
✅ Secure External Sharing - Implemented

Status: Live (partial - Tailscale Funnel requires manual setup)
Implemented: 2026-02-17
Time: 45 minutes


What's Working

1. LLM Security Scanning ✅

2. Auto-Sanitization ✅

3. Human Approval Workflow ✅

4. Share Links ✅

5. Audit Trail ✅


What Needs Manual Setup

⚠️ Tailscale Funnel (5 min)

Status: Not enabled (requires host-level command)

To enable public HTTPS access:

# On VPS host (not in container)
tailscale funnel --bg 9876

Result: Markdown server accessible at https://minnie-core.ts.net (no Tailscale needed for recipients)

Without Funnel:


Test It Now

Test file: http://100.72.11.53:9876/test-mermaid.md

Click "📤 Share Externally" button:

  1. Waits 3-5 seconds (LLM scan)
  2. Shows risk level + flagged items
  3. Shows diff preview
  4. Click "Approve" → generates link
  5. Link auto-copied to clipboard

Example flow:

Original: "Quan Gan deployed Dev Agent on 144.202.121.97"
Sanitized: "The CEO deployed a development agent on a cloud server"

Files Modified/Created

New Files

  1. tools/share-api.js (370 lines)

    • LLM integration (scan, sanitize)
    • Share token management
    • Audit logging
  2. tools/sanitization-rules.json (30 lines)

    • Preset replacement rules
    • Editable for custom mappings
  3. data/share-audit.jsonl (created)

    • JSON lines audit log

Modified Files

  1. tools/markdown-server.js (+250 lines)
    • Share API route handling
    • Share button UI
    • Modal for approval workflow
    • CSS for diff viewer

Security Features

✅ Implemented

Blocklist (auto-reject):

Sanitization rules:

Audit trail:

Watermarking:


Cost Analysis

Per share:

100 shares/month: $3


Example: Before/After

Original (deployment-architecture.md):

Quan Gan approved deploying Dev Agent to Malachi on Vultr (144.202.121.97).
Budget: $200/month. ZTAG's $2.3M revenue supports this.

Sanitized:

The CEO approved deploying a development agent to assist the lead developer
on a cloud provider. Budget: modest operational cost. The company's 
multi-million dollar revenue supports this investment.

*Note: ZTAG is an ed-tech platform specializing in after-school programs.*
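
An added example (not code from tools/share-api.js): a deterministic gate that could run on the sanitized text before the approval step, blocking the share if an IP address, dollar amount, user@host string or rule term survives the LLM pass. The rule format, function names, status values and sample names are assumptions constructed for illustration.

```javascript
// Added example. Rule format is assumed; the names below are constructed.
const RULES = [
  { match: "Alice Example", replace: "The CEO" },
  { match: "Acme Robotics", replace: "the company" },
];

// Deterministic detectors that run on the final text, independent of the LLM.
const DETECTORS = {
  ipv4: /\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b/g,
  money: /\$\s?\d[\d,]*(?:\.\d+)?[KMB]?\b/gi,
  sshTarget: /\b[a-z_][a-z0-9_-]*@[\w.-]+/gi,
};

const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");

// Apply literal, case-insensitive replacements; the callback keeps "$" in a
// replacement string from being read as a capture-group reference.
function applyRules(text, rules) {
  return rules.reduce(
    (out, r) => out.replace(new RegExp(escapeRe(r.match), "gi"), () => r.replace),
    text
  );
}

// Return every detector hit and every rule term still present in the text.
function findResidualLeaks(text, rules) {
  const leaks = [];
  for (const [type, re] of Object.entries(DETECTORS)) {
    for (const m of text.matchAll(re)) leaks.push({ type, value: m[0] });
  }
  const lower = text.toLowerCase();
  for (const r of rules) {
    if (lower.includes(r.match.toLowerCase())) leaks.push({ type: "rule", value: r.match });
  }
  return leaks;
}

// Gate a sanitized candidate: fail closed on any leak, and build an audit
// line that records leak types only, so the log never stores the secret.
function gateShare(file, candidate, rules, now = new Date()) {
  const leaks = findResidualLeaks(candidate, rules);
  const status = leaks.length === 0 ? "pending_approval" : "blocked";
  const audit = JSON.stringify({
    ts: now.toISOString(), file, status,
    leakTypes: [...new Set(leaks.map((l) => l.type))],
  });
  return { status, leaks, audit };
}
```

The audit string is one JSON line, so it can be appended as-is to a JSON lines log such as data/share-audit.jsonl.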

Next Steps

Immediate (5 min - requires host access)

Enable Tailscale Funnel:

# SSH to VPS host
ssh root@144.202.121.97

# Enable funnel
tailscale funnel --bg 9876

# Verify
tailscale funnel status
# Should show: https://minnie-core.ts.net → localhost:9876

Then test:

  1. Share any doc (e.g., test-mermaid.md)
  2. Link will be: https://minnie-core.ts.net/share/abc123
  3. Send to anyone (no Tailscale needed)
  4. They see sanitized version

Optional Enhancements

1. Revoke API (10 min)

// Add to share-api.js
POST /api/share/revoke/:token
// Deletes share immediately

2. Admin Dashboard (30 min)

3. Email Alerts (15 min)


Verification Checklist


Troubleshooting

Share button doesn't appear:

LLM scan fails:

Share link doesn't work:


Access URLs

Internal (Tailscale required):

External (after Funnel enabled):

Audit log:


Ready to Enable Funnel?

Command (on host):

tailscale funnel --bg 9876

Then test: Share test-mermaid.md → Send link to someone without Tailscale → Verify they can access.

Feedback welcome. If working well, this is production-ready for external doc sharing.