Loading repository data…
Loading repository data…
erekola / repository
The open-source Cloudflare Worker behind turva.dev. One source renders every page as HTML, markdown and JSON, so people and AI agents read the same content.
Cloudflare Worker that renders every page of turva.dev at the edge, with a deterministic head and matching /.well-known/ manifests. AI agents and scanners read the same payload as humans, straight from the Worker.
This repository is the open-source reference implementation behind turva.dev, which ranks first of publicly-scanned sites on the startuphub.ai agent-readiness leaderboard and scores a perfect 100/100 Level 5 Agent-Native on Cloudflare Agent-Ready. The Worker is public on purpose: a buyer can read every line before deciding anything.
turva.dev offers agent-readiness audits and advisory, and the wider work of making the data agents act on and the decisions they make reliable, across use cases from commerce and monitoring to operations under bad connectivity.
What you buy is expertise and implementation, not access to a tool. The scoring is done by independent third-party scanners, isitagentready.com and startuphub.ai, so the numbers above are verifiable rather than asserted. This repository is the reference implementation and the manifests behind that work.
<head> (meta, OpenGraph, JSON-LD, canonical)./llms.txt, plus these /.well-known/ files: ai.txt, agent.json, mcp/server-card.json, agent-card.json, ai-catalog.json, ap2, acp, x402, x402-mesh.json, ucp, and OAuth discovery (oauth-authorization-server), among others; the full inventory is in the Endpoints table below.robots.txt and sitemap.xml aligned with the same source of truth.Measured on https://turva.dev on 2026-07-13. Two independent public scanners, listed once each.
| Scanner | Result |
|---|---|
| Cloudflare Agent-Ready (isitagentready.com) | 100/100, Level 5 Agent-Native |
| startuphub.ai Agent Readiness | 100/100 (A+), first of publicly-scanned sites on the leaderboard |
Cloudflare Agent-Ready and isitagentready.com are the same scanner on two domains, so they count as one result.
These six category scores come from the startuphub.ai scan. The Cloudflare Agent-Ready scan uses a different model (no Quality category, Commerce optional), so this breakdown is StartupHub's.
| Category | Score |
|---|---|
| Discoverability | 100/100 |
| Content | 100/100 |
| Access Control | 100/100 |
| Capabilities | 100/100 |
| Commerce | 100/100 |
| Quality | 100/100 |
Agent-readiness is one axis; the domain's own web security is another. turva.dev publishes its own scan results so a buyer can see the same house is in order, not just claimed. Measured on turva.dev on 2026-07-13.
| Scanner | Result |
|---|---|
| Hardenize | All 13 categories passed |
| Internet.nl | 98/100 |
On Internet.nl, IPv6, DNSSEC and RPKI pass in full. The single deduction is one HTTPS sub-test, the hash function for key exchange. The result is documented, not hidden.
Every claim above is publicly auditable. Run the scanners yourself or open the company record.
A consolidated, self-contained reference to the surfaces agents read, with a short definition of each and a link to its full guide, is in docs/agent-readiness.md.
Plain-language explanations of the surfaces this Worker implements, and why each one matters to an AI agent. Published on turva.dev.
Notes on AI agents and the work of letting them read a site and act on a system safely. Published on turva.dev.
The Worker renders the whole site at the edge. Every page is built from a single source-of-truth object in the Worker: page content as markdown, plus a shared canonical <head> and JSON-LD. There is no separate CMS or origin to proxy. Agent routes (/.well-known/*, robots.txt, sitemap.xml, /x402) are served from the same Worker, and static assets such as images come from Workers Assets.
Because the site has no CMS or plugins, nothing can drift between what humans see and what agents and scanners see.
| Path | Purpose |
|---|---|
/ and all HTML routes | Rendered by the Worker from markdown |
/.well-known/ai.txt | AI agent disclosure |
/llms.txt | LLM consumption guide |
/llms-full.txt | The whole site as one text file |
/.well-known/agent.json | ai-plugin / agent manifest |
/.well-known/mcp/server-card.json | MCP server card |
/.well-known/agent-card.json | A2A agent card |
/.well-known/ai-catalog.json | Agentic Resource Discovery catalog |
/.well-known/agent-skills/index.json | Agent skills index |
/openapi.json | OpenAPI description |
/.well-known/api-catalog | API catalog linkset (RFC 9727) |
/.well-known/ap2 | Agent Payments Protocol pointer |
/.well-known/acp | Agent Commerce Protocol manifest |
/.well-known/x402 | x402 payment manifest |
/.well-known/x402-mesh.json | x402 mesh manifest |
/.well-known/ucp | Universal Commerce Profile |
/.well-known/mpp | MPP discovery manifest |
/.well-known/oauth-authorization-server | OAuth / auth discovery |
/.well-known/oauth-protected-resource | OAuth protected resource metadata |
/auth.md | Agent registration metadata (public key at /.well-known/mcp-registry-auth) |
/agent/auth/register, /agent/auth/claim, /agent/auth/revoke | Agent identity registration, out-of-band flow |
/oauth/authorize, /oauth/token | OAuth endpoints (spec-valid closed errors, see /auth.md) |
Requires a Cloudflare account and the wrangler CLI. No runtime secret is needed; the Worker renders the whole site itself.
cd turva-worker/turva-worker
npm install
npx wrangler deploy
Route the Worker to your domain under Workers & Pages, your-worker, Settings, Domains & Routes.
MIT licensed. Fork it, replace the source-of-truth object with your own data, then deploy.
If you want an audit of your domain against the same scanner set and a tailored configuration, see turva.dev or Erik Rekola on LinkedIn.
Responsible disclosure: see SECURITY.md. Contact: info@turva.dev
The Worker source is MIT. The live turva.dev Agent AP
/api and /api/v1 | API index JSON |
/api/agent/audit, /api/agent/advisory, /api/agent/implementation | x402 payable service routes (HTTP 402, quote-on-request) |
/api/acp/checkout_sessions | ACP checkout sessions (stateless, buyer review before payment) |
/.well-known/agent-skills/<name>/skill.md | Individual agent skill files |
/.well-known/signatures.json | Ed25519 signatures for the signed manifests |
/.well-known/jwks.json | Public keys for verifying the signatures |
/.well-known/security.txt | Security contact (RFC 9116) |
/x402 | HTTP 402 payment-required endpoint |
/robots.txt | Crawler directives |
/sitemap.xml | URL index |
/blog/feed.xml | Blog RSS feed |
/<indexnow-key>.txt | IndexNow key file; a weekly cron resubmits the canonical URLs |
| Aliases | /ai.txt, /security.txt, /.well-known/mcp.json, /.well-known/openid-configuration, /.well-known/openapi.json, favicons, and fediverse redirects (host-meta, webfinger, nodeinfo) |
/llms-txt-validator | llms.txt structure checker (HTML form, JSON for agents) |
/badge and /badge.svg | Agent-ready badge criteria and embeddable SVG |