Upload 12 files

.env

@@ -0,0 +1,16 @@
+# Telegram credentials (from https://my.telegram.org)
+API_ID=15022711
+API_HASH=51225833a1b50c15c6c39071ea567e48
+
+# Target channel (must be a supergroup/channel your bots are admin of)
+# Use negative ID for supergroups: e.g. -1001234567890
+CHANNEL_ID=-1003739341703
+
+# MongoDB Atlas connection string
+# Get this from: Atlas → Connect → Drivers → Python
+MONGODB_URI=mongodb+srv://nitinbhujwa:nitinbhujwa@tgstorage.thhklhw.mongodb.net/?appName=tgstorage
+MONGO_DB_NAME=tgstorage
+
+# API authentication key for this server
+ADMIN_API_KEY=
+# BASE_URL=

.gitignore

@@ -0,0 +1,3 @@
+.env
+__pycache__
+.gitignore

Dockerfile

@@ -0,0 +1,37 @@
+# Use an official Python runtime as a parent image
+FROM python:3.11-slim
+
+# Set environment variables
+ENV PYTHONDONTWRITEBYTECODE 1
+ENV PYTHONUNBUFFERED 1
+ENV FLASK_APP=server.py
+ENV FLASK_ENV=production
+
+# Set the working directory in the container
+WORKDIR /app
+
+# Install system dependencies required for some Python packages
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    gcc \
+    python3-dev \
+    && rm -rf /var/lib/apt/lists/*
+
+# Copy requirements first to leverage Docker cache
+COPY requirements.txt .
+
+# Install Python dependencies
+RUN pip install --no-cache-dir -r requirements.txt 
+
+# Create a non-root user and switch to it
+RUN groupadd -r appuser && useradd -r -g appuser appuser
+RUN chown -R appuser:appuser /app
+USER appuser
+
+# Copy the rest of the application
+COPY --chown=appuser:appuser . .
+
+# Expose the port the app runs on
+EXPOSE 8082
+
+# Command to run the application
+CMD ["gunicorn", "--bind", "0.0.0.0:8082", "--workers", "4", "--threads", "2", "server:app"]

README.md

@@ -7,4 +7,426 @@ sdk: docker
 pinned: false
 ---
 
-Check out the configuration reference at https://huggingface.co/docs/hub/spaces-config-reference
+<div align="center">
+
+# 📡 TG Storage
+
+**Infinite file storage powered by Telegram — with a clean REST API, public CDN URLs, and a built-in test UI.**
+
+[![Python](https://img.shields.io/badge/Python-3.10+-blue?logo=python&logoColor=white)](https://python.org)
+[![FastAPI](https://img.shields.io/badge/FastAPI-0.111+-green?logo=fastapi&logoColor=white)](https://fastapi.tiangolo.com)
+[![MongoDB](https://img.shields.io/badge/MongoDB-Atlas-brightgreen?logo=mongodb&logoColor=white)](https://www.mongodb.com/atlas)
+[![License](https://img.shields.io/badge/License-MIT-yellow)](LICENSE)
+[![GitHub](https://img.shields.io/badge/GitHub-NitinBot001%2FTG--Storage-black?logo=github)](https://github.com/NitinBot001/TG-Storage)
+
+</div>
+
+---
+
+## ✨ What is TG Storage?
+
+TG Storage turns any Telegram channel into a **free, unlimited cloud storage backend**. You upload files through a REST API — they get stored in your Telegram channel — and you get back a **permanent, public CDN URL** to share anywhere.
+
+No S3. No GCS. No storage bills.
+
+### Key features
+
+- 🚀 **REST API** — Upload, download, list, and delete files via HTTP
+- 🔗 **Public CDN URLs** — Shareable links with no auth required (`/cdn/your-path`)
+- 🏷️ **Custom paths** — Assign vanity paths like `/cdn/images/logo.png` or `/cdn/avatar.jpg`
+- 🤖 **Multi-bot pool** — Add multiple bot tokens to spread Telegram rate limits
+- 🧠 **MongoDB Atlas** — File metadata stored in the cloud, zero local state
+- 🖥️ **Built-in UI** — Drop-in browser interface to test everything at `/`
+- ⚡ **Pure httpx** — No telegram library dependencies, raw Bot API calls only
+
+---
+
+## 📁 Project Structure
+
+```
+TG-Storage/
+├── main.py            # FastAPI app — all routes & lifespan
+├── db.py              # MongoDB Atlas async layer (Motor)
+├── tg.py              # Telegram Bot API client (pure httpx)
+├── server.py          # Uvicorn entry point
+├── frontend.html      # Built-in browser test UI
+├── requirements.txt   # Python dependencies
+├── vercel.json        # Vercel deployment config
+├── .env.example       # Environment variable template
+└── tokens.txt         # (you create) one bot token per line
+```
+
+---
+
+## 🛠️ Setup & Installation
+
+### 1. Clone the repo
+
+```bash
+git clone https://github.com/NitinBot001/TG-Storage.git
+cd TG-Storage
+```
+
+### 2. Install dependencies
+
+```bash
+pip install -r requirements.txt
+```
+
+### 3. Create your Telegram bot(s)
+
+1. Open [@BotFather](https://t.me/BotFather) on Telegram
+2. Send `/newbot` and follow the prompts
+3. Copy the token (looks like `1234567890:AAExampleTokenHere`)
+4. Repeat for as many bots as you want (more bots = higher upload throughput)
+
+### 4. Set up your Telegram channel
+
+1. Create a **private channel** in Telegram
+2. Add all your bots as **Administrators** with permission to **post messages**
+3. Get the channel ID — forward any message from the channel to [@JsonDumpBot](https://t.me/JsonDumpBot) and look for `"chat": { "id": -1001234567890 }`
+
+### 5. Create `tokens.txt`
+
+```
+# tokens.txt — one bot token per line, lines starting with # are ignored
+1234567890:AAExampleToken1Here
+9876543210:AAExampleToken2Here
+```
+
+### 6. Configure environment
+
+Copy `.env.example` to `.env` and fill in your values:
+
+```bash
+cp .env.example .env
+```
+
+```env
+# Telegram
+CHANNEL_ID=-1001234567890
+
+# MongoDB Atlas (get from: Atlas → Connect → Drivers → Python)
+MONGODB_URI=mongodb+srv://<user>:<password>@cluster0.xxxxx.mongodb.net/?retryWrites=true&w=majority
+MONGO_DB_NAME=tgstorage
+
+# API auth key — clients must send this in X-API-Key header
+ADMIN_API_KEY=your-secret-key-here
+
+# Public base URL — used to build CDN links
+# Local dev:   http://localhost:8082
+# Production:  https://your-vercel-app.vercel.app
+BASE_URL=http://localhost:8082
+```
+
+### 7. Run the server
+
+```bash
+python server.py
+```
+
+Server starts at **http://localhost:8082**
+Open it in your browser to access the built-in test UI.
+
+---
+
+## 🌐 API Reference
+
+All endpoints except `/` and `/cdn/*` require the header:
+```
+X-API-Key: your-secret-key-here
+```
+
+### `POST /upload` — Upload a file
+
+**Form fields:**
+
+| Field | Type | Required | Description |
+|-------|------|----------|-------------|
+| `file` | file | ✅ | The file to upload (any format) |
+| `custom_path` | string | ❌ | Vanity CDN path, e.g. `images/logo.png` |
+
+**Example:**
+```bash
+# Upload with auto-generated ID
+curl -X POST http://localhost:8082/upload \
+  -H "X-API-Key: your-key" \
+  -F "file=@photo.jpg"
+
+# Upload with custom path
+curl -X POST http://localhost:8082/upload \
+  -H "X-API-Key: your-key" \
+  -F "file=@logo.png" \
+  -F "custom_path=brand/logo.png"
+```
+
+**Response:**
+```json
+{
+  "file_id": "550e8400-e29b-41d4-a716-446655440000",
+  "filename": "logo.png",
+  "mime_type": "image/png",
+  "size_bytes": 20480,
