CaseMark fork bring-up: Supabase/R2 replaced with Case.dev Vault and Better Auth
This is the fork's founding commit bundle. Two massive diffs (+9804 and +7335 lines across 78 and 74 files) replace Mike's upstream Supabase auth, Supabase Postgres client, and Cloudflare R2 storage with Case.dev Vault as the document store, Better Auth with encrypted per-user keys, and a new `postgresCompat.ts` shim for raw SQL access. A follow-up commit hardens the public release with rate limiting, expiring download tokens, and the removal of plaintext provider key columns.
The architectural swap touches nearly every backend module. supabase.ts and supabase*.ts are removed entirely. In their place: caseClient.ts (the Case.dev API wrapper), caseCredentials.ts (encrypted per-user key storage with AES-256-GCM), caseModels.ts, caseSkills.ts, caseSync.ts, caseMatters.ts, and postgresCompat.ts (a 500+ LOC PostgREST-style query builder over raw SQL). Case Vault becomes the canonical store for uploads, generated DOCX files, PDF renditions, downloads, and AI grounding. A migrate-r2-to-case.ts backfill handles existing R2 rows.
Demo Mode lands at the same time: demoMode.ts and demoUsage.ts implement a lifetime per-user budget enforced against a shared Case.dev key, with two new tables (demo_user_usage, demo_usage_events) and about a dozen MIKE_DEMO_* env vars.
The security hardening commit (e2ee94d) is the most independently useful piece. It adds express-rate-limit on /api/auth, introduces assertDownloadSigningSecret() that refuses placeholder secrets at boot, drops the plaintext claude_api_key and gemini_api_key columns from user_profiles (migration 008), and removes the "dev-secret" fallback in the download token signing path. The HMAC download token implementation in downloadTokens.ts - using crypto.timingSafeEqual for comparison - is worth reading on its own if you're building similar signed-URL infrastructure.
The developer helper (scripts/mike-dev.sh) supports start, stop, restart, status, and logs, writing PID and log files under .mike-dev/. status flags placeholder env values that still need real values before auth or storage will work.
Spotted something wrong? Or know the PR text has fresher detail than the writeup above?