Verify Markers — Open Questions
Status: Audit v0.1 (2026-05-09).
This file consolidates every [VERIFY-*] marker raised across the audit deep-dives. Each entry needs follow-up confirmation by the team or a deeper investigation step.
How to use this file
- Pick an item, investigate, and write the answer next to it.
- When confirmed, update the source doc with the verified information and remove the marker here.
- If the marker turns into a finding, add it to
enterprise-readiness.md § Risk Register.
Items marked (Phase 0a) should be answered as part of the immediate-week security hygiene sweep. Items marked (Phase 0) can wait up to 3 months. Items without a phase tag are research-only and can be answered when convenient.
Architecture / Routing / State
| ID |
Question |
Source doc |
Phase |
| VERIFY-RT-1 |
Are template/sample routes (/charts, /forms, /typography, /components, /pages, /users.vue, etc.) reachable from the production app's navigation? |
routing-and-state.md |
0a |
| VERIFY-RT-2 |
Which carousel-editor variant is canonical (carouseleditor, carouseleditor1, carouselcpeditor)? |
routing-and-state.md |
0a |
| VERIFY-RT-3 |
Are errorCaptured / Vue.config.errorHandler set anywhere? |
routing-and-state.md |
0 |
| VERIFY-RT-4 |
What does autodc represent in root Vuex state? |
routing-and-state.md |
0 |
API Consumption
| ID |
Question |
Source doc |
Phase |
| VERIFY-API-1 |
Does the backend's auth middleware accept token, Authorization, and Authorization: Bearer X interchangeably? |
api-consumption.md |
0 |
| VERIFY-API-2 |
What is the backend token's TTL? Affects token-refresh UX cost/benefit. |
api-consumption.md |
0 |
| VERIFY-API-3 |
Does any code de-duplicate in-flight identical requests? |
api-consumption.md |
0 |
| VERIFY-API-4 |
/auth/getuaccounts vs /auth/getUAccounts — which is canonical? |
api-consumption.md |
1 |
| VERIFY-API-5 |
/auth/getBillingInfo vs /auth/getBillinginfo — which is canonical? |
api-consumption.md |
1 |
| VERIFY-API-6 |
/getGenerateContentStatus vs /auth/getGenerateContentStatus — both endpoints exist; behaviour difference? |
api-consumption.md |
1 |
Authentication (client)
| ID |
Question |
Source doc |
Phase |
| VERIFY-AUTH-1 |
Does the backend support setting an httpOnly Set-Cookie on auth response? Required for moving the token off browser-readable cookies. |
authentication-client.md |
0 |
| VERIFY-AUTH-2 |
Does the backend re-validate roleType on every privileged endpoint? (Frontend role gates are user-editable.) |
authentication-client.md |
0 |
| VERIFY-AUTH-3 |
Does the backend explicitly check social: true before accepting the placeholder password '##########'? |
authentication-client.md |
0 |
| VERIFY-AUTH-4 |
Is Facebook auth wired through some mechanism that justifies the auth._token.facebook cookie read in plugins/auth.js? Or is it dead code? |
authentication-client.md |
0a |
| VERIFY-AUTH-5 |
MFA: enforcement model? Methods (SMS / email / TOTP)? Optional/required? |
authentication-client.md |
1 |
| VERIFY-AUTH-6 |
CSRF posture — does the backend validate Origin and/or require a CSRF token? Cookies are SameSite=None. |
authentication-client.md |
0 |
| VERIFY-AUTH-7 |
Does the backend validate the requesting user's accountId membership on every authenticated request? |
authentication-client.md |
0 |
Security
| ID |
Question |
Source doc |
Phase |
| VERIFY-SEC-1 |
What scope is the GOOGLE_API_KEY granted; is it bundled into the client? |
security.md |
0a |
| VERIFY-SEC-2 |
Verify no OAuth client secrets (EXPRESS_SECRET, TWITTER_CUSTOMER_SECRET, TWITTER_CLIENT_SECRET, FACEBOOK_CLIENT_SECRET) in production bundle. Run grep on a fresh build. |