+  "custom_path": "brand/logo.png",
+  "public_url": "http://localhost:8082/cdn/brand/logo.png",
+  "cdn_url_by_id": "http://localhost:8082/cdn/550e8400-...",
+  "cdn_url_by_path": "http://localhost:8082/cdn/brand/logo.png",
+  "uploaded_at": "2025-01-01T12:00:00"
+}
+```
+
+---
+
+### `GET /cdn/{path}` — Public CDN URL *(no auth)*
+
+Works with both the UUID file_id and any assigned custom path:
+
+```
+GET /cdn/550e8400-e29b-41d4-a716-446655440000   ← by file_id
+GET /cdn/logo.png                                ← by custom_path
+GET /cdn/images/avatar.jpg                       ← by nested custom_path
+```
+
+Files are served `inline` — images, PDFs, and videos render directly in the browser.
+
+---
+
+### `GET /file/{file_id}` — Download *(auth required)*
+
+Forces a file download (`Content-Disposition: attachment`).
+
+```bash
+curl -H "X-API-Key: your-key" \
+     http://localhost:8082/file/550e8400-... \
+     -o downloaded.jpg
+```
+
+---
+
+### `GET /files` — List all files
+
+```bash
+curl -H "X-API-Key: your-key" \
+     "http://localhost:8082/files?limit=50&offset=0"
+```
+
+**Response:**
+```json
+{
+  "total": 42,
+  "limit": 50,
+  "offset": 0,
+  "files": [
+    {
+      "file_id": "...",
+      "filename": "photo.jpg",
+      "mime_type": "image/jpeg",
+      "size_bytes": 204800,
+      "custom_path": "photos/summer.jpg",
+      "public_url": "http://localhost:8082/cdn/photos/summer.jpg",
+      "uploaded_at": "2025-01-01T12:00:00"
+    }
+  ]
+}
+```
+
+---
+
+### `DELETE /file/{file_id}` — Delete a record
+
+Removes the metadata from MongoDB. The Telegram message remains in the channel.
+
+```bash
+curl -X DELETE -H "X-API-Key: your-key" \
+     http://localhost:8082/file/550e8400-...
+```
+
+---
+
+### `GET /health` — Health check
+
+```bash
+curl http://localhost:8082/health
+```
+
+```json
+{
+  "status": "ok",
+  "timestamp": "2025-01-01T12:00:00",
+  "total_files": 42,
+  "base_url": "http://localhost:8082"
+}
+```
+
+---
+
+## 🚀 Deploy to Vercel
+
+Vercel runs Python serverless functions — perfect for this API.
+
+### Prerequisites
+
+- A [Vercel account](https://vercel.com) (free tier works)
+- The repo pushed to GitHub at `https://github.com/NitinBot001/TG-Storage`
+
+---
+
+### Step 1 — Add `tokens.txt` to the repo *(or use env var)*
+
+> ⚠️ **Do not commit real bot tokens to a public repo.**
+>
+> Instead, encode your tokens as a single environment variable:
+
+On your machine, run:
+```bash
+# Join tokens with a newline, then base64-encode
+python -c "
+import base64
+tokens = '1234567890:TokenOne\n9876543210:TokenTwo'
+print(base64.b64encode(tokens.encode()).decode())
+"
+```
+
+Copy the output — you'll add it as `TOKENS_B64` in Vercel. Then update `tg.py` to decode it (see Step 4).
+
+---
+
+### Step 2 — Import project in Vercel
+
+1. Go to [vercel.com/new](https://vercel.com/new)
+2. Click **"Import Git Repository"**
+3. Select `NitinBot001/TG-Storage`
+4. Framework preset: **Other**
+5. Click **Deploy** (it will fail — that's fine, we need to add env vars first)
+
+---
+
+### Step 3 — Add environment variables
+
+In your Vercel project → **Settings → Environment Variables**, add:
+
+| Name | Value |
+|------|-------|
+| `CHANNEL_ID` | `-1001234567890` |
+| `MONGODB_URI` | `mongodb+srv://...` |
+| `MONGO_DB_NAME` | `tgstorage` |
+| `ADMIN_API_KEY` | `your-secret-key` |
+| `BASE_URL` | `https://your-app.vercel.app` |
+| `TOKENS_B64` | *(base64 string from Step 1)* |
+
+---
+
+### Step 4 — Update `tg.py` to read `TOKENS_B64`
+
+Replace the `_tokens_path()` function in `tg.py` with this loader that checks for the env var first:
+
+```python
+import base64, tempfile, os
+
+def _get_tokens() -> list[str]:
+    """Read tokens from TOKENS_B64 env var (Vercel) or tokens.txt (local)."""
+    b64 = os.getenv("TOKENS_B64", "").strip()
+    if b64:
+        decoded = base64.b64decode(b64).decode("utf-8")
+        return [l.strip() for l in decoded.splitlines() if l.strip() and not l.startswith("#")]
+
+    # Fallback to file
+    for candidate in [Path(__file__).parent / "tokens.txt", Path(os.getcwd()) / "tokens.txt"]:
+        if candidate.exists():
+            return [l.strip() for l in candidate.read_text(encoding="utf-8").splitlines()
+                    if l.strip() and not l.startswith("#")]
+    raise FileNotFoundError("No tokens found. Set TOKENS_B64 env var or create tokens.txt.")
+```
+
+Then in `init_bot_pool()` replace:
+```python
+raw_tokens = [...]  # the old file-reading block
+```
+with:
+```python
+raw_tokens = _get_tokens()
+```
+
+---
+
+### Step 5 — The `vercel.json` is already included
+
+```json
+{
+  "version": 2,
+  "builds": [{ "src": "main.py", "use": "@vercel/python" }],
+  "routes": [{ "src": "/(.*)", "dest": "main.py" }]
+}
+```
+
+---
+
+### Step 6 — Redeploy
+
+Push your changes to GitHub:
+```bash
+git add tg.py
+git commit -m "feat: support TOKENS_B64 for Vercel deployment"
+git push
+```
+
+Vercel auto-deploys on every push. Your API will be live at:
+```
+https://tg-storage-xxxx.vercel.app
+```
+
+Update `BASE_URL` in Vercel env vars to match your actual deployment URL.
+
+---
+
+### ⚠️ Vercel Limitations
+
+| Limitation | Impact |
+|------------|--------|
+| **10s function timeout** (Hobby plan) | Large file uploads may time out. Upgrade to Pro (60s) or use a VPS. |
+| **4.5 MB request body limit** | Files larger than 4.5 MB cannot be uploaded via Vercel's edge. Use a VPS for large files. |
+| **Serverless = stateless** | The bot pool reinitializes on every cold start. `tokens.txt` won't persist — use `TOKENS_B64`. |
+| **No persistent filesystem** | MongoDB Atlas handles all state — this is fine. |
+
+For large files or heavy usage, deploy on a **VPS (Railway, Render, DigitalOcean)** instead — run `python server.py` directly with no changes needed.
+
+---
+
+## 🐳 Self-host with Docker *(optional)*
+
+```dockerfile
+FROM python:3.11-slim
+WORKDIR /app
+COPY . .
+RUN pip install -r requirements.txt
+EXPOSE 8082
+CMD ["python", "server.py"]
+```
+
+```bash
+docker build -t tg-storage .
+docker run -p 8082:8082 --env-file .env -v $(pwd)/tokens.txt:/app/tokens.txt tg-storage
+```
+
+---
+
+## 🔒 Security Notes
+
+- Never expose `ADMIN_API_KEY` publicly — it controls all file operations
+- The `/cdn/*` endpoint is intentionally public — anyone with the URL can access the file
+- Bot tokens in `tokens.txt` should never be committed to a public repo
+- MongoDB URI contains credentials — keep it in `.env` / Vercel environment variables only
+
+---
+
+## 📜 License
+
+MIT — free to use, modify, and deploy.
+
+---
+
+<div align="center">
+Built with ❤️ using FastAPI + Telegram Bot API + MongoDB Atlas
+<br/>
+<a href="https://github.com/NitinBot001/TG-Storage">⭐ Star on GitHub</a>
+</div>

