clapointe-carbonleo/mike-legal

clapointe-carbonleo is forking Mike into CarbonIQ, an internal AI tool for Carbonleo running on Vercel behind a Supabase sign-in.

Active in short, decisive bursts - first seen on 2026-05-07 with 53 commits landing through 2026-05-14, mostly clustered around the rebrand-and-migrate push.

View on GitHub →

CarbonIQ is what Mike looks like when a single company decides to make it their own. clapointe-carbonleo has reskinned the interface in Carbonleo green, swapped the public login for an internal Supabase sign-in, and moved hosting off Cloudflare Workers onto Vercel - all signals that this fork is heading inside one organization rather than chasing a broader market.

The handle and naming point to Carbonleo, the Quebec-based real-estate developer behind Royalmount; CarbonIQ reads as an in-house brand for their team. A reader trying it today would land on a Carbonleo-branded sign-in and, once through, a Mike that looks and feels like Carbonleo's own product.

Direction-wise, this is a deployment-and-branding fork more than a product-direction fork. The interesting wrinkle: the sign-in flow is in place, but the authorization checks behind it haven't been fully reconnected - worth knowing before drawing conclusions about how locked-down the internal deployment really is.

What's in it

CarbonIQ rebrand A fork-wide reskin retargets Mike's interface to CarbonIQ, Carbonleo's in-house brand, in Carbonleo green.
Supabase sign-in The public login screen has been replaced with a branded Supabase JWT sign-in flow gating access to the app.
Vercel hosting Hosting has been migrated off Cloudflare Workers onto Vercel for both the frontend and backend.
API key leak fix Anthropic and Gemini keys are no longer shipped to the browser - a quiet but important hardening for an internal deployment.
Security-tracking posture The fork is keeping pace with upstream security advisories, pulling in Next.js patches as CVEs land.
Shared-projects fix A small data-access fix restores the ability to see projects shared with you, which had been silently broken upstream.

Direction

brandinginfrastructuresecurity

Activity

Themed changes and pull requests touching this fork, newest first. Themed changes that haven't been turned into a public post yet still appear — they're real work even without a published writeup.

⛔ #120 Feat/supabase auth v2 +1,826 -20,448 13d ago by clapointe-carbonleo ↗ analysis ↗ GitHub

📝 clapointe-carbonleo moves Mike off Cloudflare onto Vercel 10 commits 19d ago infrastructure draft

A single-afternoon hosting swap, with a small self-inflicted detour along the way.

✅ #1 Feat/carbon iq imp +1,418 -2,472 20d ago self by clapointe-carbonleo ↗ analysis ↗ GitHub

📝 Carbonleo rebuilt the front door but left the locks off inside 3 commits 20d ago securitymulti-tenant draft

clapointe-carbonleo replaced Mike's login screen with a branded sign-in flow, but the checks that decide who can see what never got reconnected.

📝 /projects: replace Supabase `.contains()` on `shared_with` with client-side filter (no public page) 1 commit 20d ago not yet rewritten

📝 clapointe-carbonleo plugs an API key leak in Mike's frontend 1 commit 20d ago securityinfrastructure draft

A two-line fix stops Anthropic and Gemini keys from being shipped to every user's browser.

📝 Next.js bumped to 16.2.4 to patch CVE-2025-66478 (no public page) 1 commit 20d ago not yet rewritten

📝 clapointe-carbonleo paints Mike in Carbonleo green 2 commits 20d ago branding draft

A fork-wide reskin retargets Mike's interface to CarbonIQ, Carbonleo's in-house brand.

📝 clapointe-carbonleo is rebranding the fork as CarbonIQ and going internal 4 commits 20d ago brandinginfrastructure draft

A single update rebrands the interface, strips out login, and swaps hosting providers - all at once.

Threads of work (detailed view)

5 threads have been distilled into posts.

clapointe-carbonleo moves Mike off Cloudflare onto Vercel

A single-afternoon hosting swap, with a small self-inflicted detour along the way.

infrastructure

10 commits · latest 19d ago

Carbonleo rebuilt the front door but left the locks off inside

clapointe-carbonleo replaced Mike's login screen with a branded sign-in flow, but the checks that decide who can see what never got reconnected.

securitymulti-tenant

3 commits · latest 20d ago

clapointe-carbonleo plugs an API key leak in Mike's frontend

A two-line fix stops Anthropic and Gemini keys from being shipped to every user's browser.

securityinfrastructure

1 commit · latest 20d ago

clapointe-carbonleo paints Mike in Carbonleo green

A fork-wide reskin retargets Mike's interface to CarbonIQ, Carbonleo's in-house brand.

branding

2 commits · latest 20d ago

clapointe-carbonleo is rebranding the fork as CarbonIQ and going internal

A single update rebrands the interface, strips out login, and swaps hosting providers - all at once.

brandinginfrastructure

4 commits · latest 20d ago

Pull requests (detailed view)

2 PRs touch this fork — inbound (filed against it) or outbound (filed from it). State icons match the editorial dashboard.

✅ Merged (1)

✅ merged · #1 Feat/carbon iq imp

by clapointe-carbonleo · opened 20d ago · merged 20d ago by clapointe-carbonleo

clapointe-carbonleo/mike-legal ← clapointe-carbonleo/mike-legal · +1,418 -2,472 · self · ↗ analysis · ↗ GitHub

⛔ Closed without merge (1)

⛔ closed · #120 Feat/supabase auth v2

by clapointe-carbonleo · opened 13d ago · closed 13d ago

willchen96/mike ← clapointe-carbonleo/mike-legal · +1,826 -20,448 · ↗ analysis · ↗ GitHub