feat: enhance install script and upgrade command

.github/workflows/release.yaml

@@ -27,6 +27,7 @@ jobs:
           args: release --clean
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          AUR_KEY: ${{ secrets.AUR_KEY }}
 
   release-darwin:
     needs: release-linux

.goreleaser-darwin.yaml

@@ -25,6 +25,9 @@ archives:
       {{- .Version }}_
       {{- .Os }}_
       {{- .Arch }}
+    files:
+      - LICENSE
+      - README.md
 
 release:
   github:

.goreleaser.yaml

@@ -33,6 +33,9 @@ archives:
       {{- .Os }}_
       {{- .Arch }}
       {{- if .Arm }}v{{ .Arm }}{{ end }}
+    files:
+      - LICENSE
+      - README.md
 
 checksum:
   name_template: "checksums.txt"
@@ -61,6 +64,27 @@ nfpms:
       - rpm
       - apk
 
+aurs:
+  - name: snitch-bin
+    homepage: https://github.com/karol-broda/snitch
+    description: a friendlier ss/netstat for humans
+    maintainers:
+      - "Karol Broda <me@karolbroda.com>"
+    license: MIT
+    private_key: "{{ .Env.AUR_KEY }}"
+    git_url: "ssh://aur@aur.archlinux.org/snitch-bin.git"
+    depends:
+      - glibc
+    provides:
+      - snitch
+    conflicts:
+      - snitch
+    package: |-
+      install -Dm755 "./snitch" "${pkgdir}/usr/bin/snitch"
+      install -Dm644 "./LICENSE" "${pkgdir}/usr/share/licenses/snitch/LICENSE"
+    commit_msg_template: "Update to {{ .Tag }}"
+    skip_upload: auto
+
 release:
   github:
     owner: karol-broda

README.md

@@ -28,18 +28,48 @@ nix profile install github:karol-broda/snitch
 # then use: inputs.snitch.packages.${system}.default
 ```
 
+### arch linux (aur)
+
+```bash
+# with yay
+yay -S snitch-bin
+
+# with paru
+paru -S snitch-bin
+```
+
+### shell script
+
+```bash
+curl -sSL https://raw.githubusercontent.com/karol-broda/snitch/master/install.sh | sh
+```
+
+installs to `~/.local/bin` if available, otherwise `/usr/local/bin`. override with:
+
+```bash
+curl -sSL https://raw.githubusercontent.com/karol-broda/snitch/master/install.sh | INSTALL_DIR=~/bin sh
+```
+
+> **macos:** the install script automatically removes the quarantine attribute (`com.apple.quarantine`) from the binary to allow it to run without gatekeeper warnings. to disable this, set `KEEP_QUARANTINE=1`.
+
 ### binary
 
 download from [releases](https://github.com/karol-broda/snitch/releases):
 
-```bash
-# amd64
-curl -L https://github.com/karol-broda/snitch/releases/latest/download/snitch_linux_amd64.tar.gz | tar xz
-sudo mv snitch /usr/local/bin/
+- **linux:** `snitch_<version>_linux_<arch>.tar.gz` or `.deb`/`.rpm`/`.apk`
+- **macos:** `snitch_<version>_darwin_<arch>.tar.gz`
 
-# or install .deb/.rpm/.apk from releases
+```bash
+tar xzf snitch_*.tar.gz
+sudo mv snitch /usr/local/bin/
 ```
 
+> **macos:** if blocked with "cannot be opened because the developer cannot be verified", run:
+>
+> ```bash
+> xattr -d com.apple.quarantine /usr/local/bin/snitch
+> ```
+
 ## quick start
 
 ```bash
@@ -116,6 +146,16 @@ snitch watch -i 1s | jq '.count'
 snitch watch -l -i 500ms
 ```
 
+### `snitch upgrade`
+
+check for updates and upgrade in-place.
+
+```bash
+snitch upgrade              # check for updates
+snitch upgrade --yes        # upgrade automatically
+snitch upgrade -v 0.1.7     # install specific version
+```
+
 ## filters
 
 shortcut flags work on all commands:
@@ -174,5 +214,6 @@ theme = "auto"
 