db.py

@@ -0,0 +1,94 @@
+"""
+db.py — Async MongoDB Atlas metadata store using Motor.
+Collection: tgstorage.files
+"""
+
+import os
+from datetime import datetime
+from typing import Optional
+
+from motor.motor_asyncio import AsyncIOMotorClient
+from pymongo import DESCENDING
+
+MONGO_URI = os.getenv("MONGODB_URI", "mongodb://localhost:27017")
+DB_NAME   = os.getenv("MONGO_DB_NAME", "tgstorage")
+
+_client: Optional[AsyncIOMotorClient] = None
+
+
+def _get_collection():
+    global _client
+    if _client is None:
+        _client = AsyncIOMotorClient(MONGO_URI)
+    return _client[DB_NAME]["files"]
+
+
+async def init_db():
+    """Ensure indexes exist."""
+    col = _get_collection()
+    await col.create_index("file_id", unique=True)
+    await col.create_index([("uploaded_at", DESCENDING)])
+    # sparse=True so documents without custom_path don't conflict
+    await col.create_index("custom_path", unique=True, sparse=True)
+
+
+# ──────────────────────────────────────────────────
+#  CRUD
+# ──────────────────────────────────────────────────
+
+async def save_file_record(
+    *,
+    file_id: str,
+    filename: str,
+    mime_type: str,
+    size: int,
+    tg_message_id: int,
+    tg_file_id: str | None,
+    public_url: str,
+    custom_path: str | None = None,
+):
+    col = _get_collection()
+    doc = {
+        "file_id":       file_id,
+        "filename":      filename,
+        "mime_type":     mime_type,
+        "size_bytes":    size,
+        "tg_message_id": tg_message_id,
+        "tg_file_id":    tg_file_id,
+        "public_url":    public_url,
+        "uploaded_at":   datetime.utcnow().isoformat(),
+    }
+    if custom_path:
+        doc["custom_path"] = custom_path
+    await col.insert_one(doc)
+
+
+async def get_file_record(file_id: str) -> dict | None:
+    col = _get_collection()
+    return await col.find_one({"file_id": file_id}, {"_id": 0})
+
+
+async def get_file_by_custom_path(custom_path: str) -> dict | None:
+    col = _get_collection()
+    return await col.find_one({"custom_path": custom_path}, {"_id": 0})
+
+
+async def list_file_records(limit: int = 50, offset: int = 0) -> list[dict]:
+    col = _get_collection()
+    cursor = (
+        col.find({}, {"_id": 0})
+           .sort("uploaded_at", DESCENDING)
+           .skip(offset)
+           .limit(limit)
+    )
+    return await cursor.to_list(length=limit)
+
+
+async def delete_file_record(file_id: str):
+    col = _get_collection()
+    await col.delete_one({"file_id": file_id})
+
+
+async def count_files() -> int:
+    col = _get_collection()
+    return await col.count_documents({})

