bmersereau ↗ analysis ↗ GitHub bmersereau/mike
A security-and-reliability-focused fork of Mike, where bmersereau is methodically hardening the backend one quiet footgun at a time.
This fork reads less like a product reimagining and more like a sustained security audit in motion. bmersereau is working through Mike's backend the way a careful reviewer would: closing auth bypasses, tightening how user API keys are stored, putting expiries on download links, capping runaway streams and bulk downloads, and forcing the system to fail loudly when configuration is missing rather than silently fall open.
There's no rebrand here and no obvious niche pivot. What you see instead is a consistent posture - treat ambiguous defaults as bugs, treat reused secrets as bugs, treat unbounded queries as bugs - applied across authentication, encryption, file storage, sharing, and logging. A GDPR-flavoured log cleanup and a draft contributor guide hint at someone thinking about how Mike would behave in a more regulated, more collaborative setting.
If you're evaluating Mike for somewhere that cares about its security floor, this is the fork worth reading. Click through to GitHub to see how much of it has actually landed versus been proposed.
What's in it
- Backend security hardening: A running thread of fixes across authentication, encryption, signed download links, and a timing-attack closure - small patches that collectively raise the floor.
- Fail-loud configuration: Missing or reused secrets are treated as startup errors rather than silent fallbacks, so misconfigured deployments refuse to boot instead of quietly running insecure.
- Stronger credential storage: User API keys move to a per-row salted derivation, so compromising one stored credential no longer compromises the rest.
- Bounded resource usage: Chat listings get paginated, bulk zip downloads get capped, and stalled chat streams get a hard timeout - closing a cluster of reliability complaints.
- Upload and browser hardening: Document uploads, content security policy, and an unpatched XML dependency get addressed together to shrink the XSS and malicious-upload surface.
- Quieter, more compliant logs: Edit-resolution logging is trimmed of identifiable data, nudging the system toward GDPR-style data minimization.
- Contributor onboarding: A draft contributing guide tries to write down the working norms a newcomer would otherwise have to absorb by osmosis.
Direction
security, infrastructure, compliance
Threads of work (detailed view)
bmersereau drafts the house rules for Mike
A proposed contributor guide tries to turn Mike's emerging working norms into something a newcomer can actually read.
bmersereau tightens the bolts on Mike's user table
A schema cleanup turns loose text IDs into real foreign keys - and quietly decides what happens to shared work when a user walks away.
bmersereau puts a 3-minute leash on stalled chat streams
When the model hangs, the connection now dies cleanly instead of dangling forever.
bmersereau caps the bulk download before it bites back
A tight server-side limit on how many documents one user can zip up in a single request.
bmersereau puts a ceiling on runaway chat queries
A small but pointed fix: the chat list endpoint stops handing back everything by default.
bmersereau tightens the screws on Mike's file storage
A small, pointed backend cleanup that closes a cluster of reliability complaints around how Mike handles uploaded documents.
bmersereau tries to stop a backend secret from doing two jobs
A proposed hardening would have forced the user-API-key encryption secret to stand on its own - but it never landed.
bmersereau closes a timing-attack loophole in Mike's download tokens
A security helper meant to be tamper-proof was leaking a tiny clue about its inputs - bmersereau patched the leak before anyone could use it.
bmersereau strips identifiable logs from Mike's edit handler
A small cleanup that doubles as a GDPR posture fix - and surfaces a quieter bug underneath.
bmersereau fixes the silent failure in project sharing
Three bug reports traced back to the same problem: shared access depended on how an email happened to be capitalised on its way in.
bmersereau hardens Mike against three open security holes at once
One pull request takes aim at malicious uploads, weak browser defenses, and unpatched XML library bugs.
bmersereau puts a clock on download links in willchen96's Mike
Shareable file links now expire by default, closing a long-lived exposure if the signing secret ever leaks.
bmersereau hardens how Mike stores user API keys
A quiet but meaningful security upgrade: cracking one stored credential no longer cracks them all.
bmersereau makes the backend fail loud on secret reuse
A quiet config footgun in the Mike backend becomes a startup-time refusal.
bmersereau tries to close a fail-open auth hole in Mike
A proposed fix would have stopped missing config from quietly switching off authentication on the server.
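The two download-link threads above (the expiring links and the timing-attack closure in the token helper) combine into one mechanism: an HMAC-signed token that carries its own expiry and is verified with a constant-time comparison. The following is an added illustration, not code from the bmersereau/mike fork; the secret value, the token layout and the function names are assumptions.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Constructed placeholder. A deployment loads this from config and, in the
# fail-loud spirit of the fork, refuses to start if it is missing or reused.
DOWNLOAD_SIGNING_SECRET = b"constructed-example-secret-not-for-production"
DEFAULT_TTL_SECONDS = 3600  # links expire by default instead of living forever


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _sig(secret: bytes, doc_id: str, expires: int) -> str:
    # The expiry is part of the signed message, so it cannot be edited
    # out of a captured link without invalidating the MAC.
    return _b64(hmac.new(secret, f"{doc_id}:{expires}".encode(), hashlib.sha256).digest())


def make_download_token(doc_id: str, secret: bytes = DOWNLOAD_SIGNING_SECRET,
                        ttl: int = DEFAULT_TTL_SECONDS, now: Optional[int] = None) -> str:
    if not secret:
        raise RuntimeError("download signing secret is not configured")
    expires = (now if now is not None else int(time.time())) + ttl
    return f"{doc_id}:{expires}:{_sig(secret, doc_id, expires)}"


def verify_download_token(token: str, secret: bytes = DOWNLOAD_SIGNING_SECRET,
                          now: Optional[int] = None) -> Optional[str]:
    """Return doc_id when the token is authentic and unexpired, else None."""
    try:
        doc_id, expires_s, presented = token.rsplit(":", 2)
        expires = int(expires_s)
    except ValueError:
        return None  # malformed token: wrong field count or non-integer expiry
    expected = _sig(secret, doc_id, expires)
    # compare_digest runs in time independent of where the strings differ;
    # a plain `==` stops at the first mismatching byte, which is the clue
    # the timing-attack fix in the fork was closing.
    if not hmac.compare_digest(presented, expected):
        return None
    current = now if now is not None else int(time.time())
    if current >= expires:
        return None  # authentic but expired: the link has outlived its TTL
    return doc_id
```

Passing `now` explicitly keeps the expiry logic testable without sleeping; production callers leave it unset.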
Pull requests (detailed view)
🟢 Open (15): all opened by bmersereau 13 to 14 days ago
⛔ Closed without merge (2): opened by bmersereau 13 to 14 days ago, closed 11 days ago