Please report suspected vulnerabilities privately through GitHub Security Advisories at https://github.com/excelano/xfiles/security/advisories/new. If you would rather not use GitHub, email david.anderson@excelano.com instead. I aim to respond within seven days.
Please do not open public issues for security problems.
The latest v1.x release receives security fixes. Older versions are not supported.
This repository ships five CLIs that run locally on your machine: xftp (interactive), xcp (one-shot copies), xsync (recursive mirror), and the read-only xfind and xtree (recursive listing). They call Microsoft Graph over HTTPS to read and write items in a single bound SharePoint document library — the one named by the URL you pass (and the optional --library flag); xfind and xtree only ever read. Authentication is delegated device-code OAuth against your Microsoft Entra ID account; the single scope requested is Sites.ReadWrite.All. None of the tools can access any data your account cannot already access in SharePoint Online, and they touch no Graph endpoints beyond the bound library's drive. There is no daemon, no mounted filesystem, and no server component.
Downloads stream to a temporary file in the destination directory and are renamed into place only on success; uploads larger than 250 MB go through a Graph upload session, which is cancelled on the server if the transfer is interrupted. xsync's --delete flag removes destination items that no longer exist in the source; on an interactive terminal it asks for confirmation first, and --dry-run previews the full plan without changing anything.
IT administrators evaluating any of these tools for a Microsoft 365 tenant will find the application's registration details, the delegated-permission risk profile, and the consent and revocation steps in ADMINS.md. All five tools share one app registration, so a single consent covers them all.
xftp stores REPL command history at ~/.config/xftp/history and caches a refresh token at ~/.config/xftp/sp-token.json; xcp, xfind, xtree, and xsync each cache their own refresh token under ~/.config/xcp, ~/.config/xfind, ~/.config/xtree, and ~/.config/xsync respectively. All are written with file mode 0600 (directory mode 0700). The cached token lets subsequent runs reauthenticate without another device-code prompt. Delete sp-token.json to force re-authentication; revoke the granted permission at https://myaccount.microsoft.com/applications to invalidate the token server-side. There is no telemetry, no analytics, and no remote logging.
Every GitHub release includes a checksums.txt file listing SHA-256 hashes of all binary archives. Verify any download before running it:
sha256sum xftp_1.0.0_linux_amd64.tar.gz
# compare against the value in checksums.txt
Release artifacts are built by GitHub Actions from a tagged commit using the goreleaser configuration in this repo. The workflow and build configuration are public and auditable.