OAuth tokens not revoked on user deletion
When a user account is deleted, their active OAuth tokens remain valid until they naturally expire. This is a security issue — tokens should be revoke...
REST API missing cursor-based pagination
The REST API currently uses offset-based pagination, which becomes unreliable and slow on large datasets. Cursor-based pagination would provide consist...
Rate limiting not applied to webhook endpoints
The incoming webhook endpoints (/api/webhooks/*) do not have rate limiting configured. A misconfigured or malicious integration could flood the queue...