hoogvliets lays the whole fork open for the maintainer
A license obligation became a full-source disclosure, and what it reveals is a hardened, privacy-minded build.
The code under Mike carries a copyleft license (AGPL-3.0), which asks anyone running a modified version in public to make their source available. hoogvliets took that seriously and published the entire downstream fork in one place - backend, frontend, database, tests, and docs - so the original maintainer could see the full picture.
What the disclosure shows is a build reworked for real client data:
- Account deletion with a recovery window - users can wipe their account and data, and undo it before it's permanent.
- Cross-tenant walls - each client's data stays isolated from every other client's.
- Bring-your-own AI keys, stored encrypted - teams can plug in their own model-provider keys without leaving them exposed.
- Usage limits on the AI - a guard against runaway calls and cost.
- A security-focused test suite - checks for cross-tenant leaks and auth gaps on every change.
The all-in-one branch was closed rather than merged, but the same work continues in smaller, reviewable pieces.
So what Anyone weighing this fork for live client matters should read the security and privacy work first - and now they can, because it's all in the open.
Spotted something wrong? Or know the PR text has fresher detail than the writeup above?