counselos slams the door on guessable download links
A fork tuned for in-house legal teams now refuses to start unless someone has set a real signing secret.
Mike hands out download links for documents, and those links are cryptographically signed so they can't be forged or tampered with. The catch: the original code would quietly fall back to a default, guessable key if nobody configured a real one - meaning a rushed deployment could be signing every document link with a secret that's effectively public.
counselos closed that gap. The server now checks for a proper signing secret at startup and simply won't boot without one, printing the exact command to generate a good one. The same update also documents a debug switch that writes file names and snippets of document text to disk, so operators know to leave it off in production. It's a deliberate breaking change: existing instances that never set the secret will need to before they can upgrade.
Spotted something wrong? Or know the PR text has fresher detail than the writeup above?