Go Green Transit — User Guide¶

Desktop FTP / SFTP / WebDAV / SMB / S3 / Azure Storage / GCS / Dropbox / Drive / OneDrive / Box client, with a local bridge on 127.0.0.1:7878 for other Go Green tools to consume.

This guide covers only how to use the app. For API details see API.md; for the architecture see IMPLEMENTATION.md.

Data at rest¶

Your saved sites are stored at <data_dir>/sites.json, encrypted with AES-256-GCM. The encryption key lives in your OS keychain (Windows Credential Manager, macOS Keychain, GNOME Keyring) under the service name ai.opensentinel.ftproxy. On platforms without a working keychain, the key falls back to an owner-only file at <data_dir>/.encryption_key.

A stolen laptop, an AppData roaming-profile leak, or a Time Machine snapshot leaks ciphertext only — your hostnames, usernames, folder paths, and notes are unreadable without the keychain unlock.
Passwords were already protected in the OS keychain (one entry per saved site, never on disk in any form).
If you wipe the keychain entry, FTProxy can't decrypt the file on next launch — it backs up the unreadable sites.json to sites.json.corrupt.<timestamp> so you can recover later by restoring the keychain entry, then starts fresh.
Existing pre-encryption plaintext files are detected on first launch, loaded normally, and rewritten in the encrypted format on the next save. No user action required.

Accessibility¶

Built to WCAG 2.1 AA:

Keyboard navigation — every interactive control is reachable via Tab. Focus rings appear when you reach a control via keyboard and disappear when you click with a mouse.
Skip link — Tab once from the address bar to jump straight to the workspace, bypassing the brand strip and protocol palette.
Screen readers — the wire console announces statusLog() output as it appends. Protocol-swatch buttons announce "Set protocol accent to SFTP" (etc.) rather than the bare slug. iCloud on Linux announces as "disabled, iCloud Drive not available on Linux."
Reduced motion — if you've enabled "Reduce motion" in your OS accessibility settings, FTProxy collapses every transition and accent-color animation to ~1ms.

0. First launch¶

The very first time you open Go Green Transit, a welcome modal blocks the UI with three controls before any data is recorded:

Check for updates automatically (default ON) — controls whether the app fetches gogreentransit.com/downloads/latest.json on launch. No personal data is sent; uncheck if you want a fully offline-disconnected install.
Send anonymous crash reports (default OFF) — opt-in only. When on, Rust panic stack traces are uploaded to a configured endpoint. No file contents, hostnames, usernames, or credentials are included.
Acknowledgment of the Privacy Policy and Terms of Service (links in the modal). Clicking "Accept and continue" records your choices. Clicking "Quit" exits without writing anything to disk.

You can change either toggle later under Edit → Settings.

A second modal explains the default SFTP host-key behavior (TOFU, matching FileZilla/WinSCP/PuTTY). One-time; dismiss it and it never shows again.

If you double-click the app icon twice in quick succession, the second launch focuses the existing window instead of starting a parallel copy — no risk of two FTProxy windows fighting over the same saved-sites file.

1. Window layout¶

Top to bottom:

Native OS menubar — File, Edit, View, Transfer, Server, Bookmarks, Help. Rendered by Windows, always at the top of the window.
Brand row — Go Green Paperless Initiative logo · GoGreen Transit · one-liner · bridge status chip on the right.
Session tabs strip — each connected protocol has its own tab with a coloured chip, the host label, and a close × . + opens a new empty session slot.
Protocol accent palette — fourteen swatches (SFTP, FTP, FTPS, WebDAV, SMB / CIFS, NFS, Amazon S3, Backblaze B2, Azure Storage, Google Cloud, Dropbox, Google Drive, OneDrive, Box). One swatch per family: the cloud OAuth variant and the local-sync variant share the same swatch (the same way Azure Blob and Azure Files share the "Azure Storage" swatch). Click any to preview how the UI retints for that protocol, including the workspace layout (see §5). The behaviour while connected vs. disconnected:
Disconnected (or fresh + tab): every swatch is full-color and clickable. Clicking flips the protocol-mark badge color, the "Ready · X" title, and the "Preview — kicker" subtitle to the picked protocol. The session-tab label's protocol slug updates too (e.g., session #c2288e · sftp → · webdav).
Connected (active tab has a live session): only the active protocol's swatch is interactive. The other thirteen dim out (opacity 0.30, grayscale, not-allowed cursor) with a tooltip explaining: "Connected to X — disconnect or open a new tab to switch to Y." Open a + tab and the swatches re-enable on that fresh-no-session tab.
Family swatch resolution: when you connect to a *-local site (e.g. dropbox-local, box-local) the family swatch (dropbox, box) lights up. Same for azure-files → azure. You pick cloud-vs-local at the site level (in Sites… or Quick Connect), not at the swatch level.
Shell — the main console card:
Shell-head: protocol badge · live/disconnected meta
Action bar: Connect… / Sites… / Disconnect / Upload / Download / New folder / Rename / Delete / Verify hash / Compare dirs / Refresh, plus a channel/type/TLS mode-rail
Workspace: Local pane · Transit lane · Remote pane (or just Remote pane for object-store protocols)
Queue pill strip: active + queued + done + failed transfers
Wire protocol console: live tx/rx/sys log
Status bar: connection · bridge · sessions · concurrency · throughput · p50/p95 latency · activity lights
Design-note footnote at the very bottom.

