npm - @kirkelabs/agent-readiness-scan - Versions diffs - 0.1.0 → 0.2.0 - Mend

@kirkelabs/agent-readiness-scan 0.1.0 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/CHANGELOG.md +50 -0
package/CITATION.cff +30 -30
package/README.md +144 -142
package/bin/cli.js +175 -172
package/package.json +69 -64
package/src/checks/04-mcp-exposure.js +165 -104
package/src/checks/05-agentic-commerce.js +152 -85
package/src/generators.js +228 -174
package/src/index.js +127 -126

package/CHANGELOG.md ADDED Viewed

@@ -0,0 +1,50 @@
+# Changelog
+All notable changes to this project are documented here. The format is
+based on [Keep a Changelog](https://keepachangelog.com/), and this project
+adheres to [Semantic Versioning](https://semver.org/).
+## [0.2.0] — 2026-06-17
+### Added
+- **Open Agent Access (OAA) + x402 recognition** — the scanner now credits
+  the OAA stack as a standards-neutral, additive option in two dimensions:
+  - _Agentic-commerce manifests (check 05):_ a policy at
+    `/.well-known/agent-access.json` advertising an x402 `charge` rule is
+    recognized as a third valid declaration alongside ACP and UCP. The
+    0/5/7 ladder now counts distinct valid declarations among {ACP, UCP,
+    OAA-x402}.
+  - _MCP exposure (check 04):_ a server-card `authorization.model:
+"open-agent-access"` (or `authorization.policy` URL) is credited as a
+    scoped-auth posture equivalent to OAuth-protected-resource (+2), with a
+    further +1 when the referenced policy enforces per-call gating
+    (`requireAgentIdentity` + a deny/charge rule). The dimension remains
+    capped at 7.
+- New `/.well-known/agent-access.json` scaffold in the generated customs
+  declaration, plus an `authorization` block in the generated MCP server
+  card pointing at it.
+- Fetch wiring for `/.well-known/agent-access.json`.
+- Tests covering OAA-x402 commerce scoring, OAA-guard MCP scoring, and
+  regression tests asserting ACP/UCP/OAuth-only sites score identically to
+  before.
+- npm publish configuration: `publishConfig.access: public`, a
+  `prepublishOnly` lint+test guard, and a release-triggered GitHub Actions
+  publish workflow.
+### Changed
+- Documentation (`README.md`, `docs/METHODOLOGY.md`) updated to describe the
+  OAA signals, the exact evidence each requires, and the scoring ladders,
+  with a plain disclosure that OAA is implemented by Kirke Labs (the tool's
+  author) and is held to the same evidentiary bar as the other standards.
+### Unchanged (by design)
+- No dimension weights changed. A site declaring only ACP/UCP (commerce) or
+  OAuth/PKCE (MCP auth) scores exactly as it did in 0.1.0.
+## [0.1.0] — 2026-06-01
+- Initial release: 8-dimension agent-readiness scorer + customs-declaration
+  generator.

package/CITATION.cff CHANGED Viewed

@@ -1,30 +1,30 @@
-cff-version: 1.2.0
-message: "If you use this software, please cite it as below."
-title: "agent-readiness-scan"
-abstract: "Open-source customs-house auditor for AI agents: scores 8 weighted dimensions covering crawler policy, agent-action surfaces (MCP/ACP), Product/Offer completeness, and brand identity corroboration. Generates a drop-in customs declaration (robots.txt + .well-known/ manifests)."
-type: software
-license: MIT
-repository-code: "https://github.com/KirkeLabs/agent-readiness-scan"
-url: "https://kirkelabs.github.io/agent-readiness-scan/"
-version: 0.1.0
-date-released: 2026-06-01
-authors:
-  - given-names: Soleman
-    family-names: El Gelawi
-    email: soleman@kirkelabs.com
-    affiliation: "Kirke Labs"
-    # sameAs: https://www.linkedin.com/in/soleman-gelawi/ , https://github.com/sgelawi
-  - given-names: Steve
-    family-names: Kirton
-    email: steve@kirkelabs.com
-    affiliation: "Kirke Labs"
-    # sameAs: https://www.linkedin.com/in/stevekirton-kirkelabs/
-keywords:
-  - ai-agents
-  - mcp
-  - acp
-  - agentic-commerce
-  - crawler-policy
-  - web-bot-auth
-  - schema-org
-  - algorand
+cff-version: 1.2.0
+message: 'If you use this software, please cite it as below.'
