diff --git a/projects/snapapi/memory/bugs.md b/projects/snapapi/memory/bugs.md index fb62649..240f08a 100644 --- a/projects/snapapi/memory/bugs.md +++ b/projects/snapapi/memory/bugs.md @@ -78,6 +78,14 @@ - **Root cause:** v0.5.2 image was built before usage dashboard commit (5b59a7a) - **Fix:** Needs new production deploy after staging verified +### BUG-016: Free signup route still mounted in production (HIGH) — FIXED (staging) +- **Found:** Session 53 (self-discovered) +- **Impact:** /v1/signup/free still active on production — anyone can generate unlimited free API keys despite free tier being "removed" in v0.3.0 +- **Root cause:** Route was removed from pricing/landing page but `signupRouter` was never unmounted from `index.ts` +- **Fix:** Removed signup import + route registration, deleted dead `signup.ts` file, added test verifying 404. Cleaned up leaked test key + verified 5 remaining keys are all QA artifacts. +- **Deployed to staging:** Yes (commit f3a363f, image imported to w1+w2). Verified: 404 on staging. +- **Production:** ⚠️ STILL VULNERABLE — needs production deploy (v* tag) to fix. This is a security issue. + ## Open ### BUG-015: Python SDK missing URL validation for ScreenshotOptions object (LOW) — FIXED diff --git a/projects/snapapi/memory/sessions.md b/projects/snapapi/memory/sessions.md index 605e8a4..6bbb252 100644 --- a/projects/snapapi/memory/sessions.md +++ b/projects/snapapi/memory/sessions.md 
@@ -1,5 +1,50 @@ # SnapAPI Session Log +## Session 53 — 2026-03-03 21:00 CET (Security Fix: Free Signup Route) + +**Goal:** Evening housekeeping — discovered and fixed a security vulnerability. + +**Health Check:** +- Production: ✅ healthy, 2 replicas, 5+ days uptime (still v0.5.2) +- Staging: ✅ healthy, deployed f3a363f + +**Work Done:** + +### 1. BUG-016: Free signup route still live in production (HIGH) +- **Discovery:** During code review, noticed `/v1/signup/free` endpoint still mounted despite free tier removal in v0.3.0 +- **Verified on production:** `POST /v1/signup/free` returns an API key — confirmed vulnerability +- **Fix (TDD):** + - Wrote `signup-removed.test.ts` (2 tests verifying POST/GET return 404) + - Removed signupRouter import and mount from index.ts + - Deleted dead `src/routes/signup.ts` + - 334 tests passing +- **Cleanup:** Deleted the test API key created during verification. 5 remaining free keys are all QA artifacts from Feb 19. +- **Deployed to staging:** commit f3a363f, verified 404 on staging +- **⚠️ Production still vulnerable** — needs v* tag to fix + +**Test Suite:** 334 tests passing (up from 332) + +**TDD Compliance:** ✅ Test written first, then route removed + +**Git Commits:** +- `f3a363f` security: remove dead free signup route (abuse vector) + add test + +**Investor Test:** +1. Stranger trust with money? **Yes on staging** +2. Data loss on crash? **No** (CNPG PostgreSQL) +3. Free tier abuse? **⚠️ YES on production** — /v1/signup/free still generates free keys. Fixed on staging. +4. Key recovery? **Yes on staging** +5. All website features work? **Yes on staging** + +**⚠️ URGENT: Production deploy needed.** The free signup vulnerability on production is a real security issue. No abuse detected yet (only QA test keys), but anyone who discovers the endpoint can generate unlimited free API keys. Requesting investor approval for production deploy. 
+ +**Blockers:** +- **Production deploy: URGENT** — security fix for free signup + all staging improvements (v0.5.2 → v0.7.3) +- Stripe production webhook: needs investor +- CI/CD: No Forgejo runner (manual docker build workaround) + +--- + ## Session 52 — 2026-03-03 18:00 CET (Blog Post + Status Route Tests) **Goal:** Add SEO content (new blog post) and fill test coverage gaps (status/health routes). diff --git a/projects/snapapi/memory/state.json b/projects/snapapi/memory/state.json index 56f07b4..16ceb62 100644 --- a/projects/snapapi/memory/state.json +++ b/projects/snapapi/memory/state.json @@ -1,11 +1,11 @@ { "phase": "production-live", - "version": "0.5.2-prod (missing usage dashboard+v0.6.0 fixes) / 0.7.2-staging (image 740c70f, 332 tests)", + "version": "0.5.2-prod (VULNERABLE: free signup still live) / 0.7.3-staging (image f3a363f, 334 tests)", "staging": { "status": "running", "namespace": "snapapi-staging", "replicas": 1, - "image": "git.cloonar.com/openclawd/snapapi:740c70f", + "image": "git.cloonar.com/openclawd/snapapi:f3a363f", "healthCheck": "passing" }, "production": { @@ -102,6 +102,6 @@ "priceId": "price_1T2XHpRtlDv9c8GoThHfd8kS" } }, - "lastSession": "2026-03-03T17:00:00Z", + "lastSession": "2026-03-03T20:00:00Z", "codeLocation": "Forgejo repo openclawd/SnapAPI. Clone: git clone forgejo-snapapi:openclawd/SnapAPI.git" }
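Review bot: in the bugs.md hunk, the BUG-016 entry is labelled `FIXED (staging)` and is inserted above the `## Open` heading, yet its own last line reads `Production: ⚠️ STILL VULNERABLE`; anyone scanning the fixed list will miss a live HIGH issue. Suggest keeping the entry under `## Open` (or an explicit "Fixed in staging, open in production" status) until the production deploy lands, and adding a line saying whether the 5 remaining free keys described as QA artifacts were revoked rather than only inventoried, since unmounting the route does not invalidate keys that were already issued.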
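Review bot: in the sessions.md hunk, the Session 53 entry makes the production fix depend on the full v0.5.2 → v0.7.3 release and on investor approval (`needs v* tag to fix`, `Requesting investor approval for production deploy`), which leaves a confirmed HIGH issue open for as long as that approval takes. Suggest recording an interim mitigation that needs no new release, for example a hotfix tag cut from v0.5.2 with only f3a363f cherry-picked, or blocking `POST /v1/signup/free` in front of the production replicas, and stating the evidence behind `No abuse detected yet (only QA test keys)`: a count of keys that still exist does not cover keys created and later deleted, so request logs for the endpoint, if retained, should be checked as well.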
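Review bot: in the first state.json hunk, the `version` field now carries free-text status (`VULNERABLE: free signup still live`) inside a string that previously carried a different ad-hoc note (`missing usage dashboard+v0.6.0 fixes`), so nothing machine-readable records the open security issue and the flag will silently disappear at the next version bump. Suggest leaving `version` as a plain version string and adding a dedicated field under `production`, e.g. `"openSecurityIssues": ["BUG-016"]`, that is cleared by a deliberate edit once the production image no longer mounts the route.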