Discover MCP server card [warning]! No MCP server card was found at current, transitional, or linked discovery paths.INFODiscover MCP server card candidateCount=5INFOBuild MCP server-card candidate list currentPath="/.well-known/mcp-server-card" transitionalPaths=["/.well-known/mcp/server-card.json","/.well-known/mcp/server-cards.json","/mcp.json","/.well-known/mcp.json"] linkedPaths=[]PASSCheck whether page claims MCP support actual=false expected="true only when HTML or Link headers mention MCP" textMatches=[] headerLinkCount=0INFOTrying to fetch /.well-known/mcp-server-card url="https://coder.com/.well-known/mcp-server-card" source="current"FAIL/.well-known/mcp-server-card did not return a usable server card statusCode=404 contentType="text/html; charset=utf-8"INFOTrying to fetch /.well-known/mcp/server-card.json url="https://coder.com/.well-known/mcp/server-card.json" source="transitional"FAIL/.well-known/mcp/server-card.json did not return a usable server card statusCode=404 contentType="text/html; charset=utf-8"INFOTrying to fetch /.well-known/mcp/server-cards.json url="https://coder.com/.well-known/mcp/server-cards.json" source="transitional"FAIL/.well-known/mcp/server-cards.json did not return a usable server card statusCode=404 contentType="text/html; charset=utf-8"INFOTrying to fetch /mcp.json url="https://coder.com/mcp.json" source="transitional"FAIL/mcp.json did not return a usable server card statusCode=404 contentType="text/html; charset=utf-8"INFOTrying to fetch /.well-known/mcp.json url="https://coder.com/.well-known/mcp.json" source="transitional"FAIL/.well-known/mcp.json did not return a usable server card statusCode=404 contentType="text/html; charset=utf-8"WARNNo MCP server card was found reason="No MCP server card was found at current, transitional, or linked discovery paths."

Detect OAuth/OIDC applicability [warning]! Generic authentication signals were found, but no OAuth/OIDC discovery signal was detected.INFODetect OAuth/OIDC applicabilityINFOInspecting homepage, headers, and known auth/API signals for OAuth or OIDC claims applies=false signalsCount=0 genericAuthSignalsCount=1 checkedCount=2WARNCheck OAuth/OIDC applicability signal actual=false expected="true when metadata exists or OAuth/OIDC is claimed" checked=[{"path":"/.well-known/openid-configuration","statusCode":404,"contentType":"text/html; charset=utf-8","length":53803},{"path":"/.well-known/oauth-authorization-server","statusCode":404,"contentType":"text/html; charset=utf-8","length":53803}]WARNDetect OAuth/OIDC applicability completed with warnings issue="Generic authentication signals were found, but no OAuth/OIDC discovery signal was detected."

Detect protected-resource applicability [warning]! Generic authentication signals were found, but no OAuth Protected Resource metadata signal was detected.INFODetect protected-resource applicabilityINFOInspecting auth headers, MCP/OAuth claims, and protected-resource hints applies=false requiresAuthorizationServers=false signalsCount=0 genericAuthSignalsCount=1 checkedCount=1WARNCheck protected-resource metadata applicability actual=false expected="true when RFC 9728 metadata exists or support is claimed" checked=[{"url":"https://coder.com/.well-known/oauth-protected-resource","path":"/.well-known/oauth-protected-resource","source":"root-well-known","resourceIdentifier":"https://coder.com","statusCode":404,"contentType":"text/html; charset=utf-8","length":53803}]WARNDetect protected-resource applicability completed with warnings issue="Generic authentication signals were found, but no OAuth Protected Resource metadata signal was detected."

