willchen96 slams the door on cross-project folder snooping

An outside contributor closes a hole that let one project's folder operations reach into another's.

securityknowledge-management

Project folders are how Mike keeps each matter's documents organised in its own walled garden. The problem: the routes handling those folders trusted whatever folder ID a caller handed them, without checking the folder actually belonged to the project being worked in. In practice that meant someone could reference a folder from a different project - and re-parent a folder under it, or file a document into it - quietly moving things across boundaries that were supposed to be sealed.

The fix, contributed by Eli Fayerman rather than the usual maintainer, threads a single ownership check through every folder operation: if the target folder doesn't belong to the current project, the request comes back as a plain "not found." No accidental reach-across, no leaking that the other project's folder even exists. It's small, self-contained, and ships without tests.

So what Anyone running Mike across multiple clients or matters should care - this was a real cross-project data-manipulation gap, now shut.

View this fork on GitHub →

Spotted something wrong? Or know the PR text has fresher detail than the writeup above?

Commits in this thread

1 commit from willchen96/mike, oldest first. Source extracted verbatim from the harvested git log.

SHA Subject Author Date
7062a300 fix project folder boundary checks Eli Fayerman 2026-05-04 ↗ GitHub

Capture this thread into my fork

Download a single Markdown prompt that tells Claude how to port every commit above into your working tree — adapting paths and structure to match your repo. Run it via claude -p < capture-thread-602.md from inside the repo you want the changes in.

⬇ Download capture-thread-602.md