bmersereau puts a cap on bulk downloads before they can crash the server
A fork of the Mike legal-AI codebase closes a resource-exhaustion hole in its bulk document export.
In this fork of Mike, any logged-in user could ask the backend to bundle up an unlimited number of documents into a single zip file. The catch: the server pulled every one of those files into memory at once to build the archive. Feed it enough large documents and a single request could spike memory hard enough to threaten the whole application - a denial-of-service waiting to happen, and one that had already been flagged twice as a real concern.
bmersereau's fix is deliberately small. Bulk downloads now have a fixed ceiling, and any request over the limit is rejected up front, before a single file is read. The change also stands up basic test tooling for the backend and adds a check confirming the guard is present in the code, though that check verifies the limit exists rather than stress-testing the endpoint under real load.
Spotted something wrong? Or know the PR text has fresher detail than the writeup above?