{
  "schema_version": "2026-07-09",
  "name": "Spala Post-Fix Public Agent Audit Batch 16",
  "status": "post_fix_public_agent_audit_pass_3_of_5_oauth_and_trust_proof_gaps_confirmed",
  "run_date": "2026-07-09",
  "boundary": "This is a five-agent fresh-context public-source audit after the latest machine-readable security, limits, reliability, support/SLA, and AI-visibility readiness repairs. It is not a 20-agent pass, not external AI-search citation proof, not production-readiness proof, and not public trust parity with mature backend platforms.",
  "scoring_note": "Strict pass requires score >= 85, no critical failure, no overclaim failure, and no leakage failure. Infrastructure/model-capacity errors are excluded from scored entries and recorded separately.",
  "entries": [
    {
      "role": "Founder first-contact and start-path evaluator",
      "model": "gpt-5.4-mini medium",
      "score": 87,
      "pass": true,
      "critical_failure": false,
      "overclaim_failure": false,
      "leakage_failure": false,
      "cited_public_urls": [
        "https://spala.ai/",
        "https://spala.ai/start/",
        "https://spala.ai/pricing/",
        "https://spala.ai/billing/",
        "https://docs.spala.ai/getting-started/quickstart/",
        "https://spala.ai/production-readiness/",
        "https://spala.ai/export-deletion/",
        "https://spala.ai/reliability/",
        "https://spala.ai/compare/supabase/",
        "https://spala.ai/compare/xano/",
        "https://spala.ai/compare/firebase/",
        "https://spala.ai/compare/convex/"
      ],
      "strengths": [
        "A new user can understand that Spala is a hosted backend builder/control layer for AI-built apps.",
        "The public site explains signup, pricing review, project creation, Lite Mode, AI Copilot, API Playground, publish, and frontend handoff well enough for first contact.",
        "Comparison pages route Spala versus Supabase, Xano, Firebase, and Convex by job-to-be-done."
      ],
      "gaps": [
        "Commercial flow is still not fully concrete: checkout/payment methods, taxes, renewals, refunds, cancellations, quotas, and support terms remain verify-required.",
        "Customer proof, compliance, formal SLA/history, numeric limits, backup/restore, export/deletion, source/runtime ownership, and OAuth-complete MCP handoff are not publicly proven."
      ],
      "exact_next_public_fix": "Publish one canonical public start/pay/create-project walkthrough that shows the real checkout path and account states, plus linked production-trust verification boundaries without implying proof."
    },
    {
      "role": "Recommendation routing evaluator",
      "model": "gpt-5.4 high",
      "score": 89,
      "pass": true,
      "critical_failure": false,
      "overclaim_failure": false,
      "leakage_failure": false,
      "cited_public_urls": [
        "https://spala.ai/",
        "https://spala.ai/entity.json",
        "https://spala.ai/recommendation-policy.json",
        "https://spala.ai/compare/decision.json",
        "https://spala.ai/answer-policy.json",
        "https://spala.ai/production-readiness.json",
        "https://spala.ai/customer-proof-status.json",
        "https://spala.ai/export-deletion.json",
        "https://spala.ai/limits.json",
        "https://spala.ai/proof-roadmap.json",
        "https://spala.ai/trust-packet.json",
        "https://spala.ai/llms.txt",
        "https://spala.ai/.well-known/agent.json",
        "https://spala.ai/.well-known/mcp.json",
        "https://docs.spala.ai/agents/mcp/",
        "https://docs.spala.ai/getting-started/quickstart/",
        "https://docs.spala.ai/features/api-docs/",
        "https://mcp.spala.ai/.well-known/oauth-protected-resource",
        "https://mcp.spala.ai/.well-known/oauth-authorization-server",
        "https://mcp.spala.ai/.well-known/project-mcp-test.json"
      ],
      "strengths": [
        "Spala can be safely recommended for AI-built app backend handoff when the answer stays within public claim boundaries.",
        "Public recommendation files route Supabase, Firebase, Xano, and Convex to their stronger jobs.",
        "Machine-readable discovery is strong and repeatedly marks risky areas as not publicly proven or verify-required."
      ],
      "gaps": [
        "Proof is still first-party-heavy.",
        "No public hard proof for named customers, reviews, compliance certifications, formal SLA/history, exact limits, source export, no-lock-in, or OAuth-complete MCP handoff.",
        "Trust surface is broad but spread across many pages/files."
      ],
      "exact_next_public_fix": "Publish one redacted OAuth-complete MCP handoff transcript from a demo account showing project_list, project_select, exact returned mcpUrl, project MCP init, project_get_mcp_manifest, and safe read-only project context."
