@nightowne/tas-cli 1.1.1 → 2.0.0

package/README.md

@@ -1,11 +1,11 @@
-# TAS — Telegram as Storage
+# Telegram as Storage
 
 [![CI](https://github.com/ixchio/tas/actions/workflows/ci.yml/badge.svg)](https://github.com/ixchio/tas/actions/workflows/ci.yml)
 [![npm](https://img.shields.io/npm/v/@nightowne/tas-cli)](https://www.npmjs.com/package/@nightowne/tas-cli)
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
 
 <p align="center">
-  <img src="assets/demo.gif" alt="TAS Demo" width="600">
+  <img src="assets/demo.gif" alt="Demo" width="600">
 </p>
 
 A CLI tool that uses your Telegram bot as encrypted file storage. Files are compressed, encrypted locally, then uploaded to your private bot chat.
@@ -26,16 +26,16 @@ A CLI tool that uses your Telegram bot as encrypted file storage. Files are comp
 
 | Feature | TAS | Session-based tools (e.g. teldrive) |
 |---------|:---:|:-----------------------------------:|
-| Account ban risk | **None** (Bot API) | High (session hijack detection) |
+| Account ban risk | None (Bot API) | High (session hijack detection) |
 | Encryption | AES-256-GCM | Usually none |
 | Dependencies | SQLite only | Rclone, external DB |
 | Setup complexity | 2 minutes | Docker + multiple services |
 
-**Key differences:**
-- Uses **Bot API**, not session-based auth — Telegram can't ban your account
-- **Encryption by default** — files encrypted before leaving your machine
-- **Local-first** — SQLite index, no cloud dependencies
-- **FUSE mount** — use Telegram like a folder
+Key differences:
+- Uses Bot API, not session-based auth - Telegram can't ban your account
+- Encryption by default - files encrypted before leaving your machine
+- Local-first - SQLite index, no cloud dependencies
+- FUSE mount - use Telegram like a folder
 
 ## Security Model
 
@@ -51,11 +51,11 @@ Your password never leaves your machine. Telegram stores encrypted blobs.
 
 ## Limitations
 
-- **Not a backup** — Telegram can delete content without notice
-- **No versioning** — overwriting a file deletes the old version
-- **49MB chunks** — files split due to Bot API limits
-- **FUSE required** — mount feature needs `libfuse` on Linux/macOS
-- **Single user** — designed for personal use, not multi-tenant
+- Not a backup - Telegram can delete content without notice
+- No versioning - overwriting a file deletes the old version
+- 49MB chunks - files split due to Bot API limits
+- FUSE required - mount feature needs libfuse on Linux/macOS
+- Single user - designed for personal use, not multi-tenant
 
 ## Quick Start
 
@@ -122,10 +122,36 @@ tas sync start              # Start watching
 tas sync pull               # Download all to sync folders
 tas sync status             # Show sync status
 
+# Share (temporary links)
+tas share create <file>     # Create download link
+tas share create <file> --expire 1h --max-downloads 3
+tas share list              # Show active shares
+tas share revoke <token>    # Revoke a share
+
 # Verification
 tas verify                  # Check file integrity
 ```
 
+## Automation
+
+Skip password prompts for scripts and CI/CD:
+
+```bash
+# Environment variable
+export TAS_PASSWORD="your-password"
+tas push file.pdf
+tas sync start
+
+# Or use CLI flag (recommended for CI/CD)
+tas push -p "password" file.pdf
+```
+
+Works great with:
+- Cron jobs for automated backups
+- GitHub Actions and GitLab CI
+- Docker containers
+- Shell scripts for batch operations
+
 ## Auto-Start (systemd)
 
 See [systemd/README.md](systemd/README.md) for running sync as a service.

