You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Is your feature request related to a problem? Please describe.
Organizations with secure, isolated compute zones (e.g., Coder workspaces, air-gapped VMs) need a secure way to transfer files OUT of the zone.
Currently, OpenCloud struggles with this for two reasons:
Network Bleed: Standard OpenCloud is bidirectional. If a user can access the OpenCloud domain to upload a file for egress, they can also browse and download files. This breaks strict unidirectional network policies.
The Human Bottleneck: If we implement an "Approval Gate" for file egress, human administrators must manually review every file (logs, ML models, CI/CD artifacts). This is unscalable. Traditional DLP (regex-based) scanning is too brittle and creates endless false positives.
Describe the solution you'd like
We request a Split-Domain Egress Portal combined with an Agentic (AI) Approval Workflow.
1. Split-Domain Network Isolation
OpenCloud should offer a stripped-down, Upload-Only Portal hosted on a completely separate domain (e.g., transfer.opencloud.internal).
The Secure Zone firewall only allows traffic to the transfer domain. The main domain is blocked.
The user logs in, sees no file browser, and can only drag-and-drop files into a Quarantine queue.
2. Agentic Approval (Policy-as-Code)
Instead of humans reviewing every file, OpenCloud utilizes an integrated AI Agent (e.g., OpenCode/Claude).
Admins define data egress policies in plain Markdown (e.g., "Auto-approve log files under 10MB if no PII is found. Escalate PDFs to a human.").
The AI Agent autonomously scans quarantined files against the Markdown policy.
Auto-Approve: Safe files are instantly moved to the main.opencloud.domain for download.
Auto-Reject: Policy violations are deleted and the user is notified.
Escalate: Ambiguous files are flagged in the main UI for a human Admin to review, complete with the Agent's reasoning.
Describe alternatives you've considered
Deploying SFTPGo alongside OpenCloud: Using SFTPGo just for the secure network upload, and manually moving files to OpenCloud later. This breaks the unified user experience.
Traditional Regex DLP Plugins: Legacy DLP is too rigid. AI Agents provide contextual understanding (e.g., knowing the difference between a fake API key in a test script vs. a real production credential).
Is your feature request related to a problem? Please describe.
Organizations with secure, isolated compute zones (e.g., Coder workspaces, air-gapped VMs) need a secure way to transfer files OUT of the zone.
Currently, OpenCloud struggles with this for two reasons:
Describe the solution you'd like
We request a Split-Domain Egress Portal combined with an Agentic (AI) Approval Workflow.
1. Split-Domain Network Isolation
OpenCloud should offer a stripped-down, Upload-Only Portal hosted on a completely separate domain (e.g.,
transfer.opencloud.internal).transferdomain. Themaindomain is blocked.2. Agentic Approval (Policy-as-Code)
Instead of humans reviewing every file, OpenCloud utilizes an integrated AI Agent (e.g., OpenCode/Claude).
main.opencloud.domainfor download.Describe alternatives you've considered
Additional context
Network Architecture & Egress Flow
graph TD subgraph "Secure Zone (Isolated)" UserSecure[Workspace User] end subgraph "OpenCloud Deployment" UploadPortal[Upload Portal<br/>transfer.opencloud.internal] Quarantine[(Quarantine Storage)] Agent[AI Policy Agent<br/>Reads Markdown Rules] MainFrontend[Main OpenCloud UI<br/>main.opencloud.domain] StandardDrive[(Standard Storage)] end subgraph "Public / Office Network" Admin[Human Approver] UserPublic[User on Office PC] end %% Network Flow UserSecure -->|1. Allowed: Upload Only| UploadPortal UserSecure -.-x|Blocked by Firewall| MainFrontend UploadPortal -->|2. Files Staged| Quarantine Quarantine -->|3. Analyzes| Agent Agent -->|4a. Auto-Approve| StandardDrive Agent -->|4b. Escalate for Review| MainFrontend Admin -->|5. Reviews Agent Notes & Approves| MainFrontend MainFrontend --> StandardDrive UserPublic -->|6. Logs in & Downloads| MainFrontend style UploadPortal fill:#ccffcc,stroke:#333 style Agent fill:#e7d4ff,stroke:#333 style Quarantine fill:#fff3cd,stroke:#333 style StandardDrive fill:#bbf,stroke:#333Agentic Approval Decision Tree
flowchart TD Upload([File uploaded via transfer.opencloud.internal]) --> Agent subgraph Agentic Evaluation Agent[AI Agent reads Markdown Policy] --> Scan[Agent scans file content & metadata] Scan --> Eval{Does file pass<br/>Markdown rules?} end Eval -->|Yes - Clear| AutoApp[✅ Auto-Approve] Eval -->|No - Violation| AutoRej[❌ Auto-Reject] Eval -->|Unsure - Ambiguous| Escalate[⚠️ Escalate to Human] AutoApp --> Available[Moved to main.opencloud.domain] AutoRej --> Delete[File Deleted + User Notified] Escalate --> Queue[Admin UI: Pending Approval] Queue -.->|Agent provides summary<br/>e.g. 'Found confidential watermark'| Human[Admin logs in] Human -->|Approves| Available Human -->|Rejects| Delete style Agent fill:#e7d4ff style AutoApp fill:#d4edda style AutoRej fill:#f8d7da style Escalate fill:#fff3cd