Lef-F/mike

Lef-F/mike: self-host stack, upstream security audit, and a jsonb bug fix

Active fork with three areas of meaningful work: self-host infrastructure, security audit of upstream PRs, and a jsonb bug fix. The security findings are relevant to any fork that took the MCP Connectors or OpenRouter upstream PRs without an independent review.

View on GitHub →

Lef-F has done more active development work than most forks in this catalog. Three distinct threads are visible.

The most substantial is a complete self-hosted deployment: docker-compose replacing Supabase Cloud and Cloudflare R2 with vanilla Postgres, GoTrue, PostgREST, Garage (S3), and Caddy - docker compose up on a single host with no managed services. The implementation is detailed and includes real first-boot debugging that surfaced non-obvious issues with Garage bootstrap and backend auth routing.

The second thread is a cherry-pick of eight upstream willchen96/mike PRs (OpenRouter, MCP Connectors, and six fixes) followed by a 13-commit code review of the merged tree. That review found four security gaps in the upstream-contributed code - SSRF in MCP URL handling, a missing RLS migration, a dev-secret fallback in the OAuth flow, and unbounded MCP tool output - plus eight application bugs and a round of deduplication work.

The third is a standalone backend bug fix: .contains() on a jsonb column was receiving a plain JS array instead of a JSON string, silently breaking project sharing for non-owners with a 500 error.

What's in it

Direction

infrastructuresecurity

Activity

Themed changes and pull requests touching this fork, newest first. Themed changes that haven't been turned into a public post yet still appear — they're real work even without a published writeup.

Threads of work (detailed view)

5 threads have been distilled into posts.

Pull requests (detailed view)

2 PRs touch this fork — inbound (filed against it) or outbound (filed from it). State icons match the editorial dashboard.

🟢 Open (1)

✅ Merged (1)