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@nightowne/tas-cli",
-  "version": "1.1.1",
-  "description": "📦 Telegram as Storage - Free encrypted cloud storage via Telegram. Mount Telegram as a folder!",
+  "version": "2.0.0",
+  "description": "Telegram as Storage - Automated encrypted cloud backup. Free, encrypted, scriptable. Mount as folder or use with cron/Docker.",
   "type": "module",
   "main": "src/index.js",
   "bin": {
@@ -54,4 +54,4 @@
   "engines": {
     "node": ">=18.0.0"
   }
-}
+}

package/src/cli.js

@@ -15,6 +15,7 @@ import { Compressor } from './utils/compression.js';
 import { FileIndex } from './db/index.js';
 import { processFile, retrieveFile } from './index.js';
 import { printBanner, LOGO, TAGLINE, VERSION } from './utils/branding.js';
+import { getPassword, verifyPassword, loadConfig, requireConfig, getAndVerifyPassword } from './utils/cli-helpers.js';
 import fs from 'fs';
 import path from 'path';
 import { fileURLToPath } from 'url';
@@ -140,6 +141,7 @@ program
     .command('push <file>')
     .description('Upload a file to Telegram storage')
     .option('-n, --name <name>', 'Custom name for the file')
+    .option('-p, --password <password>', 'Encryption password (uses TAS_PASSWORD env var if not provided)')
     .action(async (file, options) => {
         const spinner = ora('Preparing...').start();
 
@@ -150,32 +152,11 @@ program
                 process.exit(1);
             }
 
-            // Load config
-            const configPath = path.join(DATA_DIR, 'config.json');
-            if (!fs.existsSync(configPath)) {
-                spinner.fail('TAS not initialized. Run `tas init` first.');
-                process.exit(1);
-            }
-            const config = JSON.parse(fs.readFileSync(configPath, 'utf-8'));
-
+            const config = requireConfig(DATA_DIR);
             spinner.stop();
 
-            // Get password
-            const { password } = await inquirer.prompt([
-                {
-                    type: 'password',
-                    name: 'password',
-                    message: 'Enter your encryption password:',
-                    mask: '*'
-                }
-            ]);
-
-            // Verify password
-            const encryptor = new Encryptor(password);
-            if (encryptor.getPasswordHash() !== config.passwordHash) {
-                console.log(chalk.red('✗ Incorrect password'));
-                process.exit(1);
-            }
+            // Get and verify password
+            const password = await getAndVerifyPassword(options.password, DATA_DIR);
 
             spinner.start('Processing file...');
 
@@ -221,17 +202,12 @@ program
     .command('pull <identifier> [output]')
     .description('Download a file from Telegram storage (by filename or hash)')
     .option('-o, --output <path>', 'Output path for the file')
+    .option('-p, --password <password>', 'Encryption password (uses TAS_PASSWORD env var if not provided)')
     .action(async (identifier, output, options) => {
         const spinner = ora('Looking up file...').start();
 
         try {
-            // Load config
-            const configPath = path.join(DATA_DIR, 'config.json');
-            if (!fs.existsSync(configPath)) {
-                spinner.fail('TAS not initialized. Run `tas init` first.');
-                process.exit(1);
-            }
-            const config = JSON.parse(fs.readFileSync(configPath, 'utf-8'));
+            const config = requireConfig(DATA_DIR);
 
             // Find file in index
             const db = new FileIndex(path.join(DATA_DIR, 'index.db'));
@@ -245,22 +221,8 @@ program
 
             spinner.stop();
 
-            // Get password
-            const { password } = await inquirer.prompt([
-                {
-                    type: 'password',
-                    name: 'password',
-                    message: 'Enter your encryption password:',
-                    mask: '*'
-                }
-            ]);
-
-            // Verify password
-            const encryptor = new Encryptor(password);
-            if (encryptor.getPasswordHash() !== config.passwordHash) {
-                console.log(chalk.red('✗ Incorrect password'));
-                process.exit(1);
-            }
+            // Get and verify password
+            const password = await getAndVerifyPassword(options.password, DATA_DIR);
 
             spinner.start('Downloading...');
 
@@ -429,33 +391,12 @@ program
 program
     .command('mount <mountpoint>')
     .description('🔥 Mount Telegram storage as a local folder (FUSE)')
-    .action(async (mountpoint) => {
+    .option('-p, --password <password>', 'Encryption password (uses TAS_PASSWORD env var if not provided)')
+    .action(async (mountpoint, options) => {
         console.log(chalk.cyan('\n🗂️  Mounting Telegram as filesystem...\n'));
 
-        // Load config
-        const configPath = path.join(DATA_DIR, 'config.json');
-        if (!fs.existsSync(configPath)) {
-            console.log(chalk.red('✗ TAS not initialized. Run `tas init` first.'));
-            process.exit(1);
-        }
-        const config = JSON.parse(fs.readFileSync(configPath, 'utf-8'));
-
-        // Get password
-        const { password } = await inquirer.prompt([
-            {
-                type: 'password',
-                name: 'password',
-                message: 'Enter your encryption password:',
-                mask: '*'
-            }
-        ]);
-
-        // Verify password
-        const encryptor = new Encryptor(password);
-        if (encryptor.getPasswordHash() !== config.passwordHash) {
-            console.log(chalk.red('✗ Incorrect password'));
-            process.exit(1);
-        }
+        const config = requireConfig(DATA_DIR);
+        const password = await getAndVerifyPassword(options.password, DATA_DIR);
 
         const spinner = ora('Initializing filesystem...').start();
 
@@ -732,33 +673,12 @@ syncCmd
 syncCmd
     .command('start')
     .description('Start syncing all registered folders')
-    .action(async () => {
+    .option('-p, --password <password>', 'Encryption password (uses TAS_PASSWORD env var if not provided)')
+    .action(async (options) => {
         console.log(chalk.cyan('\n🔄 Starting folder sync...\n'));
 
