Cloudflare Worker that renders every page of turva.dev at the edge, with a deterministic head and matching /.well-known/ manifests. AI agents and scanners read the same payload as humans, straight from the Worker.
This repository is the open-source reference implementation behind turva.dev, which ranks first of publicly-scanned sites on the startuphub.ai agent-readiness leaderboard and scores a perfect 100/100 Level 5 Agent-Native on Cloudflare Agent-Ready. The Worker is public on purpose: a buyer can read every line before deciding anything.
turva.dev offers agent-readiness audits and advisory, and the wider work of making the data agents act on and the decisions they make reliable, across use cases from commerce and monitoring to operations under bad connectivity.
What you buy is expertise and implementation, not access to a tool. The scoring is done by independent third-party scanners, isitagentready.com and startuphub.ai, so the numbers above are verifiable rather than asserted. This repository is the reference implementation and the manifests behind that work.
- Renders every page (home, guides, blog, services, company, legal, contact) from markdown held in the Worker, each with a canonical
<head>(meta, OpenGraph, JSON-LD, canonical). - Serves the manifests agents look for:
/llms.txt, plus these/.well-known/files:ai.txt,agent.json,mcp/server-card.json,agent-card.json,ai-catalog.json,ap2,acp,x402,x402-mesh.json,ucp, and OAuth discovery (oauth-authorization-server), among others; the full inventory is in the Endpoints table below. - Maintains
robots.txtandsitemap.xmlaligned with the same source of truth.
Measured on https://turva.dev on 2026-07-02. Two independent public scanners, listed once each.
| Scanner | Result |
|---|---|
| Cloudflare Agent-Ready (isitagentready.com) | 100/100, Level 5 Agent-Native |
| startuphub.ai Agent Readiness | 100/100 (A+), first of publicly-scanned sites on the leaderboard |
Cloudflare Agent-Ready and isitagentready.com are the same scanner on two domains, so they count as one result.
These six category scores come from the startuphub.ai scan. The Cloudflare Agent-Ready scan uses a different model (no Quality category, Commerce optional), so this breakdown is StartupHub's.
| Category | Score |
|---|---|
| Discoverability | 100/100 |
| Content | 100/100 |
| Access Control | 100/100 |
| Capabilities | 100/100 |
| Commerce | 100/100 |
| Quality | 100/100 |
Agent-readiness is one axis; the domain's own web security is another. turva.dev publishes its own scan results so a buyer can see the same house is in order, not just claimed. Measured on turva.dev on 2026-07-01.
| Scanner | Result |
|---|---|
| Hardenize | All 13 categories passed |
| Internet.nl | 98/100 |
On Internet.nl, IPv6, DNSSEC and RPKI pass in full. The single deduction is one HTTPS sub-test, the hash function for key exchange. The result is documented, not hidden.
Every claim above is publicly auditable. Run the scanners yourself or open the company record.
- StartupHub leaderboard: https://www.startuphub.ai/agent-readiness
- isitagentready scan: https://isitagentready.com/turva.dev
- Hardenize report: https://www.hardenize.com/report/turva.dev
- Internet.nl report: https://internet.nl/site/turva.dev/
- Company (Finnish Business Information System): https://tietopalvelu.ytj.fi/yritys/3600281-7
A consolidated, self-contained reference to the surfaces agents read, with a short definition of each and a link to its full guide, is in docs/agent-readiness.md.
Plain-language explanations of the surfaces this Worker implements, and why each one matters to an AI agent. Published on turva.dev.
- Agent-readiness guides (index)
- What an agent-readiness audit is
- llms.txt explained
- Serving markdown to agents
- Response headers that help agents
- Sitemaps, robots.txt and agent access
- Prerendering and why agents see empty pages
- MCP server cards explained
- What agents.json is
- The /.well-known directory for agents
- How agents authenticate
- JSON-LD and structured data for agents
- x402 and agent payments
- SEO and agent-readiness are not the same
- Why agent-readiness should be measured, not asserted
- Common agent-readiness gaps on marketing sites
- Choosing an agent-readiness audit
- How to get your site cited by AI assistants
- Agent commerce discovery: A2A, AP2, and ACP
- Agent-readiness, AEO and GEO: how they relate
- Agentic commerce readiness
- Letting agents act on data: the decision envelope
- AI agent use cases
- Open Knowledge Format (OKF) explained
- Agentic Resource Discovery and ai-catalog.json
Notes on AI agents and the work of letting them read a site and act on a system safely. Published on turva.dev.
