A local-first, self-hosted AI agent for a law firm. A zero-cloud, single-user desktop application (Electron): local SQLite by default (ADR-0053), 6 connectors to Polish and EU law (SAOS / NSA / ISAP / KRS / EUR-Lex / EU-Compliance), a hash-chained audit trail (AI Act art. 12), bring-your-own-model (Gemini / Claude / local Ollama / OpenRouter). A server mode (Postgres + MinIO) remains available as an alternative.
Patron is a fork of Mike (a document-centric legal assistant, AGPL-3.0). The Patron shell inherits AGPL-3.0 as a derivative work. It adds Polish localization, a Polish legal stack, and the compliance requirements a law firm needs. The full rules live in governance/CONSTITUTION.md.
frontend/- Next.js applicationbackend/- Express API, MCP client, audit trail, tool dispatchbackend/src/lib/input-security/- a local, deterministic scan of incoming documents (prompt injection / hidden PDF actions / obfuscation) before they reach the model or RAG (ADR-0019/0020)backend/src/lib/mcp-security/- a local, deterministic scan of MCP connector definitions (typosquatting / description drift / hidden instructions / tool poisoning) BEFORE they are loaded into the MCP contract (ADR-0025/0028)backend/schema.sql- Postgres schema (server mode, Supabase-compatible); desktop mode uses local SQLite (ADR-0053)governance/- Patron AI Constitution + Implementation Playbook + ADRsdeploy/- deployment runbook (docker-compose)scripts/bundle-mcp.cjs- bundler that packs the 6 MCP servers into the backend image
| Connector | Domain | Returns |
|---|---|---|
mcp-saos |
common courts, Sad Najwyzszy (Supreme Court), Trybunal Konstytucyjny (Constitutional Tribunal), KIO | search / get_judgment / search_by_case |
mcp-nsa |
NSA (Supreme Administrative Court) + 16 WSA (regional administrative courts) case law (CBOSA) | search / get_judgment / search_by_case |
mcp-isap |
Polish legislation (Dziennik Ustaw / Journal of Laws + Monitor Polski, Sejm ELI) | search_acts / get_act / get_act_text |
mcp-krs |
Krajowy Rejestr Sadowy (National Court Register, Ministry of Justice) | get_entity / get_entity_full / get_board |
mcp-eu-sparql |
EU law (EUR-Lex + CJEU, live SPARQL) | search_by_celex / search_by_date_range / search_cjeu |
mcp-eu-compliance |
offline EU compliance (GDPR, AI Act, DORA, NIS2, eIDAS 2.0, CRA) | eu_search / eu_article / eu_compare / eu_check_applicability / eu_evidence |
Full runbook: deploy/README.md. The short version:
# 1. Clone the 7 repos (patron + 6 mcp-*)
git clone matematicsolutions/patron && cd patron
for d in mcp-saos mcp-nsa mcp-isap mcp-krs mcp-eu-sparql mcp-eu-compliance; do
(cd .. && git clone matematicsolutions/$d && cd $d && npm install && npm run build)
done
# 2. Bundle MCP into the backend image
node scripts/bundle-mcp.cjs
# 3. Configure secrets
cp .env.docker.example .env.docker
nano .env.docker
# 4. Up
docker compose --env-file .env.docker up -dThis requires a separately provisioned Supabase + MinIO (a separate stack). See the runbook.
- Patron AI Constitution v1.6.1 - 9 principles, product boundaries, roles (Administrator / Operator / Inspector), audit, and evolution. Mapped to AI Act art. 12, RODO art. 5/25/30/32, and professional ethics. Art. 5 covers input-document control.
- Implementation Playbook - a 6-8 week step-by-step rollout with a RACI matrix.
- ADRs - Architecture Decision Records (0001-0130), including 0001 hash-chain, 0002 dual-license, 0019 input-document scan, 0020 wiring into ingest.
The firm reads and signs the Constitution v1.6.1 before deployment (the signature section is at the end of the file).
Patron is the reference implementation of the open citation standard
MateMatic Connector Standard (MCS) v0.1: the
structuredContent.citations contract (source_id / url / exact_quote / locator / confidence)
plus a 3-color credibility gradient (verbatim / paraphrase / unverified =
existence / content / fragment) plus a conformance test (citation roundtrip). Any legal-source
connector that satisfies MCS plugs into the citation-verification layer with no changes.
