ADR-0037 — Public sharing security model

V1 Freeze (2026-06-12): Accepted, scoped. Blocker-5 follow-up: the bearer token is stored only as a hash (SHARE.link_token_hash), matching how API tokens are handled — a DB/backup leak no longer hands out live links. The scoped-capability core (unguessable token, one node + permission, password, expiry, max-downloads, revocation) is V1. The heavier abuse program (sandboxed-origin serving, SSRF defenses, malware/CSAM scanning, link reputation) is Deferred to P3+ — noted below.

Context

Public file sharing and public APIs are BitVault’s most-exposed surface and a magnet for abuse (enumeration, exfiltration, malware/phishing/CSAM hosting, SSRF via previews). A share link or presigned URL is a bearer capability — whoever holds it can act within its scope, with no account — so the capability must be tightly bounded and the served content handled as hostile.
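Worked illustration of the V1 scoped-capability core described above (random bearer token stored only as a hash, one node plus one permission, optional password, expiry, max-downloads, revocation). This is an added example, not BitVault's code: only the column name SHARE.link_token_hash comes from this ADR; the in-memory SHARES table, the permission names "view"/"download" and the PBKDF2 parameters are assumptions for the sake of a runnable sketch.

```python
"""Scoped bearer-capability share links: random token, hash-only storage,
one node + permission, optional password, expiry, max-downloads, revocation."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional, Tuple

PBKDF2_ITERS = 100_000  # assumed parameter for the optional link password


@dataclass
class ShareRecord:
    share_id: str
    node_id: str                  # the single node the link is scoped to
    permission: str               # assumed values: "view" or "download"
    link_token_hash: str          # SHARE.link_token_hash (from the ADR); plaintext is never stored
    expires_at: Optional[float]   # unix timestamp, None = no expiry
    max_downloads: Optional[int]  # None = unlimited
    downloads: int = 0
    revoked: bool = False
    password_salt: Optional[bytes] = None
    password_hash: Optional[bytes] = None


# Constructed in-memory stand-in for the SHARE table, indexed by token hash (assumed).
SHARES: dict = {}


def hash_token(token: str) -> str:
    # A fast hash is enough here: the token carries 256 bits of entropy, so a leaked
    # hash cannot be reversed by guessing (unlike a human-chosen password).
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERS)


def create_share(node_id: str, permission: str, ttl_seconds: Optional[int] = None,
                 max_downloads: Optional[int] = None, password: Optional[str] = None,
                 now: Optional[float] = None) -> Tuple[str, ShareRecord]:
    """Mint a share link. Returns the plaintext token (shown once) and the stored row."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 32 random bytes -> 256 bits, unguessable
    salt = secrets.token_bytes(16) if password else None
    rec = ShareRecord(
        share_id=secrets.token_hex(8),
        node_id=node_id,
        permission=permission,
        link_token_hash=hash_token(token),
        expires_at=None if ttl_seconds is None else now + ttl_seconds,
        max_downloads=max_downloads,
        password_salt=salt,
        password_hash=_hash_password(password, salt) if password else None,
    )
    SHARES[rec.link_token_hash] = rec
    return token, rec


def revoke_share(rec: ShareRecord) -> None:
    rec.revoked = True


def check_share(token: str, node_id: str, want: str, password: Optional[str] = None,
                now: Optional[float] = None) -> Tuple[bool, str]:
    """Validate a presented token against its scope. Returns (allowed, reason).
    The download counter is consumed only on a successful download."""
    now = time.time() if now is None else now
    presented = hash_token(token)
    rec = SHARES.get(presented)
    if rec is None or not hmac.compare_digest(rec.link_token_hash, presented):
        return False, "unknown-token"
    if rec.revoked:
        return False, "revoked"
    if rec.expires_at is not None and now >= rec.expires_at:
        return False, "expired"
    # The capability names exactly one node and one permission; "download" implies "view".
    if node_id != rec.node_id:
        return False, "wrong-node"
    allowed = {"view"} if rec.permission == "view" else {"view", "download"}
    if want not in allowed:
        return False, "permission-exceeded"
    if rec.password_hash is not None:
        if password is None or not hmac.compare_digest(
                _hash_password(password, rec.password_salt), rec.password_hash):
            return False, "password"
    if want == "download":
        if rec.max_downloads is not None and rec.downloads >= rec.max_downloads:
            return False, "download-limit"
        rec.downloads += 1
    return True, "ok"
```

Design note: the token itself is hashed with plain SHA-256 rather than a slow KDF because it is high-entropy and never human-chosen, which is what makes a leaked SHARE table useless to an attacker; the optional password is low-entropy and therefore goes through a salted, iterated KDF. Revocation and expiry are checked before scope and password so a killed link fails fast regardless of what the caller presents.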

Decision

Consequences

Positive

Negative / costs

Alternatives considered

Scaling

Token checks are O(1); abuse scanning runs as event-driven Functions (product/06); CDN + per-tenant limits absorb public read load.