Workspace defaults, onboarding LLM step, project settings, RBAC & auth hardening
- New onboarding step to set workspace LLM defaults — Added a new onboarding step that lets you pick a default LLM provider, model, and (optionally) provide an API key for the workspace. These workspace defaults are surfaced in a new Workspace LLM & Defaults settings page and are offered as the default source for new projects.
- Project settings can inherit workspace defaults (or override them) — Projects can now inherit workspace LLM and visibility defaults, or keep per-project overrides. When a project is created we snapshot workspace defaults into the project so teams keep explicit control while benefiting from easier setup.
New Features
- Added an onboarding LLM defaults step so new workspaces can set a default provider, model, and optional API key during setup. [frontend]
- Added a Workspace LLM & Defaults settings page to view and change workspace-wide defaults and API keys. [frontend]
- Added a project creation proxy API and client flows so the web app can create projects while preserving owner context. [backend]
Improvements
- Enabled projects to inherit workspace settings (provider, model, publish mode, theme, visibility) via a new "Use workspace defaults" option in project settings. [frontend]
- Snapshot workspace defaults into new projects at creation time so projects keep predictable settings even if workspace defaults change later. [backend]
- Improved settings UX across workspace and project pages (visibility password handling, model selection, clearer source labels). [frontend]
- Hid the main sidebar during the onboarding flow and added a cookie-based onboarding guard so users are guided through initial setup. [frontend]
- Added client-side helpers and server routes to simplify selecting GitHub repos/branches from the UI (with proper caller context). [frontend]
Security
- Hardened API routes by requiring and verifying caller identity (x-clerk-user-id) and denying GitHub installation access when the installation is not owned by the caller. [auth]
- Stored visibility passwords hashed with bcrypt instead of plain text and updated create/update flows to hash passwords before saving. [backend]
- Added a free-plan monthly commit cap check to worker processing to prevent unexpected LLM usage and surface a safe skip path when the cap is reached. [backend]
API
- Added new API routes for workspace settings, onboarding LLM defaults, onboarding status, and project settings flags (including use_workspace_defaults). [backend]
- Protected project resync and settings endpoints so only project owners or valid org members can perform actions. [auth]
Database
- Added RBAC scaffolding: permission catalog and permission_grants tables plus a PermissionRepository to manage grants. [database]
- Implemented org teardown handling: entitlements and permission grants are revoked, project settings and projects are cleaned up when an organization is deleted. [database]
- Added project_settings.deleteAllForSubject and a changelog entry count query used to enforce monthly free-plan caps. [database]
Integrations
- GitHub connect flows now ensure the requesting user is the installer and proxy GitHub list requests through authenticated client endpoints. [integrations]
Tests & Misc
- Updated tests and prompt-builder naming to reflect project-scoped prompts and system prompt semantics.