# anc.dev — Agent-Readiness Audit

Website: [https://anc.dev/](https://anc.dev/)

**Score:** 76% (relative to the checks that apply to this site)
**Global:** 65% of a maximally agent-ready site

## Discoverability (4/5)

### PASS — /robots.txt present

- Goal: Publish robots.txt and state your crawl policy explicitly.
- Result: Verified (https://anc.dev/robots.txt -> 200)
- Resources: [RFC 9309](https://www.rfc-editor.org/rfc/rfc9309), [Fix skill](https://anc.dev/web-audit/skill/robots)

### PASS — /sitemap.xml present

- Goal: Publish sitemap.xml so agents can enumerate your content URLs.
- Result: Verified (https://anc.dev/sitemap.xml -> 200)
- Resources: [sitemaps.org](https://www.sitemaps.org/protocol.html), [Fix skill](https://anc.dev/web-audit/skill/sitemap)

### MISSING — Homepage sends RFC 8288 Link headers pointing at agent resources

- Goal: Advertise machine surfaces in a Link response header on / for header-only discovery.
- Result: Not found (https://anc.dev/ -> 200 (header link no match /rel="?(service-desc|describedby|api-catalog|service-doc)"?/))
- Fix: Send a `Link` response header on `/` (RFC 8288) whose `rel` points at your machine surfaces, so an agent reading only response headers finds them without parsing HTML or probing `/.well-known`. Use the RFC 8631 service trio and the RFC 9727 catalog: `rel="service-desc"` at a machine-readable description (OpenAPI, or an MCP server card), `rel="service-doc"` at the human-readable doc, `rel="service-meta"` at the service-context declaration, and `rel="api-catalog"` at your `/.well-known/api-catalog` index. Example: `Link: </.well-known/api-catalog>; rel="api-catalog", </.well-known/mcp/server-card.json>; rel="service-desc"`.
- Resources: [RFC 8288 (Link)](https://www.rfc-editor.org/rfc/rfc8288), [RFC 8631 (service links)](https://www.rfc-editor.org/rfc/rfc8631), [RFC 9727 (api-catalog)](https://www.rfc-editor.org/rfc/rfc9727), [Fix skill](https://anc.dev/web-audit/skill/link-headers)

```text
Goal: Advertise machine surfaces in a Link response header on / for header-only discovery
Issue: https://anc.dev/ -> 200 (header link no match /rel="?(service-desc|describedby|api-catalog|service-doc)"?/)
Fix: Send a `Link` response header on `/` (RFC 8288) whose `rel` points at your machine surfaces, so an agent reading only response headers finds them without parsing HTML or probing `/.well-known`. Use the RFC 8631 service trio and the RFC 9727 catalog: `rel="service-desc"` at a machine-readable description (OpenAPI, or an MCP server card), `rel="service-doc"` at the human-readable doc, `rel="service-meta"` at the service-context declaration, and `rel="api-catalog"` at your `/.well-known/api-catalog` index. Example: `Link: </.well-known/api-catalog>; rel="api-catalog", </.well-known/mcp/server-card.json>; rel="service-desc"`.
Skill: https://anc.dev/web-audit/skill/link-headers
Docs: https://www.rfc-editor.org/rfc/rfc8288, https://www.rfc-editor.org/rfc/rfc8631, https://www.rfc-editor.org/rfc/rfc9727
```

### PASS — Root HTML links to machine surfaces via <link rel>

- Goal: Point link rel elements at your machine surfaces from the root HTML head.
- Result: Verified (https://anc.dev/ -> 200)
- Resources: [RFC 8631 (service-desc/doc)](https://www.rfc-editor.org/rfc/rfc8631), [Fix skill](https://anc.dev/web-audit/skill/root-link-rel)

### PASS — DNS for AI Discovery (DNS-AID) records under _agents (IETF draft)

- Goal: Publish DNSSEC-signed SVCB records under _agents for DNS-level agent discovery.
- Result: Verified (_index._agents.anc.dev: 1 record(s) via https://cloudflare-dns.com/dns-query)
- Resources: [DNS-AID draft](https://datatracker.ietf.org/doc/draft-mozleywilliams-dnsop-dnsaid/), [Fix skill](https://anc.dev/web-audit/skill/dns-aid)

## Content for agents (6/7)

### PASS — /llms.txt present with a summary and link index

- Goal: Serve /llms.txt with a title, summary, and categorized link index.
- Result: Verified (https://anc.dev/llms.txt -> 200)
- Resources: [llmstxt.org](https://llmstxt.org/), [Fix skill](https://anc.dev/web-audit/skill/llms-txt)

