Share Link Privacy
How export data is validated and privacy-scrubbed for public sharing
Privacy Scrubbing Overview
This document describes how export data is validated and what guarantees the privacyScrubbed: true flag provides when viewing shared evaluations.
Security Guarantee
Export data for public share links is validated at publish time. Any sensitive data is rejected before storage - no secrets can ever reach the public.
What Is Scrubbed
Export data for public share links is validated at publish time. The following are rejected (never stored):
❌ Secret-like Keys
Case-insensitive, anywhere in the object tree:
- apiKey, api_key
- authorization
- bearer, bearer_token
- secret
- password
- token
- organizationId, organization_id
- userId, user_id
- createdBy, created_by
- annotatorId, annotator_id
- internalNotes, internal_notes
❌ Secret-like Values
Detected in strings:
- Values matching sk-...
❌ Unauthorized Top-level Keys
Top-level keys not in the allowlist are rejected:
- _internal
- share_id
- published_at
✅ Allowed Top-level Keys
Only these keys are permitted in shared exports:
- evaluation
- timestamp
- summary
- qualityScore
- type
- testResults
- evaluations
- judgeEvaluations
- criteria
- interRaterReliability
- variants
- results
- statisticalSignificance
- comparison
- codeValidation
- judgePrompt
- judgeModel
- aggregateMetrics
See src/lib/shared-exports/sanitize.ts.
When Scrubbing Happens
Write-time Only
The single write path for shared_exports uses prepareExportForShare() (sanitize + validate). All inserts/updates to shared_exports.exportData go through this path.
If any forbidden keys or secret-like values are detected, the request fails with a validation error. No unsanitized export can ever be persisted.
Read-time
The export endpoint GET /api/exports/[shareId] returns stored exportData (already validated at publish) and sets privacyScrubbed: true in the DTO.
What privacyScrubbed: true Means
✅ What It Guarantees
- Export data was validated at publish time
- No PII/secrets in the payload
- Implementation uses assertNoSecrets (rejects)
- Data with secrets never reaches storage
⚠️ What It Does NOT Mean
- No PII in evaluation names or descriptions — those are allowed and may contain user-provided text
- No scrubbing of content within allowed fields (e.g. test case inputs/outputs)
- Content filtering or sanitization of user-provided text
Security Flow
1. Export Request: User requests to share evaluation data
2. Validation: prepareExportForShare() scans for secrets and forbidden keys
3. Storage: Only validated data is stored with privacyScrubbed: true
4. Public Access: Anyone can view the scrubbed data via share link
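The validation rules from "What Is Scrubbed" and the flow above, as an added TypeScript illustration that is not the project's sanitize.ts: the function and constant names, the exact sk-... regex, and the case-sensitive treatment of the top-level allowlist are assumptions. The key lists are the ones this page gives.

```typescript
// Added example, not the project's code: key lists come from the page, names are assumed.
// Forbidden keys are matched case-insensitively anywhere in the tree, so they are stored lowercased.
const FORBIDDEN_KEYS = new Set([
  "apikey", "api_key", "authorization", "bearer", "bearer_token", "secret",
  "password", "token", "organizationid", "organization_id", "userid", "user_id",
  "createdby", "created_by", "annotatorid", "annotator_id", "internalnotes",
  "internal_notes",
]);
// Top-level allowlist from the page; exact (case-sensitive) match is an assumption.
const ALLOWED_TOP_LEVEL = new Set([
  "evaluation", "timestamp", "summary", "qualityScore", "type", "testResults",
  "evaluations", "judgeEvaluations", "criteria", "interRaterReliability",
  "variants", "results", "statisticalSignificance", "comparison",
  "codeValidation", "judgePrompt", "judgeModel", "aggregateMetrics",
]);
// The page names the sk-... prefix for secret-like string values; this pattern is an assumption.
const SECRET_VALUE = /\bsk-[A-Za-z0-9_-]{8,}/;

class ExportValidationError extends Error {}

// Walks the whole object tree. Rejects (never redacts): the first hit aborts the publish,
// and the path is reported so the failure can be logged without echoing the value itself.
function assertNoSecrets(value: unknown, path = "$"): void {
  if (typeof value === "string") {
    if (SECRET_VALUE.test(value)) throw new ExportValidationError(`secret-like value at ${path}`);
    return;
  }
  if (Array.isArray(value)) {
    value.forEach((v, i) => assertNoSecrets(v, `${path}[${i}]`));
    return;
  }
  if (value && typeof value === "object") {
    for (const [k, v] of Object.entries(value as Record<string, unknown>)) {
      if (FORBIDDEN_KEYS.has(k.toLowerCase())) throw new ExportValidationError(`forbidden key at ${path}.${k}`);
      assertNoSecrets(v, `${path}.${k}`);
    }
  }
}

// Single write-path gate: allowlist the top level, then scan the tree. Returns the data
// unchanged on success; note that allowed fields are NOT content-filtered (see caveats above).
function prepareExportForShare(data: Record<string, unknown>): Record<string, unknown> {
  for (const k of Object.keys(data)) {
    if (!ALLOWED_TOP_LEVEL.has(k)) throw new ExportValidationError(`top-level key not allowed: ${k}`);
  }
  assertNoSecrets(data);
  return data;
}
```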