The stack is dual-licensed (see ADR-0002):
patron(this repo, the shell) - AGPL-3.0-only (LICENSE + NOTICE)mcp-saos,mcp-nsa,mcp-isap,mcp-krs,mcp-eu-sparql,mcp-eu-compliance- MIT
A self-hosting firm can use, modify, and distribute Patron inside its organization with no extra obligations. A competitor that offers Patron as SaaS to third parties must open its modifications.
Patron is a fork of Mike (AGPL-3.0, (c) 2025 Will Chen). Full attribution: NOTICE.
The rest of this README covers the local (development) setup.
For a production deployment, use deploy/README.md (Docker).
frontend/- Next.js applicationbackend/- Express API, Supabase access, document processing, and database schemabackend/schema.sql- Supabase schema for fresh databasesbackend/migrations/- incremental database updates for existing deployments
- Node.js 20 or newer
- npm
- git
- A Supabase project
- A Cloudflare R2 bucket, MinIO bucket, or another S3-compatible bucket
- At least one supported model provider API key: Anthropic, Google Gemini, or OpenAI
- LibreOffice installed locally if you need DOC/DOCX to PDF conversion
For a new Supabase database, open the Supabase SQL editor and run:
-- copy and run the contents of:
-- backend/schema.sqlThe schema file is based on supabase-migration.sql and folds in the later files in backend/migrations/.
For an existing database, do not run the full schema file over production data. Apply the incremental files in backend/migrations/ instead.
Create local env files:
touch backend/.env
touch frontend/.env.localCreate backend/.env:
PORT=3001
FRONTEND_URL=http://localhost:3000
DOWNLOAD_SIGNING_SECRET=replace-with-a-random-32-byte-hex-string
SUPABASE_URL=https://your-project.supabase.co
SUPABASE_SECRET_KEY=your-supabase-service-role-key
R2_ENDPOINT_URL=https://your-account-id.r2.cloudflarestorage.com
R2_ACCESS_KEY_ID=your-r2-access-key
R2_SECRET_ACCESS_KEY=your-r2-secret-key
R2_BUCKET_NAME=patron
GEMINI_API_KEY=your-gemini-key
ANTHROPIC_API_KEY=your-anthropic-key
OPENAI_API_KEY=your-openai-key
RESEND_API_KEY=your-resend-key
USER_API_KEYS_ENCRYPTION_SECRET=your-long-random-secretCreate frontend/.env.local:
NEXT_PUBLIC_SUPABASE_URL=https://your-project.supabase.co
NEXT_PUBLIC_SUPABASE_PUBLISHABLE_DEFAULT_KEY=your-supabase-anon-key
NEXT_PUBLIC_API_BASE_URL=http://localhost:3001Supabase values come from the project dashboard. Use the project URL for SUPABASE_URL / NEXT_PUBLIC_SUPABASE_URL, the service role key for the backend SUPABASE_SECRET_KEY, and the anon/public key for NEXT_PUBLIC_SUPABASE_PUBLISHABLE_DEFAULT_KEY. If your Supabase project shows multiple key formats, use the legacy JWT-style anon and service role keys expected by the Supabase client libraries.
Provider keys are only needed for the models and email features you plan to use. Model provider keys can be configured in backend/.env for the whole instance, or per user in Account > Models & API Keys. If a provider key is present in backend/.env, that provider is available by default and the matching browser API key field is read-only.
Install each app package:
npm install --prefix backend
npm install --prefix frontendStart the backend:
npm run dev --prefix backendStart the main app:
npm run dev --prefix frontendOpen http://localhost:3000.
- Sign up in the app.
- If you did not set provider keys in
backend/.env, open Account > Models & API Keys and add an Anthropic, Gemini, or OpenAI API key. - Create or open a project and start chatting with documents.
Sign-up confirmation email never arrives. Confirmation emails are sent by Supabase Auth, not by Mike. For local development, the simplest fix is to disable email confirmation in Supabase > Authentication > Providers > Email. For production, configure custom SMTP in Supabase; the built-in mailer is heavily rate-limited and may be restricted on newer projects.
The model picker shows a missing-key warning. Add a key for that provider in Account > Models & API Keys, or configure the provider key in backend/.env and restart the backend.
DOC or DOCX conversion fails. Install LibreOffice locally and restart the backend so document conversion commands are available on the process path.
npm run build --prefix backend
npm run build --prefix frontend
npm run lint --prefix frontend