{
  "generatedAt": "2026-07-10T04:02:04.592Z",
  "source": "Cloudflare Radar API (api.cloudflare.com/client/v4/radar/bots, live pull 2026-07-09)",
  "linter": "@sitedex/web-bot-auth-lint 0.2.0 (local dist, built from source)",
  "method": {
    "attemptsPerBot": 3,
    "timeoutMs": 20000,
    "retryOn": "network error, 5xx, 429",
    "userAgent": "web-bot-auth-lint-radar-study (+https://github.com/sitedex/web-bot-auth-lint)",
    "gradedAt": "2026-07-10T04:01:21.047Z",
    "bodyCap": "512 KiB (CLI readBodyCapped)",
    "schemes": "https only"
  },
  "population": {
    "totalBotsInSource": 684,
    "withSignatureAgentUrl": 79,
    "linted": 79
  },
  "grades": {
    "pass": 26,
    "pass_warn": 40,
    "fetch_error": 4,
    "fail": 9
  },
  "topIssues": [
    {
      "grade": "warn",
      "check": "thumbprint_kid",
      "count": 28
    },
    {
      "grade": "warn",
      "check": "cache_control",
      "count": 16
    },
    {
      "grade": "warn",
      "check": "response_signature",
      "count": 10
    },
    {
      "grade": "warn",
      "check": "content_type",
      "count": 10
    },
    {
      "grade": "fail",
      "check": "reachable",
      "count": 4
    },
    {
      "grade": "fail",
      "check": "json_parse",
      "count": 4
    },
    {
      "grade": "warn",
      "check": "well_known_path",
      "count": 3
    },
    {
      "grade": "warn",
      "check": "exp_hygiene",
      "count": 3
    },
    {
      "grade": "warn",
      "check": "not_redirected",
      "count": 2
    },
    {
      "grade": "warn",
      "check": "signature_verified",
      "count": 2
    },
    {
      "grade": "fail",
      "check": "nbf_hygiene",
      "count": 2
    },
    {
      "grade": "fail",
      "check": "keys_present",
      "count": 1
    },
    {
      "grade": "fail",
      "check": "x_valid",
      "count": 1
    },
    {
      "grade": "fail",
      "check": "signature_tag",
      "count": 1
    }
  ],
  "results": [
    {
      "slug": "agi-agent-2",
      "name": "AGI Agent",
      "operator": "AGI, Inc",
      "kind": "AGENT",
      "category": "AI_ASSISTANT",
      "signatureAgentUrl": "https://api.agi.tech/.well-known/http-message-signatures-directory",
      "fetchOk": true,
      "httpStatus": 200,
      "attempts": 1,
      "transientErrors": [],
      "grade": "pass",
      "warnCount": 0,
      "failCount": 0,
      "findings": [
        {
          "check": "https",
          "grade": "pass",
          "detail": "Served over HTTPS.",
          "authority": "verifier-requirement"
        },
        {
          "check": "reachable",
          "grade": "pass",
          "detail": "Returned HTTP 200.",
          "authority": "verifier-requirement"
        },
        {
          "check": "not_redirected",
          "grade": "pass",
          "detail": "Served directly, no redirect.",
          "authority": "linter-opinion"
        },
        {
          "check": "well_known_path",
          "grade": "pass",
          "detail": "Served at the well-known path /.well-known/http-message-signatures-directory.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §7.1"
        },
        {
          "check": "content_type",
          "grade": "pass",
          "detail": "Content-Type is application/http-message-signatures-directory+json.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5"
        },
        {
          "check": "json_parse",
          "grade": "pass",
          "detail": "Body is valid JSON.",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "keys_present",
          "grade": "pass",
          "detail": "Directory publishes 1 key(s).",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "kty_okp",
          "grade": "pass",
          "detail": "All keys use key type \"OKP\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "crv_ed25519",
          "grade": "pass",
          "detail": "All keys use curve \"Ed25519\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "x_valid",
          "grade": "pass",
          "detail": "All public keys are valid 32-byte Ed25519 values.",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        },
        {
          "check": "thumbprint_kid",
          "grade": "pass",
          "detail": "All key IDs match their RFC 7638 thumbprint (a fingerprint of the key).",
          "authority": "linter-opinion",
          "specRef": "RFC 7638"
        },
        {
          "check": "unique_kids",
          "grade": "pass",
          "detail": "All key IDs are distinct.",
          "authority": "spec-should",
          "specRef": "RFC 7517 §4.5"
        },
        {
          "check": "cache_control",
          "grade": "pass",
          "detail": "Cache-Control is set (max-age=86400).",
          "authority": "linter-opinion"
        },
        {
          "check": "nbf_hygiene",
          "grade": "pass",
          "detail": "No key has a future not-before time.",
          "authority": "spec-should",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "exp_hygiene",
          "grade": "pass",
          "detail": "No key is expired or expiring within 14 days.",
          "authority": "linter-opinion",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "response_signature",
          "grade": "pass",
          "detail": "The directory response carries an HTTP-message signature.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_keyid_thumbprint",
          "grade": "pass",
          "detail": "The signature key ID is the RFC 7638 thumbprint (fingerprint) of a key advertised in this directory.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_tag",
          "grade": "pass",
          "detail": "The signature tag is \"http-message-signatures-directory\".",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_verified",
          "grade": "pass",
          "detail": "The directory-response signature is cryptographically valid (Ed25519).",
          "authority": "verifier-requirement",
          "specRef": "RFC 9421 §3.2"
        },
        {
          "check": "private_key_material",
          "grade": "pass",
          "detail": "No private key material is exposed (public keys only).",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        }
      ],
      "keys": [
        {
          "kid": "CFtgCkbTK8KSwYj5E96RGZJcmLuIjOj5rcCPupChTQA",
          "crv": "Ed25519",
          "kty": "OKP",
          "daysToExpiry": null,
          "thumbprintMatches": true
        }
      ]
    },
    {
      "slug": "ai-search-external",
      "name": "AI Search External",
      "operator": "Cloudflare",
      "kind": "BOT",
      "category": "AI_SEARCH",
      "signatureAgentUrl": "https://search.ai.cloudflare.com/external/.well-known/http-message-signatures-directory",
      "fetchOk": true,
      "httpStatus": 200,
      "attempts": 1,
      "transientErrors": [],
      "grade": "pass_warn",
      "warnCount": 2,
      "failCount": 0,
      "findings": [
        {
          "check": "https",
          "grade": "pass",
          "detail": "Served over HTTPS.",
          "authority": "verifier-requirement"
        },
        {
          "check": "reachable",
          "grade": "pass",
          "detail": "Returned HTTP 200.",
          "authority": "verifier-requirement"
        },
        {
          "check": "not_redirected",
          "grade": "pass",
          "detail": "Served directly, no redirect.",
          "authority": "linter-opinion"
        },
        {
          "check": "well_known_path",
          "grade": "warn",
          "detail": "Served at /external/.well-known/http-message-signatures-directory. Cloudflare, the dominant verifier, fetches /.well-known/http-message-signatures-directory unless another location is advertised via a Signature-Agent header. Move it there or advertise it.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §7.1"
        },
        {
          "check": "content_type",
          "grade": "pass",
          "detail": "Content-Type is application/http-message-signatures-directory+json.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5"
        },
        {
          "check": "json_parse",
          "grade": "pass",
          "detail": "Body is valid JSON.",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "keys_present",
          "grade": "pass",
          "detail": "Directory publishes 1 key(s).",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "kty_okp",
          "grade": "pass",
          "detail": "All keys use key type \"OKP\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "crv_ed25519",
          "grade": "pass",
          "detail": "All keys use curve \"Ed25519\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "x_valid",
          "grade": "pass",
          "detail": "All public keys are valid 32-byte Ed25519 values.",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        },
        {
          "check": "thumbprint_kid",
          "grade": "warn",
          "detail": "Key ID is not the RFC 7638 thumbprint of the key (a fingerprint some verifiers expect the kid to equal); still valid, some verifiers use opaque IDs: key #1.",
          "authority": "linter-opinion",
          "specRef": "RFC 7638"
        },
        {
          "check": "unique_kids",
          "grade": "pass",
          "detail": "All key IDs are distinct.",
          "authority": "spec-should",
          "specRef": "RFC 7517 §4.5"
        },
        {
          "check": "cache_control",
          "grade": "pass",
          "detail": "Cache-Control is set (max-age=86400).",
          "authority": "linter-opinion"
        },
        {
          "check": "nbf_hygiene",
          "grade": "pass",
          "detail": "No key has a future not-before time.",
          "authority": "spec-should",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "exp_hygiene",
          "grade": "pass",
          "detail": "No key is expired or expiring within 14 days.",
          "authority": "linter-opinion",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "response_signature",
          "grade": "pass",
          "detail": "The directory response carries an HTTP-message signature.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_keyid_thumbprint",
          "grade": "pass",
          "detail": "The signature key ID is the RFC 7638 thumbprint (fingerprint) of a key advertised in this directory.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_tag",
          "grade": "pass",
          "detail": "The signature tag is \"http-message-signatures-directory\".",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_verified",
          "grade": "pass",
          "detail": "The directory-response signature is cryptographically valid (Ed25519).",
          "authority": "verifier-requirement",
          "specRef": "RFC 9421 §3.2"
        },
        {
          "check": "private_key_material",
          "grade": "pass",
          "detail": "No private key material is exposed (public keys only).",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        }
      ],
      "keys": [
        {
          "kid": null,
          "crv": "Ed25519",
          "kty": "OKP",
          "daysToExpiry": null,
          "thumbprintMatches": false
        }
      ]
    },
    {
      "slug": "amazon-bedrock-agentcore-browser-ap-northeast-1",
      "name": "Amazon Bedrock AgentCore Browser (AP Northeast)",
      "operator": "Amazon",
      "kind": "AGENT",
      "category": "AI_ASSISTANT",
      "signatureAgentUrl": "https://kzejmtkesloc1.keydirectory.signer.ap-northeast-1.on.aws/.well-known/http-message-signatures-directory",
      "fetchOk": true,
      "httpStatus": 200,
      "attempts": 1,
      "transientErrors": [],
      "grade": "pass",
      "warnCount": 0,
      "failCount": 0,
      "findings": [
        {
          "check": "https",
          "grade": "pass",
          "detail": "Served over HTTPS.",
          "authority": "verifier-requirement"
        },
        {
          "check": "reachable",
          "grade": "pass",
          "detail": "Returned HTTP 200.",
          "authority": "verifier-requirement"
        },
        {
          "check": "not_redirected",
          "grade": "pass",
          "detail": "Served directly, no redirect.",
          "authority": "linter-opinion"
        },
        {
          "check": "well_known_path",
          "grade": "pass",
          "detail": "Served at the well-known path /.well-known/http-message-signatures-directory.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §7.1"
        },
        {
          "check": "content_type",
          "grade": "pass",
          "detail": "Content-Type is application/http-message-signatures-directory+json.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5"
        },
        {
          "check": "json_parse",
          "grade": "pass",
          "detail": "Body is valid JSON.",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "keys_present",
          "grade": "pass",
          "detail": "Directory publishes 1 key(s).",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "kty_okp",
          "grade": "pass",
          "detail": "All keys use key type \"OKP\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "crv_ed25519",
          "grade": "pass",
          "detail": "All keys use curve \"Ed25519\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "x_valid",
          "grade": "pass",
          "detail": "All public keys are valid 32-byte Ed25519 values.",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        },
        {
          "check": "thumbprint_kid",
          "grade": "pass",
          "detail": "All key IDs match their RFC 7638 thumbprint (a fingerprint of the key).",
          "authority": "linter-opinion",
          "specRef": "RFC 7638"
        },
        {
          "check": "unique_kids",
          "grade": "pass",
          "detail": "All key IDs are distinct.",
          "authority": "spec-should",
          "specRef": "RFC 7517 §4.5"
        },
        {
          "check": "cache_control",
          "grade": "pass",
          "detail": "Cache-Control is set (max-age=86400).",
          "authority": "linter-opinion"
        },
        {
          "check": "nbf_hygiene",
          "grade": "pass",
          "detail": "No key has a future not-before time.",
          "authority": "spec-should",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "exp_hygiene",
          "grade": "pass",
          "detail": "No key is expired or expiring within 14 days.",
          "authority": "linter-opinion",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "response_signature",
          "grade": "pass",
          "detail": "The directory response carries an HTTP-message signature.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_keyid_thumbprint",
          "grade": "pass",
          "detail": "The signature key ID is the RFC 7638 thumbprint (fingerprint) of a key advertised in this directory.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_tag",
          "grade": "pass",
          "detail": "The signature tag is \"http-message-signatures-directory\".",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_verified",
          "grade": "pass",
          "detail": "The directory-response signature is cryptographically valid (Ed25519).",
          "authority": "verifier-requirement",
          "specRef": "RFC 9421 §3.2"
        },
        {
          "check": "private_key_material",
          "grade": "pass",
          "detail": "No private key material is exposed (public keys only).",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        }
      ],
      "keys": [
        {
          "kid": "7GV8UW5uqgVQUyyGHcCMFId758np49HmQR836przbBA",
          "crv": "Ed25519",
          "kty": "OKP",
          "daysToExpiry": 104,
          "thumbprintMatches": true
        }
      ]
    },
    {
      "slug": "amazon-bedrock-agentcore-browser-ap-south-1",
      "name": "Amazon Bedrock AgentCore Browser (AP South)",
      "operator": "Amazon",
      "kind": "AGENT",
      "category": "AI_ASSISTANT",
      "signatureAgentUrl": "https://wdfzm130yrb91.keydirectory.signer.ap-south-1.on.aws/.well-known/http-message-signatures-directory",
      "fetchOk": false,
      "httpStatus": null,
      "attempts": 3,
      "transientErrors": [
        "attempt 1: ETIMEDOUT: fetch failed",
        "attempt 2: ETIMEDOUT: fetch failed",
        "attempt 3: ETIMEDOUT: fetch failed"
      ],
      "grade": "fetch_error",
      "warnCount": 0,
      "failCount": 0,
      "findings": [],
      "keys": []
    },
    {
      "slug": "amazon-bedrock-agentcore-browser-ap-southeast-1",
      "name": "Amazon Bedrock AgentCore Browser (AP Southeast 1)",
      "operator": "Amazon",
      "kind": "AGENT",
      "category": "AI_ASSISTANT",
      "signatureAgentUrl": "https://slf696jfe4gp0.keydirectory.signer.ap-southeast-1.on.aws/.well-known/http-message-signatures-directory",
      "fetchOk": true,
      "httpStatus": 200,
      "attempts": 1,
      "transientErrors": [],
      "grade": "pass",
      "warnCount": 0,
      "failCount": 0,
      "findings": [
        {
          "check": "https",
          "grade": "pass",
          "detail": "Served over HTTPS.",
          "authority": "verifier-requirement"
        },
        {
          "check": "reachable",
          "grade": "pass",
          "detail": "Returned HTTP 200.",
          "authority": "verifier-requirement"
        },
        {
          "check": "not_redirected",
          "grade": "pass",
          "detail": "Served directly, no redirect.",
          "authority": "linter-opinion"
        },
        {
          "check": "well_known_path",
          "grade": "pass",
          "detail": "Served at the well-known path /.well-known/http-message-signatures-directory.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §7.1"
        },
        {
          "check": "content_type",
          "grade": "pass",
          "detail": "Content-Type is application/http-message-signatures-directory+json.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5"
        },
        {
          "check": "json_parse",
          "grade": "pass",
          "detail": "Body is valid JSON.",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "keys_present",
          "grade": "pass",
          "detail": "Directory publishes 1 key(s).",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "kty_okp",
          "grade": "pass",
          "detail": "All keys use key type \"OKP\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "crv_ed25519",
          "grade": "pass",
          "detail": "All keys use curve \"Ed25519\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "x_valid",
          "grade": "pass",
          "detail": "All public keys are valid 32-byte Ed25519 values.",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        },
        {
          "check": "thumbprint_kid",
          "grade": "pass",
          "detail": "All key IDs match their RFC 7638 thumbprint (a fingerprint of the key).",
          "authority": "linter-opinion",
          "specRef": "RFC 7638"
        },
        {
          "check": "unique_kids",
          "grade": "pass",
          "detail": "All key IDs are distinct.",
          "authority": "spec-should",
          "specRef": "RFC 7517 §4.5"
        },
        {
          "check": "cache_control",
          "grade": "pass",
          "detail": "Cache-Control is set (max-age=86400).",
          "authority": "linter-opinion"
        },
        {
          "check": "nbf_hygiene",
          "grade": "pass",
          "detail": "No key has a future not-before time.",
          "authority": "spec-should",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "exp_hygiene",
          "grade": "pass",
          "detail": "No key is expired or expiring within 14 days.",
          "authority": "linter-opinion",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "response_signature",
          "grade": "pass",
          "detail": "The directory response carries an HTTP-message signature.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_keyid_thumbprint",
          "grade": "pass",
          "detail": "The signature key ID is the RFC 7638 thumbprint (fingerprint) of a key advertised in this directory.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_tag",
          "grade": "pass",
          "detail": "The signature tag is \"http-message-signatures-directory\".",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_verified",
          "grade": "pass",
          "detail": "The directory-response signature is cryptographically valid (Ed25519).",
          "authority": "verifier-requirement",
          "specRef": "RFC 9421 §3.2"
        },
        {
          "check": "private_key_material",
          "grade": "pass",
          "detail": "No private key material is exposed (public keys only).",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        }
      ],
      "keys": [
        {
          "kid": "yJvuT_BV7Bh-5-7q52JojnYGJJhPnPovwSxo52tpZX8",
          "crv": "Ed25519",
          "kty": "OKP",
          "daysToExpiry": 104,
          "thumbprintMatches": true
        }
      ]
    },
    {
      "slug": "amazon-bedrock-agentcore-browser-ap-southeast-2",
      "name": "Amazon Bedrock AgentCore Browser (AP Southeast)",
      "operator": "Amazon",
      "kind": "AGENT",
      "category": "AI_ASSISTANT",
      "signatureAgentUrl": "https://meh0x7tptr6o1.keydirectory.signer.ap-southeast-2.on.aws/.well-known/http-message-signatures-directory",
      "fetchOk": true,
      "httpStatus": 200,
      "attempts": 1,
      "transientErrors": [],
      "grade": "pass",
      "warnCount": 0,
      "failCount": 0,
      "findings": [
        {
          "check": "https",
          "grade": "pass",
          "detail": "Served over HTTPS.",
          "authority": "verifier-requirement"
        },
        {
          "check": "reachable",
          "grade": "pass",
          "detail": "Returned HTTP 200.",
          "authority": "verifier-requirement"
        },
        {
          "check": "not_redirected",
          "grade": "pass",
          "detail": "Served directly, no redirect.",
          "authority": "linter-opinion"
        },
        {
          "check": "well_known_path",
          "grade": "pass",
          "detail": "Served at the well-known path /.well-known/http-message-signatures-directory.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §7.1"
        },
        {
          "check": "content_type",
          "grade": "pass",
          "detail": "Content-Type is application/http-message-signatures-directory+json.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5"
        },
        {
          "check": "json_parse",
          "grade": "pass",
          "detail": "Body is valid JSON.",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "keys_present",
          "grade": "pass",
          "detail": "Directory publishes 1 key(s).",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "kty_okp",
          "grade": "pass",
          "detail": "All keys use key type \"OKP\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "crv_ed25519",
          "grade": "pass",
          "detail": "All keys use curve \"Ed25519\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "x_valid",
          "grade": "pass",
          "detail": "All public keys are valid 32-byte Ed25519 values.",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        },
        {
          "check": "thumbprint_kid",
          "grade": "pass",
          "detail": "All key IDs match their RFC 7638 thumbprint (a fingerprint of the key).",
          "authority": "linter-opinion",
          "specRef": "RFC 7638"
        },
        {
          "check": "unique_kids",
          "grade": "pass",
          "detail": "All key IDs are distinct.",
          "authority": "spec-should",
          "specRef": "RFC 7517 §4.5"
        },
        {
          "check": "cache_control",
          "grade": "pass",
          "detail": "Cache-Control is set (max-age=86400).",
          "authority": "linter-opinion"
        },
        {
          "check": "nbf_hygiene",
          "grade": "pass",
          "detail": "No key has a future not-before time.",
          "authority": "spec-should",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "exp_hygiene",
          "grade": "pass",
          "detail": "No key is expired or expiring within 14 days.",
          "authority": "linter-opinion",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "response_signature",
          "grade": "pass",
          "detail": "The directory response carries an HTTP-message signature.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_keyid_thumbprint",
          "grade": "pass",
          "detail": "The signature key ID is the RFC 7638 thumbprint (fingerprint) of a key advertised in this directory.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_tag",
          "grade": "pass",
          "detail": "The signature tag is \"http-message-signatures-directory\".",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_verified",
          "grade": "pass",
          "detail": "The directory-response signature is cryptographically valid (Ed25519).",
          "authority": "verifier-requirement",
          "specRef": "RFC 9421 §3.2"
        },
        {
          "check": "private_key_material",
          "grade": "pass",
          "detail": "No private key material is exposed (public keys only).",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        }
      ],
      "keys": [
        {
          "kid": "Y0Y9KQtdCz1gcIsVphQKp2NTzb3O5K3UEdsra04nefk",
          "crv": "Ed25519",
          "kty": "OKP",
          "daysToExpiry": 104,
          "thumbprintMatches": true
        }
      ]
    },
    {
      "slug": "amazon-bedrock-agentcore-browser-eu-central-1",
      "name": "Amazon Bedrock AgentCore Browser (EU Central 1)",
      "operator": "Amazon",
      "kind": "AGENT",
      "category": "AI_ASSISTANT",
      "signatureAgentUrl": "https://o42g509c7dlj6.keydirectory.signer.eu-central-1.on.aws/.well-known/http-message-signatures-directory",
      "fetchOk": true,
      "httpStatus": 200,
      "attempts": 1,
      "transientErrors": [],
      "grade": "pass",
      "warnCount": 0,
      "failCount": 0,
      "findings": [
        {
          "check": "https",
          "grade": "pass",
          "detail": "Served over HTTPS.",
          "authority": "verifier-requirement"
        },
        {
          "check": "reachable",
          "grade": "pass",
          "detail": "Returned HTTP 200.",
          "authority": "verifier-requirement"
        },
        {
          "check": "not_redirected",
          "grade": "pass",
          "detail": "Served directly, no redirect.",
          "authority": "linter-opinion"
        },
        {
          "check": "well_known_path",
          "grade": "pass",
          "detail": "Served at the well-known path /.well-known/http-message-signatures-directory.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §7.1"
        },
        {
          "check": "content_type",
          "grade": "pass",
          "detail": "Content-Type is application/http-message-signatures-directory+json.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5"
        },
        {
          "check": "json_parse",
          "grade": "pass",
          "detail": "Body is valid JSON.",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "keys_present",
          "grade": "pass",
          "detail": "Directory publishes 1 key(s).",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "kty_okp",
          "grade": "pass",
          "detail": "All keys use key type \"OKP\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "crv_ed25519",
          "grade": "pass",
          "detail": "All keys use curve \"Ed25519\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "x_valid",
          "grade": "pass",
          "detail": "All public keys are valid 32-byte Ed25519 values.",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        },
        {
          "check": "thumbprint_kid",
          "grade": "pass",
          "detail": "All key IDs match their RFC 7638 thumbprint (a fingerprint of the key).",
          "authority": "linter-opinion",
          "specRef": "RFC 7638"
        },
        {
          "check": "unique_kids",
          "grade": "pass",
          "detail": "All key IDs are distinct.",
          "authority": "spec-should",
          "specRef": "RFC 7517 §4.5"
        },
        {
          "check": "cache_control",
          "grade": "pass",
          "detail": "Cache-Control is set (max-age=86400).",
          "authority": "linter-opinion"
        },
        {
          "check": "nbf_hygiene",
          "grade": "pass",
          "detail": "No key has a future not-before time.",
          "authority": "spec-should",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "exp_hygiene",
          "grade": "pass",
          "detail": "No key is expired or expiring within 14 days.",
          "authority": "linter-opinion",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "response_signature",
          "grade": "pass",
          "detail": "The directory response carries an HTTP-message signature.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_keyid_thumbprint",
          "grade": "pass",
          "detail": "The signature key ID is the RFC 7638 thumbprint (fingerprint) of a key advertised in this directory.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_tag",
          "grade": "pass",
          "detail": "The signature tag is \"http-message-signatures-directory\".",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_verified",
          "grade": "pass",
          "detail": "The directory-response signature is cryptographically valid (Ed25519).",
          "authority": "verifier-requirement",
          "specRef": "RFC 9421 §3.2"
        },
        {
          "check": "private_key_material",
          "grade": "pass",
          "detail": "No private key material is exposed (public keys only).",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        }
      ],
      "keys": [
        {
          "kid": "TsrJ6TOUfApTa8i55-urn-PEPQ595_PbNT-PdYH2jiQ",
          "crv": "Ed25519",
          "kty": "OKP",
          "daysToExpiry": 104,
          "thumbprintMatches": true
        }
      ]
    },
    {
      "slug": "amazon-bedrock-agentcore-browser-eu-west-1",
      "name": "Amazon Bedrock AgentCore Browser (EU West 1)",
      "operator": "Amazon",
      "kind": "AGENT",
      "category": "AI_ASSISTANT",
      "signatureAgentUrl": "https://c3drvlj8gw240.keydirectory.signer.eu-west-1.on.aws/.well-known/http-message-signatures-directory",
      "fetchOk": true,
      "httpStatus": 200,
      "attempts": 1,
      "transientErrors": [],
      "grade": "pass",
      "warnCount": 0,
      "failCount": 0,
      "findings": [
        {
          "check": "https",
          "grade": "pass",
          "detail": "Served over HTTPS.",
          "authority": "verifier-requirement"
        },
        {
          "check": "reachable",
          "grade": "pass",
          "detail": "Returned HTTP 200.",
          "authority": "verifier-requirement"
        },
        {
          "check": "not_redirected",
          "grade": "pass",
          "detail": "Served directly, no redirect.",
          "authority": "linter-opinion"
        },
        {
          "check": "well_known_path",
          "grade": "pass",
          "detail": "Served at the well-known path /.well-known/http-message-signatures-directory.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §7.1"
        },
        {
          "check": "content_type",
          "grade": "pass",
          "detail": "Content-Type is application/http-message-signatures-directory+json.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5"
        },
        {
          "check": "json_parse",
          "grade": "pass",
          "detail": "Body is valid JSON.",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "keys_present",
          "grade": "pass",
          "detail": "Directory publishes 1 key(s).",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "kty_okp",
          "grade": "pass",
          "detail": "All keys use key type \"OKP\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "crv_ed25519",
          "grade": "pass",
          "detail": "All keys use curve \"Ed25519\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "x_valid",
          "grade": "pass",
          "detail": "All public keys are valid 32-byte Ed25519 values.",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        },
        {
          "check": "thumbprint_kid",
          "grade": "pass",
          "detail": "All key IDs match their RFC 7638 thumbprint (a fingerprint of the key).",
          "authority": "linter-opinion",
          "specRef": "RFC 7638"
        },
        {
          "check": "unique_kids",
          "grade": "pass",
          "detail": "All key IDs are distinct.",
          "authority": "spec-should",
          "specRef": "RFC 7517 §4.5"
        },
        {
          "check": "cache_control",
          "grade": "pass",
          "detail": "Cache-Control is set (max-age=86400).",
          "authority": "linter-opinion"
        },
        {
          "check": "nbf_hygiene",
          "grade": "pass",
          "detail": "No key has a future not-before time.",
          "authority": "spec-should",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "exp_hygiene",
          "grade": "pass",
          "detail": "No key is expired or expiring within 14 days.",
          "authority": "linter-opinion",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "response_signature",
          "grade": "pass",
          "detail": "The directory response carries an HTTP-message signature.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_keyid_thumbprint",
          "grade": "pass",
          "detail": "The signature key ID is the RFC 7638 thumbprint (fingerprint) of a key advertised in this directory.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_tag",
          "grade": "pass",
          "detail": "The signature tag is \"http-message-signatures-directory\".",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_verified",
          "grade": "pass",
          "detail": "The directory-response signature is cryptographically valid (Ed25519).",
          "authority": "verifier-requirement",
          "specRef": "RFC 9421 §3.2"
        },
        {
          "check": "private_key_material",
          "grade": "pass",
          "detail": "No private key material is exposed (public keys only).",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        }
      ],
      "keys": [
        {
          "kid": "-l7uDo1b55AmqPB7lac2BLHl-MnhQOy2ccCuDhaiaEE",
          "crv": "Ed25519",
          "kty": "OKP",
          "daysToExpiry": 104,
          "thumbprintMatches": true
        }
      ]
    },
    {
      "slug": "amazon-bedrock-agentcore-browser-us-east",
      "name": "Amazon Bedrock AgentCore Browser (US East 1)",
      "operator": "Amazon",
      "kind": "AGENT",
      "category": "AI_ASSISTANT",
      "signatureAgentUrl": "https://xhah6q48pbxb4.keydirectory.signer.us-east-1.on.aws/.well-known/http-message-signatures-directory",
      "fetchOk": true,
      "httpStatus": 200,
      "attempts": 1,
      "transientErrors": [],
      "grade": "pass",
      "warnCount": 0,
      "failCount": 0,
      "findings": [
        {
          "check": "https",
          "grade": "pass",
          "detail": "Served over HTTPS.",
          "authority": "verifier-requirement"
        },
        {
          "check": "reachable",
          "grade": "pass",
          "detail": "Returned HTTP 200.",
          "authority": "verifier-requirement"
        },
        {
          "check": "not_redirected",
          "grade": "pass",
          "detail": "Served directly, no redirect.",
          "authority": "linter-opinion"
        },
        {
          "check": "well_known_path",
          "grade": "pass",
          "detail": "Served at the well-known path /.well-known/http-message-signatures-directory.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §7.1"
        },
        {
          "check": "content_type",
          "grade": "pass",
          "detail": "Content-Type is application/http-message-signatures-directory+json.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5"
        },
        {
          "check": "json_parse",
          "grade": "pass",
          "detail": "Body is valid JSON.",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "keys_present",
          "grade": "pass",
          "detail": "Directory publishes 1 key(s).",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "kty_okp",
          "grade": "pass",
          "detail": "All keys use key type \"OKP\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "crv_ed25519",
          "grade": "pass",
          "detail": "All keys use curve \"Ed25519\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "x_valid",
          "grade": "pass",
          "detail": "All public keys are valid 32-byte Ed25519 values.",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        },
        {
          "check": "thumbprint_kid",
          "grade": "pass",
          "detail": "All key IDs match their RFC 7638 thumbprint (a fingerprint of the key).",
          "authority": "linter-opinion",
          "specRef": "RFC 7638"
        },
        {
          "check": "unique_kids",
          "grade": "pass",
          "detail": "All key IDs are distinct.",
          "authority": "spec-should",
          "specRef": "RFC 7517 §4.5"
        },
        {
          "check": "cache_control",
          "grade": "pass",
          "detail": "Cache-Control is set (max-age=86400).",
          "authority": "linter-opinion"
        },
        {
          "check": "nbf_hygiene",
          "grade": "pass",
          "detail": "No key has a future not-before time.",
          "authority": "spec-should",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "exp_hygiene",
          "grade": "pass",
          "detail": "No key is expired or expiring within 14 days.",
          "authority": "linter-opinion",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "response_signature",
          "grade": "pass",
          "detail": "The directory response carries an HTTP-message signature.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_keyid_thumbprint",
          "grade": "pass",
          "detail": "The signature key ID is the RFC 7638 thumbprint (fingerprint) of a key advertised in this directory.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_tag",
          "grade": "pass",
          "detail": "The signature tag is \"http-message-signatures-directory\".",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_verified",
          "grade": "pass",
          "detail": "The directory-response signature is cryptographically valid (Ed25519).",
          "authority": "verifier-requirement",
          "specRef": "RFC 9421 §3.2"
        },
        {
          "check": "private_key_material",
          "grade": "pass",
          "detail": "No private key material is exposed (public keys only).",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        }
      ],
      "keys": [
        {
          "kid": "70pdwksCIzTDt7zCZoqGouPcD476nwNoWQNNTmN5bl8",
          "crv": "Ed25519",
          "kty": "OKP",
          "daysToExpiry": 104,
          "thumbprintMatches": true
        }
      ]
    },
    {
      "slug": "amazon-bedrock-agentcore-browser-us-east-2",
      "name": "Amazon Bedrock AgentCore Browser (US East 2)",
      "operator": "Amazon",
      "kind": "AGENT",
      "category": "AI_ASSISTANT",
      "signatureAgentUrl": "https://ogtj5xdh5udp4.keydirectory.signer.us-east-2.on.aws/.well-known/http-message-signatures-directory",
      "fetchOk": true,
      "httpStatus": 200,
      "attempts": 1,
      "transientErrors": [],
      "grade": "pass",
      "warnCount": 0,
      "failCount": 0,
      "findings": [
        {
          "check": "https",
          "grade": "pass",
          "detail": "Served over HTTPS.",
          "authority": "verifier-requirement"
        },
        {
          "check": "reachable",
          "grade": "pass",
          "detail": "Returned HTTP 200.",
          "authority": "verifier-requirement"
        },
        {
          "check": "not_redirected",
          "grade": "pass",
          "detail": "Served directly, no redirect.",
          "authority": "linter-opinion"
        },
        {
          "check": "well_known_path",
          "grade": "pass",
          "detail": "Served at the well-known path /.well-known/http-message-signatures-directory.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §7.1"
        },
        {
          "check": "content_type",
          "grade": "pass",
          "detail": "Content-Type is application/http-message-signatures-directory+json.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5"
        },
        {
          "check": "json_parse",
          "grade": "pass",
          "detail": "Body is valid JSON.",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "keys_present",
          "grade": "pass",
