Added

• (aio) public runtime-agnostic async HTTP client (P2 entry point)
• (tls) socket-free engine construction for the sans-IO stack (P2)
• (proto) purecrypto TlsEngine adapter + cross-backend handshake proof
• (proto) real rustls TlsEngine adapter + in-memory handshake proof
• (proto) sans-IO TLS as a layered Machine (Phase 1)
• (io) runtime-agnostic async driver + Tokio adapter (Phase 1)
• (io) sans-IO foundation + HTTP/1.1 core + blocking driver (Phase 1)

Other

• (deps) update purecrypto 0.6.14 -> 0.6.17 (wire explicit TLS entropy)
• (tls) make connect-wiring test hermetic (fix Windows-rustls CI)

Added

• (ssh) adopt puressh 0.0.6 and complete the Rust 1.88 MSRV

Fixed

• (websocket) make WsShutdown unblock a parked reader on Windows

Other

• lower MSRV to Rust 1.88

Added

• (websocket) add WsShutdown to force-unblock a parked recv()

Added

• (ffi) add RSURLOPT_HTTP_CONTENT_DECODING to disable decompression

Other

• WebSocket::split() into concurrent WsReader + WsWriter
• cover send_reader fallback+redirects, add http-only CI lane

Added

• add Read-returning raw body API (into_reader + send_reader)
• add decompress(false) to Request and Client
• gate SSH (puressh) behind a default-on ssh feature

Other

• fix intro to reflect optional SSH/BitTorrent and the intl swap
• drop the status table; give HTTP/2 and HTTP/3 their own chapters
• refresh README for new APIs and maturity
• (idn) use the first-party intl crate instead of idna
• concurrent TLS connection + WsTransport (no API change yet)
• buffer inbound frames so a mid-frame read error can't desync

Other

• canonical forward-slash paths in metadata/selection (Windows)
• disable URL globbing for all torrent-routing flags (Windows)
• metadata inspection + selective/concatenated downloads

Other

• fix rustdoc private-intra-doc-link after making the module public
• HTTP/2 PRIORITY weights + runtime pool-size config
• TlsInfo + per-phase Timing on h2, h3, and pooled HTTPS
• timing, DNS/proxy resolvers, partitioning, WS subprotocols, priorities
• caller-owned cert-validation hook + handshake introspection
• SameSite/CHIPS surface + jar enumeration; opt-out redirect cookies
• streaming callbacks, cancellation, and strict header control

Other

• don't glob-expand local .torrent paths (fixes Windows CI)
• --recheck re-hashes on-disk data on resume
• resumable parallel download with -C - --parallel-segments
• resumable single-stream downloads with -C -
• resume downloads from saved piece state
• shared partial-file format for resumable downloads
• gitignore downloaded media in repo root
• endgame mode + detach workers so completion never blocks
• verbosity levels for torrent diagnostics
• per-peer diagnostics under -v
• bound block-request pipeline per piece
• probe peers concurrently for magnet metadata
• fix seeding on macOS/BSD/Windows (blocking accepted sockets)
• inbound seeding with --seed / --share-ratio
• DHT peer discovery (BEP 5)
• magnet metadata download (BEP 9 / BEP 10)
• concurrent swarm engine + CLI download
• phase 3 — peer wire protocol, picker, storage, verified download
• phase 2 — HTTP and UDP tracker clients
• phase 1 — bencode, .torrent metainfo, magnet (default feature)
• default --parallel-segments to 4 + live progress display
• add --parallel-segments for multi-connection single-file downloads
• fix broken intra-doc link in Response.final_url doc
• implement the multi interface on rsurl::Multi
• implement the easy interface
• optional libcurl-ABI drop-in crate (skeleton)
• add Response.final_url (effective URL after redirects)
• add a native concurrent multi-transfer driver (rsurl::Multi)
• add a command-line client (curl never built one)
• close lib feature gaps vs curl (control frames, raw mode, close code)
• drop intra-doc link to the private ctl field (rustdoc warning)
• document the persistent WebSocket entry point in the module header
• add persistent WebSocket client API
• honor --pinnedpubkey and SAN-required check over h3 (purecrypto#31)
• detect TLS truncation on the purecrypto backend (TLS-1, purecrypto#30)
• reject truncated EOF-delimited bodies over TLS (TLS-1)
• POP3 STLS (RFC 2595) + --ssl-reqd require-TLS enforcement
• add --ssl-reqd require-TLS mode for SMTP/IMAP
• honor --capath/--crlfile/--ciphers over h3; guard --pinnedpubkey
• fold effective dial target into HTTP/1.1 pool Key (HTTP1-5)
• TLS-4 reject SAN-less server leaf on the purecrypto backend
• TLS-5 zeroize client private-key material on drop
• reject forbidden header octets (H23-2)
• reject forbidden header octets (H23-1)
• validate UTF-8 on reassembled TEXT messages (websocket-utf8)
• fail closed on unknown algorithm; reject quoted-string breakout (AUTH-2/digest-algorithm)
• write jar 0600 owner-only, atomically (AUTH-1)
• validate SOCKS5 UDP relay source (NET-2)
• bound per-line read in LineReader::read_line (MAIL-2)
• bound per-line read in read_reply (MAIL-1)
• --crlfile honours all PEM CRL blocks, not just the first (TLS-3)
• make TlsOpts::default() verify certificates (TLS-2)
• fix four robustness bugs (HTTP1-1..HTTP1-4)
• terminate authority at first of / ? # (NET-1 authority confusion / SSRF)

