MetaCity's Confidential Infrastructure Audit Was Published to a Public URL by the Firm That Wrote It — The Report Grades Every Core Platform System and Only One Receives a Passing Score

Harwick & Maren, the third-party infrastructure consultancy retained by MetaCity to conduct its annual systems audit, accidentally published the full 214-page report to an unlisted but publicly accessible URL at 6:47 AM EST. The document was live for 38 minutes before being removed. In that window, screenshots of the executive summary spread across every major MetaCity community forum. The summary grades eleven core platform systems on a scale of A through F. Ten receive D or F ratings. The one passing grade goes to CDN delivery.

Harwick & Maren are not a controversial firm. They have conducted infrastructure audits for seven major virtual platforms over the past decade and their reports are considered among the most methodologically rigorous in the industry. MetaCity has retained them for three consecutive annual cycles. The reports from the first two years have never been made public — MetaCity is not required to publish them, and has not volunteered to do so. This year's report joined that tradition of confidentiality for approximately six hours before a junior associate at Harwick & Maren uploaded a finalized PDF to the firm's client delivery portal using a permissions setting that made the URL publicly resolvable to anyone who navigated to it. The error was discovered and corrected. Not before thirty-eight minutes had passed.

The executive summary grades eleven systems on a scale ranging from A to F, with plus and minus gradations. The methodology is described in the appendix: each grade reflects a composite of uptime reliability over the assessed period, failure rate per million transactions, recovery time from identified incidents, architectural technical debt score, and an assessment of the gap between documented system specifications and observed behavior. The CDN delivery layer — which manages asset serving for images, audio, video, and interface elements — receives a B+. The note reads: 'Consistently reliable, well-maintained, adequate headroom for projected growth.' The remaining ten systems receive grades between D- and F. The moderation infrastructure, physics engine, and dispute resolution system each receive an F. No note accompanies any F grade. The methodology section explains that F grades are issued when a system 'fails to meet minimum baseline requirements on three or more of the five assessment criteria.'

Ten Out of Eleven. One Passing Grade. It Goes to the Part Nobody Sees.

The identity layer receives a D with the following note: 'Systemic vulnerability to synthetic account registration has not been substantively addressed since the 2024 assessment. Recommended remediation from the prior report was not implemented. Scope of problem has grown.' The notification routing system receives a D+ with a note referencing the 48-hour delay incident from earlier this month as 'consistent with predicted failure mode documented in prior cycle.' The economy engine receives a D- with a note that reads, in full: 'Currency integrity risk elevated. Reserve modeling assumptions do not reflect observed transaction patterns. Recommend independent financial audit.' These phrases are not the language of a report that expects its findings to remain private. They are the language of a report written with the understanding that the client would read them in confidence and act on them privately. That assumption did not survive the morning.

Community response to the leak has divided largely along predictable lines. Users who have spent months documenting platform failures responded to the grades as confirmation of what they already believed. Users who maintain that criticism of MetaCity is exaggerated have focused on methodology disputes — arguing that infrastructure grading systems are not standardized, that the Harwick & Maren criteria are overly stringent, and that a D in 'dispute resolution' does not necessarily mean users are being poorly served. Both groups agree on one thing: MetaCity has not commented. The platform's communications team has not issued a statement acknowledging the leak, confirming the document's authenticity, or disputing any of its findings. Harwick & Maren's website is currently returning a 503 error. The report is available in full on eleven separate community mirror sites. The CDN delivering those mirrors is working fine.