          "detail": "Directory publishes 1 key(s).",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "kty_okp",
          "grade": "pass",
          "detail": "All keys use key type \"OKP\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "crv_ed25519",
          "grade": "pass",
          "detail": "All keys use curve \"Ed25519\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "x_valid",
          "grade": "pass",
          "detail": "All public keys are valid 32-byte Ed25519 values.",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        },
        {
          "check": "thumbprint_kid",
          "grade": "pass",
          "detail": "All key IDs match their RFC 7638 thumbprint (a fingerprint of the key).",
          "authority": "linter-opinion",
          "specRef": "RFC 7638"
        },
        {
          "check": "unique_kids",
          "grade": "pass",
          "detail": "All key IDs are distinct.",
          "authority": "spec-should",
          "specRef": "RFC 7517 §4.5"
        },
        {
          "check": "cache_control",
          "grade": "pass",
          "detail": "Cache-Control is set (max-age=86400).",
          "authority": "linter-opinion"
        },
        {
          "check": "nbf_hygiene",
          "grade": "pass",
          "detail": "No key has a future not-before time.",
          "authority": "spec-should",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "exp_hygiene",
          "grade": "pass",
          "detail": "No key is expired or expiring within 14 days.",
          "authority": "linter-opinion",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "response_signature",
          "grade": "pass",
          "detail": "The directory response carries an HTTP-message signature.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_keyid_thumbprint",
          "grade": "pass",
          "detail": "The signature key ID is the RFC 7638 thumbprint (fingerprint) of a key advertised in this directory.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_tag",
          "grade": "pass",
          "detail": "The signature tag is \"http-message-signatures-directory\".",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_verified",
          "grade": "pass",
          "detail": "The directory-response signature is cryptographically valid (Ed25519).",
          "authority": "verifier-requirement",
          "specRef": "RFC 9421 §3.2"
        },
        {
          "check": "private_key_material",
          "grade": "pass",
          "detail": "No private key material is exposed (public keys only).",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        }
      ],
      "keys": [
        {
          "kid": "83VamJGFEN-sjc3IKBA7_biG5zyJ1E6gA63ujKlCex4",
          "crv": "Ed25519",
          "kty": "OKP",
          "daysToExpiry": 104,
          "thumbprintMatches": true
        }
      ]
    },
    {
      "slug": "amazon-bedrock-agentcore-browser-us-west",
      "name": "Amazon Bedrock AgentCore Browser (US West 2)",
      "operator": "Amazon",
      "kind": "AGENT",
      "category": "AI_ASSISTANT",
      "signatureAgentUrl": "https://bxtrz00tv0lm1.keydirectory.signer.us-west-2.on.aws/.well-known/http-message-signatures-directory",
      "fetchOk": true,
      "httpStatus": 200,
      "attempts": 1,
      "transientErrors": [],
      "grade": "pass",
      "warnCount": 0,
      "failCount": 0,
      "findings": [
        {
          "check": "https",
          "grade": "pass",
          "detail": "Served over HTTPS.",
          "authority": "verifier-requirement"
        },
        {
          "check": "reachable",
          "grade": "pass",
          "detail": "Returned HTTP 200.",
          "authority": "verifier-requirement"
        },
        {
          "check": "not_redirected",
          "grade": "pass",
          "detail": "Served directly, no redirect.",
          "authority": "linter-opinion"
        },
        {
          "check": "well_known_path",
          "grade": "pass",
          "detail": "Served at the well-known path /.well-known/http-message-signatures-directory.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §7.1"
        },
        {
          "check": "content_type",
          "grade": "pass",
          "detail": "Content-Type is application/http-message-signatures-directory+json.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5"
        },
        {
          "check": "json_parse",
          "grade": "pass",
          "detail": "Body is valid JSON.",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "keys_present",
          "grade": "pass",
          "detail": "Directory publishes 1 key(s).",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "kty_okp",
          "grade": "pass",
          "detail": "All keys use key type \"OKP\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "crv_ed25519",
          "grade": "pass",
          "detail": "All keys use curve \"Ed25519\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "x_valid",
          "grade": "pass",
          "detail": "All public keys are valid 32-byte Ed25519 values.",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        },
        {
          "check": "thumbprint_kid",
          "grade": "pass",
          "detail": "All key IDs match their RFC 7638 thumbprint (a fingerprint of the key).",
          "authority": "linter-opinion",
          "specRef": "RFC 7638"
        },
        {
          "check": "unique_kids",
          "grade": "pass",
          "detail": "All key IDs are distinct.",
          "authority": "spec-should",
          "specRef": "RFC 7517 §4.5"
        },
        {
          "check": "cache_control",
          "grade": "pass",
          "detail": "Cache-Control is set (max-age=86400).",
          "authority": "linter-opinion"
        },
        {
          "check": "nbf_hygiene",
          "grade": "pass",
          "detail": "No key has a future not-before time.",
          "authority": "spec-should",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "exp_hygiene",
          "grade": "pass",
          "detail": "No key is expired or expiring within 14 days.",
          "authority": "linter-opinion",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "response_signature",
          "grade": "pass",
          "detail": "The directory response carries an HTTP-message signature.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_keyid_thumbprint",
          "grade": "pass",
          "detail": "The signature key ID is the RFC 7638 thumbprint (fingerprint) of a key advertised in this directory.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_tag",
          "grade": "pass",
          "detail": "The signature tag is \"http-message-signatures-directory\".",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_verified",
          "grade": "pass",
          "detail": "The directory-response signature is cryptographically valid (Ed25519).",
          "authority": "verifier-requirement",
          "specRef": "RFC 9421 §3.2"
        },
        {
          "check": "private_key_material",
          "grade": "pass",
          "detail": "No private key material is exposed (public keys only).",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        }
      ],
      "keys": [
        {
          "kid": "tmNl1zQSgQd9rE8cncbX_Ug2nvq6V38ThzavfvT_DPM",
          "crv": "Ed25519",
          "kty": "OKP",
          "daysToExpiry": 104,
          "thumbprintMatches": true
        }
      ]
    },
    {
      "slug": "anchor-browser",
      "name": "Anchor Browser",
      "operator": "Anchor",
      "kind": "AGENT",
      "category": "AI_CRAWLER",
      "signatureAgentUrl": "https://api.anchorbrowser.io/.well-known/http-message-signatures-directory",
      "fetchOk": true,
      "httpStatus": 200,
      "attempts": 1,
      "transientErrors": [],
      "grade": "pass",
      "warnCount": 0,
      "failCount": 0,
      "findings": [
        {
          "check": "https",
          "grade": "pass",
          "detail": "Served over HTTPS.",
          "authority": "verifier-requirement"
        },
        {
          "check": "reachable",
          "grade": "pass",
          "detail": "Returned HTTP 200.",
          "authority": "verifier-requirement"
        },
        {
          "check": "not_redirected",
          "grade": "pass",
          "detail": "Served directly, no redirect.",
          "authority": "linter-opinion"
        },
        {
          "check": "well_known_path",
          "grade": "pass",
          "detail": "Served at the well-known path /.well-known/http-message-signatures-directory.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §7.1"
        },
        {
          "check": "content_type",
          "grade": "pass",
          "detail": "Content-Type is application/http-message-signatures-directory+json.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5"
        },
        {
          "check": "json_parse",
          "grade": "pass",
          "detail": "Body is valid JSON.",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "keys_present",
          "grade": "pass",
          "detail": "Directory publishes 1 key(s).",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "kty_okp",
          "grade": "pass",
          "detail": "All keys use key type \"OKP\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "crv_ed25519",
          "grade": "pass",
          "detail": "All keys use curve \"Ed25519\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "x_valid",
          "grade": "pass",
          "detail": "All public keys are valid 32-byte Ed25519 values.",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        },
        {
          "check": "thumbprint_kid",
          "grade": "pass",
          "detail": "All key IDs match their RFC 7638 thumbprint (a fingerprint of the key).",
          "authority": "linter-opinion",
          "specRef": "RFC 7638"
        },
        {
          "check": "unique_kids",
          "grade": "pass",
          "detail": "All key IDs are distinct.",
          "authority": "spec-should",
          "specRef": "RFC 7517 §4.5"
        },
        {
          "check": "cache_control",
          "grade": "pass",
          "detail": "Cache-Control is set (max-age=86400).",
          "authority": "linter-opinion"
        },
        {
          "check": "nbf_hygiene",
          "grade": "pass",
          "detail": "No key has a future not-before time.",
          "authority": "spec-should",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "exp_hygiene",
          "grade": "pass",
          "detail": "No key is expired or expiring within 14 days.",
          "authority": "linter-opinion",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "response_signature",
          "grade": "pass",
          "detail": "The directory response carries an HTTP-message signature.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_keyid_thumbprint",
          "grade": "pass",
          "detail": "The signature key ID is the RFC 7638 thumbprint (fingerprint) of a key advertised in this directory.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_tag",
          "grade": "pass",
          "detail": "The signature tag is \"http-message-signatures-directory\".",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_verified",
          "grade": "pass",
          "detail": "The directory-response signature is cryptographically valid (Ed25519).",
          "authority": "verifier-requirement",
          "specRef": "RFC 9421 §3.2"
        },
        {
          "check": "private_key_material",
          "grade": "pass",
          "detail": "No private key material is exposed (public keys only).",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        }
      ],
      "keys": [
        {
          "kid": "xA8MxwyS5igwFnAlQQ7Rnu2D4hDE0QqjQIKAQ51JQpU",
          "crv": "Ed25519",
          "kty": "OKP",
          "daysToExpiry": null,
          "thumbprintMatches": true
        }
      ]
    },
    {
      "slug": "apify-website-content-crawler",
      "name": "Apify Website Content Crawler",
      "operator": "Apify",
      "kind": "AGENT",
      "category": "AI_ASSISTANT",
      "signatureAgentUrl": "https://api.apify.com/.well-known/http-message-signatures-directory",
      "fetchOk": true,
      "httpStatus": 200,
      "attempts": 1,
      "transientErrors": [],
      "grade": "pass_warn",
      "warnCount": 1,
      "failCount": 0,
      "findings": [
        {
          "check": "https",
          "grade": "pass",
          "detail": "Served over HTTPS.",
          "authority": "verifier-requirement"
        },
        {
          "check": "reachable",
          "grade": "pass",
          "detail": "Returned HTTP 200.",
          "authority": "verifier-requirement"
        },
        {
          "check": "not_redirected",
          "grade": "pass",
          "detail": "Served directly, no redirect.",
          "authority": "linter-opinion"
        },
        {
          "check": "well_known_path",
          "grade": "pass",
          "detail": "Served at the well-known path /.well-known/http-message-signatures-directory.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §7.1"
        },
        {
          "check": "content_type",
          "grade": "pass",
          "detail": "Content-Type is application/http-message-signatures-directory+json.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5"
        },
        {
          "check": "json_parse",
          "grade": "pass",
          "detail": "Body is valid JSON.",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "keys_present",
          "grade": "pass",
          "detail": "Directory publishes 1 key(s).",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "kty_okp",
          "grade": "pass",
          "detail": "All keys use key type \"OKP\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "crv_ed25519",
          "grade": "pass",
          "detail": "All keys use curve \"Ed25519\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "x_valid",
          "grade": "pass",
          "detail": "All public keys are valid 32-byte Ed25519 values.",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        },
        {
          "check": "thumbprint_kid",
          "grade": "pass",
          "detail": "All key IDs match their RFC 7638 thumbprint (a fingerprint of the key).",
          "authority": "linter-opinion",
          "specRef": "RFC 7638"
        },
        {
          "check": "unique_kids",
          "grade": "pass",
          "detail": "All key IDs are distinct.",
          "authority": "spec-should",
          "specRef": "RFC 7517 §4.5"
        },
        {
          "check": "cache_control",
          "grade": "warn",
          "detail": "No Cache-Control header. Add one so verifiers can cache the directory instead of refetching every time.",
          "authority": "linter-opinion"
        },
        {
          "check": "nbf_hygiene",
          "grade": "pass",
          "detail": "No key has a future not-before time.",
          "authority": "spec-should",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "exp_hygiene",
          "grade": "pass",
          "detail": "No key is expired or expiring within 14 days.",
          "authority": "linter-opinion",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "response_signature",
          "grade": "pass",
          "detail": "The directory response carries an HTTP-message signature.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_keyid_thumbprint",
          "grade": "pass",
          "detail": "The signature key ID is the RFC 7638 thumbprint (fingerprint) of a key advertised in this directory.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_tag",
          "grade": "pass",
          "detail": "The signature tag is \"http-message-signatures-directory\".",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_verified",
          "grade": "pass",
          "detail": "The directory-response signature is cryptographically valid (Ed25519).",
          "authority": "verifier-requirement",
          "specRef": "RFC 9421 §3.2"
        },
        {
          "check": "private_key_material",
          "grade": "pass",
          "detail": "No private key material is exposed (public keys only).",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        }
      ],
      "keys": [
        {
          "kid": "S5tJGJhYnre3a4qJE7nUArtrp0HpMJERoDKLpT_qUNg",
          "crv": "Ed25519",
          "kty": "OKP",
          "daysToExpiry": null,
          "thumbprintMatches": true
        }
      ]
    },
    {
      "slug": "arachnid-shield-api",
      "name": "Arachnid Shield API",
      "operator": "Canadian Centre for Child Protection",
      "kind": "AGENT",
      "category": "SECURITY",
      "signatureAgentUrl": "https://projectarachnid.com/.well-known/http-message-signatures-directory",
      "fetchOk": true,
      "httpStatus": 200,
      "attempts": 1,
      "transientErrors": [],
      "grade": "pass_warn",
      "warnCount": 2,
      "failCount": 0,
      "findings": [
        {
          "check": "https",
          "grade": "pass",
          "detail": "Served over HTTPS.",
          "authority": "verifier-requirement"
        },
        {
          "check": "reachable",
          "grade": "pass",
          "detail": "Returned HTTP 200.",
          "authority": "verifier-requirement"
        },
        {
          "check": "not_redirected",
          "grade": "pass",
          "detail": "Served directly, no redirect.",
          "authority": "linter-opinion"
        },
        {
          "check": "well_known_path",
          "grade": "pass",
          "detail": "Served at the well-known path /.well-known/http-message-signatures-directory.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §7.1"
        },
        {
          "check": "content_type",
          "grade": "pass",
          "detail": "Content-Type is application/http-message-signatures-directory+json.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5"
        },
        {
          "check": "json_parse",
          "grade": "pass",
          "detail": "Body is valid JSON.",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "keys_present",
          "grade": "pass",
          "detail": "Directory publishes 1 key(s).",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "kty_okp",
          "grade": "pass",
          "detail": "All keys use key type \"OKP\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "crv_ed25519",
          "grade": "pass",
          "detail": "All keys use curve \"Ed25519\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "x_valid",
          "grade": "pass",
          "detail": "All public keys are valid 32-byte Ed25519 values.",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        },
        {
          "check": "thumbprint_kid",
          "grade": "warn",
          "detail": "Key ID is not the RFC 7638 thumbprint of the key (a fingerprint some verifiers expect the kid to equal); still valid, some verifiers use opaque IDs: key #1.",
          "authority": "linter-opinion",
          "specRef": "RFC 7638"
        },
        {
          "check": "unique_kids",
          "grade": "pass",
          "detail": "All key IDs are distinct.",
          "authority": "spec-should",
          "specRef": "RFC 7517 §4.5"
        },
        {
          "check": "cache_control",
          "grade": "warn",
          "detail": "No Cache-Control header. Add one so verifiers can cache the directory instead of refetching every time.",
          "authority": "linter-opinion"
        },
        {
          "check": "nbf_hygiene",
          "grade": "pass",
          "detail": "No key has a future not-before time.",
          "authority": "spec-should",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "exp_hygiene",
          "grade": "pass",
          "detail": "No key is expired or expiring within 14 days.",
          "authority": "linter-opinion",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "response_signature",
          "grade": "pass",
          "detail": "The directory response carries an HTTP-message signature.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_keyid_thumbprint",
          "grade": "pass",
          "detail": "The signature key ID is the RFC 7638 thumbprint (fingerprint) of a key advertised in this directory.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_tag",
          "grade": "pass",
          "detail": "The signature tag is \"http-message-signatures-directory\".",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_verified",
          "grade": "pass",
          "detail": "The directory-response signature is cryptographically valid (Ed25519).",
          "authority": "verifier-requirement",
          "specRef": "RFC 9421 §3.2"
        },
        {
          "check": "private_key_material",
          "grade": "pass",
          "detail": "No private key material is exposed (public keys only).",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        }
      ],
      "keys": [
        {
          "kid": null,
          "crv": "Ed25519",
          "kty": "OKP",
          "daysToExpiry": null,
          "thumbprintMatches": false
        }
      ]
    },
    {
      "slug": "artsdata-crawler",
      "name": "Artsdata Crawler",
      "operator": "Culture Creates",
      "kind": "BOT",
      "category": "AGGREGATOR",
      "signatureAgentUrl": "https://kg.artsdata.ca/.well-known/http-message-signatures-directory",
      "fetchOk": true,
      "httpStatus": 200,
      "attempts": 1,
      "transientErrors": [],
      "grade": "pass_warn",
      "warnCount": 1,
      "failCount": 0,
      "findings": [
        {
          "check": "https",
          "grade": "pass",
          "detail": "Served over HTTPS.",
          "authority": "verifier-requirement"
        },
        {
          "check": "reachable",
          "grade": "pass",
          "detail": "Returned HTTP 200.",
          "authority": "verifier-requirement"
        },
        {
          "check": "not_redirected",
          "grade": "pass",
          "detail": "Served directly, no redirect.",
          "authority": "linter-opinion"
        },
        {
          "check": "well_known_path",
          "grade": "pass",
          "detail": "Served at the well-known path /.well-known/http-message-signatures-directory.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §7.1"
        },
        {
          "check": "content_type",
          "grade": "pass",
          "detail": "Content-Type is application/http-message-signatures-directory+json.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5"
        },
        {
          "check": "json_parse",
          "grade": "pass",
          "detail": "Body is valid JSON.",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "keys_present",
          "grade": "pass",
          "detail": "Directory publishes 1 key(s).",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "kty_okp",
          "grade": "pass",
          "detail": "All keys use key type \"OKP\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "crv_ed25519",
          "grade": "pass",
          "detail": "All keys use curve \"Ed25519\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "x_valid",
          "grade": "pass",
          "detail": "All public keys are valid 32-byte Ed25519 values.",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        },
        {
          "check": "thumbprint_kid",
          "grade": "warn",
          "detail": "Key ID is not the RFC 7638 thumbprint of the key (a fingerprint some verifiers expect the kid to equal); still valid, some verifiers use opaque IDs: key #1.",
          "authority": "linter-opinion",
          "specRef": "RFC 7638"
        },
        {
          "check": "unique_kids",
          "grade": "pass",
          "detail": "All key IDs are distinct.",
          "authority": "spec-should",
          "specRef": "RFC 7517 §4.5"
        },
        {
          "check": "cache_control",
          "grade": "pass",
          "detail": "Cache-Control is set (max-age=86400, private).",
          "authority": "linter-opinion"
        },
        {
          "check": "nbf_hygiene",
          "grade": "pass",
          "detail": "No key has a future not-before time.",
          "authority": "spec-should",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "exp_hygiene",
          "grade": "pass",
          "detail": "No key is expired or expiring within 14 days.",
          "authority": "linter-opinion",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "response_signature",
          "grade": "pass",
          "detail": "The directory response carries an HTTP-message signature.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_keyid_thumbprint",
          "grade": "pass",
          "detail": "The signature key ID is the RFC 7638 thumbprint (fingerprint) of a key advertised in this directory.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_tag",
          "grade": "pass",
          "detail": "The signature tag is \"http-message-signatures-directory\".",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_verified",
          "grade": "pass",
          "detail": "The directory-response signature is cryptographically valid (Ed25519).",
          "authority": "verifier-requirement",
          "specRef": "RFC 9421 §3.2"
        },
        {
          "check": "private_key_material",
          "grade": "pass",
          "detail": "No private key material is exposed (public keys only).",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        }
      ],
      "keys": [
        {
          "kid": null,
          "crv": "Ed25519",
          "kty": "OKP",
          "daysToExpiry": null,
          "thumbprintMatches": false
        }
      ]
    },
    {
      "slug": "audd",
      "name": "AudD",
      "operator": "AudD, LLC",
      "kind": "BOT",
      "category": "OTHER",
      "signatureAgentUrl": "https://audd.io/.well-known/http-message-signatures-directory",
      "fetchOk": true,
      "httpStatus": 200,
      "attempts": 1,
      "transientErrors": [],
      "grade": "pass_warn",
      "warnCount": 1,
      "failCount": 0,
      "findings": [
        {
          "check": "https",
          "grade": "pass",
          "detail": "Served over HTTPS.",
          "authority": "verifier-requirement"
        },
        {
          "check": "reachable",
          "grade": "pass",
          "detail": "Returned HTTP 200.",
          "authority": "verifier-requirement"
        },
        {
          "check": "not_redirected",
          "grade": "pass",
          "detail": "Served directly, no redirect.",
          "authority": "linter-opinion"
        },
        {
          "check": "well_known_path",
          "grade": "pass",
          "detail": "Served at the well-known path /.well-known/http-message-signatures-directory.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §7.1"
        },
        {
          "check": "content_type",
          "grade": "pass",
          "detail": "Content-Type is application/http-message-signatures-directory+json.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5"
        },
        {
          "check": "json_parse",
          "grade": "pass",
          "detail": "Body is valid JSON.",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "keys_present",
          "grade": "pass",
          "detail": "Directory publishes 1 key(s).",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "kty_okp",
          "grade": "pass",
          "detail": "All keys use key type \"OKP\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "crv_ed25519",
          "grade": "pass",
          "detail": "All keys use curve \"Ed25519\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "x_valid",
          "grade": "pass",
          "detail": "All public keys are valid 32-byte Ed25519 values.",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        },
        {
          "check": "thumbprint_kid",
          "grade": "warn",
          "detail": "Key ID is not the RFC 7638 thumbprint of the key (a fingerprint some verifiers expect the kid to equal); still valid, some verifiers use opaque IDs: key #1.",
          "authority": "linter-opinion",
          "specRef": "RFC 7638"
        },
        {
          "check": "unique_kids",
          "grade": "pass",
          "detail": "All key IDs are distinct.",
          "authority": "spec-should",
          "specRef": "RFC 7517 §4.5"
        },
        {
          "check": "cache_control",
          "grade": "pass",
          "detail": "Cache-Control is set (max-age=86400).",
          "authority": "linter-opinion"
        },
        {
          "check": "nbf_hygiene",
          "grade": "pass",
          "detail": "No key has a future not-before time.",
          "authority": "spec-should",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "exp_hygiene",
          "grade": "pass",
          "detail": "No key is expired or expiring within 14 days.",
          "authority": "linter-opinion",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "response_signature",
          "grade": "pass",
          "detail": "The directory response carries an HTTP-message signature.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_keyid_thumbprint",
          "grade": "pass",
          "detail": "The signature key ID is the RFC 7638 thumbprint (fingerprint) of a key advertised in this directory.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_tag",
          "grade": "pass",
          "detail": "The signature tag is \"http-message-signatures-directory\".",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_verified",
          "grade": "pass",
          "detail": "The directory-response signature is cryptographically valid (Ed25519).",
          "authority": "verifier-requirement",
          "specRef": "RFC 9421 §3.2"
        },
        {
          "check": "private_key_material",
          "grade": "pass",
          "detail": "No private key material is exposed (public keys only).",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        }
      ],
      "keys": [
        {
          "kid": null,
          "crv": "Ed25519",
          "kty": "OKP",
          "daysToExpiry": null,
          "thumbprintMatches": false
        }
      ]
    },
    {
      "slug": "browserbase",
      "name": "Browserbase",
      "operator": "Browserbase",
      "kind": "AGENT",
      "category": "AI_ASSISTANT",
      "signatureAgentUrl": "https://www.browserbase.com/.well-known/http-message-signatures-directory",
      "fetchOk": true,
      "httpStatus": 200,
      "attempts": 1,
      "transientErrors": [],
      "grade": "pass",
      "warnCount": 0,
      "failCount": 0,
      "findings": [
        {
          "check": "https",
          "grade": "pass",
          "detail": "Served over HTTPS.",
          "authority": "verifier-requirement"
        },
        {
          "check": "reachable",
          "grade": "pass",
          "detail": "Returned HTTP 200.",
          "authority": "verifier-requirement"
        },
        {
          "check": "not_redirected",
          "grade": "pass",
          "detail": "Served directly, no redirect.",
          "authority": "linter-opinion"
        },
        {
          "check": "well_known_path",
          "grade": "pass",
          "detail": "Served at the well-known path /.well-known/http-message-signatures-directory.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §7.1"
        },
        {
          "check": "content_type",
          "grade": "pass",
          "detail": "Content-Type is application/http-message-signatures-directory+json.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5"
        },
        {
          "check": "json_parse",
          "grade": "pass",
          "detail": "Body is valid JSON.",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "keys_present",
          "grade": "pass",
          "detail": "Directory publishes 2 key(s).",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "kty_okp",
          "grade": "pass",
          "detail": "All keys use key type \"OKP\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "crv_ed25519",
          "grade": "pass",
          "detail": "All keys use curve \"Ed25519\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "x_valid",
          "grade": "pass",
          "detail": "All public keys are valid 32-byte Ed25519 values.",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        },
        {
          "check": "thumbprint_kid",
          "grade": "pass",
          "detail": "All key IDs match their RFC 7638 thumbprint (a fingerprint of the key).",
          "authority": "linter-opinion",
          "specRef": "RFC 7638"
        },
        {
          "check": "unique_kids",
          "grade": "pass",
          "detail": "All key IDs are distinct.",
          "authority": "spec-should",
          "specRef": "RFC 7517 §4.5"
        },
        {
          "check": "cache_control",
          "grade": "pass",
          "detail": "Cache-Control is set (public, max-age=3600).",
          "authority": "linter-opinion"
        },
        {
          "check": "nbf_hygiene",
          "grade": "pass",
          "detail": "No key has a future not-before time.",
          "authority": "spec-should",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "exp_hygiene",
          "grade": "pass",
          "detail": "No key is expired or expiring within 14 days.",
          "authority": "linter-opinion",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "response_signature",
          "grade": "pass",
          "detail": "The directory response carries an HTTP-message signature.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_keyid_thumbprint",
          "grade": "pass",
          "detail": "The signature key ID is the RFC 7638 thumbprint (fingerprint) of a key advertised in this directory.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_tag",
          "grade": "pass",
          "detail": "The signature tag is \"http-message-signatures-directory\".",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_verified",
          "grade": "pass",
          "detail": "The directory-response signature is cryptographically valid (Ed25519).",
          "authority": "verifier-requirement",
          "specRef": "RFC 9421 §3.2"
        },
        {
          "check": "private_key_material",
          "grade": "pass",
          "detail": "No private key material is exposed (public keys only).",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        }
      ],
      "keys": [
        {
          "kid": "Yh_bzcdYulhUOBmhM5a5sEgtAapL1qo-vq_9yC1udAk",
          "crv": "Ed25519",
          "kty": "OKP",
          "daysToExpiry": null,
          "thumbprintMatches": true
        },
        {
          "kid": "3_MoXQC4LiHisq40Zx-Ru0YAuzNz2F0HrXk26NKpyhg",
          "crv": "Ed25519",
          "kty": "OKP",
          "daysToExpiry": null,
          "thumbprintMatches": true
        }
      ]
    },
    {
      "slug": "brynson-compliance-bot",
      "name": "Brynson Compliance Bot",
      "operator": "Brynson",
      "kind": "AGENT",
      "category": "MONITORING_AND_ANALYTICS",
      "signatureAgentUrl": "https://brynsights.brynson.com/.well-known/http-message-signatures-directory",
      "fetchOk": true,
      "httpStatus": 200,
      "attempts": 1,
      "transientErrors": [],
      "grade": "pass",
      "warnCount": 0,
      "failCount": 0,
      "findings": [
        {
          "check": "https",
          "grade": "pass",
          "detail": "Served over HTTPS.",
          "authority": "verifier-requirement"
        },
        {
          "check": "reachable",
          "grade": "pass",
          "detail": "Returned HTTP 200.",
          "authority": "verifier-requirement"
        },
        {
          "check": "not_redirected",
          "grade": "pass",
          "detail": "Served directly, no redirect.",
          "authority": "linter-opinion"
        },
        {
          "check": "well_known_path",
          "grade": "pass",
          "detail": "Served at the well-known path /.well-known/http-message-signatures-directory.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §7.1"
        },
        {
          "check": "content_type",
          "grade": "pass",
          "detail": "Content-Type is application/http-message-signatures-directory+json.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5"
        },
        {
          "check": "json_parse",
          "grade": "pass",
          "detail": "Body is valid JSON.",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "keys_present",
          "grade": "pass",
          "detail": "Directory publishes 1 key(s).",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "kty_okp",
          "grade": "pass",
          "detail": "All keys use key type \"OKP\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "crv_ed25519",
          "grade": "pass",
          "detail": "All keys use curve \"Ed25519\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "x_valid",
          "grade": "pass",
          "detail": "All public keys are valid 32-byte Ed25519 values.",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        },
        {
          "check": "thumbprint_kid",
          "grade": "pass",
          "detail": "All key IDs match their RFC 7638 thumbprint (a fingerprint of the key).",
          "authority": "linter-opinion",
          "specRef": "RFC 7638"
        },
        {
          "check": "unique_kids",
          "grade": "pass",
          "detail": "All key IDs are distinct.",
          "authority": "spec-should",
          "specRef": "RFC 7517 §4.5"
        },
        {
          "check": "cache_control",
          "grade": "pass",
          "detail": "Cache-Control is set (max-age=86400, private).",
          "authority": "linter-opinion"
        },
        {
          "check": "nbf_hygiene",
          "grade": "pass",
          "detail": "No key has a future not-before time.",
          "authority": "spec-should",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "exp_hygiene",
          "grade": "pass",
          "detail": "No key is expired or expiring within 14 days.",
          "authority": "linter-opinion",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "response_signature",
          "grade": "pass",
          "detail": "The directory response carries an HTTP-message signature.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_keyid_thumbprint",
          "grade": "pass",
          "detail": "The signature key ID is the RFC 7638 thumbprint (fingerprint) of a key advertised in this directory.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_tag",
          "grade": "pass",
          "detail": "The signature tag is \"http-message-signatures-directory\".",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_verified",
          "grade": "pass",
          "detail": "The directory-response signature is cryptographically valid (Ed25519).",
          "authority": "verifier-requirement",
          "specRef": "RFC 9421 §3.2"
        },
        {
          "check": "private_key_material",
          "grade": "pass",
          "detail": "No private key material is exposed (public keys only).",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        }
      ],
      "keys": [
        {
          "kid": "lkZ9PQEO5hyTKZ2dAgKAdm-VROhJ7C8A1Fr1b0fW2nA",
          "crv": "Ed25519",
          "kty": "OKP",
          "daysToExpiry": null,
          "thumbprintMatches": true
        }
      ]
    },
    {
      "slug": "builtwith",
      "name": "BuiltWith",
      "operator": "BuiltWith",
      "kind": "BOT",
      "category": "MONITORING_AND_ANALYTICS",
      "signatureAgentUrl": "https://builtwith.com/.well-known/http-message-signatures-directory",
      "fetchOk": true,
      "httpStatus": 200,
      "attempts": 1,
      "transientErrors": [],
      "grade": "pass_warn",
      "warnCount": 2,
      "failCount": 0,
      "findings": [
        {
          "check": "https",
          "grade": "pass",
          "detail": "Served over HTTPS.",
          "authority": "verifier-requirement"
        },
        {
          "check": "reachable",
          "grade": "pass",
          "detail": "Returned HTTP 200.",
          "authority": "verifier-requirement"
        },
        {
          "check": "not_redirected",
          "grade": "pass",
          "detail": "Served directly, no redirect.",
          "authority": "linter-opinion"
        },
        {
          "check": "well_known_path",
          "grade": "pass",
          "detail": "Served at the well-known path /.well-known/http-message-signatures-directory.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §7.1"
        },
        {
          "check": "content_type",
          "grade": "pass",
          "detail": "Content-Type is application/http-message-signatures-directory+json.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5"
        },
        {
          "check": "json_parse",
          "grade": "pass",
          "detail": "Body is valid JSON.",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "keys_present",
          "grade": "pass",
          "detail": "Directory publishes 1 key(s).",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "kty_okp",
