CaseMark/mikeoss-casedotdev

Full Case.dev platform integration on top of the willchen96/mike base, with a hosted public demo and BYOK escape hatches for LLM routing and Postgres.

Active production fork. kveton shipped roughly 18 topics across bring-up, feature work, and hardening. The integration is deep -- a "Case-free fork" is possible but requires replacing storage, text extraction, search, model routing, legal research, and matter metadata before the app is useful. Adoption cost is high; worth evaluating if Case.dev is already in your stack or you want a reference for how to integrate it end-to-end.

View on GitHub →

kveton's fork replaces mike's original storage, model routing, and workspace primitives with Case.dev counterparts: Vault for document storage and RAG, Matters as the workspace primitive, a model gateway instead of single-provider assumptions, and Skills for workflow discovery. Better Auth handles user sessions with per-user encrypted Case.dev credentials. An optional BYOK path lets users supply their own Anthropic or Gemini keys for direct LLM routing without touching the document infrastructure.

The fork shipped a public demo at mike.casemark.dev with per-user lifetime budget metering ($5 default), a pause gate via MIKE_DEMO_MODE, and a /demo-status endpoint the frontend reads to show a landing page when the demo is paused. A substantial pre-launch hardening pass covered AI-route rate limiting, safe error sanitization on document routes, a jsonb column registry fixing silent write failures, and error propagation for streamed chat events. The document display and DOCX routes were moved from storage redirects to backend byte proxies to keep auth at a single boundary.

Password policy (minimum length 6 to 8), signup validation alignment, and a GitHub source link in the footer round out the smaller changes.

What's in it

Direction

infrastructuresecuritybranding

Activity

Themed changes and pull requests touching this fork, newest first. Themed changes that haven't been turned into a public post yet still appear — they're real work even without a published writeup.

📝 CaseMark is locking the doors before launch 7 commits 3mo ago infrastructuresecurity draft
A quiet seven-commit hardening pass turns this Mike fork from a working prototype into something safe to put in front of real users.
✅ #4 Allow personal Case.dev keys in demo mode +57 -59 3mo ago self by kveton ↗ analysis ↗ GitHub
## Summary\n- Make hosted Demo Mode use the shared Case.dev key only when a user has not saved a personal Case.dev key.\n- Allow users to save or clear their own Case.dev key in Demo Mode; clearing falls back to the shar…
✅ #3 Fix signup password validation +15 -8 3mo ago self by kveton ↗ analysis ↗ GitHub
## Summary\n- Align signup form validation and copy with the backend's 8-character minimum password policy.\n- Surface Better Auth error messages from plain error objects instead of showing a generic signup failure.\n\n#…
📝 CaseMark hands you the exit map for Case.dev 5 commits 3mo ago integrationinfrastructure draft
The fork now documents, in plain terms, exactly how deeply it leans on its underlying AI platform - and how hard each piece would be to swap out.
Show 7 more
📝 Signup password minimum length 6 → 8 2 commits 3mo ago minor change
📝 CaseMark hands every user their own AI key 5 commits 3mo ago securityinfrastructure draft
CaseMark's fork lets each person plug in their own Anthropic or Gemini credentials instead of riding on a shared, firm-wide key.

Threads of work (detailed view)

31 threads have been distilled into posts.

Demo budget card stays visible when a personal key overrides the shared demo key

The demo budget card was disappearing when a user saved their own Case.dev API key. Since the personal key only overrides the shared key rather than erasing the underlying budget, the card should still be visible - just labeled differently. This pair of commits makes that distinction visible in the UI.

CaseMark is locking the doors before launch

A quiet seven-commit hardening pass turns this Mike fork from a working prototype into something safe to put in front of real users.

Post-merge hardening: expiring download tokens, AI rate limits, streamed chat error handling

kveton bundled a set of post-merge hardening commits that missed a review cycle on the previous branch, pairing them with one new fix for chat stream errors. The result is a PR that tightens several security-adjacent gaps and fixes the most visible user-facing failure mode: a chat that hangs mid-stream when the backend sends an error frame.

Demo budget 402 errors propagated through all document load routes

Previously a demo user who hit their spending limit would see a generic 500 when trying to open a document - the budget error was being caught and swallowed inside the storage layer. This PR surfaces a typed `HTTP 402` with `code: "demo_budget_exceeded"` through every document-facing route, and retunes the demo cost model so only LLM calls actually count against the budget.

