Reusable shared access code allows unlimited unauthorized access across sessions and devices
A single valid access code could be reused an unlimited number of times across multiple browser sessions, different browsers, and separate devices, defeating the intent of staged rollout access gating.
Description
A single valid access code could be reused an unlimited number of times across multiple browser sessions, different browsers, and separate devices. There was no per-user binding, no use cap, and no expiry shorter than the rollout window.
The combination of low entropy (I-02), no use cap (this finding), and bypassable rate limiting (M-01) made the access gate weaker than intended.
Impact
Informational. The access gate is not a security boundary in the strict sense (this is staged rollout, not authorization for sensitive operations), but its effectiveness was lower than designed.
Recommendation
If the access gate needs to remain code-based, issue per-user codes that bind to a single device or session. Add a maximum-use counter and a short expiry. For higher assurance, prefer signed access tokens delivered via an authenticated channel rather than shared codes.
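One way to implement the recommended controls, as an added example that is not Novaswap's or Zealynx's code: an in-memory gate that issues per-user codes bound to the first session that redeems them, with a use cap and a short expiry, plus an HMAC-signed self-expiring token as the higher-assurance alternative to shared codes. The class and function names, the demo key and the sample user and session identifiers are assumptions.

```python
import base64, hashlib, hmac, secrets, time
from dataclasses import dataclass
from typing import Optional
# Constructed demo key (assumption); in production it lives in a secrets manager.
SERVER_KEY = b"constructed-demo-key-not-for-production"
SIG_LEN = hashlib.sha256().digest_size

@dataclass
class CodeRecord:
    user_id: str                       # per-user binding
    expires_at: float                  # short expiry, well inside the rollout window
    max_uses: int                      # use cap (1 = single-shot)
    uses: int = 0
    session_id: Optional[str] = None   # bound to the first session that redeems it

class AccessGate:
    def __init__(self, now=time.time):
        self._now, self._codes = now, {}

    def issue(self, user_id: str, ttl_s: int = 900, max_uses: int = 1) -> str:
        code = secrets.token_urlsafe(16)   # ~128 bits of entropy, never shared between users
        self._codes[code] = CodeRecord(user_id, self._now() + ttl_s, max_uses)
        return code

    def redeem(self, code: str, user_id: str, session_id: str) -> bool:
        rec = self._codes.get(code)
        if rec is None or rec.user_id != user_id or self._now() >= rec.expires_at:
            return False                   # unknown code, wrong account, or expired
        if rec.uses >= rec.max_uses or rec.session_id not in (None, session_id):
            return False                   # use cap reached, or replay from another device
        rec.session_id, rec.uses = session_id, rec.uses + 1
        return True

def mint_token(user_id: str, ttl_s: int = 900, now=time.time) -> str:
    """Signed, self-expiring token for delivery over an authenticated channel."""
    payload = f"{user_id}|{int(now()) + ttl_s}".encode()
    sig = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + sig).decode()

def verify_token(token: str, now=time.time) -> Optional[str]:
    """Return the user_id if the signature checks out and the token is unexpired."""
    try:
        raw = base64.urlsafe_b64decode(token)
        payload, sig = raw[:-SIG_LEN], raw[-SIG_LEN:]
        if not hmac.compare_digest(sig, hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()):
            return None
        user_id, exp = payload.decode().rsplit("|", 1)
        return user_id if now() < int(exp) else None
    except (ValueError, UnicodeDecodeError):
        return None
```

The `now` parameter exists so the expiry paths can be exercised with a controlled clock; the rate limiting from M-01 would sit in front of `redeem` and is not repeated here.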
Novaswap: Confirmed. Zealynx: Fixed.