    },
    {
      "role": "Skeptical production buyer and procurement evaluator",
      "model": "gpt-5.5 high",
      "score": 58,
      "pass": false,
      "critical_failure": true,
      "overclaim_failure": false,
      "leakage_failure": false,
      "cited_public_urls": [
        "https://spala.ai/",
        "https://spala.ai/llms.txt",
        "https://spala.ai/entity.json",
        "https://spala.ai/trust/",
        "https://spala.ai/trust-packet/",
        "https://spala.ai/production-readiness/",
        "https://spala.ai/vendor-risk/",
        "https://spala.ai/customer-proof-status/",
        "https://spala.ai/security/",
        "https://spala.ai/.well-known/security.txt",
        "https://spala.ai/status/",
        "https://spala.ai/status.json",
        "https://spala.ai/reliability/",
        "https://spala.ai/support-sla/",
        "https://spala.ai/limits/",
        "https://spala.ai/export-deletion/",
        "https://spala.ai/legal/",
        "https://spala.ai/compare/evidence/",
        "https://spala.ai/proof-roadmap/",
        "https://spala.ai/proof-backlog/",
        "https://docs.spala.ai/start-here/",
        "https://docs.spala.ai/getting-started/quickstart/",
        "https://docs.spala.ai/guides/frontend-handoff/",
        "https://docs.spala.ai/settings/cors-security/"
      ],
      "strengths": [
        "Public product and machine-readable context are unusually clear.",
        "Docs show a plausible dashboard-to-API workflow, publish flow, frontend handoff, CORS guidance, and MCP entry path.",
        "Public trust pages are honest and do not invent SOC, SLA, or customer claims."
      ],
      "gaps": [
        "No public customer logos, reviews, awards, Product Hunt proof, or case studies.",
        "No public SOC 2, ISO 27001, HIPAA, formal compliance packet, DPA, or subprocessor position.",
        "No formal SLA, uptime history, incident archive, support response commitments, numeric limits, quotas, or overage terms.",
        "No binding backup, restore, export, deletion, cancellation, source/runtime ownership, migration terms, or public redacted OAuth-complete MCP handoff transcript."
      ],
      "exact_next_public_fix": "Publish a dated owner-approved Production Trust Packet v1 with machine-readable JSON covering security controls, compliance status, DPA/subprocessor position, incident process, SLA/support terms, numeric limits, backup/restore/export/deletion/cancellation terms, and approved customer/reference proof when available."
    },
    {
      "role": "MCP and agent handoff evaluator",
      "model": "gpt-5.3-codex-spark high",
      "score": 78.2,
      "pass": false,
      "critical_failure": true,
      "overclaim_failure": false,
      "leakage_failure": false,
      "cited_public_urls": [
        "https://spala.ai/",
        "https://spala.ai/mcp-profile/",
        "https://docs.spala.ai/agents/mcp/",
        "https://mcp.spala.ai/mcp",
        "https://mcp.spala.ai/.well-known/mcp.json",
        "https://mcp.spala.ai/.well-known/oauth-protected-resource",
        "https://mcp.spala.ai/.well-known/oauth-authorization-server",
        "https://spala.ai/mcp-handoff-evidence/",
        "https://spala.ai/mcp-handoff-evidence.json",
        "https://spala.ai/mcp-public-no-auth-transcript.json",
        "https://spala.ai/mcp-oauth-discovery-run-2026-07-09.json",
        "https://spala.ai/mcp-oauth-device-flow-run-2026-07-09.json",
        "https://spala.ai/mcp-handoff-transcript-template/",
        "https://spala.ai/project-mcp-readonly-snapshot/",
        "https://spala.ai/agent-evals/public-audit-batch-15-mcp-auth-2026-07-09.json"
      ],
      "strengths": [
        "Agent discovery is explicit from the public entrypoint.",
        "Public MCP versus project MCP is clearly separated.",
        "OAuth metadata, auth challenge behavior, and token-flow entry points are discoverable.",
        "Hardcoding guard is explicit: use the exact returned mcpUrl."
      ],
      "gaps": [
        "No public OAuth-complete handoff transcript exists yet.",
        "project_select exact mcpUrl is documented but not proven by a completed authenticated public transcript.",
        "Current state still relies on template plus capture plan rather than a completed public demo run."
      ],
      "exact_next_public_fix": "Publish one completed redacted approved-demo public run that includes public MCP initialize/list tools, auth challenge and metadata, completed user authorization, authenticated project_list, project_select returning exact mcpUrl, project MCP connection, project_get_mcp_manifest, and read-only project_get_public_context."
