Validate RFC 9309 core syntax [fail]! robots.txt was found but did not contain a valid, parseable User-agent group.INFOValidate RFC 9309 core syntaxINFOParsing robots.txt into User-agent groups and Allow/Disallow recordsPASSCheck User-agent group count actual=1 expected=">= 1 parseable group" parsedUserAgents=["*"]FAILCheck malformed lines and orphan Allow/Disallow records actual={"invalidLines":0,"orphanRecords":6} expected={"invalidLines":0,"orphanRecords":0}FAILAllow/Disallow records appeared before any User-agent group orphanRecords=[{"directive":"allow","value":"/","line":33},{"directive":"disallow","value":"/client-ip-geolocation","line":34},{"directive":"disallow","value":"/plans/","line":35},{"directive":"disallow","value":"/constellation","line":36},{"directive":"disallow","value":"/cdn-cgi/","line":37}]

Detect WebMCP runtime API [informational]INFODetect WebMCP runtime API status="informational"INFOProbe rendered browser for WebMCP runtime objects SKIPCheck current W3C runtime API actual="not detected" expected="document.modelContext/registerTool available"INFOWebMCP evidence was recorded for context. status="informational"Probe WebMCP operability [warning]! No WebMCP surface was found to probe.INFOProbe WebMCP operability status="warning"INFORun safe WebMCP operability checks safeProbeOnly=trueWARNCheck usable WebMCP evidence actual=0 expected="at least 1 usable runtime, declarative, annotation, or static manifest signal"WARNWebMCP operability warning warning="No WebMCP surface was found to probe."WARNWebMCP operability warning warning="Conventional WebMCP manifest paths were checked but did not return a valid manifest."WARNNo WebMCP surface was found to probe.Validate declarative WebMCP form tools [informational]! No W3C-style declarative WebMCP form attributes were found.INFOValidate declarative WebMCP form tools status="informational"INFOInspect visible forms and controls for current declarative WebMCP attributes annotatedElements=0 formsWithAttributes=0 controlsWithAttributes=0SKIPValidate declarative WebMCP attribute quality actual=0 expected=0INFONo W3C-style declarative WebMCP form attributes were found. status="informational"Validate MCP-aware HTML annotations [informational]! No data-mcp-tool or hyphenated WebMCP compatibility annotations were found.INFOValidate MCP-aware HTML annotations status="informational"INFOInspect HTML for MCP compatibility annotations compatibilityAttributeCount=0 dataMcpToolCount=0 examples=[]SKIPValidate compatibility annotation quality actual=0 expected=0INFONo data-mcp-tool or hyphenated WebMCP compatibility annotations were found. status="informational"Validate static WebMCP JSON compatibility [warning]! No static WebMCP JSON manifest or WMCP interaction graph was found.INFOValidate static WebMCP JSON compatibility status="warning"INFODiscover static WebMCP manifest candidates conventionalPaths=["/.well-known/webmcp.json","/webmcp.json"] checkedCount=2 profileCounts={}INFOWebMCP manifest candidate checked source="path" path="/.well-known/webmcp.json" url="https://developers.cloudflare.com/.well-known/webmcp.json" statusCode=404 contentType="text/html"INFOWebMCP manifest candidate checked source="path" path="/webmcp.json" url="https://developers.cloudflare.com/webmcp.json" statusCode=404 contentType="text/html"WARNValidate discovered static WebMCP metadata actual={"validManifestCount":0,"invalidManifestCount":0,"toolCount":0,"wmcpActionCount":0} expected="at least 1 valid tools[] manifest or WMCP graph when static metadata is present"WARNNo static WebMCP JSON manifest or WMCP interaction graph was found.Validate WebMCP tool metadata quality [informational]INFOValidate WebMCP tool metadata quality status="informational"INFOInspect WebMCP tool names, descriptions, schemas, and safety hints toolCount=0SKIPCheck tool metadata findings actual={"issueCount":0,"warningCount":0} expected="0 issues and 0 warnings"INFOWebMCP evidence was recorded for context. status="informational"Review WebMCP security and policy signals [informational]INFOReview WebMCP security and policy signals status="informational"INFOInspect WebMCP security and policy signals permissionsPolicy="(missing)" failureCount=0 warningCount=0PASSCheck security findings actual={"failures":0,"warnings":0} expected="0 failures and 0 warnings"INFOWebMCP evidence was recorded for context. status="informational"

Classify AI crawler rules [fail]! No explicit User-agent rules were found for major AI crawler tokens.INFOClassify AI crawler rulesINFOParsing User-agent groups and Allow/Disallow records for known AI crawler tokens evaluatedPath="/"INFOEvaluating exact User-agent matches before wildcard fallback exactAiPolicyCount=0 totalCrawlerTokens=18FAILNo explicit AI crawler User-agent groups were found examplesExpected=["GPTBot","OAI-SearchBot","ClaudeBot","Google-Extended","CCBot"]FAILCompare explicit AI crawler coverage actual=0 expected="> 0 explicit non-search AI crawler policies" missingTokens=["GPTBot","OAI-SearchBot","ChatGPT-User","ClaudeBot","Claude-SearchBot","Claude-User","Google-Extended","Applebot-Extended","Amazonbot","Amzn-SearchBot","Amzn-User","PerplexityBot"]INFOResolved effective root-path policy for crawler tokens blocked=0 allowed=21 unspecified=0