### PASS — /llms-full.txt present (single-fetch full corpus)

- Goal: Serve the whole docs corpus as markdown at /llms-full.txt for one-fetch ingestion.
- Result: Verified (https://anc.dev/llms-full.txt -> 200)
- Resources: [llmstxt.org](https://llmstxt.org/), [Fix skill](https://anc.dev/web-audit/skill/llms-full-txt)

### N/A — Per-section llms.txt files resolve under content subdirectories

- Goal: Serve a scoped llms.txt inside each major content section.
- Result: Not implemented, optional (https://anc.dev/.well-known/llms.txt -> 404)
- Resources: [llmstxt.org](https://llmstxt.org/), [Fix skill](https://anc.dev/web-audit/skill/llms-txt-scoped)

### N/A — Per-section llms-full.txt files resolve under content subdirectories

- Goal: Serve a scoped llms-full.txt corpus inside each major content section.
- Result: Not implemented, optional (https://anc.dev/.well-known/llms-full.txt -> 404)
- Resources: [llmstxt.org](https://llmstxt.org/), [Fix skill](https://anc.dev/web-audit/skill/llms-full-txt-scoped)

### PASS — Root HTML has a descriptive <meta name="description">

- Goal: Add a meta description naming what the service does and its agent entry points.
- Result: Verified (https://anc.dev/ -> 200)
- Resources: [MDN meta description](https://developer.mozilla.org/en-US/docs/Web/HTML/Reference/Elements/meta/name), [Fix skill](https://anc.dev/web-audit/skill/root-meta-description)

### PASS — Root HTML embeds Schema.org JSON-LD

- Goal: Embed Schema.org JSON-LD so agents get typed facts without inference.
- Result: Verified (https://anc.dev/ -> 200)
- Resources: [Schema.org](https://schema.org/docs/gs.html), [Fix skill](https://anc.dev/web-audit/skill/schema-org-jsonld)

### PASS — Root HTML uses semantic landmarks

- Goal: Use semantic landmarks so the HTML path is parseable structure, not div soup.
- Result: Verified (https://anc.dev/ -> 200)
- Resources: [MDN content sectioning](https://developer.mozilla.org/en-US/docs/Web/HTML/Reference/Elements#content_sectioning), [Fix skill](https://anc.dev/web-audit/skill/semantic-html)

### MISSING — Root HTML has a <noscript> with machine entry points

- Goal: Give non-JS agents a noscript block listing your machine entry points.
- Result: Not found (https://anc.dev/ -> 200 (body no match /<noscript/))
- Fix: Add a `<noscript>` block to your root HTML that links your machine entry points: `llms.txt`, your OpenAPI or MCP endpoint, and any `.well-known` cards. It hands a fetch-only crawler or a non-JS agent a concrete, in-body list of where the structured surfaces live, so it never has to run the client bundle or infer them from the visible page.
- Resources: [MDN noscript](https://developer.mozilla.org/en-US/docs/Web/HTML/Reference/Elements/noscript), [Fix skill](https://anc.dev/web-audit/skill/noscript-fallback)

```text
Goal: Give non-JS agents a noscript block listing your machine entry points
Issue: https://anc.dev/ -> 200 (body no match /<noscript/)
Fix: Add a `<noscript>` block to your root HTML that links your machine entry points: `llms.txt`, your OpenAPI or MCP endpoint, and any `.well-known` cards. It hands a fetch-only crawler or a non-JS agent a concrete, in-body list of where the structured surfaces live, so it never has to run the client bundle or infer them from the visible page.
Skill: https://anc.dev/web-audit/skill/noscript-fallback
Docs: https://developer.mozilla.org/en-US/docs/Web/HTML/Reference/Elements/noscript
```

### PASS — Accept text/markdown content negotiation returns markdown

- Goal: Honor Accept text/markdown on content URLs with raw markdown, not HTML chrome.
- Result: Verified (https://anc.dev/ -> 200)
- Resources: [RFC 7763 (text/markdown)](https://www.rfc-editor.org/rfc/rfc7763), [Fix skill](https://anc.dev/web-audit/skill/accept-markdown)

