kveton ↗ analysis ↗ GitHub kveton/mike
kveton's fork centers on one thing: pulling sensitive trust decisions out of the browser and behind the backend.
This is a fork of Mike from @kveton whose visible work is a single, deliberate security hardening effort. The idea is to stop trusting the browser with things it shouldn't hold: sensitive application data, stored LLM credentials, and the integrity of uploaded files. Instead, those decisions move behind backend services that mediate access, encrypt keys at rest, and check what's actually being uploaded before it lands in storage.
The same pass tightens who can reach what - document access, project scoping, and shared-edit permissions all get firmer boundaries. It's a security posture change more than a feature push, and it touches the whole stack rather than any one corner of the app.
Worth knowing before you click through: the hardening was proposed as a pull request and then closed without merging. So this reads less as a shipped direction and more as a considered proposal about where Mike's trust boundaries should sit. If backend-mediated auth and encrypted secrets are your interest, @kveton's work is the conversation to read.
What's in it
- Backend-mediated data access Sensitive application data moves behind server-side access instead of being reachable from the browser directly.
- Encrypted LLM keys API keys for language-model access are encrypted at rest rather than sitting in the clear.
- Validated uploads Uploaded files get checked for what they actually contain before they're stored.
- Tighter authorization Firmer boundaries around document access, project scoping, and shared-edit permissions.
Direction
securityinfrastructure
Activity
kveton ↗ analysis ↗ GitHub Threads of work (detailed view)
kveton wants the browser to stop holding the keys
A wide security pass that pulls secrets, file checks, and access rules back behind the server, though it never made it into the main project.
kveton proposes backend-mediated auth and LLM key encryption across the full stack
kveton/mike describes a security hardening PR that moves sensitive Supabase table access behind backend service-role APIs, encrypts LLM API keys at rest, validates uploaded file bytes before storage, and tightens authorization across document access, project scoping, and direct-share edits. The PR was closed without merging on 2026-05-10.
Pull requests (detailed view)
⛔ Closed without merge (2)
kveton · opened 2mo ago · closed 2mo ago kveton · opened 2mo ago · closed 2mo ago