Passing agent commerce checks without faking compliance
turva.dev fixed A2A, AP2 and ACP agent-readiness checks without faking compliance, while deliberately leaving x402 and Web Bot Auth flagged red.
turva.dev tracks its own agent-readiness with two independent scanners: it ranks first at 100/100 on startuphub.ai's leaderboard and reaches Level 5 across 21 standards on isitagentready.com. The team set out to turn four red discovery and commerce checks — A2A Agent Card, AP2, ACP, and x402 — green without claiming any capability the site doesn't actually have. Publishing an A2A Agent Card that describes the site's real read-only HTTP/JSON surface was purely additive and left the startuphub.ai score untouched.
For AP2, the isitagentready fix text pointed to an incorrect protocol URI; matching the real specification's lowercase, correctly versioned URI turned the check green, underscoring that protocol identifiers should be copied from specs, not helper text. The ACP fix involved a harder call: since the scanner only reads the discovery document, editing one field could have faked compliance while the checkout endpoint remained non-functional. Instead of taking that shortcut, the team built a genuine, minimal checkout session endpoint that honestly returns a not-ready-for-payment state, reflecting the site's real quote-first, async business model.
Two checks stay red on purpose: x402 is actually implemented correctly, but the isitagentready probe checks the wrong paths, and fixing it would break already-correct surfaces; Web Bot Auth doesn't apply since turva only receives traffic rather than sending signed bot requests. The takeaway for engineers is that a scanner score only matters if it reflects what an agent actually finds — a green check built on a lie is worse than an honest red one. The underlying worker code has been released as open source.