clapointe-carbonleo bolts a real front door onto Mike - but leaves the inner rooms unlocked

CarbonLeo's internal fork now demands a real login, yet anyone who gets in can still see everything.

security, multi-tenant

This fork is a CarbonLeo deployment, and clapointe-carbonleo just took it through a full authentication rebuild in three quick moves. It started rough: a bring-up shortcut that tore out roughly a thousand lines of access-control code and treated every user as the same "internal" account. From there the team added a proper sign-in screen - French-language, CarbonLeo-branded - backed by Supabase, a hosted service that handles email-and-password login and session tokens. The backend now genuinely checks that token before letting anyone through.

The catch worth flagging: the front door is real, but the room-by-room locks aren't. Once you're authenticated, the per-document and per-project ownership and sharing checks still wave everyone through. So the system knows who you are, but not yet what you're allowed to touch.

So what: Anyone evaluating this fork's security posture should know that authentication is live but fine-grained authorization is still stubbed - fine for a closed internal pilot, not for shared or client-facing use.


Commits in this thread

3 commits from clapointe-carbonleo/mike-legal, oldest first. Source extracted verbatim from the harvested git log.

SHA       Subject                                                                Author               Date
e6568f87  feat(mike): ic - remove auth - fix sql - all users 'internal' for now  clapointe-carbonleo  2026-05-06
2217a5df  Add Supabase email/password authentication                             clapointe-carbonleo  2026-05-06
  commit body:
  - AuthContext now uses real Supabase session (onAuthStateChange)
  - (pages) layout redirects to /login when not authenticated
  - Login page with Carbonleo brand styling (dark bg, yellow CTA)

  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
fffe4396  Validate real Supabase JWT in requireAuth middleware                   clapointe-carbonleo  2026-05-06
  commit body:
  Replaces hardcoded 'internal' userId with the actual Supabase user ID
  extracted from the Bearer token sent by the frontend. Each user now has
  their own isolated data in the database.

  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
