Agent Readiness: audits and advisory. Practical audits and clear advice to help product teams ship agent-ready features. turva.dev


EVIDENCE


turva.dev is my own reference build. It is ranked #1 of all publicly-scanned sites on the startuphub.ai agent-readiness leaderboard, with 100/100 verified by two independent scanners. Measured 2026-06-01.


- startuphub.ai leaderboard: #1 of top 100 sites, 100/100 (A+).
  Discoverability, Content, Access Control, Capabilities, Commerce, Quality:
  100/100 each. https://www.startuphub.ai/agent-readiness


- isitagentready.com: 100/100, Level 5 (Agent-Native).
  https://isitagentready.com/turva.dev


The Cloudflare Worker that produces these results is open source:
github.com/busygoat/turvadev-pretender. You can read every line before you
hire me.


Backed by a registered company, publicly verifiable:
Business ID 3600281-7, registered in Finland.
PRH/YTJ business register: https://tietopalvelu.ytj.fi/yritys/3600281-7


The process has three stages and no surprises


First, measurement. Two independent agent-readiness scanners read the
current state of the site or API and produce a numeric baseline plus
a categorized list of where points are missing.


Then a written report. Three to ten priority fixes in order of impact,
with technical reasoning written so the reader does not need an
agent-readiness background to follow it.


Then the fixes. I implement them, or your engineering team does the
work with the report as the spec. Both routes are supported and the
choice is yours.


All communication runs async. No calls and no calendar links. Live
meetings are not part of how this work is done. Short questions go
through Signal, longer documents through email and CryptPad. Everything
stays in writing, which means the work and the trail are auditable
end-to-end.


Production credentials are not requested. Write access to repositories
is not taken by default. Read access is enough for the audit, and
write access is scoped per task if implementation is purchased
separately.


The result shows up in scanner numbers. That is the contract. The next
scan reads higher than the previous one, in the categories the report
named, by the dates the report named.


Services


- Audit. Fixed scope, two to three weeks. Two independent scanners run
  against the site or API. Written report with a prioritized fix list.
  You receive a measured baseline and a clear "do this first" plan.


- Advisory. Monthly retainer, async-only. Ongoing review as the site,
  API or product evolves. Each scanner cycle reads higher than the last,
  or the report explains why a tradeoff was kept on purpose.


- Implementation. On request. Worker-level changes, well-known
  manifests, MCP server work, JSON-LD and Schema fixes. The improvement
  is verifiable against the audit baseline in the next scan.


- MCP server design. On request. Read-only discovery tools and
  streamable HTTP transport. No auth surface and no logging by default.
  The endpoint stays readable for agents and does not turn into an
  abuse vector.


- Internal workshops. On request, async-first. Recorded session or
  written guide. Topics include how scanners read your site, what x402
  and AP2 actually require in practice, and how to keep agent-readiness
  intact after the audit period ends.


Who I am


The work is done by one person under a registered company. My
background is engineering: measurement, testing, and reducing
things to what actually matters. I have worked in international
companies for years, moved from general security work into
agent-readiness, and kept only the tools and methods that hold up
in daily client work.


The reason this service exists is narrow on purpose. Agent-readiness
is a measurable property of a site, an API, or a product surface.
Either the scanners read it higher next week than this week, or they
do not. That is the question I answer.


Ready to see where your site or API stands? Two scans, one report, a prioritized fix list. The baseline is measured before any work begins, and the same scanners read the result after. Async-only engagement. No calls and no calendar links. The first reply lands in writing within one business day.

Contact me


Written contact only. Email for longer messages, Signal for short
questions. The first reply is in writing within one business day.
No calls and no calendar links at any stage of the engagement.