## Bot & crawl policy (3/3)

### PASS — robots.txt declares AI-crawler rules (RFC 9309)

- Goal: State your AI-crawler policy in robots.txt with explicit User-agent rules.
- Result: Verified (https://anc.dev/robots.txt -> 200)
- Resources: [RFC 9309](https://www.rfc-editor.org/rfc/rfc9309), [Fix skill](https://anc.dev/web-audit/skill/robots-ai-rules)

### PASS — robots.txt declares Content-Signal AI-usage preferences

- Goal: Declare Content-Signal AI-usage preferences in robots.txt.
- Result: Verified (https://anc.dev/robots.txt -> 200)
- Resources: [contentsignals.org](https://contentsignals.org/), [Fix skill](https://anc.dev/web-audit/skill/content-signals)

### N/A — Web Bot Auth signature directory present (informational)

- Goal: Publish an HTTP Message Signatures directory if your site sends signed bot traffic.
- Result: Not implemented, optional (https://anc.dev/.well-known/http-message-signatures-directory -> 404 (status 404 not in [200]))
- Resources: [Web Bot Auth draft](https://datatracker.ietf.org/doc/draft-meunier-web-bot-auth-architecture/), [Fix skill](https://anc.dev/web-audit/skill/web-bot-auth)

### PASS — /.well-known/security.txt present (RFC 9116)

- Goal: Publish security.txt with a Contact and Expires field.
- Result: Verified (https://anc.dev/.well-known/security.txt -> 200)
- Resources: [RFC 9116](https://www.rfc-editor.org/rfc/rfc9116), [Fix skill](https://anc.dev/web-audit/skill/security-txt)

## MCP & API (8/12)

### PASS — initialize handshake returns serverInfo + protocolVersion

- Goal: Answer JSON-RPC initialize with serverInfo and protocolVersion so clients can begin a session.
- Result: Verified (serverInfo anc, protocol 2025-06-18)
- Resources: [MCP lifecycle](https://modelcontextprotocol.io/specification/2025-06-18/basic/lifecycle), [Fix skill](https://anc.dev/web-audit/skill/mcp-initialize)

### MISSING — An OpenAPI description is published

- Goal: Publish an OpenAPI description so non-MCP agents can call your HTTP API.
- Result: Not found (https://anc.dev/openapi.json -> 404 (status 404 not in [200]))
- Fix: If your service exposes an HTTP/REST API (separate from any MCP endpoint), publish an OpenAPI 3.1 description of it at `/openapi.json` (or `/openapi.yaml`, or `/.well-known/openapi.json`). Non-MCP agents use it to discover endpoints, parameters, and response shapes, and to generate typed clients. A service whose only machine surface is MCP has no REST API to describe here.
- Resources: [OpenAPI 3.1](https://spec.openapis.org/oas/latest.html), [Fix skill](https://anc.dev/web-audit/skill/openapi)

```text
Goal: Publish an OpenAPI description so non-MCP agents can call your HTTP API
Issue: https://anc.dev/openapi.json -> 404 (status 404 not in [200])
Fix: If your service exposes an HTTP/REST API (separate from any MCP endpoint), publish an OpenAPI 3.1 description of it at `/openapi.json` (or `/openapi.yaml`, or `/.well-known/openapi.json`). Non-MCP agents use it to discover endpoints, parameters, and response shapes, and to generate typed clients. A service whose only machine surface is MCP has no REST API to describe here.
Skill: https://anc.dev/web-audit/skill/openapi
Docs: https://spec.openapis.org/oas/latest.html
```

### N/A — Referenced JSON Schemas resolve as application/schema+json

- Goal: Serve the JSON Schemas your API references so agents can validate payloads pre-flight.
- Result: Not applicable (no JSON Schema references detected)
- Resources: [JSON Schema](https://json-schema.org/specification), [Fix skill](https://anc.dev/web-audit/skill/json-schemas)

