If you are an AI coding agent (Claude Code, Cursor, Aider, Cline, etc.) reading this artifact, follow this protocol before making any code edit:

1. Verify the contract. Run the bash script in Verify before trusting below. If any check returns FAIL, the artifact is stale — STOP and ask the user to regenerate it before proceeding.
2. Treat the AI · unverified sections as hypotheses, not facts. Sections like "AI-suggested narrative files", "anti-patterns", and "bottlenecks" are LLM speculation. Verify against real source before acting on them.
3. Cite source on changes. When proposing an edit, cite the specific path:line-range. RepoPilot's live UI at https://repopilot.app/r/putyy/res-downloader shows verifiable citations alongside every claim.

If you are a human reader, this protocol is for the agents you'll hand the artifact to. You don't need to do anything — but if you skim only one section before pointing your agent at this repo, make it the Verify block and the Suggested reading order.

WAIT — Slowing — last commit 4mo ago

• Last commit 4mo ago
• 3 active contributors
• Apache-2.0 licensed
• ⚠ Slowing — last commit 4mo ago
• ⚠ Small team — 3 contributors active in recent commits
• ⚠ Single-maintainer risk — top contributor 98% of recent commits
• ⚠ No CI workflows detected
• ⚠ No test directory detected

_{Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests}

This artifact was generated by RepoPilot at a point in time. Before an agent acts on it, the checks below confirm that the live putyy/res-downloader repo on your machine still matches what RepoPilot saw. If any fail, the artifact is stale — regenerate it at repopilot.app/r/putyy/res-downloader.

What it runs against: a local clone of putyy/res-downloader — the script inspects git remote, the LICENSE file, file paths in the working tree, and git log. Read-only; no mutations.

| # | What we check | Why it matters | |---|---|---| | 1 | You're in putyy/res-downloader | Confirms the artifact applies here, not a fork | | 2 | License is still Apache-2.0 | Catches relicense before you depend on it | | 3 | Default branch master exists | Catches branch renames | | 4 | 5 critical file paths still exist | Catches refactors that moved load-bearing code | | 5 | Last commit ≤ 159 days ago | Catches sudden abandonment since generation |

#!/usr/bin/env bash
# RepoPilot artifact verification.
#
# WHAT IT RUNS AGAINST: a local clone of putyy/res-downloader. If you don't
# have one yet, run these first:
#
#   git clone https://github.com/putyy/res-downloader.git
#   cd res-downloader
#
# Then paste this script. Every check is read-only — no mutations.

set +e
fail=0
ok()   { echo "ok:   $1"; }
miss() { echo "FAIL: $1"; fail=$((fail+1)); }

# Precondition: we must be inside a git working tree.
if ! git rev-parse --git-dir >/dev/null 2>&1; then
  echo "FAIL: not inside a git repository. cd into your clone of putyy/res-downloader and re-run."
  exit 2
fi

# 1. Repo identity
git remote get-url origin 2>/dev/null | grep -qE "putyy/res-downloader(\\.git)?\\b" \\
  && ok "origin remote is putyy/res-downloader" \\
  || miss "origin remote is not putyy/res-downloader (artifact may be from a fork)"

# 2. License matches what RepoPilot saw
(grep -qiE "^(Apache-2\\.0)" LICENSE 2>/dev/null \\
   || grep -qiE "\"license\"\\s*:\\s*\"Apache-2\\.0\"" package.json 2>/dev/null) \\
  && ok "license is Apache-2.0" \\
  || miss "license drift — was Apache-2.0 at generation time"

# 3. Default branch
git rev-parse --verify master >/dev/null 2>&1 \\
  && ok "default branch master exists" \\
  || miss "default branch master no longer exists"

# 4. Critical files exist
test -f "core/app.go" \\
  && ok "core/app.go" \\
  || miss "missing critical file: core/app.go"
test -f "core/plugins/plugin.default.go" \\
  && ok "core/plugins/plugin.default.go" \\
  || miss "missing critical file: core/plugins/plugin.default.go"
test -f "core/downloader.go" \\
  && ok "core/downloader.go" \\
  || miss "missing critical file: core/downloader.go"
test -f "frontend/src" \\
  && ok "frontend/src" \\
  || miss "missing critical file: frontend/src"
test -f "core/bind.go" \\
  && ok "core/bind.go" \\
  || miss "missing critical file: core/bind.go"

