# External Audit Status
As of v1.1.7: no external audit has been performed.
This document tracks the audit posture of alphafold-sovereign-mcp.
Audit findings, when they exist, will be summarised here with the
issue and PR numbers that resolved them.
## What has been audited
The repository receives automated code review from gemini-code-assist[bot]
on every pull request. Cumulative review activity through v1.1.4:
| Surface | Auditor | Date(s) | PRs reviewed | Outcome |
|---|---|---|---|---|
| Engineering (code, docs, tests, CI, manifests, release process) | gemini-code-assist[bot] (automated) | 2026-05-11 → 2026-05-17 | #2, #6, #15, #16, #17, #18, #19, #30 | Cumulative ~13 inline suggestions across docs, manifests, dependency hygiene, and ACMG warning surfaces. Every suggestion resolved via a follow-up commit; see each PR's Conversation tab for the resolution trail. |
## What has NOT been audited

| Surface | Why this matters | When | Tracked at |
|---|---|---|---|
| ACMG/AMP criterion mapping (tools/precision_medicine.py) | The mapping is implemented from Richards et al. 2015 but no clinical geneticist has signed off. | Roadmap step 3 of v1.2.0 — see STATUS.md | LIMITATIONS L1 |
| Druggability tier heuristic (tools/precision_medicine.py) | The score cut-offs (HOT/WARM/COLD) are author judgement, not calibrated. | Roadmap step 4 of v1.2.0 | LIMITATIONS L2 |
| End-to-end real-API behaviour | All tests mock the upstream APIs. We have not run the pipeline against held-out variants/targets with known expected outputs. | Roadmap step 1 of v1.2.0 (examples/ golden notebooks) | LIMITATIONS L3 |
| Threat model | First STRIDE-style review was written by the maintainer in v1.1.0-rc1 (see docs/threat-model.md). External STRIDE review by a security professional has not been performed. | Defer until external security audit | docs/threat-model.md |
| Independent security audit | No external penetration test or code-security audit yet. | Defer until v1.2.0 release | This document |
| Performance / load behaviour | No production deployment yet. | Defer until first real deployment | LIMITATIONS L4 |
## How to request an audit

If you are a researcher, auditor, or compliance officer interested in reviewing this project, please:

- Open a GitHub issue with the `audit` label describing the audit scope you have in mind.
- Mention the maintainer (@smaniches).
- For sensitive findings, follow the disclosure process in SECURITY.md.
## Audit log

This section is appended to when audits complete. Each entry has:

- Date
- Auditor identity and credentials
- Scope reviewed
- Findings (high / medium / low / informational)
- Resolution PRs

| Date | Auditor | Scope | Findings | Status |
|---|---|---|---|---|
| 2026-05-11 | gemini-code-assist[bot] | PR #2 — STATUS / LIMITATIONS docs review | 2 inline suggestions on ACMG warning surfaces | Resolved in commit ae42b59 |
| 2026-05-16 | gemini-code-assist[bot] | PR #6 — MONDO disease-label fix | 1 inline suggestion (direct attribute access vs. getattr default) | Resolved in PR #13 |
| 2026-05-17 | gemini-code-assist[bot] | PR #16 — prepare v1.1.1 release | 3 inline suggestions (maturity field consistency across smithery.yaml, server.json, .well-known/mcp.json) | Resolved in PR #17 |
| 2026-05-17 | gemini-code-assist[bot] | PR #17 — finish v1.1.1 stable-release framing pass | 2 inline suggestions (uvx idiom; Development Status :: 5 - Production/Stable classifier) | Resolved in commit ed08229 |
| 2026-05-17 | gemini-code-assist[bot] | PR #18 — v1.1.2 metadata-coherence | 2 inline suggestions (CHANGELOG PRs #17 → PR #17; smithery.yaml missing maturity: stable) | Resolved in commit a5a4202 |
| 2026-05-17 | gemini-code-assist[bot] | PR #19 — v1.1.3 dep-trim + Minerva CVE close | 2 inline suggestions (CHANGELOG Six → Seven; Dependabot ecosystem pip → uv) | Resolved in commit 61ed61c |
| 2026-05-17 | gemini-code-assist[bot] | PR #30 — v1.1.4 accuracy patch | 1 inline suggestion (internal consistency: this audit summary itself said "through v1.1.3" while the document header said "As of v1.1.4") | Resolved in this commit |
Last updated: 2026-05-17.