tony 9f489d1fb6 fix(security): tighten pair-code defences per follow-up review
- Per-code failure threshold dropped 5 → 3. After 3 wrong guesses
  during a code's 5-min TTL, the code is burned and the owner must
  re-mint. Still tolerates the occasional typo while collapsing the
  brute-force window further.
- Cap concurrent active codes to 1: minting a new code clears any
  prior code. Single-user app, no need to juggle multiple.
- Add a global brute-force lockout: after 100 failed attempts in
  any 5-minute window, the redeem endpoint returns 429 endpoint_locked
  for the next 10 minutes, regardless of source IP. Logged at error
  level so the operator notices.
2026-06-01 10:21:03 +01:00
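The three defences the commit message describes (per-code failure threshold, single active code, global lockout) as one self-contained model, written here as an added example rather than the project's own code. The `PairCodeStore` and `ManualClock` names, the six-digit numeric code format and the 403 `invalid_code` response for a wrong guess are assumptions; the thresholds, TTL, window and the 429 `endpoint_locked` response are taken from the message. The clock is injectable so the time-dependent behaviour can be exercised offline.

```python
"""Added example (not the project's code): pair-code redeem defences.

Models the commit's rules:
  * a code lives 5 minutes and is burned after 3 wrong guesses;
  * only one code is active at a time (minting replaces the old one);
  * 100 failures in any 5-minute window lock the endpoint for 10 minutes,
    regardless of source, and the lockout is logged at error level.
"""
import logging
import secrets
import time
from collections import deque
from dataclasses import dataclass
from typing import Callable, Deque, Optional, Tuple

log = logging.getLogger(__name__)

CODE_TTL_S = 300            # 5-minute code lifetime (from the commit message)
PER_CODE_MAX_FAILURES = 3   # burn the code after 3 wrong guesses
GLOBAL_WINDOW_S = 300       # 5-minute sliding window for the global counter
GLOBAL_MAX_FAILURES = 100   # failures in the window that trip the lockout
GLOBAL_LOCKOUT_S = 600      # 10-minute lockout
CODE_LENGTH = 6             # assumed format: six decimal digits


class ManualClock:
    """Deterministic clock for tests; production uses time.monotonic."""

    def __init__(self, start: float = 1000.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


@dataclass
class PairCode:
    value: str
    expires_at: float
    failures: int = 0


class PairCodeStore:
    def __init__(self, clock: Callable[[], float] = time.monotonic) -> None:
        self._clock = clock
        self._active: Optional[PairCode] = None      # at most one live code
        self._failures: Deque[float] = deque()       # timestamps of recent failures
        self._locked_until = 0.0

    def mint(self) -> str:
        """Create a fresh code; any previously active code is discarded."""
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_LENGTH))
        self._active = PairCode(code, self._clock() + CODE_TTL_S)
        return code

    def _prune_failures(self, now: float) -> None:
        # Drop failures that have fallen out of the sliding window.
        while self._failures and self._failures[0] <= now - GLOBAL_WINDOW_S:
            self._failures.popleft()

    def redeem(self, guess: str) -> Tuple[int, str]:
        """Return (http_status, reason) for one redeem attempt."""
        now = self._clock()
        if now < self._locked_until:
            return 429, "endpoint_locked"
        self._prune_failures(now)

        active = self._active
        if active is not None and now >= active.expires_at:
            self._active = active = None  # TTL elapsed: code no longer valid

        if active is not None and secrets.compare_digest(
            active.value.encode(), guess.encode()
        ):
            self._active = None  # a code is single-use
            return 200, "paired"

        # Every wrong guess counts toward the global window, even with no
        # active code, so spraying an idle endpoint still trips the lockout.
        self._failures.append(now)
        if len(self._failures) >= GLOBAL_MAX_FAILURES:
            self._locked_until = now + GLOBAL_LOCKOUT_S
            self._failures.clear()
            log.error("pair-code redeem endpoint locked for %ds after %d failures",
                      GLOBAL_LOCKOUT_S, GLOBAL_MAX_FAILURES)

        if active is not None:
            active.failures += 1
            if active.failures >= PER_CODE_MAX_FAILURES:
                self._active = None  # burned: owner must re-mint
        return 403, "invalid_code"
```

The attempt that reaches the 100th failure is itself answered with 403; every attempt after it, including one carrying the correct code, gets 429 until the lockout expires. Because the global counter is keyed on the endpoint rather than the client, it also covers attempts spread across many source addresses.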