 ## requirements
 
-- linux (reads from `/proc/net/*`)
-- root or `CAP_NET_ADMIN` for full process info
+- linux or macos
+- linux: reads from `/proc/net/*`, root or `CAP_NET_ADMIN` for full process info
+- macos: uses system APIs, may require sudo for full process info

cmd/json.go

@@ -15,4 +15,5 @@ var jsonCmd = &cobra.Command{
 
 func init() {
 	rootCmd.AddCommand(jsonCmd)
+	addFilterFlags(jsonCmd)
 }

cmd/upgrade.go

@@ -0,0 +1,412 @@
+package cmd
+
+import (
+	"archive/tar"
+	"compress/gzip"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"os"
+	"path/filepath"
+	"runtime"
+	"strconv"
+	"strings"
+
+	"github.com/fatih/color"
+	"github.com/spf13/cobra"
+)
+
+const (
+	repoOwner = "karol-broda"
+	repoName  = "snitch"
+	githubAPI = "https://api.github.com"
+	firstUpgradeVersion = "0.1.8"
+)
+
+var (
+	upgradeYes     bool
+	upgradeVersion string
+)
+
+var upgradeCmd = &cobra.Command{
+	Use:   "upgrade",
+	Short: "Check for updates and optionally upgrade snitch",
+	Long: `Check for available updates and show upgrade instructions.
+
+Use --yes to perform an in-place upgrade automatically.
+Use --version to install a specific version.`,
+	RunE: runUpgrade,
+}
+
+func init() {
+	upgradeCmd.Flags().BoolVarP(&upgradeYes, "yes", "y", false, "Perform the upgrade automatically")
+	upgradeCmd.Flags().StringVarP(&upgradeVersion, "version", "v", "", "Install a specific version (e.g., v0.1.7)")
+	rootCmd.AddCommand(upgradeCmd)
+}
+
+type githubRelease struct {
+	TagName string `json:"tag_name"`
+	HTMLURL string `json:"html_url"`
+}
+
+func runUpgrade(cmd *cobra.Command, args []string) error {
+	current := Version
+
+	if upgradeVersion != "" {
+		return handleSpecificVersion(current, upgradeVersion)
+	}
+
+	latest, err := fetchLatestVersion()
+	if err != nil {
+		return fmt.Errorf("failed to check for updates: %w", err)
+	}
+
+	currentClean := strings.TrimPrefix(current, "v")
+	latestClean := strings.TrimPrefix(latest, "v")
+
+	printVersionComparison(current, latest)
+
+	if currentClean == latestClean {
+		green := color.New(color.FgGreen)
+		green.Println("✓ you are running the latest version")
+		return nil
+	}
+
+	if current == "dev" {
+		yellow := color.New(color.FgYellow)
+		yellow.Println("⚠ you are running a development build")
+		fmt.Println()
+		fmt.Println("use one of the methods below to install a release version:")
+		fmt.Println()
+		printUpgradeInstructions()
+		return nil
+	}
+
+	green := color.New(color.FgGreen, color.Bold)
+	green.Printf("✓ update available: %s → %s\n", current, latest)
+	fmt.Println()
+
+	if !upgradeYes {
+		printUpgradeInstructions()
+		fmt.Println()
+		faint := color.New(color.Faint)
+		cmdStyle := color.New(color.FgCyan)
+		faint.Print("  in-place      ")
+		cmdStyle.Println("snitch upgrade --yes")
+		return nil
+	}
+
+	return performUpgrade(latest)
+}
+
+func handleSpecificVersion(current, target string) error {
+	if !strings.HasPrefix(target, "v") {
+		target = "v" + target
+	}
+	targetClean := strings.TrimPrefix(target, "v")
+
+	printVersionComparisonTarget(current, target)
+
+	if isVersionLower(targetClean, firstUpgradeVersion) {
+		yellow := color.New(color.FgYellow)
+		yellow.Printf("⚠ warning: the upgrade command was introduced in v%s\n", firstUpgradeVersion)
+		faint := color.New(color.Faint)
+		faint.Printf("  version %s does not include this command\n", target)
+		faint.Println("  you will need to use other methods to upgrade from that version")
+		fmt.Println()
+	}
+
+	currentClean := strings.TrimPrefix(current, "v")
+	if currentClean == targetClean {
+		green := color.New(color.FgGreen)