2. Connecting to a server¶

Three entry points, all equivalent:

Path	When to use
Action bar → Connect… (SFTP / FTP / FTPS / WebDAV / SMB)	Opens Quick Connect modal
Action bar → Connect… (S3 / Azure / GCS / Dropbox / Drive / OneDrive)	If a saved site exists for that family, connects to it directly. If 2+ saved sites exist, a chooser modal appears. If none, the button is hidden — use Sites… to set one up.
File menu → Quick connect… (Ctrl+Q)	Always opens the modal (power-user free-form path)
Action bar → Sites… (or File → Site Manager… (Ctrl+S))	Manage saved sites — search/filter, hover/select rows, double-click to connect

Quick Connect¶

Opens with the protocol already selected based on whichever protocol is currently active:

If you're already on an SFTP tab, the modal pre-selects SFTP
If you clicked the "Amazon S3" palette swatch, the modal pre-selects Amazon S3 and defaults port 443

Fill in host / username / password / port (port defaults per protocol: 22 for SFTP, 21 for FTP, 443 for everything else) and hit Connect.

On success:

A session tab appears in the tabs strip
The UI retints to the protocol's accent colour
The remote pane lists the default directory
The connection auto-saves to Sites with name <user>@<host> — on next launch it appears in the Sites list with password stored in the OS keychain. No plaintext on disk.

FTP family — Encryption + Logon Type fields¶

For protocol = FTP or FTPS or SFTP the Site Form shows two top-level dropdowns (FileZilla parity), positioned right after the Port field:

Encryption (FTP and FTPS only — SFTP shows an "always-encrypted" info row instead):

Mode	Behaviour
Use explicit FTP over TLS if available (FTP default)	Try AUTH TLS; fall back to plain if the server refuses
Require explicit FTP over TLS (FTPS default)	Fail if AUTH TLS handshake doesn't succeed
Require implicit FTP over TLS (port 990)	TLS handshake before any FTP command; default port 990
Only use plain FTP (insecure)	Refuse TLS even if offered. Tooltip warns.

Logon Type (FTP / FTPS):

Normal — username + password
Anonymous — auto-fills anonymous / anonymous@example.com
Ask for password — clears the stored password; a prompt fires at connect time

Logon Type (SFTP):

Normal — username + password
Ask for password
Key file — exposes a file picker (or paste the path) for an OpenSSH private key, plus an optional passphrase. Backed by russh-keys authenticate_publickey.

Quick Connect doesn't show the Encryption dropdown — the bridge defaults to auto mode for FTP, so connect-time auto-detection handles it. Use Site Manager → New site for the full controls.

Cloud protocols (S3 / Azure / GCS / Dropbox / Google Drive / OneDrive)¶

Every cloud protocol's section in the Site Form has an ⓘ info icon next to its title. Click it for a full step-by-step setup walkthrough specific to that provider, with a "Copy to clipboard" button so you can keep the steps next to your dev console while filling out the form. The notes below summarize what each form needs.

Local sync mode — the easiest path (Dropbox / OneDrive / Google Drive / Box)¶

If you have the desktop client of Dropbox / OneDrive / Google Drive / Box installed, FTProxy auto-detects the local sync folder when you open the Site Form for that provider. The form defaults to Use local sync mode with the path pre-filled — zero OAuth, zero dev-console registration, zero token rotation. Reads and writes are instant (filesystem speed); the desktop client uploads to the cloud asynchronously.

