Add BMad review epic addendums for all 6 products

Per-product surgical additions to existing epics (not cross-cutting):
- P1 route: 8pts (key redaction, SSE billing, token math, CI runner)
- P2 drift: 12pts (mTLS revocation, state lock recovery, pgmq visibility, RLS leak, entropy scrubber)
- P3 alert: 10pts (HMAC replay, claim-check, out-of-order correlation, free tier, tenant isolation)
- P4 portal: 9pts (partial scan recovery, ownership conflicts, Meilisearch rebuild, VCR freshness, free tier)
- P5 cost: 7pts (concurrent baselines, remediation RBAC, Clock interface, property tests, Redis fallback)
- P6 run: 15pts (shell AST parsing, canary suite, intervention TTL, streaming audit, crypto signatures)

Total: 61 story points across 30 new stories

products/01-llm-cost-router/epics/epic-addendum-bmad.md

@@ -0,0 +1,64 @@
+# dd0c/route — Epic Addendum (BMad Review Findings)
+
+**Source:** BMad Code Review (March 1, 2026)
+**Approach:** Surgical additions to existing epics — no new epics created.
+
+---
+
+## Epic 1 Addendum: Proxy Engine
+
+### Story 1.5: API Key Redaction in Error Traces
+As a security-conscious developer, I want all API keys scrubbed from panic traces, error logs, and telemetry events, so that a proxy crash never leaks customer credentials.
+
+**Acceptance Criteria:**
+- Custom panic handler intercepts all panics and runs `redact_sensitive()` before logging.
+- Regex patterns cover `sk-*`, `sk-ant-*`, `sk-proj-*`, `Bearer *` tokens.
+- Telemetry events never contain raw API keys (verified by unit test scanning serialized JSON).
+- Error responses to clients never echo back the Authorization header value.
+
+**Estimate:** 2 points
+
+### Story 1.6: SSE Disconnect Billing Accuracy
+As an engineering manager, I want billing to reflect only the tokens actually streamed to the client, so that early disconnects don't charge for undelivered tokens.
+
+**Acceptance Criteria:**
+- When a client disconnects mid-stream, the proxy aborts the upstream connection within 1 second.
+- Usage record reflects only tokens in chunks that were successfully flushed to the client.
+- Disconnect during prompt processing (before first token) records 0 completion tokens.
+- Provider connection count returns to 0 after client disconnect (no leaked connections).
+
+**Estimate:** 3 points
+
+---
+
+## Epic 2 Addendum: Router Brain
+
+### Story 2.5: Token Calculation Edge Cases
+As a billing-accurate platform, I want token counting to handle Unicode, CJK, and emoji correctly per provider tokenizer, so that cost calculations match provider invoices within 1%.
+
+**Acceptance Criteria:**
+- Uses `cl100k_base` for OpenAI models, Claude tokenizer for Anthropic models.
+- Token count for emoji sequences (🌍🔥) matches provider's count within 1%.
+- CJK characters tokenized correctly (each char = 1+ tokens).
+- Property test: 10K random strings, our count vs mock provider count within 1% tolerance.
+
+**Estimate:** 2 points
+
+---
+
+## Epic 8 Addendum: Infrastructure & DevOps
+
+### Story 8.7: Dedicated CI Runner for Latency Benchmarks
+As a solo founder, I want proxy latency benchmarks to run on a dedicated self-hosted runner (NAS), so that P99 measurements are reproducible and not polluted by shared CI noise.
+
+**Acceptance Criteria:**
+- GitHub Actions workflow triggers on pushes to `src/proxy/**`.
+- Runs `cargo bench --bench proxy_latency` on self-hosted runner.
+- Fails the build if P99 exceeds 5ms.
+- Results stored in `target/criterion/` for trend tracking.
+
+**Estimate:** 1 point
+
+---
+
+**Total Addendum:** 8 points across 4 stories