Detect WebMCP runtime API [informational]INFODetect WebMCP runtime API status="informational"INFOProbe rendered browser for WebMCP runtime objects SKIPCheck current W3C runtime API actual="not detected" expected="document.modelContext/registerTool available"INFOWebMCP evidence was recorded for context. status="informational"Probe WebMCP operability [warning]! No WebMCP surface was found to probe.INFOProbe WebMCP operability status="warning"INFORun safe WebMCP operability checks safeProbeOnly=trueWARNCheck usable WebMCP evidence actual=0 expected="at least 1 usable runtime, declarative, annotation, or static manifest signal"WARNWebMCP operability warning warning="No WebMCP surface was found to probe."WARNWebMCP operability warning warning="Conventional WebMCP manifest paths were checked but did not return a valid manifest."WARNNo WebMCP surface was found to probe.Validate declarative WebMCP form tools [informational]! No W3C-style declarative WebMCP form attributes were found.INFOValidate declarative WebMCP form tools status="informational"INFOInspect visible forms and controls for current declarative WebMCP attributes annotatedElements=0 formsWithAttributes=0 controlsWithAttributes=0SKIPValidate declarative WebMCP attribute quality actual=0 expected=0INFONo W3C-style declarative WebMCP form attributes were found. status="informational"Validate MCP-aware HTML annotations [informational]! No data-mcp-tool or hyphenated WebMCP compatibility annotations were found.INFOValidate MCP-aware HTML annotations status="informational"INFOInspect HTML for MCP compatibility annotations compatibilityAttributeCount=0 dataMcpToolCount=0 examples=[]SKIPValidate compatibility annotation quality actual=0 expected=0INFONo data-mcp-tool or hyphenated WebMCP compatibility annotations were found. status="informational"Validate static WebMCP JSON compatibility [warning]! No static WebMCP JSON manifest or WMCP interaction graph was found.INFOValidate static WebMCP JSON compatibility status="warning"INFODiscover static WebMCP manifest candidates conventionalPaths=["/.well-known/webmcp.json","/webmcp.json"] checkedCount=2 profileCounts={}INFOWebMCP manifest candidate checked source="path" path="/.well-known/webmcp.json" url="https://coder.com/.well-known/webmcp.json" statusCode=404 contentType="text/html; charset=utf-8"INFOWebMCP manifest candidate checked source="path" path="/webmcp.json" url="https://coder.com/webmcp.json" statusCode=404 contentType="text/html; charset=utf-8"WARNValidate discovered static WebMCP metadata actual={"validManifestCount":0,"invalidManifestCount":0,"toolCount":0,"wmcpActionCount":0} expected="at least 1 valid tools[] manifest or WMCP graph when static metadata is present"WARNNo static WebMCP JSON manifest or WMCP interaction graph was found.Validate WebMCP tool metadata quality [informational]INFOValidate WebMCP tool metadata quality status="informational"INFOInspect WebMCP tool names, descriptions, schemas, and safety hints toolCount=0SKIPCheck tool metadata findings actual={"issueCount":0,"warningCount":0} expected="0 issues and 0 warnings"INFOWebMCP evidence was recorded for context. status="informational"Review WebMCP security and policy signals [informational]INFOReview WebMCP security and policy signals status="informational"INFOInspect WebMCP security and policy signals permissionsPolicy="camera=(), microphone=(), geolocation=()" failureCount=0 warningCount=0PASSCheck security findings actual={"failures":0,"warnings":0} expected="0 failures and 0 warnings"INFOWebMCP evidence was recorded for context. status="informational"

Validate OpenAPI shape [fail]! missing openapi/swagger version; missing info.title; missing info.version; no paths or webhooks defined; no operations defined; no operation responses definedINFOValidate OpenAPI shape status="fail"INFOValidate required OpenAPI shape versionFamily="missing" pathCount=0 webhookCount=0 operationCount=0FAILCheck operations define responses actual=0 expected="every operation should define responses"FAILCheck info metadata actual={"hasInfoTitle":false,"hasInfoVersion":false} expected="info.title and info.version present"FAILOpenAPI shape issue issue="missing openapi/swagger version"FAILOpenAPI shape issue issue="missing info.title"FAILOpenAPI shape issue issue="missing info.version"FAILOpenAPI shape issue issue="no paths or webhooks defined"FAILOpenAPI shape issue issue="no operations defined"FAILOpenAPI shape issue issue="no operation responses defined"FAILmissing openapi/swagger version; missing info.title; missing info.version; no paths or webhooks defined; no operations defined; no operation responses definedCheck machine-usable details [fail]! OpenAPI is valid, but missing schemas, parameters, servers, auth, operation IDs, tags, or examples reduces machine usability.INFOCheck machine-usable details status="fail"INFOInspect machine-usable operation details hasServers=false hasSecuritySchemes=false hasExplicitNoAuth=false requestBodyOperationCount=0 parameterOperationCount=0 responseSchemaOperationCount=0 operationIdCount=0 taggedOperationCount=0 exampleOperationCount=0WARNCheck OpenAPI operations include enough detail for agents to call them safely actual="2 machine-usability warning(s)" expected="servers, auth/no-auth signals, operationIds, parameters, request bodies, responses, tags, and examples where relevant"WARNMachine-usability warning warning="No server, host, or basePath information was found."WARNMachine-usability warning warning="No security schemes or explicit no-auth declaration were found."FAILOpenAPI is valid, but missing schemas, parameters, servers, auth, operation IDs, tags, or examples reduces machine usability.

