ax-audit 2.4.0 → 3.0.0

package/dist/checks/tls-https.js

@@ -0,0 +1,164 @@
+import { guideUrl } from '../guide-urls.js';
+import { buildResult } from './utils.js';
+/**
+ * "tls-https" — verify the site is served over HTTPS, that bare HTTP redirects to HTTPS,
+ * and that HSTS is properly configured (with `preload` + `includeSubDomains` for full
+ * coverage). Many AI agents refuse to fetch plaintext HTTP and downgrade trust on
+ * misconfigured TLS.
+ *
+ * The check intentionally avoids verifying the certificate chain — Node's `fetch` already
+ * fails on invalid certificates, so a successful HTTPS fetch is itself a positive signal.
+ */
+export const meta = {
+    id: 'tls-https',
+    name: 'TLS / HTTPS',
+    description: 'Checks HTTPS, HTTP→HTTPS redirect, and HSTS configuration',
+    weight: 5,
+};
+const HSTS_MIN_MAX_AGE = 15_768_000;
+const HSTS_PRELOAD_MIN_MAX_AGE = 31_536_000;
+export default async function check(ctx) {
+    const start = performance.now();
+    const findings = [];
+    let score = 100;
+    let parsed;
+    try {
+        parsed = new URL(ctx.url);
+    }
+    catch {
+        findings.push({
+            status: 'fail',
+            message: `Invalid URL: ${ctx.url}`,
+            hint: 'Provide a fully qualified URL including scheme (https://...).',
+            learnMoreUrl: guideUrl(meta.id, 'invalid-url'),
+        });
+        return buildResult(meta, 0, findings, start);
+    }
+    if (parsed.protocol === 'https:') {
+        findings.push({ status: 'pass', message: 'Site is served over HTTPS' });
+    }
+    else {
+        findings.push({
+            status: 'fail',
+            message: `Site is served over ${parsed.protocol.replace(':', '').toUpperCase()} (not HTTPS)`,
+            hint: 'Serve the site over HTTPS. Most AI crawlers refuse plaintext HTTP and downgrade trust on insecure origins.',
+            learnMoreUrl: guideUrl(meta.id, 'no-https'),
+        });
+        score -= 50;
+    }
+    if (parsed.protocol === 'https:') {
+        const httpUrl = `http://${parsed.host}${parsed.pathname || ''}`;
+        const httpRes = await ctx.fetch(httpUrl);
+        const finalUrl = httpRes.url || '';
+        if (httpRes.ok && /^https:\/\//i.test(finalUrl)) {
+            findings.push({ status: 'pass', message: 'HTTP requests redirect to HTTPS' });
+        }
+        else if (!httpRes.ok && httpRes.status === 0) {
+            findings.push({
+                status: 'pass',
+                message: 'HTTP endpoint not reachable (HTTPS-only — acceptable)',
+            });
+        }
+        else if (httpRes.ok && /^http:\/\//i.test(finalUrl)) {
+            findings.push({
+                status: 'fail',
+                message: 'HTTP request did not redirect to HTTPS',
+                detail: `Final URL: ${finalUrl}`,
+                hint: 'Configure your server to 301-redirect every http:// request to https://. Otherwise agents may cache the insecure variant.',
+                learnMoreUrl: guideUrl(meta.id, 'no-redirect'),
+            });
+            score -= 15;
+        }
+        else {
+            findings.push({
+                status: 'warn',
+                message: 'Could not verify HTTP→HTTPS redirect',
+                detail: `HTTP ${httpRes.status} on ${httpUrl}`,
+                hint: 'Test manually: a request to http://your-site.com should respond with 301 → https://your-site.com.',
+                learnMoreUrl: guideUrl(meta.id, 'redirect-unknown'),
+            });
+            score -= 5;
+        }
+    }
+    const hsts = ctx.headers['strict-transport-security'];
+    if (!hsts) {
+        findings.push({
+            status: 'warn',
+            message: 'No Strict-Transport-Security header',
+            hint: 'Add: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload. This locks browsers and many agents to HTTPS for 1 year.',
+            learnMoreUrl: guideUrl(meta.id, 'no-hsts'),
+        });
+        score -= 15;
+    }
+    else {
+        const maxAge = parseHstsMaxAge(hsts);
+        const includesSubDomains = /includeSubDomains/i.test(hsts);
+        const preload = /preload/i.test(hsts);
+        if (maxAge === null) {
+            findings.push({
+                status: 'warn',
+                message: 'HSTS header has no max-age directive',
+                detail: hsts,
+                hint: 'Set a numeric max-age, e.g., max-age=31536000.',
+                learnMoreUrl: guideUrl(meta.id, 'hsts-no-maxage'),
+            });
+            score -= 10;
+        }
+        else if (maxAge < HSTS_MIN_MAX_AGE) {
+            findings.push({
+                status: 'warn',
+                message: `HSTS max-age is short (${maxAge}s = ~${Math.round(maxAge / 86400)} days)`,
+                hint: `Use at least max-age=${HSTS_MIN_MAX_AGE} (~6 months); preload list submission requires max-age=${HSTS_PRELOAD_MIN_MAX_AGE} (1 year).`,
+                learnMoreUrl: guideUrl(meta.id, 'hsts-short'),
+            });
+            score -= 5;
+        }
+        else {
+            findings.push({ status: 'pass', message: `HSTS max-age=${maxAge}` });
+        }
+        if (includesSubDomains) {
+            findings.push({ status: 'pass', message: 'HSTS includes subdomains' });
+        }
+        else {
+            findings.push({
+                status: 'warn',
+                message: 'HSTS does not include subdomains',
+                hint: 'Add includeSubDomains to apply HSTS across api., docs., etc. Required for preload list submission.',
+                learnMoreUrl: guideUrl(meta.id, 'hsts-no-subdomains'),
+            });
+            score -= 5;
+        }
+        if (preload) {
+            if (maxAge !== null && maxAge >= HSTS_PRELOAD_MIN_MAX_AGE && includesSubDomains) {
+                findings.push({ status: 'pass', message: 'HSTS preload-eligible' });
+            }
+            else {
+                findings.push({
+                    status: 'warn',
+                    message: 'HSTS has preload directive but does not satisfy preload-list requirements',
+                    hint: `Preload requires max-age >= ${HSTS_PRELOAD_MIN_MAX_AGE} and includeSubDomains. See https://hstspreload.org.`,
+                    learnMoreUrl: guideUrl(meta.id, 'hsts-preload-invalid'),
+                });
+                score -= 5;
+            }
+        }
+        else {
+            findings.push({
+                status: 'warn',
+                message: 'HSTS lacks the preload directive',
+                hint: 'Add preload (and ensure max-age >= 31536000 + includeSubDomains) and submit the domain at https://hstspreload.org for browser-built-in HTTPS enforcement.',
+                learnMoreUrl: guideUrl(meta.id, 'hsts-no-preload'),
+            });
+            score -= 3;
+        }
+    }
+    return buildResult(meta, score, findings, start);
+}
+function parseHstsMaxAge(value) {
+    const m = value.match(/max-age\s*=\s*"?(\d+)"?/i);
+    if (!m)
+        return null;
+    const n = Number(m[1]);
+    return Number.isFinite(n) ? n : null;
+}
+//# sourceMappingURL=tls-https.js.map

