MMC Build
C+
Agent Trust Score
68/100
Scanned 4/7/2026
Agent Safety (40%)
66
Code Security (25%)
93
Cost Governance (20%)
38
Compliance (15%)
70
Findings (12)
[AS-01]Write Guard Semantic Integrity
MEDIUMNo write guard patterns detected — may not apply if project has no write operations
Fix: If project has write operations, add intent classification.
[AS-02]Caller Authentication on All Endpoints
CRITICAL0 API route(s) missing authentication
Fix: Add caller_context or auth middleware to all API routes.
[AS-03]Resource Ceiling Enforcement
HIGHMissing: token ceiling (MAX_SESSION_TOKENS)
Fix: Add resource ceiling env vars, rate limiting middleware, and max_turns config.
[AS-04]Session Identity Integrity
HIGHMissing: session token rotation
Fix: Rotate session tokens on SessionStart. Validate identity on every new session.
[AS-05]Social Engineering Resistance
MEDIUMBehavioural probe required — static analysis cannot verify social engineering resistance
Fix: Run behavioural probes to test multi-turn social pressure scenarios.
[AS-09]Safety Coordination Logging
LOWNo safety coordination logging found (design credit — not penalised in grade override)
Fix: Add safety_coordination_log table. Wire agent refusal events to log.
[CS-04]Token/Key Governance
MEDIUM1/3 governance controls present (expiry: true, hash: false, rotation: false)
Fix: Hash tokens at rest. Add expiry. Track rotation.
[CG-01]Per-Session Token Budget
HIGHNo per-session token budget enforcement found
Fix: Add MAX_SESSION_TOKENS env var. Alert at 80% threshold.
[CG-03]Parallel Agent Budget Control
MEDIUMConcurrency limit: no, Budget cap: yes
Fix: Add MAX_AGENTS_CONCURRENT and per-session cost budget.
[CG-04]Pre-Flight Cost Estimation
MEDIUMCost tracking exists but only post-execution (no pre-flight estimate)
Fix: Add cost estimation step before dispatch. Show estimated cost to user.
[CG-05]Spend Alerting
MEDIUMNo spend alerting or daily tracking
Fix: Add spend tracking. Alert at configurable thresholds.
[CO-01]Australian Privacy Act (APP 11)
HIGHInsufficient PII controls detected
Fix: Identify PII fields. Log access. Define retention policy.
Scan History
| Date | Grade | Score | Safety | Code | Cost | Comply | Type |
|---|---|---|---|---|---|---|---|
| 4/7/2026 | C+ | 68 | 66 | 93 | 38 | 70 | portfolio_scan |
Audit Log
No audit events recorded yet.
Permission Policies
No policies configured.
Rate Limits
No rate limits configured.