fayerman-source closes a cross-project folder gap

A quiet backend fix tightens the trust boundary between projects in a legal document workspace.

security, multi-tenant

Project folders in Mike are meant to live inside a single project, but a handful of operations were taking folder IDs from the client without first checking that the folder actually belonged to the caller's project. That meant a user acting in Project A could, in theory, hand the system a folder ID from Project B and have it accepted.

fayerman-source added ownership checks at the three places this could bite: moving a folder, moving a document into a folder, and deleting a folder along with its documents. Each now confirms the folder belongs to the current project before doing anything. It's the classic shape of an authorization gap - trusting an ID the client supplied - and the fix is correspondingly small and surgical, with no changes to the surrounding APIs.
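The check described above, sketched as an added example (not code from the Mike repository or the fork): one project-scoped folder lookup shared by the three operations. The in-memory `Store`, its method names, and the extra checks on the destination parent and on the document's own project are assumptions made for illustration.

```python
# Added illustration with hypothetical names; in-memory stand-in for a real data layer.
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when an ID does not belong to the caller's project."""


@dataclass
class Store:
    folders: dict = field(default_factory=dict)    # folder_id -> {"project", "parent"}
    documents: dict = field(default_factory=dict)  # doc_id -> {"project", "folder"}

    def folder_in_project(self, project_id, folder_id):
        """Scoped lookup: unknown and foreign folder IDs fail the same way."""
        folder = self.folders.get(folder_id)
        if folder is None or folder["project"] != project_id:
            raise Forbidden(f"folder {folder_id!r} is not in project {project_id!r}")
        return folder

    def move_folder(self, project_id, folder_id, new_parent_id):
        folder = self.folder_in_project(project_id, folder_id)
        if new_parent_id is not None:              # None means the project root
            self.folder_in_project(project_id, new_parent_id)
        folder["parent"] = new_parent_id

    def move_document(self, project_id, doc_id, folder_id):
        doc = self.documents.get(doc_id)
        if doc is None or doc["project"] != project_id:
            raise Forbidden(f"document {doc_id!r} is not in project {project_id!r}")
        if folder_id is not None:
            self.folder_in_project(project_id, folder_id)
        doc["folder"] = folder_id

    def delete_folder(self, project_id, folder_id):
        self.folder_in_project(project_id, folder_id)  # check before any delete
        doomed = [d for d, doc in self.documents.items() if doc["folder"] == folder_id]
        for d in doomed:
            del self.documents[d]
        del self.folders[folder_id]
        return doomed


def sample_store():
    """Constructed data: two projects, one folder and one document each."""
    return Store(
        folders={"fa": {"project": "A", "parent": None}, "fb": {"project": "B", "parent": None}},
        documents={"da": {"project": "A", "folder": "fa"}, "db": {"project": "B", "folder": "fb"}},
    )
```

Every check runs before any state changes, so a rejected request leaves both projects untouched.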

So what: Anyone running Mike in a multi-matter or multi-client setup should care: this is the kind of quiet boundary fix that keeps one matter's folders from leaking into another's.

Commits in this thread

1 commit from fayerman-source/mike, oldest first. Source extracted verbatim from the harvested git log.

SHA | Subject | Author | Date
7062a300 | fix project folder boundary checks | Eli Fayerman | 2026-05-04