security.md |
0a |
| VERIFY-SEC-3 |
Does any flow put the auth token in URL params? Spot-check. |
security.md |
0 |
| VERIFY-SEC-4 |
Polotno license terms — does it tolerate public exposure of the SDK key? |
security.md |
0a |
| VERIFY-SEC-5 |
Backend CORS — confirm strict allowed-origins whitelist (not *). |
security.md |
0 |
Dependencies
| ID |
Question |
Source doc |
Phase |
| VERIFY-DEP-1 |
Is stripe (server-side Node SDK) imported anywhere in client code? |
dependencies-inventory.md |
0a |
| VERIFY-DEP-2 |
Which AWS services does the frontend actually use? Likely just S3 — migrate to AWS SDK v3 modular packages for ~80% bundle savings. |
dependencies-inventory.md |
1 |
| VERIFY-DEP-3 |
Where is bcryptjs used client-side, and is the use justified? |
dependencies-inventory.md |
0 |
| VERIFY-DEP-4 |
Webpack-bundle-analyzer: do passport* and express end up in the client bundle? |
dependencies-inventory.md |
0 |
| VERIFY-DEP-5 |
Run yarn audit against root and polotno-editor/; capture critical/high counts. |
dependencies-inventory.md |
0a |
| ID |
Question |
Source doc |
Phase |
| VERIFY-PERF-1 |
Run webpack-bundle-analyzer against a production build; capture per-route initial JS. |
performance.md |
0 |
| VERIFY-PERF-2 |
Count import * as foo patterns; these defeat tree-shaking. |
performance.md |
0 |
| VERIFY-PERF-3 |
lodash actual import style — from 'lodash' (full) vs from 'lodash/debounce' (per-method) vs lodash-es? |
performance.md |
0 |
Accessibility
| ID |
Question |
Source doc |
Phase |
| VERIFY-A11Y-1 |
Do any media queries handle prefers-reduced-motion? |
accessibility.md |
0 |
| VERIFY-A11Y-2 |
Spot-check 10 forms (login, signup, content creation, billing, settings) — every input has <label for> or aria-label? |
accessibility.md |
0 |
| VERIFY-A11Y-3 |
Count role="button" instances — should be using <button> instead |
accessibility.md |
1 |
| VERIFY-A11Y-4 |
Count <div @click=...> instances — should be <button> |
accessibility.md |
1 |
| VERIFY-A11Y-5 |
Count aria-* attribute usage; review for correctness |
accessibility.md |
1 |
| VERIFY-A11Y-6 |
Is there a "Skip to content" link? |
accessibility.md |
0 |
| VERIFY-A11Y-7 |
Polotno editor — keyboard accessible? |
accessibility.md |
1 |
| VERIFY-A11Y-8 |
Run automated contrast check (axe / pa11y) against UAT. |
accessibility.md |
0 |
| VERIFY-A11Y-9 |
Forms — error-message aria-describedby association? |
accessibility.md |
1 |
| VERIFY-A11Y-10 |
Polotno SDK's published WCAG conformance? |
accessibility.md |
1 |
Testing
| ID |
Question |
Source doc |
Phase |
| VERIFY-TEST-1 |
Is there a documented manual QA process / regression checklist? Who tests Polotno editor changes? |
testing.md |
0 |
Build & Deploy
| ID |
Question |
Source doc |
Phase |
| VERIFY-BD-1 |
Build time on a developer machine? |
build-and-deploy.md |
0 |
| VERIFY-BD-2 |
GH Actions vs Jenkins — which is canonical? |
build-and-deploy.md |
0a |
| VERIFY-BD-3 |
Read full .github/workflows/dev_app.yml; document the build steps. |
build-and-deploy.md |
0a |
| VERIFY-BD-4 |
Read full .github/workflows/uat_app_ecs.yml; document the build steps. |
build-and-deploy.md |
0a |
| VERIFY-BD-5 |
How does the team revert a bad dev_app deploy? |
build-and-deploy.md |
0a |
| VERIFY-BD-6 |
Confirm branch → environment → backend mapping. |
build-and-deploy.md |
0a |
| VERIFY-BD-7 |
Is CloudFront / a CDN in front of Lightsail / ECS? |
build-and-deploy.md |
0 |
| VERIFY-BD-8 |
Container user — root or non-root? |
build-and-deploy.md |
0 |
Observability
| ID |
Question |
Source doc |
Phase |
| VERIFY-OBS-1 |
