Severity
Medium-High (surprising insecure default / footgun)
Where
ui/desktop/src/main.ts
What was observed
If process.env.GOOSE_EXTERNAL_BACKEND is set, the server secret becomes the literal string "test".
Why this matters
This is the classic "debug hook shipped to production" risk. If a user (or a packaging environment) sets GOOSE_EXTERNAL_BACKEND unintentionally, the desktop app ends up with a predictable shared secret that anyone aware of the code can supply.
If the external backend is not strictly localhost-only, the risk is substantially worse, because the predictable secret is then usable by any host that can reach the backend.