The Agent Readiness Checklist: 30 Signals Every Business Should Have
Thirty boxes to check. Nine dimensions. One page. This is the condensed version of everything the AgentHermes scanner looks for across 500 scanned businesses — and the exact shortlist that separates Gold from Bronze. Print it, post it, ship it.
How to Use This Checklist
Each dimension lists 2-6 signals the scanner checks for. The weight in parentheses is the dimension's contribution to the headline score. Three dimensions (D2 API, D8 Reliability, D7 Security) together are 40% of the score — start there if you want the biggest lift per hour of engineering.
Pair this checklist with a live scan at /audit. The scanner returns pass / partial / fail per signal, so you can walk the checklist with your actual status next to every line.
The 32-Item Checklist
D1: Discovery (12%)
6 items
- □HTTPS with a valid certificate across all hostnames
- □DNS resolves quickly (A/AAAA + SPF + DMARC on apex)
- □robots.txt allows GPTBot, ClaudeBot, PerplexityBot, Google-Extended
- □sitemap.xml published at the root and referenced in robots.txt
- □/.well-known/agent-card.json with MCP endpoint and A2A skills
- □llms.txt at the root, linking to docs, API, pricing, policies
D2: API Quality (15%)
3 items
- □Published OpenAPI 3.0+ spec for every public endpoint
- □REST or GraphQL API that is genuinely callable (not just an iframe)
- □Versioning strategy — header, path, or date-based — clearly documented
D3: Onboarding (8%)
3 items
- □Self-service signup without a sales call
- □Sandbox or test environment an agent can hit safely
- □Programmatic API key or OAuth credential creation
D4: Pricing (5%)
2 items
- □Structured pricing visible without login
- □JSON-LD Offer schema on every pricing page
D5: Payment Processing (8%)
3 items
- □Embedded checkout or Payment Element (not just hosted redirect)
- □Signed webhooks for order/payment/subscription events
- □Refund endpoint callable by the original buyer credential
D6: Data Quality (10%)
3 items
- □JSON-LD markup (Organization, Product, Service, Offer)
- □Consistent structured error envelope with a stable code field
- □AGENTS.md at the repo or domain root for project context
D7: Security (12%)
3 items
- □OAuth 2.0 or Bearer tokens for any mutating endpoint
- □TLS 1.3 negotiated, weak ciphers disabled
- □HSTS preloaded, secure cookies with SameSite
D8: Reliability (13%)
3 items
- □Public status page at /status or status.yourdomain.com
- □/health endpoint returning a JSON envelope
- □Published SLA or uptime target on a stable URL
D9: Agent Experience (10%)
3 items
- □X-Request-Id on every response
- □Idempotency-Key accepted on all POST endpoints
- □Rate-limit headers: X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset
Bonus: Agent-Native (7%)
3 items
- □Open Graph tags + Twitter card on every public page
- □x402 micropayment support for agent-native per-call billing
- □MCP server linked from agent-card.json
Work It Top-Down: The First Six Wins
If you only ship six items this quarter, ship these six. They touch the highest-weighted dimensions and are cheap enough to land in a single PR each.
Ship an OpenAPI spec
D2 API Quality is the single largest weight (15%). Without a spec the scoring model caps you around 45.
Publish /.well-known/agent-card.json
One JSON file. Unlocks A2A discovery and MCP linking. +3 to D1.
Drop llms.txt at the root
95% of scanned businesses miss this. Markdown-only. +2 to D1, +1 to D6.
Wire X-Request-Id + Idempotency-Key
Two middleware lines. +4-5 to D9 Agent Experience in a single commit.
Stand up a status page
Statuspage or Atlassian scores 70 on D8 by existing. Add a /health endpoint alongside it.
Switch error responses to JSON envelopes
HTML error pages are the single biggest D6 failure mode. Consistent code + message + request_id fixes it.
These six together historically lift a Bronze-tier domain into Silver within 14 days. The remaining 24 items on the checklist are what separates Silver from Gold.
Five Checklist Items People Get Wrong
Hosted redirect ≠ checkout API
Stripe-hosted checkout is fine for humans but fails D5 for agents. Agents need a Payment Element or direct intent creation.
Swagger UI ≠ OpenAPI spec
A rendered docs site is useless to an agent. Ship the raw openapi.json, link it from agent-card.json.
robots.txt that blocks GPTBot
Fleet-wide pattern — businesses silently block GPTBot thinking it is a scraper. That is an instant D1 failure.
status.example.com with no API
A human-readable status page scores partial. Expose /status.json for full credit.
Idempotency-Key silently ignored
Accepting the header but not enforcing deduplication is worse than rejecting it. Agents re-fire on retry and you double-charge.
agent-card.json pointing at 404
About half the agent cards we scan reference MCP endpoints that return 404 or HTML. A card that points at a dead endpoint is worse than no card at all.
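The difference between accepting Idempotency-Key and enforcing it, shown as an added example (not AgentHermes code), with every response carrying X-Request-Id and errors using the code + message + request_id envelope described earlier. The class and function names, the in-memory store, the error code strings and the 400/422 status choices are assumptions made for this sketch.

```python
import hashlib
import json
import uuid


def envelope(status, code, message, request_id):
    """Structured JSON error: stable code, message, request_id."""
    return {"status": status,
            "headers": {"X-Request-Id": request_id},
            "body": {"code": code, "message": message, "request_id": request_id}}


class IdempotentEndpoint:
    """Wraps a mutating handler so a retried POST cannot run it twice."""

    def __init__(self, handler):
        self.handler = handler
        # (credential, key) -> (body fingerprint, status, body).
        # In-memory for the example; a real service needs a shared store with
        # a TTL and an atomic reserve step to cover concurrent retries.
        self.seen = {}

    def post(self, credential, headers, body):
        request_id = str(uuid.uuid4())
        key = headers.get("Idempotency-Key")
        if not key:
            return envelope(400, "idempotency_key_required",
                            "POST requires an Idempotency-Key header", request_id)
        fingerprint = hashlib.sha256(
            json.dumps(body, sort_keys=True).encode()).hexdigest()
        slot = (credential, key)  # scoped per caller, never global
        if slot in self.seen:
            stored_fp, status, stored_body = self.seen[slot]
            if stored_fp != fingerprint:
                return envelope(422, "idempotency_key_reused",
                                "Key was already used with a different payload",
                                request_id)
            # Retry of the same request: replay the result, do not charge again.
            return {"status": status, "headers": {"X-Request-Id": request_id},
                    "body": stored_body}
        result = self.handler(body)
        self.seen[slot] = (fingerprint, 201, result)
        return {"status": 201, "headers": {"X-Request-Id": request_id},
                "body": result}


CHARGES = []  # constructed ledger standing in for a payment backend


def charge(body):
    CHARGES.append(body["amount"])
    return {"charge_id": f"ch_{len(CHARGES)}", "amount": body["amount"]}
```

Scoping the stored key to the caller's credential keeps one client from replaying or colliding with another client's response.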
Frequently Asked Questions
Do I have to hit all 30 items to score Silver?
No. The median Silver-tier company on our 500-business leaderboard hits roughly 20 of the 30. The 10 they miss tend to be D4 Pricing schema, D5 payment webhooks, D9 idempotency keys, and agent-native extras like x402 support. Work top-down — Tier 1 dimensions (D2, D6, D7, D8, D9) carry 60% of the score, so prioritize those first.
Which item is the single biggest lever?
Publishing an OpenAPI spec. D2 API Quality is weighted 0.15 — the single largest of any dimension. Companies without a spec hit a ceiling around 45. Companies with one consistently score 60+. If you only have budget for one project, ship the spec at docs.yoursite.com/openapi.json and link it from your agent-card.json.
How do I know which items I already pass?
Run your domain through the free AgentHermes scanner at /audit. The result is a 9-dimension breakdown with pass / partial / fail for each signal. That lets you walk this checklist with your actual scores next to each item, so you know exactly which 10-12 fixes unlock the next tier.
Do ecommerce and SaaS follow different checklists?
The 30 signals are universal. The weights shift. The AgentHermes scanner has 27 vertical profiles that reweight the dimensions for ecommerce, fintech, healthcare, local services, and others. The checklist stays the same — a restaurant still needs TLS, a sitemap, a services schema, and an idempotency key on its booking endpoint. Just the priority of each line changes.
Can AgentHermes generate most of this automatically?
Yes. /connect auto-generates agent-card.json, llms.txt, agent-hermes.json, a hosted MCP endpoint, vertical-specific tools, and registry entries. The items it cannot ship for you are the ones tied to your own stack — TLS, OAuth, idempotency keys, status page, payment webhooks. The universal discovery files are one wizard away.
Walk the checklist against your live domain
The scanner returns pass / partial / fail for every checklist item. Know exactly which of the 30 signals your business already passes — and which ten fixes move you up a tier.