Store MCP
C
Agent Trust Score
63/100
Scanned 4/7/2026
Agent Safety (40%)
61
Code Security (25%)
93
Cost Governance (20%)
25
Compliance (15%)
70
Findings (12)
[AS-01]Write Guard Semantic Integrity
MEDIUMNo write guard patterns detected — may not apply if project has no write operations
Fix: If project has write operations, add intent classification.
[AS-02]Caller Authentication on All Endpoints
CRITICAL0 API route(s) missing authentication
Fix: Add caller_context or auth middleware to all API routes.
[AS-03]Resource Ceiling Enforcement
HIGHMissing: max iterations/turns
Fix: Add resource ceiling env vars, rate limiting middleware, and max_turns config.
[AS-04]Session Identity Integrity
HIGHMissing: session token rotation and identity re-validation
Fix: Rotate session tokens on SessionStart. Validate identity on every new session.
[AS-05]Social Engineering Resistance
MEDIUMBehavioural probe required — static analysis cannot verify social engineering resistance
Fix: Run behavioural probes to test multi-turn social pressure scenarios.
[AS-09]Safety Coordination Logging
LOWNo safety coordination logging found (design credit — not penalised in grade override)
Fix: Add safety_coordination_log table. Wire agent refusal events to log.
[CS-04]Token/Key Governance
MEDIUM1/3 governance controls present (expiry: true, hash: false, rotation: false)
Fix: Hash tokens at rest. Add expiry. Track rotation.
[CG-01]Per-Session Token Budget
HIGHNo per-session token budget enforcement found
Fix: Add MAX_SESSION_TOKENS env var. Alert at 80% threshold.
[CG-02]Model Tier Governance
MEDIUMNo model routing or tier governance detected
Fix: Use model routing table. Route lightweight tasks to Haiku.
[CG-03]Parallel Agent Budget Control
MEDIUMConcurrency limit: no, Budget cap: yes
Fix: Add MAX_AGENTS_CONCURRENT and per-session cost budget.
[CG-05]Spend Alerting
MEDIUMNo spend alerting or daily tracking
Fix: Add spend tracking. Alert at configurable thresholds.
[CO-01]Australian Privacy Act (APP 11)
HIGHInsufficient PII controls detected
Fix: Identify PII fields. Log access. Define retention policy.
Scan History
| Date | Grade | Score | Safety | Code | Cost | Comply | Type |
|---|---|---|---|---|---|---|---|
| 4/7/2026 | C | 63 | 61 | 93 | 25 | 70 | portfolio_scan |
Audit Log
No audit events recorded yet.
Permission Policies
| Agent | Scope | Operation | Approval |
|---|---|---|---|
| gtmai-ops | bookings | write | Required |
| gtmai-ops | providers | read | No |
| gtmai-ops | availability | read | No |
| gtmai-ops | estimates | read | No |
| gtmai-ops | bookings | read | No |
| procurement-agent | providers | read | No |
| procurement-agent | availability | read | No |
| procurement-agent | estimates | read | No |
| procurement-agent | bookings | write | Required |
| procurement-agent | bookings | delete | Required |
Rate Limits
| Agent | Window | Max Requests | Current |
|---|---|---|---|
| * | day | 10000 | 0 |
| * | hour | 1000 | 0 |
| gtmai-ops | hour | 1000 | 0 |
| * | minute | 60 | 0 |
| gtmai-ops | minute | 100 | 0 |