ryanmcdonough/mike

ryanmcdonough is hardening Mike's access controls so a signed-in user can only ever reach what's theirs.

Barely diverged and currently quiet: a short burst of security work in early May 2026, one proposal closed unmerged, and nothing pushed since 2026-05-01.

View on GitHub →

This fork is about one worry: a logged-in user reaching material that belongs to someone else. Everything ryanmcdonough has done here points at it. One change closes a hole that let users attach chats to projects they were never given access to. The other pushes authorization down into the database itself, extending row-level security from user profiles to every content table, so one client's material can never surface in another's account.

The database-wide sweep didn't land. The proposal was closed on 2026-05-08 with no explanation left behind, which leaves the fork carrying the narrower chat-creation fix. There is no rebrand and no new feature work; if you tried it, it would look and behave like stock Mike, with stricter rules about who can touch what.

We have no signal on who ryanmcdonough is beyond the handle. But the choice of work is legible enough - confidentiality between clients, enforced at the deepest layer available. If access control in a legal AI assistant is the thing you'd check before deploying, the actual changes on GitHub are a short read.

What's in it

Direction

security

Activity

Themed changes and pull requests touching this fork, newest first. Themed changes that haven't been turned into a public post yet still appear — they're real work even without a published writeup.

📝 RLS sweep across all content tables - closed without merging 0 commits securitymulti-tenant draft
ryanmcdonough opened a PR to extend row-level security beyond user profiles to every other content table in the schema. The intent was a database-layer authorization sweep rather than a targeted fix. The PR was closed on…

Threads of work (detailed view)

5 threads have been distilled into posts.

POST /chat/create now checks project access before inserting

ryanmcdonough patches an authz hole in `POST /chat/create`: the endpoint previously accepted any `project_id` from the request body and inserted a chat row without verifying the caller had access to that project. Eight lines close it. Upstream willchen96/mike still has the gap.

RLS sweep across all content tables - closed without merging

ryanmcdonough opened a PR to extend row-level security beyond user profiles to every other content table in the schema. The intent was a database-layer authorization sweep rather than a targeted fix. The PR was closed on 2026-05-08 without merging, and no explanation was left.

Pull requests (detailed view)

4 PRs touch this fork — inbound (filed against it) or outbound (filed from it). State icons match the editorial dashboard.

⛔ Closed without merge (4)