-        // Load config
-        const configPath = path.join(DATA_DIR, 'config.json');
-        if (!fs.existsSync(configPath)) {
-            console.log(chalk.red('✗ TAS not initialized. Run `tas init` first.'));
-            process.exit(1);
-        }
-        const config = JSON.parse(fs.readFileSync(configPath, 'utf-8'));
-
-        // Get password
-        const { password } = await inquirer.prompt([
-            {
-                type: 'password',
-                name: 'password',
-                message: 'Enter your encryption password:',
-                mask: '*'
-            }
-        ]);
-
-        // Verify password
-        const encryptor = new Encryptor(password);
-        if (encryptor.getPasswordHash() !== config.passwordHash) {
-            console.log(chalk.red('✗ Incorrect password'));
-            process.exit(1);
-        }
+        const config = requireConfig(DATA_DIR);
+        const password = await getAndVerifyPassword(options.password, DATA_DIR);
 
         try {
             const { SyncEngine } = await import('./sync/sync.js');
@@ -825,33 +745,12 @@ syncCmd
 syncCmd
     .command('pull')
     .description('Download all Telegram files to sync folders (two-way sync)')
-    .action(async () => {
+    .option('-p, --password <password>', 'Encryption password (uses TAS_PASSWORD env var if not provided)')
+    .action(async (options) => {
         console.log(chalk.cyan('\n📥 Pulling files from Telegram...\n'));
 
-        // Load config
-        const configPath = path.join(DATA_DIR, 'config.json');
-        if (!fs.existsSync(configPath)) {
-            console.log(chalk.red('✗ TAS not initialized. Run `tas init` first.'));
-            process.exit(1);
-        }
-        const config = JSON.parse(fs.readFileSync(configPath, 'utf-8'));
-
-        // Get password
-        const { password } = await inquirer.prompt([
-            {
-                type: 'password',
-                name: 'password',
-                message: 'Enter your encryption password:',
-                mask: '*'
-            }
-        ]);
-
-        // Verify password
-        const encryptor = new Encryptor(password);
-        if (encryptor.getPasswordHash() !== config.passwordHash) {
-            console.log(chalk.red('✗ Incorrect password'));
-            process.exit(1);
-        }
+        const config = requireConfig(DATA_DIR);
+        const password = await getAndVerifyPassword(options.password, DATA_DIR);
 
         const spinner = ora('Loading...').start();
 
@@ -939,13 +838,7 @@ program
     .action(async () => {
         console.log(chalk.cyan('\n🔍 Verifying file integrity...\n'));
 
-        // Load config
-        const configPath = path.join(DATA_DIR, 'config.json');
-        if (!fs.existsSync(configPath)) {
-            console.log(chalk.red('✗ TAS not initialized. Run `tas init` first.'));
-            process.exit(1);
-        }
-        const config = JSON.parse(fs.readFileSync(configPath, 'utf-8'));
+        const config = requireConfig(DATA_DIR);
 
         const spinner = ora('Checking files...').start();
 
@@ -1078,7 +971,8 @@ program
 program
     .command('resume')
     .description('Resume interrupted uploads')
-    .action(async () => {
+    .option('-p, --password <password>', 'Encryption password (uses TAS_PASSWORD env var if not provided)')
+    .action(async (options) => {
         try {
             const db = new FileIndex(path.join(DATA_DIR, 'index.db'));
             db.init();
@@ -1139,30 +1033,15 @@ program
             }
 
             // Resume uploads
-            const configPath = path.join(DATA_DIR, 'config.json');
-            if (!fs.existsSync(configPath)) {
+            const config = loadConfig(DATA_DIR);
+            if (!config) {
                 console.log(chalk.red('✗ TAS not initialized.'));
                 db.close();
                 return;
             }
-            const config = JSON.parse(fs.readFileSync(configPath, 'utf-8'));
-
-            // Get password
-            const { password } = await inquirer.prompt([
-                {
-                    type: 'password',
-                    name: 'password',
-                    message: 'Enter your encryption password:',
-                    mask: '*'
-                }
-            ]);
 
-            const encryptor = new Encryptor(password);
-            if (encryptor.getPasswordHash() !== config.passwordHash) {
-                console.log(chalk.red('✗ Incorrect password'));
-                db.close();
-                return;
-            }
+            // Get and verify password
+            const password = await getAndVerifyPassword(options.password, DATA_DIR);
 
             // Connect to Telegram
             const { TelegramClient } = await import('./telegram/client.js');
@@ -1234,6 +1113,173 @@ program
         }
     });
 
+// ============== SHARE COMMAND ==============
+const shareCmd = program
+    .command('share')
+    .description('🔗 Share files via temporary download links');
+
+shareCmd
+    .command('create <file>')
+    .description('Create a temporary download link for a file')
+    .option('-e, --expire <duration>', 'Expiry duration (e.g. 1h, 24h, 7d)', '24h')
+    .option('-m, --max-downloads <n>', 'Maximum number of downloads', '1')
+    .option('--port <port>', 'HTTP server port', '3000')
+    .option('-p, --password <password>', 'Encryption password')
+    .action(async (file, options) => {
+        console.log(chalk.cyan('\n🔗 Creating share link...\n'));
+
+        const config = requireConfig(DATA_DIR);
+        const password = await getAndVerifyPassword(options.password, DATA_DIR);
+
+        const spinner = ora('Setting up...').start();
+
+        try {
+            const db = new FileIndex(path.join(DATA_DIR, 'index.db'));
+            db.init();
+
+            const fileRecord = db.findByHash(file) || db.findByName(file);
+            if (!fileRecord) {
+                spinner.fail(`File not found: ${file}`);
+                process.exit(1);
+            }
+
+            // Generate token and calculate expiry
+            const { generateToken, parseDuration } = await import('./share/server.js');
+            const token = generateToken();