Validate declared usage preferences [warning]! No Content-Usage or Content-Signal declarations were found.INFOValidate declared usage preferencesINFOParsing declared preferences into terms and values recordCount=0SKIPSkipping declaration validation because no Content-Usage or Content-Signal records were declared.SKIPCompare declared records to validation requirement actual=0 expected="No validation needed when no records are declared"WARNNo Content-Usage or Content-Signal declarations were present.

Discover RSL declarations [warning]! No RSL declarations were found.INFODiscover RSL declarationsINFOChecking robots.txt License records, HTTP Link rel=license headers, HTML license links, and inline RSL XML robotsFound=trueSKIPCount discovered RSL declarations actual=0 expected=">= 1 when RSL licensing terms are published" sources={}WARNNo RSL declarations were found on any supported discovery surface.

Fetch /.well-known/tdmrep.json [warning]! No TDMRep declaration was found at /.well-known/tdmrep.json.INFOFetch /.well-known/tdmrep.jsonINFORequesting origin-level TDMRep declaration at /.well-known/tdmrep.jsonWARNCompare TDMRep file response actual=404 expected="2xx with JSON array when origin-level TDMRep is published" contentType="text/html; charset=utf-8" length=53803WARNNo TDMRep declaration was found at /.well-known/tdmrep.json. 

Page landmarks [fail]! Expected exactly one visible main landmark; found 0.INFOPage landmarksFAILCheck page landmarks evidence actual={"counts":{"main":0,"roleMain":0,"nav":2,"roleNavigation":0,"header":1,"roleBanner":0,"footer":1,"pageFooter":1,"roleContentinfo":0},"main":false} expected="semantic HTML evidence for this step"FAILPage landmarks failed issue="Expected exactly one visible main landmark; found 0."Heading structure [fail]! Headings skip levels or include empty heading elements.INFOHeading structureFAILCheck heading structure evidence actual={"counts":{"h1":1,"visibleH1":1,"headings":17,"emptyHeadings":0},"meaningfulH1":true} expected="semantic HTML evidence for this step"FAILHeading structure failed issue="Headings skip levels or include empty heading elements."Links [fail]! 5 links are missing accessible names.INFOLinksFAILCheck links evidence actual={"counts":{"links":85,"inaccessibleLinks":5,"nonCrawlableLinks":0,"genericLinks":4},"accessibleLinks":false} expected="semantic HTML evidence for this step"FAILLinks failed issue="5 links are missing accessible names."Buttons and interactive controls [fail]! 1 button controls are missing accessible names.INFOButtons and interactive controlsFAILCheck buttons and interactive controls evidence actual={"counts":{"buttons":20,"inaccessibleButtons":1},"accessibleButtons":false} expected="links, buttons, and form controls expose accessible names"FAILButtons and interactive controls failed issue="1 button controls are missing accessible names."

