rafal-fryc ports Mike to the desktop

A serious effort to turn the cloud legal-AI stack into a single-user Windows app you install with a double-click.

infrastructure, security

rafal-fryc's fork rebuilds Mike as an Electron desktop app - the cloud database is swapped for a local file, cloud storage becomes a folder on disk, and the whole thing lives inside a workspace you pick at launch. A login screen and a hashed local password gate access; documents and keys stay on the machine.

What sets this apart from a weekend port is the discipline around it. The fork ships with a written decisions log, a deferred-work list, and a pre-ship code review by three reviewers - two of whom flagged it as not ready on first pass. A second commit closes out every critical finding (signing secrets, sandboxing, content-security policy, path-traversal guards) before the version tag. A 500-line README documents the architecture and threat model end-to-end.

So what: if you've ever wanted a legal-AI tool that runs entirely on a lawyer's laptop with no cloud account, this is the most credible attempt yet.


Commits in this thread

3 commits from rafal-fryc/mikelocal, oldest first. Source extracted verbatim from the harvested git log.

SHA Subject Author Date
e2a80b08 Convert to local desktop app (Electron + SQLite + workspace folder) riffyraf 2026-05-01
commit body
Replace every cloud dependency with a local equivalent and ship as a
downloadable Windows app:

- Electron shell with workspace picker, scrypt-hashed local password,
  lock screen on every launch
- Supabase Auth → local HS256 JWT (Node crypto, no library deps)
- Supabase Postgres → SQLite via better-sqlite3 with a Postgrest-shaped
  compat shim, so existing route handlers stay unchanged
- S3/R2 storage → local filesystem under <workspace>/files with
  path-traversal guard and short-lived token-bearing URLs
- API key management via existing Settings UI, persisted in user_profiles
- LibreOffice runtime detection with graceful degradation
- electron-builder NSIS installer config, Next.js standalone build
- Full README rewrite for end users plus DECISIONS.md, TODO.md, and
  per-phase notes under .claude/phases/

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
79acd8a6 feat(security): address review-critical findings + lock-screen polish riffyraf 2026-05-03
commit body
- Critical (5): per-launch DOWNLOAD_SIGNING_SECRET, JWT alg/typ + exp
  type-guard in verifyLocalJwt, sandbox:true on the renderer, raw-stream
  log gated behind MIKE_DEBUG_RAW_STREAM, drop dead workflow column
  insert.
- Session 1 (security): CSP on packaged builds, DevTools gated to
  unpackaged + non-lock-screen, dotenv only loaded in standalone dev,
  pickWorkspace realpath + install-dir guard.
- Session 2 (backend): belt-and-braces user_id on documents DELETE +
  project_id on folder cleanup, global Express error handler,
  127.0.0.1 in signed URLs, 60s timeout + 200MB cap on LibreOffice
  conversion.
- Session 3 (frontend): drop dead incrementMessageCredits, cache JWT
  module-scope in supabase shim, suppress double-loading spinners after
  unlock.
- Lock screen: scope display:flex so .status[hidden] actually hides
  the "Starting Mike..." spinner.

DECISIONS.md updated for the lockout-state choice.
TODO.md updated with the deferred Important + Minor items.
.gitignore now excludes /vendor/ and backend/.dist-bundle/.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
b89e5763 docs(readme): comprehensive project guide riffyraf 2026-05-03
commit body
Replace minimal README with full project documentation:
architecture overview (process model + IPC surface + supabase shim),
security model (threat model + scrypt params + JWT verifier + sandbox/CSP +
filesystem guard + lockout-state caveat), data layout, build
prerequisites + EPERM/Developer Mode notes, expanded project layout,
tech stack table, full diff-from-upstream summary, known limitations,
and contributor conventions. Also fixes the stale "LibreOffice not
bundled" line - it has been bundled since the LO-installer fix.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
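
Commit 79acd8a6 lists a "JWT alg/typ + exp type-guard in verifyLocalJwt" for the local HS256 JWT that replaced Supabase Auth. The following is an added example, not code from the fork: it shows what those three checks guard against using only Node's crypto module, and the function names `signHs256Jwt` and `verifyHs256Jwt` and all sample values are hypothetical.

```javascript
// Added example (constructed names and values); not the fork's verifyLocalJwt.
const crypto = require("node:crypto");

const b64url = (data) => Buffer.from(data).toString("base64url");
const mac = (secret, input) => crypto.createHmac("sha256", secret).update(input).digest();

// Issue a compact JWT. The header parameter exists only so tests can build bad tokens.
function signHs256Jwt(payload, secret, header = { alg: "HS256", typ: "JWT" }) {
  const input = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(payload))}`;
  return `${input}.${b64url(mac(secret, input))}`;
}

// Return the payload if the token is acceptable, otherwise null.
function verifyHs256Jwt(token, secret, nowSec = Math.floor(Date.now() / 1000)) {
  if (typeof token !== "string") return null;
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [head, body, sig] = parts;

  // Verify the MAC in constant time before trusting any decoded field.
  const expected = mac(secret, `${head}.${body}`);
  const given = Buffer.from(sig, "base64url");
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;

  let header, payload;
  try {
    header = JSON.parse(Buffer.from(head, "base64url").toString("utf8"));
    payload = JSON.parse(Buffer.from(body, "base64url").toString("utf8"));
  } catch {
    return null;
  }
  // Pin alg and typ: the token never gets to choose its own algorithm.
  if (!header || header.alg !== "HS256" || header.typ !== "JWT") return null;
  // exp type-guard: a missing exp (undefined <= now is false) or a string exp
  // (coerced by <=) would otherwise slip through the expiry comparison.
  if (!payload || typeof payload.exp !== "number" || !Number.isFinite(payload.exp)) return null;
  if (payload.exp <= nowSec) return null;
  return payload;
}
```

Every rejection path returns the same `null`, so a caller cannot distinguish a bad signature from an expired or malformed token.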