Other

• Response ergonomics, no-trace send_multiplexed, pooling/timeout docs

Other

• wire purecrypto 0.6.5 fixes — --ciphers, encrypted ECDSA keys, faithful pinning
• wire --crlfile (CRL revocation) on the purecrypto backend; fix wording
• M2 client certs (mTLS), public-key pinning, and --capath (both backends)
• receive interleaved RTP/RTCP after PLAY (M10) — roadmap complete
• stream response bodies to a sink (completes M1)
• finalize status — functional curl parity complete under no-C invariant
• broaden the C ABI with ten common libcurl-shaped options (M11)
• active-mode FTP (-P/--ftp-port) + roadmap scope correction (M10)
• streaming decompression for single gzip/zstd/br downloads (rest of M1)
• stream all non-HTTP downloads to a file through the sink (rest of M1)
• --ftp-create-dirs + route FTP upload through the Client (M10)
• honor -w on FTP downloads (size_download, time_total, ...)
• stream FTP/FTPS downloads to disk (rest of M1)
• accept --basic and --ftp-skip-pasv-ip as honest confirmations
• add man/rsurl.1 man page (M11) + README examples
• --disable-epsv (skip EPSV, use PASV directly) (M10)
• log --json/--remove-on-error/--no-clobber/-w extras/exit codes; mark NTLM out of scope
• --remove-on-error and --no-clobber for downloads (M5/M11)
• make CLI tests cross-platform (Windows CI green)
• --json shortcut (POST JSON body + JSON Accept) (M4)
• centralize transfer-error exit codes to match curl (M11)
• -w %header{Name} and %{ssl_verify_result} (M5)
• log SigV4, -y/-Y low-speed abort, -w phase timers, compat no-ops
• -w phase timers (%{time_connect,appconnect,pretransfer,starttransfer}) (M5)
• enforce -y/-Y low-speed abort + accept curl no-op flags (M5/M11)
• AWS SigV4 request signing (--aws-sigv4) (M3)
• roadmap progress — M1 streaming, M3 digest, M5 limits, M8 parallel
• -Z/--parallel concurrent transfers (M8)
• --oauth2-bearer and --data-ascii (M3/M4)
• HTTP Digest authentication (M3)
• streaming HTTP/1.1 downloads (M1) + enforce --limit-rate/-#/--max-filesize (M5)
• roadmap progress — SMTP/TELNET, TLS pins, connect-to, unix-socket
• minimal TELNET client (M9)
• SMTP/SMTPS sending (M9)
• roadmap progress log (network, Tiers A-C, M2/M4/M7 partials)
• --tlsv1.x / --tls-max version pinning (M2)
• --unix-socket via a UnixConnector (M6)
• --connect-to (M6) — override the dial target, keep Host/SNI
• --location-trusted and --post301/302/303 redirect controls (M4)
• URL globbing (M7) — {a,b} alternation, [1-100]/[a-z] ranges, -g, #N
• --retry-delay/--retry-max-time/--retry-connrefused/--retry-all-errors
• -z, -e ;auto, --output-dir, --fail-with-body, --proto[-default]
• getopt-style bundled short flags and attached values
• add curl feature-parity roadmap
• recognize -E/--limit-rate/-y/-Y/-# for compatibility (Tier C)
• -K/--config files and --next multi-operation (partial Tier C)
• Tier-B curl flags — netrc, -J, --retry, -4/-6, --resolve
• add Tier-A curl flags to close the -h gap
• route -x proxy through all schemes; no_proxy bypass; docs (phase 5)
• UDP transport + SOCKS5 UDP ASSOCIATE for HTTP/3 and TFTP (phase 4)
• Client/Session + thread connector through TCP protocols (phase 3)
• route requests through a pluggable Connector (phase 2)
• add pluggable Connector trait + built-in proxy connectors (phase 1)
• bump purecrypto to 0.6.1 and puressh to 0.0.4
• rustfmt the security-fix changes (cargo fmt --check)
• fix pre-existing doc link and clippy lint blocking master CI
• reject frame lengths exceeding usize (32-bit truncation in grease-frame path)
• add wall-clock deadline to handshake read (slowloris hold)
• make PEM root-bundle splitter skip malformed blocks instead of dropping the rest
• reject signed/non-digit chunk-size and Content-Length (RFC 9112 framing parity)
• don't re-ACK unvalidated source; add transfer deadline; fix TID comments
• reject data port 0 in PASV/EPSV parsers
• apply IP-literal scoping guard to cookies.txt load path
• document borrow-invalidation and thread-safety contracts; fix doc example symbol
• reject control bytes and over-long credentials in CONNECT
• bound total buffered response size (OOM DoS)
• fix panic on non-char-boundary split in status-line parsing (server DoS)
• sanitize/guard server bytes written to a TTY (ANSI escape injection)
• bound no-progress/control-frame floods (empty-DATA spin, SETTINGS/PING/Rapid-Reset DoS)
• re-validate host after UTS-46 to block authority-delimiter injection
• convert international (IDN) hostnames to punycode, on by default
• enforce Domain= eTLD scoping with the real PSL (psl2), kill supercookies
• enforce inbound flow-control window, reject peer overrun (FLOW_CONTROL_ERROR)
• fail closed when an existing known_hosts file cannot be read (avoid silent TOFU accept-all)
• bound filter-parser recursion depth to prevent stack-overflow DoS
• cap packet remaining-length at 64 MiB to prevent pre-alloc memory exhaustion
• reject backslash and percent in reg-name host (parser-differential host confusion)
• bound status/header/chunk-size/trailer line reads to prevent server-driven OOM (DoS)
• fix three confirmed security bugs in Set-Cookie handling
• reject pre-TLS pipelined data before STARTTLS upgrade (CVE-2011-0411 class injection)
• bound attacker-controlled QPACK literal lengths with checked_add (fix slice-index panic / remote DoS)