Big consolidation merge: KairosVista feature branch and upstream/main land together

Commit `63b978a` merges ecarjat's KairosVista feature branch and `upstream/main` in one shot. It's not a unit of change to import directly, but it's the right place to look if you want to understand how this fork diverged from upstream and how ecarjat resolved conflicts.

securitycompliance

The KairosVista side brings Google-OAuth-only auth, a Docker dev stack, folder-grouped tabular reviews, per-user page limits, and native PDF vision. From upstream the merge pulls in Next.js and @opennextjs/cloudflare dep updates, a major README rewrite, an HMAC DOWNLOAD_SIGNING_SECRET fail-fast check in downloadTokens.ts, the official upstream fix for the JSONB shared_with filter, and path-style S3 hardening in access.ts and tabular.ts.

Two conflict-resolution choices stand out. The merge keeps the fork's env-configurable R2_FORCE_PATH_STYLE flag instead of upstream's hardcoded version - a more flexible call. It also keeps the Docker and local Supabase README section alongside upstream's structural rewrite, resulting in a net +105/-0 on README.md.

Two things in this commit you should not follow. First, two binary PDFs are added: BPGO-NovaBank Contrat initial...pdf (5.6 MB) and BPGO-Avt NovaBank-Maintenance.pdf (730 KB). These look like sample client documents that have no place in a source repo. Second, a 204-line supabase/snippets/Untitled query 932.sql shows up - an exported SQL editor scratch file. Neither should come along if you're cherry-picking from this fork.

The frontend/bun.lock shrinks by roughly 1,700 lines in the same commit, which suggests a lockfile regeneration or a dependency cleanup that's hard to audit without expanding the file.

So what Don't import this commit wholesale. Use it as a reference point: the `R2_FORCE_PATH_STYLE` env-var flexibility is worth considering, and the upstream conflict resolutions are worth reviewing. Skip the binary PDFs and the SQL snippet entirely.

View this fork on GitHub →

Spotted something wrong? Or know the PR text has fresher detail than the writeup above?

Commits in this thread

1 commit from ecarjat/mike, oldest first. Source extracted verbatim from the harvested git log.

SHA Subject Author Date
63b978a5 Merge oauth-profile-security-cleanup and upstream/main into main Emmanuel Carjat 2026-05-12 ↗ GitHub
commit body
- Merge KairosVista branch (OAuth, Docker stack, folder-grouped tabular
  reviews, per-user page limit, PDF vision for scanned documents)
- Merge upstream commits: Next/Cloudflare dep updates, README improvements,
  JSONB shared_with filter fix, path-style S3 hardening, HMAC secret
  fail-fast, comment cleanup in access.ts and tabular.ts
- Keep env-configurable R2_FORCE_PATH_STYLE (overrides upstream hardcode)
- Keep Docker + local Supabase section alongside upstream README rewrite

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Capture this thread into my fork

Download a single Markdown prompt that tells Claude how to port every commit above into your working tree — adapting paths and structure to match your repo. Run it via claude -p < capture-thread-399.md from inside the repo you want the changes in.

⬇ Download capture-thread-399.md