Verification Report
Summary
| Category | Count |
|---|---|
| Claims verified ✅ | 14 |
| Claims with drift 🔧 | 0 |
| Claims requiring follow-up ⚠ | 9 |
A. Verified claims
| Claim | Where claimed | How verified |
|---|---|---|
| 269 endpoint registrations in routes/routes.js | architecture-overview.md, API-inventory.md | grep -cE "router\.(get\|post\|put\|delete)\(" routes/routes.js → 269 |
| 57 job_*.js files in root | architecture-overview.md, jobs-inventory.md | ls job_*.js \| wc -l → 57 |
| routes/routes.js is 13608 lines | architecture-overview.md | wc -l routes/routes.js → 13608 |
| helper/index.js is 88 lines (only helper file) | architecture-overview.md | wc -l helper/index.js → 88; ls helper/ → only index.js |
| Zero filename overlap with someli-api's job_*.js | jobs-inventory.md, code-overlap.md | enumerated; no matches |
| actions/actions.js differs from someli-api's | code-overlap.md | diff shows ~285+ line drift (null handling additions in someli-api) |
| modules/dbDriver/lib/mysql.js differs from someli-api's | code-overlap.md | diff -q reports differ |
| Slack bot token hardcoded in teamsnotification.js | security.md F-1 | head teamsnotification.js confirms |
| Unsplash key hardcoded in routes/routes.js | security.md F-2 | grep'd at line ~50 of routes/routes.js |
| server.js has CORS wildcard + malformed Allow-Credentials header | security.md F-4, authentication.md | cat server.js confirms |
| 30 deps + 0 devDeps (apart from nodemon as runtime dep) | dependencies-inventory.md | cat package.json |
| No middlewares/ directory | architecture-overview.md, authentication.md | ls designer-api/ shows no middlewares/ |
| Multi-stage Dockerfile (builder + runtime) | build-and-deploy.md | cat Dockerfile |
| .env is COPY'd into the Docker runtime image | build-and-deploy.md F-D1 | Dockerfile line: COPY .env conf.js favicon.ico ./ |
B. Drifted claims
None.
C. Follow-up needed
| ID | Item | Why deferred |
|---|---|---|
| [VERIFY-1] | Is conf/credentials.json actually committed (vs gitignored)? | git ls-files conf/credentials.json needed |
| [VERIFY-2] | Is the Polotno license key hardcoded in routes/routes.js? | Targeted grep needed |
| [VERIFY-3] | Is @sendgrid/mail actually needed (since SENDGRID_API_KEY is in conf.js but no SendGrid SDK in package.json)? | Check whether email is sent here |
| [VERIFY-4] | Total per-job cron schedules (some called out, most TBD) | Per-file grep -n cron.schedule |
| [VERIFY-5] | Per-handler auth checks in routes/routes.js — which endpoints are publicly callable? | Per-handler audit |
| [VERIFY-6] | Does routes/routes.js importing content_generation_bot.js cause duplicate cron scheduling vs PM2-run bot? | Check the deploy's actual PM2 manifest |
| [VERIFY-7] | What's in push.sh? | cat push.sh |
| [VERIFY-8] | What's in nginx.conf? Specifically: HSTS, X-Frame-Options, body size, server header suppression | cat nginx.conf + audit |
| [VERIFY-9] | What's the deploy + PM2 process model? | Talk to ops owner |
D. Notes for next re-verification
- The repo moves slowly (~5 commits over 12 months at audit time). Re-verify every 12 months.
- If the industry-clone-job refactor lands, jobs-inventory.md becomes mostly obsolete; rewrite.
- If middlewares/auth.js is added, update authentication.md, security.md F-3 → resolved.
- If .env COPY is removed from Dockerfile, update build-and-deploy.md F-D1.
- If a CI workflow lands, update build-and-deploy.md.