SmartBoard

C-

Agent Trust Score

53/100

Scanned 4/7/2026

Agent Safety (40%)

Code Security (25%)

Cost Governance (20%)

Compliance (15%)

Findings (15)

[AS-01]Write Guard Semantic Integrity

MEDIUM

No write guard patterns detected — may not apply if project has no write operations

Fix: If project has write operations, add intent classification.

[AS-02]Caller Authentication on All Endpoints

CRITICAL

0 API route(s) missing authentication

Fix: Add caller_context or auth middleware to all API routes.

[AS-03]Resource Ceiling Enforcement

HIGH

Missing: token ceiling (MAX_SESSION_TOKENS), max iterations/turns

Fix: Add resource ceiling env vars, rate limiting middleware, and max_turns config.

[AS-04]Session Identity Integrity

HIGH

Missing: session token rotation and identity re-validation

Fix: Rotate session tokens on SessionStart. Validate identity on every new session.

[AS-05]Social Engineering Resistance

MEDIUM

Behavioural probe required — static analysis cannot verify social engineering resistance

Fix: Run behavioural probes to test multi-turn social pressure scenarios.

[AS-09]Safety Coordination Logging

LOW

No safety coordination logging found (design credit — not penalised in grade override)

Fix: Add safety_coordination_log table. Wire agent refusal events to log.

[CS-03]OWASP Top 10 API Surface

HIGH

Missing: authentication on API routes

Fix: Add auth middleware, input validation, and rate limiting to all endpoints.

[CS-04]Token/Key Governance

MEDIUM

0/3 governance controls present (expiry: false, hash: false, rotation: false)

Fix: Hash tokens at rest. Add expiry. Track rotation.

[CG-01]Per-Session Token Budget

HIGH

No per-session token budget enforcement found

Fix: Add MAX_SESSION_TOKENS env var. Alert at 80% threshold.

[CG-02]Model Tier Governance

MEDIUM

No model routing or tier governance detected

Fix: Use model routing table. Route lightweight tasks to Haiku.

[CG-04]Pre-Flight Cost Estimation

MEDIUM

No cost visibility at any point

Fix: Add cost estimation step before dispatch.

[CG-05]Spend Alerting

MEDIUM

No spend alerting or daily tracking

Fix: Add spend tracking. Alert at configurable thresholds.

[CO-01]Australian Privacy Act (APP 11)

HIGH

Insufficient PII controls detected

Fix: Identify PII fields. Log access. Define retention policy.

[CO-02]Audit Trail Completeness

HIGH

Audit logging with input hashing detected

Fix: Ensure audit_log table is insert-only (no UPDATE/DELETE).

[CO-04]Data Residency

MEDIUM

No data residency documentation or AU region configuration found

Fix: Document data storage locations. Ensure AU data stays in AU Supabase region.

Scan History

Date	Grade	Score	Safety	Code	Cost	Comply	Type
4/7/2026	C-	53	61	75	20	40	portfolio_scan

Audit Log

No audit events recorded yet.

Permission Policies

No policies configured.

Rate Limits

No rate limits configured.