13 probes across 5 categories — Discoverability, Content, Bot Access Control, API / Auth / MCP / Skills, and Commerce. Mirrors the Cloudflare / isitagentready.com Agent Readiness Score. Tests Link headers, Markdown negotiation, Content Signals, Web Bot Auth, API Catalog (RFC 9727), MCP Server Card (SEP-2127), Agent Skills (v0.2.0), WebMCP, OAuth metadata, x402, MPP, UCP, ACP.
Pair with Agent Runtime Readiness → · AI Posture Audit → · MCP Server Audit →
Paste any homepage URL. The audit fetches via /.netlify/functions/fetch-page with proxied headers; nothing is stored server-side.
The first file any crawler reads. Must return HTTP 200 with text/plain and contain at least one valid User-agent: directive.
Either a Sitemap: line in robots.txt OR a reachable /sitemap.xml at the apex. Sitemaps power agent crawl planning.
HTTP Link: response headers point agents to discovery resources without parsing HTML. Recommended rel values: api-catalog, mcp-server-card, agent-skills, llms-txt, sitemap.
When an agent sends Accept: text/markdown, the server returns a Markdown variant of the page. Cloudflare's Markdown for Agents and equivalent origin negotiation both qualify.
Explicit per-bot directives for known AI crawlers: GPTBot, ClaudeBot, PerplexityBot, Google-Extended, Applebot-Extended, CCBot, Bytespider, etc. Even an Allow rule counts — silence does not.
A structured directive in robots.txt declaring AI usage preferences: Content-Signal: search=yes, ai-input=yes, ai-train=yes. Adopted by Cloudflare AI Crawl Control as the default response.
An IETF draft for cryptographically authenticating bots via HTTP Message Signatures. Public keys live at /.well-known/http-message-signatures-directory. Mainly relevant if you operate a friendly bot; absence on a content site is fine.
/.well-known/api-catalog serves application/linkset+json. Lets agents discover OpenAPI specs, service docs, status endpoints without parsing markup.
/.well-known/oauth-authorization-server or /.well-known/openid-configuration. Required only if your APIs are protected; intentionally absent on read-only public sites.
/.well-known/oauth-protected-resource. Tells agents which authorization server issues tokens for this resource. Static read-only sites can skip this honestly.
/.well-known/mcp/server-card.json. Declares serverInfo (name, version), one or more transports (http-stream, websocket, webmcp), and capabilities (tools, resources, prompts).
/.well-known/agent-skills/index.json. Lists SKILL.md files describing what an agent can do with your site. Each entry has name, type, description, url, and optionally a SHA-256 digest.
JS code that calls navigator.modelContext.provideContext() on page load to register tools with browser-side AI agents. Detected by inspecting the homepage HTML for the API call.
Coinbase-led protocol for agent-native HTTP payments. Protected routes return 402 with payment requirements that compatible agents fulfill automatically.
/openapi.json with x-payment-info extensions on payable operations.
/.well-known/ucp. Co-developed by Google, Shopify, Etsy.
/.well-known/acp.json. Stripe + OpenAI specification for agent-driven checkout.
Probes run via the jwatte.com fetch-page proxy with an Origin allow-list. Some hosts return different bodies to bots vs humans; this tool sends a generic UA. Score is point-in-time; some probes (Web Bot Auth, OAuth) are honestly absent on read-only static sites and should not be remediated.