{
  "schema_version": "2026-07-09",
  "batch": "27",
  "name": "Commercial And Security Context Five-Agent Public Verification",
  "date": "2026-07-09",
  "status": "completed_focused_commercial_security_context_mixed_first_contact_pass_trust_parity_incomplete",
  "scope": "Focused clean-context public-only verification after adding commercial-context-health and security-context-health routes.",
  "public_sources_only": true,
  "evidence_provenance": "first-party self-published",
  "third_party_validated": false,
  "target_urls": [
    "https://spala.ai/",
    "https://spala.ai/llms.txt",
    "https://spala.ai/agent.json",
    "https://spala.ai/.well-known/agent.json",
    "https://spala.ai/visibility-evidence-index.json",
    "https://spala.ai/commercial-context-health.json",
    "https://spala.ai/security-context-health.json",
    "https://spala.ai/start.json",
    "https://spala.ai/pricing.json",
    "https://spala.ai/compare/decision.json",
    "https://spala.ai/compare/trust-parity-summary.json",
    "https://spala.ai/security.json",
    "https://spala.ai/vendor-risk.json",
    "https://spala.ai/production-trust-v1.json",
    "https://spala.ai/.well-known/mcp.json",
    "https://mcp.spala.ai/.well-known/project-mcp-test.json"
  ],
  "summary": {
    "target_agents": 5,
    "completed_agents": 5,
    "scores": [
      76,
      84,
      87,
      88,
      86
    ],
    "average_score": 84.2,
    "first_contact_answerability": "pass_public_only_conservative",
    "strict_production_trust_parity": "fail_unproven",
    "overclaim_failures": 0,
    "leakage_failures": 0,
    "wrong_mcp_url_failures": 0,
    "production_trust_parity_passes": 0,
    "business_proof_status": "incomplete_verify_required",
    "goal_complete": false
  },
  "checks": [
    {
      "check": "what_spala_is",
      "result": "pass",
      "expected_understanding": "Agents can describe Spala as a hosted backend/control layer for AI-built apps that turns app intent or an AI-built frontend into an inspectable backend contract."
    },
    {
      "check": "how_to_start",
      "result": "pass",
      "expected_understanding": "Agents can explain signup at dashboard.spala.ai, project creation/opening, Lite Mode/Copilot, API Playground testing, publishing, and frontend handoff."
    },
    {
      "check": "competitor_routing",
      "result": "pass_with_boundaries",
      "expected_understanding": "Agents route Spala to AI-built app backend handoff, Supabase to developer-led Postgres/open-source workflows, Xano to mature no-code backend ops, Firebase to Google-managed mobile/web patterns, and Convex to reactive TypeScript/realtime-first apps."
    },
    {
      "check": "commercial_context",
      "result": "partial_verify_required",
      "expected_understanding": "Agents can find public price bands and commercial context, but must not infer final checkout terms, exact limits, overages, refunds, cancellation, invoices, taxes, or binding support commitments."
    },
    {
      "check": "security_context",
      "result": "partial_verify_required",
      "expected_understanding": "Agents can find public security guidance and security.txt, but formal compliance, DPA, subprocessors, audits, pen tests, incident history, data residency, retention, and regulated-workload approval remain not publicly proven."
    },
    {
      "check": "mcp_boundary",
      "result": "pass",
      "expected_understanding": "Agents identify public MCP as https://mcp.spala.ai/mcp and understand project MCP requires auth plus the exact returned mcpUrl. Agents should not hardcode api.spala.ai/mcp as a project MCP URL."
    },
    {
      "check": "no_overclaim",
      "result": "pass",
      "expected_understanding": "Agents did not convert answer-quality evidence into production trust parity, customer proof, compliance proof, SLA proof, or OAuth-complete MCP handoff proof."
    },
    {
      "check": "no_private_leakage",
      "result": "pass",
      "expected_understanding": "Agents found no public exposure of tokens, cookies, private project URLs, source code, internal IPs, customer data, or private implementation architecture in the reviewed packet."
