kveton wants the browser to stop holding the keys

A wide security pass that pulls secrets, file checks, and access rules back behind the server, though it never made it into the main project.

securitymulti-tenant

kveton put up a single, focused hardening pass with one clear idea: stop trusting the browser with things it shouldn't touch. It bundled several distinct moves:

  • Encrypted API keys: users' AI provider keys get encrypted at rest, and the browser is only ever told whether a key exists, never shown the key itself.
  • Locked-down data access: application data moves behind server-side APIs so the browser can't read database tables directly, and profile lookups return only what the client actually needs.
  • Upload checks: uploaded PDFs and Word documents are validated by their real contents before anything is stored or converted, catching mislabeled or malformed files before they hit the pipeline.
  • Tighter tenant boundaries: access rules around document review, project sharing, and chat scoping were tightened so one client can't reach another's material.
  • Housekeeping: sensitive AI and document logging was removed and vulnerable dependencies were patched.

The author reported clean builds, tests, and audits, but the pull request was closed a few days later and did not land upstream.

So what Anyone building a multi-tenant legal product should read this as a hardening checklist, and as a reminder that even a clean, tested security pass can still get bounced.

View this fork on GitHub →

Spotted something wrong? Or know the PR text has fresher detail than the writeup above?