jchan7/mike: full rebrand to Bobby with a hardcoded dev-login bypass

Two commits rename everything from Mike to Bobby across 76 files and switch the package manager from bun to npm. Buried in the first commit is a client-side auth bypass: email `jason@rogo.ai` / password `jasonchan` skips Supabase entirely and stuffs a fake user into `localStorage`.

securitybranding

The rebrand in dbce928e is thorough: MikeMessage, MikeCitationAnnotation, MikeEditAnnotation, MikeFolder, MikeProject, MikeDocument, MikeChat all become Bobby*; mikeApi.ts and mike-icon.tsx are renamed; system prompts change from "You are Mike" to "You are Bobby"; the production URL becomes bobbyoss.com. The large diff count is mostly bun.lock deletion; fb270581 follows three seconds later to regenerate frontend/package-lock.json at 18,080 lines.

The security issue is in frontend/src/app/login/page.tsx. A new conditional checks for jason@rogo.ai / jasonchan and, on match, skips the Supabase auth flow, writes { id: "dev-jason", email: "jason@rogo.ai" } to localStorage["bobby_dev_user"], fires a bobby_dev_user_changed event, and navigates to /assistant. AuthContext.tsx is updated to pick up this key on mount and short-circuit onAuthStateChange for the duration of the session. signOut clears it.

The credentials are plaintext in the repo. Any deployed build of this fork ships with this bypass reachable from the login screen - it's not controlled by an environment variable. The intent reads as local development without a working Supabase configuration, but there is no mechanism to disable it in production.

The bun-to-npm switch has no behavioral effect but generates a large lockfile churn and drops the bun lockfile upstream maintains.

So what Skip entirely. The rebrand conflicts with every identifier in upstream mike if you want to track it, and the hardcoded login bypass is a liability in any deployed context. There is nothing in these commits worth cherry-picking.

View this fork on GitHub →

Spotted something wrong? Or know the PR text has fresher detail than the writeup above?

Commits in this thread

2 commits from jchan7/mike, oldest first. Source extracted verbatim from the harvested git log.

SHA Subject Author Date
dbce928e setting up Jason Chan 2026-05-02 ↗ GitHub
fb270581 Create package-lock.json Jason Chan 2026-05-02 ↗ GitHub

Capture this thread into my fork

Download a single Markdown prompt that tells Claude how to port every commit above into your working tree — adapting paths and structure to match your repo. Run it via claude -p < capture-thread-105.md from inside the repo you want the changes in.

⬇ Download capture-thread-105.md