fix: enforce Content-Type to accept only binary responses

Add validation for CLI downloads that ensures the Content-Type header
is indicating a binary stream (`application/octet-stream`),
including common variants with parameters. This prevents saving unexpected
HTML or other non-binary responses (e.g., from frontend dev servers on :8080)
as binaries, improving reliability and providing clearer error feedback.

Author: fioan89

CHANGELOG.md

@@ -2,6 +2,10 @@
 
 ## Unreleased
 
+### Changed
+
+- content-type is now enforced when downloading the CLI to accept only binary responses
+
 ## 0.6.1 - 2025-08-11
 
 ### Added

src/main/kotlin/com/coder/toolbox/cli/downloader/CoderDownloadService.kt

@@ -51,6 +51,13 @@ class CoderDownloadService(
 
         return when (response.code()) {
             HTTP_OK -> {
+                val contentType = response.headers()["Content-Type"]?.lowercase()
+                if (contentType?.startsWith("application/octet-stream") != true) {
+                    throw ResponseException(
+                        "Invalid content type '$contentType' when downloading CLI from $remoteBinaryURL. Expected application/octet-stream.",
+                        response.code()
+                    )
+                }
                 context.logger.info("Downloading binary to temporary $cliTempDst")
                 response.saveToDisk(cliTempDst, showTextProgress, buildVersion)?.makeExecutable()
                 DownloadResult.Downloaded(remoteBinaryURL, cliTempDst)