Organization entity [fail]! No Organization or Organization subtype was found in Schema.org structured data.INFOOrganization entityINFOLooking for Organization or Organization subtype in structured data observedTypes=[]FAILCheck Organization entity presence actual=false expected=true fields=[{"name":"Organization.@type","present":false},{"name":"Organization.@id","present":false},{"name":"Organization.name","present":false},{"name":"Organization.url","present":false},{"name":"Organization.logo","present":false},{"name":"Organization.sameAs","present":false}]FAILOrganization entity is missingWebSite entity [fail]! No WebSite entity was found in Schema.org structured data.INFOWebSite entityINFOLooking for WebSite entity in structured data FAILCheck WebSite entity presence actual=false expected=true fields=[{"name":"WebSite.@type","present":false},{"name":"WebSite.@id","present":false},{"name":"WebSite.name","present":false},{"name":"WebSite.url","present":false},{"name":"WebSite.publisher.@id","present":false},{"name":"WebSite.publisher.name","present":false},{"name":"WebSite.publisher.url","present":false}]FAILWebSite entity is missingIdentity fields [fail]! Missing identity field(s): Organization.name, Organization.url, WebSite.name, WebSite.url.INFOIdentity fieldsINFOChecking Organization and WebSite name/url fields FAILCheck required identity fields actual=0 expected=4 missing=["Organization.name","Organization.url","WebSite.name","WebSite.url"] organizationFields=[{"name":"Organization.@type","present":false},{"name":"Organization.@id","present":false},{"name":"Organization.name","present":false},{"name":"Organization.url","present":false},{"name":"Organization.logo","present":false},{"name":"Organization.sameAs","present":false}] websiteFields=[{"name":"WebSite.@type","present":false},{"name":"WebSite.@id","present":false},{"name":"WebSite.name","present":false},{"name":"WebSite.url","present":false},{"name":"WebSite.publisher.@id","present":false},{"name":"WebSite.publisher.name","present":false},{"name":"WebSite.publisher.url","present":false}]WARNCheck identity URLs match scanned origin actual={"organizationUrlMatchesOrigin":false,"websiteUrlMatchesOrigin":false} expected={"organizationUrlMatchesOrigin":true,"websiteUrlMatchesOrigin":true}FAILIdentity fields are missing missing=["Organization.name","Organization.url","WebSite.name","WebSite.url"]WebSite publisher linkage [fail]! WebSite.publisher is missing.INFOWebSite publisher linkageINFOChecking whether WebSite.publisher points to the Organization entity FAILCheck publisher presence actual=false expected=true publisher={"present":false,"matchesOrganization":false} website={} organization={}FAILCheck publisher matches Organization actual=false expected=trueFAILWebSite publisher is missingOrganization trust fields [fail]! Organization schema is missing logo and sameAs or public contact evidence.INFOOrganization trust fieldsINFOChecking logo, sameAs, and public contact evidence FAILCheck logo presence actual=false expected=true fields=[{"name":"Organization.logo","present":false},{"name":"Organization.sameAs","present":false},{"name":"Organization.contactPoint","present":false},{"name":"Organization.telephone","present":false},{"name":"Organization.email","present":false},{"name":"Organization.address","present":false}]FAILCheck sameAs or contact evidence actual=0 expected=">= 1" sameAsCount=0 contactSignalCount=0 fields=[{"name":"Organization.logo","present":false},{"name":"Organization.sameAs","present":false},{"name":"Organization.contactPoint","present":false},{"name":"Organization.telephone","present":false},{"name":"Organization.email","present":false},{"name":"Organization.address","present":false}]FAILOrganization trust fields are missing

Fetch discovery metadata [fail]! OAuth/OIDC was claimed or referenced, but no registered OAuth/OIDC discovery document was found.INFOFetch discovery metadataINFOTrying OAuth/OIDC well-known metadata candidates checkedCount=2INFOChecked discovery candidate path="/.well-known/openid-configuration" statusCode=404 contentType="text/html" length=32241INFOChecked discovery candidate path="/.well-known/oauth-authorization-server" statusCode=404 contentType="text/html" length=32241FAILCheck discovery metadata fetch succeeded actual=2 expected="HTTP 2xx JSON metadata document"FAILFetch discovery metadata failed issue="OAuth/OIDC was claimed or referenced, but no registered OAuth/OIDC discovery document was found."

