Fix: stop shipping Anthropic and Gemini API keys in the browser bundle
Upstream Mike reads `NEXT_PUBLIC_ANTHROPIC_API_KEY` and `NEXT_PUBLIC_GEMINI_API_KEY` into the static user profile - which means those values land in the client JS bundle and ship to every browser. clapointe-carbonleo patches this with two lines.
The bug is in frontend/src/contexts/UserProfileContext.tsx. The static profile object uses process.env.NEXT_PUBLIC_* reads to populate claudeApiKey and geminiApiKey. Anything prefixed NEXT_PUBLIC_ in a Next.js app is inlined at build time and included in the client-side bundle - that is the entire point of the prefix. Setting a production API key in those variables exposes it to anyone who opens DevTools.
The fix replaces both reads with the string "configured", used only as a sentinel to gate UI (whether a model shows as available in the selector). Actual model calls run server-side against backend-held keys, so the sentinel string never reaches an API. Two lines changed, bug closed.
If you have inherited the upstream code, check for any NEXT_PUBLIC_*_API_KEY, NEXT_PUBLIC_*_SECRET, or NEXT_PUBLIC_*_TOKEN reads in your frontend codebase - same class of mistake, same exposure. The "configured" sentinel works as long as the backend actually has the keys provisioned; if a key is missing, the UI will claim the model is available when it is not. A /models/available endpoint from the backend would be more accurate, but that is a cleanup, not a security issue.
Spotted something wrong? Or know the PR text has fresher detail than the writeup above?