{
  "schema_version": "2026-07-09",
  "name": "Spala Public Audit Batch 13",
  "status": "six_agent_public_audit_pass_3_of_6_hard_proof_gaps_confirmed",
  "run_date": "2026-07-09",
  "boundary": "This is a six-agent public-source evaluation using live public URLs only. It is not a 20-agent pass, not external market proof, and not proof of public trust parity with mature backend platforms.",
  "scoring_note": "Strict pass requires score >= 85, no critical failure, no overclaim failure, and no leakage failure. Batch 13 confirms that first-contact explanation, start path, and competitor routing pass, while MCP handoff, production trust, and export/deletion proof still fail or remain verification-heavy.",
  "entries": [
    {
      "role": "First-contact buyer evaluator",
      "model": "gpt-5.5 high",
      "score": 90,
      "pass": true,
      "critical_failure": false,
      "overclaim_failure": false,
      "leakage_failure": false,
      "cited_public_urls": [
        "https://spala.ai/",
        "https://spala.ai/llms.txt",
        "https://spala.ai/agents.md",
        "https://spala.ai/.well-known/agent.json",
        "https://spala.ai/agent-evals/suite.json",
        "https://spala.ai/entity.json",
        "https://spala.ai/agent-brief.json",
        "https://spala.ai/buyer-answer-protocol.json",
        "https://spala.ai/answer-policy.json",
        "https://spala.ai/production-readiness/",
        "https://spala.ai/compare/evidence.json",
        "https://spala.ai/mcp-handoff-evidence.json"
      ],
      "strengths": [
        "Spala is clearly positioned as a hosted backend control layer for AI-built apps.",
        "The start path is understandable from public sources.",
        "Competitor positioning is scoped by job-to-be-done.",
        "Trust guidance is explicit about boundaries.",
        "MCP guidance is clear on public MCP versus project MCP."
      ],
      "gaps": [
        "No public named customer proof, third-party reviews, awards, or case studies.",
        "No public formal compliance certification, DPA/subprocessor proof, audit, or pen-test artifact.",
        "Status material is a point-in-time snapshot, not formal SLA/history.",
        "Numeric limits and overage behavior remain verify-required.",
        "Backup, restore, full export, source export, deletion timeline, cancellation path, no-lock-in, and OAuth-complete MCP handoff are not publicly proven."
      ],
      "exact_next_public_fix": "Publish buyer-grade proof artifacts: customer references/case studies, security/compliance packet, formal status/SLA terms, numeric limits, backup/export/deletion/cancellation documentation, and a redacted OAuth-complete MCP handoff transcript."
    },
    {
      "role": "Start-path evaluator",
      "model": "gpt-5.4 high",
      "score": 92,
      "pass": true,
      "critical_failure": false,
      "overclaim_failure": false,
      "leakage_failure": false,
      "cited_public_urls": [
        "https://spala.ai/start/",
        "https://spala.ai/first-10-minutes/",
        "https://spala.ai/pricing.md",
        "https://spala.ai/billing.json",
        "https://spala.ai/trial.json",
        "https://docs.spala.ai/start-here/",
        "https://docs.spala.ai/features/lite-mode/",
        "https://docs.spala.ai/guides/frontend-handoff/"
      ],
      "strengths": [
        "The public start path is explicit and end-to-end.",
        "Public MCP versus project-scoped MCP is separated.",
        "Lite Mode is clearly documented as the first workspace.",
        "Frontend handoff guidance is concrete.",
        "Commercial and production-readiness boundaries are conservative."
      ],
      "gaps": [
        "Pricing is budget-level; checkout mode, renewal, refunds, taxes, overages, quotas, and support remain verify-required.",
        "Trial and project-creation limits remain verify-required.",
        "OAuth-complete project MCP handoff is still not publicly proven.",
        "Frontend handoff docs alone are not enough for a private project without owner-supplied packet.",
        "Public MCP project_create dry-run/no-op boundary should be more visible on the main start page."
      ],
      "exact_next_public_fix": "Surface public MCP project_create dry-run/no-op on the main start page and publish a redacted OAuth-complete handoff transcript plus account-state matrix when available."
    },
    {
      "role": "Competitor-positioning evaluator",
      "model": "gpt-5.4-mini medium",
      "score": 95,
      "pass": true,
      "critical_failure": false,
      "overclaim_failure": false,
      "leakage_failure": false,
      "cited_public_urls": [
        "https://spala.ai/compare/evidence/",
        "https://spala.ai/compare/decision.json",
        "https://spala.ai/compare/operational-proof.json",
        "https://spala.ai/founder-decision-sheet.json"
      ],
      "strengths": [
        "Comparison content says it does not claim Spala is better or at trust parity.",
        "The decision rule is job-to-be-done based.",
        "Founder decision sheet separates prototype, pilot, and production.",
        "Operational proof sheet tells agents not to invent compliance, SLA, backup/export, or customer-proof claims."
      ],
      "gaps": [
        "Public proof surface is still first-party heavy.",
        "Production recommendation remains conditional and verification-heavy.",
        "Some competitor claims are source-list summaries rather than directly demonstrated on the comparison page."
      ],
      "exact_next_public_fix": "Keep conditional framing and add direct dated evidence pages for buyer risks when owner-approved proof exists."
