feat: harden download and install security

crates/aim-cli/tests/config_loading.rs

@@ -10,6 +10,7 @@ fn missing_config_file_returns_defaults() {
 
     assert_eq!(config, CliConfig::default());
     assert_eq!(config.search, SearchConfig::default());
+    assert!(!config.allow_http);
     assert!(config.search.bottom_to_top);
     assert!(!config.search.skip_confirmation);
     assert_eq!(config.theme.accent, "#b388ff");
@@ -23,7 +24,7 @@ fn search_section_overrides_defaults() {
     let path = dir.path().join("config.toml");
     std::fs::write(
         &path,
-        "[search]\nbottom_to_top = false\nskip_confirmation = true\n\n[theme]\naccent = \"#9f6bff\"\naccent_secondary = \"#efe7ff\"\ndim = \"#6b6480\"\n",
+        "allow_http = true\n\n[search]\nbottom_to_top = false\nskip_confirmation = true\n\n[theme]\naccent = \"#9f6bff\"\naccent_secondary = \"#efe7ff\"\ndim = \"#6b6480\"\n",
     )
     .unwrap();
 
@@ -32,6 +33,7 @@ fn search_section_overrides_defaults() {
     assert_eq!(
         config,
         CliConfig {
+            allow_http: true,
             search: SearchConfig {
                 bottom_to_top: false,
                 skip_confirmation: true,

crates/aim-cli/tests/end_to_end_cli.rs

@@ -339,6 +339,74 @@ fn cli_add_installs_sourceforge_latest_download_with_truthful_origin() {
     assert!(contents.contains("canonical_locator = \"team-app\""));
 }
 
+#[test]
+fn cli_rejects_insecure_http_direct_urls_by_default() {
+    let dir = tempdir().unwrap();
+    let registry_path = dir.path().join("registry.toml");
+    let mut cmd = Command::cargo_bin("aim").unwrap();
+
+    cmd.arg("http://example.com/team-app.AppImage")
+        .env("AIM_REGISTRY_PATH", &registry_path)
+        .assert()
+        .failure()
+        .stderr(contains("insecure HTTP sources are disabled"));
+
+    assert!(!registry_path.exists());
+}
+
+#[test]
+fn cli_allows_insecure_http_direct_urls_when_config_enables_it() {
+    let dir = tempdir().unwrap();
+    let registry_path = dir.path().join("registry.toml");
+    let config_path = dir.path().join("config.toml");
+    std::fs::write(&config_path, "allow_http = true\n").unwrap();
+    let mut cmd = Command::cargo_bin("aim").unwrap();
+
+    cmd.arg("http://example.com/team-app.AppImage")
+        .env("AIM_REGISTRY_PATH", &registry_path)
+        .env("AIM_CONFIG_PATH", &config_path)
+        .env(FIXTURE_MODE_ENV, "1")
+        .assert()
+        .success()
+        .stdout(contains("Installed"))
+        .stdout(contains(
+            "Source: direct-url http://example.com/team-app.AppImage",
+        ));
+}
+
+#[test]
+fn cli_rejects_insecure_appimagehub_download_urls_even_when_http_is_allowed() {
+    let dir = tempdir().unwrap();
+    let registry_path = dir.path().join("registry.toml");
+    let config_path = dir.path().join("config.toml");
+    std::fs::write(&config_path, "allow_http = true\n").unwrap();
+    let mut cmd = Command::cargo_bin("aim").unwrap();
+
+    cmd.arg("appimagehub/2338455")
+        .env("AIM_REGISTRY_PATH", &registry_path)
+        .env("AIM_CONFIG_PATH", &config_path)
+        .env(FIXTURE_MODE_ENV, "1")
+        .env("AIM_APPIMAGEHUB_FIXTURE_INSECURE_HTTP", "1")
+        .assert()
+        .failure()
+        .stderr(contains("insecure appimagehub download url"));
+}
+
+#[test]
+fn cli_rejects_appimagehub_install_when_md5_does_not_match() {
+    let dir = tempdir().unwrap();
+    let registry_path = dir.path().join("registry.toml");
+    let mut cmd = Command::cargo_bin("aim").unwrap();
+
+    cmd.arg("appimagehub/2338455")
+        .env("AIM_REGISTRY_PATH", &registry_path)
+        .env(FIXTURE_MODE_ENV, "1")
+        .env("AIM_APPIMAGEHUB_FIXTURE_BAD_MD5", "1")
+        .assert()
+        .failure()
+        .stderr(contains("weak provider checksum did not match"));
+}
+
 #[test]
 fn cli_add_installs_sourceforge_release_folder_with_truthful_origin() {
     let dir = tempdir().unwrap();

crates/aim-cli/tests/ui_summary.rs

@@ -161,6 +161,7 @@ fn install_summary_omits_completed_steps_recap() {
             version: "0.25.0".to_owned(),
             arch: Some("x86_64".to_owned()),
             trusted_checksum: None,
+            weak_checksum_md5: None,
             selection_reason: "heuristic-match".to_owned(),
         },
         artifact_size_bytes: 173_015_040,