Block a user
[H5] Server does not block self-role-demotion (only self-delete); lockout guard is client-only
[H4] token_blacklist cleanup_expired re-verifies every JWT signature; stores whole tokens in RAM
[H3] revoke_user_tokens is a 501 stub whose comment claims partial behavior
[H2] Bootstrap admin plaintext password written to .admin-credentials + info! log fallback
[H1] No rate-limit/lockout on the login path
[C5] Auto-update verified only by SHA-256 over same channel, no signature -> fleet-wide SYSTEM RCE on MITM
[C4] Agent block_in_place/Handle::block_on in main async session loop -> thread-starvation/deadlock
[C3] downloads.rs body().unwrap() on attacker-controlled Content-Disposition filename -> unauthenticated panic/DoS
[C2] Unauthenticated downloads.rs: hardcoded prod relay URL + default API-key fallback + false support-embedding docstring
[C1] Secrets/tokens in WebSocket URL query strings