Lockdown — Heimdall Hunts the Bifrost

When Vercel rate limits blocked production, we fixed the pipeline, then unleashed Heimdall for a full black-box penetration test across four parallel Depot sandboxes.

Act I · Deployment

The Gates Hold Fast

Odin

Vercel production deploy is still failing from GH. try again here locally.

The Vercel production deploy had fallen to a rate-limit wall — api-upload-free capped at 5,000 file uploads. The build passed cleanly; the fault lay in the delivery path. The CLI uploads each output file individually, and the free tier simply ran dry.

Added --archive=tgz to both vercel-production.yml and vercel-preview.yml, bundling hundreds of file uploads into a single tarball. The account-wide cooldown (~3 hours) still held, but future deploys would never hit the cap again.

.github/workflows/vercel-production.yml
.github/workflows/vercel-preview.yml
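To make the fix concrete, here is a minimal production deploy job with the upload step before and after the change. This is an added example, not the repository's own workflow file; the job layout, the prebuilt build flow, the secret names (VERCEL_TOKEN, VERCEL_ORG_ID, VERCEL_PROJECT_ID) and the Node version are assumptions.

```yaml
# Added example, not the project's workflow. Secret names, the prebuilt
# build flow and the Node version are assumptions.
name: vercel-production
on:
  push:
    branches: [main]
jobs:
  deploy:
    runs-on: ubuntu-latest
    env:
      VERCEL_ORG_ID: ${{ secrets.VERCEL_ORG_ID }}
      VERCEL_PROJECT_ID: ${{ secrets.VERCEL_PROJECT_ID }}
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm install --global vercel
      - run: vercel pull --yes --environment=production --token=${{ secrets.VERCEL_TOKEN }}
      - run: vercel build --prod --token=${{ secrets.VERCEL_TOKEN }}
      # Before: every file under .vercel/output is sent as its own upload,
      # and each one counts against the free tier's per-file upload quota.
      # - run: vercel deploy --prebuilt --prod --token=${{ secrets.VERCEL_TOKEN }}
      # After: --archive=tgz packs the output into a single tarball, so the
      # deploy is one upload regardless of how many files the build produced.
      - run: vercel deploy --prebuilt --prod --archive=tgz --token=${{ secrets.VERCEL_TOKEN }}
```

The only behavioural change is the final step; the preview workflow gets the same flag on its non-production deploy command. The account-wide cooldown mentioned above is not affected by this change, which only prevents the quota from being hit again.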

Act II · Security

Heimdall Draws the Plan

Odin

we need an external pen test plan for https://fenrir-ledger.vercel.app

Heimdall was summoned to draft a full external penetration test plan. He surveyed the attack surface — 7 API routes, OAuth PKCE, Stripe payment flows, the LLM import pipeline, localStorage token storage, and MDX rendering with rehype-raw.

The plan mapped 10 test categories against OWASP Top 10, identified 4 high-confidence risk hypotheses (refresh token in localStorage, non-distributed rate limiter, session_id entitlement migration, rehype-raw injection), and flagged 7 pre-existing issues from prior reviews. Estimated effort: 14–22 person-days for gray-box, 8–12 for minimum viable.

Act III · Security

Odin Sets the Terms

Odin

Heimdall-led, Timeline we're doing it now, Stripe test mode only, Black-box testing, Budget range $0

Odin's decree was swift: Heimdall-led, zero budget, black-box, starting immediately. No GCP Console, no Vercel dashboard — pure external testing with free tools only. Stripe test mode. Source maps only if publicly served.

Freya interviewed Odin via /plan-w-team to refine scope. The 8 test areas were consolidated into 5 GitHub issues: recon + infra (#470), auth + API authz (#471), injection + SSRF (#472), client-side + payment (#473), and a final report (#474) blocked by all four.

Act IV · Security

Four Wolves Unleashed

Odin

/fire-next-up --batch 4

Four Heimdall agents were dispatched to Depot sandboxes in parallel — each running claude-haiku-4-5 against the live production site at fenrir-ledger.vercel.app.

Each sandbox received a tailored prompt: recon and header analysis, OAuth and JWT manipulation, SSRF and LLM prompt injection probing, and client-side XSS with Stripe webhook forgery. All four confirmed launch and began their hunt. Fire-and-forget: --resume checks their progress later.

Act V · Quick Fix

The Redundant Gate Falls

Odin

just do it now, then HKR

A recurring error — Issue not found on project board — had been dismissed as cosmetic. Odin decreed: investigate and fix. The root cause: gh project item-add was redundant because a GitHub Action already auto-adds issues to the board. The two raced, causing the error.

Removed the redundant gh project item-add call from both plan-w-team.md and issue-template.md. HKR: branch, commit, PR #477, merge, back on main. Clean.

.claude/commands/plan-w-team.md
quality/issue-template.md
memory/MEMORY.md
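The race described above has two sides: a workflow that adds every new issue to the board on the issues.opened event, and a command template that ran gh project item-add for the same issue right after creating it. The workflow below is an added illustration, not the repository's own file; the action version, the project URL and the secret name are placeholders, and the removed CLI call is shown as a comment.

```yaml
# Added example, not the repository's workflow. Project URL, secret name
# and action version are placeholders.
name: add-to-project
on:
  issues:
    types: [opened]
jobs:
  add:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/add-to-project@v1
        with:
          project-url: https://github.com/orgs/EXAMPLE-ORG/projects/1
          github-token: ${{ secrets.ADD_TO_PROJECT_PAT }}
# The command template used to run, after `gh issue create`, something like:
#   gh project item-add 1 --owner EXAMPLE-ORG --url "$ISSUE_URL"
# Both paths add the same issue to the same board with no ordering between
# them; whichever runs second sees inconsistent state and reports the
# "Issue not found on project board" error. Keeping only the event-driven
# workflow makes the board update idempotent from the template's point of view.
```

The general rule this illustrates: when an event-driven automation already owns a side effect, an imperative call that duplicates it is not a harmless belt-and-braces step but a second writer without a lock.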