Status: Not implemented yet (current app uses SUBST mapping to a local folder; that cannot report custom capacity/free space in Explorer).
This document defines the hard requirements and a realistic implementation path for a true FileShot drive that appears in the OS file explorer as a mounted volume with a tier-based quota.
- Windows: shows under “This PC” as a drive letter (e.g.
F:). - macOS: shows in Finder as a mounted volume.
- Linux: shows as a mounted filesystem (e.g. under
/mnt/fileshotor user-chosen).
- Explorer/Finder must show:
- Total size = tier quota (e.g. Free = 50 GB)
- Free space = quota remaining (quota - usage)
- This must not mirror the host disk (no “it looks like C:” / “it’s just a folder”).
- Creating/copying a file into the drive uploads it to FileShot.
- Browsing the drive shows the user’s remote FileShot files/folders.
- Opening/reading a file downloads and decrypts it locally.
- Deleting a file deletes it remotely (with safety settings/confirmation behavior defined below).
- Users must be able to set an optional password per upload (or per folder default) from the drive workflow.
- This must remain compatible with FileShot’s zero-knowledge encryption model.
To report custom volume size/free space, we need a real filesystem mount:
- Windows: WinFsp (chosen) or Dokan-style user-mode filesystem
- macOS: macFUSE (or native FS APIs)
- Linux: FUSE
Electron alone cannot do this; it needs a companion native component.
We will implement the Windows “true drive” using WinFsp.
Why:
- It’s a mature, widely-used user-mode filesystem stack.
- It supports filesystem statistics reporting (total/free bytes), which we must control to match tier quota.
- It supports a FUSE-compatibility path, which helps keep the long-term cross-platform story coherent.
Non-goal (explicit): SUBST can never meet the “Explorer shows tier quota capacity” requirement, because it inherits capacity from the underlying disk.
FileShot’s ZKE model means:
- The server must never learn the plaintext
- Client must encrypt before upload
- Client must decrypt after download
The current desktop app already has ZKE streaming container support in utils/zke-stream.js.
File managers don’t provide a standard UI to prompt for extra metadata when copying. So we need a deterministic UX mechanism (see §5).
A) Electron app (UI + auth + settings)
- Login, store auth token
- Shows status (mounted/unmounted, quota used/remaining)
- Starts/stops the mount service
- Handles configuration (drive letter, mount point, sync rules)
B) fileshot-drive mount service (native executable)
- Implements filesystem callbacks (list/read/write/delete/etc)
- Reports filesystem statistics (total bytes, free bytes)
- Streams encryption/decryption
- Talks to FileShot API using the user token
Electron communicates with the service over a local IPC channel:
- Windows named pipe / localhost loopback HTTP
- macOS/Linux: Unix domain socket / localhost
- Node/Electron cannot reliably implement a filesystem driver
- A dedicated service can be:
- restarted independently
- kept minimal for security
- packaged per OS
Default layout:
/(root)My Files/(remote user root)Shared With Me/(optional, later).fileshot/(special config folder; see §5)
We can start simpler: / == user’s file root.
When a file is copied into the mounted drive:
- The mount service receives write operations
- It buffers to a local temp file
- On close/flush, it:
- encrypts to FSZK (streaming)
- performs pre-upload
- uploads chunks
- finalizes
- exposes a stable remote entry in the drive
When a file is opened:
- Service downloads encrypted blob
- Decrypts on the fly or to temp
- Serves plaintext bytes to the filesystem reader
Options (must be decided):
- Immediate remote delete
- Or move-to-trash semantics (special folder)
- Minimal v1: small read cache + write staging only
- Later: full offline pinning
We need a mechanism that does not require interactive prompts.
- In any folder, user can create/edit:
.fileshot/settings.json
- Example keys:
defaultPassphrase(or password hint; careful)requirePassphrase: true/falsedefaultExpirationHoursdefaultMaxDownloads
Security note: storing passphrases in plaintext on disk is risky. Better: store an identifier that tells Electron to fetch the secret from OS keychain.
- For
photo.jpgallowphoto.jpg.fileshot.json - Contains upload settings for that one file
- Use xattrs/ADS where supported
- Not cross-platform reliable; keep as later enhancement
- Implement
fileshot-drive.exeusing WinFsp (user-mode filesystem). - Must support:
- directory listing
- file read
- file create/write/close->upload
- delete
- disk free/total reporting based on tier quota
- Implement
fileshot-drivevia macFUSE
- Implement via FUSE3
- GitHub Actions builds installers for:
- Windows (NSIS)
- macOS (DMG/ZIP)
- Linux (AppImage/DEB/RPM)
- The mount service binaries must be included inside the Electron app bundle and signed/notarized later.
- In Explorer,
FileShot (F:)shows:- Capacity: 50 GB for Free tier
- Free space decreases as usage increases
- Copying a file into
F:uploads it to FileShot and the file appears in the user’s account - Opening a file in
F:downloads/decrypts and opens correctly - No “C drive mirror” behavior
- Same semantics, appropriate mount points
- There is an existing “FileShot Drive” feature implemented with
SUBSTmapping toapp.getPath('userData')/vault/drive-inbox. - This is useful as a drop-folder workflow, but it cannot meet the quota/capacity requirement.
Next step is implementing the native mount service and switching the UI to prefer the true mount.