Skip to content

matematicsolutions/patron

Repository files navigation

Patron

License: AGPL v3 Tests AI Act RODO Stack MCP Node

A local-first, self-hosted AI agent for a law firm. A zero-cloud, single-user desktop application (Electron): local SQLite by default (ADR-0053), 6 connectors to Polish and EU law (SAOS / NSA / ISAP / KRS / EUR-Lex / EU-Compliance), a hash-chained audit trail (AI Act art. 12), bring-your-own-model (Gemini / Claude / local Ollama / OpenRouter). A server mode (Postgres + MinIO) remains available as an alternative.

Patron is a fork of Mike (a document-centric legal assistant, AGPL-3.0). The Patron shell inherits AGPL-3.0 as a derivative work. It adds Polish localization, a Polish legal stack, and the compliance requirements a law firm needs. The full rules live in governance/CONSTITUTION.md.

Contents

  • frontend/ - Next.js application
  • backend/ - Express API, MCP client, audit trail, tool dispatch
  • backend/src/lib/input-security/ - a local, deterministic scan of incoming documents (prompt injection / hidden PDF actions / obfuscation) before they reach the model or RAG (ADR-0019/0020)
  • backend/src/lib/mcp-security/ - a local, deterministic scan of MCP connector definitions (typosquatting / description drift / hidden instructions / tool poisoning) BEFORE they are loaded into the MCP contract (ADR-0025/0028)
  • backend/schema.sql - Postgres schema (server mode, Supabase-compatible); desktop mode uses local SQLite (ADR-0053)
  • governance/ - Patron AI Constitution + Implementation Playbook + ADRs
  • deploy/ - deployment runbook (docker-compose)
  • scripts/bundle-mcp.cjs - bundler that packs the 6 MCP servers into the backend image

MCP connectors for Polish and EU law (separate repos)

Connector Domain Returns
mcp-saos common courts, Sad Najwyzszy (Supreme Court), Trybunal Konstytucyjny (Constitutional Tribunal), KIO search / get_judgment / search_by_case
mcp-nsa NSA (Supreme Administrative Court) + 16 WSA (regional administrative courts) case law (CBOSA) search / get_judgment / search_by_case
mcp-isap Polish legislation (Dziennik Ustaw / Journal of Laws + Monitor Polski, Sejm ELI) search_acts / get_act / get_act_text
mcp-krs Krajowy Rejestr Sadowy (National Court Register, Ministry of Justice) get_entity / get_entity_full / get_board
mcp-eu-sparql EU law (EUR-Lex + CJEU, live SPARQL) search_by_celex / search_by_date_range / search_cjeu
mcp-eu-compliance offline EU compliance (GDPR, AI Act, DORA, NIS2, eIDAS 2.0, CRA) eu_search / eu_article / eu_compare / eu_check_applicability / eu_evidence

Production deployment

Full runbook: deploy/README.md. The short version:

# 1. Clone the 7 repos (patron + 6 mcp-*)
git clone matematicsolutions/patron && cd patron
for d in mcp-saos mcp-nsa mcp-isap mcp-krs mcp-eu-sparql mcp-eu-compliance; do
  (cd .. && git clone matematicsolutions/$d && cd $d && npm install && npm run build)
done

# 2. Bundle MCP into the backend image
node scripts/bundle-mcp.cjs

# 3. Configure secrets
cp .env.docker.example .env.docker
nano .env.docker

# 4. Up
docker compose --env-file .env.docker up -d

This requires a separately provisioned Supabase + MinIO (a separate stack). See the runbook.

Governance (before deployment)

The firm reads and signs the Constitution v1.6.1 before deployment (the signature section is at the end of the file).

Open standard - MCS v0.1

Patron is the reference implementation of the open citation standard MateMatic Connector Standard (MCS) v0.1: the structuredContent.citations contract (source_id / url / exact_quote / locator / confidence) plus a 3-color credibility gradient (verbatim / paraphrase / unverified = existence / content / fragment) plus a conformance test (citation roundtrip). Any legal-source connector that satisfies MCS plugs into the citation-verification layer with no changes.

License

The stack is dual-licensed (see ADR-0002):

  • patron (this repo, the shell) - AGPL-3.0-only (LICENSE + NOTICE)
  • mcp-saos, mcp-nsa, mcp-isap, mcp-krs, mcp-eu-sparql, mcp-eu-compliance - MIT

A self-hosting firm can use, modify, and distribute Patron inside its organization with no extra obligations. A competitor that offers Patron as SaaS to third parties must open its modifications.

