fix(audit): record null actor for anonymous public-share downloads

Address Greptile P1: setting actorId to the file owner made every anonymous
external download read as a self-download, undermining the exfiltration trail.
recordAudit now accepts a null actor; the public content/inline routes record
actorId=null with the owner in metadata.sharedByUserId and rely on ip/user-agent
for the forensic trail. The misleading owner-attributed file_downloaded PostHog
event is dropped on these anonymous paths.

Author: waleedlatif1

apps/sim/app/api/files/public/[token]/content/route.ts

@@ -8,7 +8,6 @@ import { resolveServableDoc } from '@/lib/copilot/tools/server/files/doc-compile
 import { validateDeploymentAuth } from '@/lib/core/security/deployment-auth'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
-import { captureServerEvent } from '@/lib/posthog/server'
 import { enforcePublicFileRateLimit } from '@/lib/public-shares/rate-limit'
 import { resolveActiveShareByToken } from '@/lib/public-shares/share-manager'
 import { downloadFile } from '@/lib/uploads/core/storage-service'
@@ -78,9 +77,12 @@ export const GET = withRouteHandler(
 
       logger.info('Public shared file served', { token, key: file.key, size: buffer.length })
 
+      // Anonymous external access: the actor is genuinely unknown, so the actor
+      // FK is null (not the owner — that would read as a self-download) and the
+      // share owner is captured in metadata. ip/user-agent carry the trail.
       recordAudit({
         workspaceId: file.workspaceId ?? null,
-        actorId: file.userId,
+        actorId: null,
         action: AuditAction.FILE_DOWNLOADED,
         resourceType: AuditResourceType.FILE,
         resourceId: file.id,
@@ -89,17 +91,12 @@ export const GET = withRouteHandler(
         metadata: {
           access: 'public_share',
           anonymous: true,
+          sharedByUserId: file.userId,
           fileName: file.originalName,
           bytes: buffer.length,
         },
         request,
       })
-      captureServerEvent(
-        file.userId,
-        'file_downloaded',
-        { workspace_id: file.workspaceId ?? '', is_bulk: false, file_count: 1 },
-        file.workspaceId ? { groups: { workspace: file.workspaceId } } : undefined
-      )
 
       // Revalidate every request: a shared file can be unshared, edited, or deleted,
       // so the fixed token URL must never serve stale bytes from a long-lived cache.

apps/sim/app/api/files/public/[token]/inline/route.ts

@@ -11,7 +11,6 @@ import {
 import { validateDeploymentAuth } from '@/lib/core/security/deployment-auth'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
-import { captureServerEvent } from '@/lib/posthog/server'
 import { enforcePublicFileRateLimit } from '@/lib/public-shares/rate-limit'
 import { resolveActiveShareByToken } from '@/lib/public-shares/share-manager'
 import { downloadFile } from '@/lib/uploads/core/storage-service'
@@ -93,22 +92,23 @@ export const GET = withRouteHandler(
       // record a spurious download.
       const response = await serveInlineImage(image, { sniff: true })
 
+      // Anonymous external access: null actor FK (not the owner), share owner in
+      // metadata, ip/user-agent carry the trail.
       recordAudit({
         workspaceId: doc.workspaceId,
-        actorId: doc.userId,
+        actorId: null,
         action: AuditAction.FILE_DOWNLOADED,
         resourceType: AuditResourceType.FILE,
         resourceName: image.filename,
         description: `Public share inline image "${image.filename}"`,
-        metadata: { access: 'public_share', anonymous: true, inline: true },
+        metadata: {
+          access: 'public_share',
+          anonymous: true,
+          inline: true,
+          sharedByUserId: doc.userId,
+        },
         request,
       })
-      captureServerEvent(
-        doc.userId,
-        'file_downloaded',
-        { workspace_id: doc.workspaceId, is_bulk: false, file_count: 1 },
-        { groups: { workspace: doc.workspaceId } }
-      )
 
       return response
     } catch (error) {

packages/audit/src/log.ts

@@ -8,7 +8,13 @@ const logger = createLogger('AuditLog')
 
 interface AuditLogParams {
   workspaceId?: string | null
-  actorId: string
+  /**
+   * The acting user's id (FK to `user.id`). Pass `null` for genuinely
+   * actor-less events such as anonymous public-share access — the row is then
+   * persisted with a null actor and the forensic context (ip/user-agent,
+   * metadata) carries the trail instead.
+   */
+  actorId: string | null
   action: AuditActionType
   resourceType: AuditResourceTypeValue
   resourceId?: string