coder
diff --git a/‎CHANGELOG.md
Lines changed: 4 additions & 0 deletions b/‎CHANGELOG.md
Lines changed: 4 additions & 0 deletions
diff --git a/‎gradle.properties
Lines changed: 1 addition & 1 deletion b/‎gradle.properties
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/main/kotlin/com/coder/toolbox/cli/downloader/CoderDownloadService.kt
Lines changed: 7 additions & 0 deletions b/‎src/main/kotlin/com/coder/toolbox/cli/downloader/CoderDownloadService.kt
Lines changed: 7 additions & 0 deletions
diff --git a/‎src/test/kotlin/com/coder/toolbox/cli/CoderCLIManagerTest.kt
Lines changed: 17 additions & 16 deletions b/‎src/test/kotlin/com/coder/toolbox/cli/CoderCLIManagerTest.kt
Lines changed: 17 additions & 16 deletions
@@ -2,6 +2,10 @@
 
 ## Unreleased
 
+### Changed
+
+- content-type is now enforced when downloading the CLI to accept only binary responses
+
 ## 0.6.1 - 2025-08-11
 
 ### Added
 
@@ -1,3 +1,3 @@
-version=0.6.1
+version=0.6.2
 group=com.coder.toolbox
 name=coder-toolbox
@@ -51,6 +51,13 @@ class CoderDownloadService(
 
         return when (response.code()) {
             HTTP_OK -> {
+                val contentType = response.headers()["Content-Type"]?.lowercase()
+                if (contentType?.startsWith("application/octet-stream") != true) {
+                    throw ResponseException(
+                        "Invalid content type '$contentType' when downloading CLI from $remoteBinaryURL. Expected application/octet-stream.",
+                        response.code()
+                    )
+                }
                 context.logger.info("Downloading binary to temporary $cliTempDst")
                 response.saveToDisk(cliTempDst, showTextProgress, buildVersion)?.makeExecutable()
                 DownloadResult.Downloaded(remoteBinaryURL, cliTempDst)
 
@@ -137,6 +137,7 @@ internal class CoderCLIManagerTest {
             }
 
             val body = response.toByteArray()
+            exchange.responseHeaders["Content-Type"] = "application/octet-stream"
             exchange.sendResponseHeaders(code, if (code == HttpURLConnection.HTTP_OK) body.size.toLong() else -1)
             exchange.responseBody.write(body)
             exchange.close()
@@ -197,11 +198,11 @@ internal class CoderCLIManagerTest {
         val ccm = CoderCLIManager(
             context.copy(
                 settingsStore = CoderSettingsStore(
-                pluginTestSettingsStore(
-                    DATA_DIRECTORY to tmpdir.resolve("cli-dir-fail-to-write").toString(),
-                ),
-                Environment(),
-                context.logger
+                    pluginTestSettingsStore(
+                        DATA_DIRECTORY to tmpdir.resolve("cli-dir-fail-to-write").toString(),
+                    ),
+                    Environment(),
+                    context.logger
                 )
             ),
             url
@@ -307,11 +308,11 @@ internal class CoderCLIManagerTest {
         val ccm = CoderCLIManager(
             context.copy(
                 settingsStore = CoderSettingsStore(
-                pluginTestSettingsStore(
-                    DATA_DIRECTORY to tmpdir.resolve("does-not-exist").toString(),
-                ),
-                Environment(),
-                context.logger
+                    pluginTestSettingsStore(
+                        DATA_DIRECTORY to tmpdir.resolve("does-not-exist").toString(),
+                    ),
+                    Environment(),
+                    context.logger
                 )
             ),
             URL("https://foo")
@@ -329,12 +330,12 @@ internal class CoderCLIManagerTest {
         val ccm = CoderCLIManager(
             context.copy(
                 settingsStore = CoderSettingsStore(
-                pluginTestSettingsStore(
-                    FALLBACK_ON_CODER_FOR_SIGNATURES to "allow",
-                    DATA_DIRECTORY to tmpdir.resolve("overwrite-cli").toString(),
-                ),
-                Environment(),
-                context.logger
+                    pluginTestSettingsStore(
+                        FALLBACK_ON_CODER_FOR_SIGNATURES to "allow",
+                        DATA_DIRECTORY to tmpdir.resolve("overwrite-cli").toString(),
+                    ),
+                    Environment(),
+                    context.logger
                 )
             ),
             url