Validate CSP frame-ancestors [fail]! frame-ancestors contains invalid source expressions: cloudflare.com, *.cloudflare.com.INFOValidate CSP frame-ancestorsINFORead CSP frame-ancestors signals enforcingHeaderPresent=true reportOnlyHeaderPresent=false metaFrameAncestors=false policyCount=1 duplicateDirectives=[]FAILCompare effective frame-ancestors directive actual={"values":["'self'","cloudflare.com","*.cloudflare.com"],"mode":"malformed","valid":false,"restrictive":false,"broadSources":[]} expected="valid restrictive enforcing frame-ancestors" issue="frame-ancestors contains invalid source expressions: cloudflare.com, *.cloudflare.com."FAILframe-ancestors contains invalid source expressions: cloudflare.com, *.cloudflare.com.Validate X-Frame-Options [fail]! No valid X-Frame-Options fallback is present.INFOValidate X-Frame-OptionsINFORead X-Frame-Options fallback value="missing" parsedValues=[] normalizedValues=[]FAILCompare X-Frame-Options value actual="missing" expected="DENY or SAMEORIGIN" valid=false obsoleteAllowFrom=false duplicateOrConflicting=false issue="No valid X-Frame-Options fallback is present."FAILNo valid X-Frame-Options fallback is present.Review observed browser responses [warning]! One or more same-origin HTML documents observed by Chrome did not emit valid frame protection.INFOReview observed browser responsesINFOSample Chrome-observed same-origin responses observedResponseCount=37 sameOriginCount=32 htmlDocumentCount=1WARNCompare observed HTML frame protection actual={"missingOrInvalidFrameProtectionCount":1,"broadFrameAncestorsCount":0,"affected":[{"url":"https://developers.cloudflare.com/","status":200,"resourceType":"document","contentType":"text/html","contentSecurityPolicy":"form-action 'self'; frame-src 'self' company-target.com *.company-target.com cloudflarestream.com *.cloudflarestream.com youtube-nocookie.com *.youtube-nocookie.com videodelivery.net *.videodelivery.net cloudflare.com *.cloudflare.com; frame-ancestors 'self' cloudflare.com *.cloudflare.com; script-s","contentSecurityPolicyReportOnly":null}]} expected="0 missing/invalid or broad same-origin HTML responses" issue="One or more same-origin HTML documents observed by Chrome did not emit valid frame protection."WARNOne or more same-origin HTML documents observed by Chrome did not emit valid frame protection.

Warn when auth surface lacks Auth.md [warning]! The site appears to support login, signup, account access, or credentials but does not publish /auth.md.INFOWarn when auth surface lacks Auth.mdWARNThe site appears to support login, signup, account access, or credentials but does not publish /auth.md.

Detect protected-resource applicability [warning]! Generic authentication signals were found, but no OAuth Protected Resource metadata signal was detected.INFODetect protected-resource applicabilityINFOInspecting auth headers, MCP/OAuth claims, and protected-resource hints applies=false requiresAuthorizationServers=false signalsCount=0 genericAuthSignalsCount=3 checkedCount=1WARNCheck protected-resource metadata applicability actual=false expected="true when RFC 9728 metadata exists or support is claimed" checked=[{"url":"https://developers.cloudflare.com/.well-known/oauth-protected-resource","path":"/.well-known/oauth-protected-resource","source":"root-well-known","resourceIdentifier":"https://developers.cloudflare.com","statusCode":404,"contentType":"text/html","length":32241}]WARNDetect protected-resource applicability completed with warnings issue="Generic authentication signals were found, but no OAuth Protected Resource metadata signal was detected."

Discover RSL declarations [warning]! No RSL declarations were found.INFODiscover RSL declarationsINFOChecking robots.txt License records, HTTP Link rel=license headers, HTML license links, and inline RSL XML robotsFound=trueSKIPCount discovered RSL declarations actual=0 expected=">= 1 when RSL licensing terms are published" sources={}WARNNo RSL declarations were found on any supported discovery surface.

Fetch /.well-known/tdmrep.json [warning]! No TDMRep declaration was found at /.well-known/tdmrep.json.INFOFetch /.well-known/tdmrep.jsonINFORequesting origin-level TDMRep declaration at /.well-known/tdmrep.jsonWARNCompare TDMRep file response actual=404 expected="2xx with JSON array when origin-level TDMRep is published" contentType="text/html" length=32241WARNNo TDMRep declaration was found at /.well-known/tdmrep.json. 

Find Referrer-Policy header [fail]! Referrer-Policy header is missing.INFOFind Referrer-Policy headerINFORead Referrer-Policy delivery header="referrer-policy" value="missing" metaReferrerPolicyCount=0 browserDefault="strict-origin-when-cross-origin"FAILRequire explicit HTTP Referrer-Policy header actual="missing" expected="HTTP response header present" issue="Referrer-Policy header is missing."FAILReferrer-Policy header is missing.Review observed browser responses [warning]! One or more same-origin HTML documents observed by Chrome did not emit Referrer-Policy.INFOReview observed browser responsesINFOSample Chrome-observed same-origin responses observedResponseCount=37 sameOriginCount=32 htmlDocumentCount=1WARNCompare observed Referrer-Policy coverage actual={"missingPolicyCount":1,"unsafeOrInvalidPolicyCount":0,"weakPolicyCount":0,"affected":[{"url":"https://developers.cloudflare.com/","status":200,"resourceType":"document","contentType":"text/html","referrerPolicy":null,"classification":"invalid"}]} expected="0 missing, unsafe, invalid, or weak same-origin HTML responses" issue="One or more same-origin HTML documents observed by Chrome did not emit Referrer-Policy."WARNOne or more same-origin HTML documents observed by Chrome did not emit Referrer-Policy.

