Jeroen1991z hardens key storage and teaches Mike to read redlines

Two upgrades land together: encrypted API keys at rest, and the AI can finally see tracked changes in Word and PDF documents.

contract-review, security

The mikeNL fork closes a quiet but real gap: API keys used to sit in the database as raw text, and now they're encrypted before they're written and decrypted only when the backend needs them. It's the kind of fix every fork of Mike will eventually need.
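
The encrypt-on-write, decrypt-on-read path described above, as an added example (not the fork's encryption.ts): AES-256-GCM, the cipher named in the commit body further down, with a fresh nonce per write and a hard failure on tampering. The base64 key encoding, the `v1:iv:tag:ciphertext` storage format, the function names and the binding of each ciphertext to a user ID via AAD are assumptions of this example and go beyond what the page states.

```javascript
// Added illustration; function names and storage format are hypothetical.
const nodeCrypto = require('node:crypto');

const VERSION = 'v1';   // format tag so the scheme can be changed later
const IV_BYTES = 12;    // 96-bit nonce, the size GCM is designed around
const TAG_BYTES = 16;   // full-length authentication tag

// Decode the master key (assumed: MIKENL_ENCRYPTION_KEY holds 32 bytes as base64).
function loadKey(b64) {
  const key = Buffer.from(b64 || '', 'base64');
  if (key.length !== 32) throw new Error('encryption key must decode to 32 bytes');
  return key;
}

// Encrypt one API key before it is written to the database.
// userId is bound as AAD, so a row copied onto another user will not decrypt.
function encryptApiKey(key, userId, plaintext) {
  const iv = nodeCrypto.randomBytes(IV_BYTES); // fresh nonce per write, never reused
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(userId, 'utf8'));
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const tag = cipher.getAuthTag();
  return [VERSION, ...[iv, tag, ct].map((b) => b.toString('base64'))].join(':');
}

// Decrypt a stored value; throws on unknown format, tampering, wrong key or wrong user.
function decryptApiKey(key, userId, stored) {
  const parts = String(stored).split(':');
  if (parts.length !== 4 || parts[0] !== VERSION) {
    throw new Error('unrecognised ciphertext format'); // includes raw plaintext rows
  }
  const [iv, tag, ct] = parts.slice(1).map((p) => Buffer.from(p, 'base64'));
  if (iv.length !== IV_BYTES || tag.length !== TAG_BYTES) {
    throw new Error('malformed ciphertext');
  }
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, iv,
    { authTagLength: TAG_BYTES });
  decipher.setAAD(Buffer.from(userId, 'utf8'));
  decipher.setAuthTag(tag);
  // final() throws if the tag does not verify; no plaintext is returned in that case.
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

// Convenience wrapper: null instead of an exception, for callers that only need a yes/no.
function tryDecrypt(key, userId, stored) {
  try { return decryptApiKey(key, userId, stored); } catch { return null; }
}
```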

The second piece is more interesting for legal work. When a reviewer marks up a contract - insertions, deletions, margin comments - most AI tools see a flattened document and miss the negotiation entirely. Jeroen1991z's fork extracts those tracked changes from both Word and PDF files and feeds them to the assistant with markers so it knows what was added, cut, or commented on. The PDF path leans on PyMuPDF, a Python library for reading PDF internals, which adds a small deployment wrinkle.

So what: Anyone running contract-review or redline workflows on Mike should watch this fork - reading tracked changes is table stakes for legal AI, and most forks still can't.


Commits in this thread

1 commit from Jeroen1991z/mikeNL, oldest first. Source extracted verbatim from the harvested git log.

SHA: 7735ccfd
Subject: Add API key encryption and DOCX/PDF redline extraction
Author: Claude
Date: 2026-05-05

Commit body:
- AES-256-GCM encryption for user API keys at rest (encryption.ts)
- userSettings.ts decrypts keys on read; user.ts PUT /user/api-key encrypts on write
- Frontend routes API key saves through backend endpoint instead of direct Supabase writes
- DOCX tracked-changes extraction: renderParagraphRedline surfaces {++ins++}, {--del--}, {>>comments<<}
- PDF redline extraction via Python/PyMuPDF subprocess (pdfRedlineExtract.ts + scripts/redline_extract.py)
- System prompt updated to explain tracked-change markers to the AI
- .env.example documents MIKENL_ENCRYPTION_KEY and PYTHON_BIN

https://claude.ai/code/session_016JxWnFc3baeDgkzDgxY6ex