frontend.html

@@ -0,0 +1,874 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8" />
+<meta name="viewport" content="width=device-width, initial-scale=1.0" />
+<title>TG Storage — File Vault</title>
+<link href="https://fonts.googleapis.com/css2?family=Share+Tech+Mono&family=Syne:wght@400;700;800&display=swap" rel="stylesheet" />
+<style>
+  :root {
+    --bg:       #050810;
+    --surface:  #0b1120;
+    --border:   #1a2a45;
+    --accent:   #00d4ff;
+    --accent2:  #7b2fff;
+    --danger:   #ff3c6e;
+    --success:  #00ffb3;
+    --text:     #c8d8f0;
+    --muted:    #4a6080;
+    --mono:     'Share Tech Mono', monospace;
+    --sans:     'Syne', sans-serif;
+  }
+
+  *, *::before, *::after { box-sizing: border-box; margin: 0; padding: 0; }
+
+  body {
+    background: var(--bg);
+    color: var(--text);
+    font-family: var(--sans);
+    min-height: 100vh;
+    overflow-x: hidden;
+  }
+
+  /* ── Grid bg ── */
+  body::before {
+    content: '';
+    position: fixed;
+    inset: 0;
+    background-image:
+      linear-gradient(rgba(0,212,255,.03) 1px, transparent 1px),
+      linear-gradient(90deg, rgba(0,212,255,.03) 1px, transparent 1px);
+    background-size: 40px 40px;
+    pointer-events: none;
+    z-index: 0;
+  }
+
+  /* ── Glow blobs ── */
+  .blob {
+    position: fixed;
+    border-radius: 50%;
+    filter: blur(120px);
+    pointer-events: none;
+    z-index: 0;
+    opacity: .35;
+  }
+  .blob-1 { width: 500px; height: 500px; top: -150px; left: -100px; background: var(--accent2); }
+  .blob-2 { width: 400px; height: 400px; bottom: -100px; right: -80px; background: var(--accent); }
+
+  /* ── Layout ── */
+  .wrapper { position: relative; z-index: 1; max-width: 1100px; margin: 0 auto; padding: 40px 24px 80px; }
+
+  /* ── Header ── */
+  header { display: flex; align-items: center; gap: 16px; margin-bottom: 48px; }
+  .logo-icon {
+    width: 48px; height: 48px;
+    background: linear-gradient(135deg, var(--accent2), var(--accent));
+    border-radius: 12px;
+    display: grid; place-items: center;
+    font-size: 22px;
+    box-shadow: 0 0 30px rgba(0,212,255,.3);
+    flex-shrink: 0;
+  }
+  header h1 { font-size: 28px; font-weight: 800; letter-spacing: -1px; }
+  header h1 span { color: var(--accent); }
+  header p { font-family: var(--mono); font-size: 12px; color: var(--muted); margin-top: 3px; }
+  .status-dot {
+    width: 8px; height: 8px; border-radius: 50%;
+    background: var(--success);
+    box-shadow: 0 0 8px var(--success);
+    animation: pulse 2s infinite;
+    margin-left: auto; flex-shrink: 0;
+  }
+  @keyframes pulse { 0%,100%{opacity:1} 50%{opacity:.4} }
+
+  /* ── Config bar ── */
+  .config-bar {
+    background: var(--surface);
+    border: 1px solid var(--border);
+    border-radius: 14px;
+    padding: 20px 24px;
+    display: flex; gap: 16px; flex-wrap: wrap;
+    align-items: flex-end;
+    margin-bottom: 36px;
+  }
+  .config-bar label { font-family: var(--mono); font-size: 11px; color: var(--muted); display: block; margin-bottom: 6px; letter-spacing: .08em; }
+  .config-bar input {
+    background: var(--bg);
+    border: 1px solid var(--border);
+    border-radius: 8px;
+    color: var(--text);
+    font-family: var(--mono);
+    font-size: 13px;
+    padding: 10px 14px;
+    outline: none;
+    transition: border-color .2s;
+    width: 100%;
+  }
+  .config-bar input:focus { border-color: var(--accent); }
+  .config-bar .field { flex: 1; min-width: 180px; }
+  .config-bar .field-key { flex: 1.2; min-width: 220px; }
+
+  /* ── Tabs ── */
+  .tabs { display: flex; gap: 4px; margin-bottom: 28px; }
+  .tab {
+    padding: 10px 22px;
+    border-radius: 8px;
+    font-family: var(--mono);
+    font-size: 13px;
+    cursor: pointer;
+    border: 1px solid transparent;
+    color: var(--muted);
+    transition: all .2s;
+    background: none;
+  }
+  .tab:hover { color: var(--text); border-color: var(--border); }
+  .tab.active {
+    background: var(--surface);
+    border-color: var(--accent);
+    color: var(--accent);
+    box-shadow: 0 0 20px rgba(0,212,255,.1);
+  }
+
+  /* ── Panel ── */
+  .panel { display: none; }
+  .panel.active { display: block; }
+
+  /* ── Upload zone ── */
+  .upload-zone {
+    border: 2px dashed var(--border);
+    border-radius: 16px;
+    padding: 60px 40px;
+    text-align: center;
+    cursor: pointer;
+    transition: all .25s;
+    position: relative;
+    overflow: hidden;
+    background: var(--surface);
+  }
+  .upload-zone:hover, .upload-zone.drag { border-color: var(--accent); background: rgba(0,212,255,.04); }
+  .upload-zone .icon { font-size: 48px; margin-bottom: 16px; display: block; }
+  .upload-zone h3 { font-size: 18px; font-weight: 700; margin-bottom: 8px; }
+  .upload-zone p { font-family: var(--mono); font-size: 12px; color: var(--muted); }
+  .upload-zone input[type=file] { position: absolute; inset: 0; opacity: 0; cursor: pointer; }
+
+  /* ── Progress ── */
+  .progress-wrap { margin-top: 24px; display: none; }
+  .progress-wrap.show { display: block; }
+  .progress-bar-bg {
+    background: var(--border);
+    border-radius: 100px;
+    height: 6px;
+    overflow: hidden;
+  }
+  .progress-bar-fill {
+    height: 100%;
+    border-radius: 100px;
+    background: linear-gradient(90deg, var(--accent2), var(--accent));
+    width: 0%;
+    transition: width .3s ease;
+    box-shadow: 0 0 12px var(--accent);
+  }
+  .progress-label { font-family: var(--mono); font-size: 12px; color: var(--muted); margin-top: 10px; }
+
+  /* ── Response box ── */
+  .response-box {
+    background: #020509;
+    border: 1px solid var(--border);
+    border-radius: 12px;
+    padding: 20px;
+    font-family: var(--mono);
+    font-size: 12.5px;
+    line-height: 1.7;
+    color: var(--success);
+    white-space: pre-wrap;
+    word-break: break-all;
+    margin-top: 20px;
+    min-height: 80px;
+    display: none;
+  }
+  .response-box.show { display: block; }
+  .response-box.error { color: var(--danger); }
+
+  /* ── File list ── */
+  .list-controls { display: flex; gap: 12px; align-items: center; margin-bottom: 20px; }
+  .btn {
+    padding: 10px 20px;
+    border-radius: 8px;
+    font-family: var(--mono);
+    font-size: 13px;
+    cursor: pointer;
+    border: 1px solid var(--accent);
+    background: transparent;
+    color: var(--accent);
+    transition: all .2s;
+    display: inline-flex; align-items: center; gap: 8px;
+  }
+  .btn:hover { background: var(--accent); color: var(--bg); box-shadow: 0 0 20px rgba(0,212,255,.3); }
+  .btn.danger { border-color: var(--danger); color: var(--danger); }
+  .btn.danger:hover { background: var(--danger); color: #fff; box-shadow: 0 0 20px rgba(255,60,110,.3); }
+  .btn.success { border-color: var(--success); color: var(--success); }
+  .btn.success:hover { background: var(--success); color: var(--bg); }
+  .btn:disabled { opacity: .4; cursor: not-allowed; }
+
+  .files-grid { display: flex; flex-direction: column; gap: 10px; }
+
+  .file-card {
+    background: var(--surface);
+    border: 1px solid var(--border);
+    border-radius: 12px;
+    padding: 16px 20px;
+    display: flex; align-items: center; gap: 16px;
+    transition: border-color .2s, transform .15s;
+    animation: fadeUp .3s ease both;
+  }
+  .file-card:hover { border-color: var(--accent); transform: translateY(-1px); }
+  @keyframes fadeUp { from{opacity:0;transform:translateY(12px)} to{opacity:1;transform:translateY(0)} }
+
+  .file-icon {
+    width: 42px; height: 42px;
+    border-radius: 10px;
+    display: grid; place-items: center;
+    font-size: 20px;
+    flex-shrink: 0;
+    background: rgba(0,212,255,.08);
+    border: 1px solid rgba(0,212,255,.15);
+  }
+  .file-info { flex: 1; min-width: 0; }
+  .file-name { font-weight: 700; font-size: 14px; white-space: nowrap; overflow: hidden; text-overflow: ellipsis; margin-bottom: 4px; }
+  .file-meta { font-family: var(--mono); font-size: 11px; color: var(--muted); display: flex; gap: 16px; flex-wrap: wrap; }
+  .file-actions { display: flex; gap: 8px; flex-shrink: 0; }
+  .icon-btn {
+    width: 36px; height: 36px;
+    border-radius: 8px;
+    border: 1px solid var(--border);
+    background: transparent;
+    color: var(--muted);
+    cursor: pointer;
+    display: grid; place-items: center;
+    font-size: 16px;
+    transition: all .2s;
+  }
+  .icon-btn:hover.dl { border-color: var(--success); color: var(--success); background: rgba(0,255,179,.08); }
+  .icon-btn:hover.del { border-color: var(--danger); color: var(--danger); background: rgba(255,60,110,.08); }
+
+  /* ── Download panel ── */
+  .get-form { background: var(--surface); border: 1px solid var(--border); border-radius: 14px; padding: 28px; }
+  .get-form label { font-family: var(--mono); font-size: 11px; color: var(--muted); display: block; margin-bottom: 8px; letter-spacing: .08em; }
+  .get-form input {
+    background: var(--bg);
+    border: 1px solid var(--border);
+    border-radius: 8px;
+    color: var(--text);
+    font-family: var(--mono);
+    font-size: 13px;
+    padding: 12px 16px;
+    width: 100%;
+    outline: none;
+    margin-bottom: 16px;
+    transition: border-color .2s;
+  }
+  .get-form input:focus { border-color: var(--accent); }
+
+  /* ── Empty state ── */
+  .empty {
+    text-align: center;
+    padding: 60px 20px;
+    color: var(--muted);
+    font-family: var(--mono);
+    font-size: 13px;
+  }
+  .empty span { font-size: 40px; display: block; margin-bottom: 16px; }
+
+  /* ── Toast ── */
+  #toast {
+    position: fixed;
+    bottom: 32px; right: 32px;
