GitHub PR #325: Security Fix Claimed, Code Missing — Critical Vulnerability Remains Open

A critical security vulnerability remains unpatched after a GitHub pull request claiming to fix it was merged without implementing the necessary code changes. PR #325, titled to address a flaw where an API key was transmitted over plaintext HTTP, only added a single line to a changelog file. The actual source code files referenced in the pull request description—`setup/bootstrap.sh` and `export-api-key.conf`—were left untouched, leaving the system's security posture unchanged and the original exposure active.

The discrepancy is stark. The PR description explicitly claimed to replace an insecure inline authentication check in `bootstrap.sh` with an HTTP 403 block and to update a configuration file to use a production-compatible syntax. However, the actual diff for the merged commit shows modifications solely to `CHANGELOG.md`. This means the `/api/exports/` endpoint continues to serve data with API key authentication over port 80 without TLS, and the legacy configuration syntax persists. Any network observer can still intercept the API key in transit, exactly as described in the original issue #250.

This incident reveals a significant procedural failure in the project's code review and merging process. A security-critical patch was approved and integrated based on its description, not its substance, creating a false record of remediation. The required action is immediate: the PR must be re-opened or a new one created to implement the promised changes to the bootstrap script and configuration file. Until then, the system operates with an unresolved and documented security flaw, posing a direct risk of credential interception.