Production Audit

Live audit: March 19, 2026

This report reflects the live production deployment on https://agentos-app.vercel.app. No P0 or P1 findings were observed in this pass. The remaining open issue is the custom-domain DNS cutover.

Platform features audited

Runtime functions audited

102

Catalog items under crew coverage

P2Resolved

https://agentos-app.vercel.app/api/ops/crew

Observed behavior

Anonymous callers could enumerate the full 102-item active and standby crew matrix, including per-item topology and queue state.

Risk

That exposed more control-plane inventory than a public health surface should reveal.

Exact fix recommendation

Keep public ops access summary-only. Require an ops-admin bearer token for per-item matrix details, failovers, and incident history. This fix is already live.

P3Resolved

https://agentos-app.vercel.app/docs/api

Observed behavior

The API reference documented stale signup and health contracts that no longer matched the live routes.

Risk

Developers could copy invalid request payloads or expect fields that the live API does not return.

Exact fix recommendation

Document only the route contracts that were re-verified against production. This fix is already live.

Verified production routes

https://agentos-app.vercel.app/health -> 200
https://agentos-app.vercel.app/studio -> 200
https://agentos-app.vercel.app/ops -> 200
https://agentos-app.vercel.app/docs/features -> 200
https://agentos-app.vercel.app/api/ops/metrics -> 200

Residual risk and testing gaps

The live audit covered route availability, auth boundaries, Studio command execution, password reset request and confirm behavior, and public ops redaction.
A full paid-skill commerce flow and third-party MCP action flow were not executed in production during this pass.
FFP consensus remains available in the product, but the current deployment is configured with FFP disabled by default until you choose to enable it.

Readiness assessment

Agent OS is live and ready for public traffic.