docs(C6): mark FMP key cleanup complete

Record the implementation commit that removes FMP demo-key ambiguity and documents the required API key. Refs: docs/AUDIT_REDESIGN.md item C6. Co-Authored-By: GPT-5 Codex <noreply@openai.com>
2026-05-04 17:01:16 -07:00 · 2026-05-04 17:01:16 -07:00 · e72b375557
commit e72b375557
parent 1377bf2453
1 changed files with 1 additions and 1 deletions
--- a/docs/AUDIT_REDESIGN.md
+++ b/docs/AUDIT_REDESIGN.md
@ -46,7 +46,7 @@ Status: ⬜ open · 🟦 in PR · ✅ fixed (commit hash on the right).
 | C3  | `/api/screener` passes `sector` query through to FMP without an allow-list. Low-impact injection, but should validate.              | 🟡       | ✅     | c173aeb    |
 | C4  | `/api/news` passes `symbols` through to Alpaca without validation.                                                                  | 🟡       | ✅     | 7c4b08c    |
 | C5  | Header `fetchMarketIndices` polls every 60 s even when the tab is hidden. Should pause via `document.visibilityState`.              | 🟡       | ✅     | e089832    |
-| C6  | `backend/.env.example` keeps `FMP_API_KEY=demo` AND `apiServer.ts` falls back to `'demo'`. Two sources of truth. Demo key is shared globally and rate-limited.  | 🟡       | ⬜     |            |
+| C6  | `backend/.env.example` keeps `FMP_API_KEY=demo` AND `apiServer.ts` falls back to `'demo'`. Two sources of truth. Demo key is shared globally and rate-limited.  | 🟡       | ✅     | 1377bf2    |
 | C7  | FMP `apikey` is sent as a query string → leaks into proxy / CDN logs. FMP doesn't support headers, so the only mitigation is server-side caching (see C2). | 🟡       | ⬜     |            |

 ## D. UX / UI polish