Most Chrome extensions that hit external APIs route your requests through the developer's backend. That's not a conspiracy theory — it's just the default architecture. You need a server to hide your API keys, log errors, maybe rate-limit abuse. The tradeoff is that every query you make goes through someone else's infrastructure. For a reading tool that sees every word you highlight on every page you visit, that felt like the wrong tradeoff. rabbitholes sends requests directly from your browser to api.anthropic.com and api.search.brave.com. No intermediary server. No request log I could read even if I wanted to. Your Anthropic API key lives in chrome.storage.sync — encrypted by Chrome, never transmitted anywhere except straight to Anthropic. Making this work without a backend required solving one real problem: you can't safely embed an API key in extension source code, because anyone who installs the extension can extract it. The answer is to not embed a key at all.…