+title: 'agent-readiness-scan'
+abstract: 'Open-source customs-house auditor for AI agents: scores 8 weighted dimensions covering crawler policy, agent-action surfaces (MCP/ACP), Product/Offer completeness, and brand identity corroboration. Generates a drop-in customs declaration (robots.txt + .well-known/ manifests).'
+type: software
+license: MIT
+repository-code: 'https://github.com/KirkeLabs/agent-readiness-scan'
+url: 'https://kirkelabs.github.io/agent-readiness-scan/'
+version: 0.2.0
+date-released: 2026-06-17
+authors:
+  - given-names: Soleman
+    family-names: El Gelawi
+    email: soleman@kirkelabs.com
+    affiliation: 'Kirke Labs'
+    # sameAs: https://www.linkedin.com/in/soleman-gelawi/ , https://github.com/sgelawi
+  - given-names: Steve
+    family-names: Kirton
+    email: steve@kirkelabs.com
+    affiliation: 'Kirke Labs'
+    # sameAs: https://www.linkedin.com/in/stevekirton-kirkelabs/
+keywords:
+  - ai-agents
+  - mcp
+  - acp
+  - agentic-commerce
+  - crawler-policy
+  - web-bot-auth
+  - schema-org
+  - algorand

package/README.md CHANGED Viewed

@@ -1,142 +1,144 @@
-# agent-readiness-scan
-[![npm version](https://img.shields.io/npm/v/@kirkelabs/agent-readiness-scan?color=00dc94&style=flat)](https://www.npmjs.com/package/@kirkelabs/agent-readiness-scan)
-[![License: MIT](https://img.shields.io/badge/license-MIT-00dc94?style=flat)](./LICENSE)
-[![Node](https://img.shields.io/badge/node-%3E%3D20-00dc94?style=flat)](https://nodejs.org)
-[![CI](https://img.shields.io/badge/CI-passing-00dc94?style=flat)](./.github/workflows/ci.yml)
-**Is your brand ready for AI agents to act on it?** Audit your customs-house posture — crawler policy, MCP/ACP exposure, agent-actionable Product/Offer, brand identity corroboration — and get the drop-in files to fix it.
-```bash
-npx @kirkelabs/agent-readiness-scan https://your-site.com
-```
-No install. No account. No data leaves your machine.
-> Built by Soleman El Gelawi (CTO, [Kirke Labs](https://www.kirkelabs.com)), with Steve Kirton — open-sourced as a gift to the Algorand ecosystem. MIT licensed. Use it, fork it, ship it.
----
-## What is this?
-The open web is becoming a customs house. AI search, agentic commerce (ACP, Universal Cart), bot authentication (Web Bot Auth), crawler policy (Cloudflare Content Signals), and the EU DSA / DMA all push in the same direction: every web property now needs a *declared access posture*, not just a content strategy.
-`agent-readiness-scan` audits that posture. It fetches a URL plus seven `.well-known/*` paths plus `robots.txt`, and scores 8 dimensions covering:
-- **Crawler policy** — does your `robots.txt` name the major AI bots individually, with declared use-policy signals?
-- **Bot authentication** — is a Web Bot Auth key directory present?
-- **Agent action surfaces** — MCP server card, Agentic Commerce Protocol manifest, Google Universal Cart manifest?
-- **Commerce structured data** — are your Product/Offer JSON-LD blocks complete enough for agent-driven checkout?
-- **Identity corroboration** — does the `sameAs` graph reach registry-grade sources (Wikidata, Crunchbase, Companies House, SEC EDGAR, GLEIF)?
-- **Source operations & regulatory transparency** — dateModified, security.txt, T&Cs, contact, privacy.
-Then it generates the files you need to fix the gaps — a drop-in `robots.txt`, `.well-known/security.txt`, MCP server card, and ACP manifest scaffolds.
