CaseMark fork bring-up: Supabase/R2 replaced with Case.dev Vault and Better Auth

This is the fork's founding commit bundle. Two massive diffs (+9804 and +7335 lines across 78 and 74 files) replace Mike's upstream Supabase auth, Supabase Postgres client, and Cloudflare R2 storage with Case.dev Vault as the document store, Better Auth with encrypted per-user keys, and a new `postgresCompat.ts` shim for raw SQL access. A follow-up commit hardens the public release with rate limiting, expiring download tokens, and the removal of plaintext provider key columns.

infrastructuresecurity

The architectural swap touches nearly every backend module. supabase.ts and supabase*.ts are removed entirely. In their place: caseClient.ts (the Case.dev API wrapper), caseCredentials.ts (encrypted per-user key storage with AES-256-GCM), caseModels.ts, caseSkills.ts, caseSync.ts, caseMatters.ts, and postgresCompat.ts (a 500+ LOC PostgREST-style query builder over raw SQL). Case Vault becomes the canonical store for uploads, generated DOCX files, PDF renditions, downloads, and AI grounding. A migrate-r2-to-case.ts backfill handles existing R2 rows.

Demo Mode lands at the same time: demoMode.ts and demoUsage.ts implement a lifetime per-user budget enforced against a shared Case.dev key, with two new tables (demo_user_usage, demo_usage_events) and about a dozen MIKE_DEMO_* env vars.

The security hardening commit (e2ee94d) is the most independently useful piece. It adds express-rate-limit on /api/auth, introduces assertDownloadSigningSecret() that refuses placeholder secrets at boot, drops the plaintext claude_api_key and gemini_api_key columns from user_profiles (migration 008), and removes the "dev-secret" fallback in the download token signing path. The HMAC download token implementation in downloadTokens.ts - using crypto.timingSafeEqual for comparison - is worth reading on its own if you're building similar signed-URL infrastructure.

The developer helper (scripts/mike-dev.sh) supports start, stop, restart, status, and logs, writing PID and log files under .mike-dev/. status flags placeholder env values that still need real values before auth or storage will work.

So what The architecture here - Vault-backed storage, Better Auth with encrypted provider keys, postgres-compat shim, Case Skills as the workflows surface - is the foundation everything else on this fork builds on. The diffs are too interlocked to cherry-pick piecemeal unless you're adopting the same Case.dev dependencies. Three smaller pieces are more portable: the download-token signing and expiry pattern, the rate-limiter wiring on auth and AI routes, and migration `008` dropping plaintext provider key columns. `postgresCompat.ts` is a significant internal dependency that later commits keep patching; treat it as a liability if you're evaluating the total maintenance cost.

View this fork on GitHub →

Spotted something wrong? Or know the PR text has fresher detail than the writeup above?

Commits in this thread

5 commits from CaseMark/mikeoss-casedotdev, oldest first. Source extracted verbatim from the harvested git log.

SHA Subject Author Date
2e6b6604 Prepare Case.dev public fork kveton 2026-05-02 ↗ GitHub
1c8769ce Complete Case.dev integration polish kveton 2026-05-04 ↗ GitHub
b81944c4 Trigger Vercel review checks kveton 2026-05-04 ↗ GitHub
e2ee94d0 Harden public release security kveton 2026-05-04 ↗ GitHub
bd36bdd5 Merge pull request #1 from CaseMark/codex/public-casedev-release Scott Kveton 2026-05-04 ↗ GitHub
Complete Case.dev integration polish

Capture this thread into my fork

Download a single Markdown prompt that tells Claude how to port every commit above into your working tree — adapting paths and structure to match your repo. Run it via claude -p < capture-thread-32.md from inside the repo you want the changes in.

⬇ Download capture-thread-32.md