+		green.Println("✓ you are already running this version")
+		return nil
+	}
+
+	if !upgradeYes {
+		faint := color.New(color.Faint)
+		cmdStyle := color.New(color.FgCyan)
+		if isVersionLower(targetClean, currentClean) {
+			yellow := color.New(color.FgYellow)
+			yellow.Printf("↓ this will downgrade from %s to %s\n", current, target)
+		} else {
+			green := color.New(color.FgGreen)
+			green.Printf("↑ this will upgrade from %s to %s\n", current, target)
+		}
+		fmt.Println()
+		faint.Print("run ")
+		cmdStyle.Printf("snitch upgrade --version %s --yes", target)
+		faint.Println(" to proceed")
+		return nil
+	}
+
+	return performUpgrade(target)
+}
+
+func isVersionLower(v1, v2 string) bool {
+	parts1 := parseVersion(v1)
+	parts2 := parseVersion(v2)
+
+	for i := 0; i < 3; i++ {
+		if parts1[i] < parts2[i] {
+			return true
+		}
+		if parts1[i] > parts2[i] {
+			return false
+		}
+	}
+	return false
+}
+
+func parseVersion(v string) [3]int {
+	var parts [3]int
+	segments := strings.Split(v, ".")
+
+	for i := 0; i < len(segments) && i < 3; i++ {
+		n, err := strconv.Atoi(segments[i])
+		if err == nil {
+			parts[i] = n
+		}
+	}
+	return parts
+}
+
+func fetchLatestVersion() (string, error) {
+	url := fmt.Sprintf("%s/repos/%s/%s/releases/latest", githubAPI, repoOwner, repoName)
+
+	resp, err := http.Get(url)
+	if err != nil {
+		return "", err
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return "", fmt.Errorf("github api returned status %d", resp.StatusCode)
+	}
+
+	var release githubRelease
+	if err := json.NewDecoder(resp.Body).Decode(&release); err != nil {
+		return "", err
+	}
+
+	if release.TagName == "" {
+		return "", fmt.Errorf("no releases found")
+	}
+
+	return release.TagName, nil
+}
+
+func printVersionComparison(current, latest string) {
+	faint := color.New(color.Faint)
+	version := color.New(color.FgCyan)
+
+	faint.Print("current  ")
+	version.Println(current)
+	faint.Print("latest   ")
+	version.Println(latest)
+	fmt.Println()
+}
+
+func printVersionComparisonTarget(current, target string) {
+	faint := color.New(color.Faint)
+	version := color.New(color.FgCyan)
+
+	faint.Print("current  ")
+	version.Println(current)
+	faint.Print("target   ")
+	version.Println(target)
+	fmt.Println()
+}
+
+func printUpgradeInstructions() {
+	bold := color.New(color.Bold)
+	faint := color.New(color.Faint)
+	cmd := color.New(color.FgCyan)
+
+	bold.Println("upgrade options:")
+	fmt.Println()
+
+	faint.Print("  go install    ")
+	cmd.Printf("go install github.com/%s/%s@latest\n", repoOwner, repoName)
+
+	faint.Print("  shell script  ")
+	cmd.Printf("curl -sSL https://raw.githubusercontent.com/%s/%s/master/install.sh | sh\n", repoOwner, repoName)
+
+	faint.Print("  arch (aur)    ")
+	cmd.Println("yay -S snitch-bin")
+
+	faint.Print("  nix           ")
+	cmd.Printf("nix profile upgrade --inputs-from github:%s/%s\n", repoOwner, repoName)
+}
+
+func performUpgrade(version string) error {
+	execPath, err := os.Executable()
+	if err != nil {
+		return fmt.Errorf("failed to get executable path: %w", err)
+	}
+
+	execPath, err = filepath.EvalSymlinks(execPath)
+	if err != nil {
+		return fmt.Errorf("failed to resolve executable path: %w", err)
+	}
+
+	goos := runtime.GOOS
+	goarch := runtime.GOARCH
+
+	versionClean := strings.TrimPrefix(version, "v")
+	archiveName := fmt.Sprintf("%s_%s_%s_%s.tar.gz", repoName, versionClean, goos, goarch)
+	downloadURL := fmt.Sprintf("https://github.com/%s/%s/releases/download/%s/%s",
+		repoOwner, repoName, version, archiveName)
+
+	faint := color.New(color.Faint)
+	cyan := color.New(color.FgCyan)
+	faint.Print("↓ downloading ")
+	cyan.Printf("%s", archiveName)
