**File:** `packages/agent/src/routes/herald-api.ts` + `index.ts`

`heraldRouter` mounted without `verifyJwt`. Anyone can approve/reject tweets via `POST /api/herald/approve/:id`, view DMs and budget data.

**Fix:** Add `verifyJwt` + admin role check.

Ref: PR #70 audit
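A sketch of the fix as an added example, not the project's code: Express-style `(req, res, next)` guards run ahead of the approve handler, modelled without Express so it runs on its own. The `verifyJwt` body here is a hypothetical HS256 stand-in for the project's middleware, and `requireAdmin`, the `role` claim, `dispatch`, `post` and the secret are assumptions.

```javascript
const { createHmac, timingSafeEqual } = require("node:crypto");

const SECRET = "constructed-demo-secret"; // constructed value for this example
const b64u = (v) => Buffer.from(v).toString("base64url");
const mac = (data) => createHmac("sha256", SECRET).update(data).digest();

// Build a constructed HS256 sample token.
function signJwt(claims) {
  const body = `${b64u('{"alg":"HS256","typ":"JWT"}')}.${b64u(JSON.stringify(claims))}`;
  return `${body}.${mac(body).toString("base64url")}`;
}

// Hypothetical stand-in for verifyJwt: 401 unless the Bearer token verifies.
function verifyJwt(req, res, next) {
  const [h, p, s] = (req.headers.authorization || "").replace(/^Bearer /, "").split(".");
  const sig = Buffer.from(s || "", "base64url");
  const want = mac(`${h}.${p}`);
  if (sig.length !== want.length || !timingSafeEqual(sig, want)) return res.status(401);
  const claims = JSON.parse(Buffer.from(p, "base64url").toString());
  if (claims.exp && claims.exp < Date.now() / 1000) return res.status(401);
  req.user = claims;
  next();
}

// Admin role check; the `role` claim name is an assumption.
function requireAdmin(req, res, next) {
  if (!req.user || req.user.role !== "admin") return res.status(403);
  next();
}

const approved = []; // ids the handler acted on
function approveTweet(req, res) {
  approved.push(req.params.id);
  res.status(200);
}

// Run an Express-style middleware chain and return the status code.
function dispatch(chain, req) {
  const res = { code: 0, status(c) { this.code = c; return this; } };
  let i = 0;
  const next = () => chain[i++]?.(req, res, next);
  next();
  return res.code;
}

const guarded = [verifyJwt, requireAdmin, approveTweet]; // guards run before the handler
function post(chain, id, token) {
  const headers = token ? { authorization: `Bearer ${token}` } : {};
  return dispatch(chain, { headers, params: { id } });
}
```

In an Express app the same ordering is expressed by passing both guards before the router when mounting it on the `/api/herald` prefix.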