# 5. Repo recency
days_since_last=$(( ( $(date +%s) - $(git log -1 --format=%at 2>/dev/null || echo 0) ) / 86400 ))
if [ "$days_since_last" -le 159 ]; then
  ok "last commit was $days_since_last days ago (artifact saw ~129d)"
else
  miss "last commit was $days_since_last days ago — artifact may be stale"
fi

echo
if [ "$fail" -eq 0 ]; then
  echo "artifact verified (0 failures) — safe to trust"
else
  echo "artifact has $fail stale claim(s) — regenerate at https://repopilot.app/r/putyy/res-downloader"
  exit 1
fi

Each check prints ok: or FAIL:. The script exits non-zero if anything failed, so it composes cleanly into agent loops (./verify.sh || regenerate-and-retry).

res-downloader is a cross-platform desktop application (Windows/macOS/Linux) built with Go + Wails that acts as an HTTP proxy sniffer to intercept and download resources from Chinese social platforms (WeChat Channels, Douyin, Kuaishou, Little Red Book, QQ Music, KuGou Music) and media streams (m3u8, HLS live streams). It monitors network traffic on 127.0.0.1:8899 to extract downloadable content (videos, audio, images) from web pages without requiring manual extraction. Backend-heavy monorepo: Go backend (83.7KB, likely in /cmd or /pkg) powers the HTTP proxy and resource parsing logic; Vue 3 frontend (75.8KB) in /web or /frontend handles UI. NSIS installer (12.4KB in /build/windows/installer/project.nsi) for Windows packaging. Build artifacts and platform-specific metadata in /build/{darwin,linux,windows}/, config in Wails boilerplate.

Chinese content creators and casual users who want to batch-download their own content or reference material from major social platforms; users who need to archive m3u8 streams and live broadcasts without learning Charles/Fiddler. Not for developers—it's a consumer-facing GUI tool.

Actively maintained with good community adoption (visible from GitHub stars badge in README and versioning up to 2.x+ with platform-specific releases). Has Windows installer (NSIS), macOS bundles, and Linux AppImage distributions in /build/. However, lacks visible CI/CD pipeline in .github/ (only issue templates, no workflows) and test coverage is not apparent from the file structure—suggests solid UX but potentially incomplete automated testing.

Single-author repo (putyy) creates bus-factor risk. Heavy reliance on Go runtime and Wails framework means breaking updates to Wails could impact the entire app. The proxy-sniffing approach depends on deep OS-level cert handling (explicit in README: 'allow certificate installation') which can be fragile across OS updates. No visible Go module lock file or dependency audit in provided structure.

Version 2.3.0+ is stable and recommended (Win7 compatibility explicitly mentioned). Recent work includes multi-platform distribution (latest GitHub releases), but no visible PR activity or roadmap in the provided file list. The /docs reference in README suggests ongoing documentation effort, but no docs/ folder visible—implies documentation may live outside the repo or on external site (https://res.putyy.com/).

git clone https://github.com/putyy/res-downloader.git && cd res-downloader && go mod download && npm install (for Vue frontend). Then run wails dev to start dev server (requires Wails CLI: go install github.com/wailsapp/wails/v2/cmd/wails@latest).

Daily commands: npm run dev (runs Vite dev server for frontend + hot reload). Backend start depends on Wails: wails dev (watches both frontend and Go backend, rebuilds on change). For production: npm run build (Vue build) + wails build (Go cross-compile).

• core/app.go — Main application entry point and initialization; every contributor must understand how the app bootstraps and connects frontend/backend
• core/plugins/plugin.default.go — Default plugin architecture and resource handling framework; critical for understanding how downloaders are registered and executed
• core/downloader.go — Core download logic and HTTP client management; essential for implementing new resource types
• frontend/src — Vue 3 + Naive UI frontend codebase; required reading for UI modifications and API integration patterns
• core/bind.go — Backend-to-frontend IPC bindings and API contracts; defines what the frontend can call from Go
• core/rule.go — URL pattern matching and resource rule definitions; needed to add support for new platforms
• build/windows/installer/project.nsi — Windows installer configuration; critical for release builds and installation workflow

