# Tailscale Funnel: Share Generated HTML Outputs Publicly

When generating rich HTML files (schematics, reports, data visualizations, architecture diagrams), use Tailscale Funnel to share them with a public HTTPS link. The user can open it on mobile, desktop, or share the link with others.

## Setup

```bash
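# 1. Serve the output directory with a minimal HTTP server (background).
#    Bind to loopback: Funnel proxies to 127.0.0.1:8080, so the server
#    does not need to listen on LAN or public interfaces.
cd ~/.hermes/output/public && python3 -m http.server 8080 --bind 127.0.0.1 &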

# 2. Expose via Tailscale Funnel (background, persists after shell exits)
tailscale funnel --bg 8080

# 3. Get the public URL
tailscale funnel status
# → https://<hostname>.<tailnet>.ts.net/
```

## Directory Structure

Only expose a dedicated `public/` subdirectory, never the entire `~/.hermes/`:

```
~/.hermes/output/
└── public/               ← Serve THIS directory
    ├── report-01.html
    ├── architecture.html
    └── ...
```

## Security

- **No API keys in public HTML** — Never include `.env`, config with keys, or tokens in served files
- **Funnel is HTTPS-only** — Traffic is encrypted end-to-end via Tailscale's edge
- **No port forwarding needed** — Doesn't touch cloud firewall/security groups
- **Revocable** — `tailscale funnel reset` kills the exposure instantly
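
A pre-publish check for the first rule above, as an added example (not part of the original page or of Tailscale's tooling). It flags dotfiles and key-like filenames, symlinks (which `http.server` follows), and credential-shaped strings in the served directory; the names `check_public_dir` and `SECRET_RE` and the patterns themselves are assumptions, not an exhaustive secret scanner.

```bash
# Added example: pre-publish check for the directory served through Funnel.
# check_public_dir and SECRET_RE are assumed names; the patterns are
# illustrative credential shapes, not an exhaustive secret scanner.
SECRET_RE='AKIA[0-9A-Z]{16}|gh[pousr]_[A-Za-z0-9]{36,}|-----BEGIN [A-Z ]*PRIVATE KEY-----|(api[_-]?key|secret|token|password)[^A-Za-z0-9]{1,4}[A-Za-z0-9/+_-]{16,}'

check_public_dir() {
  dir=$1
  [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }

  findings=$(
    # 1. Dotfiles (.env, .git) and key/config-like names do not belong here.
    find "$dir" -mindepth 1 \( -name '.*' -o -name '*.env' -o -name '*.pem' \
      -o -name '*.key' \) | sed 's/^/DISALLOWED NAME: /'
    # 2. http.server follows symlinks, so a link can expose files outside $dir.
    find "$dir" -type l | sed 's/^/SYMLINK: /'
    # 3. Credential-shaped strings in text files (-I skips binaries).
    grep -rIliE -e "$SECRET_RE" "$dir" 2>/dev/null | sed 's/^/POSSIBLE SECRET: /'
  )

  # Without index.html, http.server lists every file at the root URL.
  [ -f "$dir/index.html" ] || echo "NOTE: no index.html, directory listing is served at /"

  if [ -n "$findings" ]; then
    printf '%s\n' "$findings"
    return 1
  fi
  echo "OK: $dir"
}

# Usage: gate the funnel on the check passing.
# check_public_dir ~/.hermes/output/public && tailscale funnel --bg 8080
```

A pattern match is only a prompt to inspect the file; a clean result does not prove the directory is free of secrets.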

## File Organization Convention

When serving multiple HTML files over time, use consistent naming:

```
https://<hostname>.<tailnet>.ts.net/hermes-github-plan.html
https://<hostname>.<tailnet>.ts.net/session-summary-2026-05-15.html
```

## Teardown

```bash
tailscale funnel reset    # Stop funnel
kill %1                   # Stop HTTP server (same shell only; otherwise: pkill -f 'http.server 8080')
```

## Pitfalls

- Must use `--bg` flag for background persistence (otherwise funnel runs in foreground and times out)
- The HTTP server needs to keep running alongside funnel
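- No auth on the funnel URL — anyone with the link can see the content, and because `python3 -m http.server` serves a directory listing when there is no `index.html`, the base URL shows every file in `public/`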
- The Tailscale Funnel URL includes the tailnet name, which may reveal the tailnet owner