Discover MCP server card [warning]! The MCP server card was found only at a transitional or linked path.INFODiscover MCP server card candidateCount=5INFOBuild MCP server-card candidate list currentPath="/.well-known/mcp-server-card" transitionalPaths=["/.well-known/mcp/server-card.json","/.well-known/mcp/server-cards.json","/mcp.json","/.well-known/mcp.json"] linkedPaths=[]INFOTrying to fetch /.well-known/mcp-server-card url="https://developers.cloudflare.com/.well-known/mcp-server-card" source="current"FAIL/.well-known/mcp-server-card did not return a usable server card statusCode=404 contentType="text/html"INFOTrying to fetch /.well-known/mcp/server-card.json url="https://developers.cloudflare.com/.well-known/mcp/server-card.json" source="transitional"PASS/.well-known/mcp/server-card.json returned a successful response statusCode=200 contentType="application/json; charset=utf-8" finalUrl="https://developers.cloudflare.com/.well-known/mcp/server-card.json"INFOTrying to fetch /.well-known/mcp/server-cards.json url="https://developers.cloudflare.com/.well-known/mcp/server-cards.json" source="transitional"FAIL/.well-known/mcp/server-cards.json did not return a usable server card statusCode=404 contentType="text/html"INFOTrying to fetch /mcp.json url="https://developers.cloudflare.com/mcp.json" source="transitional"FAIL/mcp.json did not return a usable server card statusCode=404 contentType="text/html"INFOTrying to fetch /.well-known/mcp.json url="https://developers.cloudflare.com/.well-known/mcp.json" source="transitional"FAIL/.well-known/mcp.json did not return a usable server card statusCode=404 contentType="text/html"WARNCheck selected card is published at the current well-known path actual="/.well-known/mcp/server-card.json" expected="/.well-known/mcp-server-card" source="transitional" finalUrl="https://developers.cloudflare.com/.well-known/mcp/server-card.json"WARNMCP server card was discovered through a transitional or linked path path="/.well-known/mcp/server-card.json" source="transitional" reason="The MCP server card was found only at a transitional or linked path."Validate MCP remotes [warning]! At least one MCP remote is cross-origin and was not actively probed by this scanner.INFOValidate MCP remotes remoteCount=27PASSCheck at least one MCP remote is declared actual=27 expected="> 0"PASSCheck invalid remote count actual=0 expected=0 invalidRemotes=[]WARNCheck same-origin remote coverage actual=0 expected=27PASSRemote #0 is syntactically usable index=0 source="remotes" type="streamable-http" url="https://mcp.cloudflare.com/mcp" sameOrigin=false authRequired=true issues=[]PASSRemote #1 is syntactically usable index=1 source="remotes" type="streamable-http" url="https://docs.mcp.cloudflare.com/mcp" sameOrigin=false authRequired=false issues=[]PASSRemote #2 is syntactically usable index=2 source="remotes" type="streamable-http" url="https://observability.mcp.cloudflare.com/mcp" sameOrigin=false authRequired=true issues=[]PASSRemote #3 is syntactically usable index=3 source="remotes" type="streamable-http" url="https://bindings.mcp.cloudflare.com/mcp" sameOrigin=false authRequired=true issues=[]PASSRemote #4 is syntactically usable index=4 source="remotes" type="streamable-http" url="https://builds.mcp.cloudflare.com/mcp" sameOrigin=false authRequired=true issues=[]PASSRemote #5 is syntactically usable index=5 source="remotes" type="streamable-http" url="https://containers.mcp.cloudflare.com/mcp" sameOrigin=false authRequired=true issues=[]PASSRemote #6 is syntactically usable index=6 source="remotes" type="streamable-http" url="https://browser.mcp.cloudflare.com/mcp" sameOrigin=false authRequired=true issues=[]PASSRemote #7 is syntactically usable index=7 source="remotes" type="streamable-http" url="https://logs.mcp.cloudflare.com/mcp" sameOrigin=false authRequired=true issues=[]WARNMCP remotes are valid but not all can be actively probed reason="At least one MCP remote is cross-origin and was not actively probed by this scanner."Validate HTTP delivery [warning]! CORS header Access-Control-Allow-Origin is absent.INFOValidate HTTP delivery finalUrl="https://developers.cloudflare.com/.well-known/mcp/server-card.json"PASSCheck server card returned HTTP 2xx actual=200 expected="200-299"PASSCheck card is served as JSON actual="application/json; charset=utf-8" expected="application/json or +json"PASSCheck card is served over HTTPS actual="https:" expected="https:"WARNCheck browser-readable CORS header actual="missing" expected="Access-Control-Allow-Origin present"WARNCheck cache header is present actual="missing" expected="Cache-Control present"WARNMCP server-card HTTP delivery has non-blocking issues issues=["CORS header Access-Control-Allow-Origin is absent.","Cache-Control is absent."] reason="CORS header Access-Control-Allow-Origin is absent."Probe same-origin MCP endpoint [warning]! MCP remotes were discovered, but none could be safely probed by this scanner.INFOProbe same-origin MCP endpoint probeCount=27INFOSelecting same-origin unauthenticated MCP remotes for a bounded initialize probeSKIPSkipped MCP endpoint probe url="https://mcp.cloudflare.com/mcp" reason="Cross-origin MCP remote was validated syntactically but not actively probed."SKIPSkipped MCP endpoint probe url="https://docs.mcp.cloudflare.com/mcp" reason="Cross-origin MCP remote was validated syntactically but not actively probed."SKIPSkipped MCP endpoint probe url="https://observability.mcp.cloudflare.com/mcp" reason="Cross-origin MCP remote was validated syntactically but not actively probed."SKIPSkipped MCP endpoint probe url="https://bindings.mcp.cloudflare.com/mcp" reason="Cross-origin MCP remote was validated syntactically but not actively probed."SKIPSkipped MCP endpoint probe url="https://builds.mcp.cloudflare.com/mcp" reason="Cross-origin MCP remote was validated syntactically but not actively probed."SKIPSkipped MCP endpoint probe url="https://containers.mcp.cloudflare.com/mcp" reason="Cross-origin MCP remote was validated syntactically but not actively probed."SKIPSkipped MCP endpoint probe url="https://browser.mcp.cloudflare.com/mcp" reason="Cross-origin MCP remote was validated syntactically but not actively probed."SKIPSkipped MCP endpoint probe url="https://logs.mcp.cloudflare.com/mcp" reason="Cross-origin MCP remote was validated syntactically but not actively probed."WARNCheck successful initialize probe count actual=0 expected="> 0 when a safe same-origin unauthenticated remote exists" activeProbeCount=0 authBlocked=0WARNMCP endpoint probe could not fully confirm operability reason="MCP remotes were discovered, but none could be safely probed by this scanner."