          "grade": "pass",
          "detail": "All keys use key type \"OKP\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "crv_ed25519",
          "grade": "pass",
          "detail": "All keys use curve \"Ed25519\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "x_valid",
          "grade": "pass",
          "detail": "All public keys are valid 32-byte Ed25519 values.",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        },
        {
          "check": "thumbprint_kid",
          "grade": "warn",
          "detail": "Key ID is not the RFC 7638 thumbprint of the key (a fingerprint some verifiers expect the kid to equal); still valid, some verifiers use opaque IDs: key #1.",
          "authority": "linter-opinion",
          "specRef": "RFC 7638"
        },
        {
          "check": "unique_kids",
          "grade": "pass",
          "detail": "All key IDs are distinct.",
          "authority": "spec-should",
          "specRef": "RFC 7517 §4.5"
        },
        {
          "check": "cache_control",
          "grade": "warn",
          "detail": "Cache-Control \"private\" has no positive max-age. Add one so verifiers can cache the directory.",
          "authority": "linter-opinion"
        },
        {
          "check": "nbf_hygiene",
          "grade": "pass",
          "detail": "No key has a future not-before time.",
          "authority": "spec-should",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "exp_hygiene",
          "grade": "pass",
          "detail": "No key is expired or expiring within 14 days.",
          "authority": "linter-opinion",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "response_signature",
          "grade": "pass",
          "detail": "The directory response carries an HTTP-message signature.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_keyid_thumbprint",
          "grade": "pass",
          "detail": "The signature key ID is the RFC 7638 thumbprint (fingerprint) of a key advertised in this directory.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_tag",
          "grade": "pass",
          "detail": "The signature tag is \"http-message-signatures-directory\".",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_verified",
          "grade": "pass",
          "detail": "The directory-response signature is cryptographically valid (Ed25519).",
          "authority": "verifier-requirement",
          "specRef": "RFC 9421 §3.2"
        },
        {
          "check": "private_key_material",
          "grade": "pass",
          "detail": "No private key material is exposed (public keys only).",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        }
      ],
      "keys": [
        {
          "kid": null,
          "crv": "Ed25519",
          "kty": "OKP",
          "daysToExpiry": null,
          "thumbprintMatches": false
        }
      ]
    },
    {
      "slug": "cartai-agentic-commerce-as-a-service",
      "name": "CartAI Agentic Commerce as a Service",
      "operator": "CartAI",
      "kind": "AGENT",
      "category": "OTHER",
      "signatureAgentUrl": "https://cartai.us/.well-known/http-message-signatures-directory",
      "fetchOk": true,
      "httpStatus": 200,
      "attempts": 1,
      "transientErrors": [],
      "grade": "pass",
      "warnCount": 0,
      "failCount": 0,
      "findings": [
        {
          "check": "https",
          "grade": "pass",
          "detail": "Served over HTTPS.",
          "authority": "verifier-requirement"
        },
        {
          "check": "reachable",
          "grade": "pass",
          "detail": "Returned HTTP 200.",
          "authority": "verifier-requirement"
        },
        {
          "check": "not_redirected",
          "grade": "pass",
          "detail": "Served directly, no redirect.",
          "authority": "linter-opinion"
        },
        {
          "check": "well_known_path",
          "grade": "pass",
          "detail": "Served at the well-known path /.well-known/http-message-signatures-directory.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §7.1"
        },
        {
          "check": "content_type",
          "grade": "pass",
          "detail": "Content-Type is application/http-message-signatures-directory+json.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5"
        },
        {
          "check": "json_parse",
          "grade": "pass",
          "detail": "Body is valid JSON.",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "keys_present",
          "grade": "pass",
          "detail": "Directory publishes 1 key(s).",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "kty_okp",
          "grade": "pass",
          "detail": "All keys use key type \"OKP\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "crv_ed25519",
          "grade": "pass",
          "detail": "All keys use curve \"Ed25519\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "x_valid",
          "grade": "pass",
          "detail": "All public keys are valid 32-byte Ed25519 values.",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        },
        {
          "check": "thumbprint_kid",
          "grade": "pass",
          "detail": "All key IDs match their RFC 7638 thumbprint (a fingerprint of the key).",
          "authority": "linter-opinion",
          "specRef": "RFC 7638"
        },
        {
          "check": "unique_kids",
          "grade": "pass",
          "detail": "All key IDs are distinct.",
          "authority": "spec-should",
          "specRef": "RFC 7517 §4.5"
        },
        {
          "check": "cache_control",
          "grade": "pass",
          "detail": "Cache-Control is set (max-age=150).",
          "authority": "linter-opinion"
        },
        {
          "check": "nbf_hygiene",
          "grade": "pass",
          "detail": "No key has a future not-before time.",
          "authority": "spec-should",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "exp_hygiene",
          "grade": "pass",
          "detail": "No key is expired or expiring within 14 days.",
          "authority": "linter-opinion",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "response_signature",
          "grade": "pass",
          "detail": "The directory response carries an HTTP-message signature.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_keyid_thumbprint",
          "grade": "pass",
          "detail": "The signature key ID is the RFC 7638 thumbprint (fingerprint) of a key advertised in this directory.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_tag",
          "grade": "pass",
          "detail": "The signature tag is \"http-message-signatures-directory\".",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_verified",
          "grade": "pass",
          "detail": "The directory-response signature is cryptographically valid (Ed25519).",
          "authority": "verifier-requirement",
          "specRef": "RFC 9421 §3.2"
        },
        {
          "check": "private_key_material",
          "grade": "pass",
          "detail": "No private key material is exposed (public keys only).",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        }
      ],
      "keys": [
        {
          "kid": "JLLdCcE15G0jrMRXEl9gPHkC0MMRlF9WXPY8bcubmu4",
          "crv": "Ed25519",
          "kty": "OKP",
          "daysToExpiry": 143,
          "thumbprintMatches": true
        }
      ]
    },
    {
      "slug": "channel3bot",
      "name": "Channel3Bot",
      "operator": "Channel3",
      "kind": "BOT",
      "category": "AGGREGATOR",
      "signatureAgentUrl": "https://bot.trychannel3.com/.well-known/http-message-signatures-directory",
      "fetchOk": true,
      "httpStatus": 200,
      "attempts": 1,
      "transientErrors": [],
      "grade": "pass",
      "warnCount": 0,
      "failCount": 0,
      "findings": [
        {
          "check": "https",
          "grade": "pass",
          "detail": "Served over HTTPS.",
          "authority": "verifier-requirement"
        },
        {
          "check": "reachable",
          "grade": "pass",
          "detail": "Returned HTTP 200.",
          "authority": "verifier-requirement"
        },
        {
          "check": "not_redirected",
          "grade": "pass",
          "detail": "Served directly, no redirect.",
          "authority": "linter-opinion"
        },
        {
          "check": "well_known_path",
          "grade": "pass",
          "detail": "Served at the well-known path /.well-known/http-message-signatures-directory.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §7.1"
        },
        {
          "check": "content_type",
          "grade": "pass",
          "detail": "Content-Type is application/http-message-signatures-directory+json.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5"
        },
        {
          "check": "json_parse",
          "grade": "pass",
          "detail": "Body is valid JSON.",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "keys_present",
          "grade": "pass",
          "detail": "Directory publishes 1 key(s).",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "kty_okp",
          "grade": "pass",
          "detail": "All keys use key type \"OKP\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "crv_ed25519",
          "grade": "pass",
          "detail": "All keys use curve \"Ed25519\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "x_valid",
          "grade": "pass",
          "detail": "All public keys are valid 32-byte Ed25519 values.",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        },
        {
          "check": "thumbprint_kid",
          "grade": "pass",
          "detail": "All key IDs match their RFC 7638 thumbprint (a fingerprint of the key).",
          "authority": "linter-opinion",
          "specRef": "RFC 7638"
        },
        {
          "check": "unique_kids",
          "grade": "pass",
          "detail": "All key IDs are distinct.",
          "authority": "spec-should",
          "specRef": "RFC 7517 §4.5"
        },
        {
          "check": "cache_control",
          "grade": "pass",
          "detail": "Cache-Control is set (max-age=86400).",
          "authority": "linter-opinion"
        },
        {
          "check": "nbf_hygiene",
          "grade": "pass",
          "detail": "No key has a future not-before time.",
          "authority": "spec-should",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "exp_hygiene",
          "grade": "pass",
          "detail": "No key is expired or expiring within 14 days.",
          "authority": "linter-opinion",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "response_signature",
          "grade": "pass",
          "detail": "The directory response carries an HTTP-message signature.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_keyid_thumbprint",
          "grade": "pass",
          "detail": "The signature key ID is the RFC 7638 thumbprint (fingerprint) of a key advertised in this directory.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_tag",
          "grade": "pass",
          "detail": "The signature tag is \"http-message-signatures-directory\".",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_verified",
          "grade": "pass",
          "detail": "The directory-response signature is cryptographically valid (Ed25519).",
          "authority": "verifier-requirement",
          "specRef": "RFC 9421 §3.2"
        },
        {
          "check": "private_key_material",
          "grade": "pass",
          "detail": "No private key material is exposed (public keys only).",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        }
      ],
      "keys": [
        {
          "kid": "N5WFufhphg6NMi9fmvhQXjD4lf8HyxplJWArtOxsgLA",
          "crv": "Ed25519",
          "kty": "OKP",
          "daysToExpiry": null,
          "thumbprintMatches": true
        }
      ]
    },
    {
      "slug": "chatgpt-agent",
      "name": "ChatGPT agent",
      "operator": "OpenAI",
      "kind": "AGENT",
      "category": "AI_ASSISTANT",
      "signatureAgentUrl": "https://chatgpt.com/.well-known/http-message-signatures-directory",
      "fetchOk": true,
      "httpStatus": 200,
      "attempts": 1,
      "transientErrors": [],
      "grade": "pass_warn",
      "warnCount": 3,
      "failCount": 0,
      "findings": [
        {
          "check": "https",
          "grade": "pass",
          "detail": "Served over HTTPS.",
          "authority": "verifier-requirement"
        },
        {
          "check": "reachable",
          "grade": "pass",
          "detail": "Returned HTTP 200.",
          "authority": "verifier-requirement"
        },
        {
          "check": "not_redirected",
          "grade": "pass",
          "detail": "Served directly, no redirect.",
          "authority": "linter-opinion"
        },
        {
          "check": "well_known_path",
          "grade": "pass",
          "detail": "Served at the well-known path /.well-known/http-message-signatures-directory.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §7.1"
        },
        {
          "check": "content_type",
          "grade": "pass",
          "detail": "Content-Type is application/http-message-signatures-directory+json.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5"
        },
        {
          "check": "json_parse",
          "grade": "pass",
          "detail": "Body is valid JSON.",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "keys_present",
          "grade": "pass",
          "detail": "Directory publishes 1 key(s).",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "kty_okp",
          "grade": "pass",
          "detail": "All keys use key type \"OKP\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "crv_ed25519",
          "grade": "pass",
          "detail": "All keys use curve \"Ed25519\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "x_valid",
          "grade": "pass",
          "detail": "All public keys are valid 32-byte Ed25519 values.",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        },
        {
          "check": "thumbprint_kid",
          "grade": "pass",
          "detail": "All key IDs match their RFC 7638 thumbprint (a fingerprint of the key).",
          "authority": "linter-opinion",
          "specRef": "RFC 7638"
        },
        {
          "check": "unique_kids",
          "grade": "pass",
          "detail": "All key IDs are distinct.",
          "authority": "spec-should",
          "specRef": "RFC 7517 §4.5"
        },
        {
          "check": "cache_control",
          "grade": "warn",
          "detail": "No Cache-Control header. Add one so verifiers can cache the directory instead of refetching every time.",
          "authority": "linter-opinion"
        },
        {
          "check": "nbf_hygiene",
          "grade": "pass",
          "detail": "No key has a future not-before time.",
          "authority": "spec-should",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "exp_hygiene",
          "grade": "warn",
          "detail": "Key expires soon: otMqcjr17mGyruktGvJU8oojQTSMHlVm7uO-lrcqbdg (6 day(s)).",
          "authority": "linter-opinion",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "response_signature",
          "grade": "warn",
          "detail": "The directory response is not signed (no Signature header). Cloudflare, the dominant verifier, requires a signature on the directory response. Sign it, or an unsigned directory will be rejected.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "private_key_material",
          "grade": "pass",
          "detail": "No private key material is exposed (public keys only).",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        }
      ],
      "keys": [
        {
          "kid": "otMqcjr17mGyruktGvJU8oojQTSMHlVm7uO-lrcqbdg",
          "crv": "Ed25519",
          "kty": "OKP",
          "daysToExpiry": 6,
          "thumbprintMatches": true
        }
      ]
    },
    {
      "slug": "cledara-saas-management-agent",
      "name": "Cledara SaaS Management Agent",
      "operator": "Cledara",
      "kind": "AGENT",
      "category": "AI_ASSISTANT",
      "signatureAgentUrl": "https://gerard.cledara.ai/.well-known/http-message-signatures-directory/",
      "fetchOk": true,
      "httpStatus": 200,
      "attempts": 1,
      "transientErrors": [],
      "grade": "pass_warn",
      "warnCount": 1,
      "failCount": 0,
      "findings": [
        {
          "check": "https",
          "grade": "pass",
          "detail": "Served over HTTPS.",
          "authority": "verifier-requirement"
        },
        {
          "check": "reachable",
          "grade": "pass",
          "detail": "Returned HTTP 200.",
          "authority": "verifier-requirement"
        },
        {
          "check": "not_redirected",
          "grade": "warn",
          "detail": "The directory was reached via a redirect; it should be served directly at the well-known path.",
          "authority": "linter-opinion"
        },
        {
          "check": "well_known_path",
          "grade": "pass",
          "detail": "Served at the well-known path /.well-known/http-message-signatures-directory.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §7.1"
        },
        {
          "check": "content_type",
          "grade": "pass",
          "detail": "Content-Type is application/http-message-signatures-directory+json.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5"
        },
        {
          "check": "json_parse",
          "grade": "pass",
          "detail": "Body is valid JSON.",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "keys_present",
          "grade": "pass",
          "detail": "Directory publishes 1 key(s).",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "kty_okp",
          "grade": "pass",
          "detail": "All keys use key type \"OKP\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "crv_ed25519",
          "grade": "pass",
          "detail": "All keys use curve \"Ed25519\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "x_valid",
          "grade": "pass",
          "detail": "All public keys are valid 32-byte Ed25519 values.",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        },
        {
          "check": "thumbprint_kid",
          "grade": "pass",
          "detail": "All key IDs match their RFC 7638 thumbprint (a fingerprint of the key).",
          "authority": "linter-opinion",
          "specRef": "RFC 7638"
        },
        {
          "check": "unique_kids",
          "grade": "pass",
          "detail": "All key IDs are distinct.",
          "authority": "spec-should",
          "specRef": "RFC 7517 §4.5"
        },
        {
          "check": "cache_control",
          "grade": "pass",
          "detail": "Cache-Control is set (public, max-age=86400).",
          "authority": "linter-opinion"
        },
        {
          "check": "nbf_hygiene",
          "grade": "pass",
          "detail": "No key has a future not-before time.",
          "authority": "spec-should",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "exp_hygiene",
          "grade": "pass",
          "detail": "No key is expired or expiring within 14 days.",
          "authority": "linter-opinion",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "response_signature",
          "grade": "pass",
          "detail": "The directory response carries an HTTP-message signature.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_keyid_thumbprint",
          "grade": "pass",
          "detail": "The signature key ID is the RFC 7638 thumbprint (fingerprint) of a key advertised in this directory.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_tag",
          "grade": "pass",
          "detail": "The signature tag is \"http-message-signatures-directory\".",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_verified",
          "grade": "pass",
          "detail": "The directory-response signature is cryptographically valid (Ed25519).",
          "authority": "verifier-requirement",
          "specRef": "RFC 9421 §3.2"
        },
        {
          "check": "private_key_material",
          "grade": "pass",
          "detail": "No private key material is exposed (public keys only).",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        }
      ],
      "keys": [
        {
          "kid": "S1j_RrGXHaZLOKR1HoJfUbT6VYyrlin6tKVWd99R5z4",
          "crv": "Ed25519",
          "kty": "OKP",
          "daysToExpiry": null,
          "thumbprintMatches": true
        }
      ]
    },
    {
      "slug": "cloudflare-ai-search",
      "name": "AI Search",
      "operator": "Cloudflare",
      "kind": "BOT",
      "category": "AI_SEARCH",
      "signatureAgentUrl": "https://search.ai.cloudflare.com/.well-known/http-message-signatures-directory",
      "fetchOk": true,
      "httpStatus": 200,
      "attempts": 1,
      "transientErrors": [],
      "grade": "pass_warn",
      "warnCount": 1,
      "failCount": 0,
      "findings": [
        {
          "check": "https",
          "grade": "pass",
          "detail": "Served over HTTPS.",
          "authority": "verifier-requirement"
        },
        {
          "check": "reachable",
          "grade": "pass",
          "detail": "Returned HTTP 200.",
          "authority": "verifier-requirement"
        },
        {
          "check": "not_redirected",
          "grade": "pass",
          "detail": "Served directly, no redirect.",
          "authority": "linter-opinion"
        },
        {
          "check": "well_known_path",
          "grade": "pass",
          "detail": "Served at the well-known path /.well-known/http-message-signatures-directory.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §7.1"
        },
        {
          "check": "content_type",
          "grade": "pass",
          "detail": "Content-Type is application/http-message-signatures-directory+json.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5"
        },
        {
          "check": "json_parse",
          "grade": "pass",
          "detail": "Body is valid JSON.",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "keys_present",
          "grade": "pass",
          "detail": "Directory publishes 1 key(s).",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "kty_okp",
          "grade": "pass",
          "detail": "All keys use key type \"OKP\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "crv_ed25519",
          "grade": "pass",
          "detail": "All keys use curve \"Ed25519\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "x_valid",
          "grade": "pass",
          "detail": "All public keys are valid 32-byte Ed25519 values.",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        },
        {
          "check": "thumbprint_kid",
          "grade": "warn",
          "detail": "Key ID is not the RFC 7638 thumbprint of the key (a fingerprint some verifiers expect the kid to equal); still valid, some verifiers use opaque IDs: key #1.",
          "authority": "linter-opinion",
          "specRef": "RFC 7638"
        },
        {
          "check": "unique_kids",
          "grade": "pass",
          "detail": "All key IDs are distinct.",
          "authority": "spec-should",
          "specRef": "RFC 7517 §4.5"
        },
        {
          "check": "cache_control",
          "grade": "pass",
          "detail": "Cache-Control is set (max-age=86400).",
          "authority": "linter-opinion"
        },
        {
          "check": "nbf_hygiene",
          "grade": "pass",
          "detail": "No key has a future not-before time.",
          "authority": "spec-should",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "exp_hygiene",
          "grade": "pass",
          "detail": "No key is expired or expiring within 14 days.",
          "authority": "linter-opinion",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "response_signature",
          "grade": "pass",
          "detail": "The directory response carries an HTTP-message signature.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_keyid_thumbprint",
          "grade": "pass",
          "detail": "The signature key ID is the RFC 7638 thumbprint (fingerprint) of a key advertised in this directory.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_tag",
          "grade": "pass",
          "detail": "The signature tag is \"http-message-signatures-directory\".",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_verified",
          "grade": "pass",
          "detail": "The directory-response signature is cryptographically valid (Ed25519).",
          "authority": "verifier-requirement",
          "specRef": "RFC 9421 §3.2"
        },
        {
          "check": "private_key_material",
          "grade": "pass",
          "detail": "No private key material is exposed (public keys only).",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        }
      ],
      "keys": [
        {
          "kid": null,
          "crv": "Ed25519",
          "kty": "OKP",
          "daysToExpiry": null,
          "thumbprintMatches": false
        }
      ]
    },
    {
      "slug": "cloudflare-browser-rendering",
      "name": "Cloudflare Browser Run",
      "operator": "Cloudflare",
      "kind": "AGENT",
      "category": "AI_ASSISTANT",
      "signatureAgentUrl": "https://web-bot-auth.cloudflare-browser-rendering-085.workers.dev/.well-known/http-message-signatures-directory",
      "fetchOk": true,
      "httpStatus": 200,
      "attempts": 1,
      "transientErrors": [],
      "grade": "pass_warn",
      "warnCount": 1,
      "failCount": 0,
      "findings": [
        {
          "check": "https",
          "grade": "pass",
          "detail": "Served over HTTPS.",
          "authority": "verifier-requirement"
        },
        {
          "check": "reachable",
          "grade": "pass",
          "detail": "Returned HTTP 200.",
          "authority": "verifier-requirement"
        },
        {
          "check": "not_redirected",
          "grade": "pass",
          "detail": "Served directly, no redirect.",
          "authority": "linter-opinion"
        },
        {
          "check": "well_known_path",
          "grade": "pass",
          "detail": "Served at the well-known path /.well-known/http-message-signatures-directory.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §7.1"
        },
        {
          "check": "content_type",
          "grade": "pass",
          "detail": "Content-Type is application/http-message-signatures-directory+json.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5"
        },
        {
          "check": "json_parse",
          "grade": "pass",
          "detail": "Body is valid JSON.",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "keys_present",
          "grade": "pass",
          "detail": "Directory publishes 1 key(s).",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "kty_okp",
          "grade": "pass",
          "detail": "All keys use key type \"OKP\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "crv_ed25519",
          "grade": "pass",
          "detail": "All keys use curve \"Ed25519\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "x_valid",
          "grade": "pass",
          "detail": "All public keys are valid 32-byte Ed25519 values.",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        },
        {
          "check": "thumbprint_kid",
          "grade": "warn",
          "detail": "Key ID is not the RFC 7638 thumbprint of the key (a fingerprint some verifiers expect the kid to equal); still valid, some verifiers use opaque IDs: key #1.",
          "authority": "linter-opinion",
          "specRef": "RFC 7638"
        },
        {
          "check": "unique_kids",
          "grade": "pass",
          "detail": "All key IDs are distinct.",
          "authority": "spec-should",
          "specRef": "RFC 7517 §4.5"
        },
        {
          "check": "cache_control",
          "grade": "pass",
          "detail": "Cache-Control is set (max-age=86400).",
          "authority": "linter-opinion"
        },
        {
          "check": "nbf_hygiene",
          "grade": "pass",
          "detail": "No key has a future not-before time.",
          "authority": "spec-should",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "exp_hygiene",
          "grade": "pass",
          "detail": "No key is expired or expiring within 14 days.",
          "authority": "linter-opinion",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "response_signature",
          "grade": "pass",
          "detail": "The directory response carries an HTTP-message signature.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_keyid_thumbprint",
          "grade": "pass",
          "detail": "The signature key ID is the RFC 7638 thumbprint (fingerprint) of a key advertised in this directory.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_tag",
          "grade": "pass",
          "detail": "The signature tag is \"http-message-signatures-directory\".",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_verified",
          "grade": "pass",
          "detail": "The directory-response signature is cryptographically valid (Ed25519).",
          "authority": "verifier-requirement",
          "specRef": "RFC 9421 §3.2"
        },
        {
          "check": "private_key_material",
          "grade": "pass",
          "detail": "No private key material is exposed (public keys only).",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        }
      ],
      "keys": [
        {
          "kid": null,
          "crv": "Ed25519",
          "kty": "OKP",
          "daysToExpiry": null,
          "thumbprintMatches": false
        }
      ]
    },
    {
      "slug": "cloudflare-browser-rendering-crawler",
      "name": "Cloudflare Crawler",
      "operator": "Cloudflare",
      "kind": "AGENT",
      "category": "AI_CRAWLER",
      "signatureAgentUrl": "https://web-bot-auth-crawl.cloudflare-browser-rendering-085.workers.dev/.well-known/http-message-signatures-directory",
      "fetchOk": true,
      "httpStatus": 200,
      "attempts": 1,
      "transientErrors": [],
      "grade": "pass_warn",
      "warnCount": 1,
      "failCount": 0,
      "findings": [
        {
          "check": "https",
          "grade": "pass",
          "detail": "Served over HTTPS.",
          "authority": "verifier-requirement"
        },
        {
          "check": "reachable",
          "grade": "pass",
          "detail": "Returned HTTP 200.",
          "authority": "verifier-requirement"
        },
        {
          "check": "not_redirected",
          "grade": "pass",
          "detail": "Served directly, no redirect.",
          "authority": "linter-opinion"
        },
        {
          "check": "well_known_path",
          "grade": "pass",
          "detail": "Served at the well-known path /.well-known/http-message-signatures-directory.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §7.1"
        },
        {
          "check": "content_type",
          "grade": "pass",
          "detail": "Content-Type is application/http-message-signatures-directory+json.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5"
        },
        {
          "check": "json_parse",
          "grade": "pass",
          "detail": "Body is valid JSON.",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "keys_present",
          "grade": "pass",
          "detail": "Directory publishes 1 key(s).",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "kty_okp",
          "grade": "pass",
          "detail": "All keys use key type \"OKP\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "crv_ed25519",
          "grade": "pass",
          "detail": "All keys use curve \"Ed25519\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "x_valid",
          "grade": "pass",
          "detail": "All public keys are valid 32-byte Ed25519 values.",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        },
        {
          "check": "thumbprint_kid",
          "grade": "warn",
          "detail": "Key ID is not the RFC 7638 thumbprint of the key (a fingerprint some verifiers expect the kid to equal); still valid, some verifiers use opaque IDs: key #1.",
          "authority": "linter-opinion",
          "specRef": "RFC 7638"
        },
        {
          "check": "unique_kids",
          "grade": "pass",
          "detail": "All key IDs are distinct.",
          "authority": "spec-should",
          "specRef": "RFC 7517 §4.5"
        },
        {
          "check": "cache_control",
          "grade": "pass",
          "detail": "Cache-Control is set (max-age=86400).",
          "authority": "linter-opinion"
        },
        {
          "check": "nbf_hygiene",
          "grade": "pass",
          "detail": "No key has a future not-before time.",
          "authority": "spec-should",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "exp_hygiene",
          "grade": "pass",
          "detail": "No key is expired or expiring within 14 days.",
          "authority": "linter-opinion",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "response_signature",
          "grade": "pass",
          "detail": "The directory response carries an HTTP-message signature.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_keyid_thumbprint",
          "grade": "pass",
          "detail": "The signature key ID is the RFC 7638 thumbprint (fingerprint) of a key advertised in this directory.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_tag",
          "grade": "pass",
          "detail": "The signature tag is \"http-message-signatures-directory\".",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_verified",
          "grade": "pass",
          "detail": "The directory-response signature is cryptographically valid (Ed25519).",
          "authority": "verifier-requirement",
          "specRef": "RFC 9421 §3.2"
        },
        {
          "check": "private_key_material",
          "grade": "pass",
          "detail": "No private key material is exposed (public keys only).",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        }
      ],
      "keys": [
        {
          "kid": null,
          "crv": "Ed25519",
          "kty": "OKP",
          "daysToExpiry": null,
          "thumbprintMatches": false
        }
      ]
    },
    {
      "slug": "cloudflare-customerslo-prober",
      "name": "Cloudflare CustomerSLO Prober (Staging)",
      "operator": "Cloudflare",
      "kind": "BOT",
      "category": "MONITORING_AND_ANALYTICS",
      "signatureAgentUrl": "https://bot-auth-worker-staging.product-sre.workers.dev/.well-known/http-message-signatures-directory",
      "fetchOk": true,
      "httpStatus": 200,
      "attempts": 1,
      "transientErrors": [],
      "grade": "pass_warn",
      "warnCount": 1,
      "failCount": 0,
      "findings": [
        {
          "check": "https",
          "grade": "pass",
          "detail": "Served over HTTPS.",
          "authority": "verifier-requirement"
        },
        {
          "check": "reachable",
          "grade": "pass",
          "detail": "Returned HTTP 200.",
          "authority": "verifier-requirement"
        },
        {
          "check": "not_redirected",
          "grade": "pass",
          "detail": "Served directly, no redirect.",
          "authority": "linter-opinion"
        },
        {
          "check": "well_known_path",
          "grade": "pass",
          "detail": "Served at the well-known path /.well-known/http-message-signatures-directory.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §7.1"
        },
        {
          "check": "content_type",
          "grade": "pass",
          "detail": "Content-Type is application/http-message-signatures-directory+json.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5"
        },
        {
          "check": "json_parse",
          "grade": "pass",
          "detail": "Body is valid JSON.",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "keys_present",
          "grade": "pass",
          "detail": "Directory publishes 1 key(s).",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "kty_okp",
          "grade": "pass",
          "detail": "All keys use key type \"OKP\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "crv_ed25519",
          "grade": "pass",
          "detail": "All keys use curve \"Ed25519\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "x_valid",
          "grade": "pass",
          "detail": "All public keys are valid 32-byte Ed25519 values.",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        },
        {
          "check": "thumbprint_kid",
          "grade": "pass",
          "detail": "All key IDs match their RFC 7638 thumbprint (a fingerprint of the key).",
          "authority": "linter-opinion",
          "specRef": "RFC 7638"
        },
        {
          "check": "unique_kids",
          "grade": "pass",
          "detail": "All key IDs are distinct.",
          "authority": "spec-should",
          "specRef": "RFC 7517 §4.5"
        },
        {
          "check": "cache_control",
          "grade": "warn",
          "detail": "Cache-Control \"no-store\" prevents caching. Drop no-store/no-cache so verifiers can cache the directory.",
          "authority": "linter-opinion"
        },
        {
          "check": "nbf_hygiene",
          "grade": "pass",
          "detail": "No key has a future not-before time.",
          "authority": "spec-should",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "exp_hygiene",
          "grade": "pass",
          "detail": "No key is expired or expiring within 14 days.",
          "authority": "linter-opinion",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "response_signature",
          "grade": "pass",
          "detail": "The directory response carries an HTTP-message signature.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_keyid_thumbprint",
          "grade": "pass",
          "detail": "The signature key ID is the RFC 7638 thumbprint (fingerprint) of a key advertised in this directory.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_tag",
          "grade": "pass",
          "detail": "The signature tag is \"http-message-signatures-directory\".",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_verified",
          "grade": "pass",
          "detail": "The directory-response signature is cryptographically valid (Ed25519).",
          "authority": "verifier-requirement",
          "specRef": "RFC 9421 §3.2"
        },
        {
          "check": "private_key_material",
          "grade": "pass",
          "detail": "No private key material is exposed (public keys only).",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        }
      ],
      "keys": [
        {
          "kid": "XDj4xR4EBJ9RrM9TtXSD1uNVPsbuf8Guk4cPpsmHuOo",
          "crv": "Ed25519",
          "kty": "OKP",
          "daysToExpiry": null,
          "thumbprintMatches": true
        }
      ]
    },
    {
      "slug": "cloudflare-customerslo-prober-2",
      "name": "Cloudflare CustomerSLO Prober",
      "operator": "Cloudflare",
      "kind": "BOT",
      "category": "MONITORING_AND_ANALYTICS",
      "signatureAgentUrl": "https://bot-auth-worker.product-sre.workers.dev/.well-known/http-message-signatures-directory",
      "fetchOk": true,
      "httpStatus": 200,
      "attempts": 1,
      "transientErrors": [],
      "grade": "pass_warn",
      "warnCount": 1,
      "failCount": 0,
      "findings": [
        {
          "check": "https",
          "grade": "pass",
          "detail": "Served over HTTPS.",
          "authority": "verifier-requirement"
        },
        {
          "check": "reachable",
          "grade": "pass",
          "detail": "Returned HTTP 200.",
          "authority": "verifier-requirement"
        },
        {
          "check": "not_redirected",
          "grade": "pass",
          "detail": "Served directly, no redirect.",
          "authority": "linter-opinion"
        },
        {
          "check": "well_known_path",
          "grade": "pass",
          "detail": "Served at the well-known path /.well-known/http-message-signatures-directory.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §7.1"
        },
        {
          "check": "content_type",
          "grade": "pass",
          "detail": "Content-Type is application/http-message-signatures-directory+json.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5"
        },
        {
          "check": "json_parse",
          "grade": "pass",
          "detail": "Body is valid JSON.",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "keys_present",
          "grade": "pass",
          "detail": "Directory publishes 1 key(s).",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "kty_okp",
          "grade": "pass",
          "detail": "All keys use key type \"OKP\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "crv_ed25519",
          "grade": "pass",
          "detail": "All keys use curve \"Ed25519\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "x_valid",
          "grade": "pass",
          "detail": "All public keys are valid 32-byte Ed25519 values.",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        },
