kveton pitches a security hardening pass at willchen96/mike

A closed PR that would have moved sensitive data and user API keys out of the browser's reach.

security, infrastructure

@kveton's proposal pulls the browser out of the trust boundary in several places at once. Instead of the frontend reading user profiles and other app data straight from Supabase (the hosted database the project runs on), those calls would route through backend APIs that hold the privileged keys. User-supplied LLM API keys get encrypted at rest, with the browser only ever told whether a key exists, not what it is.

The pass also validates uploaded PDFs and Word documents before anything touches storage, tightens who can see and edit shared review documents and chat projects, and rips out logging that was capturing raw model traffic and document content. Vulnerable dependencies on both sides get bumped, and a small set of backend security tests is added.

The PR was closed without merging on May 10, so none of this is live in the upstream fork.

So what: Worth a look for anyone running a legal-AI tool where users paste their own model keys or upload client documents - it's a clear inventory of the boundaries that matter.