package/dist/checks/tls-https.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tls-https.js","sourceRoot":"","sources":["../../src/checks/tls-https.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAE5C,OAAO,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAEzC;;;;;;;;GAQG;AACH,MAAM,CAAC,MAAM,IAAI,GAAc;IAC7B,EAAE,EAAE,WAAW;IACf,IAAI,EAAE,aAAa;IACnB,WAAW,EAAE,2DAA2D;IACxE,MAAM,EAAE,CAAC;CACV,CAAC;AAEF,MAAM,gBAAgB,GAAG,UAAU,CAAC;AACpC,MAAM,wBAAwB,GAAG,UAAU,CAAC;AAE5C,MAAM,CAAC,OAAO,CAAC,KAAK,UAAU,KAAK,CAAC,GAAiB;IACnD,MAAM,KAAK,GAAG,WAAW,CAAC,GAAG,EAAE,CAAC;IAChC,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,IAAI,KAAK,GAAG,GAAG,CAAC;IAEhB,IAAI,MAAW,CAAC;IAChB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAC5B,CAAC;IAAC,MAAM,CAAC;QACP,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,gBAAgB,GAAG,CAAC,GAAG,EAAE;YAClC,IAAI,EAAE,+DAA+D;YACrE,YAAY,EAAE,QAAQ,CAAC,IAAI,CAAC,EAAE,EAAE,aAAa,CAAC;SAC/C,CAAC,CAAC;QACH,OAAO,WAAW,CAAC,IAAI,EAAE,CAAC,EAAE,QAAQ,EAAE,KAAK,CAAC,CAAC;IAC/C,CAAC;IAED,IAAI,MAAM,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QACjC,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,2BAA2B,EAAE,CAAC,CAAC;IAC1E,CAAC;SAAM,CAAC;QACN,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,uBAAuB,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,WAAW,EAAE,cAAc;YAC5F,IAAI,EAAE,4GAA4G;YAClH,YAAY,EAAE,QAAQ,CAAC,IAAI,CAAC,EAAE,EAAE,UAAU,CAAC;SAC5C,CAAC,CAAC;QACH,KAAK,IAAI,EAAE,CAAC;IACd,CAAC;IAED,IAAI,MAAM,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QACjC,MAAM,OAAO,GAAG,UAAU,MAAM,CAAC,IAAI,GAAG,MAAM,CAAC,QAAQ,IAAI,EAAE,EAAE,CAAC;QAChE,MAAM,OAAO,GAAG,MAAM,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QACzC,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,IAAI,EAAE,CAAC;QACnC,IAAI,OAAO,CAAC,EAAE,IAAI,cAAc,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;YAChD,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,iCAAiC,EAAE,CAAC,CAAC;QAChF,CAAC;aAAM,IAAI,CAAC,OAAO,CAAC,EAAE,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC/C,QAAQ,CAAC,IAAI,CAAC;gBACZ,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,uDAAuD;aACjE,CAAC,CAAC;QACL,CAAC;aAAM,IAAI,OAAO,CAAC,EAAE,IAAI,aAAa,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;YACtD,QAAQ,CAAC,IAAI,CAAC;gBACZ,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,wCAAwC;gBACjD,MAAM,EAAE,cAAc,QAAQ,EAAE;gBAChC,IAAI,EAAE,2HAA2H;gBACjI,YAAY,EAAE,QAAQ,CAAC,IAAI,CAAC,EAAE,EAAE,aAAa,CAAC;aAC/C,CAAC,CAAC;YACH,KAAK,IAAI,EAAE,CAAC;QACd,CAAC;aAAM,CAAC;YACN,QAAQ,CAAC,IAAI,CAAC;gBACZ,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,sCAAsC;gBAC/C,MAAM,EAAE,QAAQ,OAAO,CAAC,MAAM,OAAO,OAAO,EAAE;gBAC9C,IAAI,EAAE,mGAAmG;gBACzG,YAAY,EAAE,QAAQ,CAAC,IAAI,CAAC,EAAE,EAAE,kBAAkB,CAAC;aACpD,CAAC,CAAC;YACH,KAAK,IAAI,CAAC,CAAC;QACb,CAAC;IACH,CAAC;IAED,MAAM,IAAI,GAAG,GAAG,CAAC,OAAO,CAAC,2BAA2B,CAAC,CAAC;IACtD,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,qCAAqC;YAC9C,IAAI,EAAE,wIAAwI;YAC9I,YAAY,EAAE,QAAQ,CAAC,IAAI,CAAC,EAAE,EAAE,SAAS,CAAC;SAC3C,CAAC,CAAC;QACH,KAAK,IAAI,EAAE,CAAC;IACd,CAAC;SAAM,CAAC;QACN,MAAM,MAAM,GAAG,eAAe,CAAC,IAAI,CAAC,CAAC;QACrC,MAAM,kBAAkB,GAAG,oBAAoB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC3D,MAAM,OAAO,GAAG,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAEtC,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;YACpB,QAAQ,CAAC,IAAI,CAAC;gBACZ,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,sCAAsC;gBAC/C,MAAM,EAAE,IAAI;gBACZ,IAAI,EAAE,gDAAgD;gBACtD,YAAY,EAAE,QAAQ,CAAC,IAAI,CAAC,EAAE,EAAE,gBAAgB,CAAC;aAClD,CAAC,CAAC;YACH,KAAK,IAAI,EAAE,CAAC;QACd,CAAC;aAAM,IAAI,MAAM,GAAG,gBAAgB,EAAE,CAAC;YACrC,QAAQ,CAAC,IAAI,CAAC;gBACZ,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,0BAA0B,MAAM,QAAQ,IAAI,CAAC,KAAK,CAAC,MAAM,GAAG,KAAK,CAAC,QAAQ;gBACnF,IAAI,EAAE,wBAAwB,gBAAgB,0DAA0D,wBAAwB,YAAY;gBAC5I,YAAY,EAAE,QAAQ,CAAC,IAAI,CAAC,EAAE,EAAE,YAAY,CAAC;aAC9C,CAAC,CAAC;YACH,KAAK,IAAI,CAAC,CAAC;QACb,CAAC;aAAM,CAAC;YACN,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,gBAAgB,MAAM,EAAE,EAAE,CAAC,CAAC;QACvE,CAAC;QAED,IAAI,kBAAkB,EAAE,CAAC;YACvB,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,0BAA0B,EAAE,CAAC,CAAC;QACzE,CAAC;aAAM,CAAC;YACN,QAAQ,CAAC,IAAI,CAAC;gBACZ,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,kCAAkC;gBAC3C,IAAI,EAAE,oGAAoG;gBAC1G,YAAY,EAAE,QAAQ,CAAC,IAAI,CAAC,EAAE,EAAE,oBAAoB,CAAC;aACtD,CAAC,CAAC;YACH,KAAK,IAAI,CAAC,CAAC;QACb,CAAC;QAED,IAAI,OAAO,EAAE,CAAC;YACZ,IAAI,MAAM,KAAK,IAAI,IAAI,MAAM,IAAI,wBAAwB,IAAI,kBAAkB,EAAE,CAAC;gBAChF,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,uBAAuB,EAAE,CAAC,CAAC;YACtE,CAAC;iBAAM,CAAC;gBACN,QAAQ,CAAC,IAAI,CAAC;oBACZ,MAAM,EAAE,MAAM;oBACd,OAAO,EAAE,2EAA2E;oBACpF,IAAI,EAAE,+BAA+B,wBAAwB,sDAAsD;oBACnH,YAAY,EAAE,QAAQ,CAAC,IAAI,CAAC,EAAE,EAAE,sBAAsB,CAAC;iBACxD,CAAC,CAAC;gBACH,KAAK,IAAI,CAAC,CAAC;YACb,CAAC;QACH,CAAC;aAAM,CAAC;YACN,QAAQ,CAAC,IAAI,CAAC;gBACZ,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,kCAAkC;gBAC3C,IAAI,EAAE,2JAA2J;gBACjK,YAAY,EAAE,QAAQ,CAAC,IAAI,CAAC,EAAE,EAAE,iBAAiB,CAAC;aACnD,CAAC,CAAC;YACH,KAAK,IAAI,CAAC,CAAC;QACb,CAAC;IACH,CAAC;IAED,OAAO,WAAW,CAAC,IAAI,EAAE,KAAK,EAAE,QAAQ,EAAE,KAAK,CAAC,CAAC;AACnD,CAAC;AAED,SAAS,eAAe,CAAC,KAAa;IACpC,MAAM,CAAC,GAAG,KAAK,CAAC,KAAK,CAAC,0BAA0B,CAAC,CAAC;IAClD,IAAI,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC;IACpB,MAAM,CAAC,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACvB,OAAO,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;AACvC,CAAC"}