+	faint.Println("...")
+
+	resp, err := http.Get(downloadURL)
+	if err != nil {
+		return fmt.Errorf("failed to download: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return fmt.Errorf("download failed with status %d", resp.StatusCode)
+	}
+
+	tmpDir, err := os.MkdirTemp("", "snitch-upgrade-*")
+	if err != nil {
+		return fmt.Errorf("failed to create temp directory: %w", err)
+	}
+	defer os.RemoveAll(tmpDir)
+
+	binaryPath, err := extractBinaryFromTarGz(resp.Body, tmpDir)
+	if err != nil {
+		return fmt.Errorf("failed to extract binary: %w", err)
+	}
+
+	// check if we can write to the target location
+	targetDir := filepath.Dir(execPath)
+	if !isWritable(targetDir) {
+		yellow := color.New(color.FgYellow)
+		cmdStyle := color.New(color.FgCyan)
+
+		yellow.Printf("⚠ elevated permissions required to install to %s\n", targetDir)
+		fmt.Println()
+		faint.Println("run with sudo or install to a user-writable location:")
+		fmt.Println()
+		faint.Print("  sudo         ")
+		cmdStyle.Println("sudo snitch upgrade --yes")
+		faint.Print("  custom dir   ")
+		cmdStyle.Printf("curl -sSL https://raw.githubusercontent.com/%s/%s/master/install.sh | INSTALL_DIR=~/.local/bin sh\n",
+			repoOwner, repoName)
+		return nil
+	}
+
+	// replace the binary
+	backupPath := execPath + ".bak"
+	if err := os.Rename(execPath, backupPath); err != nil {
+		return fmt.Errorf("failed to backup current binary: %w", err)
+	}
+
+	if err := copyFile(binaryPath, execPath); err != nil {
+		// try to restore backup
+		if restoreErr := os.Rename(backupPath, execPath); restoreErr != nil {
+			return fmt.Errorf("failed to install new binary and restore backup: %w (restore error: %v)", err, restoreErr)
+		}
+		return fmt.Errorf("failed to install new binary: %w", err)
+	}
+
+	if err := os.Chmod(execPath, 0755); err != nil {
+		return fmt.Errorf("failed to set executable permissions: %w", err)
+	}
+
+	if err := os.Remove(backupPath); err != nil {
+		// non-fatal, just warn
+		yellow := color.New(color.FgYellow)
+		yellow.Fprintf(os.Stderr, "⚠ warning: failed to remove backup file %s: %v\n", backupPath, err)
+	}
+
+	green := color.New(color.FgGreen, color.Bold)
+	green.Printf("✓ successfully upgraded to %s\n", version)
+	return nil
+}
+
+func extractBinaryFromTarGz(r io.Reader, destDir string) (string, error) {
+	gzr, err := gzip.NewReader(r)
+	if err != nil {
+		return "", err
+	}
+	defer gzr.Close()
+
+	tr := tar.NewReader(gzr)
+
+	for {
+		header, err := tr.Next()
+		if err == io.EOF {
+			break
+		}
+		if err != nil {
+			return "", err
+		}
+
+		if header.Typeflag != tar.TypeReg {
+			continue
+		}
+
+		// look for the snitch binary
+		name := filepath.Base(header.Name)
+		if name != repoName {
+			continue
+		}
+
+		destPath := filepath.Join(destDir, name)
+		outFile, err := os.Create(destPath)
+		if err != nil {
+			return "", err
+		}
+
+		if _, err := io.Copy(outFile, tr); err != nil {
+			outFile.Close()
+			return "", err
+		}
+		outFile.Close()
+
+		return destPath, nil
+	}
+
+	return "", fmt.Errorf("binary not found in archive")
+}
+
+func isWritable(path string) bool {
+	testFile := filepath.Join(path, ".snitch-write-test")
+	f, err := os.Create(testFile)
+	if err != nil {
+		return false
+	}
+	f.Close()
+	os.Remove(testFile)
+	return true
+}
+
+func copyFile(src, dst string) error {
+	srcFile, err := os.Open(src)
+	if err != nil {
+		return err
+	}
+	defer srcFile.Close()
+
+	dstFile, err := os.Create(dst)
+	if err != nil {
+		return err
+	}
+	defer dstFile.Close()
+
+	if _, err := io.Copy(dstFile, srcFile); err != nil {
+		return err
+	}
+
+	return dstFile.Sync()
+}
+

