DealFindrs
C
Agent Trust Score
58/100
Scanned 4/7/2026
Agent Safety (40%)
58
Code Security (25%)
83
Cost Governance (20%)
18
Compliance (15%)
70
Findings (15)
[AS-01]Write Guard Semantic Integrity
HIGHFound 3 keyword-based write guard(s) without intent classification
Fix: Replace keyword checks with intent classification. Add write_intent_classifier to middleware.
[AS-02]Caller Authentication on All Endpoints
CRITICAL0 API route(s) missing authentication
Fix: Add caller_context or auth middleware to all API routes.
[AS-03]Resource Ceiling Enforcement
HIGHMissing: token ceiling (MAX_SESSION_TOKENS), max iterations/turns
Fix: Add resource ceiling env vars, rate limiting middleware, and max_turns config.
[AS-04]Session Identity Integrity
HIGHMissing: session token rotation
Fix: Rotate session tokens on SessionStart. Validate identity on every new session.
[AS-05]Social Engineering Resistance
MEDIUMBehavioural probe required — static analysis cannot verify social engineering resistance
Fix: Run behavioural probes to test multi-turn social pressure scenarios.
[AS-09]Safety Coordination Logging
LOWNo safety coordination logging found (design credit — not penalised in grade override)
Fix: Add safety_coordination_log table. Wire agent refusal events to log.
[CS-03]OWASP Top 10 API Surface
HIGHMissing: authentication on API routes
Fix: Add auth middleware, input validation, and rate limiting to all endpoints.
[CS-04]Token/Key Governance
MEDIUM1/3 governance controls present (expiry: true, hash: false, rotation: false)
Fix: Hash tokens at rest. Add expiry. Track rotation.
[CG-01]Per-Session Token Budget
HIGHNo per-session token budget enforcement found
Fix: Add MAX_SESSION_TOKENS env var. Alert at 80% threshold.
[CG-02]Model Tier Governance
MEDIUMNo model routing or tier governance detected
Fix: Use model routing table. Route lightweight tasks to Haiku.
[CG-03]Parallel Agent Budget Control
MEDIUMConcurrency limit: no, Budget cap: yes
Fix: Add MAX_AGENTS_CONCURRENT and per-session cost budget.
[CG-04]Pre-Flight Cost Estimation
MEDIUMCost tracking exists but only post-execution (no pre-flight estimate)
Fix: Add cost estimation step before dispatch. Show estimated cost to user.
[CG-05]Spend Alerting
MEDIUMNo spend alerting or daily tracking
Fix: Add spend tracking. Alert at configurable thresholds.
[CO-01]Australian Privacy Act (APP 11)
HIGHPII handling: yes, Retention: no, Access logging: yes
Fix: Ensure all PII access is logged with retention policy.
[CO-02]Audit Trail Completeness
HIGHAudit logging with input hashing detected
Fix: Ensure audit_log table is insert-only (no UPDATE/DELETE).
Scan History
| Date | Grade | Score | Safety | Code | Cost | Comply | Type |
|---|---|---|---|---|---|---|---|
| 4/7/2026 | C | 58 | 58 | 83 | 18 | 70 | portfolio_scan |
Audit Log
| Time | Agent | Tool | Op | Status |
|---|---|---|---|---|
| 6/4/2026, 10:57:04 AM | anonymous | /api/company/create | write | completed |
| 6/4/2026, 10:42:06 AM | anonymous | /api/opportunities/c4cf7d47-f6ac-4117-825b-f949082f92d7 | read | completed |
| 6/4/2026, 10:38:26 AM | anonymous | /api/opportunities/c4cf7d47-f6ac-4117-825b-f949082f92d7 | read | completed |
| 6/4/2026, 10:37:19 AM | anonymous | /api/opportunities/c4cf7d47-f6ac-4117-825b-f949082f92d7 | read | completed |
| 6/4/2026, 10:26:37 AM | anonymous | /api/opportunities/c4cf7d47-f6ac-4117-825b-f949082f92d7 | read | completed |
| 6/4/2026, 10:24:49 AM | anonymous | /api/opportunities | read | completed |
| 6/4/2026, 10:22:01 AM | anonymous | /api/opportunities/draft | write | completed |
| 6/4/2026, 10:19:21 AM | anonymous | /api/opportunities/draft | write | completed |
| 6/4/2026, 10:12:19 AM | anonymous | /api/site-intel | write | completed |
| 6/4/2026, 10:01:08 AM | anonymous | /api/admin/setup-elevenlabs | write | completed |
| 5/28/2026, 12:08:51 PM | anonymous | /api/site-intel | write | completed |
| 5/27/2026, 9:08:49 AM | anonymous | /api/site-intel | write | completed |
| 5/27/2026, 8:34:31 AM | anonymous | /api/site-intel | write | completed |
| 4/27/2026, 9:40:23 PM | anonymous | /api/opportunities/27a2b7c5-a158-4b13-ac5b-c46b124e9b8f | write | completed |
| 4/27/2026, 9:14:05 PM | anonymous | /api/opportunities/27a2b7c5-a158-4b13-ac5b-c46b124e9b8f | write | completed |
| 4/27/2026, 8:35:03 PM | anonymous | /api/opportunities/27a2b7c5-a158-4b13-ac5b-c46b124e9b8f | write | completed |
| 4/27/2026, 8:34:46 PM | anonymous | /api/opportunities/27a2b7c5-a158-4b13-ac5b-c46b124e9b8f | write | completed |
| 4/27/2026, 8:34:37 PM | anonymous | /api/opportunities/27a2b7c5-a158-4b13-ac5b-c46b124e9b8f | write | completed |
| 4/27/2026, 8:34:25 PM | anonymous | /api/opportunities | write | completed |
| 4/27/2026, 8:34:20 PM | anonymous | /api/assess | write | completed |
Permission Policies
| Agent | Scope | Operation | Approval |
|---|---|---|---|
| * | opportunities | read | No |
| * | devfinance | read | No |
| * | health | read | No |
| * | opportunities | write | No |
| * | devfinance | write | No |
| * | voice | write | No |
| * | assessment | write | No |
| * | onboarding | write | No |
| * | webhooks | write | No |
| * | billing | write | Required |
| * | admin | write | Required |
| * | company | write | Required |
Rate Limits
| Agent | Window | Max Requests | Current |
|---|---|---|---|
| * | day | 10000 | 10 |
| * | hour | 1000 | 10 |
| * | minute | 60 | 1 |