package/dist/checks/utils.d.ts

@@ -1,4 +1,16 @@
-import type { CheckMeta, CheckResult, Finding } from '../types.js';
+import type { CheckMeta, CheckResult, FetchResponse, Finding } from '../types.js';
 export declare function clampScore(score: number): number;
 export declare function buildResult(meta: CheckMeta, score: number, findings: Finding[], start: number): CheckResult;
+/**
+ * Validate the `Content-Type` of a fetched resource against a list of acceptable MIME types.
+ *
+ * Returns:
+ * - `null` when the content type is acceptable (no finding to add)
+ * - a `Finding` describing the mismatch otherwise (caller decides whether to apply a score penalty)
+ */
+export declare function checkContentType(res: FetchResponse, expected: string[], context: {
+    checkId: string;
+    resourceLabel: string;
+    anchor: string;
+}): Finding | null;
 //# sourceMappingURL=utils.d.ts.map

package/dist/checks/utils.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../../src/checks/utils.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,SAAS,EAAE,WAAW,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AAEnE,wBAAgB,UAAU,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAEhD;AAED,wBAAgB,WAAW,CAAC,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE,EAAE,KAAK,EAAE,MAAM,GAAG,WAAW,CAS3G"}
+{"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../../src/checks/utils.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,SAAS,EAAE,WAAW,EAAE,aAAa,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AAElF,wBAAgB,UAAU,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAEhD;AAED,wBAAgB,WAAW,CAAC,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE,EAAE,KAAK,EAAE,MAAM,GAAG,WAAW,CAS3G;AAED;;;;;;GAMG;AACH,wBAAgB,gBAAgB,CAC9B,GAAG,EAAE,aAAa,EAClB,QAAQ,EAAE,MAAM,EAAE,EAClB,OAAO,EAAE;IAAE,OAAO,EAAE,MAAM,CAAC;IAAC,aAAa,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,GAClE,OAAO,GAAG,IAAI,CAkBhB"}

package/dist/checks/utils.js

@@ -1,3 +1,4 @@
+import { guideUrl } from '../guide-urls.js';
 export function clampScore(score) {
     return Math.max(0, Math.min(100, score));
 }
@@ -11,4 +12,31 @@ export function buildResult(meta, score, findings, start) {
         duration: Math.round(performance.now() - start),
     };
 }
+/**
+ * Validate the `Content-Type` of a fetched resource against a list of acceptable MIME types.
+ *
+ * Returns:
+ * - `null` when the content type is acceptable (no finding to add)
+ * - a `Finding` describing the mismatch otherwise (caller decides whether to apply a score penalty)
+ */
+export function checkContentType(res, expected, context) {
+    const ct = (res.headers['content-type'] ?? '').toLowerCase();
+    if (!ct) {
+        return {
+            status: 'warn',
+            message: `${context.resourceLabel} has no Content-Type header`,
+            hint: `Serve ${context.resourceLabel} with one of: ${expected.join(', ')}.`,
+            learnMoreUrl: guideUrl(context.checkId, context.anchor),
+        };
+    }
+    if (expected.some((mime) => ct.includes(mime)))
+        return null;
+    return {
+        status: 'warn',
+        message: `${context.resourceLabel} Content-Type is "${ct.split(';')[0]}"`,
+        detail: `Expected one of: ${expected.join(', ')}`,
+        hint: `Configure your server to serve ${context.resourceLabel} as ${expected[0]} so AI agents parse it correctly.`,
+        learnMoreUrl: guideUrl(context.checkId, context.anchor),
+    };
+}
 //# sourceMappingURL=utils.js.map

