easterbrooka switches Mike's secrets to envelope encryption
API keys, model settings and shared-workflow records now live as encrypted blobs, with the plaintext kept on standby during cutover.
easterbrooka has flipped the live request path onto envelope-encrypted storage: every user API key, model preference and workflow share is now sealed under a per-user key, while the old plaintext columns keep getting written in parallel so a rollback to an earlier image stays safe through the soak period. A one-shot backfill walks existing rows and seeds the encrypted columns where they're missing.
The trickier piece is sharing. Anywhere Mike used to match collaborators by email address - access checks, the shared-workflow list, share creation - it now matches on a keyed hash instead, so the database never has to see the address in the clear to find a record. Production deploys now refuse to start unless the key-management service and the hashing secret are both configured, making a half-wired environment fail at boot rather than at the first user request.
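As an added illustration of the sharing cutover described above (not Mike's code and not from the PR), the following Python models the keyed-hash collaborator lookup, the idempotent backfill, and the production boot check; the environment variable names, the share-row fields and the sample rows are assumptions.

```python
import hashlib
import hmac


def email_index(hash_secret: bytes, email: str) -> str:
    """Keyed hash of a normalised address; only this value is stored and queried."""
    normalised = email.strip().lower()
    return hmac.new(hash_secret, normalised.encode("utf-8"), hashlib.sha256).hexdigest()


def backfill_email_hashes(rows: list[dict], hash_secret: bytes) -> int:
    """One-shot cutover pass: seed the hash column wherever it is still empty.
    Idempotent, so re-running after a partial failure is safe; returns rows updated."""
    updated = 0
    for row in rows:
        if not row.get("collaborator_email_hash"):
            row["collaborator_email_hash"] = email_index(hash_secret, row["collaborator_email"])
            updated += 1
    return updated


def find_shares(rows: list[dict], hash_secret: bytes, email: str) -> list[dict]:
    """Access check / share list: match on the keyed hash, never the plaintext column."""
    needle = email_index(hash_secret, email)
    return [r for r in rows if r.get("collaborator_email_hash") == needle]


def check_boot_config(env: dict) -> None:
    """Refuse to start a production deploy unless both secrets are configured.
    Variable names are assumptions, not Mike's real settings."""
    if env.get("MIKE_ENV") != "production":
        return
    missing = [k for k in ("MIKE_KMS_URL", "MIKE_EMAIL_HASH_SECRET") if not env.get(k)]
    if missing:
        raise RuntimeError("refusing to start: missing " + ", ".join(missing))


# Constructed sample data standing in for the shared-workflow table: one legacy
# row still lacking its hash, one already migrated.
SECRET = b"constructed-test-secret"
SHARES = [
    {"workflow_id": 1, "collaborator_email": "Alice@Example.com", "collaborator_email_hash": ""},
    {"workflow_id": 2, "collaborator_email": "bob@example.com",
     "collaborator_email_hash": email_index(SECRET, "bob@example.com")},
]
```

Because the index is keyed, rotating the hashing secret means re-running the backfill over every row with the new key; the old hashes cannot be matched against it.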