flake.lock

@@ -18,23 +18,7 @@
     },
     "root": {
       "inputs": {
-        "nixpkgs": "nixpkgs",
-        "systems": "systems"
-      }
-    },
-    "systems": {
-      "locked": {
-        "lastModified": 1681028828,
-        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
-        "owner": "nix-systems",
-        "repo": "default",
-        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-systems",
-        "repo": "default",
-        "type": "github"
+        "nixpkgs": "nixpkgs"
       }
     }
   },

flake.nix

@@ -1,107 +1,105 @@
 {
   description = "snitch - a friendlier ss/netstat for humans";
 
-  inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";
-    systems.url = "github:nix-systems/default";
-  };
+  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";
 
-  outputs = { self, nixpkgs, systems }:
+  outputs = { self, nixpkgs }:
     let
-      supportedSystems = import systems;
-      forAllSystems = f: nixpkgs.lib.genAttrs supportedSystems (system: f system);
+      systems = [ "x86_64-linux" "aarch64-linux" "x86_64-darwin" "aarch64-darwin" ];
+      eachSystem = nixpkgs.lib.genAttrs systems;
 
-      # go 1.25 overlay (required until nixpkgs has it)
-      goOverlay = final: prev:
+      # go 1.25 binary derivation (required until nixpkgs ships it)
+      mkGo125 = pkgs:
         let
           version = "1.25.0";
-          platformInfo = {
-            "x86_64-linux" = { suffix = "linux-amd64"; sri = "sha256-KFKvDLIKExObNEiZLmm4aOUO0Pih5ZQO4d6eGaEjthM="; };
-            "aarch64-linux" = { suffix = "linux-arm64"; sri = "sha256-Bd511plKJ4NpmBXuVTvVqTJ9i3mZHeNuOLZoYngvVK4="; };
-            "x86_64-darwin" = { suffix = "darwin-amd64"; sri = "sha256-W9YOgjA3BiwjB8cegRGAmGURZxTW9rQQWXz1B139gO8="; };
-            "aarch64-darwin" = { suffix = "darwin-arm64"; sri = "sha256-VEkyhEFW2Bcveij3fyrJwVojBGaYtiQ/YzsKCwDAdJw="; };
-          };
-          hostSystem = prev.stdenv.hostPlatform.system;
-          chosen = platformInfo.${hostSystem} or (throw "unsupported system: ${hostSystem}");
+          platform = {
+            "x86_64-linux" = { suffix = "linux-amd64"; hash = "sha256-KFKvDLIKExObNEiZLmm4aOUO0Pih5ZQO4d6eGaEjthM="; GOOS = "linux"; GOARCH = "amd64"; };
+            "aarch64-linux" = { suffix = "linux-arm64"; hash = "sha256-Bd511plKJ4NpmBXuVTvVqTJ9i3mZHeNuOLZoYngvVK4="; GOOS = "linux"; GOARCH = "arm64"; };
+            "x86_64-darwin" = { suffix = "darwin-amd64"; hash = "sha256-W9YOgjA3BiwjB8cegRGAmGURZxTW9rQQWXz1B139gO8="; GOOS = "darwin"; GOARCH = "amd64"; };
+            "aarch64-darwin" = { suffix = "darwin-arm64"; hash = "sha256-VEkyhEFW2Bcveij3fyrJwVojBGaYtiQ/YzsKCwDAdJw="; GOOS = "darwin"; GOARCH = "arm64"; };
+          }.${pkgs.stdenv.hostPlatform.system} or (throw "unsupported system: ${pkgs.stdenv.hostPlatform.system}");
         in
-        {
-          go_1_25 = prev.stdenvNoCC.mkDerivation {
-            pname = "go";
-            inherit version;
-            src = prev.fetchurl {
-              url = "https://go.dev/dl/go${version}.${chosen.suffix}.tar.gz";
-              hash = chosen.sri;
-            };
-            dontBuild = true;
-            installPhase = ''
-              runHook preInstall
-              mkdir -p "$out"/{bin,share}
-              tar -C "$TMPDIR" -xzf "$src"
-              cp -a "$TMPDIR/go" "$out/share/go"
-              ln -s "$out/share/go/bin/go" "$out/bin/go"
