snapapi: session 54 — cancelled tier fix, security improvements, 338 tests

projects/snapapi/memory/bugs.md

@@ -86,6 +86,26 @@
 - **Deployed to staging:** Yes (commit f3a363f, image imported to w1+w2). Verified: 404 on staging.
 - **Production:** ⚠️ STILL VULNERABLE — needs production deploy (v* tag) to fix. This is a security issue.
 
+### BUG-017: Cancelled subscriptions get free tier (100 req/mo) instead of 0 (MEDIUM) — FIXED (staging)
+- **Found:** Session 54 (self-discovered)
+- **Impact:** Cancelled customers get downgraded to 'free' tier with 100 requests/month forever — free tier was removed in v0.3.0
+- **Root cause:** `downgradeByCustomer()` set tier to `'free'` which still had a 100-request limit
+- **Fix:** Added `'cancelled'` tier with 0 limit. `downgradeByCustomer()` now sets to `'cancelled'`.
+- **Deployed to staging:** Yes (commit 9575d31). 338 tests passing.
+- **Production:** Awaiting investor approval for v* tag
+
+### BUG-018: Recovery endpoint logs full API keys (LOW) — FIXED (staging)
+- **Found:** Session 54 (self-discovered)
+- **Impact:** Full API keys logged during recovery requests — potential key theft via log access
+- **Fix:** Removed `key` field from logger call, now only logs email
+- **Deployed to staging:** Yes (commit 9575d31)
+
+### BUG-019: No rate limiting on billing endpoints (MEDIUM) — FIXED (staging)
+- **Found:** Session 54 (self-discovered)
+- **Impact:** Checkout, portal, and recovery endpoints had no rate limiting — could be spammed
+- **Fix:** Added IP-based rate limit (10 req/15min) to billing router, excluding webhook endpoint
+- **Deployed to staging:** Yes (commit 9575d31)
+
 ## Open
 
 ### BUG-015: Python SDK missing URL validation for ScreenshotOptions object (LOW) — FIXED