MEDIUM: 10x .catch(() => {}) silently swallowing errors in client code
MEDIUM: Floating-point REAL type for monetary amounts in SQLite
HIGH: No explicit JSON body size limit on express.json() - default 100KB
HIGH: No process-level unhandledRejection/uncaughtException handler
HIGH: Payment UPDATE/DELETE lack user_id in WHERE clause (defense-in-depth)
HIGH: SQL injection surface in analyticsService.js - string interpolation in WHERE clause
CRITICAL: Incomplete user deletion - orphaned data risk
CRITICAL: SMTP password stored in plaintext in SQLite
CRITICAL: Async route handlers lack try/catch - unhandled rejections crash process