Add support for a new video platform (e.g., TikTok variant)

1. Create a new platform plugin file in core/plugins/ named plugin.{domain}.go (core/plugins/plugin.tiktok-variant.go)
2. Implement the plugin interface (Parse, Match, Fetch methods) following the pattern in plugin.default.go (core/plugins/plugin.tiktok-variant.go)
3. Register the plugin in core/app.go during initialization (load plugins in a registry) (core/app.go)
4. Add URL pattern rules in core/rule.go to match URLs for this platform (core/rule.go)
5. Test by visiting the platform URL in the frontend and triggering resource detection (frontend/src/pages/Download.vue)

Add a new configuration option to the UI

1. Add the config field to core/config.go struct and load/save logic (core/config.go)
2. Export a new Go function in core/bind.go to read/write the config (core/bind.go)
3. Create a Pinia store action in frontend/src/stores/configStore.ts to call the backend (frontend/src/stores/configStore.ts)
4. Add a form control in the Settings page (frontend/src/pages/Settings.vue) (frontend/src/pages/Settings.vue)
5. Bind the form control to the Pinia store with v-model and save on change (frontend/src/pages/Settings.vue)

Add support for a new resource type (e.g., live streams)

1. Define a new ResourceType in core/shared/const.go (core/shared/const.go)
2. Update core/resource.go to handle the new type in download/processing logic (core/resource.go)
3. Implement parsing logic in core/plugins/plugin.default.go or a new plugin file (core/plugins/plugin.default.go)
4. Add a new download handler in core/downloader.go for the resource type (core/downloader.go)
5. Create a UI component in frontend/src/components/ to display the new resource type (frontend/src/components/ResourcePreview.vue)
6. Update the download page template to render the new resource type (frontend/src/pages/Download.vue)

Add a new language to the interface

1. Create a new translation file in frontend/src/i18n/locales/{lang}.json (frontend/src/i18n/locales/es.json)
2. Copy all keys from frontend/src/i18n/locales/zh.json or en.json and translate (frontend/src/i18n/locales/es.json)
3. Register the new locale in frontend/src/i18n/index.ts (frontend/src/i18n/index.ts)
4. Add the language option to the language selector in frontend/src/pages/Settings.vue (frontend/src/pages/Settings.vue)

• Go + Wails — Cross-platform desktop apps (Windows/macOS/Linux) with single codebase; lightweight Chromium wrapper for UI; native Go performance for I/O and network operations
• Vue 3 + Naive UI — Modern reactive frontend framework; Naive UI provides polished, ready-to-use components matching Chinese design preferences; easy to maintain and extend
• Pinia + Axios — Lightweight state management for frontend; axios is standard for HTTP with interceptor support for headers and proxy configuration
• Plugin architecture — Extensibility without recompiling; each platform (Douyin, Kuaishou, XiaoHongShu, etc.) can have custom parsing logic isolated in plugins

• Monolithic backend (all plugins in one binary) vs. external plugin loading

  • Why: Simpler deployment and distribution; no runtime dependency management; easier for end users
  • Consequence: Requires recompilation to add new platforms; larger binary; limits third-party extensibility

• Local HTTP client with proxy support vs. external proxy service

  • Why: User controls their own proxy configuration; no third-party server dependency; works offline
  • Consequence: Must handle all edge cases in client code; less centralized logging/analytics; users responsible for proxy setup

• File-based storage (config, history) vs. SQLite/embedded DB

  • Why: Minimal dependencies; easier to backup/export user data; simpler debugging
  • Consequence: Serialization overhead for complex

1. Certificate installation is mandatory for proxy MITM to work on HTTPS—users must grant OS-level cert permissions during installation or proxy fails silently. 2) System proxy is set globally (127.0.0.1:8899); if app crashes ungracefully, user is left without internet and must manually reset proxy in OS settings—no auto-cleanup visible in code. 3) Go version constraint likely exists (Wails v2+ requires Go 1.18+) but not explicit in provided files. 4) Cross-compilation for Linux/macOS on Windows may require CGO; development environment must match target OS for platform-specific libraries.

