clapointe-carbonleo stops the API keys from leaking into every browser

A one-line security fix that yanks two AI provider keys out of the public web bundle, where any user could have read them.

securityinfrastructure

The team caught a genuine leak in the upstream code. The keys that let the app talk to its AI providers (Anthropic, which makes Claude, and Google's Gemini) were being loaded in a way that bakes them straight into the code shipped to every visitor's browser. In plain terms: anyone using the app could have opened their browser's developer tools and copied the keys, then run up charges on someone else's account.

The fix removes those reads entirely. clapointe-carbonleo's deployment manages keys on the server instead, where users never see them - the correct place for a secret to live. It's a tiny change, but it closes a real hole.

So what If your firm forked Mike, check for this same pattern and apply the fix today - exposed AI keys are both a security and a billing liability.

View this fork on GitHub →

Spotted something wrong? Or know the PR text has fresher detail than the writeup above?

Commits in this thread

1 commit from clapointe-carbonleo/mike-legal, oldest first. Source extracted verbatim from the harvested git log.

SHA Subject Author Date
c52c1648 Remove NEXT_PUBLIC API keys - hardcode availability instead clapointe-carbonleo 2026-05-06 ↗ GitHub
commit body
API keys must never be NEXT_PUBLIC_* (they end up in the browser bundle).
Model availability now hardcoded to 'configured' so all models show as available.
The backend uses its own server-side keys for actual API calls.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Capture this thread into my fork

Download a single Markdown prompt that tells Claude how to port every commit above into your working tree — adapting paths and structure to match your repo. Run it via claude -p < capture-thread-10.md from inside the repo you want the changes in.

⬇ Download capture-thread-10.md