dropthejase tightens the front door on louis

Two small commits close a permissive default that often ships to production by accident.

securityinfrastructure

The team narrowed the fork's API so it only accepts traffic from its own hosted front-end domain, instead of accepting requests from anywhere on the open web. They also turned on a check that every incoming request carries a valid identity token before the back-end will answer it.

Neither change is glamorous, and one of them is later undone when a different sign-in approach replaces it. But the pattern - refuse strangers at the door, demand ID from everyone else - is the kind of basic hygiene that quietly separates a hobby deployment from something a firm could actually put in front of clients.

So what Anyone evaluating an open-source legal-AI fork for real use should check whether it ships locked-down by default or wide-open; louis is moving in the right direction.

View this fork on GitHub →

Spotted something wrong? Or know the PR text has fresher detail than the writeup above?

Commits in this thread

2 commits from dropthejase/louis, oldest first. Source extracted verbatim from the harvested git log.

SHA Subject Author Date

685c7ad5 security: lock CORS to CloudFront domain, enable Identity Pool token check Jason Lee 2026-05-08 ↗ GitHub

SHA	Subject	Author	Date
`685c7ad5`	security: lock CORS to CloudFront domain, enable Identity Pool token check	Jason Lee	2026-05-08	↗ GitHub
commit body - serverSideTokenCheck: true on Identity Pool - revoked tokens can no longer exchange for IAM credentials until expiry - docsBucket CORS allowedOrigins locked to CF distribution domain via Fn::GetAtt (no longer '*'); resolved at deploy time by CloudFormation - ApiStack FRONTEND_URL wired to CF domain token for API Gateway CORS - Removed dev-only RemovalPolicy.DESTROY / autoDeleteObjects from docsBucket; enterprise POC always retains data
`54937c3a`	fix: lock API Gateway CORS allowOrigins to CloudFront domain	Jason Lee	2026-05-09	↗ GitHub

commit body

- serverSideTokenCheck: true on Identity Pool - revoked tokens can no
  longer exchange for IAM credentials until expiry
- docsBucket CORS allowedOrigins locked to CF distribution domain via
  Fn::GetAtt (no longer '*'); resolved at deploy time by CloudFormation
- ApiStack FRONTEND_URL wired to CF domain token for API Gateway CORS
- Removed dev-only RemovalPolicy.DESTROY / autoDeleteObjects from
  docsBucket; enterprise POC always retains data

54937c3a fix: lock API Gateway CORS allowOrigins to CloudFront domain Jason Lee 2026-05-09 ↗ GitHub

Capture this thread into my fork

Download a single Markdown prompt that tells Claude how to port every commit above into your working tree — adapting paths and structure to match your repo. Run it via claude -p < capture-thread-350.md from inside the repo you want the changes in.

⬇ Download capture-thread-350.md