# Verification Report

## Summary
| Category | Count |
|---|---|
| Claims verified ✅ | 13 |
| Claims with drift 🔧 | 0 |
| Claims requiring follow-up ⚠ | 6 |
## A. Verified claims

| Claim | Where claimed | How verified |
|---|---|---|
| routes/routes.js registers 31 endpoints | API-inventory.md | `grep -cE "router\.(get\|post\|put\|delete)\(['\"]/" routes/routes.js` → 31 |
| routes/auth.js registers 9 endpoints | API-inventory.md | `grep -cE "router\.(get\|post\|put\|delete)\(['\"]/" routes/auth.js` → 9 |
| routes/routes.js is 1400 lines | architecture-overview.md | `wc -l routes/routes.js` → 1400 |
| routes/auth.js is 957 lines | architecture-overview.md | `wc -l routes/auth.js` → 957 |
| helper/ has 10 files | code-overlap.md, architecture-overview.md | `ls helper \| wc -l` → 10 |
| ragProcess.js, revokeToken.js, tokenGenerator.js, webScraping.js are byte-identical between this repo and someli-api/helper/ | code-overlap.md | per-file `diff` → 0 lines |
| helper.js differs by 856 lines | code-overlap.md | `diff helper/helper.js ../someli-api/helper/helper.js \| wc -l` → 856 |
| aiLogics.js differs by 396 lines | code-overlap.md | as above → 396 |
| constants.js differs by 163 lines | code-overlap.md | as above → 163 |
| basic.js differs by 119 lines | code-overlap.md | as above → 119 |
| stockImage.js differs by 49 lines | code-overlap.md | as above → 49 |
| Hardcoded expressSession secret "3eB(2:\srlI+qa5" in server.js | security.md F-1 | `grep secret server.js` confirms |
| Hardcoded Slack bot token in routes/auth.js lines 20-21 | security.md F-2 | `grep -n xoxb routes/auth.js` confirms |
## B. Drifted claims

None.

## C. Follow-up needed

| ID | Item | Why deferred |
|---|---|---|
| [VERIFY-1] | Is conf/credentials.json actually committed (rather than gitignored)? Probability of leak. | Need to check `git log --all -- conf/credentials.json` |
| [VERIFY-2] | Confirm the Apptype header value the admin FE sends: does it differ from the customer FE's value? | Spot-check FE source |
| [VERIFY-3] | Are the unauthenticated endpoints (/authenticate, /webauthenticate) rate-limited at the nginx level? | nginx config not in repo; ops owner needed |
| [VERIFY-4] | Does production actually run nodemon (per scripts.start), or is it overridden by PM2? | PM2 ecosystem.config.js not in repo; ops owner needed |
| [VERIFY-5] | The 4 byte-identical helpers: are they also byte-identical in designer-api/helper/? | Comparison not run in this audit |
| [VERIFY-6] | The webhook body-parser exemptions: vestigial, or planned? | Code archaeology / ask the team |
## D. Notes for next re-verification

- The codebase moves slowly relative to `someli-api` (the admin scope evolves less). Re-verifying every 12 months is probably enough; sooner if a major feature lands.
- Recount endpoints; update `API-inventory.md` if the count changes.
- Re-run `diff` on the helpers; update the `code-overlap.md` drift table.
- If any of the security findings (F-1, F-2, F-3, F-4) are fixed, update `security.md` and bump the `enterprise-readiness.md` security pillar rating.
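The re-verification steps above (recount endpoints, re-run the helper diffs, re-check the F-2 token grep) are the same commands listed in section A, so they can be scripted. The script below is an added example, not part of the audit report or of either repository; it assumes the layout the report names (`routes/*.js`, `helper/*.js`, a sibling checkout of `someli-api`) and builds a small constructed fixture so it can be exercised without access to the real code. Function names and the fixture contents are this example's own choices.

```shell
#!/bin/sh
# Re-verification helpers for the checks in sections A and D of the report.
# Added example (not the report's own tooling). Assumes the repo layout the
# report describes; make_fixture builds constructed sample files for a dry run.

# Count registered endpoints in a routes file, using the same expression the
# report used to produce the API-inventory.md counts.
count_endpoints() {
  grep -cE "router\.(get|post|put|delete)\(['\"]/" "$1"
}

# Number of diff output lines between helper/$3 in this repo ($1) and in the
# sibling checkout ($2); this is the figure the code-overlap.md drift table records.
helper_drift() {
  diff "$1/helper/$3" "$2/helper/$3" | wc -l | tr -d ' '
}

# Print the names of helper files that are byte-identical in both checkouts.
identical_helpers() {
  for f in "$1"/helper/*.js; do
    name=$(basename "$f")
    if [ -f "$2/helper/$name" ] && cmp -s "$f" "$2/helper/$name"; then
      echo "$name"
    fi
  done
}

# Count lines carrying the Slack bot-token prefix the F-2 check greps for.
# grep -c prints 0 on no match but exits 1, so the exit status is neutralised.
slack_token_hits() {
  grep -c 'xoxb-' "$1" || true
}

# Build a throwaway tree with constructed files so the functions can run offline.
make_fixture() {
  root=$(mktemp -d)
  mkdir -p "$root/repo/routes" "$root/repo/helper" "$root/sibling/helper"
  # Four registrations plus one router.use() line that must not be counted.
  cat > "$root/repo/routes/routes.js" <<'EOF'
router.get('/users', list);
router.post('/users', create);
router.put("/users/:id", update);
router.delete('/users/:id', remove);
router.use(audit);
EOF
  # One helper identical across checkouts, one that has drifted.
  printf 'module.exports = () => 1;\n' > "$root/repo/helper/tokenGenerator.js"
  cp "$root/repo/helper/tokenGenerator.js" "$root/sibling/helper/tokenGenerator.js"
  printf 'a\nb\nc\n' > "$root/repo/helper/helper.js"
  printf 'a\nx\ny\nz\n' > "$root/sibling/helper/helper.js"
  # Constructed placeholder string, not a real credential.
  printf 'const token = "xoxb-PLACEHOLDER-NOT-A-REAL-TOKEN";\n' > "$root/repo/routes/auth.js"
  echo "$root"
}

# Summarise the current numbers for a repo ($1) and its sibling checkout ($2);
# compare the output against sections A and the code-overlap.md drift table.
report() {
  echo "routes/routes.js endpoints: $(count_endpoints "$1/routes/routes.js")"
  echo "routes/auth.js xoxb hits:   $(slack_token_hits "$1/routes/auth.js")"
  for h in "$1"/helper/*.js; do
    n=$(basename "$h")
    echo "helper/$n drift: $(helper_drift "$1" "$2" "$n") lines"
  done
  echo "byte-identical helpers: $(identical_helpers "$1" "$2" | tr '\n' ' ')"
}

# Dry run against the constructed fixture:  sh reverify.sh --demo
# Real run from the repo root:              report . ../someli-api
if [ "${1:-}" = "--demo" ]; then
  FIXTURE=$(make_fixture)
  report "$FIXTURE/repo" "$FIXTURE/sibling"
  rm -rf "$FIXTURE"
fi
```

Note that the drift figures depend on the `diff` implementation's default output format, so a re-verification should be run with the same `diff` that produced the numbers in section A; a change in the count only signals that the helper needs a fresh look, not the size of the change.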