WebSite entity [fail]! No WebSite entity was found in Schema.org structured data.INFOWebSite entityINFOLooking for WebSite entity in structured data FAILCheck WebSite entity presence actual=false expected=true fields=[{"name":"WebSite.@type","present":false},{"name":"WebSite.@id","present":false},{"name":"WebSite.name","present":false},{"name":"WebSite.url","present":false},{"name":"WebSite.publisher.@id","present":false},{"name":"WebSite.publisher.name","present":false},{"name":"WebSite.publisher.url","present":false}]FAILWebSite entity is missingIdentity fields [warning]! Missing identity field(s): WebSite.name, WebSite.url.INFOIdentity fieldsINFOChecking Organization and WebSite name/url fields organizationFormat="json-ld"WARNCheck required identity fields actual=2 expected=4 missing=["WebSite.name","WebSite.url"] organizationFields=[{"name":"Organization.@type","present":true,"value":"Organization","format":"json-ld"},{"name":"Organization.@id","present":false,"format":"json-ld"},{"name":"Organization.name","present":true,"value":"Coder","format":"json-ld"},{"name":"Organization.url","present":true,"value":"https://coder.com/","format":"json-ld"},{"name":"Organization.logo","present":true,"value":"https://coder.com/coder-logo-horizontal.png","format":"json-ld"},{"name":"Organization.sameAs","present":true,"value":["https://www.linkedin.com/company/coderhq/","https://x.com/coderhq","https://www.youtube.com/channel/UCWexK_ECcUU3vEIdb-Vykfw","https://github.com/coder"],"format":"json-ld"}] websiteFields=[{"name":"WebSite.@type","present":false},{"name":"WebSite.@id","present":false},{"name":"WebSite.name","present":false},{"name":"WebSite.url","present":false},{"name":"WebSite.publisher.@id","present":false},{"name":"WebSite.publisher.name","present":false},{"name":"WebSite.publisher.url","present":false}]WARNCheck identity URLs match scanned origin actual={"organizationUrlMatchesOrigin":true,"websiteUrlMatchesOrigin":false} expected={"organizationUrlMatchesOrigin":true,"websiteUrlMatchesOrigin":true}WARNIdentity fields are partially complete missing=["WebSite.name","WebSite.url"]WebSite publisher linkage [fail]! WebSite.publisher is missing.INFOWebSite publisher linkageINFOChecking whether WebSite.publisher points to the Organization entity organizationFormat="json-ld"FAILCheck publisher presence actual=false expected=true publisher={"present":false,"matchesOrganization":false} website={} organization={"name":"Coder","url":"https://coder.com/"}FAILCheck publisher matches Organization actual=false expected=trueFAILWebSite publisher is missing

Evaluate fetch baseline [fail]! CSP does not define default-src; several fetch directives may have no restrictive fallback.INFOEvaluate fetch baselineINFOEvaluate resource loading fallback explicitFetchDirectives=[]FAILCompare fetch baseline actual="0 explicit fetch directives" expected="restricted default-src or broad explicit fetch coverage" issue="CSP does not define default-src; several fetch directives may have no restrictive fallback."FAILCSP does not define default-src; several fetch directives may have no restrictive fallback.Evaluate script execution [fail]! No script-src or default-src directive constrains script execution.INFOEvaluate script executionINFOInspect effective script directive FAILCompare script execution posture actual={"hasNonce":false,"hasHash":false,"hasStrictDynamic":false,"hasUnsafeInline":false,"hasUnsafeEval":false,"hasWildcardHost":false,"hasBroadScheme":false,"dangerousSchemes":[]} expected="constrained script sources without unsafe execution allowances" issue="No script-src or default-src directive constrains script execution."FAILNo script-src or default-src directive constrains script execution.Review hardening directives [warning]! CSP is missing recommended hardening directives: object-src, base-uri.INFOReview hardening directivesINFOInspect CSP hardening directives frameAncestors=["'self'","http://coder.lookbookhq.com","https://coder.lookbookhq.com","http://coder.pathfactory.com","https://coder.pathfactory.com","http://resources.coder.com","https://resources.coder.com","https://help.coder.com","https://coder.zendesk.com"] formCount=0WARNCompare recommended hardening coverage actual=["object-src","base-uri"] expected="no missing object-src/base-uri/form-action requirements" issue="CSP is missing recommended hardening directives: object-src, base-uri."WARNCSP is missing recommended hardening directives: object-src, base-uri.Review CSP reporting [warning]! CSP does not define a reporting endpoint.INFOReview CSP reportingINFOInspect CSP reporting directives reportOnlyHeaderPresent=false reportOnlyDirectives=[]WARNCompare violation reporting configuration actual="no reporting endpoint" expected="report-to or report-uri present" issue="CSP does not define a reporting endpoint."WARNCSP does not define a reporting endpoint.

