diff --git a/server/cmd/server/router.go b/server/cmd/server/router.go
index 406860bf1..d2674d634 100644
--- a/server/cmd/server/router.go
+++ b/server/cmd/server/router.go
@@ -449,42 +449,11 @@ func NewRouterWithOptions(pool *pgxpool.Pool, hub *realtime.Hub, bus *events.Bus
realtime.HandleWebSocket(hub, mc, pr, slugResolver, w, r)
})
- // Local file serving (when using local storage).
- //
- // The disclosure (security-findings-2026-06-02) explicitly flagged this
- // route as a layer in the SVG-XSS chain: it was unauthenticated, served
- // directory listings, and lacked nosniff/CSP. The primary fix (PR #3023)
- // broke the inline-render step by forcing Content-Disposition: attachment
- // for non-media types, but the layered defenses here stay open until we
- // add them.
- //
- // Auth dispatch is two-track:
- // - Signed-query (?exp=&sig=): the route bypasses middleware.Auth and
- // ServeLocalUpload validates the HMAC signature itself. This is the
- // path used by token-auth clients (Desktop, legacy-token Web,
- // mobile) for inline
/