+            const expiresAt = new Date(Date.now() + parseDuration(options.expire)).toISOString();
+            const maxDownloads = parseInt(options.maxDownloads) || 1;
+
+            // Add share to DB
+            db.addShare(fileRecord.id, token, expiresAt, maxDownloads);
+
+            // Start share server
+            const { ShareServer } = await import('./share/server.js');
+            const port = parseInt(options.port) || 3000;
+
+            const server = new ShareServer({
+                dataDir: DATA_DIR,
+                password,
+                config,
+                port
+            });
+
+            await server.initialize();
+            await server.start();
+
+            spinner.succeed('Share server running!');
+
+            // Get local IP for network sharing
+            const { networkInterfaces } = await import('os');
+            const nets = networkInterfaces();
+            let localIP = 'localhost';
+            for (const name of Object.keys(nets)) {
+                for (const net of nets[name]) {
+                    if (net.family === 'IPv4' && !net.internal) {
+                        localIP = net.address;
+                        break;
+                    }
+                }
+            }
+
+            console.log(chalk.cyan('\n📎 Share Links:\n'));
+            console.log(`  ${chalk.white('Local:')}    ${chalk.green(`http://localhost:${port}/d/${token}`)}`);
+            console.log(`  ${chalk.white('Network:')}  ${chalk.green(`http://${localIP}:${port}/d/${token}`)}`);
+            console.log();
+            console.log(chalk.dim(`  File:       ${fileRecord.filename}`));
+            console.log(chalk.dim(`  Expires:    ${options.expire}`));
+            console.log(chalk.dim(`  Downloads:  ${maxDownloads} max`));
+            console.log(chalk.dim(`  Token:      ${token.substring(0, 8)}...`));
+            console.log();
+            console.log(chalk.yellow('Press Ctrl+C to stop the share server'));
+
+            // Handle graceful shutdown
+            const cleanup = async () => {
+                console.log(chalk.dim('\n\nStopping share server...'));
+                await server.stop();
+                console.log(chalk.green('✓ Share server stopped'));
+                process.exit(0);
+            };
+
+            process.on('SIGINT', cleanup);
+            process.on('SIGTERM', cleanup);
+
+            // Keep process running
+            await new Promise(() => { });
+
+        } catch (err) {
+            spinner.fail(`Share failed: ${err.message}`);
+            process.exit(1);
+        }
+    });
+
+shareCmd
+    .command('list')
+    .description('List all active share links')
+    .action(async () => {
+        try {
+            const db = new FileIndex(path.join(DATA_DIR, 'index.db'));
+            db.init();
+
+            // Clean expired first
+            const cleaned = db.cleanExpiredShares();
+            if (cleaned > 0) {
+                console.log(chalk.dim(`  (${cleaned} expired shares cleaned)`));
+            }
+
+            const shares = db.listShares();
+
+            if (shares.length === 0) {
+                console.log(chalk.yellow('\n📭 No active shares. Use `tas share create <file>` to create one.\n'));
+            } else {
+                console.log(chalk.cyan(`\n🔗 Active Shares (${shares.length})\n`));
+
+                for (const share of shares) {
+                    const expired = new Date(share.expires_at) < new Date();
+                    const status = expired
+                        ? chalk.red('expired')
+                        : chalk.green('active');
+
+                    console.log(`  ${chalk.blue('●')} ${share.filename}`);
+                    console.log(chalk.dim(`    Token: ${share.token.substring(0, 8)}...  Status: ${status}  Downloads: ${share.download_count}/${share.max_downloads}`));
+                    console.log(chalk.dim(`    Expires: ${new Date(share.expires_at).toLocaleString()}`));
+                }
+                console.log();
+            }
+
+            db.close();
+        } catch (err) {
+            console.error(chalk.red('Error:'), err.message);
+            process.exit(1);
+        }
+    });
+
+shareCmd
+    .command('revoke <token>')
+    .description('Revoke a share link')
+    .action(async (token) => {
+        try {
+            const db = new FileIndex(path.join(DATA_DIR, 'index.db'));
+            db.init();
+
+            // Support partial token match
+            const shares = db.listShares();
+            const match = shares.find(s => s.token === token || s.token.startsWith(token));
+
+            if (!match) {
+                console.log(chalk.red(`✗ Share not found: ${token}`));
+                process.exit(1);
+            }
+
+            db.revokeShare(match.token);
+            console.log(chalk.green(`✓ Revoked share for "${match.filename}"`));
+
+            db.close();
+        } catch (err) {
+            console.error(chalk.red('Error:'), err.message);
+            process.exit(1);
+        }
+    });
+
 program.parse();
 
 

package/src/db/index.js

@@ -92,6 +92,22 @@ export class FileIndex {
       );
     `);
 
+    // Create shares table for temporary file sharing
+    this.db.exec(`
+      CREATE TABLE IF NOT EXISTS shares (
+        id INTEGER PRIMARY KEY AUTOINCREMENT,
+        file_id INTEGER NOT NULL,
+        token TEXT UNIQUE NOT NULL,
+        expires_at TEXT NOT NULL,
+        max_downloads INTEGER NOT NULL DEFAULT 1,
+        download_count INTEGER NOT NULL DEFAULT 0,
+        created_at TEXT NOT NULL DEFAULT (datetime('now')),
+        FOREIGN KEY (file_id) REFERENCES files(id) ON DELETE CASCADE
+      );
+
+      CREATE INDEX IF NOT EXISTS idx_shares_token ON shares(token);
+    `);
+
     // Create pending_uploads table for resume functionality
     this.db.exec(`
       CREATE TABLE IF NOT EXISTS pending_uploads (
@@ -492,6 +508,76 @@ export class FileIndex {
     return stmt.get(hash);
   }
 
+  // ============== SHARE METHODS ==============
+
+  /**
+   * Create a share link for a file
+   */
+  addShare(fileId, token, expiresAt, maxDownloads = 1) {
+    const stmt = this.db.prepare(`
+      INSERT INTO shares (file_id, token, expires_at, max_downloads)
+      VALUES (?, ?, ?, ?)
