MikeWatch Forks of the Mike legal-AI codebase, distilled for legal-tech readers
Home · willchen96/mike · this thread

willchen96 pulls user data off the browser and adds guardrails to chat

A backend hardening pass moves profile access server-side, validates project ownership on chats, and adds rate limits and security headers.

securitymulti-tenant

The big move is that user profile reads and writes no longer happen directly from the browser against the data layer - they now go through backend API routes, with the server tracking whether a user has an API key on file rather than letting the frontend guess. Standard security headers and basic rate limiting landed in the same pass.

Chat got the other half of the attention. Creating a chat or streaming into one now checks that the user actually owns the project the chat is being attached to, closing a gap where a client could plausibly hang a conversation off someone else's project. The Assistant and Tabular Review tools were also pulled under specific projects rather than floating at the user level. Testing signal is a clean frontend build; willchen96 didn't mention backend tests for the new ownership checks.

So what Anyone evaluating Mike forks for client work should note this one is taking multi-tenant boundaries seriously, even if the verification story is still light.

Spotted something wrong? Or know the PR text has fresher detail than the writeup above?