The checks

State-changing tools must document/guard side effects so agents do not mutate blindly.

A privacy_mode parameter lets agents request non-sensitive responses.

Plaintext HTTP exposes tokens and tool traffic to interception.

HSTS/CSP/X-Content-Type-Options harden the server against common web attacks.

Agents cannot connect safely if they cannot tell whether/how to authenticate.

Standard OAuth metadata lets agents programmatically obtain access.

A public /.git or /.env leaks source history and live credentials — critical.

Wildcard + credentials CORS is a classic data-exfiltration misconfiguration.

recommended_first_calls tells an agent how to start — the onboarding contract.

Standard discovery tools (capabilities, inventory) let agents self-orient.

A concise machine summary tells LLMs what the server is and how to use it.

The /.well-known card is how agents discover the server, transport and tools.

The skills discovery index lets agents find and verify your capabilities.

A standard catalog points agents to your OpenAPI, docs and status.

Explicit AI-bot rules + Content-Signal declare how agents may use your content.

JSON-LD, OpenGraph and Markdown-for-Agents make the page machine-legible.

Agents reject or mis-call tools whose input schemas are invalid or missing.

Consistent snake_case verb_noun names make tools predictable for models to select.

Rich descriptions are the only thing a model has to decide when/how to call a tool.

readOnly/destructive hints let agents reason about safety before calling.

Exposing resources lets agents pull context without bespoke tool calls.

A smoke script proves the server actually boots — the baseline of trust.