        {
          "check": "thumbprint_kid",
          "grade": "pass",
          "detail": "All key IDs match their RFC 7638 thumbprint (a fingerprint of the key).",
          "authority": "linter-opinion",
          "specRef": "RFC 7638"
        },
        {
          "check": "unique_kids",
          "grade": "pass",
          "detail": "All key IDs are distinct.",
          "authority": "spec-should",
          "specRef": "RFC 7517 §4.5"
        },
        {
          "check": "cache_control",
          "grade": "warn",
          "detail": "Cache-Control \"no-store\" prevents caching. Drop no-store/no-cache so verifiers can cache the directory.",
          "authority": "linter-opinion"
        },
        {
          "check": "nbf_hygiene",
          "grade": "pass",
          "detail": "No key has a future not-before time.",
          "authority": "spec-should",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "exp_hygiene",
          "grade": "pass",
          "detail": "No key is expired or expiring within 14 days.",
          "authority": "linter-opinion",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "response_signature",
          "grade": "pass",
          "detail": "The directory response carries an HTTP-message signature.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_keyid_thumbprint",
          "grade": "pass",
          "detail": "The signature key ID is the RFC 7638 thumbprint (fingerprint) of a key advertised in this directory.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_tag",
          "grade": "pass",
          "detail": "The signature tag is \"http-message-signatures-directory\".",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_verified",
          "grade": "pass",
          "detail": "The directory-response signature is cryptographically valid (Ed25519).",
          "authority": "verifier-requirement",
          "specRef": "RFC 9421 §3.2"
        },
        {
          "check": "private_key_material",
          "grade": "pass",
          "detail": "No private key material is exposed (public keys only).",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        }
      ],
      "keys": [
        {
          "kid": "2xx8ljYkjOyRzUmxTx9F9mpIVbB6QXNCPZYMMv9h3y4",
          "crv": "Ed25519",
          "kty": "OKP",
          "daysToExpiry": null,
          "thumbprintMatches": true
        }
      ]
    },
    {
      "slug": "cloudflare-radar-url-scanner",
      "name": "Cloudflare Radar URL Scanner",
      "operator": "Cloudflare",
      "kind": "BOT",
      "category": "SECURITY",
      "signatureAgentUrl": "https://web-bot-auth-directory.radar-cfdata-org.workers.dev/.well-known/http-message-signatures-directory",
      "fetchOk": true,
      "httpStatus": 404,
      "attempts": 1,
      "transientErrors": [],
      "grade": "fail",
      "warnCount": 1,
      "failCount": 2,
      "findings": [
        {
          "check": "https",
          "grade": "pass",
          "detail": "Served over HTTPS.",
          "authority": "verifier-requirement"
        },
        {
          "check": "reachable",
          "grade": "fail",
          "detail": "Returned HTTP 404, not 200.",
          "authority": "verifier-requirement"
        },
        {
          "check": "not_redirected",
          "grade": "pass",
          "detail": "Served directly, no redirect.",
          "authority": "linter-opinion"
        },
        {
          "check": "well_known_path",
          "grade": "pass",
          "detail": "Served at the well-known path /.well-known/http-message-signatures-directory.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §7.1"
        },
        {
          "check": "content_type",
          "grade": "warn",
          "detail": "The directory draft requires (MUST) Content-Type application/http-message-signatures-directory+json; served as application/problem+json.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5"
        },
        {
          "check": "json_parse",
          "grade": "pass",
          "detail": "Body is valid JSON.",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "keys_present",
          "grade": "fail",
          "detail": "The directory has no `keys` array.",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        }
      ],
      "keys": []
    },
    {
      "slug": "cloudflare-web-scanner",
      "name": "Cloudflare Web Scanner",
      "operator": "Cloudflare",
      "kind": "BOT",
      "category": "SEARCH_ENGINE_CRAWLER",
      "signatureAgentUrl": "https://d7c111cd-310f-45a1-bf94-1d7619c74a04.wba-bots.ai-audit.cfdata.org/.well-known/http-message-signatures-directory",
      "fetchOk": true,
      "httpStatus": 200,
      "attempts": 1,
      "transientErrors": [],
      "grade": "pass",
      "warnCount": 0,
      "failCount": 0,
      "findings": [
        {
          "check": "https",
          "grade": "pass",
          "detail": "Served over HTTPS.",
          "authority": "verifier-requirement"
        },
        {
          "check": "reachable",
          "grade": "pass",
          "detail": "Returned HTTP 200.",
          "authority": "verifier-requirement"
        },
        {
          "check": "not_redirected",
          "grade": "pass",
          "detail": "Served directly, no redirect.",
          "authority": "linter-opinion"
        },
        {
          "check": "well_known_path",
          "grade": "pass",
          "detail": "Served at the well-known path /.well-known/http-message-signatures-directory.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §7.1"
        },
        {
          "check": "content_type",
          "grade": "pass",
          "detail": "Content-Type is application/http-message-signatures-directory+json.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5"
        },
        {
          "check": "json_parse",
          "grade": "pass",
          "detail": "Body is valid JSON.",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "keys_present",
          "grade": "pass",
          "detail": "Directory publishes 1 key(s).",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "kty_okp",
          "grade": "pass",
          "detail": "All keys use key type \"OKP\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "crv_ed25519",
          "grade": "pass",
          "detail": "All keys use curve \"Ed25519\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "x_valid",
          "grade": "pass",
          "detail": "All public keys are valid 32-byte Ed25519 values.",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        },
        {
          "check": "thumbprint_kid",
          "grade": "pass",
          "detail": "All key IDs match their RFC 7638 thumbprint (a fingerprint of the key).",
          "authority": "linter-opinion",
          "specRef": "RFC 7638"
        },
        {
          "check": "unique_kids",
          "grade": "pass",
          "detail": "All key IDs are distinct.",
          "authority": "spec-should",
          "specRef": "RFC 7517 §4.5"
        },
        {
          "check": "cache_control",
          "grade": "pass",
          "detail": "Cache-Control is set (public, max-age=3600).",
          "authority": "linter-opinion"
        },
        {
          "check": "nbf_hygiene",
          "grade": "pass",
          "detail": "No key has a future not-before time.",
          "authority": "spec-should",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "exp_hygiene",
          "grade": "pass",
          "detail": "No key is expired or expiring within 14 days.",
          "authority": "linter-opinion",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "response_signature",
          "grade": "pass",
          "detail": "The directory response carries an HTTP-message signature.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_keyid_thumbprint",
          "grade": "pass",
          "detail": "The signature key ID is the RFC 7638 thumbprint (fingerprint) of a key advertised in this directory.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_tag",
          "grade": "pass",
          "detail": "The signature tag is \"http-message-signatures-directory\".",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_verified",
          "grade": "pass",
          "detail": "The directory-response signature is cryptographically valid (Ed25519).",
          "authority": "verifier-requirement",
          "specRef": "RFC 9421 §3.2"
        },
        {
          "check": "private_key_material",
          "grade": "pass",
          "detail": "No private key material is exposed (public keys only).",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        }
      ],
      "keys": [
        {
          "kid": "6FX2t9BaDwQmAV6Yi3sTJ-DyDkmVWLPnuhtT69AG8W0",
          "crv": "Ed25519",
          "kty": "OKP",
          "daysToExpiry": null,
          "thumbprintMatches": true
        }
      ]
    },
    {
      "slug": "consentcheck",
      "name": "ConsentCheck Bot",
      "operator": "ConsentCheck",
      "kind": "BOT",
      "category": "SECURITY",
      "signatureAgentUrl": "https://consentcheck.site/.well-known/http-message-signatures-directory",
      "fetchOk": true,
      "httpStatus": 404,
      "attempts": 1,
      "transientErrors": [],
      "grade": "fail",
      "warnCount": 1,
      "failCount": 2,
      "findings": [
        {
          "check": "https",
          "grade": "pass",
          "detail": "Served over HTTPS.",
          "authority": "verifier-requirement"
        },
        {
          "check": "reachable",
          "grade": "fail",
          "detail": "Returned HTTP 404, not 200.",
          "authority": "verifier-requirement"
        },
        {
          "check": "not_redirected",
          "grade": "pass",
          "detail": "Served directly, no redirect.",
          "authority": "linter-opinion"
        },
        {
          "check": "well_known_path",
          "grade": "pass",
          "detail": "Served at the well-known path /.well-known/http-message-signatures-directory.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §7.1"
        },
        {
          "check": "content_type",
          "grade": "warn",
          "detail": "The directory draft requires (MUST) Content-Type application/http-message-signatures-directory+json; served as text/html.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5"
        },
        {
          "check": "json_parse",
          "grade": "fail",
          "detail": "The response body is not valid JSON.",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        }
      ],
      "keys": []
    },
    {
      "slug": "cybaa-bot",
      "name": "Cybaa Bot",
      "operator": null,
      "kind": "BOT",
      "category": "SECURITY",
      "signatureAgentUrl": "https://cybaa.io/.well-known/http-message-signatures-directory",
      "fetchOk": true,
      "httpStatus": 200,
      "attempts": 1,
      "transientErrors": [],
      "grade": "pass",
      "warnCount": 0,
      "failCount": 0,
      "findings": [
        {
          "check": "https",
          "grade": "pass",
          "detail": "Served over HTTPS.",
          "authority": "verifier-requirement"
        },
        {
          "check": "reachable",
          "grade": "pass",
          "detail": "Returned HTTP 200.",
          "authority": "verifier-requirement"
        },
        {
          "check": "not_redirected",
          "grade": "pass",
          "detail": "Served directly, no redirect.",
          "authority": "linter-opinion"
        },
        {
          "check": "well_known_path",
          "grade": "pass",
          "detail": "Served at the well-known path /.well-known/http-message-signatures-directory.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §7.1"
        },
        {
          "check": "content_type",
          "grade": "pass",
          "detail": "Content-Type is application/http-message-signatures-directory+json.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5"
        },
        {
          "check": "json_parse",
          "grade": "pass",
          "detail": "Body is valid JSON.",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "keys_present",
          "grade": "pass",
          "detail": "Directory publishes 1 key(s).",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "kty_okp",
          "grade": "pass",
          "detail": "All keys use key type \"OKP\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "crv_ed25519",
          "grade": "pass",
          "detail": "All keys use curve \"Ed25519\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "x_valid",
          "grade": "pass",
          "detail": "All public keys are valid 32-byte Ed25519 values.",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        },
        {
          "check": "thumbprint_kid",
          "grade": "pass",
          "detail": "All key IDs match their RFC 7638 thumbprint (a fingerprint of the key).",
          "authority": "linter-opinion",
          "specRef": "RFC 7638"
        },
        {
          "check": "unique_kids",
          "grade": "pass",
          "detail": "All key IDs are distinct.",
          "authority": "spec-should",
          "specRef": "RFC 7517 §4.5"
        },
        {
          "check": "cache_control",
          "grade": "pass",
          "detail": "Cache-Control is set (max-age=86400).",
          "authority": "linter-opinion"
        },
        {
          "check": "nbf_hygiene",
          "grade": "pass",
          "detail": "No key has a future not-before time.",
          "authority": "spec-should",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "exp_hygiene",
          "grade": "pass",
          "detail": "No key is expired or expiring within 14 days.",
          "authority": "linter-opinion",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "response_signature",
          "grade": "pass",
          "detail": "The directory response carries an HTTP-message signature.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_keyid_thumbprint",
          "grade": "pass",
          "detail": "The signature key ID is the RFC 7638 thumbprint (fingerprint) of a key advertised in this directory.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_tag",
          "grade": "pass",
          "detail": "The signature tag is \"http-message-signatures-directory\".",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_verified",
          "grade": "pass",
          "detail": "The directory-response signature is cryptographically valid (Ed25519).",
          "authority": "verifier-requirement",
          "specRef": "RFC 9421 §3.2"
        },
        {
          "check": "private_key_material",
          "grade": "pass",
          "detail": "No private key material is exposed (public keys only).",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        }
      ],
      "keys": [
        {
          "kid": "Nk3dlwIepZGCY8teO7tVqSrd686jSDcquLIC08Lyl6c",
          "crv": "Ed25519",
          "kty": "OKP",
          "daysToExpiry": null,
          "thumbprintMatches": true
        }
      ]
    },
    {
      "slug": "daric2",
      "name": "Daric2",
      "operator": "Cloudflare",
      "kind": "BOT",
      "category": "AI_CRAWLER",
      "signatureAgentUrl": "https://9ed846ee-31d6-4dc7-be9c-c57d769a68c8.wba-bots.ai-audit.cfdata.org/.well-known/http-message-signatures-directory",
      "fetchOk": true,
      "httpStatus": 200,
      "attempts": 1,
      "transientErrors": [],
      "grade": "pass",
      "warnCount": 0,
      "failCount": 0,
      "findings": [
        {
          "check": "https",
          "grade": "pass",
          "detail": "Served over HTTPS.",
          "authority": "verifier-requirement"
        },
        {
          "check": "reachable",
          "grade": "pass",
          "detail": "Returned HTTP 200.",
          "authority": "verifier-requirement"
        },
        {
          "check": "not_redirected",
          "grade": "pass",
          "detail": "Served directly, no redirect.",
          "authority": "linter-opinion"
        },
        {
          "check": "well_known_path",
          "grade": "pass",
          "detail": "Served at the well-known path /.well-known/http-message-signatures-directory.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §7.1"
        },
        {
          "check": "content_type",
          "grade": "pass",
          "detail": "Content-Type is application/http-message-signatures-directory+json.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5"
        },
        {
          "check": "json_parse",
          "grade": "pass",
          "detail": "Body is valid JSON.",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "keys_present",
          "grade": "pass",
          "detail": "Directory publishes 1 key(s).",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "kty_okp",
          "grade": "pass",
          "detail": "All keys use key type \"OKP\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "crv_ed25519",
          "grade": "pass",
          "detail": "All keys use curve \"Ed25519\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "x_valid",
          "grade": "pass",
          "detail": "All public keys are valid 32-byte Ed25519 values.",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        },
        {
          "check": "thumbprint_kid",
          "grade": "pass",
          "detail": "All key IDs match their RFC 7638 thumbprint (a fingerprint of the key).",
          "authority": "linter-opinion",
          "specRef": "RFC 7638"
        },
        {
          "check": "unique_kids",
          "grade": "pass",
          "detail": "All key IDs are distinct.",
          "authority": "spec-should",
          "specRef": "RFC 7517 §4.5"
        },
        {
          "check": "cache_control",
          "grade": "pass",
          "detail": "Cache-Control is set (public, max-age=3600).",
          "authority": "linter-opinion"
        },
        {
          "check": "nbf_hygiene",
          "grade": "pass",
          "detail": "No key has a future not-before time.",
          "authority": "spec-should",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "exp_hygiene",
          "grade": "pass",
          "detail": "No key is expired or expiring within 14 days.",
          "authority": "linter-opinion",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "response_signature",
          "grade": "pass",
          "detail": "The directory response carries an HTTP-message signature.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_keyid_thumbprint",
          "grade": "pass",
          "detail": "The signature key ID is the RFC 7638 thumbprint (fingerprint) of a key advertised in this directory.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_tag",
          "grade": "pass",
          "detail": "The signature tag is \"http-message-signatures-directory\".",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_verified",
          "grade": "pass",
          "detail": "The directory-response signature is cryptographically valid (Ed25519).",
          "authority": "verifier-requirement",
          "specRef": "RFC 9421 §3.2"
        },
        {
          "check": "private_key_material",
          "grade": "pass",
          "detail": "No private key material is exposed (public keys only).",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        }
      ],
      "keys": [
        {
          "kid": "hXHNCbkaiPjCX1v8BHg3WPflqfuYv9k1iDyzsw55Xck",
          "crv": "Ed25519",
          "kty": "OKP",
          "daysToExpiry": null,
          "thumbprintMatches": true
        }
      ]
    },
    {
      "slug": "daric3",
      "name": "Daric3",
      "operator": "Cloudflare",
      "kind": "BOT",
      "category": "AI_CRAWLER",
      "signatureAgentUrl": "https://fce34b5f-e942-453c-8203-efa46f63136e.wba-bots.ai-audit.cfdata.org/.well-known/http-message-signatures-directory",
      "fetchOk": true,
      "httpStatus": 200,
      "attempts": 1,
      "transientErrors": [],
      "grade": "pass",
      "warnCount": 0,
      "failCount": 0,
      "findings": [
        {
          "check": "https",
          "grade": "pass",
          "detail": "Served over HTTPS.",
          "authority": "verifier-requirement"
        },
        {
          "check": "reachable",
          "grade": "pass",
          "detail": "Returned HTTP 200.",
          "authority": "verifier-requirement"
        },
        {
          "check": "not_redirected",
          "grade": "pass",
          "detail": "Served directly, no redirect.",
          "authority": "linter-opinion"
        },
        {
          "check": "well_known_path",
          "grade": "pass",
          "detail": "Served at the well-known path /.well-known/http-message-signatures-directory.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §7.1"
        },
        {
          "check": "content_type",
          "grade": "pass",
          "detail": "Content-Type is application/http-message-signatures-directory+json.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5"
        },
        {
          "check": "json_parse",
          "grade": "pass",
          "detail": "Body is valid JSON.",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "keys_present",
          "grade": "pass",
          "detail": "Directory publishes 1 key(s).",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "kty_okp",
          "grade": "pass",
          "detail": "All keys use key type \"OKP\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "crv_ed25519",
          "grade": "pass",
          "detail": "All keys use curve \"Ed25519\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "x_valid",
          "grade": "pass",
          "detail": "All public keys are valid 32-byte Ed25519 values.",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        },
        {
          "check": "thumbprint_kid",
          "grade": "pass",
          "detail": "All key IDs match their RFC 7638 thumbprint (a fingerprint of the key).",
          "authority": "linter-opinion",
          "specRef": "RFC 7638"
        },
        {
          "check": "unique_kids",
          "grade": "pass",
          "detail": "All key IDs are distinct.",
          "authority": "spec-should",
          "specRef": "RFC 7517 §4.5"
        },
        {
          "check": "cache_control",
          "grade": "pass",
          "detail": "Cache-Control is set (public, max-age=3600).",
          "authority": "linter-opinion"
        },
        {
          "check": "nbf_hygiene",
          "grade": "pass",
          "detail": "No key has a future not-before time.",
          "authority": "spec-should",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "exp_hygiene",
          "grade": "pass",
          "detail": "No key is expired or expiring within 14 days.",
          "authority": "linter-opinion",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "response_signature",
          "grade": "pass",
          "detail": "The directory response carries an HTTP-message signature.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_keyid_thumbprint",
          "grade": "pass",
          "detail": "The signature key ID is the RFC 7638 thumbprint (fingerprint) of a key advertised in this directory.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_tag",
          "grade": "pass",
          "detail": "The signature tag is \"http-message-signatures-directory\".",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_verified",
          "grade": "pass",
          "detail": "The directory-response signature is cryptographically valid (Ed25519).",
          "authority": "verifier-requirement",
          "specRef": "RFC 9421 §3.2"
        },
        {
          "check": "private_key_material",
          "grade": "pass",
          "detail": "No private key material is exposed (public keys only).",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        }
      ],
      "keys": [
        {
          "kid": "3-fK-8m5nysbc9ouiriwHrGw4lPYE-hVAvAuAUIToT0",
          "crv": "Ed25519",
          "kty": "OKP",
          "daysToExpiry": null,
          "thumbprintMatches": true
        }
      ]
    },
    {
      "slug": "daric4",
      "name": "Daric4",
      "operator": "Cloudflare",
      "kind": "BOT",
      "category": "AI_CRAWLER",
      "signatureAgentUrl": "https://9183a4a8-5a53-4cb3-8d59-16ae94b9f950.wba-bots.ai-audit.cfdata.org/.well-known/http-message-signatures-directory",
      "fetchOk": true,
      "httpStatus": 200,
      "attempts": 1,
      "transientErrors": [],
      "grade": "pass",
      "warnCount": 0,
      "failCount": 0,
      "findings": [
        {
          "check": "https",
          "grade": "pass",
          "detail": "Served over HTTPS.",
          "authority": "verifier-requirement"
        },
        {
          "check": "reachable",
          "grade": "pass",
          "detail": "Returned HTTP 200.",
          "authority": "verifier-requirement"
        },
        {
          "check": "not_redirected",
          "grade": "pass",
          "detail": "Served directly, no redirect.",
          "authority": "linter-opinion"
        },
        {
          "check": "well_known_path",
          "grade": "pass",
          "detail": "Served at the well-known path /.well-known/http-message-signatures-directory.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §7.1"
        },
        {
          "check": "content_type",
          "grade": "pass",
          "detail": "Content-Type is application/http-message-signatures-directory+json.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5"
        },
        {
          "check": "json_parse",
          "grade": "pass",
          "detail": "Body is valid JSON.",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "keys_present",
          "grade": "pass",
          "detail": "Directory publishes 4 key(s).",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "kty_okp",
          "grade": "pass",
          "detail": "All keys use key type \"OKP\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "crv_ed25519",
          "grade": "pass",
          "detail": "All keys use curve \"Ed25519\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "x_valid",
          "grade": "pass",
          "detail": "All public keys are valid 32-byte Ed25519 values.",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        },
        {
          "check": "thumbprint_kid",
          "grade": "pass",
          "detail": "All key IDs match their RFC 7638 thumbprint (a fingerprint of the key).",
          "authority": "linter-opinion",
          "specRef": "RFC 7638"
        },
        {
          "check": "unique_kids",
          "grade": "pass",
          "detail": "All key IDs are distinct.",
          "authority": "spec-should",
          "specRef": "RFC 7517 §4.5"
        },
        {
          "check": "cache_control",
          "grade": "pass",
          "detail": "Cache-Control is set (public, max-age=3600).",
          "authority": "linter-opinion"
        },
        {
          "check": "nbf_hygiene",
          "grade": "pass",
          "detail": "No key has a future not-before time.",
          "authority": "spec-should",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "exp_hygiene",
          "grade": "pass",
          "detail": "No key is expired or expiring within 14 days.",
          "authority": "linter-opinion",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "response_signature",
          "grade": "pass",
          "detail": "The directory response carries an HTTP-message signature.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_keyid_thumbprint",
          "grade": "pass",
          "detail": "The signature key ID is the RFC 7638 thumbprint (fingerprint) of a key advertised in this directory.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_tag",
          "grade": "pass",
          "detail": "The signature tag is \"http-message-signatures-directory\".",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_verified",
          "grade": "pass",
          "detail": "The directory-response signature is cryptographically valid (Ed25519).",
          "authority": "verifier-requirement",
          "specRef": "RFC 9421 §3.2"
        },
        {
          "check": "private_key_material",
          "grade": "pass",
          "detail": "No private key material is exposed (public keys only).",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        }
      ],
      "keys": [
        {
          "kid": "LfC8vGUKgwhB38MngPVa1e6_kiDMi9EHVdaB8UsPx50",
          "crv": "Ed25519",
          "kty": "OKP",
          "daysToExpiry": null,
          "thumbprintMatches": true
        },
        {
          "kid": "AvP03CkiG2Js4wVQISdNqFgz4iYMcdTwBA8CaDOalMs",
          "crv": "Ed25519",
          "kty": "OKP",
          "daysToExpiry": null,
          "thumbprintMatches": true
        },
        {
          "kid": "NtnM9snP9whB2DBsByRs8P5YnO8yAEt9GaKoXAI1gtM",
          "crv": "Ed25519",
          "kty": "OKP",
          "daysToExpiry": null,
          "thumbprintMatches": true
        },
        {
          "kid": "yZ1WimZ5j9PiQxaWFK5geEbYhR6sPydaCMZtlqNv3lU",
          "crv": "Ed25519",
          "kty": "OKP",
          "daysToExpiry": null,
          "thumbprintMatches": true
        }
      ]
    },
    {
      "slug": "dnsnifferbot",
      "name": "DNSnifferBot",
      "operator": "DNSniffer",
      "kind": "BOT",
      "category": "SECURITY",
      "signatureAgentUrl": "https://dnsniffer.com/.well-known/http-message-signatures-directory",
      "fetchOk": true,
      "httpStatus": 200,
      "attempts": 1,
      "transientErrors": [],
      "grade": "fail",
      "warnCount": 2,
      "failCount": 1,
      "findings": [
        {
          "check": "https",
          "grade": "pass",
          "detail": "Served over HTTPS.",
          "authority": "verifier-requirement"
        },
        {
          "check": "reachable",
          "grade": "pass",
          "detail": "Returned HTTP 200.",
          "authority": "verifier-requirement"
        },
        {
          "check": "not_redirected",
          "grade": "pass",
          "detail": "Served directly, no redirect.",
          "authority": "linter-opinion"
        },
        {
          "check": "well_known_path",
          "grade": "pass",
          "detail": "Served at the well-known path /.well-known/http-message-signatures-directory.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §7.1"
        },
        {
          "check": "content_type",
          "grade": "pass",
          "detail": "Content-Type is application/http-message-signatures-directory+json.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5"
        },
        {
          "check": "json_parse",
          "grade": "pass",
          "detail": "Body is valid JSON.",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "keys_present",
          "grade": "pass",
          "detail": "Directory publishes 1 key(s).",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "kty_okp",
          "grade": "pass",
          "detail": "All keys use key type \"OKP\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "crv_ed25519",
          "grade": "pass",
          "detail": "All keys use curve \"Ed25519\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "x_valid",
          "grade": "fail",
          "detail": "No usable key in this directory — Invalid public-key value: key #1 (x is invalid bytes, expected 32).",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        },
        {
          "check": "thumbprint_kid",
          "grade": "warn",
          "detail": "Key ID is not the RFC 7638 thumbprint of the key (a fingerprint some verifiers expect the kid to equal); still valid, some verifiers use opaque IDs: key #1.",
          "authority": "linter-opinion",
          "specRef": "RFC 7638"
        },
        {
          "check": "unique_kids",
          "grade": "pass",
          "detail": "All key IDs are distinct.",
          "authority": "spec-should",
          "specRef": "RFC 7517 §4.5"
        },
        {
          "check": "cache_control",
          "grade": "pass",
          "detail": "Cache-Control is set (max-age=86400).",
          "authority": "linter-opinion"
        },
        {
          "check": "nbf_hygiene",
          "grade": "pass",
          "detail": "No key has a future not-before time.",
          "authority": "spec-should",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "exp_hygiene",
          "grade": "pass",
          "detail": "No key is expired or expiring within 14 days.",
          "authority": "linter-opinion",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "response_signature",
          "grade": "pass",
          "detail": "The directory response carries an HTTP-message signature.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_verified",
          "grade": "warn",
          "detail": "The directory is signed, but its Signature-Input/Signature header could not be parsed, so the signature was not verified.",
          "authority": "verifier-requirement",
          "specRef": "RFC 9421 §3.2"
        },
        {
          "check": "private_key_material",
          "grade": "pass",
          "detail": "No private key material is exposed (public keys only).",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        }
      ],
      "keys": [
        {
          "kid": null,
          "crv": "Ed25519",
          "kty": "OKP",
          "daysToExpiry": null,
          "thumbprintMatches": false
        }
      ]
    },
    {
      "slug": "duckassistbot",
      "name": "DuckAssistbot",
      "operator": "DuckDuckGo",
      "kind": "BOT",
      "category": "AI_ASSISTANT",
      "signatureAgentUrl": "https://assistbot.duckduckgo.com/.well-known/http-message-signatures-directory",
      "fetchOk": true,
      "httpStatus": 200,
      "attempts": 1,
      "transientErrors": [],
      "grade": "pass",
      "warnCount": 0,
      "failCount": 0,
      "findings": [
        {
          "check": "https",
          "grade": "pass",
          "detail": "Served over HTTPS.",
          "authority": "verifier-requirement"
        },
        {
          "check": "reachable",
          "grade": "pass",
          "detail": "Returned HTTP 200.",
          "authority": "verifier-requirement"
        },
        {
          "check": "not_redirected",
          "grade": "pass",
          "detail": "Served directly, no redirect.",
          "authority": "linter-opinion"
        },
        {
          "check": "well_known_path",
          "grade": "pass",
          "detail": "Served at the well-known path /.well-known/http-message-signatures-directory.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §7.1"
        },
        {
          "check": "content_type",
          "grade": "pass",
          "detail": "Content-Type is application/http-message-signatures-directory+json.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5"
        },
        {
          "check": "json_parse",
          "grade": "pass",
          "detail": "Body is valid JSON.",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "keys_present",
          "grade": "pass",
          "detail": "Directory publishes 1 key(s).",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "kty_okp",
          "grade": "pass",
          "detail": "All keys use key type \"OKP\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "crv_ed25519",
          "grade": "pass",
          "detail": "All keys use curve \"Ed25519\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "x_valid",
          "grade": "pass",
          "detail": "All public keys are valid 32-byte Ed25519 values.",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        },
        {
          "check": "thumbprint_kid",
          "grade": "pass",
          "detail": "All key IDs match their RFC 7638 thumbprint (a fingerprint of the key).",
          "authority": "linter-opinion",
          "specRef": "RFC 7638"
        },
        {
          "check": "unique_kids",
          "grade": "pass",
          "detail": "All key IDs are distinct.",
          "authority": "spec-should",
          "specRef": "RFC 7517 §4.5"
        },
        {
          "check": "cache_control",
          "grade": "pass",
          "detail": "Cache-Control is set (max-age=86340).",
          "authority": "linter-opinion"
        },
        {
          "check": "nbf_hygiene",
          "grade": "pass",
          "detail": "No key has a future not-before time.",
          "authority": "spec-should",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "exp_hygiene",
          "grade": "pass",
          "detail": "No key is expired or expiring within 14 days.",
          "authority": "linter-opinion",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "response_signature",
          "grade": "pass",
          "detail": "The directory response carries an HTTP-message signature.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_keyid_thumbprint",
          "grade": "pass",
          "detail": "The signature key ID is the RFC 7638 thumbprint (fingerprint) of a key advertised in this directory.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_tag",
          "grade": "pass",
          "detail": "The signature tag is \"http-message-signatures-directory\".",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_verified",
          "grade": "pass",
          "detail": "The directory-response signature is cryptographically valid (Ed25519).",
          "authority": "verifier-requirement",
          "specRef": "RFC 9421 §3.2"
        },
        {
          "check": "private_key_material",
          "grade": "pass",
          "detail": "No private key material is exposed (public keys only).",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        }
      ],
      "keys": [
        {
          "kid": "Ov3HDsa8JQ39dPEYFvFFN-cUpnz9yNI8LDvr-5LeiBM",
          "crv": "Ed25519",
          "kty": "OKP",
          "daysToExpiry": null,
          "thumbprintMatches": true
        }
      ]
    },
    {
      "slug": "easyscan",
      "name": "EasyScan",
      "operator": "codire GmbH",
      "kind": "AGENT",
      "category": "AI_ASSISTANT",
      "signatureAgentUrl": "https://admin.itrk-easysafe.de/.well-known/http-message-signatures-directory",
      "fetchOk": true,
      "httpStatus": 200,
      "attempts": 1,
      "transientErrors": [],
      "grade": "pass",
      "warnCount": 0,
      "failCount": 0,
      "findings": [
        {
          "check": "https",
          "grade": "pass",
          "detail": "Served over HTTPS.",
          "authority": "verifier-requirement"
        },
        {
          "check": "reachable",
          "grade": "pass",
          "detail": "Returned HTTP 200.",
          "authority": "verifier-requirement"
        },
        {
          "check": "not_redirected",
          "grade": "pass",
          "detail": "Served directly, no redirect.",
          "authority": "linter-opinion"
        },
        {
          "check": "well_known_path",
          "grade": "pass",
          "detail": "Served at the well-known path /.well-known/http-message-signatures-directory.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §7.1"
        },
        {
          "check": "content_type",
          "grade": "pass",
          "detail": "Content-Type is application/http-message-signatures-directory+json.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5"
        },
        {
          "check": "json_parse",
          "grade": "pass",
          "detail": "Body is valid JSON.",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "keys_present",
          "grade": "pass",
          "detail": "Directory publishes 1 key(s).",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "kty_okp",
          "grade": "pass",
          "detail": "All keys use key type \"OKP\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "crv_ed25519",
          "grade": "pass",
          "detail": "All keys use curve \"Ed25519\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "x_valid",
          "grade": "pass",
          "detail": "All public keys are valid 32-byte Ed25519 values.",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        },
        {
          "check": "thumbprint_kid",
          "grade": "pass",
          "detail": "All key IDs match their RFC 7638 thumbprint (a fingerprint of the key).",
          "authority": "linter-opinion",
          "specRef": "RFC 7638"
        },
        {
          "check": "unique_kids",
          "grade": "pass",
          "detail": "All key IDs are distinct.",
          "authority": "spec-should",
          "specRef": "RFC 7517 §4.5"
        },
        {
          "check": "cache_control",
          "grade": "pass",
          "detail": "Cache-Control is set (max-age=86400).",
          "authority": "linter-opinion"
        },
        {
          "check": "nbf_hygiene",
          "grade": "pass",
          "detail": "No key has a future not-before time.",
          "authority": "spec-should",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "exp_hygiene",
          "grade": "pass",
          "detail": "No key is expired or expiring within 14 days.",
