Route profile reads through the backend and add basic API hardening

willchen96 pulled `user_profiles` access off the public Supabase client and routed it through backend API routes, added rate limiting and security headers, and closed a gap where a client could attach a chat to a project it didn't own.

securitymulti-tenant

The headline change is architectural: user_profiles reads and writes no longer happen directly from the browser against the data layer. They go through backend routes, which is where access control actually belongs. Alongside that, the backend got standard security headers and basic rate limiting - neither sophisticated, but both previously absent.

The chat path got two fixes. Chat creation and the streaming endpoint now validate project access before associating a chat with a project. Before this, a client could plausibly attach a chat to a project it didn't own. Assistant streaming state updates were also fixed. Project-scoped routes were added for the Assistant and Tabular Review surfaces so those tools have an explicit project relationship rather than floating at the user level.

The PR also includes OSS-export housekeeping: a single schema.sql replaces the previous one-shot migration export, and public legal and support pages were added. Testing was limited to a frontend production build. There's no mention of backend test coverage for the new validation paths.

So what Worth reviewing if your deployment currently exposes `user_profiles` directly from the client or lacks project-access validation on chat creation. The absence of backend test coverage for the new validation paths means you'd want to add your own before relying on them in production.

View this fork on GitHub →

Spotted something wrong? Or know the PR text has fresher detail than the writeup above?

Commits in this thread

2 commits from willchen96/mike, oldest first. Source extracted verbatim from the harvested git log.

SHA Subject Author Date
ba6f7711 Sync security and backend profile updates willchen96 2026-05-08 ↗ GitHub
7f5dd217 Merge pull request #46 from willchen96/sync/security-profile-chat-headers cosimoastrada 2026-05-08 ↗ GitHub
Sync security and backend profile updates

Capture this thread into my fork

Download a single Markdown prompt that tells Claude how to port every commit above into your working tree — adapting paths and structure to match your repo. Run it via claude -p < capture-thread-261.md from inside the repo you want the changes in.

⬇ Download capture-thread-261.md