API key can never replace.
The master-keys recovery path on the API-key flow now fails connect() with a clear error message when the encrypted master-keys ring cannot be fully assembled (network failure, empty blob or decrypt failure), instead of silently degrading to a session that would fail to decrypt files encrypted under previously-rotated keys.
WebDAV User-Agent pinned to the major version
The shared WebDAV client now sends AeroFTP/3 instead of the full AeroFTP/3.8.x. WebDAV servers, including pCloud, fingerprint the User-Agent as a device identifier; the full version string made every patch release register as a new device and forced a fresh email re-approval. Pinning the User-Agent to the major version keeps the device stable across patch and minor releases. The other providers continue to send the full version string.
Google OAuth: refresh token always reissued
The Google authorization URL now carries prompt=consent, so re-authentication always re-issues a refresh token. Before this change, an already-authorized Google account could be re-authorised silently and receive a short-lived access token without a refresh token, which made aeroftp-cli ls and aeroftp-cli tree fail with invalid_grant until the user revoked and re-authorised manually.
DAG transfer engine foundation (default off)
A new shared transfer execution engine lands as foundational work for the next cycle. It runs single-file, batch and AeroSync transfers through a ready-frontier executor over a Directed Acyclic Graph (DAG), with AIMD backpressure and a session-probe cache. The engine is off by default in v3.8.5. It can be enabled per surface via:
- AEROFTP_TRANSFER_ENGINE_DAG_SINGLE_FILE=1
- AEROFTP_TRANSFER_ENGINE_DAG_BATCH=1
- AEROFTP_TRANSFER_ENGINE_DAG_SYNC=1
AeroRsync Z.4.3.f6 cross-platform closure
Two orthogonal fixes close the last AeroRsync Blocco Z deadlock cross-platform:
- The Linux leg: MSG_DATA header and payload writes are now coalesced into a single send, eliminating a framing-mismatch deadlock against embedded SSH servers (WD My Cloud NAS).
- The Windows leg: the file-mode helper synthesises S_IFREG|0o644 on non-unix builds, fixing rsync exit 22 after the coalesce work exposed an S_ISREG(mode)==false regression on Windows.
Detailed changes
Added
- AeroSync unified dialog with Compare / Plan / Sync tabs, shared in-process runner, recursive provider-native compare scan, JSON/CSV compare export, journal resume UI, Scheduler and Journal History launchers, canary mode with keep-both rename, per-file results table, bandwidth control row, Plan-tab Speed/Verify/Retry/Budget/Versioning knobs, header launchers, F4 shortcut.
- Local-to-local sync execution in the unified runner with recursive compare and deepest-first delete ordering.
- pCloud WebDAV registry preset with US/EU data-region instructions and cross-protocol dedup against the pCloud OAuth profile.
- Optional Filen CLI API key field on the Filen connection form (skips 2FA TOTP on reconnect).
- Filen reconnect auto-retry when a TOTP secret is saved on the profile.
- DAG transfer engine foundation (single-file, batch and sync entry points), behind AEROFTP_TRANSFER_ENGINE_DAG_ env flags, default off.
- macOS CI pin to macos-14 to dodge a Sequoia-only bundle_dmg.sh regression on macos-latest.
Fixed
- FTP clone-pool upload: dial the connection before the credential read.
- FTP resume download and in-memory read: dial the connection before issuing the command, fixing intermittent zero-byte transfers on cold pools.
- AeroSync FTP transfers: routed through the provider API so the bandwidth limiter and retry policy apply.
- DAG sync scan errors: a panicking local scan now surfaces as a SyncError instead of aborting the run.
- AeroRsync Linux deadlock (Z.4.3.f6): coalesce MSG_DATA header and payload writes against embedded SSH servers.
- AeroRsync Windows leg: synthesise S_IFREG|0o644 on non-unix builds.
- AeroRsync delta call sites: lift the cfg(unix) gate so Windows can reach them.
- WebDAV User-Agent: pinned to AeroFTP/<major> to stop patch releases churning the device fingerprint at the server side.
- Google OAuth refresh token: authorization URL carries prompt=consent so re-auth always re-issues a refresh token.
- Filen masterKeys ring: API-key path fails connect() with a clear error when the ring cannot be fully assembled (closes #229).
- Filen 2FA terminology: connection form labels match the saved-secret semantics, with a copyable secret display.
- AeroAgent local_list tilde: the local_path resolver now expands ~ ahead of base-joining, so path="~" resolves to the home directory instead of <base>/~.
- CLI exit code on current_exe() failure: mapped from 5 (config error class) to 2 (path error), aligning with the rest of the CLI exit-code taxonomy (closes #232).
- pCloud WebDAV preset polish: helpUrl points at the canonical pCloud WebDAV article, setup instructions make the US default region explicit, Turkish filenApiKeyHelp genitive case corrected (closes #231).
- IntroHub inline rename: double-click a saved-profile name to start editing in place.
- Mount config shell metachars: rejected at the boundary (Z.4.3.f2).
- File preview on cloud providers: ftp_read_file_base64 now supports cloud-backed profiles, so the preview pane works on S3/B2/Dropbox/GDrive/etc.
- Sync delta_session_count: stop fabricating a count in the client-driven loop, the server-driven count is the source of truth.
- russh 0.60.3: bumped for GHSA-g9f8-wqj9-fjw5.
- Dispatcher exec test: retry on transient ETXTBSY in CI.
Changed
- Three legacy View-menu entries (Local Sync, Compare Panels, Sync Presets) removed. The unified AeroSync dialog replaces all three.
- Compare scan uses provider-native recursive listing where available, with a bounded BFS fallback elsewhere.
Removed
- src/components/SyncPanel.tsx: the unified AeroSync dialog absorbs every code path it covered.
Credits
- The AeroSync unification work and the cross-platform AeroRsync Z.4.3.f6 closure sit on top of the GUI Transfer Convergence and AeroRsync filones tracked internally.
- The DAG transfer engine foundation (phases 1-3) is the staging work for the next cycle and was validated against the GUI parity harness before merge.
- Windows: .msi installer, .exe, or .zip portable (no installation required)
- macOS: .dmg disk image
- Linux: .deb, .rpm, .snap, or .AppImage
- AeroFTP-3.8.5-1.x86_64.rpm — 102.2 MB · 12×
- AeroFTP-3.8.5-1.x86_64.rpm.sigstore.json — 9.8 KB · 5×
- AeroFTP-3.8.5-portable-windows-x64.zip — 33.7 MB · 87×
- AeroFTP-3.8.5-portable-windows-x64.zip.sigstore.json — 9.7 KB · 13×
- AeroFTP_3.8.5_aarch64-beta.dmg — 59.2 MB · 39×
- AeroFTP_3.8.5_amd64.AppImage — 60.7 MB · 29×
- AeroFTP_3.8.5_amd64.AppImage.sigstore.json — 9.8 KB · 5×
- AeroFTP_3.8.5_amd64.deb — 49 MB · 66×
- AeroFTP_3.8.5_amd64.deb.sigstore.json — 9.7 KB · 16×
- aeroftp_3.8.5_amd64.snap — 243.2 MB · 3×
- aeroftp_3.8.5_amd64.snap.sigstore.json — 9.8 KB · 3×
- AeroFTP_3.8.5_x64-setup.exe — 41.2 MB · 315×
- AeroFTP_3.8.5_x64-setup.exe.sigstore.json — 9.8 KB · 27×
- AeroFTP_3.8.5_x64_en-US.msi — 61.3 MB · 128×
- AeroFTP_3.8.5_x64_en-US.msi.sigstore.json — 9.8 KB · 18×
v3.8.4 27d ago · 410 · 15 Assets
[3.8.4] - 2026-05-20
Unified Transfer DAG, Staging Queue and AeroFile Sync
v3.8.4 is a big release: the slow work of the last cycle was converging every transfer surface (GUI, CLI, AeroSync, cross-profile) onto one shared execution engine, building a staging queue on top of it, shipping a CLI dispatcher set, unifying three disconnected sync dialogs, and acting on the v3.8.3 community feedback. Seventy commits since v3.8.3, organized below.
What's new
This section is the high-level tour. The detailed lists below cover every change.
A single DAG transfer executor
AeroFTP had multiple parallel transfer paths: the GUI segmented download, intra-file range downloads, cross-profile transfers, the AeroSync engine, the CLI pget and sync commands, and the legacy per-protocol code. v3.8.4 lands a ready-frontier executor over a Directed Acyclic Graph (DAG: every transfer is a graph of nodes where each edge says "this step depends on that one", and the executor walks the graph fanning out as soon as a node's dependencies are satisfied), and progressively converges every one of those paths onto it. The same code now powers concurrent-range downloads for SFTP and FTP, B2 large-file uploads, cross-profile transfers, and the AeroSync download stage. The executor ships with prudent AIMD backpressure (Additive Increase, Multiplicative Decrease: the classic TCP-style self-tuning that ramps up while the link is healthy and backs off hard at the first sign of strain) so it adapts to the slowest link without the user having to pick a number, and an AppHandle-free observability sink so non-Tauri callers (CLI, agents, tests) get the same progress signal the GUI does.
This is mostly internal plumbing. The user-visible effect is that the GUI and the CLI now use the same path for large transfers, with the same parallelism, the same backpressure, and the same telemetry. The GUI grows a Settings knob for the download segment count when you want to override the heuristic.
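The ready-frontier executor with AIMD backpressure described above (and in the v3.8.5 notes), reduced to a round-based model in Rust. This is an added illustration, not AeroFTP's code: the Node, Aimd and run names, the round-based dispatch, the +1 / halve constants and the sample graph are all assumptions.

```rust
use std::collections::{HashMap, HashSet};

/// Per round: the node ids dispatched and the window after adjustment.
pub type Rounds = Vec<(Vec<&'static str>, usize)>;

/// One step of a transfer and the steps it depends on (ids are constructed).
pub struct Node {
    pub id: &'static str,
    pub deps: Vec<&'static str>,
}

/// AIMD concurrency window (the constants are assumptions of this example).
pub struct Aimd {
    pub window: usize,
    pub max: usize,
}

impl Aimd {
    /// +1 after a clean round (capped), halved after a failure (floor 1).
    fn adjust(&mut self, any_failed: bool) {
        let w = self.window;
        self.window = if any_failed { (w / 2).max(1) } else { (w + 1).min(self.max) };
    }
}

/// Walks the graph in rounds. Each round dispatches at most `window` nodes
/// whose dependencies are all done (the ready frontier). `attempt(id, try)`
/// reports success; a failed node stays ready and is retried next round.
pub fn run(
    nodes: &[Node],
    aimd: &mut Aimd,
    max_tries: u32,
    mut attempt: impl FnMut(&str, u32) -> bool,
) -> Result<Rounds, String> {
    let known: HashSet<&str> = nodes.iter().map(|n| n.id).collect();
    for n in nodes {
        if let Some(d) = n.deps.iter().find(|d| !known.contains(*d)) {
            return Err(format!("{}: unknown dependency {}", n.id, d));
        }
    }
    let mut done: HashSet<&str> = HashSet::new();
    let mut tries: HashMap<&str, u32> = HashMap::new();
    let mut rounds: Rounds = Vec::new();
    while done.len() < nodes.len() {
        let frontier: Vec<&Node> = nodes.iter()
            .filter(|n| !done.contains(n.id) && n.deps.iter().all(|d| done.contains(d)))
            .take(aimd.window.max(1))
            .collect();
        if frontier.is_empty() {
            return Err("no node is ready: the graph has a cycle".to_string());
        }
        let mut any_failed = false;
        for n in &frontier {
            let t = *tries.entry(n.id).and_modify(|c| *c += 1).or_insert(1);
            if attempt(n.id, t) {
                done.insert(n.id);
            } else if t >= max_tries {
                return Err(format!("{}: gave up after {} tries", n.id, t));
            } else {
                any_failed = true; // stays in the frontier for the next round
            }
        }
        aimd.adjust(any_failed);
        rounds.push((frontier.iter().map(|n| n.id).collect(), aimd.window));
    }
    Ok(rounds)
}

/// Constructed sample: probe the server, fetch four byte ranges, then verify.
/// `range1` fails on its first try, standing in for a link under strain.
pub fn demo() -> Result<Rounds, String> {
    let ranges = vec!["range0", "range1", "range2", "range3"];
    let mut nodes = vec![Node { id: "probe", deps: vec![] }];
    nodes.extend(ranges.iter().map(|r| Node { id: *r, deps: vec!["probe"] }));
    nodes.push(Node { id: "verify", deps: ranges.clone() });
    let mut aimd = Aimd { window: 2, max: 4 };
    run(&nodes, &mut aimd, 3, |id, t| !(id == "range1" && t == 1))
}

fn main() {
    for (ids, window) in demo().expect("constructed graph is acyclic") {
        println!("dispatched {:?}, window is now {}", ids, window);
    }
}
```

In the sample run the window grows while rounds succeed, drops to 1 when range1 fails, and verify is dispatched only after all four ranges are done.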
Transfer Queue with real staging
The unified planner had a queue, but it was effectively a fire-and-forget list. v3.8.4 turns it into a proper staging queue: items land first as staged (with their pre-enumerated tree for FTP and SFTP), an explicit dispatcher moves them to pending when they are ready, and an Auto-start setting decides whether they go automatically or wait for a manual Start. The CLI gains an agent peek view of what is currently staged or pending. The transfer toast was demoted to a minimized indicator so the queue panel is the source of truth.
Command-line surface, feature-complete
v3.8.4 closes the long-running CLI work and pushes aeroftp-cli to 69 top-level subcommands across listings, transfers, syncing, vaults, profiles, hashing, agent operation, batch scripting, mount and packaging. With this release the CLI is feature-complete for everyday workflows: anything the GUI can do on a file or a server is reachable from the command line, and the same shared transfer engine now powers both surfaces so the throughput numbers no longer drift between them.
The release adds:
- rmdirs: recursive prune of empty directory trees, the missing companion to rmdir from v3.8.2.
- agent peek: a read-only view of the current transfer queue (staged + pending) for agents and automation. The agent-info subcommand also surfaces the transfer count and queue depth now.
- CLI dispatcher binary: a thin dispatcher that routes Linux deb / rpm / AppImage packages and Windows installs through a stable entry point, ported to Windows with proper detach+wait semantics. The set-of-four packaging slots (deb / rpm / AppImage / Windows) are now all wired to it, with R10 / R11 / R13 regression gates in CI.
- aero alias toggle: a one-command toggle to install or remove the short aero invocation, so aero get s3://bucket/file.tar Just Works.
- --max-transfer enforcement on the converged shared transfer path, so a global byte cap now applies uniformly to CLI runs, GUI runs, and AeroSync.
- Transfer capability discovery documented per-protocol, so agents and scripts can query what concurrent ranges, segments and server-side copy moves each provider actually supports before issuing them.
- The speech-to-text dependency stack (whisper-rs / hound) is moved behind an opt-out local-stt cargo feature so default builds stay lean.
AeroFile Sync (unified dialog)
The View menu had three disconnected entries for the same workflow: Local Sync, Compare Panels, Sync Presets. They are now collapsed into a single AeroFile Sync dialog with three tabs (Compare, Plan, Sync) that share context. The local-to-local sync engine is named AeroRsync in the UI now (it was already AeroRsync under the hood, the description just said "in-process delta engine"). New toolbar button on the AeroFile panel; F4 still opens the dialog on the Compare tab for muscle memory.
Connection state on the home screen (issue #222)
A community finding from @raelb and @EhudKirsh, landed in two halves. The per-server health dot in compact layout and the small radial in detailed layout now pulse softly when the saved profile has at least one open session, so the home screen also reflects "I am connected to this one" and not only reachability. The color of the dot still encodes the health probe; the pulse is a separate signal. The right-click menu on a saved server gains a Disconnect entry that appears only when the profile is connected; picking it closes every session that came from that profile.
Tier D server-side hashes (WebDAV and FTP)
Server-side hashing now covers WebDAV (DAV Mc-Checksum- headers when the server returns them) and FTP (XCRC, XSHA256, MD5 extensions where supported), on top of the S3 / B2 / pCloud / Drive / OneDrive / Box / Dropbox / SFTP coverage shipped in v3.8.2. The Properties dialog surfaces QuickXor (OneDrive) and Dropbox content hashes alongside the usual MD5/SHA-1/SHA-256. CLI hashsum prefers server-side hashes wherever available.
Transfer capabilities surfaced to agents and CLI
The Sync GUI now honors the real per-provider transfer capabilities (concurrent ranges, segment count, server-side copy) instead of using a one-size-fits-all default. The CLI exposes a capability discovery surface for agents (LLM tooling, automation), documented in the CLI guide. --max-transfer is now enforced on the converged shared path, so a global cap actually caps the GUI too.
Detailed changes
Added
- DAG transfer executor: ready-frontier executor over a Directed Acyclic Graph, the new shared execution path for every transfer surface (a083181d). AIMD (Additive Increase, Multiplicative Decrease) backpressure layered on top (185234c2), AppHandle-free observability sink so the CLI and tests share the same progress events (f69c41f6), converged range download running on it (78992012).
- Intra-file range downloads on the converged engine for FTP and SFTP, with pooled SFTP range worker and pipelined reads on one session (b21b78b7, 4cb3099d, 250a62bf). Provider download executor and provider_download_file both wire the segments (995ea848, 82bc9104).
- Cross-profile DAG: cross-profile transfers run on the parallelized DAG path (503c9d67).
- GUI segmented downloads with a Settings knob for the segment count (4322ca84, b9647b3f). Live-WAN integration tests under tests/gtc (4d05e882, 1c6e2812).
- B2 large-file upload converged on the shared part engine (425c8266).
- CLI pget and sync converged on the shared concurrent-range engine and executor (8db6c7e7, 7a947101).
- AeroSync downloads routed through the segmented helper (4706d4cd).
- Transfer Queue staging: lazy per-level remote scan for FTP and SFTP (a0e7a9c1), extension to provider-backed protocols (884efb56), staged -> pending dispatcher (246e12d1), 5 entry-points routed through staging (fc668479), Start / Start all UI in the panel (28c45a7f), Auto-start setting (f4a41a0e), staging lifecycle in useTransferQueue hook (798cd216), pruned-set + lifecycle test coverage (be61c164).
- CLI agent peek subcommand: read-only view of the current staged and pending transfer queue, plus transfer count surfaced in agent-info (9fe0443e).
- CLI rmdirs: recursive prune of empty directory trees, companion to v3.8.2's rmdir (8ccaaac8).
- CLI dispatcher binary (a3300879) routing deb / rpm / AppImage on Linux (366d208e) and Windows installs with detach+wait (288a8452). aero alias toggle (b8b3caa2). CI gates R10 / R11 / R13 (cf9fa393). With this commit the dispatcher closes the CLI packaging work that started in v3.8.0.
- Transfer capability discovery for agents (c65c02f0), per-protocol documentation (9238931e, bcbb72ba), and --max-transfer enforcement on the converged shared path (890239f9).
- CLI guide refreshed for the new commands and the server-side hash work from v3.8.2 (96388c39).
- AeroFile Sync unified dialog with three tabs (Compare, Plan, Sync) replacing three legacy View menu entries (f52533bf). Toolbar button on the AeroFile panel, F4 opens on Compare. LocalSyncPanel styling baseline (5ea74e6a).
- Connection state on saved-server cards (issue #222): per-server health dot and radial pulse when the profile has an active session (861cf7dc); Disconnect entry in the context menu, gated on connection state (4a4f3aef). Co-authored with Rael Bauer.
- IntroHub connect-failure marker: standalone amber dot on the My Servers card after a failed connection attempt (c5938899), readable glyph and immediate badge refresh follow-up (af268d19).
- Tier D server-side hashes for WebDAV and FTP (504ba2b5); QuickXor (OneDrive) and Dropbox content hashes surfaced in the Properties checksum tab (f7af4f62).
- Sync GUI honors real per-provider transfer capabilities (44d306e6).
- AeroRsync naming: local-to-local sync description and delta-transport toggle now name AeroRsync explicitly in the UI.
Fixed
- Filen and MEGA TOTP 2FA: saved TOTP secret is now wired into the Connect path and the live login preview (254d6196).
- AeroFile folder tree roots on Windows: load roots from drives so the tree opens the right anchors (40388f00).
- Import flow: a double-clicked .aeroftp export now routes to the import flow instead of opening it as a file (fab94a3d).
- SFTP exec drain past EOF: a late exit-status now wins over the default 255, so commands report the right code (00c354fb).
- SFTP and FTP pools: a cloned worker now self-dials on read_range instead of borrowing the parent's session (f5c9ab91).
- Cargo.lock version pin for the aeroftp crate, plus dompurify override aligned with the direct dependency (4013b669, 04fa6f13).
- OpenSSL bump: 0.10.79 -> 0.10.80 (8e5460b7).
- Clippy too_many_arguments: targeted allow on perform_download (e4bdea23), redundant_closure in a GTC test (aaf450ac).
- CI delta-sync trigger: now also fires on changes under src/aerorsync, with preamble dump on hard fail (61cd2105).
- Dependabot: dropped dead tauri-build ignore rule (90a70e61).
- GTC parity harness: GUI cells extended (bdc00a59), single-{s3,ftp} bands widened to no-regression after live runs (d1fd509c).
Changed
- View menu collapses three sync-related entries (Local Sync, Compare Panels, Sync Presets) into a single AeroFile Sync entry. F4 remains bound to opening the dialog on the Compare tab.
- LocalSyncPanel chrome aligned to the Settings dialog pattern with a draggable header, ahead of being absorbed into the unified dialog as the Sync tab.
- Transfer toast demoted to a minimized indicator: the transfer queue panel is now the source of truth (3ac8c132).
- 47-language i18n batch: new aerofileSync.namespace and the renamed menu.aerofileSync entry translated in all 47 supported locales. The deprecated menu.localSync, menu.comparePanels, menu.syncPresets keys are removed from every locale.
- whisper-rs / hound moved behind an opt-out local-stt cargo feature so default builds skip the speech-to-text stack (507f29c2).
Removed
- src/components/LocalSyncPanel.tsx, src/components/UnifiedCompareDialog.tsx, src/components/SyncPresetDialog.tsx: their bodies now live as noChrome tab components under src/components/AeroFileSync/.
- The three legacy View menu entries menu.localSync, menu.comparePanels, menu.syncPresets.
Credits
- Issue #222 (connection state visual + Disconnect entry): @raelb (Rael Bauer), with @EhudKirsh for the helpful clarification of the existing health-probe semantics.
- The transfer engine work (DAG executor, AIMD backpressure, convergence) sits on top of the GUI Transfer Convergence and CLI Dispatch filones tracked internally.
- Windows: .msi installer, .exe, or .zip portable (no installation required)
- macOS: .dmg disk image
- Linux: .deb, .rpm, .snap, or .AppImage
- AeroFTP-3.8.4-1.x86_64.rpm — 101.5 MB · 6×
- AeroFTP-3.8.4-1.x86_64.rpm.sigstore.json — 9.8 KB · 5×
- AeroFTP-3.8.4-portable-windows-x64.zip — 33.8 MB · 52×
- AeroFTP-3.8.4-portable-windows-x64.zip.sigstore.json — 9.9 KB · 7×
- AeroFTP_3.8.4_aarch64-beta.dmg — 59.6 MB · 14×
- AeroFTP_3.8.4_amd64.AppImage — 60.3 MB · 16×
- AeroFTP_3.8.4_amd64.AppImage.sigstore.json — 9.6 KB · 5×
- AeroFTP_3.8.4_amd64.deb — 49 MB · 53×
- AeroFTP_3.8.4_amd64.deb.sigstore.json — 9.7 KB · 9×
- aeroftp_3.8.4_amd64.snap — 242.7 MB · 3×
- aeroftp_3.8.4_amd64.snap.sigstore.json — 9.7 KB · 3×
- AeroFTP_3.8.4_x64-setup.exe — 41.4 MB · 125×
- AeroFTP_3.8.4_x64-setup.exe.sigstore.json — 9.9 KB · 13×
- AeroFTP_3.8.4_x64_en-US.msi — 61.4 MB · 87×
- AeroFTP_3.8.4_x64_en-US.msi.sigstore.json — 9.9 KB · 12×
v3.8.3 1mo ago · 365 · 15 Assets
[3.8.3] - 2026-05-18
Critical Linux Hotfix
v3.8.2 shipped a Tauri 2.11.1 dependency bump that made every Linux build non-functional: the production webview origin was reclassified as remote and all backend commands were rejected, leaving the app unable to list files, read the credential vault, connect, mount drives or check for updates. Windows and macOS were unaffected. This release restores Linux operation and bundles the related vault and edit-screen fixes.
Added
- Drag-and-drop profile import: Drag a client profile or configuration file directly onto its Profile Bridge import form to bring it in, instead of browsing for it.
Fixed
- Linux app fully non-functional on v3.8.2: Pinned Tauri back to the known-good 2.11.0 so the production webview keeps backend access. Every Linux v3.8.2 install was affected; upgrading is strongly recommended.
- Saved-server passwords blank in the edit screen: The edit form now reads the stored password from the vault unconditionally, matching the connect path, so credentials appear after the server list is rebuilt from the vault.
- Server list empty after a storage-cache cleanup: The list is rebuilt from the encrypted vault when the local cache is missing instead of showing zero servers.
- Keystore backup and import: Corrected the local backup whitelist key names and routed a double-clicked .aeroftp-keystore file straight to the import screen.
- Provider mode tabs while editing: Locked read-only during profile edit to prevent accidental protocol changes.
- AeroFile initial panel: Starts on a single left panel and never lists with an empty path.
Changed
- Parallel transfers: SFTP gains a connection pool for concurrent multi-file transfers and intra-file concurrent byte-range reads, with concurrent ranged reads also applied to WebDAV and Koofr. The GUI and CLI now share one concurrent executor, and CLI recursive, glob and upload transfers run on it for faster large and multi-file operations.
- Windows: .msi installer, .exe, or .zip portable (no installation required)
- macOS: .dmg disk image
- Linux: .deb, .rpm, .snap, or .AppImage
- AeroFTP-3.8.3-1.x86_64.rpm — 73.4 MB · 11×
- AeroFTP-3.8.3-1.x86_64.rpm.sigstore.json — 9.7 KB · 5×
- AeroFTP-3.8.3-portable-windows-x64.zip — 33.2 MB · 14×
- AeroFTP-3.8.3-portable-windows-x64.zip.sigstore.json — 9.8 KB · 3×
- AeroFTP_3.8.3_aarch64-beta.dmg — 58.1 MB · 18×
- AeroFTP_3.8.3_amd64.AppImage — 66.5 MB · 23×
- AeroFTP_3.8.3_amd64.AppImage.sigstore.json — 9.7 KB · 4×
- AeroFTP_3.8.3_amd64.deb — 73.6 MB · 59×
- AeroFTP_3.8.3_amd64.deb.sigstore.json — 9.6 KB · 14×
- aeroftp_3.8.3_amd64.snap — 213.1 MB · 10×
- aeroftp_3.8.3_amd64.snap.sigstore.json — 9.7 KB · 6×
- AeroFTP_3.8.3_x64-setup.exe — 40.5 MB · 94×
- AeroFTP_3.8.3_x64-setup.exe.sigstore.json — 9.8 KB · 14×
- AeroFTP_3.8.3_x64_en-US.msi — 59.9 MB · 79×
- AeroFTP_3.8.3_x64_en-US.msi.sigstore.json — 9.8 KB · 11×