clapointe-carbonleo/mike-legal

An in-house CarbonLeo build of Mike, rebranded as CarbonIQ, rehosted on Vercel with a login gate and Supabase behind it.

Active and moving fast - 129 commits ahead of upstream across roughly two months, with the latest push at the end of June 2026.

View on GitHub →

This is a private, internal rework of Mike by clapointe-carbonleo - a fork the CarbonLeo team is shaping into their own tool rather than a public product. The most visible change is cosmetic: it's been reskinned as CarbonIQ, trading Mike's pale, serif look for a dark olive-and-gold house style. But the real story is under the hood.

The team has moved the whole stack - the app you use and the server behind it - off Cloudflare and onto Vercel, and put a real front door on it with Supabase email/password login. Worth knowing before you get excited: the login gate is real, but access inside is coarse - anyone who signs in can see everything, so this reads as a trusted-internal-users tool, not a multi-tenant product.

Alongside the platform move, clapointe-carbonleo has been doing housekeeping that any fork can learn from: pulling AI provider keys out of the public web bundle where users could read them, patching a Next.js security advisory, and fixing a project-sharing bug so work shared with a colleague actually shows up. The Vercel migration in particular is clean enough to copy if you're contemplating the same move.

What's in it

Direction

brandinginfrastructuresecurity

Activity

Themed changes and pull requests touching this fork, newest first. Themed changes that haven't been turned into a public post yet still appear — they're real work even without a published writeup.

📝 Next.js bumped to 16.2.4 to patch CVE-2025-66478 1 commit 2mo ago minor change

Threads of work (detailed view)

12 threads have been distilled into posts.

Auth stripped to a hardcoded stub, then partially rebuilt on Supabase JWT

clapointe-carbonleo gutted upstream auth in one commit, re-added a real login page in a second, then restored JWT verification in a third - but never fixed the backend access helpers. The result is a codebase where users authenticate with real tokens but every authorization check returns true for every request.

Fix: stop shipping Anthropic and Gemini API keys in the browser bundle

Upstream Mike reads `NEXT_PUBLIC_ANTHROPIC_API_KEY` and `NEXT_PUBLIC_GEMINI_API_KEY` into the static user profile - which means those values land in the client JS bundle and ship to every browser. clapointe-carbonleo patches this with two lines.

Pull requests (detailed view)

3 PRs touch this fork — inbound (filed against it) or outbound (filed from it). State icons match the editorial dashboard.

✅ Merged (1)

✅ merged · #1 Feat/carbon iq imp
by clapointe-carbonleo · opened 2mo ago · merged 2mo ago by clapointe-carbonleo
clapointe-carbonleo/mike-legal ← clapointe-carbonleo/mike-legal · +1,418 -2,472 · self · ↗ analysis · ↗ GitHub

⛔ Closed without merge (2)