+    `);
+    const result = stmt.run(fileId, token, expiresAt, maxDownloads);
+    return result.lastInsertRowid;
+  }
+
+  /**
+   * Get a share by token (returns null if not found)
+   */
+  getShare(token) {
+    const stmt = this.db.prepare(`
+      SELECT s.*, f.filename, f.original_size
+      FROM shares s
+      JOIN files f ON s.file_id = f.id
+      WHERE s.token = ?
+    `);
+    return stmt.get(token) || null;
+  }
+
+  /**
+   * List all active shares
+   */
+  listShares() {
+    const stmt = this.db.prepare(`
+      SELECT s.*, f.filename, f.original_size
+      FROM shares s
+      JOIN files f ON s.file_id = f.id
+      ORDER BY s.created_at DESC
+    `);
+    return stmt.all();
+  }
+
+  /**
+   * Revoke (delete) a share by token
+   */
+  revokeShare(token) {
+    const stmt = this.db.prepare('DELETE FROM shares WHERE token = ?');
+    const result = stmt.run(token);
+    return result.changes > 0;
+  }
+
+  /**
+   * Increment download count for a share
+   */
+  incrementShareDownload(token) {
+    const stmt = this.db.prepare(`
+      UPDATE shares SET download_count = download_count + 1 WHERE token = ?
+    `);
+    stmt.run(token);
+  }
+
+  /**
+   * Remove expired shares
+   */
+  cleanExpiredShares() {
+    const stmt = this.db.prepare(`
+      DELETE FROM shares WHERE
+        REPLACE(REPLACE(expires_at, 'T', ' '), 'Z', '') < strftime('%Y-%m-%d %H:%M:%f', 'now')
+    `);
+    return stmt.run().changes;
+  }
+
   /**
    * Close database connection
    */

package/src/share/server.js

@@ -0,0 +1,412 @@
+/**
+ * Share Server — Temporary file sharing via HTTP
+ * Spins up a lightweight server that serves one-time download links
+ * for files stored in Telegram. Files are decrypted on-the-fly.
+ */
+
+import http from 'http';
+import crypto from 'crypto';
+import path from 'path';
+import { FileIndex } from '../db/index.js';
+import { TelegramClient } from '../telegram/client.js';
+import { Encryptor } from '../crypto/encryption.js';
+import { Compressor } from '../utils/compression.js';
+import { parseHeader, HEADER_SIZE } from '../utils/chunker.js';
+
+/**
+ * Generate a secure random share token
+ */
+export function generateToken() {
+    return crypto.randomBytes(16).toString('hex');
+}
+
+/**
+ * Parse duration string to milliseconds
+ * Supports: 1h, 24h, 7d, 30m, etc.
