clapointe-carbonleo/mike-legal
An in-house CarbonLeo build of Mike, rebranded as CarbonIQ, rehosted on Vercel with a login gate and Supabase behind it.
This is a private, internal rework of Mike by clapointe-carbonleo - a fork the CarbonLeo team is shaping into their own tool rather than a public product. The most visible change is cosmetic: it's been reskinned as CarbonIQ, trading Mike's pale, serif look for a dark olive-and-gold house style. But the real story is under the hood.
The team has moved the whole stack - the app you use and the server behind it - off Cloudflare and onto Vercel, and put a real front door on it with Supabase email/password login. Worth knowing before you get excited: the login gate is real, but access inside is coarse - anyone who signs in can see everything, so this reads as a trusted-internal-users tool, not a multi-tenant product.
Alongside the platform move, clapointe-carbonleo has been doing housekeeping that any fork can learn from: pulling AI provider keys out of the public web bundle where users could read them, patching a Next.js security advisory, and fixing a project-sharing bug so work shared with a colleague actually shows up. The Vercel migration in particular is clean enough to copy if you're contemplating the same move.
What's in it
- CarbonIQ rebrand A full in-house visual reskin - dark olive-gold palette replacing Mike's pale serif default. This is a branded internal tool, not stock Mike.
- Vercel-hosted stack Both frontend and backend have moved off Cloudflare onto Vercel. The backend recipe is tidy enough to lift for your own migration.
- Supabase login gate Email/password authentication now guards the app. It's a genuine sign-in wall - though everyone who's in sees the same thing.
- API keys pulled from the browser AI provider keys that were shipping into the public web bundle have been yanked out - a small fix that closes a real leak.
- Shared projects that actually appear A broken visibility filter meant projects shared with a colleague didn't reliably show up. That's fixed.
- Security patching clapointe-carbonleo keeps current on upstream advisories, including a Next.js bump to patch a named CVE.
Direction
brandinginfrastructuresecurity
Activity
Threads of work (detailed view)
clapointe-carbonleo rebuilt this fork's login and hosting, then walked it back
A big bundle of divergence - a new sign-in system, a hosting move, and a rebrand - was proposed back to the base project and closed minutes later with no explanation.
clapointe-carbonleo is moving the whole stack off Cloudflare onto Vercel
Both the user-facing app and the server behind it are changing hosting platforms - and the backend recipe is clean enough to copy.
Cloudflare Workers / OpenNext dropped; both apps moved to Vercel serverless
clapointe-carbonleo migrated the frontend and backend off Cloudflare across ten commits in a single afternoon. The process was iterative and included at least one dependency-cull mistake that had to be walked back.
clapointe-carbonleo bolts a real front door onto Mike - but leaves the inner rooms unlocked
CarbonLeo's internal fork now demands a real login, yet anyone who gets in can still see everything.
Auth stripped to a hardcoded stub, then partially rebuilt on Supabase JWT
clapointe-carbonleo gutted upstream auth in one commit, re-added a real login page in a second, then restored JWT verification in a third - but never fixed the backend access helpers. The result is a codebase where users authenticate with real tokens but every authorization check returns true for every request.
clapointe-carbonleo gets shared projects to actually show up
A broken visibility filter meant projects shared with a colleague weren't reliably appearing for them - this fixes that, with a catch.
clapointe-carbonleo stops the API keys from leaking into every browser
A one-line security fix that yanks two AI provider keys out of the public web bundle, where any user could have read them.
Fix: stop shipping Anthropic and Gemini API keys in the browser bundle
Upstream Mike reads `NEXT_PUBLIC_ANTHROPIC_API_KEY` and `NEXT_PUBLIC_GEMINI_API_KEY` into the static user profile - which means those values land in the client JS bundle and ship to every browser. clapointe-carbonleo patches this with two lines.
clapointe-carbonleo reskins Mike in CarbonLeo colours
A 70-file visual rebrand swaps Mike's pale serif look for a dark, olive-gold house style - and quietly pulls a setting along the way.
CarbonIQ brand reskin: 70-file palette swap from Mike's defaults to Carbonleo tokens
clapointe-carbonleo replaced the entire Mike design-token set with Carbonleo's brand palette in a single 1340-line commit. No behavior changes - just CSS variables, font references, and Tailwind class strings updated across ~68 components.
clapointe-carbonleo moves Mike off Cloudflare and onto Vercel
A CarbonLeo team rehosts its Mike fork on a new platform, reskins it in-house, and rips out login to get there fast.
PR #1: CarbonIQ rebrand, auth removal, and Cloudflare-to-Vercel swap bundled in a self-merge
clapointe-carbonleo landed four commits as a single self-merged PR: a UI reskin under the CarbonIQ brand, a complete auth strip-out, an unrelated SQL addition, and a frontend hosting switch from Cloudflare to Vercel. None of the four changes were individually reviewed before merge.
Pull requests (detailed view)
✅ Merged (1)
clapointe-carbonleo · opened 2mo ago · merged 2mo ago by clapointe-carbonleo ⛔ Closed without merge (2)
clapointe-carbonleo · opened 2mo ago · closed 2mo ago clapointe-carbonleo · opened 2mo ago · closed 2mo ago