Dshamir/AI-Legal

Hardened, self-hosted Mike fork with Prisma ORM, Redis caching, and a Docker-based AI Legal stack.

Active infrastructure-focused fork. Changes span backend hardening, ORM migration off Supabase SDK to Prisma, Redis caching, credit enforcement, a self-hosted Docker stack, and GitHub Actions CI. Roadmap content suggests longer-term architectural intent beyond the upstream feature set.

View on GitHub →

Dshamir/AI-Legal has been through substantial infrastructure work since forking. The main themes: backend request hardening (input validation, structured logging, error tracking via Sentry, Content Security Policy), a credit enforcement layer, and workflow export/import. On the data side, the Supabase SDK was replaced with Prisma ORM for database access. Frontend work added auth middleware, error tracking, and accessibility improvements.

The self-hosting story got significant attention - a custom ailegal.sh orchestration script drives a Docker stack, and the repo ships CI via GitHub Actions. Redis caching and HTTP cache headers arrived alongside encryption key rotation. The repo also carries substantial README and roadmap churn, which suggests active development with someone thinking about future architecture.

What's in it

Direction

infrastructuresecuritymulti-tenant

Activity

Themed changes and pull requests touching this fork, newest first. Themed changes that haven't been turned into a public post yet still appear — they're real work even without a published writeup.

📝 README and project documentation churn 12 commits 2mo ago minor change
📝 Testing harness and GitHub Actions CI 7 commits 2mo ago minor change

Threads of work (detailed view)

16 threads have been distilled into posts.

Monthly credit metering and workflow export/import

Dshamir adds per-user monthly credit enforcement on both chat streaming routes and portable workflow files - two product features that signal the fork is targeting metered multi-tenant operation.

Security fixes: filename sanitization, timing-safe HMAC, HKDF salts, RLS deny-all

Dshamir integrates four upstream PRs addressing concrete vulnerabilities: a prompt-injection vector via crafted filenames, a length-oracle side channel in download token verification, weak API key encryption, and an open PostgREST data plane with no row-level access control.

11-service self-hosted stack with a Bash orchestrator

Dshamir converts the upstream prototype into a turnkey self-hosted deployment: a `docker-compose.yml` spanning 11 services, a `ailegal.sh` CLI that wraps Compose with health checks, dynamic port allocation, and database commands, and a round of first-run bug fixes to make the whole thing actually work on a fresh machine.

Roadmap documents: distributed workers, MCP/plugin architecture, deployment path

Dshamir commits a series of planning documents laying out where the fork is heading: a 295-line candidate PRD for BullMQ worker offloading, an MCP server/client and plugin system design, local and cloud LLM provider support, and a Docker Compose to Kubernetes progression via k3s, Helm, and KEDA.

Next.js auth middleware, Sentry wiring, and a build-time crash fix

Dshamir adds Next.js auth middleware, client-side error tracking, and an accessibility skip-link to the frontend, then fixes a build-time crash where the Supabase client threw on empty env vars during static page generation.

Full Prisma migration: Supabase SDK data access removed from 13 files

Dshamir replaces every `supabase.from()` call in the backend with Prisma client queries against Postgres, decoupling persistence from the Supabase SDK. This is the fork's largest single change - 13 files rewritten, roughly 2100 lines net removed.

Four request-hardening primitives wired into Express

Dshamir adds Zod validation, Pino structured logging, GlitchTip/Sentry error tracking, magic-byte MIME validation, and a strict Helmet CSP to the Express backend - all as self-contained modules that drop in without touching route logic.