Route profile reads through the backend and add basic API hardening
willchen96 pulled `user_profiles` access off the public Supabase client and routed it through backend API routes, added rate limiting and security headers, and closed a gap where a client could attach a chat to a project it didn't own.
The headline change is architectural: user_profiles reads and writes no longer happen directly from the browser against the data layer. They go through backend routes, which is where access control actually belongs. Alongside that, the backend got standard security headers and basic rate limiting - neither sophisticated, but both previously absent.
The chat path got two fixes. Chat creation and the streaming endpoint now validate project access before associating a chat with a project. Before this, a client could plausibly attach a chat to a project it didn't own. Assistant streaming state updates were also fixed. Project-scoped routes were added for the Assistant and Tabular Review surfaces so those tools have an explicit project relationship rather than floating at the user level.
The PR also includes OSS-export housekeeping: a single schema.sql replaces the previous one-shot migration export, and public legal and support pages were added. Testing was limited to a frontend production build. There's no mention of backend test coverage for the new validation paths.
Spotted something wrong? Or know the PR text has fresher detail than the writeup above?