Lef-F audits the patches they just merged
After pulling in eight upstream pull requests, Lef-F ran a code review on the result and found the security fixes had quietly left fresh holes.
Lef-F cherry-picked eight changes from another Mike fork - a mix of security hardening, support for OpenRouter as a third AI model provider, and user-configurable connectors that let Mike call out to external tools and services. Original authorship was preserved on every commit.
Then came the audit. Lef-F's review turned up four serious security gaps the upstream patches had either missed or newly opened, plus eight real bugs in features that had already shipped to users. One gap re-opened the exact vulnerability an upstream fix had just closed in a neighbouring file. Another left the most sensitive table - the one holding access tokens for those external connectors - unlocked while every other user-data table was sealed off. Lef-F also extended Mike's existing at-rest encryption to cover those connector credentials, which an earlier migration had explicitly flagged as deferred work.