-Companion to [`@kirkelabs/ai-legibility-scan`](https://github.com/KirkeLabs/ai-legibility-scan): that one scores how *legible* your site is to an AI crawler. This one scores how *agent-ready* it is once the crawler can read it.
-## Why?
-The strategic paper this tool is built on — [*The Web Becomes a Customs House*](https://www.kirkelabs.com/papers/customs-house) — argues that the new web bargain is declared-access-for-action. A page may be cited without being visited; a product may be transacted without a click. Existing "AI visibility" tools tell you you're invisible. This one is a free CLI that audits your *customs-house posture* and hands you the drop-in declarations to fix it.
-## Install
-Nothing to install — use `npx`:
-```bash
-npx @kirkelabs/agent-readiness-scan https://your-site.com
-```
-Or add it to a project:
-```bash
-npm i -D @kirkelabs/agent-readiness-scan
-```
-Requires Node.js ≥ 20.
-## Quickstart
-```bash
-# default scan
-npx @kirkelabs/agent-readiness-scan https://your-site.com
-# write artefacts to ./report
-npx @kirkelabs/agent-readiness-scan https://your-site.com --out ./report
-# machine-readable output for scripting
-npx @kirkelabs/agent-readiness-scan https://your-site.com --json
-```
-Files land in the output directory (default `./agent-readiness-out/`):
-| File / Directory | What it is |
-|---|---|
-| `score.json` | Machine-readable result — gate your CI on it |
-| `report.md` | Human-readable findings |
-| `scorecard.html` | Self-contained shareable scorecard |
-| `customs-declaration/robots.txt` | Drop-in robots.txt with per-AI-bot rules + Cloudflare Content Signals |
-| `customs-declaration/.well-known/security.txt` | RFC 9116 scaffold |
-| `customs-declaration/.well-known/mcp/server-card.json` | MCP server card scaffold |
-| `customs-declaration/.well-known/acp/manifest.json` | Agentic Commerce Protocol manifest scaffold |
-## How it scores
-Eight weighted dimensions, normalised to 0–100 and graded A–F:
-| # | Dimension | Weight | What it checks |
-|---|---|---|---|
-| 1 | Per-bot crawler policy | 10 | robots.txt names individual AI bots (GPTBot, ClaudeBot, OAI-SearchBot, PerplexityBot, Google-Extended, anthropic-ai, Claude-Web, ChatGPT-User, Claude-User, CCBot, Bytespider, Amazonbot, Applebot-Extended, meta-externalagent) |
-| 2 | Declared use-policy signals | 7 | Cloudflare Content Signals (search / ai-input / ai-train), `noai` / `noimageai` meta, `X-Robots-Tag` |
-| 3 | Bot-Auth readiness | 5 | `/.well-known/http-message-signatures-directory` (Web Bot Auth, IETF draft) |
-| 4 | MCP exposure | 7 | `/.well-known/mcp/server-card.json` + `/.well-known/oauth-protected-resource` with PKCE/S256 (NSA May-2026 guidance) |
-| 5 | Agentic-commerce manifests | 7 | `/.well-known/acp/manifest.json` (OpenAI/Stripe) and/or `/.well-known/ucp` (Google Universal Cart) |
-| 6 | Agent-actionable Product/Offer | 7 | Product/Offer JSON-LD completeness (price, availability, priceValidUntil-future, shippingDetails, acceptedPaymentMethod, hasMerchantReturnPolicy, aggregateRating) |
-| 7 | Brand identity corroboration | 8 | sameAs to registry-grade sources (Wikidata, Crunchbase, OpenCorporates, Companies House, SEC EDGAR, GLEIF, plus LinkedIn/GitHub) |
-| 8 | Source provenance & regulatory | 5 | dateModified/datePublished, security.txt, T&Cs, contact, privacy policy |
-Full rubric, thresholds and rationale: **[docs/METHODOLOGY.md](./docs/METHODOLOGY.md)**.
