willchen96 gives stored API keys their own lock and key

Mike will no longer quietly reuse a shared database secret to encrypt the API keys users hand over - it now insists on a dedicated one.

Tags: security, infrastructure

When a user stores a third-party API key in Mike, that key gets encrypted at rest. Until now the system would, if no purpose-built secret was set, silently fall back to the same master key that guards the database itself. willchen96 has cut those fallbacks out. The encryption now demands its own dedicated secret and refuses to handle stored keys without it, with a startup error that says exactly what's missing.

The point is separation of concerns. Tangling user secrets up with the database master key meant rotating one could put the other at risk, and made it genuinely hard to know which key was protecting what in any given deployment. Anyone running this stack will now have to provision that dedicated secret before the service will store keys at all - a deliberate trade of one-time setup friction for cleaner, safer key rotation down the line.

So what: Anyone self-hosting Mike or evaluating its security posture should note the new required secret and the cleaner separation it buys.



Commits in this thread

2 commits from willchen96/mike, oldest first. Source extracted verbatim from the harvested git log.

SHA       Author         Date        Subject
b4ba2742  willchen96     2026-05-16  fix: update encryption key retrieval to use only USER_API_KEYS_ENCRYPTION_SECRET; remove supabase secret key fallback
aed8c42e  cosimoastrada  2026-05-16  Merge pull request #137 from willchen96/require-user-api-key-secret
