Tests business logic for IDOR vulnerabilities, tier bypass, duplicate submissions, and race conditions on critical operations.
Review the core business logic of this app for abuse scenarios: Can a user access another user's resources by changing an ID? Can free-tier limits be bypassed? Can the same action be triggered multiple times (double submissions)? Are there race conditions on critical operations like payments or account creation?