willchen96 stops the browser from reaching straight into client data
A backend hardening pass moves profile data off the public client and starts checking who's allowed to touch what.
Until now, the browser could read and write user profile data directly against the data layer. willchen96 has closed that door: profile reads and writes now travel through the backend, where access can actually be checked before anything happens. The same pass added rate limiting - caps on how often a client can hammer the server - plus a standard set of security headers, and moved tracking of who holds an API key onto the server instead of trusting the browser to work it out.
The chat side got the same treatment. Creating a chat or opening a streaming session now confirms you genuinely have access to the project you're attaching it to, closing a gap where someone could plausibly bolt a conversation onto a project they didn't own. The Assistant and Tabular Review tools were also pinned to specific projects rather than floating loose at the user level.
Spotted something wrong? Or know the PR text has fresher detail than the writeup above?