+    background: var(--surface);
+    border: 1px solid var(--accent);
+    border-radius: 10px;
+    padding: 14px 22px;
+    font-family: var(--mono);
+    font-size: 13px;
+    color: var(--accent);
+    box-shadow: 0 8px 40px rgba(0,0,0,.6);
+    transform: translateY(80px);
+    opacity: 0;
+    transition: all .3s ease;
+    z-index: 999;
+    max-width: 340px;
+  }
+  #toast.show { transform: translateY(0); opacity: 1; }
+  #toast.err { border-color: var(--danger); color: var(--danger); }
+
+  /* ── Spinner ── */
+  .spin {
+    width: 16px; height: 16px;
+    border: 2px solid var(--border);
+    border-top-color: var(--accent);
+    border-radius: 50%;
+    animation: spin .6s linear infinite;
+    display: inline-block;
+  }
+  @keyframes spin { to{transform:rotate(360deg)} }
+
+
+  /* ── CDN URL box ── */
+  .cdn-box {
+    display: none;
+    margin-top: 16px;
+    background: rgba(0,255,179,.05);
+    border: 1px solid rgba(0,255,179,.3);
+    border-radius: 12px;
+    padding: 14px 18px;
+    animation: fadeUp .3s ease;
+  }
+  .cdn-box.show { display: block; }
+  .cdn-box label {
+    font-family: var(--mono);
+    font-size: 10px;
+    color: var(--success);
+    letter-spacing: .1em;
+    display: block;
+    margin-bottom: 8px;
+  }
+  .cdn-url-row {
+    display: flex;
+    gap: 8px;
+    align-items: center;
+  }
+  .cdn-url-input {
+    flex: 1;
+    background: var(--bg);
+    border: 1px solid rgba(0,255,179,.2);
+    border-radius: 8px;
+    color: var(--success);
+    font-family: var(--mono);
+    font-size: 12px;
+    padding: 9px 13px;
+    outline: none;
+    min-width: 0;
+  }
+  .cdn-copy-btn {
+    padding: 9px 16px;
+    border-radius: 8px;
+    border: 1px solid var(--success);
+    background: transparent;
+    color: var(--success);
+    font-family: var(--mono);
+    font-size: 12px;
+    cursor: pointer;
+    white-space: nowrap;
+    transition: all .2s;
+    flex-shrink: 0;
+  }
+  .cdn-copy-btn:hover { background: var(--success); color: var(--bg); }
+  .cdn-open-btn {
+    padding: 9px 14px;
+    border-radius: 8px;
+    border: 1px solid rgba(0,255,179,.3);
+    background: transparent;
+    color: var(--muted);
+    font-family: var(--mono);
+    font-size: 12px;
+    cursor: pointer;
+    text-decoration: none;
+    white-space: nowrap;
+    transition: all .2s;
+    flex-shrink: 0;
+  }
+  .cdn-open-btn:hover { border-color: var(--success); color: var(--success); }
+
+
+  /* ── Custom path input ── */
+  .custom-path-wrap {
+    margin-top: 16px;
+    background: var(--surface);
+    border: 1px solid var(--border);
+    border-radius: 12px;
+    padding: 16px 18px;
+  }
+  .custom-path-wrap label {
+    font-family: var(--mono);
+    font-size: 10px;
+    color: var(--muted);
+    letter-spacing: .1em;
+    display: flex;
+    align-items: center;
+    gap: 8px;
+    margin-bottom: 8px;
+  }
+  .custom-path-wrap label span.opt {
+    background: rgba(0,212,255,.1);
+    color: var(--accent);
+    border-radius: 4px;
+    padding: 1px 6px;
+    font-size: 9px;
+  }
+  .path-row {
+    display: flex;
+    align-items: center;
+    gap: 0;
+    background: var(--bg);
+    border: 1px solid var(--border);
+    border-radius: 8px;
+    overflow: hidden;
+    transition: border-color .2s;
+  }
+  .path-row:focus-within { border-color: var(--accent); }
+  .path-prefix {
+    font-family: var(--mono);
+    font-size: 12px;
+    color: var(--muted);
+    padding: 10px 0 10px 13px;
+    white-space: nowrap;
+    flex-shrink: 0;
+    user-select: none;
+  }
+  .path-input {
+    flex: 1;
+    background: transparent;
+    border: none;
+    color: var(--accent);
+    font-family: var(--mono);
+    font-size: 12px;
+    padding: 10px 13px 10px 4px;
+    outline: none;
+    min-width: 0;
+  }
+  .path-input::placeholder { color: var(--muted); }
+  .path-hint {
+    font-family: var(--mono);
+    font-size: 11px;
+    color: var(--muted);
+    margin-top: 7px;
+  }
+  .path-hint span { color: var(--accent); opacity: .7; }
+
+  /* ── Scrollbar ── */
+  ::-webkit-scrollbar { width: 6px; }
+  ::-webkit-scrollbar-track { background: var(--bg); }
+  ::-webkit-scrollbar-thumb { background: var(--border); border-radius: 3px; }
+</style>
+</head>
+<body>
+
+<div class="blob blob-1"></div>
+<div class="blob blob-2"></div>
+
+<div class="wrapper">
+
+  <!-- Header -->
+  <header>
+    <div class="logo-icon">📡</div>
+    <div>
+      <h1>TG <span>Storage</span></h1>
+      <p>telegram-powered file vault // api tester</p>
+    </div>
+    <div class="status-dot" id="statusDot" title="checking..."></div>
+  </header>
+
+  <!-- Config -->
+  <div class="config-bar">
+    <div class="field">
+      <label>API BASE URL</label>
+      <input id="baseUrl" type="text" value="http://localhost:8082" placeholder="http://localhost:8082" />
+    </div>
+    <div class="field-key">
+      <label>X-API-KEY</label>
+      <input id="apiKey" type="password" placeholder="your-admin-api-key" />
+    </div>
+    <button class="btn" onclick="checkHealth()">⚡ ping</button>
+  </div>
+
+  <!-- Tabs -->
+  <div class="tabs">
+    <button class="tab active" data-tab="upload">↑ Upload</button>
+    <button class="tab" data-tab="files">≡ Files</button>
+    <button class="tab" data-tab="download">↓ Download</button>
+  </div>
+
+  <!-- ── Upload Panel ── -->
+  <div class="panel active" id="tab-upload">
+    <div class="upload-zone" id="dropZone">
+      <span class="icon">📂</span>
+      <h3>Drop a file here</h3>
+      <p>or click to browse — any format, any size</p>
+      <input type="file" id="fileInput" onchange="handleFileSelect()" />
+    </div>
+
+    <div class="custom-path-wrap">
+      <label>CUSTOM CDN PATH <span class="opt">optional</span></label>
+      <div class="path-row">
+        <span class="path-prefix" id="pathPrefix">/cdn/</span>
+        <input class="path-input" id="customPath" type="text"
+          placeholder="images/logo.png  or  avatar.jpg  or  docs/readme.pdf"
+          oninput="updatePathPreview()" />
+      </div>
+      <div class="path-hint" id="pathHint">Leave blank to use auto-generated ID &nbsp;·&nbsp; Use <span>/</span> for folders</div>
+    </div>
+
+    <div class="progress-wrap" id="progressWrap">
+      <div class="progress-bar-bg"><div class="progress-bar-fill" id="progressFill"></div></div>
+      <div class="progress-label" id="progressLabel">Uploading…</div>
+    </div>
+
+    <div class="cdn-box" id="cdnBox">
+      <label>🔗 PUBLIC CDN URL — shareable, no auth required</label>
+      <div class="cdn-url-row">
+        <input class="cdn-url-input" id="cdnUrlInput" type="text" readonly />
+        <button class="cdn-copy-btn" onclick="copyCdnUrl()">⎘ Copy</button>
+        <a class="cdn-open-btn" id="cdnOpenLink" href="#" target="_blank" rel="noopener">↗ Open</a>
+      </div>
+    </div>
+    <pre class="response-box" id="uploadResponse"></pre>
+  </div>
+
+  <!-- ── Files Panel ── -->
+  <div class="panel" id="tab-files">
+    <div class="list-controls">
+      <button class="btn" onclick="loadFiles()">↻ Refresh</button>
+      <span id="fileCount" style="font-family:var(--mono);font-size:12px;color:var(--muted)"></span>
+    </div>
+    <div class="files-grid" id="filesGrid">
+      <div class="empty"><span>📭</span>Hit refresh to load files</div>
+    </div>
+  </div>
+
+  <!-- ── Download Panel ── -->
+  <div class="panel" id="tab-download">
+    <div class="get-form">
+      <label>FILE ID</label>
+      <input id="dlFileId" type="text" placeholder="550e8400-e29b-41d4-a716-446655440000" />
+      <button class="btn success" onclick="downloadFile()">↓ Download File</button>
+    </div>
+    <pre class="response-box" id="dlResponse"></pre>
+  </div>
+
+</div><!-- /wrapper -->
+
+<div id="toast"></div>
+
+<script>
+// ──────────────────────────────────────────────
+//  Helpers
+// ──────────────────────────────────────────────
+const $ = id => document.getElementById(id);
+
+function cfg() {
+  return {
+    base: ($('baseUrl').value || 'http://localhost:8082').replace(/\/$/, ''),
+    key: $('apiKey').value,
+  };
+}
+
+function headers(extra = {}) {
+  return { 'X-API-Key': cfg().key, ...extra };
+}
+
+function toast(msg, err = false) {
+  const t = $('toast');
+  t.textContent = msg;
+  t.className = 'show' + (err ? ' err' : '');
+  clearTimeout(t._t);
+  t._t = setTimeout(() => t.className = '', 3200);
+}
+
+function showResponse(elId, data, isError = false) {
+  const el = $(elId);
+  el.textContent = JSON.stringify(data, null, 2);
+  el.className = 'response-box show' + (isError ? ' error' : '');
+}
+
+function fileIcon(mime = '') {
+  if (mime.startsWith('image/')) return '🖼️';
+  if (mime.startsWith('video/')) return '🎬';
+  if (mime.startsWith('audio/')) return '🎵';
+  if (mime.includes('pdf')) return '📄';
+  if (mime.includes('zip') || mime.includes('tar') || mime.includes('gz')) return '🗜️';
+  if (mime.includes('text')) return '📝';
+  return '📦';
+}
+
+function formatBytes(b) {
+  if (b < 1024) return b + ' B';
+  if (b < 1048576) return (b / 1024).toFixed(1) + ' KB';
+  return (b / 1048576).toFixed(1) + ' MB';
+}
+
+// ──────────────────────────────────────────────
+//  Tabs
+// ──────────────────────────────────────────────
+document.querySelectorAll('.tab').forEach(btn => {
+  btn.addEventListener('click', () => {
+    document.querySelectorAll('.tab').forEach(t => t.classList.remove('active'));
+    document.querySelectorAll('.panel').forEach(p => p.classList.remove('active'));
+    btn.classList.add('active');
+    $('tab-' + btn.dataset.tab).classList.add('active');
