# [VERIFY] Markers
Open questions from this audit.
| ID | Question | Where it matters |
|---|---|---|
| [VERIFY-1] | Is conf/credentials.json committed (vs gitignored)? | security.md F-10; if committed, immediate rotation needed |
| [VERIFY-2] | What Apptype value does admin_console_R send? Does it match the BE's expectations for any per-Apptype branching? | architecture-overview.md; authentication.md |
| [VERIFY-3] | Are unauthenticated endpoints (/authenticate, /webauthenticate) rate-limited at nginx? | security.md F-9; defence against credential-stuffing |
| [VERIFY-4] | Does production run nodemon (per scripts.start) or node (under PM2 override)? | build-and-deploy.md N-7 |
| [VERIFY-5] | Are the 4 byte-identical helpers also byte-identical in designer-api/helper/? | code-overlap.md; affects shared-package extraction strategy |
| [VERIFY-6] | Are the webhook body-parser exemptions vestigial, or planned future handlers? | API-inventory.md; security.md F-6 |
| [VERIFY-7] | Confirm the SQL-injection spot-check in routes/auth.js and routes/routes.js: any place where `${...}` interpolates from req.query or req.body into a SQL string | security.md F-8 |
| [VERIFY-8] | What's the deploy mechanism? (No Dockerfile / Jenkinsfile in repo.) | build-and-deploy.md |
| [VERIFY-9] | Is the in-memory revokedTokens Set actually populated anywhere (i.e., does logout call into it)? | authentication.md; security.md F-3 |
| [VERIFY-10] | Token format produced by helper/tokenGenerator.js: does it include iat / exp? | authentication.md; security.md F-4 |
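Added example for the VERIFY-7 spot-check (not code from this audit or from the project under review): a heuristic scanner, written in Node.js because that is the audited code base, that flags template literals which are SQL-shaped and interpolate `req.query` or `req.body` (and, going one step beyond the question, `req.params`) straight into the string. It works on text, not a parsed AST, so a request value first copied into a local variable, or a nested template literal, is not caught; it is a first pass to confirm or rule out the finding, not a substitute for reading the two route files. The sample route source it runs over is constructed; the `db.query` and `logger` calls and the file name in it are illustrative, not the project's.

```javascript
'use strict';

// SQL-shaped template literal: begins with a statement keyword, or carries
// clause keywords somewhere in the body. Deliberately loose (a heuristic).
const SQL_START = /^\s*(select|insert|update|delete|with|create|drop|alter)\b/i;
const SQL_INSIDE = /\b(from|where|into|set|values|join)\b/i;
// Direct reference to request-controlled input inside a ${...} expression.
// req.params is an assumption added here; the audit question names query/body.
const REQUEST_INPUT = /\breq\.(query|body|params)\b/;

// Split a template-literal body into its ${...} expressions, honouring
// nested braces inside an expression (e.g. an object literal).
function extractInterpolations(body) {
  const exprs = [];
  let i = 0;
  while ((i = body.indexOf('${', i)) !== -1) {
    let depth = 1;
    let j = i + 2;
    while (j < body.length && depth > 0) {
      if (body[j] === '{') depth++;
      else if (body[j] === '}') depth--;
      j++;
    }
    exprs.push(body.slice(i + 2, j - 1));
    i = j;
  }
  return exprs;
}

function looksLikeSql(body) {
  return SQL_START.test(body) || SQL_INSIDE.test(body);
}

// One finding per template literal that is both SQL-shaped and interpolates a
// request-controlled value: { file, line, expression, snippet }.
function findSqlInterpolations(source, file = '<input>') {
  const findings = [];
  // Backtick literal; allows escaped characters, not nested backticks.
  const literal = /`((?:[^`\\]|\\.)*)`/g;
  let m;
  while ((m = literal.exec(source)) !== null) {
    const body = m[1];
    if (!looksLikeSql(body)) continue;
    for (const expr of extractInterpolations(body)) {
      if (REQUEST_INPUT.test(expr)) {
        // 1-based line of the opening backtick.
        const line = source.slice(0, m.index).split('\n').length;
        findings.push({
          file,
          line,
          expression: expr.trim(),
          snippet: body.replace(/\s+/g, ' ').trim().slice(0, 80),
        });
      }
    }
  }
  return findings;
}

// Constructed sample in the style of an Express route file (not the project's
// code). Line 3 and line 12 should be flagged; lines 8 and 16 should not.
const SAMPLE_SOURCE = [
  "router.get('/users', (req, res) => {",
  "  // unsafe: request value spliced directly into the SQL text",
  "  const sql = `SELECT id, name FROM users WHERE email = '${req.query.email}'`;",
  "  db.query(sql, (err, rows) => res.json(rows));",
  "});",
  "router.post('/login', (req, res) => {",
  "  // safe: placeholders, values passed as a parameter array",
  "  const sql = `SELECT id FROM users WHERE email = ? AND pw = ?`;",
  "  db.query(sql, [req.body.email, req.body.password], done);",
  "});",
  "router.post('/audit', (req, res) => {",
  "  db.query(`INSERT INTO audit(actor) VALUES ('${req.body.user}')`);",
  "});",
  "router.get('/log', (req, res) => {",
  "  // not SQL: interpolation into a log message, should not be flagged",
  "  logger.info(`lookup for ${req.query.email}`);",
  "});",
].join('\n');

for (const f of findSqlInterpolations(SAMPLE_SOURCE, 'routes/sample.js')) {
  console.log(`${f.file}:${f.line} interpolates ${f.expression} into: ${f.snippet}`);
}
```

To use it against the real files, read routes/auth.js and routes/routes.js with `fs.readFileSync` and pass each to `findSqlInterpolations` with its path; an empty result means the text-level check found nothing, a non-empty one gives the exact line to confirm by hand. A hit where the same value is also passed in a parameter array is still a finding, since the interpolation, not the array, reaches the SQL text.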