← Back to Index

✅ Secure External Sharing - Implemented

Status: Live (partial - Tailscale Funnel requires manual setup)
Implemented: 2026-02-17
Time: 45 minutes

What's Working

1. LLM Security Scanning ✅

Scans documents for sensitive info (credentials, names, IPs, financials)
Risk classification: HIGH (block) / MEDIUM (sanitize) / LOW (approve)
Auto-detects patterns: API keys, personal names, infrastructure details

2. Auto-Sanitization ✅

Preset rules: tools/sanitization-rules.json (configurable)
LLM-powered context-aware rewriting
Replaces: "Quan" → "CEO", "144.202.121.97" → "VPS server", etc.

3. Human Approval Workflow ✅

Click "📤 Share Externally" button on any doc
Shows diff of changes (before/after)
Lists all flagged items
Approve or cancel

4. Share Links ✅

Time-limited tokens (24hr default)
Watermarked external docs
Access logging (IP, user-agent, timestamp)

5. Audit Trail ✅

All actions logged: data/share-audit.jsonl
Tracks: scans, approvals, accesses, revocations

What Needs Manual Setup

⚠️ Tailscale Funnel (5 min)

Status: Not enabled (requires host-level command)

To enable public HTTPS access:

# On VPS host (not in container)
tailscale funnel --bg 9876

Result: Markdown server accessible at https://minnie-core.ts.net (no Tailscale needed for recipients)

Without Funnel:

Share links work internally: http://100.72.11.53:9876/share/abc123
Require Tailscale to access
Can't share with external users yet

Test It Now

Test file: http://100.72.11.53:9876/test-mermaid.md

Click "📤 Share Externally" button:

Waits 3-5 seconds (LLM scan)
Shows risk level + flagged items
Shows diff preview
Click "Approve" → generates link
Link auto-copied to clipboard

Example flow:

Original: "Quan Gan deployed Dev Agent on 144.202.121.97"
Sanitized: "The CEO deployed a development agent on a cloud server"

Files Modified/Created

New Files

tools/share-api.js (370 lines)
- LLM integration (scan, sanitize)
- Share token management
- Audit logging
tools/sanitization-rules.json (30 lines)
- Preset replacement rules
- Editable for custom mappings
data/share-audit.jsonl (created)
- JSON lines audit log

Modified Files

tools/markdown-server.js (+250 lines)
- Share API route handling
- Share button UI
- Modal for approval workflow
- CSS for diff viewer

Security Features

✅ Implemented

Blocklist (auto-reject):

API keys (32+ chars)
OpenAI keys (sk-...)
GitHub tokens (ghp_...)
SSNs (XXX-XX-XXXX)
Passwords

Sanitization rules:

Personal names → roles
IPs → "VPS server"
Financials → ranges
Company specifics → generalized

Audit trail:

Every scan logged
Every approval logged
Every access logged (IP, user-agent)

Watermarking:

External docs include footer
Timestamp + expiration shown

Cost Analysis

Per share:

Scan (Haiku): ~1K tokens = $0.001
Sanitize (Sonnet): ~3K tokens = $0.03
Total: ~$0.03 per share

100 shares/month: $3

Example: Before/After

Original (deployment-architecture.md):

Quan Gan approved deploying Dev Agent to Malachi on Vultr (144.202.121.97).
Budget: $200/month. ZTAG's $2.3M revenue supports this.

Sanitized:

The CEO approved deploying a development agent to assist the lead developer
on a cloud provider. Budget: modest operational cost. The company's 
multi-million dollar revenue supports this investment.

*Note: ZTAG is an ed-tech platform specializing in after-school programs.*

Next Steps

Immediate (5 min - requires host access)

Enable Tailscale Funnel:

# SSH to VPS host
ssh root@144.202.121.97

# Enable funnel
tailscale funnel --bg 9876

# Verify
tailscale funnel status
# Should show: https://minnie-core.ts.net → localhost:9876

Then test:

Share any doc (e.g., test-mermaid.md)
Link will be: https://minnie-core.ts.net/share/abc123
Send to anyone (no Tailscale needed)
They see sanitized version

Optional Enhancements

1. Revoke API (10 min)

// Add to share-api.js
POST /api/share/revoke/:token
// Deletes share immediately

2. Admin Dashboard (30 min)

View active shares
See access logs
Revoke links
Edit sanitization rules

3. Email Alerts (15 min)

Email when link accessed
Email when HIGH risk doc attempted
Weekly share summary

Verification Checklist

Share button appears on docs
LLM scan working (Anthropic API integrated)
Sanitization rules loaded
Diff preview rendering
Modal UI functional
Share tokens generated
Audit log created
Watermark on shared docs
Tailscale Funnel enabled (manual step)
External access tested

Troubleshooting

Share button doesn't appear:

Check: Is it a markdown file? (Button only on .md files, not directories)
Check server logs: tail -f /tmp/markdown-server.log

LLM scan fails:

Check Anthropic API key: /home/node/.openclaw/agents/main/agent/auth-profiles.json
Check error in audit log: tail data/share-audit.jsonl

Share link doesn't work:

Internal (Tailscale): http://100.72.11.53:9876/share/TOKEN
External (needs Funnel): https://minnie-core.ts.net/share/TOKEN
Check token not expired (24hr default)

Access URLs

Internal (Tailscale required):

Markdown server: http://100.72.11.53:9876
Test doc: http://100.72.11.53:9876/test-mermaid.md
Share links: http://100.72.11.53:9876/share/TOKEN

External (after Funnel enabled):

Markdown server: https://minnie-core.ts.net
Share links: https://minnie-core.ts.net/share/TOKEN

Audit log:

data/share-audit.jsonl (view via markdown server or cat)

Ready to Enable Funnel?

Command (on host):

tailscale funnel --bg 9876

Then test: Share test-mermaid.md → Send link to someone without Tailscale → Verify they can access.

Feedback welcome. If working well, this is production-ready for external doc sharing.