+    if (btn.dataset.tab === 'files') loadFiles();
+  });
+});
+
+// ──────────────────────────────────────────────
+//  Health check
+// ──────────────────────────────────────────────
+async function checkHealth() {
+  const dot = $('statusDot');
+  dot.style.background = '#ffd700';
+  dot.style.boxShadow = '0 0 8px #ffd700';
+  try {
+    const r = await fetch(cfg().base + '/health', { headers: headers() });
+    const d = await r.json();
+    dot.style.background = 'var(--success)';
+    dot.style.boxShadow = '0 0 8px var(--success)';
+    toast('✓ API online — ' + d.timestamp);
+  } catch (e) {
+    dot.style.background = 'var(--danger)';
+    dot.style.boxShadow = '0 0 8px var(--danger)';
+    toast('✗ Cannot reach API', true);
+  }
+}
+checkHealth();
+
+// ──────────────────────────────────────────────
+//  Drag & Drop
+// ──────────────────────────────────────────────
+const dz = $('dropZone');
+['dragenter','dragover'].forEach(ev => dz.addEventListener(ev, e => { e.preventDefault(); dz.classList.add('drag'); }));
+['dragleave','drop'].forEach(ev => dz.addEventListener(ev, e => { e.preventDefault(); dz.classList.remove('drag'); }));
+dz.addEventListener('drop', e => {
+  const file = e.dataTransfer.files[0];
+  if (file) uploadFile(file);
+});
+
+function handleFileSelect() {
+  const file = $('fileInput').files[0];
+  if (file) uploadFile(file);
+}
+
+// ──────────────────────────────────────────────
+//  Upload
+// ──────────────────────────────────────────────
+async function uploadFile(file) {
+  const pw = $('progressWrap');
+  const pf = $('progressFill');
+  const pl = $('progressLabel');
+  const rb = $('uploadResponse');
+
+  pw.className = 'progress-wrap show';
+  rb.className = 'response-box';
+  $('cdnBox').className = 'cdn-box';
+  $('cdnBox').querySelector('label').textContent = '🔗 PUBLIC CDN URL — shareable, no auth required';
+  pf.style.width = '0%';
+  pl.textContent = `Uploading ${file.name} (${formatBytes(file.size)})…`;
+
+  // Fake progress animation while real request runs
+  let prog = 0;
+  const tick = setInterval(() => {
+    prog = Math.min(prog + Math.random() * 12, 88);
+    pf.style.width = prog + '%';
+  }, 200);
+
+  try {
+    const fd = new FormData();
+    fd.append('file', file);
+    const cp = $('customPath').value.trim();
+    if (cp) fd.append('custom_path', cp);
+    const r = await fetch(cfg().base + '/upload', {
+      method: 'POST',
+      headers: { 'X-API-Key': cfg().key },
+      body: fd,
+    });
+    const data = await r.json();
+    clearInterval(tick);
+    pf.style.width = '100%';
+    pl.textContent = r.ok ? `✓ Uploaded successfully` : `✗ Upload failed`;
+
+    showResponse('uploadResponse', data, !r.ok);
+    if (r.ok) {
+      toast(`✓ ${file.name} uploaded!`);
+      if (data.public_url) {
+        $('cdnUrlInput').value = data.public_url;
+        $('cdnOpenLink').href  = data.public_url;
+        // Update label to indicate whether custom path or UUID is used
+        const lbl = $('cdnBox').querySelector('label');
+        if (data.custom_path) {
+          lbl.textContent = `🔗 CDN URL  •  custom path: /${data.custom_path}`;
+        } else {
+          lbl.textContent = '🔗 PUBLIC CDN URL — shareable, no auth required';
+        }
+        $('cdnBox').className = 'cdn-box show';
+      }
+      navigator.clipboard?.writeText(data.public_url || data.file_id).catch(() => {});
+      // Reset custom path input for next upload
+      $('customPath').value = '';
+      updatePathPreview();
+    } else {
+      $('cdnBox').className = 'cdn-box';
+      toast('✗ Upload failed', true);
+    }
+  } catch (e) {
+    clearInterval(tick);
+    pf.style.width = '0%';
+    pl.textContent = '✗ Request failed';
+    showResponse('uploadResponse', { error: e.message }, true);
+    toast('✗ Network error', true);
+  }
+}
+
+// ──────────────────────────────────────────────
+//  List files
+// ──────────────────────────────────────────────
+async function loadFiles() {
+  const grid = $('filesGrid');
+  const countEl = $('fileCount');
+  grid.innerHTML = '<div class="empty"><span><div class="spin"></div></span>Loading…</div>';
+  try {
+    const r = await fetch(cfg().base + '/files?limit=100', { headers: headers() });
+    const data = await r.json();
+    if (!r.ok) { showFiles([], data); return; }
+    countEl.textContent = `${data.total} file${data.total !== 1 ? 's' : ''}`;
+    showFiles(data.files);
+  } catch (e) {
+    grid.innerHTML = `<div class="empty"><span>⚠️</span>${e.message}</div>`;
+  }
+}
+
+function showFiles(files) {
+  const grid = $('filesGrid');
+  if (!files.length) {
+    grid.innerHTML = '<div class="empty"><span>📭</span>No files stored yet</div>';
+    return;
+  }
+  grid.innerHTML = files.map((f, i) => `
+    <div class="file-card" style="animation-delay:${i * 40}ms">
+      <div class="file-icon">${fileIcon(f.mime_type)}</div>
+      <div class="file-info">
+        <div class="file-name" title="${f.filename}">${f.filename}</div>
+        <div class="file-meta">
+          <span>${formatBytes(f.size_bytes)}</span>
+          <span>${f.mime_type}</span>
+          <span>${f.uploaded_at?.slice(0, 16).replace('T', ' ')}</span>
+          <span style="color:var(--accent);cursor:pointer" onclick="copyId('${f.file_id}')" title="Click to copy file ID">${f.file_id.slice(0, 18)}…</span>
+          ${f.custom_path ? `<span style="color:var(--accent);opacity:.6" title="custom path">/${f.custom_path}</span>` : ''}
+          ${f.public_url ? `<span style="color:var(--success);cursor:pointer;max-width:220px;overflow:hidden;text-overflow:ellipsis;white-space:nowrap" onclick="copyCdnUrlStr('${f.public_url}')" title="${f.public_url}">🔗 CDN link</span>` : ''}
+        </div>
+      </div>
+      <div class="file-actions">
+        ${f.public_url ? `<button class="icon-btn dl" title="Copy CDN URL" onclick="copyCdnUrlStr('${f.public_url}')">🔗</button>` : ''}
+        <button class="icon-btn dl" title="Download" onclick="triggerDownload('${f.file_id}','${f.filename}')">↓</button>
+        <button class="icon-btn del" title="Delete" onclick="deleteFile('${f.file_id}', this)">✕</button>
+      </div>
+    </div>
+  `).join('');
+}
+
+function updatePathPreview() {
+  const val = $('customPath').value.trim();
+  const hint = $('pathHint');
+  if (val) {
+    const clean = val.replace(/^\/+/, '');
+    hint.innerHTML = `CDN URL will be: <span>${cfg().base}/cdn/${clean}</span>`;
+  } else {
+    hint.innerHTML = `Leave blank to use auto-generated ID &nbsp;·&nbsp; Use <span>/</span> for folders`;
+  }
+}
+
+function copyId(id) {
+  navigator.clipboard?.writeText(id);
+  toast('✓ File ID copied');
+}
+
+function copyCdnUrl() {
+  const url = $('cdnUrlInput').value;
+  navigator.clipboard?.writeText(url);
+  const btn = document.querySelector('.cdn-copy-btn');
+  btn.textContent = '✓ Copied!';
+  setTimeout(() => btn.textContent = '⎘ Copy', 2000);
+  toast('✓ CDN URL copied to clipboard');
+}
+
+function copyCdnUrlStr(url) {
+  navigator.clipboard?.writeText(url);
+  toast('✓ CDN URL copied');
+}
+
+// ──────────────────────────────────────────────
+//  Download
+// ──────────────────────────────────────────────
+async function triggerDownload(fileId, filename) {
+  try {
+    const r = await fetch(cfg().base + '/file/' + fileId, { headers: headers() });
+    if (!r.ok) { toast('✗ Download failed', true); return; }
+    const blob = await r.blob();
+    const url = URL.createObjectURL(blob);
+    const a = document.createElement('a');
+    a.href = url; a.download = filename;
+    a.click();
+    URL.revokeObjectURL(url);
+    toast(`↓ ${filename} downloaded`);
+  } catch (e) {
+    toast('✗ ' + e.message, true);
+  }
+}
+
+async function downloadFile() {
+  const id = $('dlFileId').value.trim();
+  if (!id) { toast('✗ Enter a file ID', true); return; }
+  const rb = $('dlResponse');
+  rb.className = 'response-box show';
+  rb.textContent = 'Fetching…';
+  try {
+    const r = await fetch(cfg().base + '/file/' + id, { headers: headers() });
+    if (!r.ok) {
+      const d = await r.json();
+      showResponse('dlResponse', d, true);
+      toast('✗ Not found', true);
+      return;
+    }
+    const blob = await r.blob();
+    const cd = r.headers.get('Content-Disposition') || '';
+    const fnMatch = cd.match(/filename="?([^"]+)"?/);
+    const filename = fnMatch ? fnMatch[1] : 'download';
+    const url = URL.createObjectURL(blob);
+    const a = document.createElement('a');
+    a.href = url; a.download = filename;
+    a.click();
+    URL.revokeObjectURL(url);
+    rb.textContent = `✓ Downloaded: ${filename} (${formatBytes(blob.size)})`;
+    rb.className = 'response-box show';
+    toast(`↓ ${filename} saved`);
+  } catch (e) {
+    showResponse('dlResponse', { error: e.message }, true);
+    toast('✗ Network error', true);
+  }
+}
+
+// ──────────────────────────────────────────────
+//  Delete
+// ────────────────��─────────────────────────────
+async function deleteFile(fileId, btn) {
+  if (!confirm('Delete this file record?')) return;
+  btn.textContent = '…';
+  btn.disabled = true;
+  try {
+    const r = await fetch(cfg().base + '/file/' + fileId, {
+      method: 'DELETE', headers: headers()
+    });
+    const d = await r.json();
+    if (r.ok) {
+      toast('✓ File record deleted');
+      loadFiles();
+    } else {
+      toast('✗ Delete failed', true);
+      btn.textContent = '✕';
+      btn.disabled = false;
+    }
+  } catch (e) {
+    toast('✗ ' + e.message, true);
+    btn.textContent = '✕';
+    btn.disabled = false;
+  }
+}
+</script>
+</body>
+</html>

