Agent-readiness audits and advisory for product teams, and the wider work of making the data agents act on and the decisions they make reliable.
turva.dev, my own reference build, is ranked #1 of publicly-scanned sites on the startuphub.ai agent-readiness leaderboard, scoring 100/100 (A+) across all six categories. On isitagentready.com, Cloudflare's agent-readiness scanner, it scores 100/100 at Level 5 (Agent-Native). Measured 2026-07-02.
| Scanner | Result |
|---|---|
| isitagentready.com (Cloudflare) | 100/100, Level 5 (Agent-Native) |
| startuphub.ai leaderboard | 100/100 (A+), #1 of publicly-scanned sites |
startuphub.ai sub-scores (Discoverability, Content, Access Control, Capabilities, Commerce, Quality): 100/100 each.
The Cloudflare Worker that produces these results is open source: turva-worker. You can read every line before you hire me.
Agent-readiness is one axis. The domain's own web security is another, and I publish turva.dev's own scan results so a buyer can see the same house is in order, not just claimed. Measured on turva.dev on 2026-07-01.
| Scanner | Result |
|---|---|
| Hardenize | All 13 categories passed |
| Internet.nl | 98 / 100 |
On Internet.nl, IPv6, DNSSEC and RPKI pass in full. The single deduction is one HTTPS sub-test, the hash function for key exchange, which I document rather than hide.
AI agents such as ChatGPT search, Perplexity, Claude, and Copilot are now a discovery channel. They read sites and APIs through /.well-known/ manifests, JSON-LD, head metadata, and protocol endpoints (MCP, x402, ACP, AP2). If those signals are wrong or contradicted by your CMS, your product becomes invisible inside the answer rather than merely de-ranked.
The skill is knowing which signals each agent actually reads, in what order, and how to make them deterministic across CMS drift.
A consolidated agent-readiness reference, with a short definition of each surface agents read and a link to its full guide, is in the open-source repository: docs/agent-readiness.md.
I publish plain-language guides on the surfaces agents read and how to make a site legible to them. Published on turva.dev.
- Agent-readiness guides (index)
- What an agent-readiness audit is
- llms.txt explained
- Serving markdown to agents
- Response headers that help agents
- Sitemaps, robots.txt and agent access
- Prerendering and why agents see empty pages
- MCP server cards explained
- What agents.json is
- The /.well-known directory for agents
- How agents authenticate
- JSON-LD and structured data for agents
- x402 and agent payments
- SEO and agent-readiness are not the same
- Why agent-readiness should be measured, not asserted
- Common agent-readiness gaps on marketing sites
- Choosing an agent-readiness audit
- How to get your site cited by AI assistants
- Agent commerce discovery: A2A, AP2, and ACP
- Agent-readiness, AEO and GEO: how they relate
- Agentic commerce readiness
- Letting agents act on data: the decision envelope
- AI agent use cases
- Open Knowledge Format (OKF) explained
- Agentic Resource Discovery and ai-catalog.json
Notes on AI agents, and the work of letting them read a site and act on a system safely. Anything that can be measured is checked against independent scanners rather than asserted. A selection is below, with the full index on turva.dev.
- Blog index
- Auditing the auditor with four AI agents
- What one agent-readiness scanner cannot tell you
- What an agent pays to read your site
- Passing the agent commerce checks without faking them
- Audits. Public scanner sweep across the leaderboards above, plus manual review of
/.well-known/manifests, JSON-LD, head metadata, and protocol endpoints. Written report with prioritized gaps. Async-only. - Advisory. Per-gap remediation notes your engineers can ship. Async-only.
- Implementation. Scoped repository write access per task if you want me to fix what I found. Same Worker pattern as turva.dev, adapted to your stack.
- Agent operations. Beyond readiness: making the data an agent acts on and the decisions it is allowed to make reliable. Scoped per engagement. Async-only.
- MCP server design. Read-only discovery tools and Streamable HTTP transport, no auth surface and no logging by default. The endpoint stays readable for agents without turning into an abuse vector. Async-only.
- Async-only. No calls, no calendar links, no discovery meetings.
- Reply within one business day.
- Fixed scope per engagement, written before any payment.
- Open-source reference implementation means you verify the work against the same scanners I do.
- Email: info@turva.dev
- Web: turva.dev
- LinkedIn: in/erikrekola
Tell me your domain and what you want audited. I respond within one business day.