package/dist/checks/utils.js.map

@@ -1 +1 @@
-{"version":3,"file":"utils.js","sourceRoot":"","sources":["../../src/checks/utils.ts"],"names":[],"mappings":"AAEA,MAAM,UAAU,UAAU,CAAC,KAAa;IACtC,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC,CAAC;AAC3C,CAAC;AAED,MAAM,UAAU,WAAW,CAAC,IAAe,EAAE,KAAa,EAAE,QAAmB,EAAE,KAAa;IAC5F,OAAO;QACL,EAAE,EAAE,IAAI,CAAC,EAAE;QACX,IAAI,EAAE,IAAI,CAAC,IAAI;QACf,WAAW,EAAE,IAAI,CAAC,WAAW;QAC7B,KAAK,EAAE,UAAU,CAAC,KAAK,CAAC;QACxB,QAAQ;QACR,QAAQ,EAAE,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC;KAChD,CAAC;AACJ,CAAC"}
+{"version":3,"file":"utils.js","sourceRoot":"","sources":["../../src/checks/utils.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAG5C,MAAM,UAAU,UAAU,CAAC,KAAa;IACtC,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC,CAAC;AAC3C,CAAC;AAED,MAAM,UAAU,WAAW,CAAC,IAAe,EAAE,KAAa,EAAE,QAAmB,EAAE,KAAa;IAC5F,OAAO;QACL,EAAE,EAAE,IAAI,CAAC,EAAE;QACX,IAAI,EAAE,IAAI,CAAC,IAAI;QACf,WAAW,EAAE,IAAI,CAAC,WAAW;QAC7B,KAAK,EAAE,UAAU,CAAC,KAAK,CAAC;QACxB,QAAQ;QACR,QAAQ,EAAE,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC;KAChD,CAAC;AACJ,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,gBAAgB,CAC9B,GAAkB,EAClB,QAAkB,EAClB,OAAmE;IAEnE,MAAM,EAAE,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,cAAc,CAAC,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;IAC7D,IAAI,CAAC,EAAE,EAAE,CAAC;QACR,OAAO;YACL,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,GAAG,OAAO,CAAC,aAAa,6BAA6B;YAC9D,IAAI,EAAE,SAAS,OAAO,CAAC,aAAa,iBAAiB,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG;YAC3E,YAAY,EAAE,QAAQ,CAAC,OAAO,CAAC,OAAO,EAAE,OAAO,CAAC,MAAM,CAAC;SACxD,CAAC;IACJ,CAAC;IACD,IAAI,QAAQ,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,EAAE,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC;IAC5D,OAAO;QACL,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,GAAG,OAAO,CAAC,aAAa,qBAAqB,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG;QACzE,MAAM,EAAE,oBAAoB,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;QACjD,IAAI,EAAE,kCAAkC,OAAO,CAAC,aAAa,OAAO,QAAQ,CAAC,CAAC,CAAC,mCAAmC;QAClH,YAAY,EAAE,QAAQ,CAAC,OAAO,CAAC,OAAO,EAAE,OAAO,CAAC,MAAM,CAAC;KACxD,CAAC;AACJ,CAAC"}

package/dist/checks/well-known-ai.d.ts

@@ -0,0 +1,17 @@
+import type { CheckContext, CheckResult, CheckMeta } from '../types.js';
+/**
+ * "well-known-ai" — emerging AI-specific discovery files that don't have a settled spec yet
+ * but are already published by some sites and read by some agents. Each file present is a
+ * positive signal (bonus); none of them are individually required, so a site that publishes
+ * just one or two should not be punished. The score reflects coverage of this small bundle.
+ *
+ * Files probed:
+ * - `/.well-known/ai.txt` (Spawning AI — opt-in/opt-out for AI training)
+ * - `/.well-known/genai.txt` (proposed — generative AI policy)
+ * - `/ai-plugin.json` and `/.well-known/ai-plugin.json` (legacy ChatGPT plugin manifest)
+ * - `/agents.json` (Wildcard / OpenAgents — emerging agent capability manifest)
+ * - `/.well-known/nlweb.json` (Microsoft NLWeb — natural-language site interface)
+ */
+export declare const meta: CheckMeta;
+export default function check(ctx: CheckContext): Promise<CheckResult>;
+//# sourceMappingURL=well-known-ai.d.ts.map

package/dist/checks/well-known-ai.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"well-known-ai.d.ts","sourceRoot":"","sources":["../../src/checks/well-known-ai.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,YAAY,EAAE,WAAW,EAAE,SAAS,EAA0B,MAAM,aAAa,CAAC;AAGhG;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,IAAI,EAAE,SAKlB,CAAC;AAmEF,wBAA8B,KAAK,CAAC,GAAG,EAAE,YAAY,GAAG,OAAO,CAAC,WAAW,CAAC,CA+C3E"}