Discover A2A Agent Card [warning]! No A2A Agent Card was found at the current, legacy, or fallback discovery paths.INFODiscover A2A Agent CardINFOTry A2A discovery paths in priority order paths=["/.well-known/agent-card.json","/.well-known/agent.json","/agent-card.json","/.well-known/a2a/agent-card.json"]WARNA2A candidate path did not return a usable card path="/.well-known/agent-card.json" statusCode=404 contentType="text/html"WARNA2A candidate path did not return a usable card path="/.well-known/agent.json" statusCode=404 contentType="text/html"WARNA2A candidate path did not return a usable card path="/agent-card.json" statusCode=404 contentType="text/html"WARNA2A candidate path did not return a usable card path="/.well-known/a2a/agent-card.json" statusCode=404 contentType="text/html"WARNNo A2A Agent Card candidate was selectedWARNNo A2A Agent Card was found at the current, legacy, or fallback discovery paths.

Discover agents.json [warning]! No Wildcard-style agents.json file was found.INFODiscover agents.jsonINFOTry agents.json discovery paths in priority order paths=["/.well-known/agents.json","/agents.json"]WARNagents.json candidate path did not return a usable contract path="/.well-known/agents.json" statusCode=404 contentType="text/html"WARNagents.json candidate path did not return a usable contract path="/agents.json" statusCode=404 contentType="text/html"WARNNo agents.json candidate was selectedWARNNo Wildcard-style agents.json file was found.

Parseability [fail]! Detected structured data could not be parsed for: rdfa.INFOParseabilityINFOChecking detected structured data for parse errors formatsFound=["rdfa"]FAILCheck invalid detected formats actual=1 expected=0 invalidPresentFormats=["rdfa"] parseErrors=[{"format":"rdfa","error":"property attributes found without a typeof subject: meta[property=\"image\"] value=\"https://developers.cloudflare.com/cf-twitter-card.png\" html=\"<meta property=\"image\" content=\"https://developers.cloudflare.com/cf-twitter-card.png\">\""}]FAILDetected structured data has fatal parse issues invalidPresentFormats=["rdfa"]Schema.org entity typing [fail]! Structured data was detected, but no typed Schema.org entities were extracted.INFOSchema.org entity typingINFOExtracting typed Schema.org entities from parsed structured dataFAILCheck extracted Schema.org type count actual=0 expected="> 0" schemaTypes=[] entityCount=0FAILNo typed Schema.org entities were extractedPage-relevant schema family [fail]! The page has specific visible content intent, but structured data does not include a matching primary schema family.INFOPage-relevant schema familyINFOInferring specific page intent and comparing it with detected Schema.org typesFAILCheck schema types matching specific visible page intent actual=0 expected="> 0" inferredIntents=["software"] expectedTypes=["SoftwareApplication","WebApplication","MobileApplication"] matchingTypes=[] observedTypes=[]FAILNo primary schema family matches the inferred page intent expectedTypes=["SoftwareApplication","WebApplication","MobileApplication"] primaryTypes=[]

