abbyshekit goes leak-hunting in Mike's backend

Three small, targeted security fixes, each closing a concrete way access or client data could slip out - though the pull request was closed minutes after it was filed, so none of it actually landed.

securitycompliance

abbyshekit bundled three surgical fixes into a single change, each shutting one specific exposure without touching the rest of the app:

  • Chat access: an authenticated user could attach a chat to any project, including ones they had no permission to read. The fix runs the same ownership check the rest of the app already enforces, and rejects malformed requests cleanly instead of failing deep in the database.
  • Document logging: raw model output - which for a legal-AI app can include user-submitted documents - was being written to a plain file on disk on every single chat. It is now off by default and, when deliberately switched on, locked down so only the file's owner can read it.
  • Download links: a hardcoded fallback secret meant anyone could mint valid download URLs when none was configured. Now the server refuses to boot until a real secret is set, rather than silently trusting a shared default.
So what Anyone running their own Mike fork should check these three spots directly - the fixes never merged, but the exposures are real, and the chat-access gap was independently caught elsewhere in the ecosystem.

View this fork on GitHub →

Spotted something wrong? Or know the PR text has fresher detail than the writeup above?