+ */
+export function parseDuration(str) {
+    const match = str.match(/^(\d+)(m|h|d)$/);
+    if (!match) throw new Error(`Invalid duration: ${str}. Use format like 1h, 24h, 7d, 30m`);
+
+    const value = parseInt(match[1]);
+    const unit = match[2];
+
+    const multipliers = {
+        'm': 60 * 1000,
+        'h': 60 * 60 * 1000,
+        'd': 24 * 60 * 60 * 1000
+    };
+
+    return value * multipliers[unit];
+}
+
+/**
+ * Format remaining time human-readable
+ */
+function formatTimeLeft(expiresAt) {
+    const now = Date.now();
+    const diff = new Date(expiresAt).getTime() - now;
+
+    if (diff <= 0) return 'expired';
+
+    const hours = Math.floor(diff / (1000 * 60 * 60));
+    const minutes = Math.floor((diff % (1000 * 60 * 60)) / (1000 * 60));
+
+    if (hours > 24) return `${Math.floor(hours / 24)}d ${hours % 24}h`;
+    if (hours > 0) return `${hours}h ${minutes}m`;
+    return `${minutes}m`;
+}
+
+/**
+ * Generate the download HTML page
+ */
+function generateDownloadPage(share, fileRecord) {
+    const timeLeft = formatTimeLeft(share.expires_at);
+    const downloadsLeft = share.max_downloads - share.download_count;
+    const fileSize = fileRecord.original_size;
+    const sizeStr = fileSize > 1048576
+        ? `${(fileSize / 1048576).toFixed(1)} MB`
+        : fileSize > 1024
+            ? `${(fileSize / 1024).toFixed(1)} KB`
+            : `${fileSize} B`;
+
+    return `<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>TAS — Secure File Download</title>
+    <style>
+        * { margin: 0; padding: 0; box-sizing: border-box; }
+        body {
+            font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;
+            background: #0a0a0a;
+            color: #e0e0e0;
+            min-height: 100vh;
+            display: flex;
+            align-items: center;
+            justify-content: center;
+        }
+        .card {
+            background: #1a1a2e;
+            border: 1px solid #2a2a4a;
+            border-radius: 16px;
+            padding: 40px;
+            max-width: 420px;
+            width: 90%;
+            text-align: center;
+            box-shadow: 0 20px 60px rgba(0,0,0,0.5);
+        }
+        .icon { font-size: 48px; margin-bottom: 16px; }
+        h1 { font-size: 20px; margin-bottom: 8px; color: #fff; }
+        .filename {
+            font-family: 'SF Mono', Monaco, monospace;
+            background: #0f0f23;
+            padding: 8px 16px;
+            border-radius: 8px;
+            margin: 16px 0;
+            font-size: 14px;
+            color: #7c83ff;
+            word-break: break-all;
+        }
+        .meta {
+            display: flex;
+            justify-content: center;
+            gap: 24px;
+            margin: 16px 0;
+            font-size: 13px;
+            color: #888;
+        }
+        .meta span { display: flex; align-items: center; gap: 4px; }
+        .btn {
+            display: inline-block;
+            background: linear-gradient(135deg, #667eea, #764ba2);
+            color: #fff;
+            text-decoration: none;
+            padding: 14px 40px;
+            border-radius: 10px;
+            font-size: 16px;
+            font-weight: 600;
+            margin-top: 20px;
+            transition: transform 0.2s, box-shadow 0.2s;
+        }
+        .btn:hover {
+            transform: translateY(-2px);
+            box-shadow: 0 8px 24px rgba(102, 126, 234, 0.3);
+        }
+        .footer {
+            margin-top: 24px;
+            font-size: 11px;
+            color: #555;
+        }
+        .footer a { color: #667eea; text-decoration: none; }
+    </style>
+</head>
+<body>
+    <div class="card">
+        <div class="icon">🔐</div>
+        <h1>Secure File Share</h1>
+        <div class="filename">${fileRecord.filename}</div>
+        <div class="meta">
+            <span>📦 ${sizeStr}</span>
+            <span>⏳ ${timeLeft}</span>
+            <span>⬇️ ${downloadsLeft} left</span>
+        </div>
+        <a href="/d/${share.token}?download=1" class="btn">⬇ Download</a>
+        <div class="footer">
+            Encrypted with AES-256-GCM · Powered by <a href="https://github.com/ixchio/tas">TAS</a>
+        </div>
+    </div>
+</body>
+</html>`;
+}
+
+/**
+ * Generate expired/invalid page
+ */
+function generateExpiredPage(reason = 'expired') {
+    const messages = {
+        expired: { icon: '⏰', title: 'Link Expired', desc: 'This download link has expired.' },
+        used: { icon: '✅', title: 'Already Downloaded', desc: 'This file has reached its download limit.' },
+        invalid: { icon: '❌', title: 'Invalid Link', desc: 'This download link is invalid or has been revoked.' }
+    };
+    const msg = messages[reason] || messages.invalid;
+
+    return `<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>TAS — ${msg.title}</title>
+    <style>
+        * { margin: 0; padding: 0; box-sizing: border-box; }
+        body {
+            font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;
+            background: #0a0a0a;
+            color: #e0e0e0;
+            min-height: 100vh;
+            display: flex;
+            align-items: center;
+            justify-content: center;
+        }
+        .card {
+            background: #1a1a2e;
+            border: 1px solid #2a2a4a;
+            border-radius: 16px;
+            padding: 40px;
+            max-width: 420px;
+            width: 90%;
+            text-align: center;
+        }
+        .icon { font-size: 48px; margin-bottom: 16px; }