Check API catalog HEAD Link header [warning]! HEAD /.well-known/api-catalog did not expose a Link header with rel="api-catalog".INFOCheck API catalog HEAD Link headerINFOSend HEAD request to API catalog path attempted=true statusCode=200 contentType="application/linkset+json; profile=\"https://www.rfc-editor.org/info/rfc9727\""WARNCompare HEAD Link rel=api-catalog count actual=0 expected="> 0"WARNHEAD /.well-known/api-catalog did not expose a Link header with rel="api-catalog". status="warning"Validate API catalog targets [fail]! API catalog target https://developers.cloudflare.com/api/index.md (service-doc) advertised text/markdown but returned text/plain; charset=utf-8.INFOValidate API catalog targetsINFOFetch same-origin API catalog targets and record same-site/external skipsPASSAPI catalog target is reachable rel="service-desc" href="https://developers.cloudflare.com/openapi.json" statusCode=200 contentType="application/json; charset=utf-8" advertisedType="application/json"FAILAPI catalog target failed validation rel="service-doc" href="https://developers.cloudflare.com/api/index.md" statusCode=200 contentType="text/plain; charset=utf-8" advertisedType="text/markdown" typeMatches=falsePASSAPI catalog target is reachable rel="service-doc" href="https://developers.cloudflare.com/api/" statusCode=200 contentType="text/html; charset=utf-8" advertisedType="text/html"SKIPSkipped API catalog target fetch rel="status" href="https://www.cloudflarestatus.com/api/v2/status.json" resolvedUrl="https://www.cloudflarestatus.com/api/v2/status.json" reason="External target was recorded but not fetched."FAILCompare API catalog target failure count actual=1 expected=0FAILAPI catalog target https://developers.cloudflare.com/api/index.md (service-doc) advertised text/markdown but returned text/plain; charset=utf-8.

Schema.org attribution [warning]! Schema.org attribution is incomplete or relies only on publisher/fallback evidence.INFOSchema.org attributionINFOChecking structured data for author, creator, and publisher contributorsWARNCheck named Schema.org author count actual=0 expected="> 0" authorCount=0 publisherCount=0 namedContributors=0 authors=[] publishers=[] formats=[]WARNSchema.org attribution is incomplete or fallback-only authorCount=0 publisherCount=0 authors=[] publishers=[]Author identity quality [fail]! No named author or publisher identity could be extracted.INFOAuthor identity qualityINFOChecking contributors for stable identity signalsFAILCheck identified contributor count actual=0 expected="> 0" namedContributors=0 identifiedContributors=[] unidentifiedContributors=[]FAILNo named contributor identity could be extracted

Evaluate fetch baseline [fail]! CSP does not define default-src; several fetch directives may have no restrictive fallback.INFOEvaluate fetch baselineINFOEvaluate resource loading fallback explicitFetchDirectives=["frame-src","script-src"]FAILCompare fetch baseline actual="0 explicit fetch directives" expected="restricted default-src or broad explicit fetch coverage" issue="CSP does not define default-src; several fetch directives may have no restrictive fallback."FAILCSP does not define default-src; several fetch directives may have no restrictive fallback.Evaluate script execution [warning]! script-src allows unsafe-inline without nonce or hash controls.INFOEvaluate script executionINFOInspect effective script directive effectiveDirective="script-src" sources=["'self'","cloudflarestream.com","*.cloudflarestream.com","cloudflareinsights.com","*.cloudflareinsights.com","cloudflare.com","*.cloudflare.com","google.com","*.google.com","demandbase.com","*.demandbase.com","bizible.com","*.bizible.com","jsdelivr.net","*.jsdelivr.net","'wasm-unsafe-eval'","'unsafe-inline'"]WARNCompare script execution posture actual={"hasNonce":false,"hasHash":false,"hasStrictDynamic":false,"hasUnsafeInline":true,"hasUnsafeEval":true,"hasWildcardHost":true,"hasBroadScheme":false,"dangerousSchemes":[]} expected="constrained script sources without unsafe execution allowances" issue="script-src allows unsafe-inline without nonce or hash controls."WARNscript-src allows unsafe-inline without nonce or hash controls.Review hardening directives [warning]! CSP is missing recommended hardening directives: object-src, base-uri.INFOReview hardening directivesINFOInspect CSP hardening directives formAction=["'self'"] frameAncestors=["'self'","cloudflare.com","*.cloudflare.com"] formCount=0WARNCompare recommended hardening coverage actual=["object-src","base-uri"] expected="no missing object-src/base-uri/form-action requirements" issue="CSP is missing recommended hardening directives: object-src, base-uri."WARNCSP is missing recommended hardening directives: object-src, base-uri.

