[C2] Unauthenticated downloads.rs: hardcoded prod relay URL + default API-key fallback + false support-embedding docstring #11
Severity: Critical
Component(s): server
Affected file(s): server/src/api/downloads.rs

Problem: downloads.rs contains a hardcoded production relay URL plus a "managed-agent" default API-key fallback, and a support-download docstring that claims it embeds a value it does not actually embed.

Recommended fix: Move the URL and key into Config/AppState, have handlers take State, implement (or correct the docstring for) support embedding, and remove the default key.

Remediation phase: P0 (SPEC-019)
From the 2026-06-05 three-way review (Claude+Gemini+Grok) — see reports/review-2026-06-05/SYNTHESIS-three-way.md (finding C2) and REMEDIATION-PLAN.md (P0).
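As an added example, not the project's own code, this is the shape the recommended fix takes in Rust: the relay URL and API key are loaded once at startup with no default substituted for a missing key, and the handler reads them from shared state instead of module constants. The names Config, AppState, RELAY_URL, RELAY_API_KEY and download_handler are assumed, and axum's State extractor is modelled as a plain &AppState so the block runs with the standard library only.

```rust
// Added example (not the project's code). Assumed names: Config, AppState,
// RELAY_URL, RELAY_API_KEY, download_handler.

#[derive(Debug, PartialEq)]
pub enum ConfigError {
    Missing(&'static str),
    Empty(&'static str),
}

#[derive(Debug, Clone)]
pub struct Config {
    pub relay_url: String,
    pub relay_api_key: String,
}

impl Config {
    /// Build from any key/value lookup so it can be tested without touching the
    /// process environment. No default is substituted for a missing key: the
    /// anti-pattern flagged in the issue is `var("RELAY_API_KEY").unwrap_or(DEFAULT)`,
    /// which silently ships a shared key to every deployment that forgot to set one.
    pub fn from_lookup<F: Fn(&str) -> Option<String>>(lookup: F) -> Result<Self, ConfigError> {
        let get = |name: &'static str| -> Result<String, ConfigError> {
            let v = lookup(name).ok_or(ConfigError::Missing(name))?;
            if v.trim().is_empty() {
                return Err(ConfigError::Empty(name));
            }
            Ok(v)
        };
        Ok(Config { relay_url: get("RELAY_URL")?, relay_api_key: get("RELAY_API_KEY")? })
    }

    /// Production entry point: read from the environment; fail at startup, not at first request.
    pub fn from_env() -> Result<Self, ConfigError> {
        Self::from_lookup(|name| std::env::var(name).ok())
    }
}

/// Shared state handed to every handler (what an axum `State<AppState>` would carry).
pub struct AppState {
    pub config: Config,
}

/// The handler reads relay settings from state; nothing is hardcoded here.
/// Returns the outbound request it would make: (relay URL, Authorization header value).
pub fn download_handler(state: &AppState, artifact: &str) -> (String, String) {
    let base = state.config.relay_url.trim_end_matches('/');
    let url = format!("{}/download/{}", base, artifact);
    let auth = format!("Bearer {}", state.config.relay_api_key);
    (url, auth)
}

fn main() {
    match Config::from_env() {
        Ok(cfg) => println!("{:?}", download_handler(&AppState { config: cfg }, "agent.tar.gz")),
        Err(e) => {
            eprintln!("refusing to start: {:?}", e);
            std::process::exit(1);
        }
    }
}
```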