clapointe-carbonleo rebuilt this fork's login and hosting, then walked it back

A big bundle of divergence - a new sign-in system, a hosting move, and a rebrand - was proposed back to the base project and closed minutes later with no explanation.

securityinfrastructure

This fork has drifted a long way from the original, and clapointe-carbonleo tried to fold that whole drift back into the shared base in one go. The headline pieces:

  • New sign-in: swapped the old login for email/password accounts run through Supabase (a hosted authentication and database service), with the backend now genuinely checking each user's credentials instead of waving requests through.
  • A hosting move: shifted the app off Cloudflare and onto Vercel (a rival app-hosting platform), reworking how the backend runs and which sites it trusts.
  • A rebrand: a substantial reskin of the interface under a new "CarbonIQ" look, plus smaller correctness cleanups.

It never merged. The request was filed against the base project's main line and closed roughly four minutes later with no description, so this reads as a mis-aimed or instantly-retracted proposal rather than work anyone actually reviewed.

So what Anyone tracking who is making Mike production-ready - real accounts, real hosting - should keep an eye on this fork, even though this attempt to share the work back fizzled.

View this fork on GitHub →

Spotted something wrong? Or know the PR text has fresher detail than the writeup above?

Commits in this thread

18 commits from clapointe-carbonleo/mike-legal, oldest first. Source extracted verbatim from the harvested git log.

SHA Subject Author Date
e6568f87 feat(mike): ic - remove auth - fix sql - all users 'internal' for now clapointe-carbonleo 2026-05-06 ↗ GitHub
a15cd5a1 update(UI): CarbonIQ design refactor clapointe-carbonleo 2026-05-06 ↗ GitHub
cbd47b90 Switch frontend from Cloudflare to Vercel clapointe-carbonleo 2026-05-06 ↗ GitHub
8796dfef Remove Cloudflare dependencies for Vercel deployment clapointe-carbonleo 2026-05-06 ↗ GitHub
af9f6107 Merge pull request #1 from clapointe-carbonleo/feat/CarbonIQ-imp clapointe-carbonleo 2026-05-06 ↗ GitHub
Feat/carbon iq imp
1b9a6630 Remove all Cloudflare and AWS SDK dependencies for Vercel clapointe-carbonleo 2026-05-06 ↗ GitHub
e4b92c1d Merge remote main, keep local package.json without AWS SDK clapointe-carbonleo 2026-05-06 ↗ GitHub
c79bdaef Remove package-lock.json to clear stale dependencies clapointe-carbonleo 2026-05-06 ↗ GitHub
c0ee368b Upgrade Next.js to 16.2.4 to fix CVE-2025-66478 clapointe-carbonleo 2026-05-06 ↗ GitHub
0785addf Restore AWS SDK packages needed for R2 storage clapointe-carbonleo 2026-05-06 ↗ GitHub
0756a87d Fix CORS to allow production frontend URL clapointe-carbonleo 2026-05-06 ↗ GitHub
35fd7788 Configure backend as Vercel serverless function clapointe-carbonleo 2026-05-06 ↗ GitHub
c52c1648 Remove NEXT_PUBLIC API keys - hardcode availability instead clapointe-carbonleo 2026-05-06 ↗ GitHub
commit body
API keys must never be NEXT_PUBLIC_* (they end up in the browser bundle).
Model availability now hardcoded to 'configured' so all models show as available.
The backend uses its own server-side keys for actual API calls.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
9e02ae0e Fix /projects endpoint: filter shared_with client-side clapointe-carbonleo 2026-05-06 ↗ GitHub
The .contains() method doesn't work for JSONB arrays in Supabase JS client.
Changed to fetch all non-owned projects and filter by shared_with email client-side.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
333172e1 feat(git): add vercel to gitignore clapointe-carbonleo 2026-05-06 ↗ GitHub
2217a5df Add Supabase email/password authentication clapointe-carbonleo 2026-05-06 ↗ GitHub
commit body
- AuthContext now uses real Supabase session (onAuthStateChange)
- (pages) layout redirects to /login when not authenticated
- Login page with Carbonleo brand styling (dark bg, yellow CTA)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
fffe4396 Validate real Supabase JWT in requireAuth middleware clapointe-carbonleo 2026-05-06 ↗ GitHub
commit body
Replaces hardcoded 'internal' userId with the actual Supabase user ID
extracted from the Bearer token sent by the frontend. Each user now has
their own isolated data in the database.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
17605a51 Fix CORS: allow mike-legal-three.vercel.app clapointe-carbonleo 2026-05-07 ↗ GitHub

Capture this thread into my fork

Download a single Markdown prompt that tells Claude how to port every commit above into your working tree — adapting paths and structure to match your repo. Run it via claude -p < capture-thread-772.md from inside the repo you want the changes in.

⬇ Download capture-thread-772.md