| [VERIFY-1] | Is auth-redirect actually applied? | security.md F-1 — high-impact; if missing, fix immediately |
| [VERIFY-2] | Where is the Polotno license key? Hardcoded or env? | polotno-integration.md, security.md |
| [VERIFY-3] | Is bcryptjs actually used in the FE? | dependencies-inventory.md, security.md F-9 |
| [VERIFY-4] | What does start.sh do? (EFS-mount wait, nuxt start, nginx start, ...) | build-and-deploy.md |
| [VERIFY-5] | What does nginx.conf configure? (HSTS, X-Frame-Options, body size, server header) | build-and-deploy.md, security.md |
| [VERIFY-6] | What's the actual deploy mechanism? (No Jenkinsfile/Actions in repo) | build-and-deploy.md |
| [VERIFY-7] | What does the Hotjar config exclude? Are sensitive fields masked? | observability.md, security.md F-PII |
| [VERIFY-8] | Are Vue 3 deps (@vue/compiler-sfc, @vue/server-renderer) actually used somewhere? | dependencies-inventory.md N-1 |
| [VERIFY-9] | What is the response shape from /webauthenticate? What field names? | authentication-client.md |
| [VERIFY-10] | Are BE handlers consistently checking role_type, or is FE gating the only enforcement? | security.md F-4 |
| [VERIFY-11] | The recent commit 074b9ec excluded role_type == 13 from many nav items — what is role_type 13? | architecture-overview.md, routing-and-state.md |
| [VERIFY-12] | Are vue-toastification and vue-notification both used, or is one dead? | ui-component-library.md |
| [VERIFY-13] | Where is the Polotno license imported from? | polotno-integration.md P-1 |
| [VERIFY-14] | Does the FE rebuild polotno-bundle.js in CI, or is the committed bundle the deployed one? | polotno-integration.md, build-and-deploy.md |