package/dist/checks/well-known-ai.js

@@ -0,0 +1,123 @@
+import { guideUrl } from '../guide-urls.js';
+import { buildResult } from './utils.js';
+/**
+ * "well-known-ai" — emerging AI-specific discovery files that don't have a settled spec yet
+ * but are already published by some sites and read by some agents. Each file present is a
+ * positive signal (bonus); none of them are individually required, so a site that publishes
+ * just one or two should not be punished. The score reflects coverage of this small bundle.
+ *
+ * Files probed:
+ * - `/.well-known/ai.txt` (Spawning AI — opt-in/opt-out for AI training)
+ * - `/.well-known/genai.txt` (proposed — generative AI policy)
+ * - `/ai-plugin.json` and `/.well-known/ai-plugin.json` (legacy ChatGPT plugin manifest)
+ * - `/agents.json` (Wildcard / OpenAgents — emerging agent capability manifest)
+ * - `/.well-known/nlweb.json` (Microsoft NLWeb — natural-language site interface)
+ */
+export const meta = {
+    id: 'well-known-ai',
+    name: 'AI Well-Known',
+    description: 'Checks emerging AI-specific discovery files (ai.txt, agents.json, ai-plugin.json, nlweb)',
+    weight: 3,
+};
+const PROBES = [
+    {
+        paths: ['/.well-known/ai.txt'],
+        label: 'ai.txt',
+        hint: 'Publish /.well-known/ai.txt declaring opt-in/opt-out signals for AI training. See https://site.spawning.ai/spawning-ai-txt for the format.',
+        guideAnchor: 'ai-txt',
+    },
+    {
+        paths: ['/.well-known/genai.txt'],
+        label: 'genai.txt',
+        hint: 'Publish /.well-known/genai.txt declaring your generative-AI usage policy.',
+        guideAnchor: 'genai-txt',
+    },
+    {
+        paths: ['/.well-known/ai-plugin.json', '/ai-plugin.json'],
+        label: 'ai-plugin.json',
+        hint: 'Publish /ai-plugin.json (legacy ChatGPT plugin manifest). Schema: name_for_model, description_for_model, api.url. Still consumed by some agents.',
+        guideAnchor: 'ai-plugin',
+        parser: (body) => {
+            try {
+                const data = JSON.parse(body);
+                return Boolean(data.name_for_model || data.name_for_human || data.schema_version);
+            }
+            catch {
+                return false;
+            }
+        },
+    },
+    {
+        paths: ['/agents.json', '/.well-known/agents.json'],
+        label: 'agents.json',
+        hint: 'Publish /agents.json describing your site as a callable agent (OpenAgents / Wildcard emerging spec). Includes name, description, and operations[].',
+        guideAnchor: 'agents-json',
+        parser: (body) => {
+            try {
+                const data = JSON.parse(body);
+                return Boolean(data.name || data.operations || data.agents);
+            }
+            catch {
+                return false;
+            }
+        },
+    },
+    {
+        paths: ['/.well-known/nlweb.json', '/nlweb.json'],
+        label: 'nlweb.json',
+        hint: 'Publish /.well-known/nlweb.json (Microsoft NLWeb) so agents can interact with the site through a natural-language interface.',
+        guideAnchor: 'nlweb',
+        parser: (body) => {
+            try {
+                JSON.parse(body);
+                return true;
+            }
+            catch {
+                return false;
+            }
+        },
+    },
+];
+export default async function check(ctx) {
+    const start = performance.now();
+    const findings = [];
+    let presentCount = 0;
+    for (const probe of PROBES) {
+        let hit = null;
+        for (const path of probe.paths) {
+            const res = await ctx.fetch(`${ctx.url}${path}`);
+            if (res.ok && res.body.trim().length > 0) {
+                hit = { path, res };
+                break;
+            }
+        }
+        if (!hit) {
+            findings.push({
+                status: 'warn',
+                message: `${probe.label} not found`,
+                detail: `Tried: ${probe.paths.join(', ')}`,
+                hint: probe.hint,
+                learnMoreUrl: guideUrl(meta.id, probe.guideAnchor),
+            });
+            continue;
+        }
+        if (probe.parser && !probe.parser(hit.res.body)) {
+            findings.push({
+                status: 'warn',
+                message: `${probe.label} present at ${hit.path} but does not look valid`,
+                hint: probe.hint,
+                learnMoreUrl: guideUrl(meta.id, `${probe.guideAnchor}-invalid`),
+            });
+            continue;
+        }
+        presentCount++;
+        findings.push({ status: 'pass', message: `${probe.label} present at ${hit.path}` });
+    }
+    const score = Math.round((presentCount / PROBES.length) * 100);
+    findings.unshift({
+        status: presentCount > 0 ? 'pass' : 'warn',
+        message: `${presentCount}/${PROBES.length} emerging AI discovery files published`,
+    });
+    return buildResult(meta, score, findings, start);
+}
+//# sourceMappingURL=well-known-ai.js.map

package/dist/checks/well-known-ai.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"well-known-ai.js","sourceRoot":"","sources":["../../src/checks/well-known-ai.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAE5C,OAAO,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAEzC;;;;;;;;;;;;GAYG;AACH,MAAM,CAAC,MAAM,IAAI,GAAc;IAC7B,EAAE,EAAE,eAAe;IACnB,IAAI,EAAE,eAAe;IACrB,WAAW,EAAE,0FAA0F;IACvG,MAAM,EAAE,CAAC;CACV,CAAC;AAUF,MAAM,MAAM,GAAY;IACtB;QACE,KAAK,EAAE,CAAC,qBAAqB,CAAC;QAC9B,KAAK,EAAE,QAAQ;QACf,IAAI,EAAE,4IAA4I;QAClJ,WAAW,EAAE,QAAQ;KACtB;IACD;QACE,KAAK,EAAE,CAAC,wBAAwB,CAAC;QACjC,KAAK,EAAE,WAAW;QAClB,IAAI,EAAE,2EAA2E;QACjF,WAAW,EAAE,WAAW;KACzB;IACD;QACE,KAAK,EAAE,CAAC,6BAA6B,EAAE,iBAAiB,CAAC;QACzD,KAAK,EAAE,gBAAgB;QACvB,IAAI,EAAE,kJAAkJ;QACxJ,WAAW,EAAE,WAAW;QACxB,MAAM,EAAE,CAAC,IAAI,EAAE,EAAE;YACf,IAAI,CAAC;gBACH,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAA4B,CAAC;gBACzD,OAAO,OAAO,CAAC,IAAI,CAAC,cAAc,IAAI,IAAI,CAAC,cAAc,IAAI,IAAI,CAAC,cAAc,CAAC,CAAC;YACpF,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;KACF;IACD;QACE,KAAK,EAAE,CAAC,cAAc,EAAE,0BAA0B,CAAC;QACnD,KAAK,EAAE,aAAa;QACpB,IAAI,EAAE,oJAAoJ;QAC1J,WAAW,EAAE,aAAa;QAC1B,MAAM,EAAE,CAAC,IAAI,EAAE,EAAE;YACf,IAAI,CAAC;gBACH,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAA4B,CAAC;gBACzD,OAAO,OAAO,CAAC,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,UAAU,IAAI,IAAI,CAAC,MAAM,CAAC,CAAC;YAC9D,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;KACF;IACD;QACE,KAAK,EAAE,CAAC,yBAAyB,EAAE,aAAa,CAAC;QACjD,KAAK,EAAE,YAAY;QACnB,IAAI,EAAE,8HAA8H;QACpI,WAAW,EAAE,OAAO;QACpB,MAAM,EAAE,CAAC,IAAI,EAAE,EAAE;YACf,IAAI,CAAC;gBACH,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;gBACjB,OAAO,IAAI,CAAC;YACd,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;KACF;CACF,CAAC;AAEF,MAAM,CAAC,OAAO,CAAC,KAAK,UAAU,KAAK,CAAC,GAAiB;IACnD,MAAM,KAAK,GAAG,WAAW,CAAC,GAAG,EAAE,CAAC;IAChC,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,IAAI,YAAY,GAAG,CAAC,CAAC;IAErB,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,IAAI,GAAG,GAAgD,IAAI,CAAC;QAC5D,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,KAAK,EAAE,CAAC;YAC/B,MAAM,GAAG,GAAG,MAAM,GAAG,CAAC,KAAK,CAAC,GAAG,GAAG,CAAC,GAAG,GAAG,IAAI,EAAE,CAAC,CAAC;YACjD,IAAI,GAAG,CAAC,EAAE,IAAI,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACzC,GAAG,GAAG,EAAE,IAAI,EAAE,GAAG,EAAE,CAAC;gBACpB,MAAM;YACR,CAAC;QACH,CAAC;QAED,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,QAAQ,CAAC,IAAI,CAAC;gBACZ,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,GAAG,KAAK,CAAC,KAAK,YAAY;gBACnC,MAAM,EAAE,UAAU,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;gBAC1C,IAAI,EAAE,KAAK,CAAC,IAAI;gBAChB,YAAY,EAAE,QAAQ,CAAC,IAAI,CAAC,EAAE,EAAE,KAAK,CAAC,WAAW,CAAC;aACnD,CAAC,CAAC;YACH,SAAS;QACX,CAAC;QAED,IAAI,KAAK,CAAC,MAAM,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;YAChD,QAAQ,CAAC,IAAI,CAAC;gBACZ,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,GAAG,KAAK,CAAC,KAAK,eAAe,GAAG,CAAC,IAAI,0BAA0B;gBACxE,IAAI,EAAE,KAAK,CAAC,IAAI;gBAChB,YAAY,EAAE,QAAQ,CAAC,IAAI,CAAC,EAAE,EAAE,GAAG,KAAK,CAAC,WAAW,UAAU,CAAC;aAChE,CAAC,CAAC;YACH,SAAS;QACX,CAAC;QAED,YAAY,EAAE,CAAC;QACf,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,GAAG,KAAK,CAAC,KAAK,eAAe,GAAG,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;IACtF,CAAC;IAED,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,YAAY,GAAG,MAAM,CAAC,MAAM,CAAC,GAAG,GAAG,CAAC,CAAC;IAC/D,QAAQ,CAAC,OAAO,CAAC;QACf,MAAM,EAAE,YAAY,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM;QAC1C,OAAO,EAAE,GAAG,YAAY,IAAI,MAAM,CAAC,MAAM,wCAAwC;KAClF,CAAC,CAAC;IAEH,OAAO,WAAW,CAAC,IAAI,EAAE,KAAK,EAAE,QAAQ,EAAE,KAAK,CAAC,CAAC;AACnD,CAAC"}