Even easier — first-launch auto-seed: on a fresh install, the bridge boots, scans for installed desktop-sync clients, and creates matching dropbox-local / onedrive-local / gdrive-local / box-local / icloud-local saved sites for everything it finds. You'll see them in the Site Manager the first time you open it, each tagged with an "Auto-created on first launch" note. Deletes stick — if you remove one, it won't reappear on the next boot.

Detection methods: - Dropbox — reads %LOCALAPPDATA%\Dropbox\info.json (Win) or ~/.dropbox/info.json (Mac/Linux). Survives custom folder locations (e.g. D:\Dropbox). - OneDrive — reads Windows registry HKCU\Software\Microsoft\OneDrive\Accounts\*\UserFolder (covers Personal + Business accounts with their actual paths). Falls back to ~/OneDrive and ~/OneDrive - <Org> siblings on other platforms. - Google Drive — scans drive letters (Windows) for <drive>:\My Drive. Works whether the user picked Streaming mode (default G:\) or Mirror mode. - Box — scans %USERPROFILE%\Box (Win) and macOS CloudStorage (~/Library/CloudStorage/Box-…). Recognises legacy Box (Sync legacy) folders too. - iCloud Drive — scans ~/Library/Mobile Documents/com~apple~CloudDocs (macOS only).

Switching to OAuth mode: if the desktop client doesn't have what you need (selective sync excludes a folder, you want files-on-demand without local cache, you need team-shared spaces) — the Site Form's mode toggle has a second radio "Connect via API (OAuth)" that uses the provider's REST API with an OAuth refresh-token flow.

OAuth (per-user) mode¶

Protocol	Required extras	Auth model	Status
Amazon S3	Bucket. Optional: region, endpoint, path-style (for MinIO / R2 / DO Spaces / Wasabi). Username = access key id; password = secret key.	Static keys	Working
Azure Storage (Blob)	Container. Optional: endpoint suffix; `auth_method` (`account_key` (default) / `sas` / `entra` (Day 2 — see `docs/azure-entra-plan.md`)). Username = storage account; password = account key (or `sas_token` extra when `auth_method=sas`).	Static keys, SAS tokens; Entra ID coming	Working
Azure Storage (Files)	Storage account name + access key + share name. The bridge constructs `\\<account>.file.core.windows.net\<share>` and dispatches to SMB transport (mounts via OS-native SMB client).	Storage account key	Working
Google Cloud	Bucket. Service-account JSON pasted into the "Service-account JSON" field (not a path — actual contents). Host / username / password are ignored.	Service account	Working
Dropbox	Register a Scoped App at https://www.dropbox.com/developers/apps with files.metadata + files.content + account_info.read scopes. Add `http://localhost:53682/oauth/callback` to Redirect URIs. Paste App key + App secret into Site Form, click "Sign in with Dropbox".	OAuth 2.0 + refresh-token (long-term, auto-rotates)	Working
Google Drive	Cloud Console Desktop OAuth client + Drive API enabled. Paste client id, click "Sign in with Google".	OAuth 2.0 + PKCE + refresh-token	Working
OneDrive	Azure AD app registration with Files.ReadWrite delegated permission. Paste Application (client) ID, click "Sign in with Microsoft".	OAuth 2.0 + PKCE + refresh-token	Working — small files via PUT, large files via Graph's createUploadSession + chunked PUTs
Box	No FTProxy-side API client today; only `box-local` (desktop sync via Box Drive). Site form auto-detects `%USERPROFILE%\Box` if Box Drive is installed.	OS-mediated (Box Drive handles auth)	Local sync only — Box-OAuth direct API is a future addition

Signing in to Google Drive / OneDrive (one-time setup)¶

Both providers require you to register your own OAuth client. There's no shared client ID FTProxy can ship — Google and Microsoft TOS forbid it. Once registered, the Site Form's "Sign in" button drives the rest.

Google Drive: 1. Go to https://console.cloud.google.com/apis/credentials 2. Create / pick a project, enable the Google Drive API 3. Create credentials → OAuth client ID → application type Desktop app 4. Copy the client id (looks like …apps.googleusercontent.com) 5. In FTProxy: File → Site Manager → New site → protocol Google Drive → paste the client id → click Sign in with Google → complete the browser flow. Token is stored in your OS keychain.