-## Use in CI
-The CLI exits non-zero when the score drops below 50:
-```yaml
-# .github/workflows/agent-readiness.yml
-- run: npx @kirkelabs/agent-readiness-scan https://staging.your-site.com
-```
-## Programmatic use
-```js
-import { scan } from '@kirkelabs/agent-readiness-scan';
-const result = await scan('https://your-site.com');
-console.log(result.score, result.grade);
-```
-## Limitations (read this)
-This tool measures **heuristic indicators** of agent-readiness. A high score makes a site easier for an AI agent to discover, declare access to, and act on — it is **not a guarantee** of agent uptake, citation, or transaction. The weights are informed by 2026 standards work (MCP, ACP, UCP, Web Bot Auth, Content Signals) but are judgement calls, documented openly in [docs/METHODOLOGY.md](./docs/METHODOLOGY.md). See also [`SECURITY.md`](./SECURITY.md).
-Most of the dimensions check standards that are *emerging*, not universal. A v0.1.0 score below 50 is normal today; a score above 80 puts you among the earliest customs-house operators. The bar will rise.
-## Audit, recon, fix — three steps to lift your score
-Once the scanner has graded your site, two prompt templates let Claude Code in your source repo do the rest:
-1. **[docs/RECON_PROMPT.md](./docs/RECON_PROMPT.md)** — read-only reconnaissance prompt that greps the codebase and returns a structured report of your framework, existing manifests, identity URLs, and routes.
-2. **[docs/PROMPT_TEMPLATE.md](./docs/PROMPT_TEMPLATE.md)** — the fix prompt. Fill in the placeholders informed by the recon, paste into a new Claude Code session to ship the customs declaration.
-## Companion tool
-See also [`@kirkelabs/ai-legibility-scan`](https://github.com/KirkeLabs/ai-legibility-scan) — scores how legible your page is to AI *crawlers* (the layer below this one). Together they cover the audit-recon-fix loop for both halves of the customs-house thesis: legibility + declared access.
-## Contributing
-Issues and PRs welcome — especially scoring false positives, new checks tracking emerging standards, and additional identity-registry coverage. See [CONTRIBUTING.md](./CONTRIBUTING.md) and the [Code of Conduct](./CODE_OF_CONDUCT.md).
-## Licence
-[MIT](./LICENSE) © 2026 Kirke Labs — Soleman El Gelawi and Steve Kirton. A genuine gift to the community — attribution appreciated, not required.
-— [www.kirkelabs.com](https://www.kirkelabs.com)
+# agent-readiness-scan
+[![npm version](https://img.shields.io/npm/v/@kirkelabs/agent-readiness-scan?color=00dc94&style=flat)](https://www.npmjs.com/package/@kirkelabs/agent-readiness-scan)
+[![License: MIT](https://img.shields.io/badge/license-MIT-00dc94?style=flat)](./LICENSE)
+[![Node](https://img.shields.io/badge/node-%3E%3D20-00dc94?style=flat)](https://nodejs.org)
+[![CI](https://img.shields.io/badge/CI-passing-00dc94?style=flat)](./.github/workflows/ci.yml)
+**Is your brand ready for AI agents to act on it?** Audit your customs-house posture — crawler policy, MCP/ACP exposure, agent-actionable Product/Offer, brand identity corroboration — and get the drop-in files to fix it.
+```bash
+npx @kirkelabs/agent-readiness-scan https://your-site.com
+```
+No install. No account. No data leaves your machine.
+> Built by Soleman El Gelawi (CTO, [Kirke Labs](https://www.kirkelabs.com)), with Steve Kirton — open-sourced as a gift to the Algorand ecosystem. MIT licensed. Use it, fork it, ship it.
+---
+## What is this?
+The open web is becoming a customs house. AI search, agentic commerce (ACP, Universal Cart), bot authentication (Web Bot Auth), crawler policy (Cloudflare Content Signals), and the EU DSA / DMA all push in the same direction: every web property now needs a _declared access posture_, not just a content strategy.
+`agent-readiness-scan` audits that posture. It fetches a URL plus seven `.well-known/*` paths plus `robots.txt`, and scores 8 dimensions covering:
+- **Crawler policy** — does your `robots.txt` name the major AI bots individually, with declared use-policy signals?
