kveton wants the browser to stop holding the keys
A wide security pass that pulls secrets, file checks, and access rules back behind the server, though it never made it into the main project.
kveton put up a single, focused hardening pass with one clear idea: stop trusting the browser with things it shouldn't touch. It bundled several distinct moves:
- Encrypted API keys: users' AI provider keys get encrypted at rest, and the browser is only ever told whether a key exists, never shown the key itself.
- Locked-down data access: application data moves behind server-side APIs so the browser can't read database tables directly, and profile lookups return only what the client actually needs.
- Upload checks: uploaded PDFs and Word documents are validated by their real contents before anything is stored or converted, catching mislabeled or malformed files before they hit the pipeline.
- Tighter tenant boundaries: access rules around document review, project sharing, and chat scoping were tightened so one client can't reach another's material.
- Housekeeping: sensitive AI and document logging was removed and vulnerable dependencies were patched.
The author reported clean builds, tests, and audits, but the pull request was closed a few days later and did not land upstream.
So what Anyone building a multi-tenant legal product should read this as a hardening checklist, and as a reminder that even a clean, tested security pass can still get bounced.
Spotted something wrong? Or know the PR text has fresher detail than the writeup above?