OneDrive: 1. Go to https://portal.azure.com → Azure Active Directory → App registrations → New registration 2. Pick "Mobile and desktop applications", add http://127.0.0.1 as a redirect URI (any port — FTProxy binds a dynamic loopback) 3. API permissions → Microsoft Graph → Delegated → Files.ReadWrite and offline_access 4. Copy the Application (client) ID 5. In FTProxy: New site → protocol Microsoft OneDrive → paste the client id → Sign in with Microsoft → complete the browser flow.

WebDAV¶

Set Host to the full base URL of the user's WebDAV root (e.g. https://cloud.example.com/remote.php/dav/files/alice/). Username / password are HTTP Basic.

SMB / CIFS — Windows file shares & NAS¶

Transit speaks SMB by mounting the share through your operating system's native SMB client — no Samba dependency, no virtual-FS driver, no admin elevation on Windows.

Site Form fields - Protocol = SMB / CIFS — Windows file share / NAS - Host — accepts three forms: - \\server\share (full UNC) - smb://server/share (URL form, gets normalized) - bare server plus the Share extras field (separate share name) - Username / Password — NTLM credentials. Leave both blank for anonymous mounts. For Active Directory shops use either DOMAIN\user in Username, or set the Domain extras field and put just the user in Username. - Share (extras) — only needed if Host is just the server name. - Domain (extras) — Windows AD domain prefix. - Drive letter (extras, Windows only) — Z etc. Empty = first free letter from Z down to G is picked automatically. - Pre-mounted path (extras) — if you already mounted the share at, say, Z:\ outside Transit, paste it here and Transit attaches to it without running another net use.

What happens on Connect

Platform	Stack used	Required package
Windows	Windows SMB redirector (`net use`)	ships with the OS
macOS	Apple's own SMB client (`mount_smbfs`)	ships with macOS
Linux	kernel `cifs.ko` (`mount -t cifs`)	`cifs-utils` (`sudo apt install cifs-utils` once on minimal installs)

On Disconnect Transit unmounts (net use … /delete / umount) so the drive letter / mount point is released.

Tip: for a one-off browse without saving credentials, use the 📁 Places button on the Local pane → Map network drive… modal. That's the same code path; the share appears as a regular local drive in your Local pane until you eject it.

The 📁 Places popover groups drives by kind so it's obvious at a glance which letters are local vs. remote-mounted: Local drives (C:, D:, fixed HDD/SSD), Removable drives (USB, CDs), and Network drives (mapped UNC paths — Azure Files, SMB, etc.). Clicking any drive treats it as a local path; for a network drive that means Windows resolves the SMB I/O underneath, same as File Explorer does.

3. Working with files¶

Dual-pane (FTP / SFTP / WebDAV)¶

Left pane = your machine. Right pane = the server.

Single-click a directory to enter it (including .. to go up)
Single-click a file to select it (row turns accent)
Ctrl-click / Shift-click to multi-select (including multi-selecting directories — modifier keys suppress single-click-navigate)
Double-click a file to download (on remote) or upload (on local)
Drag a row from one pane into the other to transfer
Right-click a row for the context menu (see §6)
Click a breadcrumb in the path bar to jump up; double-click the path bar itself to type a full path and hit Enter
Click the column headers (Name / Size / Modified / Perms / Owner / Verify) to sort; click again to reverse

Single-pane (S3 / Azure / GCS)¶

Only the remote object-store is shown. To upload:

↑ Upload selected in the action bar opens an OS file picker
Or drag-drop files from Windows Explorer / your desktop onto the pane
↓ Download fetches a selected object to the OS download folder

Right-click a row for Copy S3 URI / Copy Azure URL / Copy gs:// URI — pastes a canonical URI for the object.

Transit lane (dual-pane only)¶

Between the panes. Upload arrow (↑) and download arrow (↓) act on currently-selected rows — same as the corresponding action-bar buttons.

Queue¶

Pill strip below the workspace. Each in-flight transfer gets a pill showing direction arrow · filename · percent / status. Long filenames truncate with an ellipsis (each pill is capped at 240px); hover the pill to see the full local↔remote path in a tooltip. If many concurrent transfers exceed the strip width, the strip itself scrolls horizontally rather than wrapping to a second row. When the queue finishes, summary on the right reads N items · N active · N done · N failed (green / red tinted).

4. Protocol accent palette¶

The eleven swatches below the session tabs let you preview any protocol's look without actually connecting. Clicking a swatch:

Changes the accent colour everywhere (action bar primary button, remote pane glyphs, breadcrumbs, queue pills, wire console)
Flips the layout between dual-pane (SFTP/FTP/FTPS/WebDAV/SMB) and single-pane (S3/Azure/GCS/Dropbox/Drive/OneDrive)
Records the pick as the intent for the active tab. If you then click +, the new tab inherits this protocol — its chip renders in the right colour from the moment it appears.
When you actually connect, the live session's protocol overrides the preview for that tab.

Solid border (.swatch.active) = swatch matches the protocol currently driving the chrome. Dashed border (.swatch.intent) = swatch is queued for the next new tab while the active tab stays on its live protocol — useful when you're connected via SFTP and want the next + to be an S3 tab.

5. Layout per protocol¶

Protocols	Layout	Why
SFTP, FTP, WebDAV	Dual-pane (local + transit lane + remote)	Filesystem ↔ filesystem workflow
S3, Azure Blob, GCS, Dropbox, Google Drive, OneDrive	Single-pane (remote only)	Object stores / personal cloud — upload is "pick a file", not "sync a tree"

Switching tabs flips the layout live — no reload.

Local pane: - Open (if directory) - ↑ Upload selected - New folder - Rename · Delete - Compare dirs · Refresh

Remote pane (FTP / SFTP / WebDAV): - Open / ↓ Download / Save as… - New folder · Rename · Delete - Verify hash · Compare dirs - Copy remote path - Refresh

Remote pane (S3 / Azure / GCS): - Open / ↓ Download / Save as… - New folder · Rename · Delete - Verify hash - Copy S3 URI / Copy Azure URL / Copy gs:// URI - Refresh

7. Keyboard shortcuts¶

Key	Action
`U`	Upload selected
`D`	Download selected
`R` or `F5`	Refresh both panes
`Ctrl+Q`	Quick Connect (via native menu)
`Ctrl+S`	Site Manager (via native menu)
`Ctrl+R`	Reload the UI
`Ctrl+Shift+R`	Hard Reload — clears WebView2 caches before reloading (use this if v## marker in the wire console looks stale)
`Ctrl+Shift+I`	Toggle DevTools (debug builds)
`Esc`	Close any open dropdown / context menu

8. Menus¶

File¶

Quick connect · Site Manager · Disconnect · Reconnect last · Copy current connection to Site Manager · Import sites from FileZilla XML · Import sites from WinSCP · Import sites from PuTTY · Import sites from CoreFTP · Export sites to JSON · Exit.

Every "Import sites from …" lives under File in 0.7.3+. The WinSCP / PuTTY entries used to live under Bookmarks; if you have muscle memory for that, they moved.

Edit¶

Settings · Clear private data (queue history) · native Undo / Redo / Cut / Copy / Paste / Select All.

View¶

Refresh both panes (F5) · Compare directories · Toggle wire console · Toggle protocol palette · Toggle hidden files (Ctrl+H) hides / shows desktop.ini, Thumbs.db, .DS_Store, dotfiles, and Office lock files (~$*) — applies to every protocol pane (matches Explorer / Box / Dropbox / OneDrive / Google Drive defaults) · Reload (Ctrl+R) · Hard Reload (Ctrl+Shift+R) clears WebView2 cache + sessionStorage before reloading · DevTools (Ctrl+Shift+I).

Transfer¶

Process queue · Retry all failed · Cancel all in-flight · Clear finished.

Server¶

Disconnect · Reconnect last · Run command… (SFTP only) · Benchmark connection… · Jobs… · Job history…

Jobs… opens the unified jobs dashboard. A Job is a named, ordered list of steps the runner walks end-to-end on a schedule. Two views:
📅 Calendar (default) — month grid with a chip per scheduled firing. Today's day cell is outlined in accent. Chip color tells you the type at a glance (green = upload, blue = download, purple = mirror, orange = batch, grey = disabled). Click a chip for run-now / edit / details. Click an empty day to create a new job pre-dated to that day.
☰ List — flat list of every Job with run-now / edit / delete.
+ New schedule opens the schedule builder:
Job name + Steps (folder-sync / file-sync / wait / webhook).
Recurrence: Once · Daily · Weekly · Monthly · Custom-cron.
Time of day (HH:MM picker). Weekly adds day-of-week checkboxes; Monthly adds day-of-month spinner.
Start on date (don't fire before this) and Stop after date (optional — stop firing after this).
Live cron preview shows what's being generated.
Job history… lists every run (scheduled or "Run now") with status icons, timestamps, duration, and a N↑ N↓ N✗ stats line. Failed rows expand to show the error. Refresh + Clear-all + per-row delete.