• HTTP Proxy MITM (Man-in-the-Middle) — res-downloader's core mechanism—intercepting HTTPS traffic requires deploying a custom CA certificate and decrypting TLS; understanding this is critical to troubleshooting 'proxy not working' issues and platform-specific certificate store access
• Wails IPC (Inter-Process Communication) — Bridges Go backend and Vue frontend via JSON-RPC over websocket; modifying data flow (e.g., adding new resource types) requires understanding how Go functions are exposed to JavaScript via Wails binding
• HLS/m3u8 Streaming Protocol — res-downloader explicitly supports m3u8 download and playback (flv.js, video.js in deps); understanding segment-based streaming and playlist parsing is needed to extend video platform support
• OS-Level System Proxy Configuration — The app must set Windows/macOS/Linux system proxy settings programmatically (127.0.0.1:8899); failure leaves user without internet—requires platform-specific OS APIs and proper cleanup on exit
• Certificate Pinning & Custom CA Distribution — Users must install res-downloader's self-signed CA to decrypt HTTPS traffic; NSIS installer handles this on Windows, but Gatekeeper/code signing challenges exist on macOS—understanding cert lifecycle is critical for debugging trust failures
• Pinia State Management — Frontend state (download queue, proxy status, resource filters) lives in Pinia stores; adding new features (e.g., persistent downloads, retry logic) requires modifying Pinia modules and understanding reactivity
• Cross-Platform Application Packaging — res-downloader must run identically on Windows (NSIS installer), macOS (DMG bundle), and Linux (AppImage); Go + Wails abstracts much, but platform-specific quirks (proxy APIs, file paths, code signing) persist—understanding build matrix is essential for releases

• wailsapp/wails — The framework powering res-downloader—essential for understanding the Go-Vue IPC bridge and building desktop apps with Wails
• yt-dlp/yt-dlp — Alternative video downloader for YouTube and 1000+ sites; different approach (direct downloading vs. proxy sniffing) but same domain of content extraction
• Motrix/Motrix — Modern download manager mentioned in README as recommended tool; shows similar UI/UX patterns for download queue management and multi-protocol support
• you-get/you-get — Python-based media downloader for Chinese platforms (YouKu, Bilibili, Douyin); competitor solving overlapping use cases but without proxy sniffing
• putyy/resd-mini — Official mini variant of res-downloader using default browser instead of Wails GUI; shows architecture flexibility and alternative UI strategy

To work on one of these in Claude Code or Cursor, paste: Implement the "<title>" PR idea from CLAUDE.md, working through the checklist as the task list.

Add GitHub Actions CI workflow for Go backend testing and linting

The repo has a Go backend (core/ directory with multiple .go files like downloader.go, http.go, plugin.default.go) but no CI workflow visible in .github/workflows/. This is critical for a download tool handling multiple platforms and plugins to catch regressions early. Should test compilation, run go fmt/vet, and basic unit tests across Linux/Windows/macOS.

• [ ] Create .github/workflows/go-tests.yml with go test, go vet, and gofmt checks
• [ ] Add go build matrix for linux, windows, darwin architectures
• [ ] Test plugin loading from core/plugins/ directory
• [ ] Ensure builds succeed for core/downloader.go and core/http.go with different go versions (1.19+)

Add unit tests for frontend Vue components and Pinia store

The project has a Vue 3 + TypeScript frontend (dependencies include vue-router, pinia for state management) but no test framework configured. Frontend package.json has no jest/vitest/cypress entries. This is important since the UI handles download state, video playback (video.js, flv.js), and i18n functionality.

• [ ] Add vitest and @vue/test-utils to devDependencies in package.json
• [ ] Create tests/ directory structure mirroring src/ (e.g., tests/stores/ for Pinia stores)
• [ ] Add test script to package.json: "test": "vitest"
• [ ] Write sample store tests for download state management and tests for router navigation

Document plugin architecture and add plugin development guide

The codebase has a clear plugin system (core/plugins/plugin.default.go, core/plugins/plugin.qq.com.go) supporting multiple platforms (抖音, 快手, 小红书, QQ音乐, etc.), but README only lists features without explaining how to add new platform plugins. New contributors cannot easily add support for new platforms.