### MISSING — CORS preflight (OPTIONS) succeeds with Access-Control-Allow-* headers

- Goal: Answer OPTIONS preflights on the MCP endpoint with Access-Control-Allow-* headers.
- Result: Not found (405 allow-origin absent)
- Fix: Answer the `OPTIONS` preflight on your MCP endpoint with `204` (or `200`) and the `Access-Control-Allow-Origin`, `Access-Control-Allow-Methods`, and `Access-Control-Allow-Headers` response headers, so a browser-origin agent can call the endpoint. If your MCP surface is deliberately server-to-agent only (no browser clients), this SHOULD is a considered choice, not a defect.
- Resources: [MDN CORS preflight](https://developer.mozilla.org/en-US/docs/Glossary/Preflight_request), [Fix skill](https://anc.dev/web-audit/skill/mcp-cors-preflight)

```text
Goal: Answer OPTIONS preflights on the MCP endpoint with Access-Control-Allow-* headers
Issue: 405 allow-origin absent
Fix: Answer the `OPTIONS` preflight on your MCP endpoint with `204` (or `200`) and the `Access-Control-Allow-Origin`, `Access-Control-Allow-Methods`, and `Access-Control-Allow-Headers` response headers, so a browser-origin agent can call the endpoint. If your MCP surface is deliberately server-to-agent only (no browser clients), this SHOULD is a considered choice, not a defect.
Skill: https://anc.dev/web-audit/skill/mcp-cors-preflight
Docs: https://developer.mozilla.org/en-US/docs/Glossary/Preflight_request
```

### PASS — unknown JSON-RPC method returns -32601

- Goal: Reject unknown JSON-RPC methods with error -32601 instead of a hang or 500.
- Result: Verified (error code -32601)
- Resources: [JSON-RPC 2.0](https://www.jsonrpc.org/specification#error_object), [Fix skill](https://anc.dev/web-audit/skill/mcp-unknown-method)

### MISSING — POST response carries Access-Control-Allow-Origin

- Goal: Echo Access-Control-Allow-Origin on the actual MCP POST response.
- Result: Not found (allow-origin absent)
- Fix: Echo `Access-Control-Allow-Origin` on the actual `POST` response, not only on the preflight. A browser blocks the response body when the header is absent even if the preflight passed. Omit it deliberately only if browser-origin agents are not a supported client.
- Resources: [MDN CORS](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CORS), [Fix skill](https://anc.dev/web-audit/skill/mcp-cors-actual)

```text
Goal: Echo Access-Control-Allow-Origin on the actual MCP POST response
Issue: allow-origin absent
Fix: Echo `Access-Control-Allow-Origin` on the actual `POST` response, not only on the preflight. A browser blocks the response body when the header is absent even if the preflight passed. Omit it deliberately only if browser-origin agents are not a supported client.
Skill: https://anc.dev/web-audit/skill/mcp-cors-actual
Docs: https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CORS
```

### PASS — tools/list returns a tools array with input schemas

- Goal: Return tools/list entries with name, description, and a JSON inputSchema.
- Result: Verified (13 tools, 13 with input schema)
- Resources: [MCP tools](https://modelcontextprotocol.io/specification/2025-06-18/server/tools), [Fix skill](https://anc.dev/web-audit/skill/mcp-tools-list)

### PASS — Root HTML exposes WebMCP browser tools

- Goal: Expose page tools to browser agents via WebMCP.
- Result: Verified (https://anc.dev/ -> 200)
- Resources: [WebMCP spec](https://webmachinelearning.github.io/webmcp/), [Fix skill](https://anc.dev/web-audit/skill/webmcp)

### PASS — initialize advertises capabilities (tools / resources / prompts)

- Goal: Advertise the capability groups your MCP server implements in the initialize result.
- Result: Verified (serverInfo anc, protocol 2025-06-18)
- Resources: [MCP lifecycle](https://modelcontextprotocol.io/specification/2025-06-18/basic/lifecycle), [Fix skill](https://anc.dev/web-audit/skill/mcp-capabilities)

