Turbine Legal: Mike hard-forked for aviation-leasing contract management on Azure/S3/Vercel
beautech-aero's single merged PR replaces the entire Mike infrastructure stack and builds a matter command center for Beautech's aviation-leasing legal team on top of it. Most of the 17k-line diff is Beautech-specific product code and package-lock churn. A handful of standalone pieces - JWT revocation, AES-256 key encryption, LLM concurrency limiting - are extractable.
PR #1 (22f9039d) is a hard fork reposition in one commit. igor-ctrl describes it in AGENTS.md as a five-phase migration tracked at /Users/igor/.Codex/plans/groovy-spinning-rain.md. The infrastructure swap is complete on paper but not in code: Cloudflare R2 is gone (AWS S3 in), Cloudflare Pages/OpenNext is gone (Vercel in), Gemini is deleted, and the DB target is Azure Postgres with a legal_platform schema. But the Kysely migration from Supabase is only about 20% done - routes/user.ts and the auth routes are migrated; the remaining ~80-120 .from(...) call sites in projects.ts, documents.ts, tabular.ts, workflows.ts, and chat.ts still hit lib/supabase.ts. This fork is mid-rewrite.
The product additions are purpose-built for Beautech and not meaningfully portable. The /matters route (912 LOC) wraps projects with lifecycle metadata and external link tables for Salesforce, Dropbox Business, and DocuSign. MatterCommandCenter.tsx (309 LOC) provides the UI. routes/integrations.ts (257 LOC) manages encrypted integration connections. The Dropbox integration requires team-scoped tokens validated through team/token/get_authenticated_admin; Salesforce feeds matter creation; DocuSign handles envelope lifecycle and webhooks. All of this is tightly coupled to Beautech's legal workflow.
The pieces worth extracting manually, in rough order:
- LLM concurrency semaphore (
lib/llm/limiter.ts, 39 LOC).withLlmConcurrency(fn)wraps any async call;LLM_CONCURRENCYdefaults to 8. Protects tabular-review fan-out from tripping OpenAI's rate limits. - AES-256-GCM key encryption (
lib/crypto.ts, 67 LOC). Encrypts per-user API keys at rest; decrypt failures returnnullrather than throwing. Format:base64(iv|authTag|ciphertext). - JWT token-version revocation (
middleware/auth.ts,lib/auth.ts). Single indexed lookup againstusers.token_versionandusers.password_changed_aton every request - enables "log out everywhere" without a session table. The CSRF middleware'sX-Requested-With: XMLHttpRequestcheck is also clean. - OpenAI adapter with
max_completion_tokens(lib/llm/openai.ts, 215 LOC). Upstream still usesmax_tokens; this fork corrects it for current GPT chat models.
A few caveats: the entire feature landed as one commit with no splitting, so cherry-pick is not viable - hand-extract what you want. About 23k lines of the raw diff is package-lock.json churn. There is no test suite; the only validation is backend/src/smoke/turbineLegalSmoke.ts (105 LOC) plus build. The Kysely migration is explicitly incomplete.
Spotted something wrong? Or know the PR text has fresher detail than the writeup above?