Step types: - Folder sync — recursive transfer against a saved site (whole directory tree). Use for "back up C:\reports to S3 every night". - File sync — explicit list of files (e.g. report.pdf, data.xlsx). Use for "sync these 2 specific files daily, not the whole folder". Direction limited to upload/download (no mirror). - Wait — pure delay. Useful between steps to let the previous step's writes settle. - Webhook — fire-and-forget HTTP call with optional JSON body. Useful for kicking deploys, posting to Slack/Discord, etc.

The Site Manager's per-site form has a 📅 Schedule a job for this site → button that opens the Job builder pre-filled with one folder-sync step targeting that site.

NFS — Amazon EFS, FSx OpenZFS, NetApp NFS, Storage Gateway NFS¶

NFS is a first-class protocol now. Mount-and-proxy via the OS-native client (same strategy as SMB; Cyberduck / WinSCP / FileZilla all use this approach too).

Platform requirements: - Windows Pro / Enterprise: enable the Services for NFS → Client for NFS feature once via Turn Windows features on or off. Windows Home doesn't ship the NFS client. If the feature isn't enabled, FTProxy surfaces a clear actionable error on connect ("Enable Windows feature 'Services for NFS' → 'Client for NFS' first"). - macOS: mount_nfs ships with the OS — no setup. - Linux: sudo apt install nfs-common (Debian/Ubuntu) or equivalent if not preinstalled.

Connection forms: 1. server:/export (canonical NFS form) 2. nfs://server/export (URL form, gets normalised) 3. bare server + extras.export = /export

Optional extras: - nfs_version: "3" or "4" (default "4") - mount_opts: extra comma-separated opts appended to -o (e.g. "ro,rsize=1048576,wsize=1048576" or "sec=krb5") - drive_letter (Windows only): preferred letter; falls back to the first free Z..G - mount_path: skip the mount step and attach to a path the user has already mounted by hand

Auth: NFS uses host-based AUTH_SYS by default — no username/password needed. For Kerberos NFSv4 (sec=krb5) you'd need a kinit'd ticket; the username/password slots on the saved site are ignored.

Site Manager templates: Amazon EFS (NFSv4), AWS FSx for OpenZFS (NFS), AWS FSx for NetApp ONTAP (NFS side), AWS Storage Gateway (File Gateway, NFS mode), and Generic NFS export (v3 / v4) — each preconfigured with the right host shape and default mount opts.

Quick preview (right-click → 👁 Preview)¶

Right-click any remote file → 👁 Preview. Renders inline: - Text / code files in monospace with word-wrap (handles utf-8, utf-16, latin-1; ext list includes .txt, .md, .json, .yaml, .py, .rs, .ts, .sql, dozens more). - Images (png, jpg, webp, gif, svg, bmp, ico, avif). - PDFs in an iframe (using WebView2's built-in PDF viewer). - Unknown binaries → hex+ASCII dump of the first 4 KB so you can verify magic bytes.

Capped at 5 MB; files larger get a "preview anyway?" prompt that loads the first 5 MB. The Download button in the modal footer fetches the full file if the preview tease wasn't enough.

Right-click any file on a Dropbox / GDrive / OneDrive session → Get share link…. Returns a public URL (anyone-with-link, view-only) auto-copied to your clipboard. The modal shows the URL with a re-copy button so it works even if the Clipboard API was blocked (some WebView2 configurations disallow it without a fresh user gesture). Each provider's API: - Dropbox: sharing/create_shared_link_with_settings; falls back to list_shared_links if a link already exists. - Google Drive: permissions.create (anyone-with-link reader) + files.get?fields=webViewLink. - OneDrive: /createLink with type=view, scope=anonymous.

Other protocols (S3, Azure Blob, GCS, SFTP, etc.) don't expose share-link APIs the same way — the menu item is hidden there.