Demo budget errors propagated through document preview and download routes

Document previews were returning 404s when the real failure was a `DemoBudgetExceededError` from Case Vault. kveton traced the masking to the storage helpers swallowing the error into null, then rewired the display, DOCX, URL, and download-token routes to surface a 402 instead.

Document display proxied through the backend; profile fetches parallelized

Two follow-up fixes after the Case.dev migration. The `GET /single-documents/:id/display` route stopped issuing a 302 redirect to a Case Vault signed URL and now proxies the bytes through the backend. Profile data for the Account > Models page shifted from sequential awaits to `Promise.all`, eliminating a false "missing key" flash on load.

Document display route proxies bytes instead of redirecting to Case Vault

kveton fixed a production "Failed to load document" error by replacing a 302 redirect to a Case Vault presigned URL with a backend byte proxy. The single-document display endpoint now downloads the file server-side and streams it to the browser with the correct content-type and `private, no-store` cache headers.

CaseMark hands you the exit map for Case.dev

The fork now documents, in plain terms, exactly how deeply it leans on its underlying AI platform - and how hard each piece would be to swap out.

Demo key priority inverted, /demo-status kill switch, integration depth docs

Three threads around launching the public demo at mike.casemark.dev. The first fixes a fundamental flaw in the demo key resolution: the shared key was taking priority over personal keys, making it impossible for users to save their own. The second adds a `/demo-status` endpoint and a client-side gate that swaps the app for a landing page without a redeploy. The third documents what Case.dev services are actually wired vs. candidates for later.

Pause gate, /demo-status endpoint, and Case.dev integration docs

kveton added a public `/demo-status` endpoint and a frontend landing page that activates when `MIKE_DEMO_CASE_API_KEY` is set but `MIKE_DEMO_MODE` is off -- a clean way to pause the hosted demo without taking the whole app down. This PR also doubled as the README for the fork's Case.dev integration, laying out the full primitive map and BYOK escape hatches.

Personal Case.dev key takes priority over shared demo key

The CaseMark fork's demo mode previously gave the shared demo key unconditional priority, making it impossible for users to save their own Case.dev key within Demo Mode. kveton inverted that logic so the personal key wins when present, with the shared demo key as fallback.

Signup form minimum password length aligned with backend (6 -> 8 characters)

The signup page in CaseMark's fork was enforcing a 6-character minimum while the backend required 8. A user who entered a 7-character password passed the frontend gate, hit `PASSWORD_TOO_SHORT` from Better Auth, and got a generic error with no explanation. This commit fixes both sides.

CaseMark hands every user their own AI key

CaseMark's fork lets each person plug in their own Anthropic or Gemini credentials instead of riding on a shared, firm-wide key.

BYOK Anthropic and Gemini keys stored encrypted alongside Case.dev gateway

kveton added a second credential surface to the CaseMark fork. Users can now route Anthropic and Gemini calls directly with their own keys instead of going through the Case.dev model gateway. The credential management sits in a new `provider_api_credentials` Postgres table with encrypted storage, live validation, and soft-delete on removal.

kveton adds encrypted BYOK storage for Anthropic and Gemini provider keys

CaseMark's mikeoss-casedotdev fork now lets users save their own Anthropic or Gemini keys alongside (or instead of) the Case.dev model gateway. Keys are encrypted at rest using the same helpers already in place for Case credentials, validated against a live `/v1/models` call on save, and stored with verification metadata. The model catalog then reads from whatever credentials are configured to decide which providers are selectable.

CaseMark fork bring-up: Supabase/R2 replaced with Case.dev Vault and Better Auth

This is the fork's founding commit bundle. Two massive diffs (+9804 and +7335 lines across 78 and 74 files) replace Mike's upstream Supabase auth, Supabase Postgres client, and Cloudflare R2 storage with Case.dev Vault as the document store, Better Auth with encrypted per-user keys, and a new `postgresCompat.ts` shim for raw SQL access. A follow-up commit hardens the public release with rate limiting, expiring download tokens, and the removal of plaintext provider key columns.

Case.dev public release: Vault, Matters, Skills, Demo Mode, Vercel deployment

kveton merged the closing batch of the Case.dev public release branch into `mikeoss-casedotdev`, bundling Matter and Vault integration polish, demo metering, Vercel deployment entrypoints, and a security hardening pass. This is the point where the fork shifts from internal work-in-progress to a deployable public artifact.

Pull requests (detailed view)

9 PRs touch this fork — inbound (filed against it) or outbound (filed from it). State icons match the editorial dashboard.

✅ Merged (9)