TenderWatch
C-
Agent Trust Score
50/100
Scanned 4/7/2026
Agent Safety (40%)
66
Code Security (25%)
55
Cost Governance (20%)
8
Compliance (15%)
55
Findings (17)1 critical
[AS-01]Write Guard Semantic Integrity
MEDIUMNo write guard patterns detected — may not apply if project has no write operations
Fix: If project has write operations, add intent classification.
[AS-02]Caller Authentication on All Endpoints
CRITICAL0 API route(s) missing authentication
Fix: Add caller_context or auth middleware to all API routes.
[AS-03]Resource Ceiling Enforcement
HIGHMissing: max iterations/turns
Fix: Add resource ceiling env vars, rate limiting middleware, and max_turns config.
[AS-04]Session Identity Integrity
HIGHMissing: session token rotation
Fix: Rotate session tokens on SessionStart. Validate identity on every new session.
[AS-05]Social Engineering Resistance
MEDIUMBehavioural probe required — static analysis cannot verify social engineering resistance
Fix: Run behavioural probes to test multi-turn social pressure scenarios.
[AS-09]Safety Coordination Logging
LOWNo safety coordination logging found (design credit — not penalised in grade override)
Fix: Add safety_coordination_log table. Wire agent refusal events to log.
[CS-02]Secret Exposure
CRITICAL1 potential secret(s) found in codebase
Fix: Remove secrets from code. Use environment variables. Rotate exposed keys.
[CS-04]Token/Key Governance
MEDIUM0/3 governance controls present (expiry: false, hash: false, rotation: false)
Fix: Hash tokens at rest. Add expiry. Track rotation.
[CS-05]Environment Variable Hygiene
MEDIUM.env not in .gitignore.
Fix: Add .env.example. Add .env to .gitignore.
[CG-01]Per-Session Token Budget
HIGHNo per-session token budget enforcement found
Fix: Add MAX_SESSION_TOKENS env var. Alert at 80% threshold.
[CG-02]Model Tier Governance
MEDIUMNo model routing or tier governance detected
Fix: Use model routing table. Route lightweight tasks to Haiku.
[CG-03]Parallel Agent Budget Control
MEDIUMParallel agent patterns found but no concurrency or budget limits
Fix: Add MAX_AGENTS_CONCURRENT. Add per-session cost budget.
[CG-04]Pre-Flight Cost Estimation
MEDIUMCost tracking exists but only post-execution (no pre-flight estimate)
Fix: Add cost estimation step before dispatch. Show estimated cost to user.
[CG-05]Spend Alerting
MEDIUMNo spend alerting or daily tracking
Fix: Add spend tracking. Alert at configurable thresholds.
[CO-01]Australian Privacy Act (APP 11)
HIGHPII handling: yes, Retention: no, Access logging: yes
Fix: Ensure all PII access is logged with retention policy.
[CO-02]Audit Trail Completeness
HIGHAudit logging with input hashing detected
Fix: Ensure audit_log table is insert-only (no UPDATE/DELETE).
[CO-04]Data Residency
MEDIUMNo data residency documentation or AU region configuration found
Fix: Document data storage locations. Ensure AU data stays in AU Supabase region.
Scan History
| Date | Grade | Score | Safety | Code | Cost | Comply | Type |
|---|---|---|---|---|---|---|---|
| 4/7/2026 | C- | 50 | 66 | 55 | 8 | 55 | portfolio_scan |
Audit Log
| Time | Agent | Tool | Op | Status |
|---|---|---|---|---|
| 4/19/2026, 11:21:36 PM | tenderwatch-web | /api/abn-lookup | read | completed |
| 4/19/2026, 10:35:26 PM | tenderwatch-web | /api/webhooks/inngest | write | permission_denied |
| 4/19/2026, 10:35:04 PM | tenderwatch-web | /api/webhooks/inngest | write | permission_denied |
| 4/19/2026, 10:34:44 PM | tenderwatch-web | /api/webhooks/inngest | write | permission_denied |
| 4/19/2026, 10:34:36 PM | tenderwatch-web | /api/webhooks/inngest | write | permission_denied |
| 4/19/2026, 10:34:34 PM | tenderwatch-web | /api/webhooks/inngest | write | permission_denied |
| 4/19/2026, 10:34:33 PM | tenderwatch-web | /api/webhooks/inngest | write | permission_denied |
| 4/19/2026, 10:34:33 PM | tenderwatch-web | /api/webhooks/inngest | write | permission_denied |
| 4/19/2026, 10:34:32 PM | tenderwatch-web | /api/webhooks/inngest | write | permission_denied |
| 4/19/2026, 10:34:16 PM | tenderwatch-web | /api/webhooks/inngest | write | permission_denied |
| 4/19/2026, 10:34:10 PM | tenderwatch-web | /api/webhooks/inngest | write | permission_denied |
| 4/19/2026, 10:34:10 PM | tenderwatch-web | /api/webhooks/inngest | write | permission_denied |
| 4/19/2026, 10:33:55 PM | tenderwatch-web | /api/webhooks/inngest | write | permission_denied |
| 4/19/2026, 10:33:52 PM | tenderwatch-web | /api/webhooks/inngest | write | permission_denied |
| 4/19/2026, 10:33:50 PM | tenderwatch-web | /api/webhooks/inngest | write | permission_denied |
| 4/19/2026, 10:33:48 PM | tenderwatch-web | /api/webhooks/inngest | write | permission_denied |
| 4/19/2026, 10:33:42 PM | tenderwatch-web | /api/webhooks/inngest | write | permission_denied |
| 4/19/2026, 10:33:40 PM | tenderwatch-web | /api/webhooks/inngest | write | permission_denied |
| 4/19/2026, 10:33:36 PM | tenderwatch-web | /api/webhooks/inngest | write | permission_denied |
| 4/19/2026, 10:33:29 PM | tenderwatch-web | /api/webhooks/inngest | write | permission_denied |
Permission Policies
| Agent | Scope | Operation | Approval |
|---|---|---|---|
| * | tenders | read | No |
| * | health | read | No |
| * | auth | write | No |
| * | webhooks | write | No |
| * | scraping | write | Required |
| * | abn_lookup | read | No |
| tenderwatch-web | auth | read | No |
| tenderwatch-web | auth | write | No |
| tenderwatch-web | abn_lookup | read | No |
| tenderwatch-web | tenders | read | No |
| tenderwatch-web | tenders | write | No |
| tenderwatch-web | webhooks | write | No |
| tenderwatch-web | webhooks | read | No |
Rate Limits
| Agent | Window | Max Requests | Current |
|---|---|---|---|
| * | day | 5000 | 44 |
| * | hour | 500 | 30 |
| * | minute | 30 | 1 |