Unauthenticated webhook grants credits
CriticalThe /api/webhooks/rc endpoint processes credit-grant events without verifying the signature header. Any caller can POST a valid payload and receive credits.
Dissent 1 model flagged as low-severity — disagreement captured in audit trail.