Discover A2A Agent Card [warning]! No A2A Agent Card was found at the current, legacy, or fallback discovery paths.INFODiscover A2A Agent CardINFOTry A2A discovery paths in priority order paths=["/.well-known/agent-card.json","/.well-known/agent.json","/agent-card.json","/.well-known/a2a/agent-card.json"]WARNA2A candidate path did not return a usable card path="/.well-known/agent-card.json" statusCode=404 contentType="text/html; charset=utf-8"WARNA2A candidate path did not return a usable card path="/.well-known/agent.json" statusCode=404 contentType="text/html; charset=utf-8"WARNA2A candidate path did not return a usable card path="/agent-card.json" statusCode=404 contentType="text/html; charset=utf-8"WARNA2A candidate path did not return a usable card path="/.well-known/a2a/agent-card.json" statusCode=404 contentType="text/html; charset=utf-8"WARNNo A2A Agent Card candidate was selectedWARNNo A2A Agent Card was found at the current, legacy, or fallback discovery paths.

Discover agents.json [warning]! No Wildcard-style agents.json file was found.INFODiscover agents.jsonINFOTry agents.json discovery paths in priority order paths=["/.well-known/agents.json","/agents.json"]WARNagents.json candidate path did not return a usable contract path="/.well-known/agents.json" statusCode=404 contentType="text/html; charset=utf-8"WARNagents.json candidate path did not return a usable contract path="/agents.json" statusCode=404 contentType="text/html; charset=utf-8"WARNNo agents.json candidate was selectedWARNNo Wildcard-style agents.json file was found.

Query DNS-AID records [warning]! No DNS-AID HTTPS/SVCB records were found under _agents.INFOQuery DNS-AID recordsINFOBuild DNS-AID query names from hostname hostname="coder.com" labels=["_index._agents.coder.com","_a2a._agents.coder.com"] claimedOnPage=falseWARNDNS query returned no DNS-AID answers name="_index._agents.coder.com" rrtype="HTTPS" resolver="cloudflare-doh-json" rcode=3 ad=false answerCount=0WARNDNS query returned no DNS-AID answers name="_index._agents.coder.com" rrtype="SVCB" resolver="cloudflare-doh-json" rcode=3 ad=false answerCount=0WARNDNS query returned no DNS-AID answers name="_index._agents.coder.com" rrtype="ANY" resolver="node-resolveAny-fallback" answerCount=0 error="queryAny ETIMEOUT _index._agents.coder.com"WARNDNS query returned no DNS-AID answers name="_a2a._agents.coder.com" rrtype="HTTPS" resolver="cloudflare-doh-json" rcode=3 ad=false answerCount=0WARNDNS query returned no DNS-AID answers name="_a2a._agents.coder.com" rrtype="SVCB" resolver="cloudflare-doh-json" rcode=3 ad=false answerCount=0WARNDNS query returned no DNS-AID answers name="_a2a._agents.coder.com" rrtype="ANY" resolver="node-resolveAny-fallback" answerCount=0 error="queryAny ETIMEOUT _a2a._agents.coder.com"WARNCompare total DNS-AID answer count actual=0 expected="> 0"WARNNo DNS-AID HTTPS/SVCB records were found under _agents.Check DNSSEC authentication evidence [warning]! DNSSEC authentication evidence was not visible for the DNS-AID labels or hostname.INFOCheck DNSSEC authentication evidenceWARNCompare DNSSEC authenticated-data flag actual=false expected=trueWARNCompare visible DNSSEC material actual=false expected=trueWARNResolver did not confirm authenticated DNSSEC data name="_index._agents.coder.com" rrtype="HTTPS" resolver="cloudflare-doh-json" ad=false dnssecTypes=[]WARNResolver did not confirm authenticated DNSSEC data name="_index._agents.coder.com" rrtype="SVCB" resolver="cloudflare-doh-json" ad=false dnssecTypes=[]WARNResolver did not confirm authenticated DNSSEC data name="_index._agents.coder.com" rrtype="ANY" resolver="node-resolveAny-fallback" dnssecTypes=[]WARNResolver did not confirm authenticated DNSSEC data name="_a2a._agents.coder.com" rrtype="HTTPS" resolver="cloudflare-doh-json" ad=false dnssecTypes=[]WARNResolver did not confirm authenticated DNSSEC data name="_a2a._agents.coder.com" rrtype="SVCB" resolver="cloudflare-doh-json" ad=false dnssecTypes=[]WARNResolver did not confirm authenticated DNSSEC data name="_a2a._agents.coder.com" rrtype="ANY" resolver="node-resolveAny-fallback" dnssecTypes=[]WARNResolver did not confirm authenticated DNSSEC data name="_index._agents.coder.com" rrtype="DNSKEY" resolver="cloudflare-doh-json" ad=false dnssecTypes=[]WARNResolver did not confirm authenticated DNSSEC data name="_a2a._agents.coder.com" rrtype="DNSKEY" resolver="cloudflare-doh-json" ad=false dnssecTypes=[]WARNResolver did not confirm authenticated DNSSEC data name="coder.com" rrtype="DNSKEY" resolver="cloudflare-doh-json" ad=false dnssecTypes=[]WARNDNSSEC authentication evidence was not visible for the DNS-AID labels or hostname.