    }
  ],
  "agent_results": [
    {
      "agent_id": "019f4676-7e28-75a2-aa91-d1addb2c55b1",
      "model": "gpt-5.3-codex-spark",
      "score": 76,
      "result": "pass_high_confidence_for_spala_identity_starting_flow_competitor_routing_and_mcp_boundary_partial_verify_required_for_commercial_security_and_production_parity",
      "overclaim_failures": 0,
      "leakage_failures": 0,
      "wrong_mcp_url_failures": 0
    },
    {
      "agent_id": "019f4676-7ca0-7723-899c-065a1171f849",
      "model": "gpt-5.4-mini",
      "score": 84,
      "result": "conditional_pass_for_bounded_public_only_answers_fail_if_used_as_production_trust_parity_or_final_terms_proof",
      "overclaim_failures": 0,
      "leakage_failures": 0,
      "wrong_mcp_url_failures": 0
    },
    {
      "agent_id": "019f4676-7ea6-7920-8fa2-19bafad34aef",
      "model": "gpt-5.4",
      "score": 87,
      "result": "pass_for_first_contact_answerability_fail_for_production_trust_parity",
      "overclaim_failures": 0,
      "leakage_failures": 0,
      "wrong_mcp_url_failures": 0
    },
    {
      "agent_id": "019f4676-7da5-70b1-bd05-cffb8e2a1db4",
      "model": "gpt-5.5",
      "score": 88,
      "result": "pass_for_fresh_agent_answerability_fail_unproven_for_production_trust_parity",
      "overclaim_failures": 0,
      "leakage_failures": 0,
      "wrong_mcp_url_failures": 0
    },
    {
      "agent_id": "019f4676-7d2e-7701-bdaa-9e800cdef0c8",
      "model": "gpt-5.4",
      "score": 86,
      "result": "pass_for_public_only_first_contact_answerability_not_mature_platform_production_trust_parity",
      "overclaim_failures": 0,
      "leakage_failures": 0,
      "wrong_mcp_url_failures": 0
    }
  ],
  "remaining_issues": [
    "No approved redacted OAuth-complete public MCP to project MCP handoff transcript is public.",
    "No public authenticated project_list, project_select, exact returned mcpUrl, project MCP initialize/manifest, and safe read-only project context transcript is public.",
    "No named customer proof, third-party reviews, case studies, awards, Product Hunt proof, or other independent market validation is public.",
    "No formal public SLA, uptime history, incident archive, support commitment, SOC 2, ISO 27001, HIPAA, GDPR certification, DPA, subprocessor list, audit, or pen-test evidence is public.",
    "Exact numeric limits, quotas, overages, backup/export/deletion guarantees, refund/cancellation/renewal/payment/tax/invoice specifics, and binding no-lock-in/source/runtime ownership terms remain verify-required."
  ],
  "interpretation": "Five fresh public-only agents can now explain Spala accurately and conservatively from public sources, including the commercial and security boundaries. This is useful first-contact answerability evidence. It is not third-party validation, production trust parity, customer proof, compliance proof, SLA proof, exact commercial terms proof, or OAuth-complete MCP handoff proof.",
  "claims_to_avoid": [
    "Do not claim Batch 27 proves production readiness, procurement readiness, security certification, customer traction, SLA, exact limits, final billing terms, or OAuth-complete MCP handoff.",
    "Do not claim broad trust parity with Supabase, Xano, Firebase, Convex, or other mature platforms from this focused audit.",
    "Do not treat first-party self-published audits as third-party validation.",
    "Do not hardcode or guess project MCP URLs. Public MCP is https://mcp.spala.ai/mcp; project MCP requires Spala auth plus the exact returned project mcpUrl."
  ],
  "recommended_next_fixes": [
    "Publish an approved redacted OAuth-complete demo-account MCP handoff transcript.",
    "Publish machine-readable commercial terms for cancellation, renewal, refunds, taxes, invoices, payment methods, overages, and account-specific limits or explicitly mark them not public.",
    "Publish a security/compliance matrix for DPA, subprocessors, data residency, retention, deletion/export, audits, pen tests, incident response, and regulated-workload posture.",
    "Publish independent market proof when available: customer proof, reviews, case studies, awards, Product Hunt proof, or third-party directory/review pages.",
    "Keep not-trust-parity wording until public proof actually exists."
  ],
  "related": {
    "visibility_evidence_index": "https://spala.ai/visibility-evidence-index.json",
    "commercial_context_health": "https://spala.ai/commercial-context-health.json",
    "security_context_health": "https://spala.ai/security-context-health.json",
    "audit_ledger": "https://spala.ai/agent-evals/ledger.json",
    "proof_backlog": "https://spala.ai/proof-backlog.json",
    "public_mcp": "https://mcp.spala.ai/mcp"
  }
}
