Safe local testing guide added to onboarding path

fayerman-source added a dedicated guide for evaluating Mike with sensitive legal workflows, linked from the setup README so it sits on the path a first-time self-hoster actually follows. The guide pushes toward disposable infrastructure, synthetic documents, spend-capped API keys, and keeping service-role secrets off the frontend.

securityinfrastructure

The concrete change is two-part. First, a new evaluation guide routed directly into the README setup flow. It tells new operators to use synthetic documents rather than real client files, cap provider API key spend before testing, and keep service-role and model-provider credentials server-side. The logic is simple: Mike will attract legal users who want to test it against real-looking workflows, so the default path should route them toward containment from the start.

Second, the Supabase service-role key was pulled from the frontend example env file. The service-role key bypasses Supabase row-level security entirely. Putting it in a client-side example config is a footgun for anyone who copies .env.example into their frontend without thinking. Removing it reduces the chance that a hurried first setup lands a privileged credential somewhere it can be reached from the browser bundle.

Nothing executable changed. This is posture work in the docs and the scaffolding new operators copy from.

So what Worth a look if you're preparing Mike for non-engineer evaluators, particularly lawyers who may test it against real documents before understanding the security surface. The service-role key removal from the frontend env example is also a straightforward cleanup worth carrying forward regardless.

View this fork on GitHub →

Spotted something wrong? Or know the PR text has fresher detail than the writeup above?