package/dist/constants.d.ts

@@ -1,9 +1,28 @@
 import type { Grade, SecurityHeader } from './types.js';
 export declare const VERSION: string;
 export declare const USER_AGENT: string;
+/**
+ * Known AI / LLM crawlers grouped by primary purpose. The audit recommends explicit
+ * `User-agent:` rules for every entry so site operators can see exactly which agents
+ * have access. Buckets:
+ *
+ * - `training`   — bots that scrape content for model training corpora
+ * - `search`     — bots that fetch on behalf of a live answer engine / search UI
+ * - `fetching`   — generic on-demand fetchers (browsing, summarization, automation)
+ */
 export declare const AI_CRAWLERS: Record<string, string[]>;
 export declare const ALL_AI_CRAWLERS: string[];
+/**
+ * The "must-configure" subset — these are the agents a typical operator should grant
+ * (or knowingly deny) explicit access to. ax-audit grades the robots.txt section heavily
+ * on coverage of this short list, while still rewarding broader explicit rules.
+ */
 export declare const CORE_AI_CRAWLERS: string[];
+/**
+ * Default weight per check (sum: 100). Individual `CheckMeta.weight` overrides this map.
+ * Keep weights aligned with real-world impact — discovery + content-rendering are the
+ * highest-leverage signals for AI agents.
+ */
 export declare const CHECK_WEIGHTS: Record<string, number>;
 export declare const GRADES: Grade[];
 export declare const AGENT_JSON_REQUIRED_FIELDS: string[];

package/dist/constants.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../src/constants.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,KAAK,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAKxD,eAAO,MAAM,OAAO,EAAE,MAAoB,CAAC;AAC3C,eAAO,MAAM,UAAU,QAAqE,CAAC;AAE7F,eAAO,MAAM,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAmChD,CAAC;AAEF,eAAO,MAAM,eAAe,EAAE,MAAM,EAA8E,CAAC;AAEnH,eAAO,MAAM,gBAAgB,EAAE,MAAM,EAOpC,CAAC;AAEF,eAAO,MAAM,aAAa,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAUhD,CAAC;AAEF,eAAO,MAAM,MAAM,EAAE,KAAK,EAKzB,CAAC;AAEF,eAAO,MAAM,0BAA0B,EAAE,MAAM,EAA6C,CAAC;AAE7F,eAAO,MAAM,4BAA4B,EAAE,MAAM,EAA2B,CAAC;AAE7E,eAAO,MAAM,gBAAgB,EAAE,cAAc,EAQ5C,CAAC"}
+{"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../src/constants.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,KAAK,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAKxD,eAAO,MAAM,OAAO,EAAE,MAAoB,CAAC;AAC3C,eAAO,MAAM,UAAU,QAAqE,CAAC;AAE7F;;;;;;;;GAQG;AACH,eAAO,MAAM,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CA8ChD,CAAC;AAEF,eAAO,MAAM,eAAe,EAAE,MAAM,EAA8E,CAAC;AAEnH;;;;GAIG;AACH,eAAO,MAAM,gBAAgB,EAAE,MAAM,EASpC,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,aAAa,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAehD,CAAC;AAEF,eAAO,MAAM,MAAM,EAAE,KAAK,EAKzB,CAAC;AAEF,eAAO,MAAM,0BAA0B,EAAE,MAAM,EAA6C,CAAC;AAE7F,eAAO,MAAM,4BAA4B,EAAE,MAAM,EAA2B,CAAC;AAE7E,eAAO,MAAM,gBAAgB,EAAE,cAAc,EAQ5C,CAAC"}

