Manifesto-binding · enforced in code

Transparency commitments

MagnusQA's promise: customers see the whole picture. No hidden findings, no upsell coercion, no surprise fees. Every commitment below is enforced in the API surface, not just in marketing copy.

What we test

Six worker classes, each with a documented detection set:

  • browser — visual regression, console, forms, auth flows (Playwright + vision)
  • api — endpoint testing, auth boundaries, rate limits, injection probes
  • load — P50/P95/P99, RPS knee, resource pressure (k6)
  • security — OWASP Top 10, header hygiene, TLS posture
  • accessibility — WCAG 2.2 AA via axe-core, keyboard navigation
  • business_logic — intent-based critical-flow validation

At L1, every worker ships as an in-process stub that emits findings of realistic shape; the real Playwright, k6, OWASP and axe-core scanners are L2 operator infrastructure.

How severity is scored

Each finding is assigned exactly one severity: critical, high, medium, low, or info. The score is rule-based per worker and is sometimes adjusted by the maturity of the matching KB pattern. We publish the severity rules at /knowledge-base.

What we never hide

  • The total finding count is always disclosed. The free tier shows five findings plus a count of the rest.
  • The worker breakdown is always available at /api/v1/scans/:id/results.
  • The fee math is computationally verifiable at /api/fee-audit/policy.
  • Every brain emission is mirrored locally in brain_events — no behind-the-scenes telemetry the customer can’t see.

Data retention & privacy

  • Scan artifacts (screenshots, logs) are retained 90 days by default.
  • Findings + KB patterns are retained indefinitely (anonymized).
  • Brain events are retained 180 days.
  • Per-account training_opt_out is available; it redacts your samples in the agent training export.
  • Read the Privacy Policy for the full text.

Legal posture

  • Ownership verification is required before any scan (DNS / file / email / OAuth). Audit trail in ownership_verifications.
  • ToS acceptance is required at signup, with version + IP capture in tos_acceptances.
  • CFAA / Computer Misuse Act compliance language is in the Terms.
  • Draft v1 of the legal docs is pending fintech/SaaS attorney review per spec.

Anonymized KB sample

Browse the public Knowledge Base at /knowledge-base. example_sites_seen is redacted for non-operators.