Validate skill entries [warning]! One or more Agent Skills entries have quality or trust warnings.INFOValidate skill entriesWARNCompare advertised skill count actual=3 expected="> 0"WARNCompare valid skill entry count actual=3 expected="same as advertised skill count"WARNSkill entry warning skill={"index":0,"valid":true,"name":"modules","type":"skill-md","description":"Add a Coder module from registry.coder.com/modules to an existing Coder template, or update one that is already there. Use for requests like \"add the Cursor IDE to my template\", \"give workspaces JetBrains access\", \"set up code-server\", \"wire in dotfiles\", \"install Claude Code in this template\", or \"pin module versions\". Do not use for installing or upgrading Coder itself (use the setup skill), authoring a brand-new template from scratch (use the templates skill), or publishing a custom module to the registry.","url":"https://raw.githubusercontent.com/coder/skills/030803838526f47fa11648198ef9001acb3b3de2/skills/modules/SKILL.md","digest":"sha256:7c8f06cc2ee3ebc505a372adef7a1130bcec78fc4515e08373fc2a1bb8b104ba","resolvedUrl":"https://raw.githubusercontent.com/coder/skills/030803838526f47fa11648198ef9001acb3b3de2/skills/modules/SKILL.md","originClass":"external","missing":[],"invalid":[],"warnings":["artifact URL is cross-origin; clients must treat it as a separate trust boundary"]}WARNSkill entry warning skill={"index":1,"valid":true,"name":"setup","type":"skill-md","description":"Install, deploy, or bootstrap a new Coder (coder/coder) deployment end-to-end. Use for first-time setup on Docker, Kubernetes/Helm, a VM, cloud, HTTPS/domain setup, creating the first admin, pushing a starter template, or building the first workspace. Do not use for upgrades, debugging an existing deployment, editing an existing template, or configuring OAuth/OIDC on a running deployment.","url":"https://raw.githubusercontent.com/coder/skills/030803838526f47fa11648198ef9001acb3b3de2/skills/setup/SKILL.md","digest":"sha256:62ad3665166ffd790a7666a1d6ca1ef5f945863c00c01b697b269b3a218feaef","resolvedUrl":"https://raw.githubusercontent.com/coder/skills/030803838526f47fa11648198ef9001acb3b3de2/skills/setup/SKILL.md","originClass":"external","missing":[],"invalid":[],"warnings":["artifact URL is cross-origin; clients must treat it as a separate trust boundary"]}WARNSkill entry warning skill={"index":2,"valid":true,"name":"templates","type":"skill-md","description":"Create, edit, push, or version a Coder template. Use for requests like \"scaffold a Docker template\", \"build a Kubernetes template\", \"add a coder_parameter for the Git repo URL\", \"push my template to this Coder deployment\", \"update the existing aws-linux template to add JetBrains\", or \"deprecate this template version\". Do not use for installing or upgrading Coder itself (use the setup skill), adding a single module to a template that already builds (use the modules skill), or authoring custom Terraform providers unrelated to Coder.","url":"https://raw.githubusercontent.com/coder/skills/030803838526f47fa11648198ef9001acb3b3de2/skills/templates/SKILL.md","digest":"sha256:31baa658b438de38f191b9517d05137acd46873673f835ba00ac4256a95b2859","resolvedUrl":"https://raw.githubusercontent.com/coder/skills/030803838526f47fa11648198ef9001acb3b3de2/skills/templates/SKILL.md","originClass":"external","missing":[],"invalid":[],"warnings":["artifact URL is cross-origin; clients must treat it as a separate trust boundary"]}WARNOne or more Agent Skills entries have quality or trust warnings.Validate skill content [warning]! description is short; stronger skills describe both task scope and when to use the skill.INFOValidate skill contentWARNCompare skill artifact content failures actual=0 expected=0 name="modules" type="skill-md" url="https://raw.githubusercontent.com/coder/skills/030803838526f47fa11648198ef9001acb3b3de2/skills/modules/SKILL.md"WARNSkill content validation warning name="modules" warning="description is short; stronger skills describe both task scope and when to use the skill."WARNSkill content validation warning name="modules" warning="description does not clearly state when an agent should activate the skill."WARNCompare skill artifact content failures actual=0 expected=0 name="setup" type="skill-md" url="https://raw.githubusercontent.com/coder/skills/030803838526f47fa11648198ef9001acb3b3de2/skills/setup/SKILL.md"WARNSkill content validation warning name="setup" warning="description is short; stronger skills describe both task scope and when to use the skill."WARNSkill content validation warning name="setup" warning="description does not clearly state when an agent should activate the skill."WARNCompare skill artifact content failures actual=0 expected=0 name="templates" type="skill-md" url="https://raw.githubusercontent.com/coder/skills/030803838526f47fa11648198ef9001acb3b3de2/skills/templates/SKILL.md"WARNSkill content validation warning name="templates" warning="description is short; stronger skills describe both task scope and when to use the skill."WARNSkill content validation warning name="templates" warning="description does not clearly state when an agent should activate the skill."WARNdescription is short; stronger skills describe both task scope and when to use the skill.Review skill artifact security [warning]! SKILL.md references external URLs; fetched content is an additional trust boundary (https://coder.com/docs/llms.txt, https://coder.com/docs/llms-full.txt, https://registry.coder.com/mcp`, https://registry.coder.com/modules).INFOReview skill artifact securityFAILCompare security finding count actual=5 expected=0WARNAgent Skills artifact security warning finding="SKILL.md references external URLs; fetched content is an additional trust boundary (https://coder.com/docs/llms.txt, https://coder.com/docs/llms-full.txt, https://registry.coder.com/mcp`, https://registry.coder.com/modules)."WARNAgent Skills artifact security warning finding="SKILL.md references shell or code-execution patterns that can modify systems, fetch remote code, or move data."WARNAgent Skills artifact security warning finding="SKILL.md references external URLs; fetched content is an additional trust boundary (https://coder.com/docs/llms.txt, https://coder.com/docs/llms-full.txt, https://coder.com/install.sh, http://localhost:7080`)."WARNAgent Skills artifact security warning finding="SKILL.md references shell or code-execution patterns that can modify systems, fetch remote code, or move data."WARNAgent Skills artifact security warning finding="SKILL.md references external URLs; fetched content is an additional trust boundary (https://coder.com/docs/llms.txt, https://coder.com/docs/llms-full.txt, https://registry.coder.com/templates, https://registry.coder.com/modules, https://github.com/coder/registry/blob/main/AGENTS.md, https://github.com/coder/registry/blob/main/.github/PULL_REQUEST_TEMPLATE.md)."WARNSKILL.md references external URLs; fetched content is an additional trust boundary (https://coder.com/docs/llms.txt, https://coder.com/docs/llms-full.txt, https://registry.coder.com/mcp`, https://registry.coder.com/modules).