• [ ] Create docs/PLUGIN_DEVELOPMENT.md documenting the Plugin interface from core/plugins/plugin.default.go
• [ ] Document required methods/fields with examples from core/plugins/plugin.qq.com.go
• [ ] Add example: 'How to add Bilibili plugin' with step-by-step code snippets
• [ ] Document configuration in core/config.go related to plugin loading and validation

• Add e2e test suite: create /tests/integration directory with Wails test harness to verify proxy intercepts requests correctly on at least one platform (Windows); currently no test infrastructure visible
• Improve dark mode support: Naive UI likely supports theming but package.json doesn't show a dark mode toggle—add theme switcher in frontend and persist to localStorage via Pinia
• Document Go module structure: README has no architecture guide; add /docs/ARCHITECTURE.md explaining backend package layout, how platform-specific parsers (Douyin, Kuaishou, etc.) are organized, and how proxy middleware chains requests

The res-downloader project shows multiple

• High · Outdated Vue.js Version — package.json - dependencies.vue. Vue 3.2.37 is significantly outdated (current stable is 3.4+). This version may contain known security vulnerabilities and performance issues. Fix: Update Vue to the latest stable version: npm update vue@latest
• High · Outdated TypeScript Version — package.json - devDependencies.typescript. TypeScript 4.6.4 is outdated (current stable is 5.x+). This may miss security-related type checking improvements and language features. Fix: Update TypeScript to latest: npm update typescript@latest
• High · Outdated Vite Build Tool — package.json - devDependencies.vite. Vite 3.0.7 is significantly behind current versions (5.x+). This may expose the build process to known vulnerabilities. Fix: Update Vite: npm update vite@latest and update related plugins
• Medium · Axios Dependency Without Version Lock — package.json - dependencies.axios. axios is pinned to ^1.7.2, which allows minor updates. While axios 1.7.2 is relatively recent, the caret syntax may pull in untested minor versions. Fix: Consider using exact version pinning (~1.7.2) or audit updates carefully with npm audit
• Medium · Multiple Outdated Dev Dependencies — package.json - devDependencies. Several dev dependencies are outdated: @vitejs/plugin-vue (3.0.3), @babel/types (7.18.10), @types/node (20.14.7), and others. Outdated dev tools can introduce vulnerabilities in the build pipeline. Fix: Run 'npm audit' and 'npm update' to bring dev dependencies to current versions
• Medium · Potential XSS Risk in Video Players — core/downloader.go, frontend dependencies (video.js, flv.js). The project includes video.js and flv.js for media playback. Without proper content validation, user-supplied video URLs could lead to XSS attacks if not properly sanitized. Fix: Ensure all video URLs are validated and sanitized. Implement Content Security Policy (CSP) headers. Validate URL schemes (https only where possible).
• Medium · Missing npm audit Configuration — package.json - scripts. No evidence of npm audit script or security scanning in the package.json build process. Dependencies are not being checked for known vulnerabilities during build. Fix: Add 'npm audit' check to CI/CD pipeline. Consider adding 'npm install --audit-level=moderate' to package.json scripts
• Low · Electron-like Architecture Security Consideration — core/bind.go, core/middleware.go. The project uses Wails framework (Go + Vue), which creates a desktop app with embedded browser. This architecture can be vulnerable to IPC injection if not properly secured. Fix: Validate and sanitize all IPC messages between frontend and backend. Implement strict typing for IPC calls. Review Wails security documentation.
• Low · No CORS or Security Headers Configuration Visible — core/http.go. No evidence of CORS or security headers (CSP, X-Frame-Options, etc.) configuration in the HTTP handler. Fix: Implement security headers middleware. Set appropriate CORS policies if needed. Review core/middleware.go for security headers.
• Low · AES Implementation Requires Review — core/aes.go. The presence of core/aes.go suggests encryption is implemented. AES usage must be verified for proper IV, key derivation, and padding implementation. Fix: Conduct cryptographic review of AES implementation. Ensure proper IV generation (random, not predictable). Use authenticated encryption (AES-GCM preferred over ECB).

LLM-derived; treat as a starting point, not a security audit.

• Open issues — current backlog
• Recent PRs — what's actively shipping
• Source on GitHub

Generated by RepoPilot. Verdict based on maintenance signals — see the live page for receipts. Re-run on a new commit to refresh.