Query DNS-AID records [warning]! No DNS-AID HTTPS/SVCB records were found under _agents.INFOQuery DNS-AID recordsINFOBuild DNS-AID query names from hostname hostname="developers.cloudflare.com" labels=["_index._agents.developers.cloudflare.com","_a2a._agents.developers.cloudflare.com"] claimedOnPage=falseWARNDNS query returned no DNS-AID answers name="_index._agents.developers.cloudflare.com" rrtype="HTTPS" resolver="cloudflare-doh-json" rcode=0 ad=true answerCount=0WARNDNS query returned no DNS-AID answers name="_index._agents.developers.cloudflare.com" rrtype="SVCB" resolver="cloudflare-doh-json" rcode=0 ad=true answerCount=0WARNDNS query returned no DNS-AID answers name="_index._agents.developers.cloudflare.com" rrtype="ANY" resolver="node-resolveAny-fallback" answerCount=0 error="queryAny ETIMEOUT _index._agents.developers.cloudflare.com"WARNDNS query returned no DNS-AID answers name="_a2a._agents.developers.cloudflare.com" rrtype="HTTPS" resolver="cloudflare-doh-json" rcode=0 ad=true answerCount=0WARNDNS query returned no DNS-AID answers name="_a2a._agents.developers.cloudflare.com" rrtype="SVCB" resolver="cloudflare-doh-json" rcode=0 ad=true answerCount=0WARNDNS query returned no DNS-AID answers name="_a2a._agents.developers.cloudflare.com" rrtype="ANY" resolver="node-resolveAny-fallback" answerCount=0 error="queryAny ETIMEOUT _a2a._agents.developers.cloudflare.com"WARNCompare total DNS-AID answer count actual=0 expected="> 0"WARNNo DNS-AID HTTPS/SVCB records were found under _agents.

Check machine-usable details [warning]! OpenAPI is valid, but missing schemas, parameters, servers, auth, operation IDs, tags, or examples reduces machine usability.INFOCheck machine-usable details status="warning"INFOInspect machine-usable operation details hasServers=true hasSecuritySchemes=true hasExplicitNoAuth=true requestBodyOperationCount=1263 parameterOperationCount=2954 responseSchemaOperationCount=3002 operationIdCount=3099 taggedOperationCount=3148 exampleOperationCount=1001WARNCheck OpenAPI operations include enough detail for agents to call them safely actual="5 machine-usability warning(s)" expected="servers, auth/no-auth signals, operationIds, parameters, request bodies, responses, tags, and examples where relevant"WARNMachine-usability warning warning="One or more operations are missing parameters or request bodies."WARNMachine-usability warning warning="One or more operations lack response schema or response media type detail."WARNMachine-usability warning warning="One or more operations are missing operationId."WARNMachine-usability warning warning="One or more operations do not include examples."WARNMachine-usability warning warning="One or more URLs look internal, private, credential-bearing, or admin-only."WARNOpenAPI is valid, but missing schemas, parameters, servers, auth, operation IDs, tags, or examples reduces machine usability.Review OpenAPI safety [fail]! Server URL points to localhost.INFOReview OpenAPI safety status="fail"INFOInspect advertised server URLs serverUrls=["https://api.cloudflare.com/client/v4"]FAILCheck for unsafe public server URLs actual=2 expected=0FAILUnsafe server URL advertised url="http://localhost:3000" issue="Server URL points to localhost."FAILUnsafe server URL advertised url="https://localhost:8001" issue="Server URL points to localhost."FAILServer URL points to localhost.

Validate skill content [fail]! Archive contains too many entries.INFOValidate skill contentFAILCompare skill artifact content failures actual=0 expected=0 name="agents-sdk" type="archive" url="https://developers.cloudflare.com/.well-known/agent-skills/agents-sdk.tar.gz"FAILCompare skill artifact content failures actual=1 expected=0 name="cloudflare" type="archive" url="https://developers.cloudflare.com/.well-known/agent-skills/cloudflare.tar.gz"FAILSkill content validation failure name="cloudflare" failure="Archive contains too many entries."FAILCompare skill artifact content failures actual=0 expected=0 name="cloudflare-email-service" type="archive" url="https://developers.cloudflare.com/.well-known/agent-skills/cloudflare-email-service.tar.gz"FAILCompare skill artifact content failures actual=0 expected=0 name="durable-objects" type="archive" url="https://developers.cloudflare.com/.well-known/agent-skills/durable-objects.tar.gz"FAILCompare skill artifact content failures actual=0 expected=0 name="sandbox-sdk" type="archive" url="https://developers.cloudflare.com/.well-known/agent-skills/sandbox-sdk.tar.gz"FAILCompare skill artifact content failures actual=0 expected=0 name="turnstile-spin" type="archive" url="https://developers.cloudflare.com/.well-known/agent-skills/turnstile-spin.tar.gz"FAILCompare skill artifact content failures actual=0 expected=0 name="web-perf" type="skill-md" url="https://developers.cloudflare.com/.well-known/agent-skills/web-perf/SKILL.md"FAILCompare skill artifact content failures actual=0 expected=0 name="workers-best-practices" type="archive" url="https://developers.cloudflare.com/.well-known/agent-skills/workers-best-practices.tar.gz"FAILCompare skill artifact content failures actual=0 expected=0 name="wrangler" type="skill-md" url="https://developers.cloudflare.com/.well-known/agent-skills/wrangler/SKILL.md"WARNSkill content validation warning name="wrangler" warning="description does not clearly state when an agent should activate the skill."WARNSkill content validation warning name="wrangler" warning="SKILL.md body is over 500 lines; move detailed material into references/ for progressive disclosure."FAILArchive contains too many entries.Review skill artifact security [warning]! Archive contains scripts/ entries; clients should not execute scripts by default.INFOReview skill artifact securityFAILCompare security finding count actual=3 expected=0WARNAgent Skills artifact security warning finding="Archive contains scripts/ entries; clients should not execute scripts by default."WARNAgent Skills artifact security warning finding="SKILL.md references external URLs; fetched content is an additional trust boundary (https://web.dev/articles/vitals`, https://developer.chrome.com/docs/devtools/performance`, https://developer.chrome.com/docs/lighthouse/performance/performance-scoring`)."WARNAgent Skills artifact security warning finding="SKILL.md references external URLs; fetched content is an additional trust boundary (https://developers.cloudflare.com/workers/wrangler/`, https://developers.cloudflare.com/workers/`, https://developers.cloudflare.com/workers/configuration/compatibility-dates/, http://localhost:8787/__scheduled)."WARNArchive contains scripts/ entries; clients should not execute scripts by default.

