MikeWatch Forks of the Mike legal-AI codebase, distilled for legal-tech readers
Home · clapointe-carbonleo/mike-legal · this thread

Carbonleo rebuilt the front door but left the locks off inside

clapointe-carbonleo replaced Mike's login screen with a branded sign-in flow, but the checks that decide who can see what never got reconnected.

securitymulti-tenant

The fork started by stripping authentication entirely, hard-coding every visitor as a single "internal" user. A few hours later the team course-corrected, adding a real email-and-password login page styled in Carbonleo's black-and-yellow palette and wiring proper user identity back into the backend.

What didn't come back are the access checks - the small piece of code that asks "is this user actually allowed to see this project, document, or review?" That helper is still set to answer "yes" for everyone. The result: people log in with real identities, but the system treats every record as visible to anyone who can get through the front door.

So what Any legal team eyeing this fork as a starting point for multi-user work should know the authorization layer needs rebuilding before it leaves the sandbox.

View this fork on GitHub →

Spotted something wrong? Or know the PR text has fresher detail than the writeup above?

Commits in this thread

3 commits from clapointe-carbonleo/mike-legal, oldest first. Source extracted verbatim from the harvested git log.

SHA Subject Author Date
e6568f87 feat(mike): ic - remove auth - fix sql - all users 'internal' for now clapointe-carbonleo 2026-05-06 ↗ GitHub
2217a5df Add Supabase email/password authentication clapointe-carbonleo 2026-05-06 ↗ GitHub
commit body 
- AuthContext now uses real Supabase session (onAuthStateChange)
- (pages) layout redirects to /login when not authenticated
- Login page with Carbonleo brand styling (dark bg, yellow CTA)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
fffe4396 Validate real Supabase JWT in requireAuth middleware clapointe-carbonleo 2026-05-06 ↗ GitHub
commit body 
Replaces hardcoded 'internal' userId with the actual Supabase user ID
extracted from the Bearer token sent by the frontend. Each user now has
their own isolated data in the database.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Capture this thread into my fork

Download a single Markdown prompt that tells Claude how to port every commit above into your working tree — adapting paths and structure to match your repo. Run it via claude -p < capture-thread-8.md from inside the repo you want the changes in.

⬇ Download capture-thread-8.md