From e72b375557bd04a2980bdddbcaff0edba310a08d Mon Sep 17 00:00:00 2001 From: Saravana Achu Mac Date: Mon, 4 May 2026 17:01:16 -0700 Subject: [PATCH] docs(C6): mark FMP key cleanup complete Record the implementation commit that removes FMP demo-key ambiguity and documents the required API key. Refs: docs/AUDIT_REDESIGN.md item C6. Co-Authored-By: GPT-5 Codex --- docs/AUDIT_REDESIGN.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/AUDIT_REDESIGN.md b/docs/AUDIT_REDESIGN.md index 0f7b3f9..e5f2661 100644 --- a/docs/AUDIT_REDESIGN.md +++ b/docs/AUDIT_REDESIGN.md @@ -46,7 +46,7 @@ Status: โฌœ open ยท ๐ŸŸฆ in PR ยท โœ… fixed (commit hash on the right). | C3 | `/api/screener` passes `sector` query through to FMP without an allow-list. Low-impact injection, but should validate. | ๐ŸŸก | โœ… | c173aeb | | C4 | `/api/news` passes `symbols` through to Alpaca without validation. | ๐ŸŸก | โœ… | 7c4b08c | | C5 | Header `fetchMarketIndices` polls every 60 s even when the tab is hidden. Should pause via `document.visibilityState`. | ๐ŸŸก | โœ… | e089832 | -| C6 | `backend/.env.example` keeps `FMP_API_KEY=demo` AND `apiServer.ts` falls back to `'demo'`. Two sources of truth. Demo key is shared globally and rate-limited. | ๐ŸŸก | โฌœ | | +| C6 | `backend/.env.example` keeps `FMP_API_KEY=demo` AND `apiServer.ts` falls back to `'demo'`. Two sources of truth. Demo key is shared globally and rate-limited. | ๐ŸŸก | โœ… | 1377bf2 | | C7 | FMP `apikey` is sent as a query string โ†’ leaks into proxy / CDN logs. FMP doesn't support headers, so the only mitigation is server-side caching (see C2). | ๐ŸŸก | โฌœ | | ## D. UX / UI polish
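Review bot: C7, in the context line directly after the changed C6 row, becomes more serious once C6 is marked fixed, and the table does not say so. With the shared `demo` fallback removed and an API key required, the `apikey` that C7 describes leaking into proxy / CDN logs is now the operator's own FMP credential rather than a globally shared demo value. Consider adding a cross-reference between the two rows, or a note on C7, so the query-string exposure and the server-side caching it points to in C2 are prioritised accordingly. Separately, the C6 description still states the pre-fix condition in the present tense. That matches the other fixed rows (C3 to C5), but this patch touches only docs/AUDIT_REDESIGN.md, so a short phrase in the row saying what 1377bf2 changed (fallback removed, key required) would let a reader confirm the fix without opening that commit.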