Advertised Markdown alternate [fail]INFOAdvertised Markdown alternateFAILCheck advertised Markdown alternate candidates actual=1 expected="> 0 when HTML advertises a Markdown alternate" advertisedUrls=["https://developers.cloudflare.com/index.md"] candidateCount=0FAILAdvertised Markdown alternate failed Conventional .md mirror [informational]INFOConventional .md mirrorINFOCheck conventional Markdown mirror candidates actual=0 expected="> 0 when a conventional mirror is discoverable" conventionalUrls=[] candidateCount=0PASSConventional .md mirror recorded for context status="informational"

Page landmarks [fail]! Expected exactly one visible main landmark; found 2.INFOPage landmarksFAILCheck page landmarks evidence actual={"counts":{"main":2,"roleMain":0,"nav":1,"roleNavigation":0,"header":1,"roleBanner":0,"footer":1,"pageFooter":0,"roleContentinfo":0},"main":false} expected="semantic HTML evidence for this step"FAILPage landmarks failed issue="Expected exactly one visible main landmark; found 2."Native semantics and ARIA [warning]! 1 ARIA/native semantic conflicts or redundancies were found.INFONative semantics and ARIAWARNCheck native semantics and aria evidence actual={"counts":{"ariaIssues":1},"nativeSemanticIntegrity":false} expected="native HTML semantics are present and not replaced by conflicting ARIA"WARNNative semantics and ARIA has a warning issue="1 ARIA/native semantic conflicts or redundancies were found."

Review subdomain scope [warning]! HSTS is valid, but includeSubDomains is absent.INFOReview subdomain scopeINFOInspect subdomain enforcement scope includeSubDomains=falseWARNCompare includeSubDomains coverage actual="absent" expected="included after subdomains are HTTPS-ready" issue="HSTS is valid, but includeSubDomains is absent."WARNHSTS is valid, but includeSubDomains is absent.Review preload opt-in [warning]! preload is present, but header-level preload requirements are missing: includeSubDomains, max-age >= 31536000.INFOReview preload opt-inINFOInspect preload opt-in preload=true includeSubDomains=false maxAge=15552000WARNCompare header-level preload requirements actual="not eligible by header" expected="preload + includeSubDomains + max-age >= 31536000" issue="preload is present, but header-level preload requirements are missing: includeSubDomains, max-age >= 31536000."WARNpreload is present, but header-level preload requirements are missing: includeSubDomains, max-age >= 31536000.

Find advertised IndexNow key location [informational]! No IndexNow key location was advertised in HTML, Link headers, or robots.txt.INFOFind advertised IndexNow key locationINFOLook for IndexNow key hints in HTML, Link headers, and robots.txt supportedHints=["robots.txt IndexNow-Key","rel=indexnow-key","meta name=indexnow-key-location"]PASSCompare advertised key location count actual=0 expected="> 0"WARNNo IndexNow key location was advertised in HTML, Link headers, or robots.txt.Fetch and validate IndexNow key file [informational]! No discoverable IndexNow key file was found.INFOFetch and validate IndexNow key fileINFOLook for IndexNow key hints in HTML, Link headers, and robots.txt supportedHints=["robots.txt IndexNow-Key","rel=indexnow-key","meta name=indexnow-key-location"]PASSCompare advertised key location count actual=0 expected="> 0"INFOFetch each advertised same-origin key file and validate filename/body matchFAILCompare valid IndexNow key file count actual=0 expected="> 0"WARNNo discoverable IndexNow key file was found.