main.py

@@ -0,0 +1,296 @@
+"""
+TG Storage API — Store & retrieve files via Telegram as a backend.
+
+Endpoints:
+  GET    /                        — Frontend UI
+  POST   /upload                  — Upload a file (optional custom_path)
+  GET    /cdn/{path}              — Public CDN URL — works with:
+                                      /cdn/<file_id>
+                                      /cdn/<custom_path>        e.g. /cdn/logo.png
+                                      /cdn/<folder/name.ext>   e.g. /cdn/images/avatar.jpg
+  GET    /file/{file_id}          — Download (auth required, forces attachment)
+  GET    /files                   — List all stored files
+  DELETE /file/{file_id}          — Delete a file record
+  GET    /health                  — Health check
+"""
+
+import os
+import io
+import re
+import uuid
+import logging
+import mimetypes
+from contextlib import asynccontextmanager
+from datetime import datetime
+from typing import Optional
+from pathlib import Path
+
+logger = logging.getLogger(__name__)
+
+from fastapi import FastAPI, UploadFile, File, Form, Header, HTTPException, Depends, Query, Request
+from fastapi.responses import StreamingResponse, HTMLResponse
+from fastapi.middleware.cors import CORSMiddleware
+
+from db import (
+    init_db, save_file_record,
+    get_file_record, get_file_by_custom_path,
+    list_file_records, delete_file_record, count_files,
+)
+from tg import upload_to_telegram, download_from_telegram, init_bot_pool, close_http
+
+# ──────────────────────────────────────────────────
+#  Lifespan
+# ──────────────────────────────────────────────────
+@asynccontextmanager
+async def lifespan(app: FastAPI):
+    await init_db()        # connect MongoDB Atlas + ensure indexes
+    await init_bot_pool()  # verify tokens.txt & build bot pool
+    yield
+    await close_http()     # drain httpx connection pool
+
+# ──────────────────────────────────────────────────
+#  App
+# ──────────────────────────────────────────────────
+app = FastAPI(
+    title="TG Storage API",
+    description="Infinite file storage powered by Telegram",
+    version="4.0.0",
+    lifespan=lifespan,
+)
+
+app.add_middleware(
+    CORSMiddleware,
+    allow_origins=["*"],
+    allow_methods=["*"],
+    allow_headers=["*"],
+)
+
+ADMIN_API_KEY = os.getenv("ADMIN_API_KEY", "changeme")
+BASE_URL      = os.getenv("BASE_URL", "http://localhost:8082").rstrip("/")
+
+_HERE         = Path(__file__).parent
+FRONTEND_PATH = _HERE / "frontend.html"
+
+# Allowed characters in a custom path segment:
+# alphanumeric, hyphen, underscore, dot, forward slash
+_CUSTOM_PATH_RE = re.compile(r'^[a-zA-Z0-9._\-/]+$')
+
+
+# ──────────────────────────────────────────────────
+#  Helpers
+# ──────────────────────────────────────────────────
+async def require_api_key(x_api_key: str = Header(..., description="Your API key")):
+    if x_api_key != ADMIN_API_KEY:
+        raise HTTPException(status_code=401, detail="Invalid or missing API key")
+    return x_api_key
+
+
+def _sanitize_custom_path(raw: str) -> str:
+    """
+    Normalise and validate a custom path.
+    - Strip leading/trailing slashes and whitespace
+    - Reject empty, path-traversal attempts, or illegal characters
+    """
+    path = raw.strip().strip("/")
+    if not path:
+        raise HTTPException(status_code=400, detail="custom_path cannot be empty after stripping slashes.")
+    if ".." in path:
+        raise HTTPException(status_code=400, detail="custom_path must not contain '..'")
+    if not _CUSTOM_PATH_RE.match(path):
+        raise HTTPException(
+            status_code=400,
+            detail="custom_path may only contain letters, digits, hyphens, underscores, dots, and slashes."
+        )
+    return path
+
+
+def _build_public_url(identifier: str) -> str:
+    """identifier is either a file_id UUID or a normalised custom_path."""
+    return f"{BASE_URL}/cdn/{identifier}"
+
+
+async def _stream_record(record: dict) -> StreamingResponse:
+    """Download from Telegram and stream to client."""
+    try:
+        data: bytes = await download_from_telegram(record["tg_message_id"], record["tg_file_id"])
+    except Exception as exc:
+        logger.exception("Telegram download error")
+        raise HTTPException(status_code=502, detail=str(exc))
+
+    return StreamingResponse(
+        io.BytesIO(data),
+        media_type=record["mime_type"],
+        headers={
+            "Content-Disposition": f'inline; filename="{record["filename"]}"',
+            "Content-Length":      str(len(data)),
+            "Cache-Control":       "public, max-age=31536000, immutable",
+        },
+    )
+
+
+# ──────────────────────────────────────────────────
+#  Routes
+# ──────────────────────────────────────────────────
+
+@app.get("/", include_in_schema=False)
+async def frontend():
+    if FRONTEND_PATH.exists():
+        return HTMLResponse(FRONTEND_PATH.read_text(encoding="utf-8"))
+    return HTMLResponse("<h2>frontend.html not found</h2>", status_code=404)
+
+
+@app.get("/health", tags=["System"])
+async def health():
+    total = await count_files()
+    return {"status": "ok", "timestamp": datetime.utcnow().isoformat(),
+            "total_files": total, "base_url": BASE_URL}
+
+
+# ── CDN — public, no auth ─────────────────────────────────────────────
+@app.get(
+    "/cdn/{path:path}",
+    tags=["CDN"],
+    summary="Public shareable URL — supports UUID file_id or any custom path",
+)
+async def cdn_file(path: str):
+    """
+    Resolve priority:
+      1. Exact match on custom_path  (e.g. /cdn/images/logo.png)
+      2. Exact match on file_id UUID (e.g. /cdn/550e8400-...)
+    """
+    # 1 — custom path lookup
+    record = await get_file_by_custom_path(path)
+
+    # 2 — fall back to file_id lookup
+    if not record:
+        record = await get_file_record(path)
+
+    if not record:
+        raise HTTPException(
+            status_code=404,
+            detail=f"No file found for path '{path}'. "
+                   f"Provide a valid file_id or a custom_path assigned at upload."
+        )
+
+    return await _stream_record(record)
+
+
+# ── Upload ────────────────────────────────────────────────────────────
+@app.post(
+    "/upload",
+    tags=["Files"],
+    summary="Upload a file. Optionally assign a custom CDN path.",
+)
+async def upload_file(
+    file: UploadFile = File(...),
+    custom_path: Optional[str] = Form(
+        default=None,
+        description=(
+            "Optional vanity path for the CDN URL. "
+            "Examples: 'logo.png', 'images/avatar.jpg', 'docs/readme.md'. "
+            "Must be unique. Leave blank to use the auto-generated file_id."
+        ),
+    ),
+    _: str = Depends(require_api_key),
+):
+    content = await file.read()
+    if not content:
+        raise HTTPException(status_code=400, detail="Empty file.")
+
+    filename  = file.filename or f"upload_{uuid.uuid4().hex}"
+    mime_type = file.content_type or mimetypes.guess_type(filename)[0] or "application/octet-stream"
+    size      = len(content)
+
+    # Validate + normalise custom_path if provided
+    clean_custom_path: str | None = None
+    if custom_path and custom_path.strip():
+        clean_custom_path = _sanitize_custom_path(custom_path)
+        # Check uniqueness before hitting Telegram
+        existing = await get_file_by_custom_path(clean_custom_path)
+        if existing:
+            raise HTTPException(
+                status_code=409,
+                detail=f"custom_path '{clean_custom_path}' is already taken by file_id={existing['file_id']}."
+            )
+
+    # Upload bytes to Telegram
+    try:
+        tg_message_id, tg_file_id = await upload_to_telegram(content, filename, mime_type)
+    except Exception as exc:
+        logger.exception("Telegram upload error")
+        raise HTTPException(status_code=502, detail=str(exc))
+
+    # Build URLs
+    file_id    = str(uuid.uuid4())
+    cdn_key    = clean_custom_path if clean_custom_path else file_id
+    public_url = _build_public_url(cdn_key)
+
+    await save_file_record(
+        file_id=file_id,
+        filename=filename,
+        mime_type=mime_type,
+        size=size,
+        tg_message_id=tg_message_id,
+        tg_file_id=tg_file_id,
+        public_url=public_url,
+        custom_path=clean_custom_path,
+    )
+
+    logger.info(f"Uploaded {filename!r} → {public_url}")
+
+    return {
+        "file_id":     file_id,
+        "filename":    filename,
+        "mime_type":   mime_type,
+        "size_bytes":  size,
+        "custom_path": clean_custom_path,
+        "public_url":  public_url,
+        "cdn_url_by_id":   _build_public_url(file_id),
+        "cdn_url_by_path": _build_public_url(clean_custom_path) if clean_custom_path else None,
+        "uploaded_at": datetime.utcnow().isoformat(),
+    }
+
+
+# ── Authenticated download ────────────────────────────────────────────
+@app.get("/file/{file_id}", tags=["Files"], summary="Download (auth required, forces attachment)")
+async def download_file(file_id: str, _: str = Depends(require_api_key)):
+    record = await get_file_record(file_id)
+    if not record:
+        raise HTTPException(status_code=404, detail="File not found.")
+
+    try:
+        data: bytes = await download_from_telegram(record["tg_message_id"], record["tg_file_id"])
+    except Exception as exc:
+        logger.exception("Download error")
+        raise HTTPException(status_code=502, detail=str(exc))
+
+    return StreamingResponse(
+        io.BytesIO(data),
+        media_type=record["mime_type"],
+        headers={
+            "Content-Disposition": f'attachment; filename="{record["filename"]}"',
+            "Content-Length":      str(len(data)),
+        },
+    )
+
+
+# ── List ──────────────────────────────────────────────────────────────
+@app.get("/files", tags=["Files"], summary="List all stored files")
+async def list_files(
+    limit:  int = Query(50, ge=1, le=500),
+    offset: int = Query(0, ge=0),
+    _: str = Depends(require_api_key),
+):
+    records = await list_file_records(limit=limit, offset=offset)
+    total   = await count_files()
+    return {"total": total, "limit": limit, "offset": offset, "files": records}
+
+
+# ── Delete ────────────────────────────────────────────────────────────
+@app.delete("/file/{file_id}", tags=["Files"], summary="Delete a file record")
+async def delete_file(file_id: str, _: str = Depends(require_api_key)):
+    record = await get_file_record(file_id)
+    if not record:
+        raise HTTPException(status_code=404, detail="File not found.")
+    await delete_file_record(file_id)
+    return {"deleted": True, "file_id": file_id}

requirements.txt

@@ -0,0 +1,7 @@
+fastapi>=0.111.0
+uvicorn[standard]>=0.29.0
+python-multipart>=0.0.9
+httpx>=0.27.0
+motor>=3.4.0
+pymongo>=4.7.0
+python-dotenv>=1.0.1

server.py

@@ -0,0 +1,27 @@
+"""
+server.py — Entry point. Loads .env then starts Uvicorn.
+
+Run:
+    python server.py
+or directly:
+    uvicorn main:app --host 0.0.0.0 --port 8082
+"""
+
+import sys
+import uvicorn
+from dotenv import load_dotenv
+
+load_dotenv()  # load .env before importing app so env vars are available
+
+if __name__ == "__main__":
+    # reload=True causes a multiprocessing crash on Python 3.13 + Windows.
+    # Use reload only on Python < 3.13, otherwise run without it.
+    py313_or_above = sys.version_info >= (3, 13)
+
+    uvicorn.run(
+        "main:app",
+        host="0.0.0.0",
+        port=8082,
+        reload=not py313_or_above,   # disabled on 3.13+ Windows to avoid BufferFlags crash
+        log_level="info",
+    )