### BROKEN — GET on the MCP endpoint fast-fails (not a held-open hang)

- Goal: Answer GET on the MCP endpoint fast (a fast-fail status or a documented surface), never a held-open hang.
- Result: Present but broken (https://anc.dev/mcp -> 200 (status 200 not in [405, 400, 404, 406]))
- Fix: Answer a `GET` on the MCP endpoint promptly; this check fails only when the connection is held open. A streamable-HTTP `GET` routed into the transport opens the server-to-client SSE notification stream, and a stateless server (nothing to push) parks that connection until the caller times out. Answer one of two ways instead: fast-fail non-`POST` at the router with `405 Method Not Allowed` and an `Allow: POST` header; or serve a documented surface on `GET` (a human- and agent-readable docs page, or a redirect to your `.well-known` MCP server card) so the `GET` returns content rather than a rejection. Any prompt, completed response passes (a fast-fail status, or a documented `2xx`/redirect); only a held-open hang or a `5xx` fails.
- Resources: [MCP transports](https://modelcontextprotocol.io/specification/2025-06-18/basic/transports), [Fix skill](https://anc.dev/web-audit/skill/mcp-get-fast-fail)

```text
Goal: Answer GET on the MCP endpoint fast (a fast-fail status or a documented surface), never a held-open hang
Issue: https://anc.dev/mcp -> 200 (status 200 not in [405, 400, 404, 406])
Fix: Answer a `GET` on the MCP endpoint promptly; this check fails only when the connection is held open. A streamable-HTTP `GET` routed into the transport opens the server-to-client SSE notification stream, and a stateless server (nothing to push) parks that connection until the caller times out. Answer one of two ways instead: fast-fail non-`POST` at the router with `405 Method Not Allowed` and an `Allow: POST` header; or serve a documented surface on `GET` (a human- and agent-readable docs page, or a redirect to your `.well-known` MCP server card) so the `GET` returns content rather than a rejection. Any prompt, completed response passes (a fast-fail status, or a documented `2xx`/redirect); only a held-open hang or a `5xx` fails.
Skill: https://anc.dev/web-audit/skill/mcp-get-fast-fail
Docs: https://modelcontextprotocol.io/specification/2025-06-18/basic/transports
```

### PASS — A .well-known MCP server card is published (SEP-1649)

- Goal: Publish an MCP server card at the canonical SEP-1649 path and 301 the legacy aliases to it.
- Result: Verified (https://anc.dev/.well-known/mcp/server-card.json -> 200)
- Resources: [SEP-1649](https://github.com/modelcontextprotocol/modelcontextprotocol/pull/2127), [Fix skill](https://anc.dev/web-audit/skill/well-known-mcp-card)

### PASS — /.well-known/api-catalog published (RFC 9727)

- Goal: Serve an RFC 9727 api-catalog linkset indexing your API descriptions.
- Result: Verified (https://anc.dev/.well-known/api-catalog -> 200)
- Resources: [RFC 9727](https://www.rfc-editor.org/rfc/rfc9727), [Fix skill](https://anc.dev/web-audit/skill/api-catalog)

### PASS — A human/agent usage doc for the server resolves

- Goal: Publish a one-fetch markdown usage doc for your MCP server.
- Result: Verified (https://anc.dev/mcp-skill.md -> 200)
- Resources: [anc.dev example](https://anc.dev/mcp-skill.md), [Fix skill](https://anc.dev/web-audit/skill/mcp-usage-doc)

## Agent discovery & auth (4/4)

### PASS — OAuth/OIDC discovery metadata published

- Goal: Publish OAuth/OIDC discovery metadata if agents authenticate to your service.
- Result: Verified (https://anc.dev/.well-known/oauth-authorization-server -> 200)
- Resources: [RFC 8414](https://www.rfc-editor.org/rfc/rfc8414), [Fix skill](https://anc.dev/web-audit/skill/oauth-discovery)

### N/A — A2A Agent Card published for agent-to-agent discovery

- Goal: Publish an A2A Agent Card for agent-to-agent discovery.
- Result: Not implemented, optional (https://anc.dev/.well-known/agent-card.json -> 404 (status 404 not in [200]))
- Resources: [A2A protocol](https://a2a-protocol.org/latest/specification/), [Fix skill](https://anc.dev/web-audit/skill/a2a-agent-card)

### PASS — OAuth Protected Resource Metadata published (RFC 9728)

- Goal: Publish RFC 9728 protected-resource metadata for your authenticated MCP server.
- Result: Verified (https://anc.dev/.well-known/oauth-protected-resource -> 200)
- Resources: [RFC 9728](https://www.rfc-editor.org/rfc/rfc9728), [Fix skill](https://anc.dev/web-audit/skill/oauth-protected-resource)

### PASS — Agent-skills discovery index published

- Goal: Publish an agent-skills discovery index so agents can enumerate your skills.
- Result: Verified (https://anc.dev/.well-known/agent-skills/index.json -> 200)
- Resources: [Agent Skills Discovery](https://github.com/cloudflare/agent-skills-discovery), [Fix skill](https://anc.dev/web-audit/skill/agent-skills)

### PASS — Agent auth/registration metadata doc published

- Goal: Publish an auth.md telling agents how to obtain credentials.
- Result: Verified (https://anc.dev/auth.md -> 200)
- Resources: [anc.dev example](https://anc.dev/auth.md), [Fix skill](https://anc.dev/web-audit/skill/auth-md)

## Re-run this audit

Re-run from [anc.dev/web-audit](https://anc.dev/web-audit), or call the `audit_website` MCP tool.