+        h1 { font-size: 20px; margin-bottom: 8px; color: #fff; }
+        p { color: #888; font-size: 14px; }
+    </style>
+</head>
+<body>
+    <div class="card">
+        <div class="icon">${msg.icon}</div>
+        <h1>${msg.title}</h1>
+        <p>${msg.desc}</p>
+    </div>
+</body>
+</html>`;
+}
+
+export class ShareServer {
+    constructor(options) {
+        this.dataDir = options.dataDir;
+        this.password = options.password;
+        this.config = options.config;
+        this.port = options.port || 3000;
+        this.host = options.host || '0.0.0.0';
+
+        this.db = null;
+        this.client = null;
+        this.encryptor = null;
+        this.compressor = null;
+        this.server = null;
+    }
+
+    async initialize() {
+        this.db = new FileIndex(path.join(this.dataDir, 'index.db'));
+        this.db.init();
+
+        this.client = new TelegramClient(this.dataDir);
+        await this.client.initialize(this.config.botToken);
+        this.client.setChatId(this.config.chatId);
+
+        this.encryptor = new Encryptor(this.password);
+        this.compressor = new Compressor();
+    }
+
+    /**
+     * Download and decrypt a file from Telegram
+     */
+    async downloadAndDecrypt(fileRecord) {
+        const chunks = this.db.getChunks(fileRecord.id);
+        if (chunks.length === 0) throw new Error('No chunks found');
+
+        const downloadedChunks = [];
+
+        for (const chunk of chunks) {
+            const data = await this.client.downloadFile(chunk.file_telegram_id);
+            const header = parseHeader(data);
+            const payload = data.subarray(HEADER_SIZE);
+
+            downloadedChunks.push({
+                index: header.chunkIndex,
+                data: payload,
+                compressed: header.compressed
+            });
+        }
+
+        downloadedChunks.sort((a, b) => a.index - b.index);
+        const encryptedData = Buffer.concat(downloadedChunks.map(c => c.data));
+
+        const compressedData = this.encryptor.decrypt(encryptedData);
+
+        const wasCompressed = downloadedChunks[0].compressed;
+        return await this.compressor.decompress(compressedData, wasCompressed);
+    }
+
+    /**
+     * Handle incoming HTTP requests
+     */
+    async handleRequest(req, res) {
+        const url = new URL(req.url, `http://${req.headers.host}`);
+
+        // Route: GET /d/:token
+        const downloadMatch = url.pathname.match(/^\/d\/([a-f0-9]+)$/);
+
+        if (!downloadMatch) {
+            res.writeHead(404, { 'Content-Type': 'text/html' });
+            res.end(generateExpiredPage('invalid'));
+            return;
+        }
+
+        const token = downloadMatch[1];
+        const wantDownload = url.searchParams.get('download') === '1';
+
+        try {
+            // Clean expired shares first
+            this.db.cleanExpiredShares();
+
+            // Look up share
+            const share = this.db.getShare(token);
+
+            if (!share) {
+                res.writeHead(410, { 'Content-Type': 'text/html' });
+                res.end(generateExpiredPage('invalid'));
+                return;
+            }
+
+            // Check expiry
+            if (new Date(share.expires_at) < new Date()) {
+                res.writeHead(410, { 'Content-Type': 'text/html' });
+                res.end(generateExpiredPage('expired'));
+                return;
+            }
+
+            // Check download limit
+            if (share.download_count >= share.max_downloads) {
+                res.writeHead(410, { 'Content-Type': 'text/html' });
+                res.end(generateExpiredPage('used'));
+                return;
+            }
+
+            // Get file record
+            const fileRecord = this.db.db.prepare('SELECT * FROM files WHERE id = ?').get(share.file_id);
+            if (!fileRecord) {
+                res.writeHead(404, { 'Content-Type': 'text/html' });
+                res.end(generateExpiredPage('invalid'));
+                return;
+            }
+
+            if (!wantDownload) {
+                // Show download page
+                res.writeHead(200, { 'Content-Type': 'text/html' });
+                res.end(generateDownloadPage(share, fileRecord));
+                return;
+            }
+
+            // Download the file from Telegram, decrypt, and serve
+            const data = await this.downloadAndDecrypt(fileRecord);
+
+            // Increment download count
+            this.db.incrementShareDownload(token);
+
+            // Determine content type
+            const ext = path.extname(fileRecord.filename).toLowerCase();
+            const contentTypes = {
+                '.pdf': 'application/pdf',
+                '.png': 'image/png',
+                '.jpg': 'image/jpeg',
+                '.jpeg': 'image/jpeg',
+                '.gif': 'image/gif',
+                '.txt': 'text/plain',
+                '.json': 'application/json',
+                '.zip': 'application/zip',
+                '.mp4': 'video/mp4',
+                '.mp3': 'audio/mpeg'
+            };
+            const contentType = contentTypes[ext] || 'application/octet-stream';
+
+            res.writeHead(200, {
+                'Content-Type': contentType,
+                'Content-Disposition': `attachment; filename="${fileRecord.filename}"`,
+                'Content-Length': data.length
+            });
+            res.end(data);
+
+        } catch (err) {
+            console.error('Share server error:', err.message);