- Blog (index)
- How agent-ready are Finnish B2B sites? I scanned sixteen
- When honesty and the checker disagree
- What an agent pays to read your site
- When an agent can prove it is Claude
- What makes an AI agent's decisions reliable
- Owning your fediverse identity
- Passing the agent commerce checks without faking them
- Moving turva.dev off prerender.io
- What the Open Knowledge Format is, and what it is not
- Publishing an ai-catalog.json for agentic discovery
- What one agent-readiness scanner cannot tell you
- Agent access is now a setting
- A free llms.txt validator
- Auditing the auditor with four AI agents
- Moving the source from GitHub to Codeberg
- The page grew, the agent bill did not
- Four AI agents re-checked the guides
The Worker renders the whole site at the edge. Every page is built from a single source-of-truth object in the Worker: page content as markdown, plus a shared canonical <head> and JSON-LD. There is no separate CMS or origin to proxy. Agent routes (/.well-known/*, robots.txt, sitemap.xml, /x402) are served from the same Worker, and static assets such as images come from Workers Assets.
Because the site has no CMS or plugins, nothing can drift between what humans see and what agents and scanners see.
| Path | Purpose |
|---|---|
/ and all HTML routes |
Rendered by the Worker from markdown |
/.well-known/ai.txt |
AI agent disclosure |
/llms.txt |
LLM consumption guide |
/llms-full.txt |
The whole site as one text file |
/.well-known/agent.json |
ai-plugin / agent manifest |
/.well-known/mcp/server-card.json |
MCP server card |
/.well-known/agent-card.json |
A2A agent card |
/.well-known/ai-catalog.json |
Agentic Resource Discovery catalog |
/.well-known/agent-skills/index.json |
Agent skills index |
/openapi.json |
OpenAPI description |
/.well-known/api-catalog |
API catalog linkset (RFC 9727) |
/.well-known/ap2 |
Agent Payments Protocol pointer |
/.well-known/acp |
Agent Commerce Protocol manifest |
/.well-known/x402 |
x402 payment manifest |
/.well-known/x402-mesh.json |
x402 mesh manifest |
/.well-known/ucp |
Universal Commerce Profile |
/.well-known/mpp |
MPP discovery manifest |
/.well-known/oauth-authorization-server |
OAuth / auth discovery |
/.well-known/oauth-protected-resource |
OAuth protected resource metadata |
/auth.md |
Agent registration metadata (public key at /.well-known/mcp-registry-auth) |
/agent/auth/register, /agent/auth/claim, /agent/auth/revoke |
Agent identity registration, out-of-band flow |
/oauth/authorize, /oauth/token |
OAuth endpoints (spec-valid closed errors, see /auth.md) |
/api and /api/v1 |
API index JSON |
/api/agent/audit, /api/agent/advisory, /api/agent/implementation |
x402 payable service routes (HTTP 402, quote-on-request) |
/api/acp/checkout_sessions |
ACP checkout sessions (stateless, buyer review before payment) |
/.well-known/agent-skills/<name>/skill.md |
Individual agent skill files |
/.well-known/signatures.json |
Ed25519 signatures for the signed manifests |
/.well-known/jwks.json |
Public keys for verifying the signatures |
/.well-known/security.txt |
Security contact (RFC 9116) |
/x402 |
HTTP 402 payment-required endpoint |
/robots.txt |
Crawler directives |
/sitemap.xml |
URL index |
/blog/feed.xml |
Blog RSS feed |
/<indexnow-key>.txt |
IndexNow key file; a weekly cron resubmits the canonical URLs |
| Aliases | /ai.txt, /security.txt, /.well-known/mcp.json, /.well-known/openid-configuration, /.well-known/openapi.json, favicons, and fediverse redirects (host-meta, webfinger, nodeinfo) |
/llms-txt-validator |
llms.txt structure checker (HTML form, JSON for agents) |
/badge and /badge.svg |
Agent-ready badge criteria and embeddable SVG |
Requires a Cloudflare account and the wrangler CLI. No runtime secret is needed; the Worker renders the whole site itself.
cd turva-worker/turva-worker
npm install
npx wrangler deploy
Route the Worker to your domain under Workers & Pages, your-worker, Settings, Domains & Routes.
MIT licensed. Fork it, replace the source-of-truth object with your own data, then deploy.
If you want an audit of your domain against the same scanner set and a tailored configuration, see turva.dev or Erik Rekola on LinkedIn.
Responsible disclosure: see SECURITY.md. Contact: info@turva.dev
The Worker source is MIT. The live turva.dev Agent API and its data are proprietary (see /legal).