Safe local testing guide added to onboarding path
fayerman-source added a dedicated guide for evaluating Mike with sensitive legal workflows, linked from the setup README so it sits on the path a first-time self-hoster actually follows. The guide pushes toward disposable infrastructure, synthetic documents, spend-capped API keys, and keeping service-role secrets off the frontend.
The concrete change is two-part. First, a new evaluation guide routed directly into the README setup flow. It tells new operators to use synthetic documents rather than real client files, cap provider API key spend before testing, and keep service-role and model-provider credentials server-side. The logic is simple: Mike will attract legal users who want to test it against real-looking workflows, so the default path should route them toward containment from the start.
Second, the Supabase service-role key was pulled from the frontend example env file. The service-role key bypasses Supabase row-level security entirely. Putting it in a client-side example config is a footgun for anyone who copies .env.example into their frontend without thinking. Removing it reduces the chance that a hurried first setup lands a privileged credential somewhere it can be reached from the browser bundle.
Nothing executable changed. This is posture work in the docs and the scaffolding new operators copy from.
Spotted something wrong? Or know the PR text has fresher detail than the writeup above?