
Onboarding, workspace defaults, project settings, and RBAC + auth hardening

  • Workspace LLM defaults and onboarding LLM step: Added a Workspace LLM & Defaults page and an LLM defaults step in the onboarding flow so teams can pick a provider, model, and optional API key that projects can inherit.
  • Project settings, inherit or override workspace defaults: Projects can now either inherit workspace LLM and other defaults or store their own overrides; new UI and API flags make switching between inheritance and per-project settings explicit.
  • RBAC & org teardown handling: Introduced a permissions catalog and grants table, a repository API for permissions, and safe org-teardown that revokes entitlements, clears settings, and deletes projects when an organization is removed.

New Features

  • Added a Workspace LLM & Defaults page allowing workspace-level publish mode, theme, visibility and LLM provider/model selection. [frontend]
  • Added an onboarding LLM defaults step so new users can save workspace defaults during setup and mark onboarding complete. [frontend]
  • Added a user-visible option to create projects that inherit workspace defaults, and snapshot workspace values at project creation. [frontend]

Improvements

  • Updated project settings UI to show a clear ‘Use workspace defaults’ toggle and display the effective provider/model when inheritance is enabled. [frontend]
  • Stored project-level visibility passwords as hashed values and ensured project creation respects reserved slugs and returns useful errors. [backend]
  • Made the onboarding flow and sidebar behavior smoother by hiding the main sidebar during onboarding and setting an onboarding-complete cookie for faster subsequent access. [frontend]
  • Improved the project creation UX to post-process slugs and redirect reliably after creation. [frontend]
  • Added a workspace settings page that shows masked workspace API keys and supports replacing them, plus a provider/model matrix for projects to inherit. [frontend]

Security

  • Hardened API endpoints to require and validate the caller identity header (x-clerk-user-id), and to check that the GitHub installation and owner belong to the caller before returning GitHub data. [auth]
  • Enforced project ownership checks on sensitive endpoints (resync, settings updates, project modifications) so only the project owner or members of its organization can act. [auth]
  • Hashed visibility passwords with bcrypt before persisting them, so plain-text secrets are never stored. [auth]

Backend

  • Added a server-side resolver for actor and project/org access to centralize authorization checks used across endpoints. [backend]
  • Implemented enforcement of a free-plan monthly commit cap by counting commit entries in a UTC month window and skipping processing when the cap is reached. [backend]
  • Queued and audited repo-connected events and ensured project settings are snapshotted during project creation for predictable behavior. [backend]

Database & Migrations

  • Added a permission catalog and permission_grants table (RBAC scaffolding) and a PermissionRepository to manage grants programmatically. [database]
  • Added support in the project-settings repository to delete all settings for a subject and wired cleanup into organization deletion flows. [database]
  • Added a changelog entry count query used to enforce free-plan monthly limits and adjusted database exports to expose the new repositories. [database]
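The free-plan cap mentioned under Backend and the entry-count query above both hinge on one detail: the window is a UTC calendar month, so an entry at 23:59:59.999Z on the last day counts against that month and one at 00:00:00.000Z the next day does not, and December must roll over into January of the following year. The following TypeScript is an added illustration of that window computation and cap check, not the project's own code; the cap value, entry shape and sample timestamps are assumptions.

```typescript
// Added example (not the project's own code): enforcing a free-plan monthly commit cap
// by counting changelog entries inside a UTC calendar-month window. The cap value,
// the entry shape and the sample timestamps are assumptions for this illustration.

type ChangelogEntry = { projectId: string; createdAt: Date };
type Plan = "free" | "paid";

const FREE_PLAN_MONTHLY_CAP = 3; // assumed cap for the example

// [start, end) of the UTC calendar month containing `now`. Date.UTC normalises
// month index 12 to January of the next year, so December rolls over correctly.
function utcMonthWindow(now: Date): { start: Date; end: Date } {
  const y = now.getUTCFullYear();
  const m = now.getUTCMonth();
  return { start: new Date(Date.UTC(y, m, 1)), end: new Date(Date.UTC(y, m + 1, 1)) };
}

// Equivalent of the entry-count query: entries for the project with
// start <= createdAt < end, compared on epoch milliseconds.
function countEntriesInMonth(entries: ChangelogEntry[], projectId: string, now: Date): number {
  const { start, end } = utcMonthWindow(now);
  const s = start.getTime();
  const e = end.getTime();
  return entries.filter((x) => {
    const t = x.createdAt.getTime();
    return x.projectId === projectId && t >= s && t < e;
  }).length;
}

// True when the commit should be processed; false when the free-plan cap is reached.
function shouldProcessCommit(
  entries: ChangelogEntry[],
  projectId: string,
  plan: Plan,
  now: Date,
  cap: number = FREE_PLAN_MONTHLY_CAP,
): boolean {
  if (plan !== "free") return true;
  return countEntriesInMonth(entries, projectId, now) < cap;
}

// Constructed sample data: three January 2024 entries for p1 (the last one at the
// final millisecond of the month), one at the first millisecond of February,
// and one entry for an unrelated project.
const SAMPLE_ENTRIES: ChangelogEntry[] = [
  { projectId: "p1", createdAt: new Date("2024-01-03T10:00:00.000Z") },
  { projectId: "p1", createdAt: new Date("2024-01-15T10:00:00.000Z") },
  { projectId: "p1", createdAt: new Date("2024-01-31T23:59:59.999Z") },
  { projectId: "p1", createdAt: new Date("2024-02-01T00:00:00.000Z") },
  { projectId: "p2", createdAt: new Date("2024-01-20T10:00:00.000Z") },
];
```

One caveat a practitioner will want: counting and then inserting is a check-then-act sequence, so two concurrent webhook deliveries can both observe `cap - 1` and both proceed. In production the count and the insert should run in one transaction (or the insert should be made conditional on the count) so the cap holds under concurrency.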

Integrations

  • Blocked GitHub repo/branch listings when the installation is not owned by the calling user to prevent cross-account access to repo metadata. [integrations]
  • Updated client-side GitHub proxy routes to forward caller identity so server-side ownership checks can run consistently. [integrations]

Tests & Docs

  • Updated prompt-builder and settings-resolver tests and messages to reflect project-level system prompt naming and inheritance behavior.
  • Added unit tests around onboarding guard logic and changelog entry counting.