          "authority": "linter-opinion",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "response_signature",
          "grade": "pass",
          "detail": "The directory response carries an HTTP-message signature.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_keyid_thumbprint",
          "grade": "pass",
          "detail": "The signature key ID is the RFC 7638 thumbprint (fingerprint) of a key advertised in this directory.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_tag",
          "grade": "pass",
          "detail": "The signature tag is \"http-message-signatures-directory\".",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_verified",
          "grade": "pass",
          "detail": "The directory-response signature is cryptographically valid (Ed25519).",
          "authority": "verifier-requirement",
          "specRef": "RFC 9421 §3.2"
        },
        {
          "check": "private_key_material",
          "grade": "pass",
          "detail": "No private key material is exposed (public keys only).",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        }
      ],
      "keys": [
        {
          "kid": "blMPEeG2iPeMk_56OkO6bLj5HXvraX-4A6FKXaEvJdE",
          "crv": "Ed25519",
          "kty": "OKP",
          "daysToExpiry": null,
          "thumbprintMatches": true
        }
      ]
    },
    {
      "slug": "firmlyai-bot",
      "name": "FirmlyAI Bot",
      "operator": "Firmly",
      "kind": "BOT",
      "category": "AI_ASSISTANT",
      "signatureAgentUrl": "https://api.firmly.online/.well-known/http-message-signatures-directory",
      "fetchOk": true,
      "httpStatus": 200,
      "attempts": 1,
      "transientErrors": [],
      "grade": "pass_warn",
      "warnCount": 1,
      "failCount": 0,
      "findings": [
        {
          "check": "https",
          "grade": "pass",
          "detail": "Served over HTTPS.",
          "authority": "verifier-requirement"
        },
        {
          "check": "reachable",
          "grade": "pass",
          "detail": "Returned HTTP 200.",
          "authority": "verifier-requirement"
        },
        {
          "check": "not_redirected",
          "grade": "pass",
          "detail": "Served directly, no redirect.",
          "authority": "linter-opinion"
        },
        {
          "check": "well_known_path",
          "grade": "pass",
          "detail": "Served at the well-known path /.well-known/http-message-signatures-directory.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §7.1"
        },
        {
          "check": "content_type",
          "grade": "pass",
          "detail": "Content-Type is application/http-message-signatures-directory+json.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5"
        },
        {
          "check": "json_parse",
          "grade": "pass",
          "detail": "Body is valid JSON.",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "keys_present",
          "grade": "pass",
          "detail": "Directory publishes 1 key(s).",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "kty_okp",
          "grade": "pass",
          "detail": "All keys use key type \"OKP\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "crv_ed25519",
          "grade": "pass",
          "detail": "All keys use curve \"Ed25519\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "x_valid",
          "grade": "pass",
          "detail": "All public keys are valid 32-byte Ed25519 values.",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        },
        {
          "check": "thumbprint_kid",
          "grade": "pass",
          "detail": "All key IDs match their RFC 7638 thumbprint (a fingerprint of the key).",
          "authority": "linter-opinion",
          "specRef": "RFC 7638"
        },
        {
          "check": "unique_kids",
          "grade": "pass",
          "detail": "All key IDs are distinct.",
          "authority": "spec-should",
          "specRef": "RFC 7517 §4.5"
        },
        {
          "check": "cache_control",
          "grade": "pass",
          "detail": "Cache-Control is set (max-age=86400).",
          "authority": "linter-opinion"
        },
        {
          "check": "nbf_hygiene",
          "grade": "pass",
          "detail": "No key has a future not-before time.",
          "authority": "spec-should",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "exp_hygiene",
          "grade": "pass",
          "detail": "No key is expired or expiring within 14 days.",
          "authority": "linter-opinion",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "response_signature",
          "grade": "pass",
          "detail": "The directory response carries an HTTP-message signature.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_verified",
          "grade": "warn",
          "detail": "The directory is signed, but its Signature-Input/Signature header could not be parsed, so the signature was not verified.",
          "authority": "verifier-requirement",
          "specRef": "RFC 9421 §3.2"
        },
        {
          "check": "private_key_material",
          "grade": "pass",
          "detail": "No private key material is exposed (public keys only).",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        }
      ],
      "keys": [
        {
          "kid": "z5QNfiqQln9vi6bknBcrseX_7gJHfIBX4Mx_0C6ALQE",
          "crv": "Ed25519",
          "kty": "OKP",
          "daysToExpiry": null,
          "thumbprintMatches": true
        }
      ]
    },
    {
      "slug": "flowpane",
      "name": "Flowpane",
      "operator": "Flowpane Ltd",
      "kind": "BOT",
      "category": "MONITORING_AND_ANALYTICS",
      "signatureAgentUrl": "https://crawler.flowpane.com/.well-known/http-message-signatures-directory",
      "fetchOk": true,
      "httpStatus": 200,
      "attempts": 1,
      "transientErrors": [],
      "grade": "fail",
      "warnCount": 1,
      "failCount": 1,
      "findings": [
        {
          "check": "https",
          "grade": "pass",
          "detail": "Served over HTTPS.",
          "authority": "verifier-requirement"
        },
        {
          "check": "reachable",
          "grade": "pass",
          "detail": "Returned HTTP 200.",
          "authority": "verifier-requirement"
        },
        {
          "check": "not_redirected",
          "grade": "pass",
          "detail": "Served directly, no redirect.",
          "authority": "linter-opinion"
        },
        {
          "check": "well_known_path",
          "grade": "pass",
          "detail": "Served at the well-known path /.well-known/http-message-signatures-directory.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §7.1"
        },
        {
          "check": "content_type",
          "grade": "pass",
          "detail": "Content-Type is application/http-message-signatures-directory+json.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5"
        },
        {
          "check": "json_parse",
          "grade": "pass",
          "detail": "Body is valid JSON.",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "keys_present",
          "grade": "pass",
          "detail": "Directory publishes 1 key(s).",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "kty_okp",
          "grade": "pass",
          "detail": "All keys use key type \"OKP\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "crv_ed25519",
          "grade": "pass",
          "detail": "All keys use curve \"Ed25519\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "x_valid",
          "grade": "pass",
          "detail": "All public keys are valid 32-byte Ed25519 values.",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        },
        {
          "check": "thumbprint_kid",
          "grade": "pass",
          "detail": "All key IDs match their RFC 7638 thumbprint (a fingerprint of the key).",
          "authority": "linter-opinion",
          "specRef": "RFC 7638"
        },
        {
          "check": "unique_kids",
          "grade": "pass",
          "detail": "All key IDs are distinct.",
          "authority": "spec-should",
          "specRef": "RFC 7517 §4.5"
        },
        {
          "check": "cache_control",
          "grade": "pass",
          "detail": "Cache-Control is set (public, max-age=86400).",
          "authority": "linter-opinion"
        },
        {
          "check": "nbf_hygiene",
          "grade": "fail",
          "detail": "No key is usable yet — every key's not-before time is in the future: QZdoanWPKy-cHIy6B080FKtxV0Zky1tSDQ6WIslvi7E.",
          "authority": "spec-should",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "exp_hygiene",
          "grade": "pass",
          "detail": "No key is expired or expiring within 14 days.",
          "authority": "linter-opinion",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "response_signature",
          "grade": "warn",
          "detail": "The directory response is not signed (no Signature header). Cloudflare, the dominant verifier, requires a signature on the directory response. Sign it, or an unsigned directory will be rejected.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "private_key_material",
          "grade": "pass",
          "detail": "No private key material is exposed (public keys only).",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        }
      ],
      "keys": [
        {
          "kid": "QZdoanWPKy-cHIy6B080FKtxV0Zky1tSDQ6WIslvi7E",
          "crv": "Ed25519",
          "kty": "OKP",
          "daysToExpiry": 20869900,
          "thumbprintMatches": true
        }
      ]
    },
    {
      "slug": "flyingpress",
      "name": "FlyingPress",
      "operator": "FlyingWeb LLC",
      "kind": "BOT",
      "category": "SEARCH_ENGINE_OPTIMIZATION",
      "signatureAgentUrl": "https://page-optimizer.flyingpress.com/.well-known/http-message-signatures-directory",
      "fetchOk": true,
      "httpStatus": 200,
      "attempts": 1,
      "transientErrors": [],
      "grade": "pass_warn",
      "warnCount": 1,
      "failCount": 0,
      "findings": [
        {
          "check": "https",
          "grade": "pass",
          "detail": "Served over HTTPS.",
          "authority": "verifier-requirement"
        },
        {
          "check": "reachable",
          "grade": "pass",
          "detail": "Returned HTTP 200.",
          "authority": "verifier-requirement"
        },
        {
          "check": "not_redirected",
          "grade": "pass",
          "detail": "Served directly, no redirect.",
          "authority": "linter-opinion"
        },
        {
          "check": "well_known_path",
          "grade": "pass",
          "detail": "Served at the well-known path /.well-known/http-message-signatures-directory.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §7.1"
        },
        {
          "check": "content_type",
          "grade": "pass",
          "detail": "Content-Type is application/http-message-signatures-directory+json.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5"
        },
        {
          "check": "json_parse",
          "grade": "pass",
          "detail": "Body is valid JSON.",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "keys_present",
          "grade": "pass",
          "detail": "Directory publishes 1 key(s).",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "kty_okp",
          "grade": "pass",
          "detail": "All keys use key type \"OKP\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "crv_ed25519",
          "grade": "pass",
          "detail": "All keys use curve \"Ed25519\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "x_valid",
          "grade": "pass",
          "detail": "All public keys are valid 32-byte Ed25519 values.",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        },
        {
          "check": "thumbprint_kid",
          "grade": "warn",
          "detail": "Key ID is not the RFC 7638 thumbprint of the key (a fingerprint some verifiers expect the kid to equal); still valid, some verifiers use opaque IDs: key #1.",
          "authority": "linter-opinion",
          "specRef": "RFC 7638"
        },
        {
          "check": "unique_kids",
          "grade": "pass",
          "detail": "All key IDs are distinct.",
          "authority": "spec-should",
          "specRef": "RFC 7517 §4.5"
        },
        {
          "check": "cache_control",
          "grade": "pass",
          "detail": "Cache-Control is set (max-age=86400).",
          "authority": "linter-opinion"
        },
        {
          "check": "nbf_hygiene",
          "grade": "pass",
          "detail": "No key has a future not-before time.",
          "authority": "spec-should",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "exp_hygiene",
          "grade": "pass",
          "detail": "No key is expired or expiring within 14 days.",
          "authority": "linter-opinion",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "response_signature",
          "grade": "pass",
          "detail": "The directory response carries an HTTP-message signature.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_keyid_thumbprint",
          "grade": "pass",
          "detail": "The signature key ID is the RFC 7638 thumbprint (fingerprint) of a key advertised in this directory.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_tag",
          "grade": "pass",
          "detail": "The signature tag is \"http-message-signatures-directory\".",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_verified",
          "grade": "pass",
          "detail": "The directory-response signature is cryptographically valid (Ed25519).",
          "authority": "verifier-requirement",
          "specRef": "RFC 9421 §3.2"
        },
        {
          "check": "private_key_material",
          "grade": "pass",
          "detail": "No private key material is exposed (public keys only).",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        }
      ],
      "keys": [
        {
          "kid": null,
          "crv": "Ed25519",
          "kty": "OKP",
          "daysToExpiry": null,
          "thumbprintMatches": false
        }
      ]
    },
    {
      "slug": "ghostexplore",
      "name": "GhostExplore",
      "operator": "Ghost",
      "kind": "BOT",
      "category": "AGGREGATOR",
      "signatureAgentUrl": "https://explore.ghost.org/.well-known/http-message-signatures-directory",
      "fetchOk": true,
      "httpStatus": 200,
      "attempts": 1,
      "transientErrors": [],
      "grade": "pass_warn",
      "warnCount": 1,
      "failCount": 0,
      "findings": [
        {
          "check": "https",
          "grade": "pass",
          "detail": "Served over HTTPS.",
          "authority": "verifier-requirement"
        },
        {
          "check": "reachable",
          "grade": "pass",
          "detail": "Returned HTTP 200.",
          "authority": "verifier-requirement"
        },
        {
          "check": "not_redirected",
          "grade": "pass",
          "detail": "Served directly, no redirect.",
          "authority": "linter-opinion"
        },
        {
          "check": "well_known_path",
          "grade": "pass",
          "detail": "Served at the well-known path /.well-known/http-message-signatures-directory.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §7.1"
        },
        {
          "check": "content_type",
          "grade": "pass",
          "detail": "Content-Type is application/http-message-signatures-directory+json.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5"
        },
        {
          "check": "json_parse",
          "grade": "pass",
          "detail": "Body is valid JSON.",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "keys_present",
          "grade": "pass",
          "detail": "Directory publishes 1 key(s).",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "kty_okp",
          "grade": "pass",
          "detail": "All keys use key type \"OKP\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "crv_ed25519",
          "grade": "pass",
          "detail": "All keys use curve \"Ed25519\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "x_valid",
          "grade": "pass",
          "detail": "All public keys are valid 32-byte Ed25519 values.",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        },
        {
          "check": "thumbprint_kid",
          "grade": "warn",
          "detail": "Key ID is not the RFC 7638 thumbprint of the key (a fingerprint some verifiers expect the kid to equal); still valid, some verifiers use opaque IDs: key #1.",
          "authority": "linter-opinion",
          "specRef": "RFC 7638"
        },
        {
          "check": "unique_kids",
          "grade": "pass",
          "detail": "All key IDs are distinct.",
          "authority": "spec-should",
          "specRef": "RFC 7517 §4.5"
        },
        {
          "check": "cache_control",
          "grade": "pass",
          "detail": "Cache-Control is set (max-age=60, public, s-maxage=60).",
          "authority": "linter-opinion"
        },
        {
          "check": "nbf_hygiene",
          "grade": "pass",
          "detail": "No key has a future not-before time.",
          "authority": "spec-should",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "exp_hygiene",
          "grade": "pass",
          "detail": "No key is expired or expiring within 14 days.",
          "authority": "linter-opinion",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "response_signature",
          "grade": "pass",
          "detail": "The directory response carries an HTTP-message signature.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_keyid_thumbprint",
          "grade": "pass",
          "detail": "The signature key ID is the RFC 7638 thumbprint (fingerprint) of a key advertised in this directory.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_tag",
          "grade": "pass",
          "detail": "The signature tag is \"http-message-signatures-directory\".",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_verified",
          "grade": "pass",
          "detail": "The directory-response signature is cryptographically valid (Ed25519).",
          "authority": "verifier-requirement",
          "specRef": "RFC 9421 §3.2"
        },
        {
          "check": "private_key_material",
          "grade": "pass",
          "detail": "No private key material is exposed (public keys only).",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        }
      ],
      "keys": [
        {
          "kid": null,
          "crv": "Ed25519",
          "kty": "OKP",
          "daysToExpiry": null,
          "thumbprintMatches": false
        }
      ]
    },
    {
      "slug": "henry-shopping-agent",
      "name": "Henry Shopping Agent",
      "operator": "Henry Labs",
      "kind": "AGENT",
      "category": "AI_ASSISTANT",
      "signatureAgentUrl": "https://www.henrylabs.ai/.well-known/http-message-signatures-directory",
      "fetchOk": true,
      "httpStatus": 200,
      "attempts": 1,
      "transientErrors": [],
      "grade": "pass_warn",
      "warnCount": 1,
      "failCount": 0,
      "findings": [
        {
          "check": "https",
          "grade": "pass",
          "detail": "Served over HTTPS.",
          "authority": "verifier-requirement"
        },
        {
          "check": "reachable",
          "grade": "pass",
          "detail": "Returned HTTP 200.",
          "authority": "verifier-requirement"
        },
        {
          "check": "not_redirected",
          "grade": "pass",
          "detail": "Served directly, no redirect.",
          "authority": "linter-opinion"
        },
        {
          "check": "well_known_path",
          "grade": "pass",
          "detail": "Served at the well-known path /.well-known/http-message-signatures-directory.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §7.1"
        },
        {
          "check": "content_type",
          "grade": "pass",
          "detail": "Content-Type is application/http-message-signatures-directory+json.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5"
        },
        {
          "check": "json_parse",
          "grade": "pass",
          "detail": "Body is valid JSON.",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "keys_present",
          "grade": "pass",
          "detail": "Directory publishes 1 key(s).",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "kty_okp",
          "grade": "pass",
          "detail": "All keys use key type \"OKP\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "crv_ed25519",
          "grade": "pass",
          "detail": "All keys use curve \"Ed25519\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "x_valid",
          "grade": "pass",
          "detail": "All public keys are valid 32-byte Ed25519 values.",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        },
        {
          "check": "thumbprint_kid",
          "grade": "pass",
          "detail": "All key IDs match their RFC 7638 thumbprint (a fingerprint of the key).",
          "authority": "linter-opinion",
          "specRef": "RFC 7638"
        },
        {
          "check": "unique_kids",
          "grade": "pass",
          "detail": "All key IDs are distinct.",
          "authority": "spec-should",
          "specRef": "RFC 7517 §4.5"
        },
        {
          "check": "cache_control",
          "grade": "pass",
          "detail": "Cache-Control is set (max-age=86400).",
          "authority": "linter-opinion"
        },
        {
          "check": "nbf_hygiene",
          "grade": "pass",
          "detail": "No key has a future not-before time.",
          "authority": "spec-should",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "exp_hygiene",
          "grade": "warn",
          "detail": "Key expires soon: qTHUBf7EC_LRRSojcmjpqPnZmn8-c2UmNTY8WY7xSR0 (7 day(s)).",
          "authority": "linter-opinion",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "response_signature",
          "grade": "pass",
          "detail": "The directory response carries an HTTP-message signature.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_keyid_thumbprint",
          "grade": "pass",
          "detail": "The signature key ID is the RFC 7638 thumbprint (fingerprint) of a key advertised in this directory.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_tag",
          "grade": "pass",
          "detail": "The signature tag is \"http-message-signatures-directory\".",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_verified",
          "grade": "pass",
          "detail": "The directory-response signature is cryptographically valid (Ed25519).",
          "authority": "verifier-requirement",
          "specRef": "RFC 9421 §3.2"
        },
        {
          "check": "private_key_material",
          "grade": "pass",
          "detail": "No private key material is exposed (public keys only).",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        }
      ],
      "keys": [
        {
          "kid": "qTHUBf7EC_LRRSojcmjpqPnZmn8-c2UmNTY8WY7xSR0",
          "crv": "Ed25519",
          "kty": "OKP",
          "daysToExpiry": 7,
          "thumbprintMatches": true
        }
      ]
    },
    {
      "slug": "hunter-logos",
      "name": "Hunter Logos",
      "operator": "Hunter Web Services, Inc",
      "kind": "BOT",
      "category": "OTHER",
      "signatureAgentUrl": "https://logos.hunter.io/.well-known/http-message-signatures-directory",
      "fetchOk": true,
      "httpStatus": 200,
      "attempts": 1,
      "transientErrors": [],
      "grade": "pass",
      "warnCount": 0,
      "failCount": 0,
      "findings": [
        {
          "check": "https",
          "grade": "pass",
          "detail": "Served over HTTPS.",
          "authority": "verifier-requirement"
        },
        {
          "check": "reachable",
          "grade": "pass",
          "detail": "Returned HTTP 200.",
          "authority": "verifier-requirement"
        },
        {
          "check": "not_redirected",
          "grade": "pass",
          "detail": "Served directly, no redirect.",
          "authority": "linter-opinion"
        },
        {
          "check": "well_known_path",
          "grade": "pass",
          "detail": "Served at the well-known path /.well-known/http-message-signatures-directory.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §7.1"
        },
        {
          "check": "content_type",
          "grade": "pass",
          "detail": "Content-Type is application/http-message-signatures-directory+json.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5"
        },
        {
          "check": "json_parse",
          "grade": "pass",
          "detail": "Body is valid JSON.",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "keys_present",
          "grade": "pass",
          "detail": "Directory publishes 1 key(s).",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "kty_okp",
          "grade": "pass",
          "detail": "All keys use key type \"OKP\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "crv_ed25519",
          "grade": "pass",
          "detail": "All keys use curve \"Ed25519\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "x_valid",
          "grade": "pass",
          "detail": "All public keys are valid 32-byte Ed25519 values.",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        },
        {
          "check": "thumbprint_kid",
          "grade": "pass",
          "detail": "All key IDs match their RFC 7638 thumbprint (a fingerprint of the key).",
          "authority": "linter-opinion",
          "specRef": "RFC 7638"
        },
        {
          "check": "unique_kids",
          "grade": "pass",
          "detail": "All key IDs are distinct.",
          "authority": "spec-should",
          "specRef": "RFC 7517 §4.5"
        },
        {
          "check": "cache_control",
          "grade": "pass",
          "detail": "Cache-Control is set (max-age=86400).",
          "authority": "linter-opinion"
        },
        {
          "check": "nbf_hygiene",
          "grade": "pass",
          "detail": "No key has a future not-before time.",
          "authority": "spec-should",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "exp_hygiene",
          "grade": "pass",
          "detail": "No key is expired or expiring within 14 days.",
          "authority": "linter-opinion",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "response_signature",
          "grade": "pass",
          "detail": "The directory response carries an HTTP-message signature.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_keyid_thumbprint",
          "grade": "pass",
          "detail": "The signature key ID is the RFC 7638 thumbprint (fingerprint) of a key advertised in this directory.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_tag",
          "grade": "pass",
          "detail": "The signature tag is \"http-message-signatures-directory\".",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_verified",
          "grade": "pass",
          "detail": "The directory-response signature is cryptographically valid (Ed25519).",
          "authority": "verifier-requirement",
          "specRef": "RFC 9421 §3.2"
        },
        {
          "check": "private_key_material",
          "grade": "pass",
          "detail": "No private key material is exposed (public keys only).",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        }
      ],
      "keys": [
        {
          "kid": "XUTOys9wNKm3RByyxfcfro3tDfFZfOzkCDoAK-Usp_k",
          "crv": "Ed25519",
          "kty": "OKP",
          "daysToExpiry": null,
          "thumbprintMatches": true
        }
      ]
    },
    {
      "slug": "keldannewscrawler",
      "name": "KeldanNewsCrawler",
      "operator": "Keldan ehf.",
      "kind": "BOT",
      "category": "SEARCH_ENGINE_CRAWLER",
      "signatureAgentUrl": "https://news-crawler.keldan.is/.well-known/http-message-signatures-directory",
      "fetchOk": true,
      "httpStatus": 200,
      "attempts": 1,
      "transientErrors": [],
      "grade": "pass_warn",
      "warnCount": 2,
      "failCount": 0,
      "findings": [
        {
          "check": "https",
          "grade": "pass",
          "detail": "Served over HTTPS.",
          "authority": "verifier-requirement"
        },
        {
          "check": "reachable",
          "grade": "pass",
          "detail": "Returned HTTP 200.",
          "authority": "verifier-requirement"
        },
        {
          "check": "not_redirected",
          "grade": "pass",
          "detail": "Served directly, no redirect.",
          "authority": "linter-opinion"
        },
        {
          "check": "well_known_path",
          "grade": "pass",
          "detail": "Served at the well-known path /.well-known/http-message-signatures-directory.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §7.1"
        },
        {
          "check": "content_type",
          "grade": "pass",
          "detail": "Content-Type is application/http-message-signatures-directory+json.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5"
        },
        {
          "check": "json_parse",
          "grade": "pass",
          "detail": "Body is valid JSON.",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "keys_present",
          "grade": "pass",
          "detail": "Directory publishes 1 key(s).",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "kty_okp",
          "grade": "pass",
          "detail": "All keys use key type \"OKP\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "crv_ed25519",
          "grade": "pass",
          "detail": "All keys use curve \"Ed25519\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "x_valid",
          "grade": "pass",
          "detail": "All public keys are valid 32-byte Ed25519 values.",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        },
        {
          "check": "thumbprint_kid",
          "grade": "warn",
          "detail": "Key ID is not the RFC 7638 thumbprint of the key (a fingerprint some verifiers expect the kid to equal); still valid, some verifiers use opaque IDs: key #1.",
          "authority": "linter-opinion",
          "specRef": "RFC 7638"
        },
        {
          "check": "unique_kids",
          "grade": "pass",
          "detail": "All key IDs are distinct.",
          "authority": "spec-should",
          "specRef": "RFC 7517 §4.5"
        },
        {
          "check": "cache_control",
          "grade": "warn",
          "detail": "Cache-Control \"no-store\" prevents caching. Drop no-store/no-cache so verifiers can cache the directory.",
          "authority": "linter-opinion"
        },
        {
          "check": "nbf_hygiene",
          "grade": "pass",
          "detail": "No key has a future not-before time.",
          "authority": "spec-should",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "exp_hygiene",
          "grade": "pass",
          "detail": "No key is expired or expiring within 14 days.",
          "authority": "linter-opinion",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "response_signature",
          "grade": "pass",
          "detail": "The directory response carries an HTTP-message signature.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_keyid_thumbprint",
          "grade": "pass",
          "detail": "The signature key ID is the RFC 7638 thumbprint (fingerprint) of a key advertised in this directory.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_tag",
          "grade": "pass",
          "detail": "The signature tag is \"http-message-signatures-directory\".",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_verified",
          "grade": "pass",
          "detail": "The directory-response signature is cryptographically valid (Ed25519).",
          "authority": "verifier-requirement",
          "specRef": "RFC 9421 §3.2"
        },
        {
          "check": "private_key_material",
          "grade": "pass",
          "detail": "No private key material is exposed (public keys only).",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        }
      ],
      "keys": [
        {
          "kid": null,
          "crv": "Ed25519",
          "kty": "OKP",
          "daysToExpiry": null,
          "thumbprintMatches": false
        }
      ]
    },
    {
      "slug": "kernel",
      "name": "Kernel",
      "operator": "Kernel",
      "kind": "AGENT",
      "category": "AI_ASSISTANT",
      "signatureAgentUrl": "https://www.kernel.sh/.well-known/http-message-signatures-directory",
      "fetchOk": true,
      "httpStatus": 200,
      "attempts": 1,
      "transientErrors": [],
      "grade": "pass_warn",
      "warnCount": 1,
      "failCount": 0,
      "findings": [
        {
          "check": "https",
          "grade": "pass",
          "detail": "Served over HTTPS.",
          "authority": "verifier-requirement"
        },
        {
          "check": "reachable",
          "grade": "pass",
          "detail": "Returned HTTP 200.",
          "authority": "verifier-requirement"
        },
        {
          "check": "not_redirected",
          "grade": "pass",
          "detail": "Served directly, no redirect.",
          "authority": "linter-opinion"
        },
        {
          "check": "well_known_path",
          "grade": "pass",
          "detail": "Served at the well-known path /.well-known/http-message-signatures-directory.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §7.1"
        },
        {
          "check": "content_type",
          "grade": "pass",
          "detail": "Content-Type is application/http-message-signatures-directory+json.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5"
        },
        {
          "check": "json_parse",
          "grade": "pass",
          "detail": "Body is valid JSON.",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "keys_present",
          "grade": "pass",
          "detail": "Directory publishes 1 key(s).",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "kty_okp",
          "grade": "pass",
          "detail": "All keys use key type \"OKP\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "crv_ed25519",
          "grade": "pass",
          "detail": "All keys use curve \"Ed25519\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "x_valid",
          "grade": "pass",
          "detail": "All public keys are valid 32-byte Ed25519 values.",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        },
        {
          "check": "thumbprint_kid",
          "grade": "pass",
          "detail": "All key IDs match their RFC 7638 thumbprint (a fingerprint of the key).",
          "authority": "linter-opinion",
          "specRef": "RFC 7638"
        },
        {
          "check": "unique_kids",
          "grade": "pass",
          "detail": "All key IDs are distinct.",
          "authority": "spec-should",
          "specRef": "RFC 7517 §4.5"
        },
        {
          "check": "cache_control",
          "grade": "pass",
          "detail": "Cache-Control is set (public, max-age=3600).",
          "authority": "linter-opinion"
        },
        {
          "check": "nbf_hygiene",
          "grade": "pass",
          "detail": "No key has a future not-before time.",
          "authority": "spec-should",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "exp_hygiene",
          "grade": "warn",
          "detail": "Key expires soon: 5z6F4EJybUfoygglZXiAYaS6O1GU8hA1JrA-m7lGURM (0 day(s)).",
          "authority": "linter-opinion",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "response_signature",
          "grade": "pass",
          "detail": "The directory response carries an HTTP-message signature.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_keyid_thumbprint",
          "grade": "pass",
          "detail": "The signature key ID is the RFC 7638 thumbprint (fingerprint) of a key advertised in this directory.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_tag",
          "grade": "pass",
          "detail": "The signature tag is \"http-message-signatures-directory\".",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_verified",
          "grade": "pass",
          "detail": "The directory-response signature is cryptographically valid (Ed25519).",
          "authority": "verifier-requirement",
          "specRef": "RFC 9421 §3.2"
        },
        {
          "check": "private_key_material",
          "grade": "pass",
          "detail": "No private key material is exposed (public keys only).",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        }
      ],
      "keys": [
        {
          "kid": "5z6F4EJybUfoygglZXiAYaS6O1GU8hA1JrA-m7lGURM",
          "crv": "Ed25519",
          "kty": "OKP",
          "daysToExpiry": 0,
          "thumbprintMatches": true
        }
      ]
    },
    {
      "slug": "klaviyoaibot",
      "name": "KlaviyoAIBot",
      "operator": "Klaviyo",
      "kind": "BOT",
      "category": "AI_SEARCH",
      "signatureAgentUrl": "https://www.klaviyo.com/.well-known/http-message-signatures-directory",
      "fetchOk": true,
      "httpStatus": 200,
      "attempts": 1,
      "transientErrors": [],
      "grade": "pass_warn",
      "warnCount": 1,
      "failCount": 0,
      "findings": [
        {
          "check": "https",
          "grade": "pass",
          "detail": "Served over HTTPS.",
          "authority": "verifier-requirement"
        },
        {
          "check": "reachable",
          "grade": "pass",
          "detail": "Returned HTTP 200.",
          "authority": "verifier-requirement"
        },
        {
          "check": "not_redirected",
          "grade": "pass",
          "detail": "Served directly, no redirect.",
          "authority": "linter-opinion"
        },
        {
          "check": "well_known_path",
          "grade": "pass",
          "detail": "Served at the well-known path /.well-known/http-message-signatures-directory.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §7.1"
        },
        {
          "check": "content_type",
          "grade": "pass",
          "detail": "Content-Type is application/http-message-signatures-directory+json.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5"
        },
        {
          "check": "json_parse",
          "grade": "pass",
          "detail": "Body is valid JSON.",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "keys_present",
          "grade": "pass",
          "detail": "Directory publishes 1 key(s).",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "kty_okp",
          "grade": "pass",
          "detail": "All keys use key type \"OKP\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "crv_ed25519",
          "grade": "pass",
          "detail": "All keys use curve \"Ed25519\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "x_valid",
          "grade": "pass",
          "detail": "All public keys are valid 32-byte Ed25519 values.",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        },
        {
          "check": "thumbprint_kid",
          "grade": "warn",
          "detail": "Key ID is not the RFC 7638 thumbprint of the key (a fingerprint some verifiers expect the kid to equal); still valid, some verifiers use opaque IDs: key #1.",
          "authority": "linter-opinion",
          "specRef": "RFC 7638"
        },
        {
          "check": "unique_kids",
          "grade": "pass",
          "detail": "All key IDs are distinct.",
          "authority": "spec-should",
          "specRef": "RFC 7517 §4.5"
        },
        {
          "check": "cache_control",
          "grade": "pass",
          "detail": "Cache-Control is set (max-age=86400).",
          "authority": "linter-opinion"
        },
        {
          "check": "nbf_hygiene",
          "grade": "pass",
          "detail": "No key has a future not-before time.",
          "authority": "spec-should",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "exp_hygiene",
          "grade": "pass",
          "detail": "No key is expired or expiring within 14 days.",
          "authority": "linter-opinion",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "response_signature",
          "grade": "pass",
          "detail": "The directory response carries an HTTP-message signature.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_keyid_thumbprint",
          "grade": "pass",
          "detail": "The signature key ID is the RFC 7638 thumbprint (fingerprint) of a key advertised in this directory.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_tag",
          "grade": "pass",
          "detail": "The signature tag is \"http-message-signatures-directory\".",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_verified",
          "grade": "pass",
          "detail": "The directory-response signature is cryptographically valid (Ed25519).",
          "authority": "verifier-requirement",
          "specRef": "RFC 9421 §3.2"
        },
        {
          "check": "private_key_material",
          "grade": "pass",
          "detail": "No private key material is exposed (public keys only).",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        }
