nwhitehouse's fork gets a real security pass

A single sweeping hardening commit signals nwhitehouse is preparing to host actual user data.

Tags: security, multi-tenant

This is the kind of work you do once you've decided your product is going to hold real client information, not just demo data. The team turned on row-level security across tenant tables (so one customer's records are walled off from another's at the database layer), added server-side middleware to lock down HTTP headers, hardened how download links are issued, and added sanitisers so anything the AI assistant renders into the chat window can't smuggle in malicious markup.
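As an added illustration (not code from the nwhitehouse/mike commit), this is the kind of Postgres row-level-security setup the "walled off at the database layer" line refers to. Postgres itself, the documents table, its tenant_id column, the current_tenant_id() helper and the app.tenant_id session variable are all assumptions, since the page does not show the fork's schema.

```sql
-- Added example, not the fork's own code. Assumes Postgres, an assumed
-- table "documents" keyed by an assumed "tenant_id" column, and that the
-- application binds the assumed session variable app.tenant_id after it
-- has authenticated the request.

CREATE TABLE documents (
    id         bigserial PRIMARY KEY,
    tenant_id  uuid NOT NULL,
    title      text NOT NULL,
    body       text
);

-- Turn RLS on, and FORCE it so the table owner is not silently exempt.
-- (Superusers and roles with BYPASSRLS still bypass policies, so the
-- application role must be neither.)
ALTER TABLE documents ENABLE ROW LEVEL SECURITY;
ALTER TABLE documents FORCE ROW LEVEL SECURITY;

-- Reads the tenant bound to this session. current_setting(..., true)
-- returns NULL instead of raising when the variable is unset, so a
-- session with no tenant bound matches zero rows rather than all rows.
CREATE FUNCTION current_tenant_id() RETURNS uuid
LANGUAGE sql STABLE AS $$
    SELECT NULLIF(current_setting('app.tenant_id', true), '')::uuid
$$;

-- USING filters SELECT/UPDATE/DELETE; WITH CHECK rejects INSERTs and
-- UPDATEs that would create or move a row into another tenant.
CREATE POLICY tenant_isolation ON documents
    FOR ALL
    USING (tenant_id = current_tenant_id())
    WITH CHECK (tenant_id = current_tenant_id());

-- Per-request usage from the application, scoped to one transaction
-- so the binding cannot leak to the next request on a pooled connection.
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111'; -- constructed id
SELECT id, title FROM documents;   -- only this tenant's rows are visible
COMMIT;

-- Review check: as the non-superuser application role with no tenant
-- bound, this must return 0, never the whole table.
BEGIN;
SELECT count(*) FROM documents;
ROLLBACK;
```

The review check at the end is the one to run after any migration: a policy that is merely ENABLEd but not FORCEd, or an application role that happens to own the table, makes the count come back non-zero.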

Alongside the code, two security audit documents were added to the repo, and the fork's storage handling was consolidated to remove a duplicated client-and-server pathway that's a common source of bugs. A handful of older AI-vendor-specific code paths were retired in the same pass.

So what: Anyone evaluating a Mike fork for real client work should look here first - this is the baseline of multi-tenant safety the others can be measured against.



Commits in this thread

1 commit from nwhitehouse/mike, oldest first. Source extracted verbatim from the harvested git log.

SHA       Subject                               Author           Date
325ff20c  Harden auth RLS and rendering paths   Nick Whitehouse  2026-05-03

Capture this thread into my fork

Download a single Markdown prompt that tells Claude how to port every commit above into your working tree — adapting paths and structure to match your repo. Run it via claude -p < capture-thread-110.md from inside the repo you want the changes in.