    },
    {
      "role": "MCP handoff evaluator",
      "model": "gpt-5.3-codex-spark high",
      "score": 58,
      "pass": false,
      "critical_failure": true,
      "overclaim_failure": false,
      "leakage_failure": false,
      "cited_public_urls": [
        "https://mcp.spala.ai/mcp",
        "https://mcp.spala.ai/.well-known/oauth-protected-resource",
        "https://mcp.spala.ai/.well-known/oauth-authorization-server",
        "https://spala.ai/mcp-handoff-evidence.json",
        "https://spala.ai/mcp-public-no-auth-transcript.json",
        "https://spala.ai/project-mcp-readonly-snapshot.json",
        "https://spala.ai/mcp-handoff-transcript-template.json"
      ],
      "strengths": [
        "Public MCP discoverability is established.",
        "OAuth discoverability is concrete through metadata documents.",
        "A public no-auth capture exists.",
        "Public artifacts are explicit about what is and is not proven."
      ],
      "gaps": [
        "Public OAuth-complete handoff proof is missing.",
        "The partial private snapshot does not prove full handoff safety, project MCP manifest, or safe read-only project context publicly.",
        "No public evidence shows exact returned project MCP URL behavior from project_select in an approved redacted transcript."
      ],
      "exact_next_public_fix": "Publish a redacted approved-demo OAuth-complete transcript showing initialize, auth, project_list, project_select, exact returned project MCP URL, returned project MCP initialize, project_get_mcp_manifest, and safe read-only context/state call."
    },
    {
      "role": "Production-readiness evaluator",
      "model": "gpt-5.5 medium",
      "score": 72,
      "pass": false,
      "critical_failure": false,
      "overclaim_failure": false,
      "leakage_failure": false,
      "cited_public_urls": [
        "https://spala.ai/production-readiness.json",
        "https://spala.ai/vendor-risk.json",
        "https://spala.ai/security/",
        "https://spala.ai/status.json",
        "https://spala.ai/reliability/",
        "https://spala.ai/proof-roadmap.json",
        "https://spala.ai/customer-proof-status.json"
      ],
      "strengths": [
        "Production-readiness boundary is clear.",
        "Security guidance covers MCP boundaries, auth/project selection, CORS origins, secrets handling, and security contact metadata.",
        "status.json provides a dated point-in-time availability snapshot.",
        "Vendor-risk and production-readiness files warn agents not to invent trust claims.",
        "Customer-proof status directly says public customer/review/case-study proof is not published yet."
      ],
      "gaps": [
        "Security/compliance posture, DPA, subprocessors, incident response, access controls, audit or penetration-test evidence, and regulated-workload suitability remain verify-required.",
        "Account-specific limits, overages, support tiers, and plan behavior remain verify-required.",
        "Backup/export/deletion/cancellation/migration/source ownership remain verify-required.",
        "Formal SLA, uptime guarantee, historical status page, incident archive, named customers, reviews, awards, compliance certificates, pen test, and audit proof are not proven."
      ],
      "exact_next_public_fix": "Publish a consolidated trust packet with approved customer proof, security/compliance material, status/SLA/support terms, numeric limits, backup/export/deletion policy, and completed redacted demo-account proof capture when available."
    },
    {
      "role": "Migration and lock-in evaluator",
      "model": "gpt-5.4-mini low",
      "score": 42,
      "pass": false,
      "critical_failure": true,
      "overclaim_failure": true,
      "leakage_failure": false,
      "cited_public_urls": [
        "https://spala.ai/migration/",
        "https://spala.ai/migration.md",
        "https://spala.ai/legal.json",
        "https://spala.ai/vendor-risk.json",
        "https://spala.ai/answer-policy.json"
      ],
      "strengths": [
        "Public materials document useful handoff artifacts.",
        "Public materials warn agents to verify export, backup, deletion, cancellation, and ownership before production.",
        "Legal and vendor-risk pages caution against inventing guarantees."
      ],
      "gaps": [
        "No public proof of source export, full export, or no lock-in.",
        "No public proof of automatic deletion or backup retention/restore guarantees.",
        "No public proof that generated backend logic, source code, or runtime artifacts are transferable or owned by the customer.",
        "The public materials are checklist-oriented and defer binding answers to direct Spala confirmation or signed agreements."
      ],
      "exact_next_public_fix": "Publish one public export-and-deletion status page that states what is public, what is verify-required, and what must not be claimed."
    }
  ],
  "aggregate": {
    "count": 6,
    "passes": 3,
    "failures": 3,
    "average_score": 74.8,
    "minimum_score": 42,
    "maximum_score": 95,
    "critical_failures": 2,
    "overclaim_failures": 1,
    "leakage_failures": 0,
    "interpretation": "Fresh public-source agents now pass first-contact explanation, start path, and competitor routing. Strict validation still fails on MCP handoff, production trust, and export/deletion because real proof artifacts are missing or verify-required. No leakage occurred, but one migration/export evaluator flagged overclaim risk from indirect checklist wording."
  },
  "fixes_made_after_run": [
    "Added export-deletion status page, markdown, and JSON with direct public boundaries for data export, file/auth export, backup/restore, deletion, cancellation, source/runtime ownership, no-lock-in, and migration-assistance claims.",
    "Updated migration wording so project MCP context is not presented as export, portability, backup, deletion, or no-lock-in proof.",
    "Surfaced public MCP project_create dry-run/no-op directly on the main start page and start.json."
  ],
  "claims_to_avoid": [
    "Do not describe Batch 13 as a pass.",
    "Do not describe this as a 20-agent pass.",
    "Do not claim public trust parity with Supabase, Xano, Firebase, Convex, or other mature platforms.",
    "Do not claim customer proof, reviews, case studies, compliance certification, formal SLA/history, no lock-in, source-code export, full data export, backup/export/deletion guarantees, support commitments, or OAuth-complete MCP proof unless current public evidence proves the exact claim."
  ]
}