-              ln -s "$out/share/go/bin/gofmt" "$out/bin/gofmt"
-              runHook postInstall
-            '';
-            dontPatchELF = true;
-            dontStrip = true;
+        pkgs.stdenv.mkDerivation {
+          pname = "go";
+          inherit version;
+          src = pkgs.fetchurl {
+            url = "https://go.dev/dl/go${version}.${platform.suffix}.tar.gz";
+            inherit (platform) hash;
+          };
+          dontBuild = true;
+          dontPatchELF = true;
+          dontStrip = true;
+          installPhase = ''
+            runHook preInstall
+            mkdir -p $out/{bin,share/go}
+            tar -xzf $src --strip-components=1 -C $out/share/go
+            ln -s $out/share/go/bin/go $out/bin/go
+            ln -s $out/share/go/bin/gofmt $out/bin/gofmt
+            runHook postInstall
+          '';
+          passthru = {
+            inherit (platform) GOOS GOARCH;
+          };
+        };
+
+      pkgsFor = system: import nixpkgs { inherit system; };
+
+      mkSnitch = pkgs:
+        let
+          version = self.shortRev or self.dirtyShortRev or "dev";
+          go = mkGo125 pkgs;
+          buildGoModule = pkgs.buildGoModule.override { inherit go; };
+        in
+        buildGoModule {
+          pname = "snitch";
+          inherit version;
+          src = self;
+          vendorHash = "sha256-fX3wOqeOgjH7AuWGxPQxJ+wbhp240CW8tiF4rVUUDzk=";
+          env.CGO_ENABLED = "0";
+          env.GOTOOLCHAIN = "local";
+          ldflags = [
+            "-s"
+            "-w"
+            "-X snitch/cmd.Version=${version}"
+            "-X snitch/cmd.Commit=${version}"
+            "-X snitch/cmd.Date=${self.lastModifiedDate or "unknown"}"
+          ];
+          meta = {
+            description = "a friendlier ss/netstat for humans";
+            homepage = "https://github.com/karol-broda/snitch";
+            license = pkgs.lib.licenses.mit;
+            platforms = pkgs.lib.platforms.linux;
+            mainProgram = "snitch";
           };
         };
     in
     {
-      overlays.default = final: prev: {
-        snitch = final.callPackage ./nix/package.nix { };
-      };
-
-      packages = forAllSystems (system:
-        let
-          pkgs = import nixpkgs {
-            inherit system;
-            overlays = [ goOverlay ];
-          };
-        in
-        let
-          version = self.shortRev or self.dirtyShortRev or "dev";
-        in
+      packages = eachSystem (system:
+        let pkgs = pkgsFor system; in
         {
-          default = pkgs.buildGoModule {
-            pname = "snitch";
-            inherit version;
-            src = self;
-            vendorHash = "sha256-fX3wOqeOgjH7AuWGxPQxJ+wbhp240CW8tiF4rVUUDzk=";
-            env.CGO_ENABLED = 0;
-            ldflags = [
-              "-s" "-w"
-              "-X snitch/cmd.Version=${version}"
-              "-X snitch/cmd.Commit=${version}"
-              "-X snitch/cmd.Date=${self.lastModifiedDate or "unknown"}"
-            ];
-            meta = with pkgs.lib; {
-              description = "a friendlier ss/netstat for humans";
-              homepage = "https://github.com/karol-broda/snitch";
-              license = licenses.mit;
-              platforms = platforms.linux;
-              mainProgram = "snitch";
-            };
-          };
+          default = mkSnitch pkgs;
+          snitch = mkSnitch pkgs;
         }
       );
 