      ],
      "keys": [
        {
          "kid": null,
          "crv": "Ed25519",
          "kty": "OKP",
          "daysToExpiry": null,
          "thumbprintMatches": false
        }
      ]
    },
    {
      "slug": "link-cli",
      "name": "Link CLI",
      "operator": "Link",
      "kind": "AGENT",
      "category": "OTHER",
      "signatureAgentUrl": "https://api.link.com/.well-known/http-message-signatures-directory",
      "fetchOk": true,
      "httpStatus": 200,
      "attempts": 1,
      "transientErrors": [],
      "grade": "pass_warn",
      "warnCount": 1,
      "failCount": 0,
      "findings": [
        {
          "check": "https",
          "grade": "pass",
          "detail": "Served over HTTPS.",
          "authority": "verifier-requirement"
        },
        {
          "check": "reachable",
          "grade": "pass",
          "detail": "Returned HTTP 200.",
          "authority": "verifier-requirement"
        },
        {
          "check": "not_redirected",
          "grade": "pass",
          "detail": "Served directly, no redirect.",
          "authority": "linter-opinion"
        },
        {
          "check": "well_known_path",
          "grade": "pass",
          "detail": "Served at the well-known path /.well-known/http-message-signatures-directory.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §7.1"
        },
        {
          "check": "content_type",
          "grade": "pass",
          "detail": "Content-Type is application/http-message-signatures-directory+json.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5"
        },
        {
          "check": "json_parse",
          "grade": "pass",
          "detail": "Body is valid JSON.",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "keys_present",
          "grade": "pass",
          "detail": "Directory publishes 1 key(s).",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "kty_okp",
          "grade": "pass",
          "detail": "All keys use key type \"OKP\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "crv_ed25519",
          "grade": "pass",
          "detail": "All keys use curve \"Ed25519\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "x_valid",
          "grade": "pass",
          "detail": "All public keys are valid 32-byte Ed25519 values.",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        },
        {
          "check": "thumbprint_kid",
          "grade": "pass",
          "detail": "All key IDs match their RFC 7638 thumbprint (a fingerprint of the key).",
          "authority": "linter-opinion",
          "specRef": "RFC 7638"
        },
        {
          "check": "unique_kids",
          "grade": "pass",
          "detail": "All key IDs are distinct.",
          "authority": "spec-should",
          "specRef": "RFC 7517 §4.5"
        },
        {
          "check": "cache_control",
          "grade": "warn",
          "detail": "Cache-Control \"max-age=0, no-cache, no-store, must-revalidate\" prevents caching. Drop no-store/no-cache so verifiers can cache the directory.",
          "authority": "linter-opinion"
        },
        {
          "check": "nbf_hygiene",
          "grade": "pass",
          "detail": "No key has a future not-before time.",
          "authority": "spec-should",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "exp_hygiene",
          "grade": "pass",
          "detail": "No key is expired or expiring within 14 days.",
          "authority": "linter-opinion",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "response_signature",
          "grade": "pass",
          "detail": "The directory response carries an HTTP-message signature.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_keyid_thumbprint",
          "grade": "pass",
          "detail": "The signature key ID is the RFC 7638 thumbprint (fingerprint) of a key advertised in this directory.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_tag",
          "grade": "pass",
          "detail": "The signature tag is \"http-message-signatures-directory\".",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_verified",
          "grade": "pass",
          "detail": "The directory-response signature is cryptographically valid (Ed25519).",
          "authority": "verifier-requirement",
          "specRef": "RFC 9421 §3.2"
        },
        {
          "check": "private_key_material",
          "grade": "pass",
          "detail": "No private key material is exposed (public keys only).",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        }
      ],
      "keys": [
        {
          "kid": "V_khXUprn_ogn4ISW47LoNMdWLnmmbQSpTNHunAy3d4",
          "crv": "Ed25519",
          "kty": "OKP",
          "daysToExpiry": null,
          "thumbprintMatches": true
        }
      ]
    },
    {
      "slug": "manus-bot",
      "name": "Manus Bot",
      "operator": "Manus",
      "kind": "BOT",
      "category": "AI_ASSISTANT",
      "signatureAgentUrl": "https://api.manus.im/.well-known/http-message-signatures-directory",
      "fetchOk": true,
      "httpStatus": 200,
      "attempts": 1,
      "transientErrors": [],
      "grade": "pass_warn",
      "warnCount": 1,
      "failCount": 0,
      "findings": [
        {
          "check": "https",
          "grade": "pass",
          "detail": "Served over HTTPS.",
          "authority": "verifier-requirement"
        },
        {
          "check": "reachable",
          "grade": "pass",
          "detail": "Returned HTTP 200.",
          "authority": "verifier-requirement"
        },
        {
          "check": "not_redirected",
          "grade": "pass",
          "detail": "Served directly, no redirect.",
          "authority": "linter-opinion"
        },
        {
          "check": "well_known_path",
          "grade": "pass",
          "detail": "Served at the well-known path /.well-known/http-message-signatures-directory.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §7.1"
        },
        {
          "check": "content_type",
          "grade": "pass",
          "detail": "Content-Type is application/http-message-signatures-directory+json.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5"
        },
        {
          "check": "json_parse",
          "grade": "pass",
          "detail": "Body is valid JSON.",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "keys_present",
          "grade": "pass",
          "detail": "Directory publishes 1 key(s).",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "kty_okp",
          "grade": "pass",
          "detail": "All keys use key type \"OKP\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "crv_ed25519",
          "grade": "pass",
          "detail": "All keys use curve \"Ed25519\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "x_valid",
          "grade": "pass",
          "detail": "All public keys are valid 32-byte Ed25519 values.",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        },
        {
          "check": "thumbprint_kid",
          "grade": "warn",
          "detail": "Key ID is not the RFC 7638 thumbprint of the key (a fingerprint some verifiers expect the kid to equal); still valid, some verifiers use opaque IDs: key #1.",
          "authority": "linter-opinion",
          "specRef": "RFC 7638"
        },
        {
          "check": "unique_kids",
          "grade": "pass",
          "detail": "All key IDs are distinct.",
          "authority": "spec-should",
          "specRef": "RFC 7517 §4.5"
        },
        {
          "check": "cache_control",
          "grade": "pass",
          "detail": "Cache-Control is set (max-age=86400).",
          "authority": "linter-opinion"
        },
        {
          "check": "nbf_hygiene",
          "grade": "pass",
          "detail": "No key has a future not-before time.",
          "authority": "spec-should",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "exp_hygiene",
          "grade": "pass",
          "detail": "No key is expired or expiring within 14 days.",
          "authority": "linter-opinion",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "response_signature",
          "grade": "pass",
          "detail": "The directory response carries an HTTP-message signature.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_keyid_thumbprint",
          "grade": "pass",
          "detail": "The signature key ID is the RFC 7638 thumbprint (fingerprint) of a key advertised in this directory.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_tag",
          "grade": "pass",
          "detail": "The signature tag is \"http-message-signatures-directory\".",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_verified",
          "grade": "pass",
          "detail": "The directory-response signature is cryptographically valid (Ed25519).",
          "authority": "verifier-requirement",
          "specRef": "RFC 9421 §3.2"
        },
        {
          "check": "private_key_material",
          "grade": "pass",
          "detail": "No private key material is exposed (public keys only).",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        }
      ],
      "keys": [
        {
          "kid": null,
          "crv": "Ed25519",
          "kty": "OKP",
          "daysToExpiry": null,
          "thumbprintMatches": false
        }
      ]
    },
    {
      "slug": "mediaboardbot",
      "name": "mediaboardbot",
      "operator": "Mediaboard",
      "kind": "BOT",
      "category": "MONITORING_AND_ANALYTICS",
      "signatureAgentUrl": "https://media.mediaboard.com/.well-known/http-message-signatures-directory",
      "fetchOk": true,
      "httpStatus": 200,
      "attempts": 1,
      "transientErrors": [],
      "grade": "pass_warn",
      "warnCount": 2,
      "failCount": 0,
      "findings": [
        {
          "check": "https",
          "grade": "pass",
          "detail": "Served over HTTPS.",
          "authority": "verifier-requirement"
        },
        {
          "check": "reachable",
          "grade": "pass",
          "detail": "Returned HTTP 200.",
          "authority": "verifier-requirement"
        },
        {
          "check": "not_redirected",
          "grade": "pass",
          "detail": "Served directly, no redirect.",
          "authority": "linter-opinion"
        },
        {
          "check": "well_known_path",
          "grade": "pass",
          "detail": "Served at the well-known path /.well-known/http-message-signatures-directory.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §7.1"
        },
        {
          "check": "content_type",
          "grade": "pass",
          "detail": "Content-Type is application/http-message-signatures-directory+json.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5"
        },
        {
          "check": "json_parse",
          "grade": "pass",
          "detail": "Body is valid JSON.",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "keys_present",
          "grade": "pass",
          "detail": "Directory publishes 1 key(s).",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "kty_okp",
          "grade": "pass",
          "detail": "All keys use key type \"OKP\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "crv_ed25519",
          "grade": "pass",
          "detail": "All keys use curve \"Ed25519\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "x_valid",
          "grade": "pass",
          "detail": "All public keys are valid 32-byte Ed25519 values.",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        },
        {
          "check": "thumbprint_kid",
          "grade": "warn",
          "detail": "Key ID is not the RFC 7638 thumbprint of the key (a fingerprint some verifiers expect the kid to equal); still valid, some verifiers use opaque IDs: key #1.",
          "authority": "linter-opinion",
          "specRef": "RFC 7638"
        },
        {
          "check": "unique_kids",
          "grade": "pass",
          "detail": "All key IDs are distinct.",
          "authority": "spec-should",
          "specRef": "RFC 7517 §4.5"
        },
        {
          "check": "cache_control",
          "grade": "warn",
          "detail": "No Cache-Control header. Add one so verifiers can cache the directory instead of refetching every time.",
          "authority": "linter-opinion"
        },
        {
          "check": "nbf_hygiene",
          "grade": "pass",
          "detail": "No key has a future not-before time.",
          "authority": "spec-should",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "exp_hygiene",
          "grade": "pass",
          "detail": "No key is expired or expiring within 14 days.",
          "authority": "linter-opinion",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "response_signature",
          "grade": "pass",
          "detail": "The directory response carries an HTTP-message signature.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_keyid_thumbprint",
          "grade": "pass",
          "detail": "The signature key ID is the RFC 7638 thumbprint (fingerprint) of a key advertised in this directory.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_tag",
          "grade": "pass",
          "detail": "The signature tag is \"http-message-signatures-directory\".",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_verified",
          "grade": "pass",
          "detail": "The directory-response signature is cryptographically valid (Ed25519).",
          "authority": "verifier-requirement",
          "specRef": "RFC 9421 §3.2"
        },
        {
          "check": "private_key_material",
          "grade": "pass",
          "detail": "No private key material is exposed (public keys only).",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        }
      ],
      "keys": [
        {
          "kid": null,
          "crv": "Ed25519",
          "kty": "OKP",
          "daysToExpiry": null,
          "thumbprintMatches": false
        }
      ]
    },
    {
      "slug": "nava-labs-asp-dev",
      "name": "Nava Labs ASP (Dev)",
      "operator": "Nava Labs",
      "kind": "AGENT",
      "category": "AI_ASSISTANT",
      "signatureAgentUrl": "https://dev.labs-asp.navateam.com/.well-known/http-message-signatures-directory",
      "fetchOk": true,
      "httpStatus": 200,
      "attempts": 1,
      "transientErrors": [],
      "grade": "pass",
      "warnCount": 0,
      "failCount": 0,
      "findings": [
        {
          "check": "https",
          "grade": "pass",
          "detail": "Served over HTTPS.",
          "authority": "verifier-requirement"
        },
        {
          "check": "reachable",
          "grade": "pass",
          "detail": "Returned HTTP 200.",
          "authority": "verifier-requirement"
        },
        {
          "check": "not_redirected",
          "grade": "pass",
          "detail": "Served directly, no redirect.",
          "authority": "linter-opinion"
        },
        {
          "check": "well_known_path",
          "grade": "pass",
          "detail": "Served at the well-known path /.well-known/http-message-signatures-directory.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §7.1"
        },
        {
          "check": "content_type",
          "grade": "pass",
          "detail": "Content-Type is application/http-message-signatures-directory+json.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5"
        },
        {
          "check": "json_parse",
          "grade": "pass",
          "detail": "Body is valid JSON.",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "keys_present",
          "grade": "pass",
          "detail": "Directory publishes 1 key(s).",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "kty_okp",
          "grade": "pass",
          "detail": "All keys use key type \"OKP\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "crv_ed25519",
          "grade": "pass",
          "detail": "All keys use curve \"Ed25519\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "x_valid",
          "grade": "pass",
          "detail": "All public keys are valid 32-byte Ed25519 values.",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        },
        {
          "check": "thumbprint_kid",
          "grade": "pass",
          "detail": "All key IDs match their RFC 7638 thumbprint (a fingerprint of the key).",
          "authority": "linter-opinion",
          "specRef": "RFC 7638"
        },
        {
          "check": "unique_kids",
          "grade": "pass",
          "detail": "All key IDs are distinct.",
          "authority": "spec-should",
          "specRef": "RFC 7517 §4.5"
        },
        {
          "check": "cache_control",
          "grade": "pass",
          "detail": "Cache-Control is set (private, max-age=60).",
          "authority": "linter-opinion"
        },
        {
          "check": "nbf_hygiene",
          "grade": "pass",
          "detail": "No key has a future not-before time.",
          "authority": "spec-should",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "exp_hygiene",
          "grade": "pass",
          "detail": "No key is expired or expiring within 14 days.",
          "authority": "linter-opinion",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "response_signature",
          "grade": "pass",
          "detail": "The directory response carries an HTTP-message signature.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_keyid_thumbprint",
          "grade": "pass",
          "detail": "The signature key ID is the RFC 7638 thumbprint (fingerprint) of a key advertised in this directory.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_tag",
          "grade": "pass",
          "detail": "The signature tag is \"http-message-signatures-directory\".",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_verified",
          "grade": "pass",
          "detail": "The directory-response signature is cryptographically valid (Ed25519).",
          "authority": "verifier-requirement",
          "specRef": "RFC 9421 §3.2"
        },
        {
          "check": "private_key_material",
          "grade": "pass",
          "detail": "No private key material is exposed (public keys only).",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        }
      ],
      "keys": [
        {
          "kid": "7YGvanRmbwiz8FqvVJd86wHWd_2lYI4aCUKdqCXuxEw",
          "crv": "Ed25519",
          "kty": "OKP",
          "daysToExpiry": null,
          "thumbprintMatches": true
        }
      ]
    },
    {
      "slug": "nekuda-payment-executor",
      "name": "Nekuda Payment Executor",
      "operator": "Nekuda",
      "kind": "AGENT",
      "category": "OTHER",
      "signatureAgentUrl": "https://nekuda-agent-registry.onrender.com/.well-known/http-message-signatures-directory",
      "fetchOk": true,
      "httpStatus": 200,
      "attempts": 1,
      "transientErrors": [],
      "grade": "pass_warn",
      "warnCount": 2,
      "failCount": 0,
      "findings": [
        {
          "check": "https",
          "grade": "pass",
          "detail": "Served over HTTPS.",
          "authority": "verifier-requirement"
        },
        {
          "check": "reachable",
          "grade": "pass",
          "detail": "Returned HTTP 200.",
          "authority": "verifier-requirement"
        },
        {
          "check": "not_redirected",
          "grade": "pass",
          "detail": "Served directly, no redirect.",
          "authority": "linter-opinion"
        },
        {
          "check": "well_known_path",
          "grade": "pass",
          "detail": "Served at the well-known path /.well-known/http-message-signatures-directory.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §7.1"
        },
        {
          "check": "content_type",
          "grade": "pass",
          "detail": "Content-Type is application/http-message-signatures-directory+json.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5"
        },
        {
          "check": "json_parse",
          "grade": "pass",
          "detail": "Body is valid JSON.",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "keys_present",
          "grade": "pass",
          "detail": "Directory publishes 2 key(s).",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "kty_okp",
          "grade": "pass",
          "detail": "All keys use key type \"OKP\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "crv_ed25519",
          "grade": "pass",
          "detail": "All keys use curve \"Ed25519\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "x_valid",
          "grade": "pass",
          "detail": "All public keys are valid 32-byte Ed25519 values.",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        },
        {
          "check": "thumbprint_kid",
          "grade": "warn",
          "detail": "Key ID is not the RFC 7638 thumbprint of the key (a fingerprint some verifiers expect the kid to equal); still valid, some verifiers use opaque IDs: AG_d4b2a665, AG_0e229c54.",
          "authority": "linter-opinion",
          "specRef": "RFC 7638"
        },
        {
          "check": "unique_kids",
          "grade": "pass",
          "detail": "All key IDs are distinct.",
          "authority": "spec-should",
          "specRef": "RFC 7517 §4.5"
        },
        {
          "check": "cache_control",
          "grade": "pass",
          "detail": "Cache-Control is set (public, max-age=3600).",
          "authority": "linter-opinion"
        },
        {
          "check": "nbf_hygiene",
          "grade": "pass",
          "detail": "No key has a future not-before time.",
          "authority": "spec-should",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "exp_hygiene",
          "grade": "pass",
          "detail": "No key is expired or expiring within 14 days.",
          "authority": "linter-opinion",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "response_signature",
          "grade": "warn",
          "detail": "The directory response is not signed (no Signature header). Cloudflare, the dominant verifier, requires a signature on the directory response. Sign it, or an unsigned directory will be rejected.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "private_key_material",
          "grade": "pass",
          "detail": "No private key material is exposed (public keys only).",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        }
      ],
      "keys": [
        {
          "kid": "AG_d4b2a665",
          "crv": "Ed25519",
          "kty": "OKP",
          "daysToExpiry": null,
          "thumbprintMatches": false
        },
        {
          "kid": "AG_0e229c54",
          "crv": "Ed25519",
          "kty": "OKP",
          "daysToExpiry": null,
          "thumbprintMatches": false
        }
      ]
    },
    {
      "slug": "nostra",
      "name": "Nostra",
      "operator": "Nostra",
      "kind": "BOT",
      "category": "SEARCH_ENGINE_OPTIMIZATION",
      "signatureAgentUrl": "https://bots.nostra.ai/.well-known/http-message-signatures-directory",
      "fetchOk": true,
      "httpStatus": 200,
      "attempts": 1,
      "transientErrors": [],
      "grade": "fail",
      "warnCount": 1,
      "failCount": 1,
      "findings": [
        {
          "check": "https",
          "grade": "pass",
          "detail": "Served over HTTPS.",
          "authority": "verifier-requirement"
        },
        {
          "check": "reachable",
          "grade": "pass",
          "detail": "Returned HTTP 200.",
          "authority": "verifier-requirement"
        },
        {
          "check": "not_redirected",
          "grade": "pass",
          "detail": "Served directly, no redirect.",
          "authority": "linter-opinion"
        },
        {
          "check": "well_known_path",
          "grade": "pass",
          "detail": "Served at the well-known path /.well-known/http-message-signatures-directory.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §7.1"
        },
        {
          "check": "content_type",
          "grade": "pass",
          "detail": "Content-Type is application/http-message-signatures-directory+json.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5"
        },
        {
          "check": "json_parse",
          "grade": "pass",
          "detail": "Body is valid JSON.",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "keys_present",
          "grade": "pass",
          "detail": "Directory publishes 2 key(s).",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "kty_okp",
          "grade": "pass",
          "detail": "All keys use key type \"OKP\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "crv_ed25519",
          "grade": "pass",
          "detail": "All keys use curve \"Ed25519\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "x_valid",
          "grade": "pass",
          "detail": "All public keys are valid 32-byte Ed25519 values.",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        },
        {
          "check": "thumbprint_kid",
          "grade": "pass",
          "detail": "All key IDs match their RFC 7638 thumbprint (a fingerprint of the key).",
          "authority": "linter-opinion",
          "specRef": "RFC 7638"
        },
        {
          "check": "unique_kids",
          "grade": "pass",
          "detail": "All key IDs are distinct.",
          "authority": "spec-should",
          "specRef": "RFC 7517 §4.5"
        },
        {
          "check": "cache_control",
          "grade": "warn",
          "detail": "No Cache-Control header. Add one so verifiers can cache the directory instead of refetching every time.",
          "authority": "linter-opinion"
        },
        {
          "check": "nbf_hygiene",
          "grade": "fail",
          "detail": "No key is usable yet — every key's not-before time is in the future: 3vKgyEtYsNMyY8M-CDk8_HzkuZO22aLy_LlHEjtT3WI, Pav1sqEdDlQ9qYyCUqV7J5oT3Eh2aTabW5-Ii6OCHT0.",
          "authority": "spec-should",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "exp_hygiene",
          "grade": "pass",
          "detail": "No key is expired or expiring within 14 days.",
          "authority": "linter-opinion",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "response_signature",
          "grade": "pass",
          "detail": "The directory response carries an HTTP-message signature.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_keyid_thumbprint",
          "grade": "pass",
          "detail": "The signature key ID is the RFC 7638 thumbprint (fingerprint) of a key advertised in this directory.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_tag",
          "grade": "pass",
          "detail": "The signature tag is \"http-message-signatures-directory\".",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_verified",
          "grade": "pass",
          "detail": "The directory-response signature is cryptographically valid (Ed25519).",
          "authority": "verifier-requirement",
          "specRef": "RFC 9421 §3.2"
        },
        {
          "check": "private_key_material",
          "grade": "pass",
          "detail": "No private key material is exposed (public keys only).",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        }
      ],
      "keys": [
        {
          "kid": "3vKgyEtYsNMyY8M-CDk8_HzkuZO22aLy_LlHEjtT3WI",
          "crv": "Ed25519",
          "kty": "OKP",
          "daysToExpiry": null,
          "thumbprintMatches": true
        },
        {
          "kid": "Pav1sqEdDlQ9qYyCUqV7J5oT3Eh2aTabW5-Ii6OCHT0",
          "crv": "Ed25519",
          "kty": "OKP",
          "daysToExpiry": null,
          "thumbprintMatches": true
        }
      ]
    },
    {
      "slug": "novellum-ai-crawl",
      "name": "Novellum AI Crawl",
      "operator": "Novellum",
      "kind": "BOT",
      "category": "AI_CRAWLER",
      "signatureAgentUrl": "https://crawl.corp.novellum.ai/.well-known/http-message-signatures-directory",
      "fetchOk": true,
      "httpStatus": 404,
      "attempts": 1,
      "transientErrors": [],
      "grade": "fail",
      "warnCount": 1,
      "failCount": 2,
      "findings": [
        {
          "check": "https",
          "grade": "pass",
          "detail": "Served over HTTPS.",
          "authority": "verifier-requirement"
        },
        {
          "check": "reachable",
          "grade": "fail",
          "detail": "Returned HTTP 404, not 200.",
          "authority": "verifier-requirement"
        },
        {
          "check": "not_redirected",
          "grade": "pass",
          "detail": "Served directly, no redirect.",
          "authority": "linter-opinion"
        },
        {
          "check": "well_known_path",
          "grade": "pass",
          "detail": "Served at the well-known path /.well-known/http-message-signatures-directory.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §7.1"
        },
        {
          "check": "content_type",
          "grade": "warn",
          "detail": "The directory draft requires (MUST) Content-Type application/http-message-signatures-directory+json; served as text/html.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5"
        },
        {
          "check": "json_parse",
          "grade": "fail",
          "detail": "The response body is not valid JSON.",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        }
      ],
      "keys": []
    },
    {
      "slug": "onticabot-2",
      "name": "OnticaBot",
      "operator": "Ontica Pty Ltd",
      "kind": "BOT",
      "category": "SOCIAL_MEDIA_MARKETING",
      "signatureAgentUrl": "https://ontica.com.au/.well-known/http-message-signatures-directory",
      "fetchOk": true,
      "httpStatus": 200,
      "attempts": 1,
      "transientErrors": [],
      "grade": "pass_warn",
      "warnCount": 1,
      "failCount": 0,
      "findings": [
        {
          "check": "https",
          "grade": "pass",
          "detail": "Served over HTTPS.",
          "authority": "verifier-requirement"
        },
        {
          "check": "reachable",
          "grade": "pass",
          "detail": "Returned HTTP 200.",
          "authority": "verifier-requirement"
        },
        {
          "check": "not_redirected",
          "grade": "pass",
          "detail": "Served directly, no redirect.",
          "authority": "linter-opinion"
        },
        {
          "check": "well_known_path",
          "grade": "pass",
          "detail": "Served at the well-known path /.well-known/http-message-signatures-directory.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §7.1"
        },
        {
          "check": "content_type",
          "grade": "pass",
          "detail": "Content-Type is application/http-message-signatures-directory+json.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5"
        },
        {
          "check": "json_parse",
          "grade": "pass",
          "detail": "Body is valid JSON.",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "keys_present",
          "grade": "pass",
          "detail": "Directory publishes 1 key(s).",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "kty_okp",
          "grade": "pass",
          "detail": "All keys use key type \"OKP\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "crv_ed25519",
          "grade": "pass",
          "detail": "All keys use curve \"Ed25519\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "x_valid",
          "grade": "pass",
          "detail": "All public keys are valid 32-byte Ed25519 values.",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        },
        {
          "check": "thumbprint_kid",
          "grade": "pass",
          "detail": "All key IDs match their RFC 7638 thumbprint (a fingerprint of the key).",
          "authority": "linter-opinion",
          "specRef": "RFC 7638"
        },
        {
          "check": "unique_kids",
          "grade": "pass",
          "detail": "All key IDs are distinct.",
          "authority": "spec-should",
          "specRef": "RFC 7517 §4.5"
        },
        {
          "check": "cache_control",
          "grade": "warn",
          "detail": "Cache-Control \"private\" has no positive max-age. Add one so verifiers can cache the directory.",
          "authority": "linter-opinion"
        },
        {
          "check": "nbf_hygiene",
          "grade": "pass",
          "detail": "No key has a future not-before time.",
          "authority": "spec-should",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "exp_hygiene",
          "grade": "pass",
          "detail": "No key is expired or expiring within 14 days.",
          "authority": "linter-opinion",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "response_signature",
          "grade": "pass",
          "detail": "The directory response carries an HTTP-message signature.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_keyid_thumbprint",
          "grade": "pass",
          "detail": "The signature key ID is the RFC 7638 thumbprint (fingerprint) of a key advertised in this directory.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_tag",
          "grade": "pass",
          "detail": "The signature tag is \"http-message-signatures-directory\".",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_verified",
          "grade": "pass",
          "detail": "The directory-response signature is cryptographically valid (Ed25519).",
          "authority": "verifier-requirement",
          "specRef": "RFC 9421 §3.2"
        },
        {
          "check": "private_key_material",
          "grade": "pass",
          "detail": "No private key material is exposed (public keys only).",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        }
      ],
      "keys": [
        {
          "kid": "vFgzvIohSrTxRtF9VyH44rSMkEVTJhMLUn4fsmbKpX4",
          "crv": "Ed25519",
          "kty": "OKP",
          "daysToExpiry": null,
          "thumbprintMatches": true
        }
      ]
    },
    {
      "slug": "panachebot",
      "name": "PanacheBot",
      "operator": "Panache",
      "kind": "BOT",
      "category": "MONITORING_AND_ANALYTICS",
      "signatureAgentUrl": "https://withpanache.dev/.well-known/http-message-signatures-directory",
      "fetchOk": true,
      "httpStatus": 200,
      "attempts": 1,
      "transientErrors": [],
      "grade": "pass_warn",
      "warnCount": 1,
      "failCount": 0,
      "findings": [
        {
          "check": "https",
          "grade": "pass",
          "detail": "Served over HTTPS.",
          "authority": "verifier-requirement"
        },
        {
          "check": "reachable",
          "grade": "pass",
          "detail": "Returned HTTP 200.",
          "authority": "verifier-requirement"
        },
        {
          "check": "not_redirected",
          "grade": "pass",
          "detail": "Served directly, no redirect.",
          "authority": "linter-opinion"
        },
        {
          "check": "well_known_path",
          "grade": "pass",
          "detail": "Served at the well-known path /.well-known/http-message-signatures-directory.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §7.1"
        },
        {
          "check": "content_type",
          "grade": "pass",
          "detail": "Content-Type is application/http-message-signatures-directory+json.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5"
        },
        {
          "check": "json_parse",
          "grade": "pass",
          "detail": "Body is valid JSON.",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "keys_present",
          "grade": "pass",
          "detail": "Directory publishes 1 key(s).",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "kty_okp",
          "grade": "pass",
          "detail": "All keys use key type \"OKP\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "crv_ed25519",
          "grade": "pass",
          "detail": "All keys use curve \"Ed25519\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "x_valid",
          "grade": "pass",
          "detail": "All public keys are valid 32-byte Ed25519 values.",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        },
        {
          "check": "thumbprint_kid",
          "grade": "pass",
          "detail": "All key IDs match their RFC 7638 thumbprint (a fingerprint of the key).",
          "authority": "linter-opinion",
          "specRef": "RFC 7638"
        },
        {
          "check": "unique_kids",
          "grade": "pass",
          "detail": "All key IDs are distinct.",
          "authority": "spec-should",
          "specRef": "RFC 7517 §4.5"
        },
        {
          "check": "cache_control",
          "grade": "pass",
          "detail": "Cache-Control is set (public, max-age=86400).",
          "authority": "linter-opinion"
        },
        {
          "check": "nbf_hygiene",
          "grade": "pass",
          "detail": "No key has a future not-before time.",
          "authority": "spec-should",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "exp_hygiene",
          "grade": "pass",
          "detail": "No key is expired or expiring within 14 days.",
          "authority": "linter-opinion",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "response_signature",
          "grade": "warn",
          "detail": "The directory response is not signed (no Signature header). Cloudflare, the dominant verifier, requires a signature on the directory response. Sign it, or an unsigned directory will be rejected.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "private_key_material",
          "grade": "pass",
          "detail": "No private key material is exposed (public keys only).",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        }
      ],
      "keys": [
        {
          "kid": "OkCxNiGYQIhlKwFyqcDOmH9WsiiBZcsEVOiz9zqE1r4",
          "crv": "Ed25519",
          "kty": "OKP",
          "daysToExpiry": null,
          "thumbprintMatches": true
        }
      ]
    },
    {
      "slug": "particlenewsbot",
      "name": "ParticleNewsBot",
      "operator": null,
      "kind": "BOT",
      "category": "AGGREGATOR",
      "signatureAgentUrl": "https://api.minalabs.io/.well-known/http-message-signatures-directory",
      "fetchOk": true,
      "httpStatus": 200,
      "attempts": 1,
      "transientErrors": [],
      "grade": "pass_warn",
      "warnCount": 2,
      "failCount": 0,
      "findings": [
        {
          "check": "https",
          "grade": "pass",
          "detail": "Served over HTTPS.",
          "authority": "verifier-requirement"
        },
        {
          "check": "reachable",
          "grade": "pass",
          "detail": "Returned HTTP 200.",
          "authority": "verifier-requirement"
        },
        {
          "check": "not_redirected",
          "grade": "pass",
          "detail": "Served directly, no redirect.",
          "authority": "linter-opinion"
        },
        {
          "check": "well_known_path",
          "grade": "pass",
          "detail": "Served at the well-known path /.well-known/http-message-signatures-directory.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §7.1"
        },
        {
          "check": "content_type",
          "grade": "pass",
          "detail": "Content-Type is application/http-message-signatures-directory+json.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5"
        },
        {
          "check": "json_parse",
          "grade": "pass",
          "detail": "Body is valid JSON.",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "keys_present",
          "grade": "pass",
          "detail": "Directory publishes 1 key(s).",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "kty_okp",
          "grade": "pass",
          "detail": "All keys use key type \"OKP\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "crv_ed25519",
          "grade": "pass",
          "detail": "All keys use curve \"Ed25519\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "x_valid",
          "grade": "pass",
          "detail": "All public keys are valid 32-byte Ed25519 values.",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        },
        {
          "check": "thumbprint_kid",
          "grade": "warn",
          "detail": "Key ID is not the RFC 7638 thumbprint of the key (a fingerprint some verifiers expect the kid to equal); still valid, some verifiers use opaque IDs: key #1.",
          "authority": "linter-opinion",
          "specRef": "RFC 7638"
        },
        {
          "check": "unique_kids",
          "grade": "pass",
          "detail": "All key IDs are distinct.",
          "authority": "spec-should",
          "specRef": "RFC 7517 §4.5"
        },
        {
          "check": "cache_control",
          "grade": "warn",
          "detail": "No Cache-Control header. Add one so verifiers can cache the directory instead of refetching every time.",
          "authority": "linter-opinion"
        },
        {
          "check": "nbf_hygiene",
          "grade": "pass",
          "detail": "No key has a future not-before time.",
          "authority": "spec-should",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "exp_hygiene",
          "grade": "pass",
          "detail": "No key is expired or expiring within 14 days.",
