The API rate limiting logic that Codex generated was wrong in a very specific way: it rate limited per API key, but the keys were rotating automatically. Effectively no rate limiting at all. Our competitor found this. They scraped our entire product database through the API over one weekend. Every user, every listing, every piece of proprietary data we had. We found out because they launched a competing feature using data that could only have come from us. We have no legal recourse because the data was technically public via the API.
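The failure described in the post, as an added example that is not the poster's code: the same sliding-window limiter is bucketed first by API key and then by the account that owns the key, while one client's key rotates during a burst. The key format, the `KEY_OWNER` mapping, the limits and the rotation interval are all assumptions constructed for the illustration.

```python
from collections import defaultdict, deque

class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window` seconds for each bucket id."""
    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)   # bucket id -> timestamps of allowed calls

    def allow(self, bucket, now):
        q = self.hits[bucket]
        while q and now - q[0] >= self.window:   # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

# Constructed mapping (hypothetical): every key, rotated or not, has one owner.
KEY_OWNER = {}

def issue_key(account, generation):
    key = f"key-{account}-{generation}"
    KEY_OWNER[key] = account
    return key

def per_key(key):
    # Flawed bucketing: a rotated key starts with an empty bucket.
    return key

def per_account(key):
    # Corrected bucketing: the bucket is the stable owner, so it survives rotation.
    return KEY_OWNER[key]

def simulate(bucket_for, requests=1000, rotate_every=50, limit=100):
    """One account sends `requests` calls in 10 seconds and its key rotates
    every `rotate_every` calls. Returns how many calls were allowed."""
    limiter = SlidingWindowLimiter(limit=limit, window=60)
    allowed = 0
    for i in range(requests):
        key = issue_key("acct-1", i // rotate_every)
        if limiter.allow(bucket_for(key), now=i * 0.01):
            allowed += 1
    return allowed

if __name__ == "__main__":
    print("bucketed per key:    ", simulate(per_key), "of 1000 allowed")
    print("bucketed per account:", simulate(per_account), "of 1000 allowed")
```

Because each key is replaced before its own bucket fills, the per-key limiter never rejects a call; a monitoring check that compares allowed requests per account against the intended limit would surface the gap.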