-      devShells = forAllSystems (system:
+      devShells = eachSystem (system:
         let
-          pkgs = import nixpkgs {
-            inherit system;
-            overlays = [ goOverlay ];
-          };
+          pkgs = pkgsFor system;
+          go = mkGo125 pkgs;
         in
         {
           default = pkgs.mkShell {
-            packages = [ pkgs.go_1_25 pkgs.git pkgs.vhs ];
-            GOTOOLCHAIN = "local";
+            packages = [ go pkgs.git pkgs.vhs ];
+            env.GOTOOLCHAIN = "local";
             shellHook = ''
               echo "go toolchain: $(go version)"
             '';
           };
         }
       );
+
+      overlays.default = final: _prev: {
+        snitch = mkSnitch final;
+      };
     };
 }

install.sh

@@ -0,0 +1,113 @@
+#!/bin/sh
+set -e
+
+REPO="karol-broda/snitch"
+BINARY_NAME="snitch"
+
+# allow override via environment
+INSTALL_DIR="${INSTALL_DIR:-}"
+KEEP_QUARANTINE="${KEEP_QUARANTINE:-}"
+
+detect_install_dir() {
+    if [ -n "$INSTALL_DIR" ]; then
+        echo "$INSTALL_DIR"
+        return
+    fi
+
+    # prefer user-local directory if it exists and is in PATH
+    if [ -d "$HOME/.local/bin" ] && echo "$PATH" | grep -q "$HOME/.local/bin"; then
+        echo "$HOME/.local/bin"
+        return
+    fi
+
+    # fallback to /usr/local/bin
+    echo "/usr/local/bin"
+}
+
+detect_os() {
+    os=$(uname -s | tr '[:upper:]' '[:lower:]')
+    case "$os" in
+        darwin) echo "darwin" ;;
+        linux) echo "linux" ;;
+        *)
+            echo "error: unsupported operating system: $os" >&2
+            exit 1
+            ;;
+    esac
+}
+
+detect_arch() {
+    arch=$(uname -m)
+    case "$arch" in
+        x86_64|amd64) echo "amd64" ;;
+        aarch64|arm64) echo "arm64" ;;
+        armv7l) echo "armv7" ;;
+        *)
+            echo "error: unsupported architecture: $arch" >&2
+            exit 1
+            ;;
+    esac
+}
+
+fetch_latest_version() {
+    version=$(curl -sL "https://api.github.com/repos/${REPO}/releases/latest" | grep '"tag_name"' | head -1 | cut -d'"' -f4)
+    if [ -z "$version" ]; then
+        echo "error: failed to fetch latest version" >&2
+        exit 1
+    fi
+    echo "$version"
+}
+
+main() {
+    os=$(detect_os)
+    arch=$(detect_arch)
+    install_dir=$(detect_install_dir)
+    version=$(fetch_latest_version)
+    version_no_v="${version#v}"
+
+    archive_name="${BINARY_NAME}_${version_no_v}_${os}_${arch}.tar.gz"
+    download_url="https://github.com/${REPO}/releases/download/${version}/${archive_name}"
+
+    echo "installing ${BINARY_NAME} ${version} for ${os}/${arch}..."
+
+    tmp_dir=$(mktemp -d)
+    trap 'rm -rf "$tmp_dir"' EXIT
+
+    echo "downloading ${download_url}..."
+    if ! curl -sL --fail "$download_url" -o "${tmp_dir}/${archive_name}"; then
+        echo "error: failed to download ${download_url}" >&2
+        exit 1
+    fi
+
+    echo "extracting..."
+    tar -xzf "${tmp_dir}/${archive_name}" -C "$tmp_dir"
+
+    if [ ! -f "${tmp_dir}/${BINARY_NAME}" ]; then
+        echo "error: binary not found in archive" >&2
+        exit 1
+    fi
+
+    # remove macos quarantine attribute unless disabled
+    if [ "$os" = "darwin" ] && [ -z "$KEEP_QUARANTINE" ]; then
+        if xattr -d com.apple.quarantine "${tmp_dir}/${BINARY_NAME}" 2>/dev/null; then
+            echo "warning: removed macOS quarantine attribute from binary"
+        fi
+    fi
+
+    # install binary
+    if [ -w "$install_dir" ]; then
+        mv "${tmp_dir}/${BINARY_NAME}" "${install_dir}/${BINARY_NAME}"
+    else
+        echo "elevated permissions required to install to ${install_dir}"
+        sudo mv "${tmp_dir}/${BINARY_NAME}" "${install_dir}/${BINARY_NAME}"
+    fi
+
+    chmod +x "${install_dir}/${BINARY_NAME}"
+
+    echo "installed ${BINARY_NAME} to ${install_dir}/${BINARY_NAME}"
+    echo ""
+    echo "run '${BINARY_NAME} --help' to get started"
+}
+
+main
+