Advertised Markdown alternate [fail]INFOAdvertised Markdown alternateFAILCheck advertised Markdown alternate candidates actual=1 expected="> 0 when HTML advertises a Markdown alternate" advertisedUrls=["https://coder.com/index.md"] candidateCount=0FAILAdvertised Markdown alternate failed Conventional .md mirror [informational]INFOConventional .md mirrorINFOCheck conventional Markdown mirror candidates actual=0 expected="> 0 when a conventional mirror is discoverable" conventionalUrls=[] candidateCount=0PASSConventional .md mirror recorded for context status="informational"

Schema.org attribution [warning]! Schema.org attribution is incomplete or relies only on publisher/fallback evidence.INFOSchema.org attributionINFOChecking structured data for author, creator, and publisher contributorsWARNCheck named Schema.org author count actual=0 expected="> 0" authorCount=0 publisherCount=1 namedContributors=1 authors=[] publishers=[{"role":"publisher","name":"Coder","type":"Organization","url":"https://coder.com/","sameAs":[],"format":"json-ld","mergedName":false}] formats=["json-ld"]WARNSchema.org attribution is incomplete or fallback-only authorCount=0 publisherCount=1 authors=[] publishers=[{"role":"publisher","name":"Coder","type":"Organization","url":"https://coder.com/","sameAs":[],"format":"json-ld","mergedName":false}]

Check API catalog HEAD Link header [warning]! HEAD /.well-known/api-catalog did not expose a Link header with rel="api-catalog".INFOCheck API catalog HEAD Link headerINFOSend HEAD request to API catalog path attempted=true statusCode=200 contentType="application/linkset+json; profile=\"https://www.rfc-editor.org/info/rfc9727\""WARNCompare HEAD Link rel=api-catalog count actual=0 expected="> 0"WARNHEAD /.well-known/api-catalog did not expose a Link header with rel="api-catalog". status="warning"

Review observed browser responses [warning]! One or more same-origin browser-observed responses had missing or non-conformant nosniff headers.INFOReview observed browser responsesINFOSample Chrome-observed same-origin resources observedResponseCount=47 sameOriginCount=47 eligibleCount=47WARNCompare observed nosniff coverage actual={"missingNosniffCount":2,"malformedNosniffCount":0,"activeResourceMissingNosniffCount":0,"affected":[{"url":"https://coder.com/fonts/LayGrotesk-Medium.woff2","status":200,"resourceType":"font","contentType":"font/woff2"},{"url":"https://coder.com/fonts/FTSystemMono-Medium.woff2","status":200,"resourceType":"font","contentType":"font/woff2"}]} expected="0 missing or malformed eligible same-origin responses" issue="One or more same-origin browser-observed responses had missing or non-conformant nosniff headers."WARNOne or more same-origin browser-observed responses had missing or non-conformant nosniff headers.

Review subdomain scope [warning]! HSTS is valid, but includeSubDomains is absent.INFOReview subdomain scopeINFOInspect subdomain enforcement scope includeSubDomains=falseWARNCompare includeSubDomains coverage actual="absent" expected="included after subdomains are HTTPS-ready" issue="HSTS is valid, but includeSubDomains is absent."WARNHSTS is valid, but includeSubDomains is absent.

Review CSP and XFO interaction [warning]! CSP frame-ancestors and X-Frame-Options express different framing policies.INFOReview CSP and XFO interactionINFOCompare modern CSP and legacy XFO behavior modernBrowserMechanism="csp-frame-ancestors" cspOverridesXfo=true cspMode="explicit" xfoDirective="sameorigin"WARNCheck CSP/XFO policy alignment actual="conflict detected" expected="no conflicting framing policy" issue="CSP frame-ancestors and X-Frame-Options express different framing policies."WARNCSP frame-ancestors and X-Frame-Options express different framing policies.

Find advertised IndexNow key location [informational]! No IndexNow key location was advertised in HTML, Link headers, or robots.txt.INFOFind advertised IndexNow key locationINFOLook for IndexNow key hints in HTML, Link headers, and robots.txt supportedHints=["robots.txt IndexNow-Key","rel=indexnow-key","meta name=indexnow-key-location"]PASSCompare advertised key location count actual=0 expected="> 0"WARNNo IndexNow key location was advertised in HTML, Link headers, or robots.txt.Fetch and validate IndexNow key file [informational]! No discoverable IndexNow key file was found.INFOFetch and validate IndexNow key fileINFOLook for IndexNow key hints in HTML, Link headers, and robots.txt supportedHints=["robots.txt IndexNow-Key","rel=indexnow-key","meta name=indexnow-key-location"]PASSCompare advertised key location count actual=0 expected="> 0"INFOFetch each advertised same-origin key file and validate filename/body matchFAILCompare valid IndexNow key file count actual=0 expected="> 0"WARNNo discoverable IndexNow key file was found.