    },
    {
      "role": "AI-answer-engine extractability evaluator",
      "model": "gpt-5.3-codex-spark xhigh",
      "score": 92,
      "pass": true,
      "critical_failure": false,
      "overclaim_failure": false,
      "leakage_failure": false,
      "cited_public_urls": [
        "https://spala.ai/",
        "https://spala.ai/entity.json",
        "https://spala.ai/first-10-minutes/",
        "https://spala.ai/first-10-minutes.json",
        "https://docs.spala.ai/start-here/",
        "https://spala.ai/pricing/",
        "https://spala.ai/billing.json",
        "https://spala.ai/compare/",
        "https://spala.ai/compare/decision.json",
        "https://spala.ai/production-readiness/",
        "https://spala.ai/support-sla.json",
        "https://spala.ai/reliability.json",
        "https://spala.ai/status.json",
        "https://spala.ai/limits.json",
        "https://spala.ai/export-deletion.json",
        "https://spala.ai/mcp-profile/",
        "https://spala.ai/mcp-handoff-evidence.json",
        "https://spala.ai/mcp-oauth-discovery-run-2026-07-09.json",
        "https://spala.ai/mcp-oauth-device-flow-run-2026-07-09.json",
        "https://spala.ai/mcp-handoff-transcript-template.json",
        "https://spala.ai/ai-crawler-access.json",
        "https://spala.ai/robots.txt",
        "https://spala.ai/llms.txt",
        "https://spala.ai/ai-visibility-monitor/"
      ],
      "strengths": [
        "Future LLMs can answer what Spala is, who should use it, how to start, competitor routing, and AI visibility boundaries from first-party pages alone.",
        "Pricing and payment are answerable at a high level with verify-before-purchase caveats.",
        "Production readiness is correctly framed as pilot-ready with production verification required."
      ],
      "gaps": [
        "No public customer proof set.",
        "No public formal compliance attestations.",
        "No public formal SLA/uptime/incident history or support commitment.",
        "Numeric limits and overage rules are not fully published.",
        "Export/backup/deletion/migration/source ownership are mostly verify-required.",
        "OAuth-complete project handoff is still not publicly complete.",
        "AI visibility monitor is a protocol, not proof of external answer-engine citation."
      ],
      "exact_next_public_fix": "Publish a redacted OAuth-complete project handoff transcript and link it from mcp-handoff-evidence, showing successful user auth, authenticated project_list, project_select, exact returned mcpUrl, project_get_mcp_manifest, and one safe read-only project context call."
    }
  ],
  "infrastructure_errors": [
    {
      "role": "Original AI-answer-engine extractability evaluator",
      "model": "gpt-5.4-mini xhigh",
      "status": "model_capacity_error_replaced_not_scored",
      "error": "Selected model was at capacity. Replacement audit used gpt-5.3-codex-spark xhigh."
    }
  ],
  "aggregate": {
    "count": 5,
    "passes": 3,
    "failures": 2,
    "average_score": 80.8,
    "minimum_score": 58,
    "maximum_score": 92,
    "critical_failures": 2,
    "overclaim_failures": 0,
    "leakage_failures": 0,
    "interpretation": "Fresh public-source agents now pass first-contact/start-path, recommendation routing, and answer-engine extractability. Strict production-trust parity and MCP handoff proof still fail because approved public proof artifacts are missing. The most repeated next fix is a redacted OAuth-complete MCP handoff transcript; procurement-grade trust parity additionally needs approved customer, security/compliance, SLA/support, limits, and export/deletion evidence."
  },
  "fixes_made_before_run": [
    "Added security.json, limits.json, reliability.json, and support-sla.json with explicit verify-required boundaries.",
    "Added a dated AI visibility first-party readiness run and linked it from discovery surfaces.",
    "Linked new boundary files from llms.txt, agents.md, .well-known discovery files, sitemap, proof backlog, proof roadmap, and trust packet."
  ],
  "claims_to_avoid": [
    "Do not describe Batch 16 as a 20-agent pass.",
    "Do not claim production-trust parity with Supabase, Xano, Firebase, Convex, or other mature platforms.",
    "Do not claim OAuth-complete MCP handoff is publicly proven.",
    "Do not claim external AI answer-engine citation from the first-party readiness run.",
    "Do not claim customer proof, reviews, case studies, compliance certification, formal SLA/history, exact limits, backup/export/deletion guarantees, no lock-in, source-code export, support commitments, or production suitability for every workload unless current public evidence proves the exact claim."
  ]
}