          "authority": "linter-opinion",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "response_signature",
          "grade": "pass",
          "detail": "The directory response carries an HTTP-message signature.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_keyid_thumbprint",
          "grade": "pass",
          "detail": "The signature key ID is the RFC 7638 thumbprint (fingerprint) of a key advertised in this directory.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_tag",
          "grade": "pass",
          "detail": "The signature tag is \"http-message-signatures-directory\".",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_verified",
          "grade": "pass",
          "detail": "The directory-response signature is cryptographically valid (Ed25519).",
          "authority": "verifier-requirement",
          "specRef": "RFC 9421 §3.2"
        },
        {
          "check": "private_key_material",
          "grade": "pass",
          "detail": "No private key material is exposed (public keys only).",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        }
      ],
      "keys": [
        {
          "kid": null,
          "crv": "Ed25519",
          "kty": "OKP",
          "daysToExpiry": null,
          "thumbprintMatches": false
        }
      ]
    },
    {
      "slug": "payhawk-invoice-fetching-bot",
      "name": "Payhawk Invoice Fetching Agent",
      "operator": "Payhawk",
      "kind": "AGENT",
      "category": "AI_ASSISTANT",
      "signatureAgentUrl": "https://external-bot.payhawk.com/.well-known/http-message-signatures-directory",
      "fetchOk": true,
      "httpStatus": 200,
      "attempts": 1,
      "transientErrors": [],
      "grade": "pass",
      "warnCount": 0,
      "failCount": 0,
      "findings": [
        {
          "check": "https",
          "grade": "pass",
          "detail": "Served over HTTPS.",
          "authority": "verifier-requirement"
        },
        {
          "check": "reachable",
          "grade": "pass",
          "detail": "Returned HTTP 200.",
          "authority": "verifier-requirement"
        },
        {
          "check": "not_redirected",
          "grade": "pass",
          "detail": "Served directly, no redirect.",
          "authority": "linter-opinion"
        },
        {
          "check": "well_known_path",
          "grade": "pass",
          "detail": "Served at the well-known path /.well-known/http-message-signatures-directory.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §7.1"
        },
        {
          "check": "content_type",
          "grade": "pass",
          "detail": "Content-Type is application/http-message-signatures-directory+json.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5"
        },
        {
          "check": "json_parse",
          "grade": "pass",
          "detail": "Body is valid JSON.",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "keys_present",
          "grade": "pass",
          "detail": "Directory publishes 1 key(s).",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "kty_okp",
          "grade": "pass",
          "detail": "All keys use key type \"OKP\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "crv_ed25519",
          "grade": "pass",
          "detail": "All keys use curve \"Ed25519\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "x_valid",
          "grade": "pass",
          "detail": "All public keys are valid 32-byte Ed25519 values.",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        },
        {
          "check": "thumbprint_kid",
          "grade": "pass",
          "detail": "All key IDs match their RFC 7638 thumbprint (a fingerprint of the key).",
          "authority": "linter-opinion",
          "specRef": "RFC 7638"
        },
        {
          "check": "unique_kids",
          "grade": "pass",
          "detail": "All key IDs are distinct.",
          "authority": "spec-should",
          "specRef": "RFC 7517 §4.5"
        },
        {
          "check": "cache_control",
          "grade": "pass",
          "detail": "Cache-Control is set (public,max-age=86400).",
          "authority": "linter-opinion"
        },
        {
          "check": "nbf_hygiene",
          "grade": "pass",
          "detail": "No key has a future not-before time.",
          "authority": "spec-should",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "exp_hygiene",
          "grade": "pass",
          "detail": "No key is expired or expiring within 14 days.",
          "authority": "linter-opinion",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "response_signature",
          "grade": "pass",
          "detail": "The directory response carries an HTTP-message signature.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_keyid_thumbprint",
          "grade": "pass",
          "detail": "The signature key ID is the RFC 7638 thumbprint (fingerprint) of a key advertised in this directory.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_tag",
          "grade": "pass",
          "detail": "The signature tag is \"http-message-signatures-directory\".",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_verified",
          "grade": "pass",
          "detail": "The directory-response signature is cryptographically valid (Ed25519).",
          "authority": "verifier-requirement",
          "specRef": "RFC 9421 §3.2"
        },
        {
          "check": "private_key_material",
          "grade": "pass",
          "detail": "No private key material is exposed (public keys only).",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        }
      ],
      "keys": [
        {
          "kid": "kB3PTzPKNP0DIEkjhP0hGYT7YrwHHzCC9e5fEu07G70",
          "crv": "Ed25519",
          "kty": "OKP",
          "daysToExpiry": null,
          "thumbprintMatches": true
        }
      ]
    },
    {
      "slug": "payroll-bot",
      "name": "payroll-bot",
      "operator": "ADP",
      "kind": "BOT",
      "category": "AI_CRAWLER",
      "signatureAgentUrl": "https://payroll-bot.adp.com/.well-known/http-message-signatures-directory",
      "fetchOk": true,
      "httpStatus": 200,
      "attempts": 1,
      "transientErrors": [],
      "grade": "pass_warn",
      "warnCount": 1,
      "failCount": 0,
      "findings": [
        {
          "check": "https",
          "grade": "pass",
          "detail": "Served over HTTPS.",
          "authority": "verifier-requirement"
        },
        {
          "check": "reachable",
          "grade": "pass",
          "detail": "Returned HTTP 200.",
          "authority": "verifier-requirement"
        },
        {
          "check": "not_redirected",
          "grade": "pass",
          "detail": "Served directly, no redirect.",
          "authority": "linter-opinion"
        },
        {
          "check": "well_known_path",
          "grade": "pass",
          "detail": "Served at the well-known path /.well-known/http-message-signatures-directory.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §7.1"
        },
        {
          "check": "content_type",
          "grade": "pass",
          "detail": "Content-Type is application/http-message-signatures-directory+json.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5"
        },
        {
          "check": "json_parse",
          "grade": "pass",
          "detail": "Body is valid JSON.",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "keys_present",
          "grade": "pass",
          "detail": "Directory publishes 1 key(s).",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "kty_okp",
          "grade": "pass",
          "detail": "All keys use key type \"OKP\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "crv_ed25519",
          "grade": "pass",
          "detail": "All keys use curve \"Ed25519\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "x_valid",
          "grade": "pass",
          "detail": "All public keys are valid 32-byte Ed25519 values.",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        },
        {
          "check": "thumbprint_kid",
          "grade": "warn",
          "detail": "Key ID is not the RFC 7638 thumbprint of the key (a fingerprint some verifiers expect the kid to equal); still valid, some verifiers use opaque IDs: key #1.",
          "authority": "linter-opinion",
          "specRef": "RFC 7638"
        },
        {
          "check": "unique_kids",
          "grade": "pass",
          "detail": "All key IDs are distinct.",
          "authority": "spec-should",
          "specRef": "RFC 7517 §4.5"
        },
        {
          "check": "cache_control",
          "grade": "pass",
          "detail": "Cache-Control is set (max-age=86400).",
          "authority": "linter-opinion"
        },
        {
          "check": "nbf_hygiene",
          "grade": "pass",
          "detail": "No key has a future not-before time.",
          "authority": "spec-should",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "exp_hygiene",
          "grade": "pass",
          "detail": "No key is expired or expiring within 14 days.",
          "authority": "linter-opinion",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "response_signature",
          "grade": "pass",
          "detail": "The directory response carries an HTTP-message signature.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_keyid_thumbprint",
          "grade": "pass",
          "detail": "The signature key ID is the RFC 7638 thumbprint (fingerprint) of a key advertised in this directory.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_tag",
          "grade": "pass",
          "detail": "The signature tag is \"http-message-signatures-directory\".",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_verified",
          "grade": "pass",
          "detail": "The directory-response signature is cryptographically valid (Ed25519).",
          "authority": "verifier-requirement",
          "specRef": "RFC 9421 §3.2"
        },
        {
          "check": "private_key_material",
          "grade": "pass",
          "detail": "No private key material is exposed (public keys only).",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        }
      ],
      "keys": [
        {
          "kid": null,
          "crv": "Ed25519",
          "kty": "OKP",
          "daysToExpiry": null,
          "thumbprintMatches": false
        }
      ]
    },
    {
      "slug": "platebreaker",
      "name": "Platebreaker",
      "operator": "Platebreaker",
      "kind": "BOT",
      "category": "SEARCH_ENGINE_CRAWLER",
      "signatureAgentUrl": "https://www.platebreaker.com/.well-known/http-message-signatures-directory",
      "fetchOk": true,
      "httpStatus": 200,
      "attempts": 1,
      "transientErrors": [],
      "grade": "pass_warn",
      "warnCount": 3,
      "failCount": 0,
      "findings": [
        {
          "check": "https",
          "grade": "pass",
          "detail": "Served over HTTPS.",
          "authority": "verifier-requirement"
        },
        {
          "check": "reachable",
          "grade": "pass",
          "detail": "Returned HTTP 200.",
          "authority": "verifier-requirement"
        },
        {
          "check": "not_redirected",
          "grade": "pass",
          "detail": "Served directly, no redirect.",
          "authority": "linter-opinion"
        },
        {
          "check": "well_known_path",
          "grade": "pass",
          "detail": "Served at the well-known path /.well-known/http-message-signatures-directory.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §7.1"
        },
        {
          "check": "content_type",
          "grade": "warn",
          "detail": "The directory draft requires (MUST) Content-Type application/http-message-signatures-directory+json; served as binary/octet-stream.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5"
        },
        {
          "check": "json_parse",
          "grade": "pass",
          "detail": "Body is valid JSON.",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "keys_present",
          "grade": "pass",
          "detail": "Directory publishes 1 key(s).",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "kty_okp",
          "grade": "pass",
          "detail": "All keys use key type \"OKP\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "crv_ed25519",
          "grade": "pass",
          "detail": "All keys use curve \"Ed25519\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "x_valid",
          "grade": "pass",
          "detail": "All public keys are valid 32-byte Ed25519 values.",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        },
        {
          "check": "thumbprint_kid",
          "grade": "warn",
          "detail": "Key ID is not the RFC 7638 thumbprint of the key (a fingerprint some verifiers expect the kid to equal); still valid, some verifiers use opaque IDs: platebreaker-bot-v1.",
          "authority": "linter-opinion",
          "specRef": "RFC 7638"
        },
        {
          "check": "unique_kids",
          "grade": "pass",
          "detail": "All key IDs are distinct.",
          "authority": "spec-should",
          "specRef": "RFC 7517 §4.5"
        },
        {
          "check": "cache_control",
          "grade": "pass",
          "detail": "Cache-Control is set (public,max-age=31536000,immutable).",
          "authority": "linter-opinion"
        },
        {
          "check": "nbf_hygiene",
          "grade": "pass",
          "detail": "No key has a future not-before time.",
          "authority": "spec-should",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "exp_hygiene",
          "grade": "pass",
          "detail": "No key is expired or expiring within 14 days.",
          "authority": "linter-opinion",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "response_signature",
          "grade": "warn",
          "detail": "The directory response is not signed (no Signature header). Cloudflare, the dominant verifier, requires a signature on the directory response. Sign it, or an unsigned directory will be rejected.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "private_key_material",
          "grade": "pass",
          "detail": "No private key material is exposed (public keys only).",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        }
      ],
      "keys": [
        {
          "kid": "platebreaker-bot-v1",
          "crv": "Ed25519",
          "kty": "OKP",
          "daysToExpiry": null,
          "thumbprintMatches": false
        }
      ]
    },
    {
      "slug": "playpatrol",
      "name": "Playpatrol",
      "operator": "CreateIT",
      "kind": "BOT",
      "category": "MONITORING_AND_ANALYTICS",
      "signatureAgentUrl": "https://cf.playpatrol.app/.well-known/http-message-signatures-directory",
      "fetchOk": true,
      "httpStatus": 200,
      "attempts": 1,
      "transientErrors": [],
      "grade": "pass_warn",
      "warnCount": 1,
      "failCount": 0,
      "findings": [
        {
          "check": "https",
          "grade": "pass",
          "detail": "Served over HTTPS.",
          "authority": "verifier-requirement"
        },
        {
          "check": "reachable",
          "grade": "pass",
          "detail": "Returned HTTP 200.",
          "authority": "verifier-requirement"
        },
        {
          "check": "not_redirected",
          "grade": "pass",
          "detail": "Served directly, no redirect.",
          "authority": "linter-opinion"
        },
        {
          "check": "well_known_path",
          "grade": "pass",
          "detail": "Served at the well-known path /.well-known/http-message-signatures-directory.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §7.1"
        },
        {
          "check": "content_type",
          "grade": "pass",
          "detail": "Content-Type is application/http-message-signatures-directory+json.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5"
        },
        {
          "check": "json_parse",
          "grade": "pass",
          "detail": "Body is valid JSON.",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "keys_present",
          "grade": "pass",
          "detail": "Directory publishes 1 key(s).",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "kty_okp",
          "grade": "pass",
          "detail": "All keys use key type \"OKP\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "crv_ed25519",
          "grade": "pass",
          "detail": "All keys use curve \"Ed25519\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "x_valid",
          "grade": "pass",
          "detail": "All public keys are valid 32-byte Ed25519 values.",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        },
        {
          "check": "thumbprint_kid",
          "grade": "warn",
          "detail": "Key ID is not the RFC 7638 thumbprint of the key (a fingerprint some verifiers expect the kid to equal); still valid, some verifiers use opaque IDs: key #1.",
          "authority": "linter-opinion",
          "specRef": "RFC 7638"
        },
        {
          "check": "unique_kids",
          "grade": "pass",
          "detail": "All key IDs are distinct.",
          "authority": "spec-should",
          "specRef": "RFC 7517 §4.5"
        },
        {
          "check": "cache_control",
          "grade": "pass",
          "detail": "Cache-Control is set (max-age=60).",
          "authority": "linter-opinion"
        },
        {
          "check": "nbf_hygiene",
          "grade": "pass",
          "detail": "No key has a future not-before time.",
          "authority": "spec-should",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "exp_hygiene",
          "grade": "pass",
          "detail": "No key is expired or expiring within 14 days.",
          "authority": "linter-opinion",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "response_signature",
          "grade": "pass",
          "detail": "The directory response carries an HTTP-message signature.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_keyid_thumbprint",
          "grade": "pass",
          "detail": "The signature key ID is the RFC 7638 thumbprint (fingerprint) of a key advertised in this directory.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_tag",
          "grade": "pass",
          "detail": "The signature tag is \"http-message-signatures-directory\".",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_verified",
          "grade": "pass",
          "detail": "The directory-response signature is cryptographically valid (Ed25519).",
          "authority": "verifier-requirement",
          "specRef": "RFC 9421 §3.2"
        },
        {
          "check": "private_key_material",
          "grade": "pass",
          "detail": "No private key material is exposed (public keys only).",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        }
      ],
      "keys": [
        {
          "kid": null,
          "crv": "Ed25519",
          "kty": "OKP",
          "daysToExpiry": null,
          "thumbprintMatches": false
        }
      ]
    },
    {
      "slug": "pricey",
      "name": "Pricey",
      "operator": "Wilico",
      "kind": "AGENT",
      "category": "AGGREGATOR",
      "signatureAgentUrl": "https://web-bot-auth-keys.wilico-ppc-bot.workers.dev/.well-known/http-message-signatures-directory",
      "fetchOk": true,
      "httpStatus": 200,
      "attempts": 1,
      "transientErrors": [],
      "grade": "pass_warn",
      "warnCount": 3,
      "failCount": 0,
      "findings": [
        {
          "check": "https",
          "grade": "pass",
          "detail": "Served over HTTPS.",
          "authority": "verifier-requirement"
        },
        {
          "check": "reachable",
          "grade": "pass",
          "detail": "Returned HTTP 200.",
          "authority": "verifier-requirement"
        },
        {
          "check": "not_redirected",
          "grade": "pass",
          "detail": "Served directly, no redirect.",
          "authority": "linter-opinion"
        },
        {
          "check": "well_known_path",
          "grade": "pass",
          "detail": "Served at the well-known path /.well-known/http-message-signatures-directory.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §7.1"
        },
        {
          "check": "content_type",
          "grade": "warn",
          "detail": "The directory draft requires (MUST) Content-Type application/http-message-signatures-directory+json; served as application/json.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5"
        },
        {
          "check": "json_parse",
          "grade": "pass",
          "detail": "Body is valid JSON.",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "keys_present",
          "grade": "pass",
          "detail": "Directory publishes 1 key(s).",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "kty_okp",
          "grade": "pass",
          "detail": "All keys use key type \"OKP\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "crv_ed25519",
          "grade": "pass",
          "detail": "All keys use curve \"Ed25519\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "x_valid",
          "grade": "pass",
          "detail": "All public keys are valid 32-byte Ed25519 values.",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        },
        {
          "check": "thumbprint_kid",
          "grade": "warn",
          "detail": "Key ID is not the RFC 7638 thumbprint of the key (a fingerprint some verifiers expect the kid to equal); still valid, some verifiers use opaque IDs: web-bot-auth-key-1.",
          "authority": "linter-opinion",
          "specRef": "RFC 7638"
        },
        {
          "check": "unique_kids",
          "grade": "pass",
          "detail": "All key IDs are distinct.",
          "authority": "spec-should",
          "specRef": "RFC 7517 §4.5"
        },
        {
          "check": "cache_control",
          "grade": "pass",
          "detail": "Cache-Control is set (public, max-age=3600).",
          "authority": "linter-opinion"
        },
        {
          "check": "nbf_hygiene",
          "grade": "pass",
          "detail": "No key has a future not-before time.",
          "authority": "spec-should",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "exp_hygiene",
          "grade": "pass",
          "detail": "No key is expired or expiring within 14 days.",
          "authority": "linter-opinion",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "response_signature",
          "grade": "warn",
          "detail": "The directory response is not signed (no Signature header). Cloudflare, the dominant verifier, requires a signature on the directory response. Sign it, or an unsigned directory will be rejected.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "private_key_material",
          "grade": "pass",
          "detail": "No private key material is exposed (public keys only).",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        }
      ],
      "keys": [
        {
          "kid": "web-bot-auth-key-1",
          "crv": "Ed25519",
          "kty": "OKP",
          "daysToExpiry": null,
          "thumbprintMatches": false
        }
      ]
    },
    {
      "slug": "pureconsentbot",
      "name": "PureConsentBot",
      "operator": "PureConsent",
      "kind": "BOT",
      "category": "MONITORING_AND_ANALYTICS",
      "signatureAgentUrl": "https://pureconsent.com/.well-known/http-message-signatures-directory",
      "fetchOk": true,
      "httpStatus": 200,
      "attempts": 1,
      "transientErrors": [],
      "grade": "fail",
      "warnCount": 3,
      "failCount": 1,
      "findings": [
        {
          "check": "https",
          "grade": "pass",
          "detail": "Served over HTTPS.",
          "authority": "verifier-requirement"
        },
        {
          "check": "reachable",
          "grade": "pass",
          "detail": "Returned HTTP 200.",
          "authority": "verifier-requirement"
        },
        {
          "check": "not_redirected",
          "grade": "warn",
          "detail": "The directory was reached via a redirect; it should be served directly at the well-known path.",
          "authority": "linter-opinion"
        },
        {
          "check": "well_known_path",
          "grade": "warn",
          "detail": "Served at /cdn-cgi/access/login/pureconsent.com. Cloudflare, the dominant verifier, fetches /.well-known/http-message-signatures-directory unless another location is advertised via a Signature-Agent header. Move it there or advertise it.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §7.1"
        },
        {
          "check": "content_type",
          "grade": "warn",
          "detail": "The directory draft requires (MUST) Content-Type application/http-message-signatures-directory+json; served as text/html.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5"
        },
        {
          "check": "json_parse",
          "grade": "fail",
          "detail": "The response body is not valid JSON.",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        }
      ],
      "keys": []
    },
    {
      "slug": "qatechbot",
      "name": "QAtechBot",
      "operator": "QA.tech",
      "kind": "BOT",
      "category": "AI_ASSISTANT",
      "signatureAgentUrl": "https://app.bugduck.tech/.well-known/http-message-signatures-directory",
      "fetchOk": true,
      "httpStatus": 200,
      "attempts": 1,
      "transientErrors": [],
      "grade": "pass_warn",
      "warnCount": 1,
      "failCount": 0,
      "findings": [
        {
          "check": "https",
          "grade": "pass",
          "detail": "Served over HTTPS.",
          "authority": "verifier-requirement"
        },
        {
          "check": "reachable",
          "grade": "pass",
          "detail": "Returned HTTP 200.",
          "authority": "verifier-requirement"
        },
        {
          "check": "not_redirected",
          "grade": "pass",
          "detail": "Served directly, no redirect.",
          "authority": "linter-opinion"
        },
        {
          "check": "well_known_path",
          "grade": "pass",
          "detail": "Served at the well-known path /.well-known/http-message-signatures-directory.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §7.1"
        },
        {
          "check": "content_type",
          "grade": "pass",
          "detail": "Content-Type is application/http-message-signatures-directory+json.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5"
        },
        {
          "check": "json_parse",
          "grade": "pass",
          "detail": "Body is valid JSON.",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "keys_present",
          "grade": "pass",
          "detail": "Directory publishes 1 key(s).",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "kty_okp",
          "grade": "pass",
          "detail": "All keys use key type \"OKP\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "crv_ed25519",
          "grade": "pass",
          "detail": "All keys use curve \"Ed25519\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "x_valid",
          "grade": "pass",
          "detail": "All public keys are valid 32-byte Ed25519 values.",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        },
        {
          "check": "thumbprint_kid",
          "grade": "warn",
          "detail": "Key ID is not the RFC 7638 thumbprint of the key (a fingerprint some verifiers expect the kid to equal); still valid, some verifiers use opaque IDs: key #1.",
          "authority": "linter-opinion",
          "specRef": "RFC 7638"
        },
        {
          "check": "unique_kids",
          "grade": "pass",
          "detail": "All key IDs are distinct.",
          "authority": "spec-should",
          "specRef": "RFC 7517 §4.5"
        },
        {
          "check": "cache_control",
          "grade": "pass",
          "detail": "Cache-Control is set (public, max-age=86400).",
          "authority": "linter-opinion"
        },
        {
          "check": "nbf_hygiene",
          "grade": "pass",
          "detail": "No key has a future not-before time.",
          "authority": "spec-should",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "exp_hygiene",
          "grade": "pass",
          "detail": "No key is expired or expiring within 14 days.",
          "authority": "linter-opinion",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "response_signature",
          "grade": "pass",
          "detail": "The directory response carries an HTTP-message signature.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_keyid_thumbprint",
          "grade": "pass",
          "detail": "The signature key ID is the RFC 7638 thumbprint (fingerprint) of a key advertised in this directory.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_tag",
          "grade": "pass",
          "detail": "The signature tag is \"http-message-signatures-directory\".",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_verified",
          "grade": "pass",
          "detail": "The directory-response signature is cryptographically valid (Ed25519).",
          "authority": "verifier-requirement",
          "specRef": "RFC 9421 §3.2"
        },
        {
          "check": "private_key_material",
          "grade": "pass",
          "detail": "No private key material is exposed (public keys only).",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        }
      ],
      "keys": [
        {
          "kid": null,
          "crv": "Ed25519",
          "kty": "OKP",
          "daysToExpiry": null,
          "thumbprintMatches": false
        }
      ]
    },
    {
      "slug": "quartr-crawler",
      "name": "Quartr Crawler",
      "operator": "Quartr",
      "kind": "BOT",
      "category": "AGGREGATOR",
      "signatureAgentUrl": "https://crawler.prod.quartr.cloud/.well-known/http-message-signatures-directory",
      "fetchOk": false,
      "httpStatus": null,
      "attempts": 3,
      "transientErrors": [
        "attempt 1: UND_ERR_CONNECT_TIMEOUT: fetch failed",
        "attempt 2: UND_ERR_CONNECT_TIMEOUT: fetch failed",
        "attempt 3: UND_ERR_CONNECT_TIMEOUT: fetch failed"
      ],
      "grade": "fetch_error",
      "warnCount": 0,
      "failCount": 0,
      "findings": [],
      "keys": []
    },
    {
      "slug": "redactus-web-classifier",
      "name": "Redactus Web Classifier",
      "operator": "Redactus",
      "kind": "AGENT",
      "category": "SECURITY",
      "signatureAgentUrl": "https://bot.redactus.co.uk/.well-known/http-message-signatures-directory",
      "fetchOk": true,
      "httpStatus": 200,
      "attempts": 1,
      "transientErrors": [],
      "grade": "pass_warn",
      "warnCount": 2,
      "failCount": 0,
      "findings": [
        {
          "check": "https",
          "grade": "pass",
          "detail": "Served over HTTPS.",
          "authority": "verifier-requirement"
        },
        {
          "check": "reachable",
          "grade": "pass",
          "detail": "Returned HTTP 200.",
          "authority": "verifier-requirement"
        },
        {
          "check": "not_redirected",
          "grade": "pass",
          "detail": "Served directly, no redirect.",
          "authority": "linter-opinion"
        },
        {
          "check": "well_known_path",
          "grade": "pass",
          "detail": "Served at the well-known path /.well-known/http-message-signatures-directory.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §7.1"
        },
        {
          "check": "content_type",
          "grade": "warn",
          "detail": "The directory draft requires (MUST) Content-Type application/http-message-signatures-directory+json; served as application/json.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5"
        },
        {
          "check": "json_parse",
          "grade": "pass",
          "detail": "Body is valid JSON.",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "keys_present",
          "grade": "pass",
          "detail": "Directory publishes 1 key(s).",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "kty_okp",
          "grade": "pass",
          "detail": "All keys use key type \"OKP\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "crv_ed25519",
          "grade": "pass",
          "detail": "All keys use curve \"Ed25519\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "x_valid",
          "grade": "pass",
          "detail": "All public keys are valid 32-byte Ed25519 values.",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        },
        {
          "check": "thumbprint_kid",
          "grade": "pass",
          "detail": "All key IDs match their RFC 7638 thumbprint (a fingerprint of the key).",
          "authority": "linter-opinion",
          "specRef": "RFC 7638"
        },
        {
          "check": "unique_kids",
          "grade": "pass",
          "detail": "All key IDs are distinct.",
          "authority": "spec-should",
          "specRef": "RFC 7517 §4.5"
        },
        {
          "check": "cache_control",
          "grade": "pass",
          "detail": "Cache-Control is set (public, max-age=300).",
          "authority": "linter-opinion"
        },
        {
          "check": "nbf_hygiene",
          "grade": "pass",
          "detail": "No key has a future not-before time.",
          "authority": "spec-should",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "exp_hygiene",
          "grade": "pass",
          "detail": "No key is expired or expiring within 14 days.",
          "authority": "linter-opinion",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "response_signature",
          "grade": "warn",
          "detail": "The directory response is not signed (no Signature header). Cloudflare, the dominant verifier, requires a signature on the directory response. Sign it, or an unsigned directory will be rejected.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "private_key_material",
          "grade": "pass",
          "detail": "No private key material is exposed (public keys only).",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        }
      ],
      "keys": [
        {
          "kid": "4Riht9HIuWzkSZExY2eAu79KoGVtSu_6CZ892gbkMQ4",
          "crv": "Ed25519",
          "kty": "OKP",
          "daysToExpiry": null,
          "thumbprintMatches": true
        }
      ]
    },
    {
      "slug": "redirect-pizza-destination-monitor",
      "name": "redirect.pizza destination monitor",
      "operator": "Enflow B.V.",
      "kind": "BOT",
      "category": "MONITORING_AND_ANALYTICS",
      "signatureAgentUrl": "https://redirect.pizza/.well-known/http-message-signatures-directory",
      "fetchOk": true,
      "httpStatus": 200,
      "attempts": 1,
      "transientErrors": [],
      "grade": "pass_warn",
      "warnCount": 2,
      "failCount": 0,
      "findings": [
        {
          "check": "https",
          "grade": "pass",
          "detail": "Served over HTTPS.",
          "authority": "verifier-requirement"
        },
        {
          "check": "reachable",
          "grade": "pass",
          "detail": "Returned HTTP 200.",
          "authority": "verifier-requirement"
        },
        {
          "check": "not_redirected",
          "grade": "pass",
          "detail": "Served directly, no redirect.",
          "authority": "linter-opinion"
        },
        {
          "check": "well_known_path",
          "grade": "pass",
          "detail": "Served at the well-known path /.well-known/http-message-signatures-directory.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §7.1"
        },
        {
          "check": "content_type",
          "grade": "pass",
          "detail": "Content-Type is application/http-message-signatures-directory+json.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5"
        },
        {
          "check": "json_parse",
          "grade": "pass",
          "detail": "Body is valid JSON.",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "keys_present",
          "grade": "pass",
          "detail": "Directory publishes 1 key(s).",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "kty_okp",
          "grade": "pass",
          "detail": "All keys use key type \"OKP\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "crv_ed25519",
          "grade": "pass",
          "detail": "All keys use curve \"Ed25519\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "x_valid",
          "grade": "pass",
          "detail": "All public keys are valid 32-byte Ed25519 values.",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        },
        {
          "check": "thumbprint_kid",
          "grade": "pass",
          "detail": "All key IDs match their RFC 7638 thumbprint (a fingerprint of the key).",
          "authority": "linter-opinion",
          "specRef": "RFC 7638"
        },
        {
          "check": "unique_kids",
          "grade": "pass",
          "detail": "All key IDs are distinct.",
          "authority": "spec-should",
          "specRef": "RFC 7517 §4.5"
        },
        {
          "check": "cache_control",
          "grade": "warn",
          "detail": "Cache-Control \"no-cache, private\" prevents caching. Drop no-store/no-cache so verifiers can cache the directory.",
          "authority": "linter-opinion"
        },
        {
          "check": "nbf_hygiene",
          "grade": "pass",
          "detail": "No key has a future not-before time.",
          "authority": "spec-should",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "exp_hygiene",
          "grade": "pass",
          "detail": "No key is expired or expiring within 14 days.",
          "authority": "linter-opinion",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "response_signature",
          "grade": "warn",
          "detail": "The directory response is not signed (no Signature header). Cloudflare, the dominant verifier, requires a signature on the directory response. Sign it, or an unsigned directory will be rejected.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "private_key_material",
          "grade": "pass",
          "detail": "No private key material is exposed (public keys only).",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        }
      ],
      "keys": [
        {
          "kid": "Vd4rmrLbHWCA258yOZbKs6n8cIssz7VYX4Se_cNqAqk",
          "crv": "Ed25519",
          "kty": "OKP",
          "daysToExpiry": null,
          "thumbprintMatches": true
        }
      ]
    },
    {
      "slug": "ryebot",
      "name": "RyeBot",
      "operator": "Rye",
      "kind": "AGENT",
      "category": "AI_ASSISTANT",
      "signatureAgentUrl": "https://rye.xyz/.well-known/http-message-signatures-directory",
      "fetchOk": true,
      "httpStatus": 200,
      "attempts": 1,
      "transientErrors": [],
      "grade": "pass_warn",
      "warnCount": 1,
      "failCount": 0,
      "findings": [
        {
          "check": "https",
          "grade": "pass",
          "detail": "Served over HTTPS.",
          "authority": "verifier-requirement"
        },
        {
          "check": "reachable",
          "grade": "pass",
          "detail": "Returned HTTP 200.",
          "authority": "verifier-requirement"
        },
        {
          "check": "not_redirected",
          "grade": "pass",
          "detail": "Served directly, no redirect.",
          "authority": "linter-opinion"
        },
        {
          "check": "well_known_path",
          "grade": "pass",
          "detail": "Served at the well-known path /.well-known/http-message-signatures-directory.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §7.1"
        },
        {
          "check": "content_type",
          "grade": "pass",
          "detail": "Content-Type is application/http-message-signatures-directory+json.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5"
        },
        {
          "check": "json_parse",
          "grade": "pass",
          "detail": "Body is valid JSON.",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "keys_present",
          "grade": "pass",
          "detail": "Directory publishes 1 key(s).",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "kty_okp",
          "grade": "pass",
          "detail": "All keys use key type \"OKP\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "crv_ed25519",
          "grade": "pass",
          "detail": "All keys use curve \"Ed25519\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "x_valid",
          "grade": "pass",
          "detail": "All public keys are valid 32-byte Ed25519 values.",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        },
        {
          "check": "thumbprint_kid",
          "grade": "pass",
          "detail": "All key IDs match their RFC 7638 thumbprint (a fingerprint of the key).",
          "authority": "linter-opinion",
          "specRef": "RFC 7638"
        },
        {
          "check": "unique_kids",
          "grade": "pass",
          "detail": "All key IDs are distinct.",
          "authority": "spec-should",
          "specRef": "RFC 7517 §4.5"
        },
        {
          "check": "cache_control",
