clapointe-carbonleo stops the API keys from leaking into every browser
A one-line security fix that yanks two AI provider keys out of the public web bundle, where any user could have read them.
The team caught a genuine leak in the upstream code. The keys that let the app talk to its AI providers (Anthropic, which makes Claude, and Google's Gemini) were being loaded in a way that bakes them straight into the code shipped to every visitor's browser. In plain terms: anyone using the app could have opened their browser's developer tools and copied the keys, then run up charges on someone else's account.
The fix removes those reads entirely. clapointe-carbonleo's deployment manages keys on the server instead, where users never see them - the correct place for a secret to live. It's a tiny change, but it closes a real hole.
Spotted something wrong? Or know the PR text has fresher detail than the writeup above?