Patron is a fork of Mike (AGPL-3.0, (c) 2025 Will Chen). Full attribution: NOTICE.


Local development

The rest of this README covers the local (development) setup. For a production deployment, use deploy/README.md (Docker).

Contents (legacy)

  • frontend/ - Next.js application
  • backend/ - Express API, Supabase access, document processing, and database schema
  • backend/schema.sql - Supabase schema for fresh databases
  • backend/migrations/ - incremental database updates for existing deployments

Prerequisites

  • Node.js 20 or newer
  • npm
  • git
  • A Supabase project
  • A Cloudflare R2 bucket, MinIO bucket, or another S3-compatible bucket
  • At least one supported model provider API key: Anthropic, Google Gemini, or OpenAI
  • LibreOffice installed locally if you need DOC/DOCX to PDF conversion

Database Setup

For a new Supabase database, open the Supabase SQL editor and run:

-- copy and run the contents of:
-- backend/schema.sql

The schema file is based on supabase-migration.sql and folds in the later files in backend/migrations/.

For an existing database, do not run the full schema file over production data. Apply the incremental files in backend/migrations/ instead.

Environment

Create local env files:

touch backend/.env
touch frontend/.env.local

Create backend/.env:

PORT=3001
FRONTEND_URL=http://localhost:3000
DOWNLOAD_SIGNING_SECRET=replace-with-a-random-32-byte-hex-string
SUPABASE_URL=https://your-project.supabase.co
SUPABASE_SECRET_KEY=your-supabase-service-role-key

R2_ENDPOINT_URL=https://your-account-id.r2.cloudflarestorage.com
R2_ACCESS_KEY_ID=your-r2-access-key
R2_SECRET_ACCESS_KEY=your-r2-secret-key
R2_BUCKET_NAME=patron

GEMINI_API_KEY=your-gemini-key
ANTHROPIC_API_KEY=your-anthropic-key
OPENAI_API_KEY=your-openai-key
RESEND_API_KEY=your-resend-key
USER_API_KEYS_ENCRYPTION_SECRET=your-long-random-secret

Create frontend/.env.local:

NEXT_PUBLIC_SUPABASE_URL=https://your-project.supabase.co
NEXT_PUBLIC_SUPABASE_PUBLISHABLE_DEFAULT_KEY=your-supabase-anon-key
NEXT_PUBLIC_API_BASE_URL=http://localhost:3001

Supabase values come from the project dashboard. Use the project URL for SUPABASE_URL / NEXT_PUBLIC_SUPABASE_URL, the service role key for the backend SUPABASE_SECRET_KEY, and the anon/public key for NEXT_PUBLIC_SUPABASE_PUBLISHABLE_DEFAULT_KEY. If your Supabase project shows multiple key formats, use the legacy JWT-style anon and service role keys expected by the Supabase client libraries.

Provider keys are only needed for the models and email features you plan to use. Model provider keys can be configured in backend/.env for the whole instance, or per user in Account > Models & API Keys. If a provider key is present in backend/.env, that provider is available by default and the matching browser API key field is read-only.

Install

Install each app package:

npm install --prefix backend
npm install --prefix frontend

Run Locally

Start the backend:

npm run dev --prefix backend

Start the main app:

npm run dev --prefix frontend

Open http://localhost:3000.

First Run

  1. Sign up in the app.
  2. If you did not set provider keys in backend/.env, open Account > Models & API Keys and add an Anthropic, Gemini, or OpenAI API key.
  3. Create or open a project and start chatting with documents.

Troubleshooting

Sign-up confirmation email never arrives. Confirmation emails are sent by Supabase Auth, not by Mike. For local development, the simplest fix is to disable email confirmation in Supabase > Authentication > Providers > Email. For production, configure custom SMTP in Supabase; the built-in mailer is heavily rate-limited and may be restricted on newer projects.

The model picker shows a missing-key warning. Add a key for that provider in Account > Models & API Keys, or configure the provider key in backend/.env and restart the backend.

DOC or DOCX conversion fails. Install LibreOffice locally and restart the backend so document conversion commands are available on the process path.

Useful Checks

npm run build --prefix backend
npm run build --prefix frontend
npm run lint --prefix frontend

About

Self-hosted, GDPR-safe AI agent for law firms. Zero-cloud, hash-chained audit trail (AI Act art. 12), bring-your-own-model, 9 language editions. Hard fork of willchen96/mike, AGPL-3.0.

Topics

Resources

License

Contributing

Security policy

Stars

7 stars

Watchers

0 watching

Forks

Packages

 
 
 

Contributors