
The .well-known Directory Audit — Probe 13 Files, Fix the Gaps

Most sites expose two files from /.well-known/. Maybe security.txt and, if someone configured ACME, a certbot artifact. That's it. The other eleven things that can live there, all standards-defined and all useful in 2026, don't get served because nobody remembered them at build time.

The .well-known Directory Audit probes every standard path in parallel, validates what's served, and generates files for what isn't. You paste a URL, you get back a coverage score and a copy-paste fix kit.

What it actually checks

The script fetches thirteen paths. The standards-mandated ones under /.well-known/:

  • security.txt. RFC 9116. Validates that Contact: and Expires: fields are present. If not, you have a file but it's not compliant.
  • agent-card.json. The AI agent protocol handshake. AI models now check for this before scraping.
  • ai-plugin.json. ChatGPT-plugin / AI-service manifest. Matters if you expose an API.
  • change-password. The W3C redirect that tells password managers where to send users clicking "change compromised password."
  • webfinger. Federated identity discovery. If you're on Mastodon or Bluesky and want to be verifiably you, this is the bridge.
  • host-meta, assetlinks.json, apple-app-site-association, openid-configuration, nodeinfo. App-to-web links, OpenID discovery, federated metadata.

Plus three root-level companions that sit alongside: robots.txt, humans.txt, ads.txt.
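An added example, not the tool's own code: a minimal Python version of the probe. It fetches all thirteen paths in parallel and validates security.txt for the Contact: and Expires: fields the post names, additionally flagging an Expires: that has already passed. The host name and the pluggable fetch hook are assumptions so the checker can also be run against canned responses.

```python
"""Probe the standard .well-known paths and validate security.txt (RFC 9116 fields)."""
from concurrent.futures import ThreadPoolExecutor
from datetime import datetime, timezone
from typing import Callable, Optional
from urllib.error import URLError
from urllib.request import Request, urlopen

# The ten /.well-known/ paths plus the three root-level companions from the post.
WELL_KNOWN = ["security.txt", "agent-card.json", "ai-plugin.json", "change-password",
              "webfinger", "host-meta", "assetlinks.json", "apple-app-site-association",
              "openid-configuration", "nodeinfo"]
ROOT_FILES = ["robots.txt", "humans.txt", "ads.txt"]

def default_fetch(url: str) -> Optional[str]:
    """Return the body of a 2xx response (redirects followed), or None if missing/unreachable."""
    try:
        with urlopen(Request(url, headers={"User-Agent": "wk-audit"}), timeout=5) as r:
            return r.read().decode("utf-8", "replace") if 200 <= r.status < 300 else None
    except (URLError, OSError, ValueError):
        return None  # 4xx/5xx raise HTTPError (a URLError), so they land here too

def validate_security_txt(body: str) -> list:
    """RFC 9116 requires Contact: and Expires:; an Expires: in the past is also a defect."""
    fields = {}
    for line in body.splitlines():
        if ":" in line and not line.startswith("#"):
            k, v = line.split(":", 1)
            fields.setdefault(k.strip().lower(), v.strip())  # first occurrence wins
    problems = []
    if "contact" not in fields:
        problems.append("missing Contact:")
    if "expires" not in fields:
        problems.append("missing Expires:")
    else:
        try:
            exp = datetime.fromisoformat(fields["expires"].replace("Z", "+00:00"))
            exp = exp if exp.tzinfo else exp.replace(tzinfo=timezone.utc)  # assume UTC if naive
            if exp < datetime.now(timezone.utc):
                problems.append("Expires: is in the past")
        except ValueError:
            problems.append("Expires: is not an ISO 8601 timestamp")
    return problems

def audit(host: str, fetch: Callable[[str], Optional[str]] = default_fetch) -> dict:
    """Fetch every path concurrently; report present/missing files and a coverage score (%)."""
    urls = ([f"https://{host}/.well-known/{p}" for p in WELL_KNOWN]
            + [f"https://{host}/{p}" for p in ROOT_FILES])
    with ThreadPoolExecutor(max_workers=len(urls)) as pool:
        bodies = dict(zip(urls, pool.map(fetch, urls)))
    report = {"present": [], "missing": [], "problems": {}}
    for url, body in bodies.items():
        name = url.rsplit("/", 1)[1]
        (report["present"] if body is not None else report["missing"]).append(name)
        if name == "security.txt" and body is not None:
            report["problems"][name] = validate_security_txt(body)
    report["score"] = round(100 * len(report["present"]) / len(urls))
    return report
```

Run `audit("your-host.example")` for a live probe; the `fetch` parameter lets you swap in a dict-backed stub for offline testing.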

The fix kit

When a file is missing, the tool generates a replacement with your host, name, and today's date already substituted in. security.txt comes pre-signed with a 365-day Expires. agent-card.json ships with no-auth as the default and your hostname plugged into the chat endpoint. change-password arrives as the Netlify _redirects line and the Apache .htaccess equivalent.

You can copy each one to clipboard or download it as the real file. For the hosting-config step, the generated LLM prompt asks Claude for the _headers / .htaccess / Nginx snippet to serve each file with the correct Content-Type.

Why this is suddenly load-bearing

Three things shifted in the last year.

AI agents discover via protocol. When a Claude skill or a Perplexity tool hits your domain, the first request is /.well-known/agent-card.json. No card, no clean surface. The model falls back to web-scraping your HTML and misses half your API.

Password managers honor change-password. Safari and 1Password route "change this leaked password" directly to /.well-known/change-password. Without the redirect, users land on your homepage, can't find the change flow, and give up. That's churn you don't need.

Security researchers expect security.txt. Responsible disclosure starts with a curl. No file means reports go through contact@ or, worse, get posted publicly because the researcher couldn't reach you privately.

Where this pairs with the other tools

The Mega Analyzer touches one or two .well-known files as part of a broader audit. This tool covers the full standard-defined set and generates fixes. Run both. The Mega Analyzer tells you the big-picture score; this tells you which identity files are still missing.

For the methodology, Chapter 4 of The $20 Dollar Agency (Technical SEO Files) is the reference. Chapter 8 of The $100 Network (Underused Platform Features That Replace Paid Tools) shows how to serve all of these from a Cloudflare Worker instead of paying an identity SaaS.