internal/tui/view.go

@@ -47,37 +47,14 @@ func (m model) renderTitle() string {
 func (m model) renderFilters() string {
 	var parts []string
 
-	if m.showTCP {
-		parts = append(parts, m.theme.Styles.Success.Render("tcp"))
-	} else {
-		parts = append(parts, m.theme.Styles.Normal.Render("tcp"))
-	}
-
-	if m.showUDP {
-		parts = append(parts, m.theme.Styles.Success.Render("udp"))
-	} else {
-		parts = append(parts, m.theme.Styles.Normal.Render("udp"))
-	}
+	parts = append(parts, m.renderFilterLabel("t", "cp", m.showTCP))
+	parts = append(parts, m.renderFilterLabel("u", "dp", m.showUDP))
 
 	parts = append(parts, m.theme.Styles.Border.Render(BoxVertical))
 
-	if m.showListening {
-		parts = append(parts, m.theme.Styles.Success.Render("listen"))
-	} else {
-		parts = append(parts, m.theme.Styles.Normal.Render("listen"))
-	}
-
-	if m.showEstablished {
-		parts = append(parts, m.theme.Styles.Success.Render("estab"))
-	} else {
-		parts = append(parts, m.theme.Styles.Normal.Render("estab"))
-	}
-
-	if m.showOther {
-		parts = append(parts, m.theme.Styles.Success.Render("other"))
-	} else {
-		parts = append(parts, m.theme.Styles.Normal.Render("other"))
-	}
+	parts = append(parts, m.renderFilterLabel("l", "isten", m.showListening))
+	parts = append(parts, m.renderFilterLabel("e", "stab", m.showEstablished))
+	parts = append(parts, m.renderFilterLabel("o", "ther", m.showOther))
 
 	left := "  " + strings.Join(parts, "  ")
 
@@ -119,6 +96,18 @@ func (m model) renderTableHeader() string {
 	return m.theme.Styles.Header.Render(header) + "\n"
 }
 
+func (m model) renderFilterLabel(firstChar, rest string, active bool) string {
+	baseStyle := m.theme.Styles.Normal
+	if active {
+		baseStyle = m.theme.Styles.Success
+	}
+
+	underlinedFirst := baseStyle.Underline(true).Render(firstChar)
+	restPart := baseStyle.Render(rest)
+
+	return underlinedFirst + restPart
+}
+
 func (m model) renderSeparator() string {
 	w := m.width - 4
 	if w < 1 {
@@ -134,8 +123,11 @@ func (m model) renderConnections() string {
 	pageSize := m.pageSize()
 
 	if len(visible) == 0 {
-		empty := "\n  " + m.theme.Styles.Normal.Render("no connections match filters") + "\n"
-		return empty
+		b.WriteString("  " + m.theme.Styles.Normal.Render("no connections match filters") + "\n")
+		for i := 1; i < pageSize; i++ {
+			b.WriteString("\n")
+		}
+		return b.String()
 	}
 
 	start := m.scrollOffset(pageSize, len(visible))