FullStory / Hotjar / LogRocket — were they trial-installed and never finished? Wire them up or delete the plugin files. |
observability.md |
0a |
| VERIFY-OBS-2 |
Does the backend currently expose any per-account feature gates that the frontend reads? |
observability.md |
1 |
| VERIFY-OBS-3 |
How many GTM custom-event push sites are there? |
observability.md |
0 |
| VERIFY-OBS-4 |
Has the team used Microsoft Clarity dashboards to find bugs? Document the workflow. |
observability.md |
0 |
| VERIFY-OBS-5 |
Does the frontend send a correlation ID (X-Request-ID) on outbound requests? |
observability.md |
0 |
i18n
| ID |
Question |
Source doc |
Phase |
| VERIFY-I18N-1 |
Confirm /getLanguages is content-language only, not UI-translation locale. |
i18n.md |
1 |
| VERIFY-I18N-2 |
Is internationalisation on the product roadmap? Targets which markets? |
i18n.md |
1 |
SEO
| ID |
Question |
Source doc |
Phase |
| VERIFY-SEO-1 |
Count pages with custom head() blocks. |
seo-and-metadata.md |
0 |
| VERIFY-SEO-2 |
Any application/ld+json (structured data) in the codebase? |
seo-and-metadata.md |
1 |
| VERIFY-SEO-3 |
Hitting /<accid>/nonexistent — HTTP 200 or 404? |
seo-and-metadata.md |
0 |
| VERIFY-SEO-4 |
nginx error_page / try_files configuration for SPA fallback. |
seo-and-metadata.md |
0 |
| VERIFY-SEO-5 |
Per-page head() blocks on marketing pages (privacy, terms, plan, special_offer)? |
seo-and-metadata.md |
0 |
| VERIFY-SEO-6 |
Is the site verified in Google Search Console? |
seo-and-metadata.md |
1 |
UI Component Library
| ID |
Question |
Source doc |
Phase |
| VERIFY-UI-1 |
What's the actual reuse rate of Buttons/, Cards/, Forms/ primitives vs inline equivalents? |
ui-component-library.md |
1 |
| VERIFY-UI-2 |
What is the scope/intent of pModal.vue? |
ui-component-library.md |
1 |
| VERIFY-UI-3 |
Is the password-strength meter (vue-password-strength-meter + zxcvbn) used everywhere a password is set? |
ui-component-library.md |
1 |
| VERIFY-UI-4 |
Any prefers-color-scheme usage? |
ui-component-library.md |
1 |
Operational
| ID |
Question |
Source doc |
Phase |
| Operational-1 |
Confirm the deployed UAT URL for the live audit (header inspection, Lighthouse run, etc.) |
enterprise-readiness.md § 9 |
0a |
| Operational-2 |
Sentry / equivalent: budget approval needed before Phase 0 work begins. |
enterprise-readiness.md § 9 |
0a |
| Operational-3 |
Vue 3 migration: green light for Phase 2 with what team allocation? |
enterprise-readiness.md § 9 |
1 (decision) |
Team Practices & Governance
| ID |
Question |
Source doc |
Phase |
| VERIFY-TPG-1 |
Are required reviewers configured on PRs for main / uat_app / dev_app? |
enterprise-readiness.md § CMMI 14 |
0a |
| VERIFY-TPG-2 |
Is GitHub branch protection enabled on main / uat_app / dev_app? Convention says "don't push directly" but enforcement is unverified. |
enterprise-readiness.md § CMMI 14 |
0a |
| VERIFY-TPG-3 |
Where do postmortems live (if anywhere)? Notion, Confluence, separate repo? |
enterprise-readiness.md § CMMI 14 |
0 |
| VERIFY-TPG-4 |
What's the SonarQube/SonarCloud gate (sonar-project.properties exists; quality gate unknown)? |
../20-contributing.md § What is not reviewed |
0 |
| VERIFY-TPG-5 |
What is the documented release process for dev_app → uat_app → main promotion? |
../20-contributing.md § Releasing |
0 |
Maintenance
This file is the single source of truth for open audit questions. When all items here are resolved (or moved to the risk register), the audit version can advance from 0.1 to 0.2.
For the master-TDD integration, items remaining in this file at integration time go into the master TDD's "Open Questions" appendix tagged [WC].