          "grade": "warn",
          "detail": "No Cache-Control header. Add one so verifiers can cache the directory instead of refetching every time.",
          "authority": "linter-opinion"
        },
        {
          "check": "nbf_hygiene",
          "grade": "pass",
          "detail": "No key has a future not-before time.",
          "authority": "spec-should",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "exp_hygiene",
          "grade": "pass",
          "detail": "No key is expired or expiring within 14 days.",
          "authority": "linter-opinion",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "response_signature",
          "grade": "pass",
          "detail": "The directory response carries an HTTP-message signature.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_keyid_thumbprint",
          "grade": "pass",
          "detail": "The signature key ID is the RFC 7638 thumbprint (fingerprint) of a key advertised in this directory.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_tag",
          "grade": "pass",
          "detail": "The signature tag is \"http-message-signatures-directory\".",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_verified",
          "grade": "pass",
          "detail": "The directory-response signature is cryptographically valid (Ed25519).",
          "authority": "verifier-requirement",
          "specRef": "RFC 9421 §3.2"
        },
        {
          "check": "private_key_material",
          "grade": "pass",
          "detail": "No private key material is exposed (public keys only).",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        }
      ],
      "keys": [
        {
          "kid": "pruQTAkOsxc3Jgyewz0ladvjlgLp8iqe22EVSGJHEGg",
          "crv": "Ed25519",
          "kty": "OKP",
          "daysToExpiry": 104,
          "thumbprintMatches": true
        }
      ]
    },
    {
      "slug": "sourcedash",
      "name": "sourcedash",
      "operator": "Source Dashboard",
      "kind": "BOT",
      "category": "SEARCH_ENGINE_CRAWLER",
      "signatureAgentUrl": "https://www.sourcedashboard.co.uk/.well-known/http-message-signatures-directory",
      "fetchOk": false,
      "httpStatus": null,
      "attempts": 3,
      "transientErrors": [
        "attempt 1: EAI_AGAIN: fetch failed",
        "attempt 2: EAI_AGAIN: fetch failed",
        "attempt 3: EAI_AGAIN: fetch failed"
      ],
      "grade": "fetch_error",
      "warnCount": 0,
      "failCount": 0,
      "findings": [],
      "keys": []
    },
    {
      "slug": "spyglasses",
      "name": "Spyglasses",
      "operator": "Spyglasses",
      "kind": "BOT",
      "category": "SEARCH_ENGINE_OPTIMIZATION",
      "signatureAgentUrl": "https://www.spyglasses.io/.well-known/http-message-signatures-directory",
      "fetchOk": true,
      "httpStatus": 200,
      "attempts": 1,
      "transientErrors": [],
      "grade": "pass_warn",
      "warnCount": 2,
      "failCount": 0,
      "findings": [
        {
          "check": "https",
          "grade": "pass",
          "detail": "Served over HTTPS.",
          "authority": "verifier-requirement"
        },
        {
          "check": "reachable",
          "grade": "pass",
          "detail": "Returned HTTP 200.",
          "authority": "verifier-requirement"
        },
        {
          "check": "not_redirected",
          "grade": "pass",
          "detail": "Served directly, no redirect.",
          "authority": "linter-opinion"
        },
        {
          "check": "well_known_path",
          "grade": "pass",
          "detail": "Served at the well-known path /.well-known/http-message-signatures-directory.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §7.1"
        },
        {
          "check": "content_type",
          "grade": "pass",
          "detail": "Content-Type is application/http-message-signatures-directory+json.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5"
        },
        {
          "check": "json_parse",
          "grade": "pass",
          "detail": "Body is valid JSON.",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "keys_present",
          "grade": "pass",
          "detail": "Directory publishes 1 key(s).",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "kty_okp",
          "grade": "pass",
          "detail": "All keys use key type \"OKP\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "crv_ed25519",
          "grade": "pass",
          "detail": "All keys use curve \"Ed25519\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "x_valid",
          "grade": "pass",
          "detail": "All public keys are valid 32-byte Ed25519 values.",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        },
        {
          "check": "thumbprint_kid",
          "grade": "warn",
          "detail": "Key ID is not the RFC 7638 thumbprint of the key (a fingerprint some verifiers expect the kid to equal); still valid, some verifiers use opaque IDs: key #1.",
          "authority": "linter-opinion",
          "specRef": "RFC 7638"
        },
        {
          "check": "unique_kids",
          "grade": "pass",
          "detail": "All key IDs are distinct.",
          "authority": "spec-should",
          "specRef": "RFC 7517 §4.5"
        },
        {
          "check": "cache_control",
          "grade": "pass",
          "detail": "Cache-Control is set (max-age=86400).",
          "authority": "linter-opinion"
        },
        {
          "check": "nbf_hygiene",
          "grade": "pass",
          "detail": "No key has a future not-before time.",
          "authority": "spec-should",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "exp_hygiene",
          "grade": "pass",
          "detail": "No key is expired or expiring within 14 days.",
          "authority": "linter-opinion",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "response_signature",
          "grade": "warn",
          "detail": "The directory response is not signed (no Signature header). Cloudflare, the dominant verifier, requires a signature on the directory response. Sign it, or an unsigned directory will be rejected.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "private_key_material",
          "grade": "pass",
          "detail": "No private key material is exposed (public keys only).",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        }
      ],
      "keys": [
        {
          "kid": null,
          "crv": "Ed25519",
          "kty": "OKP",
          "daysToExpiry": null,
          "thumbprintMatches": false
        }
      ]
    },
    {
      "slug": "strivve-automation",
      "name": "Strivve Automation",
      "operator": "Strivve",
      "kind": "AGENT",
      "category": "AI_ASSISTANT",
      "signatureAgentUrl": "https://signatures.cardsavr.io/.well-known/http-message-signatures-directory",
      "fetchOk": true,
      "httpStatus": 200,
      "attempts": 1,
      "transientErrors": [],
      "grade": "pass",
      "warnCount": 0,
      "failCount": 0,
      "findings": [
        {
          "check": "https",
          "grade": "pass",
          "detail": "Served over HTTPS.",
          "authority": "verifier-requirement"
        },
        {
          "check": "reachable",
          "grade": "pass",
          "detail": "Returned HTTP 200.",
          "authority": "verifier-requirement"
        },
        {
          "check": "not_redirected",
          "grade": "pass",
          "detail": "Served directly, no redirect.",
          "authority": "linter-opinion"
        },
        {
          "check": "well_known_path",
          "grade": "pass",
          "detail": "Served at the well-known path /.well-known/http-message-signatures-directory.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §7.1"
        },
        {
          "check": "content_type",
          "grade": "pass",
          "detail": "Content-Type is application/http-message-signatures-directory+json.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5"
        },
        {
          "check": "json_parse",
          "grade": "pass",
          "detail": "Body is valid JSON.",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "keys_present",
          "grade": "pass",
          "detail": "Directory publishes 2 key(s).",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "kty_okp",
          "grade": "pass",
          "detail": "All keys use key type \"OKP\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "crv_ed25519",
          "grade": "pass",
          "detail": "All keys use curve \"Ed25519\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "x_valid",
          "grade": "pass",
          "detail": "All public keys are valid 32-byte Ed25519 values.",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        },
        {
          "check": "thumbprint_kid",
          "grade": "pass",
          "detail": "All key IDs match their RFC 7638 thumbprint (a fingerprint of the key).",
          "authority": "linter-opinion",
          "specRef": "RFC 7638"
        },
        {
          "check": "unique_kids",
          "grade": "pass",
          "detail": "All key IDs are distinct.",
          "authority": "spec-should",
          "specRef": "RFC 7517 §4.5"
        },
        {
          "check": "cache_control",
          "grade": "pass",
          "detail": "Cache-Control is set (max-age=86400).",
          "authority": "linter-opinion"
        },
        {
          "check": "nbf_hygiene",
          "grade": "pass",
          "detail": "No key has a future not-before time.",
          "authority": "spec-should",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "exp_hygiene",
          "grade": "pass",
          "detail": "No key is expired or expiring within 14 days.",
          "authority": "linter-opinion",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "response_signature",
          "grade": "pass",
          "detail": "The directory response carries an HTTP-message signature.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_keyid_thumbprint",
          "grade": "pass",
          "detail": "The signature key ID is the RFC 7638 thumbprint (fingerprint) of a key advertised in this directory.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_tag",
          "grade": "pass",
          "detail": "The signature tag is \"http-message-signatures-directory\".",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_verified",
          "grade": "pass",
          "detail": "The directory-response signature is cryptographically valid (Ed25519).",
          "authority": "verifier-requirement",
          "specRef": "RFC 9421 §3.2"
        },
        {
          "check": "private_key_material",
          "grade": "pass",
          "detail": "No private key material is exposed (public keys only).",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        }
      ],
      "keys": [
        {
          "kid": "ilOSDnyotJ1rPIrDiAxGiCx-E6Q32G4DxVjA1t1yD0o",
          "crv": "Ed25519",
          "kty": "OKP",
          "daysToExpiry": 20,
          "thumbprintMatches": true
        },
        {
          "kid": "xCh4yoTBFW0NDKjDivaVCaqk4gx8jBKGXC-sNFmSUnY",
          "crv": "Ed25519",
          "kty": "OKP",
          "daysToExpiry": 20,
          "thumbprintMatches": true
        }
      ]
    },
    {
      "slug": "trustlink-verificationagent",
      "name": "TrustLink-VerificationAgent",
      "operator": "Pearl Industry Network LLC",
      "kind": "BOT",
      "category": "SECURITY",
      "signatureAgentUrl": "https://vagent.trustlink360.com/.well-known/http-message-signatures-directory",
      "fetchOk": true,
      "httpStatus": 200,
      "attempts": 1,
      "transientErrors": [],
      "grade": "fail",
      "warnCount": 2,
      "failCount": 1,
      "findings": [
        {
          "check": "https",
          "grade": "pass",
          "detail": "Served over HTTPS.",
          "authority": "verifier-requirement"
        },
        {
          "check": "reachable",
          "grade": "pass",
          "detail": "Returned HTTP 200.",
          "authority": "verifier-requirement"
        },
        {
          "check": "not_redirected",
          "grade": "pass",
          "detail": "Served directly, no redirect.",
          "authority": "linter-opinion"
        },
        {
          "check": "well_known_path",
          "grade": "pass",
          "detail": "Served at the well-known path /.well-known/http-message-signatures-directory.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §7.1"
        },
        {
          "check": "content_type",
          "grade": "warn",
          "detail": "The directory draft requires (MUST) Content-Type application/http-message-signatures-directory+json; served as application/json.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5"
        },
        {
          "check": "json_parse",
          "grade": "pass",
          "detail": "Body is valid JSON.",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "keys_present",
          "grade": "pass",
          "detail": "Directory publishes 1 key(s).",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "kty_okp",
          "grade": "pass",
          "detail": "All keys use key type \"OKP\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "crv_ed25519",
          "grade": "pass",
          "detail": "All keys use curve \"Ed25519\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "x_valid",
          "grade": "pass",
          "detail": "All public keys are valid 32-byte Ed25519 values.",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        },
        {
          "check": "thumbprint_kid",
          "grade": "warn",
          "detail": "Key ID is not the RFC 7638 thumbprint of the key (a fingerprint some verifiers expect the kid to equal); still valid, some verifiers use opaque IDs: key #1.",
          "authority": "linter-opinion",
          "specRef": "RFC 7638"
        },
        {
          "check": "unique_kids",
          "grade": "pass",
          "detail": "All key IDs are distinct.",
          "authority": "spec-should",
          "specRef": "RFC 7517 §4.5"
        },
        {
          "check": "cache_control",
          "grade": "pass",
          "detail": "Cache-Control is set (max-age=86400).",
          "authority": "linter-opinion"
        },
        {
          "check": "nbf_hygiene",
          "grade": "pass",
          "detail": "No key has a future not-before time.",
          "authority": "spec-should",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "exp_hygiene",
          "grade": "pass",
          "detail": "No key is expired or expiring within 14 days.",
          "authority": "linter-opinion",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "response_signature",
          "grade": "pass",
          "detail": "The directory response carries an HTTP-message signature.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_keyid_thumbprint",
          "grade": "pass",
          "detail": "The signature key ID is the RFC 7638 thumbprint (fingerprint) of a key advertised in this directory.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_tag",
          "grade": "fail",
          "detail": "The signature tag is \"web-bot-auth\"; a directory-response signature MUST carry tag=\"http-message-signatures-directory\".",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_verified",
          "grade": "pass",
          "detail": "The directory-response signature is cryptographically valid (Ed25519).",
          "authority": "verifier-requirement",
          "specRef": "RFC 9421 §3.2"
        },
        {
          "check": "private_key_material",
          "grade": "pass",
          "detail": "No private key material is exposed (public keys only).",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        }
      ],
      "keys": [
        {
          "kid": null,
          "crv": "Ed25519",
          "kty": "OKP",
          "daysToExpiry": null,
          "thumbprintMatches": false
        }
      ]
    },
    {
      "slug": "twinagent",
      "name": "TwinAgent",
      "operator": "Twin",
      "kind": "BOT",
      "category": "AI_ASSISTANT",
      "signatureAgentUrl": "https://signature-agents.twin.so/.well-known/http-message-signatures-directory",
      "fetchOk": false,
      "httpStatus": null,
      "attempts": 3,
      "transientErrors": [
        "attempt 1: ENOTFOUND: fetch failed",
        "attempt 2: ENOTFOUND: fetch failed",
        "attempt 3: ENOTFOUND: fetch failed"
      ],
      "grade": "fetch_error",
      "warnCount": 0,
      "failCount": 0,
      "findings": [],
      "keys": []
    },
    {
      "slug": "urlertbot",
      "name": "URLertBot",
      "operator": "URLert",
      "kind": "BOT",
      "category": "SECURITY",
      "signatureAgentUrl": "https://www.urlert.com/.well-known/http-message-signatures-directory",
      "fetchOk": true,
      "httpStatus": 200,
      "attempts": 1,
      "transientErrors": [],
      "grade": "pass_warn",
      "warnCount": 1,
      "failCount": 0,
      "findings": [
        {
          "check": "https",
          "grade": "pass",
          "detail": "Served over HTTPS.",
          "authority": "verifier-requirement"
        },
        {
          "check": "reachable",
          "grade": "pass",
          "detail": "Returned HTTP 200.",
          "authority": "verifier-requirement"
        },
        {
          "check": "not_redirected",
          "grade": "pass",
          "detail": "Served directly, no redirect.",
          "authority": "linter-opinion"
        },
        {
          "check": "well_known_path",
          "grade": "pass",
          "detail": "Served at the well-known path /.well-known/http-message-signatures-directory.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §7.1"
        },
        {
          "check": "content_type",
          "grade": "pass",
          "detail": "Content-Type is application/http-message-signatures-directory+json.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5"
        },
        {
          "check": "json_parse",
          "grade": "pass",
          "detail": "Body is valid JSON.",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "keys_present",
          "grade": "pass",
          "detail": "Directory publishes 1 key(s).",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "kty_okp",
          "grade": "pass",
          "detail": "All keys use key type \"OKP\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "crv_ed25519",
          "grade": "pass",
          "detail": "All keys use curve \"Ed25519\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "x_valid",
          "grade": "pass",
          "detail": "All public keys are valid 32-byte Ed25519 values.",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        },
        {
          "check": "thumbprint_kid",
          "grade": "warn",
          "detail": "Key ID is not the RFC 7638 thumbprint of the key (a fingerprint some verifiers expect the kid to equal); still valid, some verifiers use opaque IDs: key #1.",
          "authority": "linter-opinion",
          "specRef": "RFC 7638"
        },
        {
          "check": "unique_kids",
          "grade": "pass",
          "detail": "All key IDs are distinct.",
          "authority": "spec-should",
          "specRef": "RFC 7517 §4.5"
        },
        {
          "check": "cache_control",
          "grade": "pass",
          "detail": "Cache-Control is set (public,max-age=86400).",
          "authority": "linter-opinion"
        },
        {
          "check": "nbf_hygiene",
          "grade": "pass",
          "detail": "No key has a future not-before time.",
          "authority": "spec-should",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "exp_hygiene",
          "grade": "pass",
          "detail": "No key is expired or expiring within 14 days.",
          "authority": "linter-opinion",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "response_signature",
          "grade": "pass",
          "detail": "The directory response carries an HTTP-message signature.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_keyid_thumbprint",
          "grade": "pass",
          "detail": "The signature key ID is the RFC 7638 thumbprint (fingerprint) of a key advertised in this directory.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_tag",
          "grade": "pass",
          "detail": "The signature tag is \"http-message-signatures-directory\".",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_verified",
          "grade": "pass",
          "detail": "The directory-response signature is cryptographically valid (Ed25519).",
          "authority": "verifier-requirement",
          "specRef": "RFC 9421 §3.2"
        },
        {
          "check": "private_key_material",
          "grade": "pass",
          "detail": "No private key material is exposed (public keys only).",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        }
      ],
      "keys": [
        {
          "kid": null,
          "crv": "Ed25519",
          "kty": "OKP",
          "daysToExpiry": null,
          "thumbprintMatches": false
        }
      ]
    },
    {
      "slug": "visually-io-shopify-editor",
      "name": "Visually.io Shopify Editor",
      "operator": "Visually.io",
      "kind": "AGENT",
      "category": "AI_ASSISTANT",
      "signatureAgentUrl": "https://visually.io/.well-known/http-message-signatures-directory",
      "fetchOk": true,
      "httpStatus": 200,
      "attempts": 1,
      "transientErrors": [],
      "grade": "pass",
      "warnCount": 0,
      "failCount": 0,
      "findings": [
        {
          "check": "https",
          "grade": "pass",
          "detail": "Served over HTTPS.",
          "authority": "verifier-requirement"
        },
        {
          "check": "reachable",
          "grade": "pass",
          "detail": "Returned HTTP 200.",
          "authority": "verifier-requirement"
        },
        {
          "check": "not_redirected",
          "grade": "pass",
          "detail": "Served directly, no redirect.",
          "authority": "linter-opinion"
        },
        {
          "check": "well_known_path",
          "grade": "pass",
          "detail": "Served at the well-known path /.well-known/http-message-signatures-directory.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §7.1"
        },
        {
          "check": "content_type",
          "grade": "pass",
          "detail": "Content-Type is application/http-message-signatures-directory+json.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5"
        },
        {
          "check": "json_parse",
          "grade": "pass",
          "detail": "Body is valid JSON.",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "keys_present",
          "grade": "pass",
          "detail": "Directory publishes 1 key(s).",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "kty_okp",
          "grade": "pass",
          "detail": "All keys use key type \"OKP\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "crv_ed25519",
          "grade": "pass",
          "detail": "All keys use curve \"Ed25519\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "x_valid",
          "grade": "pass",
          "detail": "All public keys are valid 32-byte Ed25519 values.",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        },
        {
          "check": "thumbprint_kid",
          "grade": "pass",
          "detail": "All key IDs match their RFC 7638 thumbprint (a fingerprint of the key).",
          "authority": "linter-opinion",
          "specRef": "RFC 7638"
        },
        {
          "check": "unique_kids",
          "grade": "pass",
          "detail": "All key IDs are distinct.",
          "authority": "spec-should",
          "specRef": "RFC 7517 §4.5"
        },
        {
          "check": "cache_control",
          "grade": "pass",
          "detail": "Cache-Control is set (max-age=600).",
          "authority": "linter-opinion"
        },
        {
          "check": "nbf_hygiene",
          "grade": "pass",
          "detail": "No key has a future not-before time.",
          "authority": "spec-should",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "exp_hygiene",
          "grade": "pass",
          "detail": "No key is expired or expiring within 14 days.",
          "authority": "linter-opinion",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "response_signature",
          "grade": "pass",
          "detail": "The directory response carries an HTTP-message signature.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_keyid_thumbprint",
          "grade": "pass",
          "detail": "The signature key ID is the RFC 7638 thumbprint (fingerprint) of a key advertised in this directory.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_tag",
          "grade": "pass",
          "detail": "The signature tag is \"http-message-signatures-directory\".",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_verified",
          "grade": "pass",
          "detail": "The directory-response signature is cryptographically valid (Ed25519).",
          "authority": "verifier-requirement",
          "specRef": "RFC 9421 §3.2"
        },
        {
          "check": "private_key_material",
          "grade": "pass",
          "detail": "No private key material is exposed (public keys only).",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        }
      ],
      "keys": [
        {
          "kid": "fmhbszwgFdOwiIsMh2w4qMKe_WEJ3a_v6B-MV-NXmU4",
          "crv": "Ed25519",
          "kty": "OKP",
          "daysToExpiry": null,
          "thumbprintMatches": true
        }
      ]
    },
    {
      "slug": "windowsforum-ai",
      "name": "WindowsForum-AI",
      "operator": "WindowsForum.com",
      "kind": "BOT",
      "category": "SEARCH_ENGINE_CRAWLER",
      "signatureAgentUrl": "https://windowsforum.com/.well-known/http-message-signatures-directory/index.json",
      "fetchOk": true,
      "httpStatus": 200,
      "attempts": 1,
      "transientErrors": [],
      "grade": "pass_warn",
      "warnCount": 5,
      "failCount": 0,
      "findings": [
        {
          "check": "https",
          "grade": "pass",
          "detail": "Served over HTTPS.",
          "authority": "verifier-requirement"
        },
        {
          "check": "reachable",
          "grade": "pass",
          "detail": "Returned HTTP 200.",
          "authority": "verifier-requirement"
        },
        {
          "check": "not_redirected",
          "grade": "pass",
          "detail": "Served directly, no redirect.",
          "authority": "linter-opinion"
        },
        {
          "check": "well_known_path",
          "grade": "warn",
          "detail": "Served at /.well-known/http-message-signatures-directory/index.json. Cloudflare, the dominant verifier, fetches /.well-known/http-message-signatures-directory unless another location is advertised via a Signature-Agent header. Move it there or advertise it.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §7.1"
        },
        {
          "check": "content_type",
          "grade": "warn",
          "detail": "The directory draft requires (MUST) Content-Type application/http-message-signatures-directory+json; served as application/json.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5"
        },
        {
          "check": "json_parse",
          "grade": "pass",
          "detail": "Body is valid JSON.",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "keys_present",
          "grade": "pass",
          "detail": "Directory publishes 1 key(s).",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "kty_okp",
          "grade": "pass",
          "detail": "All keys use key type \"OKP\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "crv_ed25519",
          "grade": "pass",
          "detail": "All keys use curve \"Ed25519\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "x_valid",
          "grade": "pass",
          "detail": "All public keys are valid 32-byte Ed25519 values.",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        },
        {
          "check": "thumbprint_kid",
          "grade": "warn",
          "detail": "Key ID is not the RFC 7638 thumbprint of the key (a fingerprint some verifiers expect the kid to equal); still valid, some verifiers use opaque IDs: key #1.",
          "authority": "linter-opinion",
          "specRef": "RFC 7638"
        },
        {
          "check": "unique_kids",
          "grade": "pass",
          "detail": "All key IDs are distinct.",
          "authority": "spec-should",
          "specRef": "RFC 7517 §4.5"
        },
        {
          "check": "cache_control",
          "grade": "warn",
          "detail": "No Cache-Control header. Add one so verifiers can cache the directory instead of refetching every time.",
          "authority": "linter-opinion"
        },
        {
          "check": "nbf_hygiene",
          "grade": "pass",
          "detail": "No key has a future not-before time.",
          "authority": "spec-should",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "exp_hygiene",
          "grade": "pass",
          "detail": "No key is expired or expiring within 14 days.",
          "authority": "linter-opinion",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "response_signature",
          "grade": "warn",
          "detail": "The directory response is not signed (no Signature header). Cloudflare, the dominant verifier, requires a signature on the directory response. Sign it, or an unsigned directory will be rejected.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "private_key_material",
          "grade": "pass",
          "detail": "No private key material is exposed (public keys only).",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        }
      ],
      "keys": [
        {
          "kid": null,
          "crv": "Ed25519",
          "kty": "OKP",
          "daysToExpiry": null,
          "thumbprintMatches": false
        }
      ]
    },
    {
      "slug": "ygs-group-falconer-scraper",
      "name": "YGS Group Falconer Scraper",
      "operator": null,
      "kind": "BOT",
      "category": "AI_CRAWLER",
      "signatureAgentUrl": "https://bot-signature.gregoryscottdev.com/.well-known/http-message-signatures-directory",
      "fetchOk": true,
      "httpStatus": 200,
      "attempts": 1,
      "transientErrors": [],
      "grade": "pass_warn",
      "warnCount": 1,
      "failCount": 0,
      "findings": [
        {
          "check": "https",
          "grade": "pass",
          "detail": "Served over HTTPS.",
          "authority": "verifier-requirement"
        },
        {
          "check": "reachable",
          "grade": "pass",
          "detail": "Returned HTTP 200.",
          "authority": "verifier-requirement"
        },
        {
          "check": "not_redirected",
          "grade": "pass",
          "detail": "Served directly, no redirect.",
          "authority": "linter-opinion"
        },
        {
          "check": "well_known_path",
          "grade": "pass",
          "detail": "Served at the well-known path /.well-known/http-message-signatures-directory.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §7.1"
        },
        {
          "check": "content_type",
          "grade": "pass",
          "detail": "Content-Type is application/http-message-signatures-directory+json.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5"
        },
        {
          "check": "json_parse",
          "grade": "pass",
          "detail": "Body is valid JSON.",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "keys_present",
          "grade": "pass",
          "detail": "Directory publishes 1 key(s).",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "kty_okp",
          "grade": "pass",
          "detail": "All keys use key type \"OKP\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "crv_ed25519",
          "grade": "pass",
          "detail": "All keys use curve \"Ed25519\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "x_valid",
          "grade": "pass",
          "detail": "All public keys are valid 32-byte Ed25519 values.",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        },
        {
          "check": "thumbprint_kid",
          "grade": "warn",
          "detail": "Key ID is not the RFC 7638 thumbprint of the key (a fingerprint some verifiers expect the kid to equal); still valid, some verifiers use opaque IDs: key #1.",
          "authority": "linter-opinion",
          "specRef": "RFC 7638"
        },
        {
          "check": "unique_kids",
          "grade": "pass",
          "detail": "All key IDs are distinct.",
          "authority": "spec-should",
          "specRef": "RFC 7517 §4.5"
        },
        {
          "check": "cache_control",
          "grade": "pass",
          "detail": "Cache-Control is set (max-age=86400).",
          "authority": "linter-opinion"
        },
        {
          "check": "nbf_hygiene",
          "grade": "pass",
          "detail": "No key has a future not-before time.",
          "authority": "spec-should",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "exp_hygiene",
          "grade": "pass",
          "detail": "No key is expired or expiring within 14 days.",
          "authority": "linter-opinion",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "response_signature",
          "grade": "pass",
          "detail": "The directory response carries an HTTP-message signature.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_keyid_thumbprint",
          "grade": "pass",
          "detail": "The signature key ID is the RFC 7638 thumbprint (fingerprint) of a key advertised in this directory.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_tag",
          "grade": "pass",
          "detail": "The signature tag is \"http-message-signatures-directory\".",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_verified",
          "grade": "pass",
          "detail": "The directory-response signature is cryptographically valid (Ed25519).",
          "authority": "verifier-requirement",
          "specRef": "RFC 9421 §3.2"
        },
        {
          "check": "private_key_material",
          "grade": "pass",
          "detail": "No private key material is exposed (public keys only).",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        }
      ],
      "keys": [
        {
          "kid": null,
          "crv": "Ed25519",
          "kty": "OKP",
          "daysToExpiry": null,
          "thumbprintMatches": false
        }
      ]
    },
    {
      "slug": "youbot",
      "name": "YouBot",
      "operator": "You.com",
      "kind": "BOT",
      "category": "SEARCH_ENGINE_CRAWLER",
      "signatureAgentUrl": "https://you.com/.well-known/http-message-signatures-directory",
      "fetchOk": true,
      "httpStatus": 403,
      "attempts": 1,
      "transientErrors": [],
      "grade": "fail",
      "warnCount": 1,
      "failCount": 2,
      "findings": [
        {
          "check": "https",
          "grade": "pass",
          "detail": "Served over HTTPS.",
          "authority": "verifier-requirement"
        },
        {
          "check": "reachable",
          "grade": "fail",
          "detail": "Returned HTTP 403, not 200.",
          "authority": "verifier-requirement"
        },
        {
          "check": "not_redirected",
          "grade": "pass",
          "detail": "Served directly, no redirect.",
          "authority": "linter-opinion"
        },
        {
          "check": "well_known_path",
          "grade": "pass",
          "detail": "Served at the well-known path /.well-known/http-message-signatures-directory.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §7.1"
        },
        {
          "check": "content_type",
          "grade": "warn",
          "detail": "The directory draft requires (MUST) Content-Type application/http-message-signatures-directory+json; served as text/html.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5"
        },
        {
          "check": "json_parse",
          "grade": "fail",
          "detail": "The response body is not valid JSON.",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        }
      ],
      "keys": []
    },
    {
      "slug": "zvelo-bot",
      "name": "Zvelo",
      "operator": "zvelo",
      "kind": "BOT",
      "category": "MONITORING_AND_ANALYTICS",
      "signatureAgentUrl": "https://fetch-bot.zvelo.io/.well-known/http-message-signatures-directory",
      "fetchOk": true,
      "httpStatus": 200,
      "attempts": 1,
      "transientErrors": [],
      "grade": "pass_warn",
      "warnCount": 2,
      "failCount": 0,
      "findings": [
        {
          "check": "https",
          "grade": "pass",
          "detail": "Served over HTTPS.",
          "authority": "verifier-requirement"
        },
        {
          "check": "reachable",
          "grade": "pass",
          "detail": "Returned HTTP 200.",
          "authority": "verifier-requirement"
        },
        {
          "check": "not_redirected",
          "grade": "pass",
          "detail": "Served directly, no redirect.",
          "authority": "linter-opinion"
        },
        {
          "check": "well_known_path",
          "grade": "pass",
          "detail": "Served at the well-known path /.well-known/http-message-signatures-directory.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §7.1"
        },
        {
          "check": "content_type",
          "grade": "pass",
          "detail": "Content-Type is application/http-message-signatures-directory+json.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5"
        },
        {
          "check": "json_parse",
          "grade": "pass",
          "detail": "Body is valid JSON.",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "keys_present",
          "grade": "pass",
          "detail": "Directory publishes 1 key(s).",
          "authority": "spec-must",
          "specRef": "RFC 7517 §5"
        },
        {
          "check": "kty_okp",
          "grade": "pass",
          "detail": "All keys use key type \"OKP\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "crv_ed25519",
          "grade": "pass",
          "detail": "All keys use curve \"Ed25519\".",
          "authority": "verifier-requirement"
        },
        {
          "check": "x_valid",
          "grade": "pass",
          "detail": "All public keys are valid 32-byte Ed25519 values.",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        },
        {
          "check": "thumbprint_kid",
          "grade": "warn",
          "detail": "Key ID is not the RFC 7638 thumbprint of the key (a fingerprint some verifiers expect the kid to equal); still valid, some verifiers use opaque IDs: key #1.",
          "authority": "linter-opinion",
          "specRef": "RFC 7638"
        },
        {
          "check": "unique_kids",
          "grade": "pass",
          "detail": "All key IDs are distinct.",
          "authority": "spec-should",
          "specRef": "RFC 7517 §4.5"
        },
        {
          "check": "cache_control",
          "grade": "warn",
          "detail": "No Cache-Control header. Add one so verifiers can cache the directory instead of refetching every time.",
          "authority": "linter-opinion"
        },
        {
          "check": "nbf_hygiene",
          "grade": "pass",
          "detail": "No key has a future not-before time.",
          "authority": "spec-should",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "exp_hygiene",
          "grade": "pass",
          "detail": "No key is expired or expiring within 14 days.",
          "authority": "linter-opinion",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §3"
        },
        {
          "check": "response_signature",
          "grade": "pass",
          "detail": "The directory response carries an HTTP-message signature.",
          "authority": "verifier-requirement",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_keyid_thumbprint",
          "grade": "pass",
          "detail": "The signature key ID is the RFC 7638 thumbprint (fingerprint) of a key advertised in this directory.",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_tag",
          "grade": "pass",
          "detail": "The signature tag is \"http-message-signatures-directory\".",
          "authority": "spec-must",
          "specRef": "draft-meunier-http-message-signatures-directory-05 §5.2"
        },
        {
          "check": "signature_verified",
          "grade": "pass",
          "detail": "The directory-response signature is cryptographically valid (Ed25519).",
          "authority": "verifier-requirement",
          "specRef": "RFC 9421 §3.2"
        },
        {
          "check": "private_key_material",
          "grade": "pass",
          "detail": "No private key material is exposed (public keys only).",
          "authority": "spec-must",
          "specRef": "RFC 8037 §2"
        }
      ],
      "keys": [
        {
          "kid": null,
          "crv": "Ed25519",
          "kty": "OKP",
          "daysToExpiry": null,
          "thumbprintMatches": false
        }
      ]
    }
  ]
}