package/dist/constants.js

@@ -5,6 +5,15 @@ const __dirname = dirname(fileURLToPath(import.meta.url));
 const pkg = JSON.parse(readFileSync(join(__dirname, '..', 'package.json'), 'utf-8'));
 export const VERSION = pkg.version;
 export const USER_AGENT = `ax-audit/${pkg.version} (https://github.com/lucioduran/ax-audit)`;
+/**
+ * Known AI / LLM crawlers grouped by primary purpose. The audit recommends explicit
+ * `User-agent:` rules for every entry so site operators can see exactly which agents
+ * have access. Buckets:
+ *
+ * - `training`   — bots that scrape content for model training corpora
+ * - `search`     — bots that fetch on behalf of a live answer engine / search UI
+ * - `fetching`   — generic on-demand fetchers (browsing, summarization, automation)
+ */
 export const AI_CRAWLERS = {
     training: [
         'GPTBot',
@@ -25,6 +34,13 @@ export const AI_CRAWLERS = {
         'DeepSeek-AI',
         'PanguBot',
         'Diffbot',
+        'MistralAI-User',
+        'Kangaroo Bot',
+        'Timpibot',
+        'omgili',
+        'omgilibot',
+        'ImagesiftBot',
+        'Webzio-Extended',
     ],
     search: [
         'OAI-SearchBot',
@@ -38,10 +54,19 @@ export const AI_CRAWLERS = {
         'Petalbot',
         'Google-CloudVertexBot',
         'Gemini',
+        'GeminiBot',
+        'KagiBot',
+        'NeevaBot',
+        'PhindBot',
     ],
-    fetching: ['FirecrawlAgent', 'Facebookbot'],
+    fetching: ['FirecrawlAgent', 'Facebookbot', 'Bingbot', 'Goose', 'AwarioBot', 'AwarioRssBot', 'AwarioSmartBot'],
 };
 export const ALL_AI_CRAWLERS = [...AI_CRAWLERS.training, ...AI_CRAWLERS.search, ...AI_CRAWLERS.fetching];
+/**
+ * The "must-configure" subset — these are the agents a typical operator should grant
+ * (or knowingly deny) explicit access to. ax-audit grades the robots.txt section heavily
+ * on coverage of this short list, while still rewarding broader explicit rules.
+ */
 export const CORE_AI_CRAWLERS = [
     'GPTBot',
     'ClaudeBot',
@@ -49,17 +74,29 @@ export const CORE_AI_CRAWLERS = [
     'Claude-SearchBot',
     'Google-Extended',
     'PerplexityBot',
+    'OAI-SearchBot',
+    'CCBot',
 ];
+/**
+ * Default weight per check (sum: 100). Individual `CheckMeta.weight` overrides this map.
+ * Keep weights aligned with real-world impact — discovery + content-rendering are the
+ * highest-leverage signals for AI agents.
+ */
 export const CHECK_WEIGHTS = {
-    'llms-txt': 15,
-    'robots-txt': 15,
-    'structured-data': 13,
-    'http-headers': 13,
-    'agent-json': 10,
-    mcp: 10,
-    'security-txt': 8,
-    'meta-tags': 8,
-    openapi: 8,
+    'llms-txt': 11,
+    'robots-txt': 11,
+    'html-rendering': 9,
+    'structured-data': 9,
+    'http-headers': 9,
+    'agent-json': 7,
+    mcp: 7,
+    'seo-basics': 7,
+    'security-txt': 6,
+    'meta-tags': 6,
+    openapi: 6,
+    'tls-https': 5,
+    sitemap: 4,
+    'well-known-ai': 3,
 };
 export const GRADES = [
     { min: 90, label: 'Excellent', color: 'green' },