Per-site bandwidth throttle¶

Site Form now carries a Bandwidth limit (KiB/s) field. Set it to cap that one site at a specific rate; leave at 0 (or empty) to fall through to the global rate from Settings → Transfer rate.

Two concurrent sessions on different sites can have independent caps — the throttle scope is per-session via a tokio::task_local!, not a single global rate. The bridge logs each cap to the wire console on connect: Per-session bandwidth cap active: 256 KiB/s (0.3 MB/s) for this connection.

Custom protocol templates (Wasabi / IDrive e2 / MinIO variants)¶

Drop a JSON file into <data dir>/templates/ and it appears in Site Manager → From template… alongside the built-ins. Each file is a single object:

{
  "category": "Custom",
  "name": "My Wasabi Setup",
  "description": "Free-form text shown in the picker.",
  "site": {
    "name": "New Wasabi site",
    "protocol": "s3",
    "host": "s3.wasabisys.com",
    "port": 443,
    "remotePath": "/",
    "secure": true,
    "extra": { "region": "us-east-1", "endpoint": "https://s3.us-east-1.wasabisys.com", "path_style": "true" }
  }
}

The picker's footer shows the directory path so you can find it quickly. A sample wasabi.json is auto-written on first launch.

Backblaze B2¶

Backblaze B2 is a first-class protocol now (alongside S3, Azure Blob, GCS, Dropbox, etc.). Connect via the Backblaze B2 swatch in the protocol palette or pick the Backblaze B2 (S3-compatible) template in Site Manager → From template….

Under the hood B2 uses Backblaze's S3-compatible API surface — that means every S3 feature works unchanged: multipart upload, multipart-resume, paginated listing, and right-click → Restore from Glacier… if you ever stash B2 objects in a cold-archive class.

Auth: Application Key from the Backblaze B2 console. The keyId is the username; the applicationKey is the password. extras.bucket + extras.region (default us-west-002) are required.

S3 Glacier — restore-from-archive¶

Right-click any object in an S3 (or Backblaze B2) listing → Restore from Glacier…. Prompts for how long the restored copy should stay accessible (1-30 days, default 7).

The bridge pre-checks the object's storage class via HeadObject: - If the object is in GLACIER, DEEP_ARCHIVE, GLACIER_IR, or GLACIER_INSTANT_RETRIEVAL → fires the restore. Glacier Flexible thaws in 1-12 hours; Deep Archive in 12+ hours. - If the object is not archived (STANDARD, STANDARD_IA, INTELLIGENT_TIERING, etc.) → no restore needed; the wire console reports the actual class and you can download directly.

After thaw, the object's storage class flips to STANDARD (temporarily, for the days you specified) and you can download it normally.

Site Manager → From template… (one-click AWS / Azure setup)¶

The From template… button in the Site Manager opens a catalog of pre-canned site shapes for services that don't have their own dedicated transport but ARE reachable today through SMB or one of the existing object-store transports — picking one prefills the protocol, host pattern, port, and extras so creating an AWS FSx Windows site is a 30-second click instead of a docs hunt.

Templated: AWS S3 · AWS FSx for Windows File Server (SMB) · AWS Storage Gateway, File Gateway SMB mode · AWS FSx for NetApp ONTAP (SMB side) · Azure Blob · Azure Files · Generic SMB / SFTP / WebDAV.

Not yet templated (need NFS transport — on roadmap): Amazon EFS, FSx Lustre, FSx OpenZFS, FSx NetApp ONTAP NFS side, Storage Gateway in NFS mode. Workaround today: OS-mount the export via your platform's NFS client and browse via the local pane. Amazon EBS is not a file-transfer target — it's block-level storage attached to EC2; use the EC2 instance's SFTP / SMB endpoint instead.

Sync (action bar → Sync…, dual-pane only)¶

Recursive sync between the local and remote panes — the same engine the scheduler and ftproxy-cli --sync have used for months, now surfaced in the GUI:

Direction: ↑ Upload (local → remote) · ↓ Download (remote → local) · ↔ Mirror (bidirectional; for files present on both sides, the newer one wins).
Overwrite policy: skip · overwrite · overwrite-if-newer (default) · resume · rename.
Max depth: 1–12 levels deep, default 4.
Dry Run: preview the diff via /dir/compare without transferring any bytes. The Compare-dirs action-bar button is the same modal with Dry Run pre-checked.

