clapointe-carbonleo plugs an API key leak in Mike's frontend

A two-line fix stops Anthropic and Gemini keys from being shipped to every user's browser.

securityinfrastructure

Upstream Mike had a quiet but serious bug: the frontend was reading API keys for Anthropic (Claude's maker) and Google's Gemini from environment variables prefixed in a way that Next.js - the web framework Mike is built on - bakes directly into the JavaScript sent to every visitor. Anyone loading the app could have pulled the keys out of the page source and run up bills on someone else's account.

clapointe-carbonleo's fix swaps the key reads for a harmless placeholder used only to decide whether the model picker shows Claude and Gemini as options. The actual AI calls already ran server-side with properly held keys, so nothing functional changes - the leak just stops. It's the kind of mistake that's easy to repeat across a codebase, and worth a sweep of any Mike fork to make sure no other credentials slipped through the same crack.

So what Anyone running a Mike fork in production should audit their frontend environment variables today - this is a live exposure, not a theoretical one.

Spotted something wrong? Or know the PR text has fresher detail than the writeup above?

Commits in this thread

1 commit from clapointe-carbonleo/mike-legal, oldest first. Source extracted verbatim from the harvested git log.

SHA	Subject	Author	Date
`c52c1648`	Remove NEXT_PUBLIC API keys - hardcode availability instead	clapointe-carbonleo	2026-05-06	↗ GitHub
commit body API keys must never be NEXT_PUBLIC_* (they end up in the browser bundle). Model availability now hardcoded to 'configured' so all models show as available. The backend uses its own server-side keys for actual API calls. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

SHA

Subject

Author

Date

c52c1648

Remove NEXT_PUBLIC API keys - hardcode availability instead

clapointe-carbonleo

2026-05-06

↗ GitHub

commit body

API keys must never be NEXT_PUBLIC_* (they end up in the browser bundle).
Model availability now hardcoded to 'configured' so all models show as available.
The backend uses its own server-side keys for actual API calls.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Capture this thread into my fork

Download a single Markdown prompt that tells Claude how to port every commit above into your working tree — adapting paths and structure to match your repo. Run it via claude -p < capture-thread-10.md from inside the repo you want the changes in.