mrkairolee-crypto puts a clock on document download links

Permanent download links that anyone could reuse forever are now short-lived and single-purpose.

securitycompliance

In the original Mike codebase, the links used to download a document stayed valid indefinitely. Paste one into a chat thread or an email and it kept working - a quiet confidentiality hole, since a link that leaks is as good as the document itself.

This fork closes that gap. Download links now carry an expiry (24 hours by default) and are tied to a single purpose, so a stale or repurposed link simply stops working. The convenient, copy-paste-friendly format is kept; what changes is how long it lives. mrkairolee-crypto also paired the change with a real test suite covering expiry, tampering, and misuse - a sign this fork is starting to harden its backend properly. The route still re-checks access on every request, so this is a belt-and-braces tightening rather than the only line of defense.

So what Anyone running Mike where documents carry privilege or client confidentiality should look at importing this - it's small, well-tested, and closes a leak-by-link risk.

Spotted something wrong? Or know the PR text has fresher detail than the writeup above?

Commits in this thread

1 commit from mrkairolee-crypto/mike, oldest first. Source extracted verbatim from the harvested git log.

SHA	Subject	Author	Date
`feae01a6`	feat: expire download tokens (#2)	Kairo C.H. Lee	2026-05-27	↗ GitHub
Co-authored-by: Kairo Lee <kairolee@KairodeMacBook-Pro-2.local>

SHA

Subject

Author

Date

feae01a6

feat: expire download tokens (#2)

Kairo C.H. Lee

2026-05-27

↗ GitHub

Co-authored-by: Kairo Lee <kairolee@KairodeMacBook-Pro-2.local>

Capture this thread into my fork

Download a single Markdown prompt that tells Claude how to port every commit above into your working tree — adapting paths and structure to match your repo. Run it via claude -p < capture-thread-620.md from inside the repo you want the changes in.