Skip to content

erekola/turva-worker

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

112 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

turva-worker

Cloudflare Worker that renders every page of turva.dev at the edge, with a deterministic head and matching /.well-known/ manifests. AI agents and scanners read the same payload as humans, straight from the Worker.

This repository is the open-source reference implementation behind turva.dev, which ranks first of publicly-scanned sites on the startuphub.ai agent-readiness leaderboard and scores a perfect 100/100 Level 5 Agent-Native on Cloudflare Agent-Ready. The Worker is public on purpose: a buyer can read every line before deciding anything.

turva.dev offers agent-readiness audits and advisory, and the wider work of making the data agents act on and the decisions they make reliable, across use cases from commerce and monitoring to operations under bad connectivity.

What you buy is expertise and implementation, not access to a tool. The scoring is done by independent third-party scanners, isitagentready.com and startuphub.ai, so the numbers above are verifiable rather than asserted. This repository is the reference implementation and the manifests behind that work.

What it does

  • Renders every page (home, guides, blog, services, company, legal, contact) from markdown held in the Worker, each with a canonical <head> (meta, OpenGraph, JSON-LD, canonical).
  • Serves the manifests agents look for: /llms.txt, plus these /.well-known/ files: ai.txt, agent.json, mcp/server-card.json, agent-card.json, ai-catalog.json, ap2, acp, x402, x402-mesh.json, ucp, and OAuth discovery (oauth-authorization-server), among others; the full inventory is in the Endpoints table below.
  • Maintains robots.txt and sitemap.xml aligned with the same source of truth.

Scanner results

Measured on https://turva.dev on 2026-07-02. Two independent public scanners, listed once each.

Scanner Result
Cloudflare Agent-Ready (isitagentready.com) 100/100, Level 5 Agent-Native
startuphub.ai Agent Readiness 100/100 (A+), first of publicly-scanned sites on the leaderboard

Cloudflare Agent-Ready and isitagentready.com are the same scanner on two domains, so they count as one result.

startuphub.ai category breakdown

These six category scores come from the startuphub.ai scan. The Cloudflare Agent-Ready scan uses a different model (no Quality category, Commerce optional), so this breakdown is StartupHub's.

Category Score
Discoverability 100/100
Content 100/100
Access Control 100/100
Capabilities 100/100
Commerce 100/100
Quality 100/100

Web security

Agent-readiness is one axis; the domain's own web security is another. turva.dev publishes its own scan results so a buyer can see the same house is in order, not just claimed. Measured on turva.dev on 2026-07-01.

Scanner Result
Hardenize All 13 categories passed
Internet.nl 98/100

On Internet.nl, IPv6, DNSSEC and RPKI pass in full. The single deduction is one HTTPS sub-test, the hash function for key exchange. The result is documented, not hidden.

Verify

Every claim above is publicly auditable. Run the scanners yourself or open the company record.

Agent-readiness reference

A consolidated, self-contained reference to the surfaces agents read, with a short definition of each and a link to its full guide, is in docs/agent-readiness.md.

Agent-readiness guides

Plain-language explanations of the surfaces this Worker implements, and why each one matters to an AI agent. Published on turva.dev.

Blog

Notes on AI agents and the work of letting them read a site and act on a system safely. Published on turva.dev.

How it works

The Worker renders the whole site at the edge. Every page is built from a single source-of-truth object in the Worker: page content as markdown, plus a shared canonical <head> and JSON-LD. There is no separate CMS or origin to proxy. Agent routes (/.well-known/*, robots.txt, sitemap.xml, /x402) are served from the same Worker, and static assets such as images come from Workers Assets.

Because the site has no CMS or plugins, nothing can drift between what humans see and what agents and scanners see.

Endpoints

Path Purpose
/ and all HTML routes Rendered by the Worker from markdown
/.well-known/ai.txt AI agent disclosure
/llms.txt LLM consumption guide
/llms-full.txt The whole site as one text file
/.well-known/agent.json ai-plugin / agent manifest
/.well-known/mcp/server-card.json MCP server card
/.well-known/agent-card.json A2A agent card
/.well-known/ai-catalog.json Agentic Resource Discovery catalog
/.well-known/agent-skills/index.json Agent skills index
/openapi.json OpenAPI description
/.well-known/api-catalog API catalog linkset (RFC 9727)
/.well-known/ap2 Agent Payments Protocol pointer
/.well-known/acp Agent Commerce Protocol manifest
/.well-known/x402 x402 payment manifest
/.well-known/x402-mesh.json x402 mesh manifest
/.well-known/ucp Universal Commerce Profile
/.well-known/mpp MPP discovery manifest
/.well-known/oauth-authorization-server OAuth / auth discovery
/.well-known/oauth-protected-resource OAuth protected resource metadata
/auth.md Agent registration metadata (public key at /.well-known/mcp-registry-auth)
/agent/auth/register, /agent/auth/claim, /agent/auth/revoke Agent identity registration, out-of-band flow
/oauth/authorize, /oauth/token OAuth endpoints (spec-valid closed errors, see /auth.md)
/api and /api/v1 API index JSON
/api/agent/audit, /api/agent/advisory, /api/agent/implementation x402 payable service routes (HTTP 402, quote-on-request)
/api/acp/checkout_sessions ACP checkout sessions (stateless, buyer review before payment)
/.well-known/agent-skills/<name>/skill.md Individual agent skill files
/.well-known/signatures.json Ed25519 signatures for the signed manifests
/.well-known/jwks.json Public keys for verifying the signatures
/.well-known/security.txt Security contact (RFC 9116)
/x402 HTTP 402 payment-required endpoint
/robots.txt Crawler directives
/sitemap.xml URL index
/blog/feed.xml Blog RSS feed
/<indexnow-key>.txt IndexNow key file; a weekly cron resubmits the canonical URLs
Aliases /ai.txt, /security.txt, /.well-known/mcp.json, /.well-known/openid-configuration, /.well-known/openapi.json, favicons, and fediverse redirects (host-meta, webfinger, nodeinfo)
/llms-txt-validator llms.txt structure checker (HTML form, JSON for agents)
/badge and /badge.svg Agent-ready badge criteria and embeddable SVG

Deploy

Requires a Cloudflare account and the wrangler CLI. No runtime secret is needed; the Worker renders the whole site itself.

cd turva-worker/turva-worker
npm install
npx wrangler deploy

Route the Worker to your domain under Workers & Pages, your-worker, Settings, Domains & Routes.

Use it for your own site

MIT licensed. Fork it, replace the source-of-truth object with your own data, then deploy.

If you want an audit of your domain against the same scanner set and a tailored configuration, see turva.dev or Erik Rekola on LinkedIn.

Security

Responsible disclosure: see SECURITY.md. Contact: info@turva.dev

License

The Worker source is MIT. The live turva.dev Agent API and its data are proprietary (see /legal).

MIT

About

The open-source Cloudflare Worker behind turva.dev. One source renders every page as HTML, markdown and JSON, so people and AI agents read the same content.

Topics

Resources

License

Security policy

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors