Metbcy/mike

A near-mirror of Mike whose one visible contribution closes a signing-secret hole in the download subsystem.

Barely diverged and quiet - one security fix on the record, last pushed in early May 2026, with no sign of active development since.

View on GitHub →

This is Metbcy's fork of Mike, and right now it sits essentially in step with upstream - no divergence to speak of. If you cloned it today you'd get the Mike you already know, plus one focused piece of security hardening.

That piece is worth the click: @Metbcy closed a signature-forgery gap in the download subsystem. Signed download links are protected by a keyed HMAC, but the backend used to fall back to a hardcoded placeholder secret when no real one was configured - which quietly opened the door to forged tokens. The fork makes the backend refuse to start without a real secret, so a misconfigured deployment fails loudly instead of trusting bad links.

Beyond that single thread, there's little to read into here. No rebrand, no stated niche, no product direction being telegraphed - just a security-minded fix from someone paying attention to how downloads get authenticated. Click through to GitHub if you want the specifics.

What's in it

Direction

security

Activity

Themed changes and pull requests touching this fork, newest first. Themed changes that haven't been turned into a public post yet still appear — they're real work even without a published writeup.

📝 Download-signing secret no longer falls back to a hardcoded value 0 commits securityinfrastructure draft
Metbcy/mike removes a hardcoded `"dev-secret"` fallback in the HMAC signing path for `/download/:token` URLs. Without a real secret configured, the backend now refuses to start rather than silently accepting forged token…

Threads of work (detailed view)

2 threads have been distilled into posts.

Pull requests (detailed view)

2 PRs touch this fork — inbound (filed against it) or outbound (filed from it). State icons match the editorial dashboard.

✅ Merged (2)