+- **Bot authentication** — is a Web Bot Auth key directory present?
+- **Agent action surfaces** — MCP server card, Agentic Commerce Protocol manifest, Google Universal Cart manifest, Open Agent Access + x402 policy?
+- **Commerce structured data** — are your Product/Offer JSON-LD blocks complete enough for agent-driven checkout?
+- **Identity corroboration** — does the `sameAs` graph reach registry-grade sources (Wikidata, Crunchbase, Companies House, SEC EDGAR, GLEIF)?
+- **Source operations & regulatory transparency** — dateModified, security.txt, T&Cs, contact, privacy.
+Then it generates the files you need to fix the gaps — a drop-in `robots.txt`, `.well-known/security.txt`, MCP server card, and ACP manifest scaffolds.
+Companion to [`@kirkelabs/ai-legibility-scan`](https://github.com/KirkeLabs/ai-legibility-scan): that one scores how _legible_ your site is to an AI crawler. This one scores how _agent-ready_ it is once the crawler can read it.
+## Why?
+The strategic paper this tool is built on — [_The Web Becomes a Customs House_](https://www.kirkelabs.com/papers/customs-house) — argues that the new web bargain is declared-access-for-action. A page may be cited without being visited; a product may be transacted without a click. Existing "AI visibility" tools tell you you're invisible. This one is a free CLI that audits your _customs-house posture_ and hands you the drop-in declarations to fix it.
+## Install
+Nothing to install — use `npx`:
+```bash
+npx @kirkelabs/agent-readiness-scan https://your-site.com
+```
+Or add it to a project:
+```bash
+npm i -D @kirkelabs/agent-readiness-scan
+```
+Requires Node.js ≥ 20.
+## Quickstart
+```bash
+# default scan
+npx @kirkelabs/agent-readiness-scan https://your-site.com
+# write artefacts to ./report
+npx @kirkelabs/agent-readiness-scan https://your-site.com --out ./report
+# machine-readable output for scripting
+npx @kirkelabs/agent-readiness-scan https://your-site.com --json
+```
+Files land in the output directory (default `./agent-readiness-out/`):
+| File / Directory                                       | What it is                                                            |
+| ------------------------------------------------------ | --------------------------------------------------------------------- |
+| `score.json`                                           | Machine-readable result — gate your CI on it                          |
+| `report.md`                                            | Human-readable findings                                               |
+| `scorecard.html`                                       | Self-contained shareable scorecard                                    |
+| `customs-declaration/robots.txt`                       | Drop-in robots.txt with per-AI-bot rules + Cloudflare Content Signals |
+| `customs-declaration/.well-known/security.txt`         | RFC 9116 scaffold                                                     |
+| `customs-declaration/.well-known/mcp/server-card.json` | MCP server card scaffold                                              |
+| `customs-declaration/.well-known/acp/manifest.json`    | Agentic Commerce Protocol manifest scaffold                           |
+## How it scores
+Eight weighted dimensions, normalised to 0–100 and graded A–F:
+| #   | Dimension                      | Weight | What it checks                                                                                                                                                                                                                   |
+| --- | ------------------------------ | ------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| 1   | Per-bot crawler policy         | 10     | robots.txt names individual AI bots (GPTBot, ClaudeBot, OAI-SearchBot, PerplexityBot, Google-Extended, anthropic-ai, Claude-Web, ChatGPT-User, Claude-User, CCBot, Bytespider, Amazonbot, Applebot-Extended, meta-externalagent) |
+| 2   | Declared use-policy signals    | 7      | Cloudflare Content Signals (search / ai-input / ai-train), `noai` / `noimageai` meta, `X-Robots-Tag`                                                                                                                             |
+| 3   | Bot-Auth readiness             | 5      | `/.well-known/http-message-signatures-directory` (Web Bot Auth, IETF draft)                                                                                                                                                      |
+| 4   | MCP exposure                   | 7      | `/.well-known/mcp/server-card.json` + scoped auth via `/.well-known/oauth-protected-resource` with PKCE/S256 (NSA May-2026 guidance) **or** an Open Agent Access policy guard — accepted as equivalent postures                  |
+| 5   | Agentic-commerce manifests     | 7      | `/.well-known/acp/manifest.json` (OpenAI/Stripe), `/.well-known/ucp` (Google Universal Cart), and/or `/.well-known/agent-access.json` (Open Agent Access + x402 on Algorand) — accepted as standards-neutral alternatives        |
+| 6   | Agent-actionable Product/Offer | 7      | Product/Offer JSON-LD completeness (price, availability, priceValidUntil-future, shippingDetails, acceptedPaymentMethod, hasMerchantReturnPolicy, aggregateRating)                                                               |
+| 7   | Brand identity corroboration   | 8      | sameAs to registry-grade sources (Wikidata, Crunchbase, OpenCorporates, Companies House, SEC EDGAR, GLEIF, plus LinkedIn/GitHub)                                                                                                 |
+| 8   | Source provenance & regulatory | 5      | dateModified/datePublished, security.txt, T&Cs, contact, privacy policy                                                                                                                                                          |
+Full rubric, thresholds and rationale: **[docs/METHODOLOGY.md](./docs/METHODOLOGY.md)**.
