amal66 closes a door that let users read each other's data

A fork tightens who can open structured documents - and fixes a bug that several Mike forks all hit independently.

security, infrastructure

amal66's work targets a class of bug that keeps showing up across Mike forks: a user could reach spreadsheet-style documents that belonged to someone else, simply because the access check wasn't there. This is the unglamorous, high-stakes kind of flaw - no crash, no error, just one client's data quietly visible to another. The fix adds a proper ownership check before those documents can be opened, and a second change makes sure email-based access matching doesn't break just because one address was typed in capitals and another in lowercase.

Underneath, amal66 also reorganised how the application handles incoming requests, checking that each one is shaped correctly before it's allowed through. That's plumbing, but it's the plumbing that makes the access rules above enforceable and harder to forget next time.

So what: Anyone running a Mike fork that stores client documents should look at this - it's the strongest data-access fix in the run.
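The pattern described above, sketched as an added example (not code from amal66/mike or upstream Mike): validate the request shape, then authorize against the owning project, comparing shared emails in lowercase. The store, field names, id format and status codes are assumptions, and a hand-written shape check stands in for the Zod schemas the fork uses.

```javascript
// Added example: all names and data here are hypothetical, constructed for illustration.
const projects = new Map([
  ["p1", { ownerId: "u-alice", sharedEmails: ["Bob@Example.com"] }],
]);
const tabularDocs = new Map([
  ["d1", { projectId: "p1", rows: [["client", "fee"], ["Acme", 1200]] }],
]);

// Normalize identity fields before comparing them.
const normEmail = (e) => String(e).toLowerCase();

// Boundary validation: reject malformed requests before any lookup happens.
// (Stand-in for a Zod schema, so the example has no dependencies.)
function parseRequest(req) {
  const id = req && req.params && req.params.docId;
  if (typeof id !== "string" || !/^[A-Za-z0-9_-]{1,64}$/.test(id)) return null;
  return { docId: id };
}

// Authorization: the project owner, or an address on the project's share list.
function canRead(user, project) {
  if (project.ownerId === user.id) return true;
  if (typeof user.email !== "string") return false;
  const me = normEmail(user.email);
  return project.sharedEmails.some((e) => normEmail(e) === me);
}

// Guarded handler: validate, authenticate, authorize, and only then return data.
// Without the canRead() call, any signed-in user who knows a document id gets
// the rows back (the CWE-639 pattern named in the commit body).
function getTabularDoc(req) {
  const parsed = parseRequest(req);
  if (!parsed) return { status: 400 };
  if (!req.user) return { status: 401 };
  const doc = tabularDocs.get(parsed.docId);
  const project = doc && projects.get(doc.projectId);
  // Assumption: answer 404 for both "missing" and "not yours" so ids cannot be probed.
  if (!project || !canRead(req.user, project)) return { status: 404 };
  return { status: 200, rows: doc.rows };
}
```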


Commits in this thread

2 commits from amal66/mike, oldest first. Source extracted verbatim from the harvested git log.

SHA Subject Author Date
bfb2466e refactor(chapter-10): split routes into modules with validation and access guards Amal 2026-05-24
commit body
Chapter: 10 - API boundaries.

Plain-English map:
Introduce a module layer for API routes, validate incoming request shapes with
Zod, and add authorization checks around tabular document access.

Why it matters:
Large route files make it hard to see where trust boundaries are. Validation
and access checks need to sit at the boundary before data reaches deeper code.

Principle:
Validate inputs and authorize data access close to the edge of the system.

Precedent borrowed:
Upstream PR #155 and the fork report's strongest security signal: multiple
forks independently patched CWE-639 style tabular-document access bugs.

Upstream base: willchen96/mike@d39f580.
Original local commit: f913869.
08dd7159 fix(chapter-16): normalize shared-email access checks Amal 2026-05-24
commit body
Chapter: 16 - Consistent identity matching.

Plain-English map:
Lowercase emails before checking whether a user has shared access to a
project.

Why it matters:
People do not think of email case as meaningful. Access checks that disagree
with that expectation create confusing denials and uneven security behavior.

Principle:
Normalize identity fields before comparing them.

Precedent borrowed:
Upstream PR #79.

Upstream base: willchen96/mike@d39f580.
Original local commit: e740508.