package/dist/constants.js.map

@@ -1 +1 @@
-{"version":3,"file":"constants.js","sourceRoot":"","sources":["../src/constants.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AACzC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAG1C,MAAM,SAAS,GAAG,OAAO,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;AAC1D,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,EAAE,cAAc,CAAC,EAAE,OAAO,CAAC,CAAC,CAAC;AAErF,MAAM,CAAC,MAAM,OAAO,GAAW,GAAG,CAAC,OAAO,CAAC;AAC3C,MAAM,CAAC,MAAM,UAAU,GAAG,YAAY,GAAG,CAAC,OAAO,2CAA2C,CAAC;AAE7F,MAAM,CAAC,MAAM,WAAW,GAA6B;IACnD,QAAQ,EAAE;QACR,QAAQ;QACR,WAAW;QACX,YAAY;QACZ,cAAc;QACd,iBAAiB;QACjB,OAAO;QACP,YAAY;QACZ,oBAAoB;QACpB,sBAAsB;QACtB,WAAW;QACX,8BAA8B;QAC9B,mBAAmB;QACnB,WAAW;QACX,QAAQ;QACR,cAAc;QACd,aAAa;QACb,UAAU;QACV,SAAS;KACV;IACD,MAAM,EAAE;QACN,eAAe;QACf,cAAc;QACd,kBAAkB;QAClB,aAAa;QACb,eAAe;QACf,iBAAiB;QACjB,eAAe;QACf,QAAQ;QACR,UAAU;QACV,uBAAuB;QACvB,QAAQ;KACT;IACD,QAAQ,EAAE,CAAC,gBAAgB,EAAE,aAAa,CAAC;CAC5C,CAAC;AAEF,MAAM,CAAC,MAAM,eAAe,GAAa,CAAC,GAAG,WAAW,CAAC,QAAQ,EAAE,GAAG,WAAW,CAAC,MAAM,EAAE,GAAG,WAAW,CAAC,QAAQ,CAAC,CAAC;AAEnH,MAAM,CAAC,MAAM,gBAAgB,GAAa;IACxC,QAAQ;IACR,WAAW;IACX,cAAc;IACd,kBAAkB;IAClB,iBAAiB;IACjB,eAAe;CAChB,CAAC;AAEF,MAAM,CAAC,MAAM,aAAa,GAA2B;IACnD,UAAU,EAAE,EAAE;IACd,YAAY,EAAE,EAAE;IAChB,iBAAiB,EAAE,EAAE;IACrB,cAAc,EAAE,EAAE;IAClB,YAAY,EAAE,EAAE;IAChB,GAAG,EAAE,EAAE;IACP,cAAc,EAAE,CAAC;IACjB,WAAW,EAAE,CAAC;IACd,OAAO,EAAE,CAAC;CACX,CAAC;AAEF,MAAM,CAAC,MAAM,MAAM,GAAY;IAC7B,EAAE,GAAG,EAAE,EAAE,EAAE,KAAK,EAAE,WAAW,EAAE,KAAK,EAAE,OAAO,EAAE;IAC/C,EAAE,GAAG,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE;IAC3C,EAAE,GAAG,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE;IAC3C,EAAE,GAAG,EAAE,CAAC,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE;CACxC,CAAC;AAEF,MAAM,CAAC,MAAM,0BAA0B,GAAa,CAAC,MAAM,EAAE,aAAa,EAAE,KAAK,EAAE,QAAQ,CAAC,CAAC;AAE7F,MAAM,CAAC,MAAM,4BAA4B,GAAa,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC;AAE7E,MAAM,CAAC,MAAM,gBAAgB,GAAqB;IAChD,EAAE,IAAI,EAAE,2BAA2B,EAAE,KAAK,EAAE,2BAA2B,EAAE,QAAQ,EAAE,IAAI,EAAE;IACzF,EAAE,IAAI,EAAE,wBAAwB,EAAE,KAAK,EAAE,wBAAwB,EAAE,QAAQ,EAAE,IAAI,EAAE;IACnF,EAAE,IAAI,EAAE,iBAAiB,EAAE,KAAK,EAAE,iBAAiB,EAAE,QAAQ,EAAE,KAAK,EAAE;IACtE,EAAE,IAAI,EAAE,kBAAkB,EAAE,KAAK,EAAE,kBAAkB,EAAE,QAAQ,EAAE,KAAK,EAAE;IACxE,EAAE,IAAI,EAAE,iBAAiB,EAAE,KAAK,EAAE,iBAAiB,EAAE,QAAQ,EAAE,KAAK,EAAE;IACtE,EAAE,IAAI,EAAE,oBAAoB,EAAE,KAAK,EAAE,oBAAoB,EAAE,QAAQ,EAAE,KAAK,EAAE;IAC5E,EAAE,IAAI,EAAE,yBAAyB,EAAE,KAAK,EAAE,yBAAyB,EAAE,QAAQ,EAAE,KAAK,EAAE;CACvF,CAAC"}
+{"version":3,"file":"constants.js","sourceRoot":"","sources":["../src/constants.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AACzC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAG1C,MAAM,SAAS,GAAG,OAAO,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;AAC1D,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,EAAE,cAAc,CAAC,EAAE,OAAO,CAAC,CAAC,CAAC;AAErF,MAAM,CAAC,MAAM,OAAO,GAAW,GAAG,CAAC,OAAO,CAAC;AAC3C,MAAM,CAAC,MAAM,UAAU,GAAG,YAAY,GAAG,CAAC,OAAO,2CAA2C,CAAC;AAE7F;;;;;;;;GAQG;AACH,MAAM,CAAC,MAAM,WAAW,GAA6B;IACnD,QAAQ,EAAE;QACR,QAAQ;QACR,WAAW;QACX,YAAY;QACZ,cAAc;QACd,iBAAiB;QACjB,OAAO;QACP,YAAY;QACZ,oBAAoB;QACpB,sBAAsB;QACtB,WAAW;QACX,8BAA8B;QAC9B,mBAAmB;QACnB,WAAW;QACX,QAAQ;QACR,cAAc;QACd,aAAa;QACb,UAAU;QACV,SAAS;QACT,gBAAgB;QAChB,cAAc;QACd,UAAU;QACV,QAAQ;QACR,WAAW;QACX,cAAc;QACd,iBAAiB;KAClB;IACD,MAAM,EAAE;QACN,eAAe;QACf,cAAc;QACd,kBAAkB;QAClB,aAAa;QACb,eAAe;QACf,iBAAiB;QACjB,eAAe;QACf,QAAQ;QACR,UAAU;QACV,uBAAuB;QACvB,QAAQ;QACR,WAAW;QACX,SAAS;QACT,UAAU;QACV,UAAU;KACX;IACD,QAAQ,EAAE,CAAC,gBAAgB,EAAE,aAAa,EAAE,SAAS,EAAE,OAAO,EAAE,WAAW,EAAE,cAAc,EAAE,gBAAgB,CAAC;CAC/G,CAAC;AAEF,MAAM,CAAC,MAAM,eAAe,GAAa,CAAC,GAAG,WAAW,CAAC,QAAQ,EAAE,GAAG,WAAW,CAAC,MAAM,EAAE,GAAG,WAAW,CAAC,QAAQ,CAAC,CAAC;AAEnH;;;;GAIG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAa;IACxC,QAAQ;IACR,WAAW;IACX,cAAc;IACd,kBAAkB;IAClB,iBAAiB;IACjB,eAAe;IACf,eAAe;IACf,OAAO;CACR,CAAC;AAEF;;;;GAIG;AACH,MAAM,CAAC,MAAM,aAAa,GAA2B;IACnD,UAAU,EAAE,EAAE;IACd,YAAY,EAAE,EAAE;IAChB,gBAAgB,EAAE,CAAC;IACnB,iBAAiB,EAAE,CAAC;IACpB,cAAc,EAAE,CAAC;IACjB,YAAY,EAAE,CAAC;IACf,GAAG,EAAE,CAAC;IACN,YAAY,EAAE,CAAC;IACf,cAAc,EAAE,CAAC;IACjB,WAAW,EAAE,CAAC;IACd,OAAO,EAAE,CAAC;IACV,WAAW,EAAE,CAAC;IACd,OAAO,EAAE,CAAC;IACV,eAAe,EAAE,CAAC;CACnB,CAAC;AAEF,MAAM,CAAC,MAAM,MAAM,GAAY;IAC7B,EAAE,GAAG,EAAE,EAAE,EAAE,KAAK,EAAE,WAAW,EAAE,KAAK,EAAE,OAAO,EAAE;IAC/C,EAAE,GAAG,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE;IAC3C,EAAE,GAAG,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE;IAC3C,EAAE,GAAG,EAAE,CAAC,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE;CACxC,CAAC;AAEF,MAAM,CAAC,MAAM,0BAA0B,GAAa,CAAC,MAAM,EAAE,aAAa,EAAE,KAAK,EAAE,QAAQ,CAAC,CAAC;AAE7F,MAAM,CAAC,MAAM,4BAA4B,GAAa,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC;AAE7E,MAAM,CAAC,MAAM,gBAAgB,GAAqB;IAChD,EAAE,IAAI,EAAE,2BAA2B,EAAE,KAAK,EAAE,2BAA2B,EAAE,QAAQ,EAAE,IAAI,EAAE;IACzF,EAAE,IAAI,EAAE,wBAAwB,EAAE,KAAK,EAAE,wBAAwB,EAAE,QAAQ,EAAE,IAAI,EAAE;IACnF,EAAE,IAAI,EAAE,iBAAiB,EAAE,KAAK,EAAE,iBAAiB,EAAE,QAAQ,EAAE,KAAK,EAAE;IACtE,EAAE,IAAI,EAAE,kBAAkB,EAAE,KAAK,EAAE,kBAAkB,EAAE,QAAQ,EAAE,KAAK,EAAE;IACxE,EAAE,IAAI,EAAE,iBAAiB,EAAE,KAAK,EAAE,iBAAiB,EAAE,QAAQ,EAAE,KAAK,EAAE;IACtE,EAAE,IAAI,EAAE,oBAAoB,EAAE,KAAK,EAAE,oBAAoB,EAAE,QAAQ,EAAE,KAAK,EAAE;IAC5E,EAAE,IAAI,EAAE,yBAAyB,EAAE,KAAK,EAAE,yBAAyB,EAAE,QAAQ,EAAE,KAAK,EAAE;CACvF,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ax-audit",
-  "version": "2.4.0",
+  "version": "3.0.0",
   "description": "Audit websites for AI Agent Experience (AX) readiness. Lighthouse for AI Agents.",
   "type": "module",
   "license": "Apache-2.0",