+## Use in CI
+The CLI exits non-zero when the score drops below 50:
+```yaml
+# .github/workflows/agent-readiness.yml
+- run: npx @kirkelabs/agent-readiness-scan https://staging.your-site.com
+```
+## Programmatic use
+```js
+import { scan } from '@kirkelabs/agent-readiness-scan';
+const result = await scan('https://your-site.com');
+console.log(result.score, result.grade);
+```
+## Limitations (read this)
+This tool measures **heuristic indicators** of agent-readiness. A high score makes a site easier for an AI agent to discover, declare access to, and act on — it is **not a guarantee** of agent uptake, citation, or transaction. The weights are informed by 2026 standards work (MCP, ACP, UCP, Web Bot Auth, Content Signals) but are judgement calls, documented openly in [docs/METHODOLOGY.md](./docs/METHODOLOGY.md). See also [`SECURITY.md`](./SECURITY.md).
+Most of the dimensions check standards that are _emerging_, not universal. A score below 50 is normal today; a score above 80 puts you among the earliest customs-house operators. The bar will rise.
+**Disclosure:** Open Agent Access (OAA), one of the recognized signals in the MCP-exposure and agentic-commerce dimensions, is implemented by Kirke Labs — the author of this tool. OAA is scored as _one of several_ live standards (alongside ACP, UCP, and OAuth), never privileged: weights are unchanged and detection is held to the same evidence bar as the others. A site using only ACP/UCP/OAuth scores exactly as it did before OAA was recognized. See [docs/METHODOLOGY.md](./docs/METHODOLOGY.md#open-agent-access-oaa--x402--recognized-signals).
+## Audit, recon, fix — three steps to lift your score
+Once the scanner has graded your site, two prompt templates let Claude Code in your source repo do the rest:
+1. **[docs/RECON_PROMPT.md](./docs/RECON_PROMPT.md)** — read-only reconnaissance prompt that greps the codebase and returns a structured report of your framework, existing manifests, identity URLs, and routes.
+2. **[docs/PROMPT_TEMPLATE.md](./docs/PROMPT_TEMPLATE.md)** — the fix prompt. Fill in the placeholders informed by the recon, paste into a new Claude Code session to ship the customs declaration.
+## Companion tool
+See also [`@kirkelabs/ai-legibility-scan`](https://github.com/KirkeLabs/ai-legibility-scan) — scores how legible your page is to AI _crawlers_ (the layer below this one). Together they cover the audit-recon-fix loop for both halves of the customs-house thesis: legibility + declared access.
+## Contributing
+Issues and PRs welcome — especially scoring false positives, new checks tracking emerging standards, and additional identity-registry coverage. See [CONTRIBUTING.md](./CONTRIBUTING.md) and the [Code of Conduct](./CODE_OF_CONDUCT.md).
+## Licence
+[MIT](./LICENSE) © 2026 Kirke Labs — Soleman El Gelawi and Steve Kirton. A genuine gift to the community — attribution appreciated, not required.
+— [www.kirkelabs.com](https://www.kirkelabs.com)