tg.py

@@ -0,0 +1,282 @@
+"""
+tg.py — Pure-HTTP Telegram Bot API client. No tgstorage-cluster, no
+        python-telegram-bot. Just httpx + the official Bot API.
+
+Bot pool:
+  • Reads tokens.txt (one token per line) at startup via init_bot_pool().
+  • Verifies each token with getMe(). Skips bad/dead tokens.
+  • Round-robins uploads across all healthy bots to spread rate-limit load.
+
+Upload flow:
+  sendDocument  →  returns message_id + file_id  →  stored in MongoDB.
+
+Download flow (two-stage):
+  1. getFile(file_id)          →  get a temporary download path from Telegram.
+  2. GET https://api.telegram.org/file/bot{token}/{file_path}  →  raw bytes.
+  File paths expire after ~1 h, so we always call getFile fresh.
+"""
+
+import os
+import io
+import itertools
+import logging
+from pathlib import Path
+from typing import Tuple
+
+import httpx
+
+logger = logging.getLogger(__name__)
+
+# ──────────────────────────────────────────────────────────────────────
+#  Constants
+# ──────────────────────────────────────────────────────────────────────
+TG_API  = "https://api.telegram.org/bot{token}/{method}"
+TG_FILE = "https://api.telegram.org/file/bot{token}/{file_path}"
+
+# Telegram hard limit for getFile downloads via Bot API is 20 MB.
+# Files larger than this must be sent as separate parts (chunking) or
+# via a Telegram client (MTProto). We warn but still attempt.
+TG_MAX_DOWNLOAD_BYTES = 20 * 1024 * 1024  # 20 MB
+
+TIMEOUT = httpx.Timeout(connect=10.0, read=120.0, write=120.0, pool=10.0)
+
+
+# ──────────────────────────────────────────────────────────────────────
+#  Shared async HTTP client (one per process)
+# ──────────────────────────────────────────────────────────────────────
+_http: httpx.AsyncClient | None = None
+
+def _client() -> httpx.AsyncClient:
+    global _http
+    if _http is None or _http.is_closed:
+        _http = httpx.AsyncClient(timeout=TIMEOUT, follow_redirects=True)
+    return _http
+
+
+async def close_http():
+    """Call on app shutdown to cleanly drain the connection pool."""
+    global _http
+    if _http and not _http.is_closed:
+        await _http.aclose()
+        _http = None
+
+
+# ──────────────────────────────────────────────────────────────────────
+#  Bot pool
+# ──────────────────────────────────────────────────────────────────────
+_pool:  list[dict] = []   # [{"token": str, "username": str, "id": int}, …]
+_cycle: itertools.cycle | None = None
+
+
+def _tokens_path() -> Path:
+    """Look for tokens.txt next to this file, then in cwd."""
+    for candidate in [Path(__file__).parent / "tokens.txt",
+                      Path(os.getcwd()) / "tokens.txt"]:
+        if candidate.exists():
+            return candidate
+    raise FileNotFoundError(
+        "tokens.txt not found. Create it with one bot token per line.\n"
+        "Example:  123456789:AAExampleTokenHere"
+    )
+
+
+async def _verify_token(token: str) -> dict | None:
+    """Call getMe to validate a token. Returns bot info dict or None."""
+    url = TG_API.format(token=token, method="getMe")
+    try:
+        r = await _client().get(url)
+        data = r.json()
+        if data.get("ok"):
+            bot = data["result"]
+            return {"token": token, "username": bot["username"], "id": bot["id"]}
+        logger.warning(f"✗ Token rejected by Telegram ({token[:20]}…): {data.get('description')}")
+    except Exception as e:
+        logger.warning(f"✗ Could not reach Telegram for token {token[:20]}…: {e}")
+    return None
+
+
+async def init_bot_pool():
+    """
+    Read tokens.txt, verify each token with getMe(), build the round-robin pool.
+    Raises RuntimeError if no healthy bots are found.
+    """
+    global _pool, _cycle
+
+    path = _tokens_path()
+    raw_tokens = [
+        line.strip()
+        for line in path.read_text(encoding="utf-8").splitlines()
+        if line.strip() and not line.startswith("#")
+    ]
+
+    if not raw_tokens:
+        raise RuntimeError(f"tokens.txt at {path} is empty — add at least one bot token.")
+
+    healthy = []
+    for token in raw_tokens:
+        info = await _verify_token(token)
+        if info:
+            logger.info(f"✓ Bot ready: @{info['username']} (id={info['id']})")
+            healthy.append(info)
+
+    if not healthy:
+        raise RuntimeError(
+            "No healthy bots found.\n"
+            "• Check tokens.txt — each line must be a valid BotFather token.\n"
+            "• The bot must be added as an Administrator to your CHANNEL_ID."
+        )
+
+    _pool  = healthy
+    _cycle = itertools.cycle(_pool)
+    logger.info(f"Bot pool ready — {len(_pool)} bot(s) active.")
+
+
+def _next_bot() -> dict:
+    if not _pool:
+        raise RuntimeError(
+            "Bot pool is empty. Make sure init_bot_pool() ran at startup "
+            "and tokens.txt contains at least one valid token."
+        )
+    return next(_cycle)  # type: ignore[arg-type]
+
+
+def _get_channel_id() -> int:
+    raw = os.getenv("CHANNEL_ID", "0").strip()
+    if not raw or raw == "0":
+        raise RuntimeError(
+            "CHANNEL_ID is not set.\n"
+            "Add to .env:  CHANNEL_ID=-1001234567890\n"
+            "Tip: forward any message from the channel to @JsonDumpBot to get the ID."
+        )
+    try:
+        return int(raw)
+    except ValueError:
+        raise RuntimeError(f"CHANNEL_ID must be an integer, got: {raw!r}")
+
+
+# ──────────────────────────────────────────────────────────────────────
+#  Low-level API helpers
+# ──────────────────────────────────────────────────────────────────────
+
+async def _api(token: str, method: str, **kwargs) -> dict:
+    """
+    POST to a Bot API method with JSON body.
+    Raises RuntimeError on non-ok responses.
+    """
+    url = TG_API.format(token=token, method=method)
+    r = await _client().post(url, **kwargs)
+    data = r.json()
+    if not data.get("ok"):
+        raise RuntimeError(
+            f"Telegram API error on {method}: "
+            f"[{data.get('error_code')}] {data.get('description')}"
+        )
+    return data["result"]
+
+
+# ──────────────────────────────────────────────────────────────────────
+#  Upload
+# ──────────────────────────────────────────────────────────────────────
+
+async def upload_to_telegram(
+    content: bytes,
+    filename: str,
+    mime_type: str,
+) -> Tuple[int, str]:
+    """
+    Upload raw bytes to the Telegram channel as a document.
+    Returns: (message_id, tg_file_id)
+    """
+    channel_id = _get_channel_id()
+    bot = _next_bot()
+
+    files   = {"document": (filename, io.BytesIO(content), mime_type)}
+    payload = {
+        "chat_id": channel_id,
+        "caption": f"📁 {filename}  •  {mime_type}  •  {len(content):,} B",
+    }
+
+    try:
+        msg = await _api(
+            bot["token"], "sendDocument",
+            data=payload,
+            files=files,
+        )
+    except RuntimeError as e:
+        raise RuntimeError(
+            f"{e}\n"
+            f"Bot: @{bot['username']}  |  Channel: {channel_id}\n"
+            f"Make sure the bot is an Administrator in the channel."
+        )
+
+    doc        = msg["document"]
+    file_id    = doc["file_id"]
+    message_id = msg["message_id"]
+
+    logger.info(f"Uploaded {filename!r} → msg_id={message_id}  file_id={file_id[:24]}…")
+    return message_id, file_id
+
+
+# ──────────────────────────────────────────────────────────────────────
+#  Download
+# ──────────────────────────────────────────────────────────────────────
+
+async def download_from_telegram(
+    tg_message_id: int,
+    tg_file_id: str | None,
+) -> bytes:
+    """
+    Download and return the raw bytes of a stored file.
+
+    Strategy:
+      1. Call getFile(file_id) to resolve the temporary download path.
+      2. GET the file bytes from the CDN path.
+      3. If step 1 fails (file_id stale), fall back to forwarding the
+         original message and re-extracting the document's file_id.
+    """
+    channel_id = _get_channel_id()
+    bot        = _next_bot()
+
+    # ── Stage 1: resolve download path ──────────────────────────────
+    file_path: str | None = None
+
+    if tg_file_id:
+        try:
+            result    = await _api(bot["token"], "getFile", json={"file_id": tg_file_id})
+            file_path = result.get("file_path")
+        except RuntimeError as e:
+            logger.warning(f"getFile failed for file_id {tg_file_id[:24]}…, trying message fallback. ({e})")
+
+    # ── Stage 2: message fallback if file_id is stale ───────────────
+    if not file_path:
+        try:
+            fwd = await _api(bot["token"], "forwardMessage", json={
+                "chat_id":      channel_id,
+                "from_chat_id": channel_id,
+                "message_id":   tg_message_id,
+            })
+        except RuntimeError as e:
+            raise RuntimeError(
+                f"Could not retrieve message {tg_message_id} from channel {channel_id}.\n"
+                f"Ensure the bot can read the channel. Detail: {e}"
+            )
+
+        doc = fwd.get("document")
+        if not doc:
+            raise ValueError(f"Message {tg_message_id} contains no document.")
+
+        result    = await _api(bot["token"], "getFile", json={"file_id": doc["file_id"]})
+        file_path = result.get("file_path")
+
+    if not file_path:
+        raise RuntimeError("Telegram did not return a file_path — file may be too large for Bot API (>20 MB).")
+
+    # ── Stage 3: download bytes ──────────────────────────────────────
+    url = TG_FILE.format(token=bot["token"], file_path=file_path)
+    r   = await _client().get(url)
+
+    if r.status_code != 200:
+        raise RuntimeError(f"File download failed: HTTP {r.status_code} from Telegram CDN.")
+
+    logger.info(f"Downloaded {len(r.content):,} bytes for msg_id={tg_message_id}")
+    return r.content

tokens.txt

@@ -0,0 +1 @@
+6637167867:AAEDDm3d2l5bjD-Ms7QJ3WnEPu7KKWLY86w

vercel.json

@@ -0,0 +1,15 @@
+{
+  "version": 2,
+  "builds": [
+    {
+      "src": "server.py",
+      "use": "@vercel/python"
+    }
+  ],
+  "routes": [
+    {
+      "src": "/(.*)",
+      "dest": "server.py"
+    }
+  ]
+}