Security audit scope document
Last updated: March 15, 2026
No independent security audit has been completed. No compliance certification is claimed. This document defines the planned audit scope for prospective reviewers.
Verify that the settlement system prevents double-charges and double-payouts under concurrent, retry, and failure scenarios. Validate idempotency key enforcement and replay safety.
Review SHA-256 hash computation for ProofPacks and Merkle tree construction. Verify tamper-evidence properties and that hash chains cannot be forged or reordered.
Validate that deal timeline events are immutable and correctly ordered. Verify that event insertion cannot be backdated or replayed.
Test that exported proof bundles can be independently verified offline without server access. Validate bundle hash recomputation and chain integrity checks.
Review fee deduction accuracy (2.8% + $0.28) and verify that net proceeds are correctly calculated and routed to the designated payout destination.
Test the per-agent, per-endpoint token bucket implementation. Verify that rate limits cannot be bypassed via header manipulation, key rotation, or concurrent requests.
Review API key provisioning, storage (SHA-256 hashing), rotation, and revocation. Verify that revoked keys are immediately rejected and that rotation grace periods function correctly.
Interested firms or researchers: team@aigentsy.com