DOWNLOAD_SIGNING_SECRET made mandatory at startup - silent fallback removed
counselos removes the `"dev-secret"` fallback from `downloadTokens.ts` and adds a boot-time check that prints a helpful error and exits if `DOWNLOAD_SIGNING_SECRET` is missing or shorter than 32 characters. Any deployment without the variable set won't start.
The problem being closed: getSecret() in downloadTokens.ts used a three-step fallback chain - DOWNLOAD_SIGNING_SECRET ?? SUPABASE_SECRET_KEY ?? "dev-secret". Both the literal and the coupling to SUPABASE_SECRET_KEY were visible in public source. Any operator who deployed without setting the variable would silently sign download URLs with a guessable or service-coupled key.
The fix cuts the fallback entirely. getSecret() now throws if the variable is absent or under 32 characters. At the module level in backend/src/index.ts, assertRequiredEnv() runs before Express is configured: it collects validation failures into an array, prints them with a suggested fix (openssl rand -hex 32), and calls process.exit(1). The server never reaches app.listen() without a valid secret.
backend/.env.example is updated with documentation for both DOWNLOAD_SIGNING_SECRET and MIKE_DEBUG_STREAMS. The comment on the latter warns that filenames, storage paths, and document text land on disk and stdout when the flag is on - leave it unset in production.
This is a breaking change. Upgrade sequence: generate the secret first, add it to backend/.env, then deploy. Any rollout that deploys the code before setting the variable will fail to start. That's intentional - the explicit error is better than the previous silent misconfiguration.
Spotted something wrong? Or know the PR text has fresher detail than the writeup above?