+            res.writeHead(500, { 'Content-Type': 'text/plain' });
+            res.end('Internal server error');
+        }
+    }
+
+    /**
+     * Start the HTTP server
+     */
+    start() {
+        return new Promise((resolve, reject) => {
+            this.server = http.createServer((req, res) => {
+                this.handleRequest(req, res).catch(err => {
+                    console.error('Request error:', err);
+                    res.writeHead(500);
+                    res.end('Internal error');
+                });
+            });
+
+            this.server.on('error', (err) => {
+                if (err.code === 'EADDRINUSE') {
+                    reject(new Error(`Port ${this.port} is already in use. Try --port <other-port>`));
+                } else {
+                    reject(err);
+                }
+            });
+
+            this.server.listen(this.port, this.host, () => {
+                resolve();
+            });
+        });
+    }
+
+    /**
+     * Stop the HTTP server
+     */
+    stop() {
+        return new Promise((resolve) => {
+            if (this.server) {
+                this.server.close(() => {
+                    if (this.db) this.db.close();
+                    resolve();
+                });
+            } else {
+                if (this.db) this.db.close();
+                resolve();
+            }
+        });
+    }
+}

package/src/utils/cli-helpers.js

@@ -0,0 +1,145 @@
+/**
+ * CLI Helper utilities
+ * Shared logic for commands
+ */
+
+import inquirer from 'inquirer';
+import chalk from 'chalk';
+import fs from 'fs';
+import path from 'path';
+import { Encryptor } from '../crypto/encryption.js';
+
+/**
+ * Get password from command-line option, environment variable, or interactive prompt
+ * @param {string} passwordOption - Password from --password flag (if provided)
+ * @param {boolean} allowCache - Allow caching via TAS_PASSWORD env var
+ * @returns {Promise<string>}
+ */
+export async function getPassword(passwordOption, allowCache = true) {
+    // Priority: CLI flag > Environment variable > Interactive prompt
+    
+    if (passwordOption) {
+        return passwordOption;
+    }
+
+    if (allowCache && process.env.TAS_PASSWORD) {
+        return process.env.TAS_PASSWORD;
+    }
+
+    const { password } = await inquirer.prompt([
+        {
+            type: 'password',
+            name: 'password',
+            message: 'Enter your encryption password:',
+            mask: '*'
+        }
+    ]);
+
+    return password;
+}
+
+/**
+ * Verify password against config
+ * @param {string} password - Password to verify
+ * @param {Object} config - Config object with passwordHash
+ * @returns {boolean}
+ */
+export function verifyPassword(password, config) {
+    const encryptor = new Encryptor(password);
+    return encryptor.getPasswordHash() === config.passwordHash;
+}
+
+/**
+ * Validate config structure and content
+ * @param {Object} config - Config to validate
+ * @returns {Object} - { valid: boolean, errors: string[] }
+ */
+export function validateConfig(config) {
+    const errors = [];
+
+    if (!config) {
+        errors.push('Config is null or undefined');
+        return { valid: false, errors };
+    }
+
+    if (!config.botToken || typeof config.botToken !== 'string') {
+        errors.push('Missing or invalid botToken');
+    }
+
+    if (!config.botToken?.includes(':')) {
+        errors.push('Invalid bot token format (should contain :)');
+    }
+
+    if (!config.chatId || (typeof config.chatId !== 'number' && typeof config.chatId !== 'string')) {
+        errors.push('Missing or invalid chatId');
+    }
+
+    if (!config.passwordHash || typeof config.passwordHash !== 'string') {
+        errors.push('Missing or invalid passwordHash');
+    }
+
+    return {
+        valid: errors.length === 0,
+        errors
+    };
+}
+
+/**
+ * Load and validate config
+ * @param {string} dataDir - Data directory path
+ * @returns {Object|null} - Config object or null if not found
+ */
+export function loadConfig(dataDir) {
+    const configPath = path.join(dataDir, 'config.json');
+    
+    if (!fs.existsSync(configPath)) {
+        return null;
+    }
+
+    try {
+        const config = JSON.parse(fs.readFileSync(configPath, 'utf-8'));
+        const validation = validateConfig(config);
+
+        if (!validation.valid) {
+            throw new Error(`Invalid config: ${validation.errors.join(', ')}`);
+        }
+
+        return config;
+    } catch (err) {
+        throw new Error(`Config error: ${err.message}`);
+    }
+}
+
+/**
+ * Ensure TAS is initialized
+ * @param {string} dataDir - Data directory path
+ * @returns {Object} - Config object
+ */
+export function requireConfig(dataDir) {
+    const config = loadConfig(dataDir);
+    
+    if (!config) {
+        console.log(chalk.red('✗ TAS not initialized. Run `tas init` first.'));
+        process.exit(1);
+    }
+
+    return config;
+}
+
+/**
+ * Get and verify password with proper error handling
+ * @param {string} passwordOption - Password from CLI flag
+ * @param {string} dataDir - Data directory path
+ * @returns {Promise<string>} - Verified password
+ */
+export async function getAndVerifyPassword(passwordOption, dataDir) {
+    const config = requireConfig(dataDir);
+    const password = await getPassword(passwordOption);
+
+    if (!verifyPassword(password, config)) {
+        console.log(chalk.red('✗ Incorrect password'));
+        process.exit(1);
+    }
+
+    return password;
+}