SD-101

In-memory rate limiter × serverless fan-out — PARKED.

RT L5 finding: Architect and Sentinel independently identified that the in-memory rate limiter does not share state across Vercel serverless instances. A distributed attacker could bypass per-instance limits on /api/run-bout. Mitigated by DB-level credit preauthorization (shared state — no credits, no bout). Both agents assessed below 0.50 confidence threshold. Conditions for escalation: (a) intro credit pool large enough to sustain attack, (b) per-bout API cost exceeds credit charge, (c) >50 concurrent Vercel instances — currently none hold simultaneously. Tracked on GitHub Issues (#373, sanitised, no operational context).

Parked
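
The gap between the per-instance limit and the shared credit check, as an added simulation that is not the project's code. The class and function names, the account and client keys, the SQL shape in the comment, and every number are constructed assumptions.

```javascript
// Constructed simulation: per-instance limiter vs. shared credit preauthorization.
// InstanceLimiter, CreditLedger and simulate are hypothetical names, not the project's.

class InstanceLimiter {
  // Fixed counter held in one serverless instance's memory only.
  constructor(limit) { this.limit = limit; this.counts = new Map(); }
  allow(clientKey) {
    const n = this.counts.get(clientKey) ?? 0;
    if (n >= this.limit) return false;
    this.counts.set(clientKey, n + 1);
    return true;
  }
}

class CreditLedger {
  // Stand-in for the database: one balance per account, seen by every instance.
  constructor(balances) { this.balances = new Map(Object.entries(balances)); }
  // Models an atomic conditional decrement (hypothetical schema), such as:
  //   UPDATE credits SET balance = balance - :cost
  //   WHERE account = :account AND balance >= :cost
  preauthorize(account, cost) {
    const balance = this.balances.get(account) ?? 0;
    if (balance < cost) return false; // no credits, no bout
    this.balances.set(account, balance - cost);
    return true;
  }
}

function simulate({ instances, perInstanceLimit, requests, credits, cost }) {
  const limiters = Array.from({ length: instances }, () => new InstanceLimiter(perInstanceLimit));
  const ledger = new CreditLedger({ acct: credits });
  let passedLimiter = 0;
  let boutsRun = 0;
  for (let i = 0; i < requests; i++) {
    // The platform picks the instance for each request; round-robin stands in for that.
    const limiter = limiters[i % instances];
    if (!limiter.allow('client-1')) continue;
    passedLimiter++; // admitted by a limiter that only knows its own instance
    if (ledger.preauthorize('acct', cost)) boutsRun++; // bounded by shared state
  }
  return { intendedLimit: perInstanceLimit, passedLimiter, boutsRun };
}

// 8 instances with a limit of 5 each admit 40 requests, but only 12 credits exist.
console.log(simulate({ instances: 8, perInstanceLimit: 5, requests: 200, credits: 12, cost: 1 }));
```

The limiter's effective ceiling scales with instance count, while the number of bouts actually run stays capped by the credit balance, which is why condition (a) concerns the size of the credit pool.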
