[VERIFY] Markers

Open questions from this audit.

| ID | Question | Where it matters |
|---|---|---|
| [VERIFY-1] | Is conf/credentials.json actually committed (vs gitignored)? Probability of leaked Google service account. | security.md F-6 |
| [VERIFY-2] | Is the Polotno license key hardcoded in routes/routes.js, or env-driven? | security.md F-9, configuration.md, media-processing.md F-M3 |
| [VERIFY-3] | Is @sendgrid/mail actually needed? SENDGRID_API_KEY is in conf.js but no SDK is declared. | dependencies-inventory.md, configuration.md |
| [VERIFY-4] | Per-file cron schedules (many called out as TBD in jobs-inventory.md). | jobs-inventory.md, bots-inventory.md |
| [VERIFY-5] | Per-handler auth checks in routes/routes.js — enumerate which endpoints are unauthenticated. | authentication.md, security.md F-3 |
| [VERIFY-6] | Does routes/routes.js importing content_generation_bot.js cause duplicate cron scheduling when the bot is also run as its own PM2 process? | bots-inventory.md B-2 |
| [VERIFY-7] | Contents and intent of push.sh | build-and-deploy.md |
| [VERIFY-8] | Audit nginx.conf for HSTS, X-Frame-Options, body size, server header suppression | build-and-deploy.md D-5, security.md F-12 |
| [VERIFY-9] | What is the deploy + PM2 process model in production? Is there an ecosystem.config.js held outside the repo? | build-and-deploy.md |
| [VERIFY-10] | Industry id → job_*.js mapping — confirm every job_.js targets a single tIndustries row, and the schedule frequencies don't collide on the same DB connection pool | jobs-inventory.md J-1 |
| [VERIFY-11] | What does notificationformissing() actually report? Confirm the Slack message content. | notifications.md |
| [VERIFY-12] | Does the Slack notifier's node-schedule time zone resolve consistently across deploy boxes? | notifications.md F-N5 |
| [VERIFY-13] | What's the total Polotno render volume per day? Cost? | media-processing.md, FinOps |
| [VERIFY-14] | What's the OpenAI cost per bot per month? | bots-inventory.md B-4, FinOps |
| [VERIFY-15] | How many distinct industries are actively generating content? (Some job_<industry>.js files may target dormant industries.) | jobs-inventory.md |