jenni.download
v0.4 self-hosted download & update server coming soon

Run,
Jenni,
run.

In Forrest Gump, Jenny is the reason Forrest runs. My Jenni — yes, with an i, deliberate — is the reason my downloads run.

Vibe-coded. Hardened. Dogfooded for months on jenni.noschmarrn.dev. Every release I shipped this year went through her — zero incidents, about thirty uploads, and counting.
01 · what she actually is

Three things in one binary.

  • A self-hosted download server for versioned releases. Upload a ZIP, /your-app serves the latest.
  • An update endpoint your apps poll. Tiny JSON: /api/projects/<slug>/latest returns version, SHA256, download URL, scan status.
  • A WordPress plugin deploy pipeline. Optional pre-flight (PHPCompatibility, plugin-check), optional one-click svn push to wp.org.

Replaces the Linux box where I used to type svn ci -m '…' to ship plugins. Replaces the cron job that copied tarballs to a public bucket. Replaces the half-finished script that was supposed to combine them. All in one place. Magic-byte sniffing, zip-slip protection, zip-bomb caps, ClamAV scans on every upload — and a few things I added because they felt right at 2 a.m.

02 · what's inside

Five primitives.
Zero feature creep.
Single admin.

The whole binary fits in a Docker image you can audit in an afternoon. No SaaS dependency, no telemetry, no email flow, no „Pro plan" upsell. Your server, your password, your CLI on the host for recovery.
  1. 1
    Versioned releases with atomic switching

    Upload, activate, done. /<slug> always points to the latest version. Older versions stay reachable by exact version string until you prune them.

  2. 2
    JSON API for your own apps

    /api/projects/<slug>/latest returns version, size, SHA256, download URL, ClamAV scan status, scanner version, signature date. Schneespur asks Jenni once a day.

  3. 3
    Hardened uploads

    Magic-byte sniff before extension trust, zip-slip protection, zip-bomb cap, ClamAV scan on every upload. Vibe-coded doesn't have to mean reckless.

  4. 4
    WordPress plugin pipeline

    Optional pre-flight (PHPCompatibility, plugin-check) before publish. Optional one-click SVN push to wp.org for the plugins that live there. The non-WordPress projects ignore this entire branch.

  5. 5
    Embeddable download widgets

    Drop a small snippet on any external site. The widget asks Jenni for the latest version of your-app and renders a download button with the verified SHA256 and ClamAV status next to it. Upload a new version on jenni.download — every embed updates automatically.

03 · how it actually works

One curl. The whole protocol.

~/projects/breznflow $ 
$ curl https://jenni.download/api/projects/breznflow/latest
{
  "version": "1.0.4",
  "size_bytes": 107226,
  "sha256": "d09e7e20442b789a4890beb2a8b2dd23a0adec62030d80a1828d533647eda13e",
  "download_url": "https://jenni.download/breznflow",
  "scan_status": "clean",
  "scanned_at": "2026-05-09T02:03:20",
  "scanner_name": "clamav",
  "scanner_version": "1.4.3",
  "scanner_signature_date": "2026-05-08T08:28:30"
}

Your app polls this endpoint. If version differs from what's running, fetch download_url, check sha256, install. That's the whole protocol. The widget on third-party sites uses the same call.

04 · why I built this

Started as a habit, became a tool.

I was already self-hosting downloads — old habit, predates this stack. Zip the binary, drop it in a folder, link the URL. It worked. It was also messy.

When WordPress plugins joined the pile, the versioning side stopped being optional. Twenty plugins, twenty stable update endpoints, twenty hashes, twenty virus scans someone in legal can point to. The zip-in-a-folder pattern doesn't scale, and nobody needs another half-finished script to glue it together.

So I asked Claude to build me a download server. Then I read every line, hardened the uploads, added ClamAV, and ran her against my own stack at jenni.noschmarrn.dev for months. She's been the update endpoint for every release I shipped this year. Vibe coding, when you actually look at the code afterwards, can ship something solid. Jenni is exhibit A — and jenni.download is where she'll live for everyone else.

05 · still cooking

Not public yet. Still ironing out edges, finishing release-notes rendering, adding ed25519 signature options, writing the security CHANGELOG so others can audit the hardening choices. If anything above made you curious —

info@noschmarrn.dev