Sync is hidden on single-pane protocols (S3 / Azure Blob / GCS / Dropbox-OAuth / GDrive-OAuth / OneDrive-OAuth) because tree comparison doesn't model the same way for object stores — use scheduled batch jobs for those.

Bookmarks¶

Add current path · Manage bookmarks. (Sites imports moved to File in 0.7.3.)

A bookmark is a (site, remote path, optional local path, optional note) tuple — the same site can carry many bookmarks pointing at different working directories (FileZilla parity). Jump to (or double-click a row) connects to the bookmark's saved site if you aren't already on it, then cd's the remote pane to the bookmarked path; if the bookmark also has a local path, the local pane jumps there too. Bookmarks without a saved site (free-floating) navigate only the local pane.

Help¶

About FTProxy · Show bridge URL + token · Bridge & Automation (API · MCP · CLI)… — one-stop panel showing the bearer token (masked, with Show + Copy), REST base + WebSocket URL, ready-to-paste MCP config for Claude Desktop / Claude Code, and ftproxy-cli examples. Use this when wiring FTProxy into scripts, AI assistants, or other apps.

9. Settings (Edit → Settings…)¶

Field	Effect
Default local path	Starting directory for new sessions
Concurrent transfers	Semaphore size (max in-flight)
Default transfer rate	Global bandwidth cap in KiB/s applied to every transfer (`0` = unlimited). Per-site `Bandwidth limit` overrides this when non-zero.
Verify after upload	FTP HASH / XMD5 / SHA integrity check
Default FTP transfer type	Binary (default) or ASCII
Play completion sound	Audible chime on transfer complete
Theme	Dark (locked on currently — light disabled)
SFTP host-key verification	TOFU (default — pin on first connect, reject mismatches) or Strict (reject unknown hosts entirely; for HIPAA / PCI / SOC 2).
Check for updates automatically	Background check of `gogreentransit.com/downloads/latest.json` on launch. Default ON.
Send anonymous crash reports	Upload Rust panic stack traces (no PII, no file contents) to the configured endpoint when the app crashes. Default OFF — opt-in only.
Log level	error / warn / info (default) / debug / trace — needs restart

10. The local bridge¶

Every FTProxy window also runs a localhost REST + WebSocket bridge on 127.0.0.1:7878, bearer-token protected, for other local Go Green products (OpenSentinel.ai, etc.) to drive file transfers programmatically.

Token location: OS keychain. Retrieve via Help → Show bridge URL + token or from the /health endpoint.
Public endpoint: GET /health (no auth).
Everything else takes Authorization: Bearer <token>.

See API.md for the full endpoint reference.

11. Troubleshooting¶

UI looks stale / old version after a rebuild. WebView2 caches the embedded frontend. Use View → Reload (Ctrl+R) to force a refresh. Verify the build marker in the Wire console matches the current UI build: … entry.

Connect fails with "Bridge unavailable". The Tauri window couldn't reach its own bridge. Close the window and relaunch. If persistent, netstat -ano | findstr 7878 — something else may be bound.

SFTP "host key mismatch" modal. Server rotated keys (or MITM). Verify the fingerprint out-of-band, paste it in the modal, click Trust new key to update known_hosts.json.

Transfer shows "550 err" (FTP). Server refused. Usually permission denied or path doesn't exist. Check the remote pane's permissions column.

S3 / Azure / GCS lists only the first 1000 objects. Pagination of prefixes past 1000 is a deliberately deferred feature — see tasks/todo.md.

Tabs wrap to a second line. Resize the window wider — the tabs strip scrolls horizontally when narrow but wraps down on very small windows.

12. Where to find things¶

File	What it is
`CHANGELOG.md`	Every release's bullet list
`API.md`	Bridge REST + WebSocket reference
`INTEGRATION.md`	Embedding FTProxy's bridge into other tools
`IMPLEMENTATION.md`	Architecture and design notes
`CLAUDE.md`	AI-assist guidance for contributors
`tasks/todo.md`	Deferred / in-progress items
`tasks/lessons.md`	Non-obvious gotchas from the build
`tasks/ui-restyle-progress.md`	Mock-workspace port history
`CREDENTIALS.md`	How to obtain keys / tokens / OAuth IDs for every supported protocol
`dist/mock-workspace.html`	Visual reference (dual-pane)
`dist/mock-remote-pane.html`	Visual reference (single-pane / S3)