Turva
БесплатноНе проверенPublic read-only MCP server for turva.dev's agent-readiness audit, enabling AI agents to query service catalog, security evidence, and engagement principles via
Описание
Public read-only MCP server for turva.dev's agent-readiness audit, enabling AI agents to query service catalog, security evidence, and engagement principles via structured JSON.
README
Public, read-only Model Context Protocol (MCP) server for turva.dev, an agent-readiness audit and advisory service. It lets AI agents query turva.dev's service catalog, its own agent-readiness scores, the public web-security scan results for its domain, and its engagement principles, as structured JSON instead of scraped HTML.
The server is public on purpose: anyone can read exactly what it exposes before deciding anything.
MCP endpoint
https://mcp.turva.dev/mcp
Transport is Streamable HTTP. The MCP endpoint is POST /mcp; there is no SSE transport. A server card is published at GET / and GET /.well-known/mcp. CORS is open (Access-Control-Allow-Origin: *).
No authentication and no API key are required. All exposed data is public and read-only.
Tools
Four read-only tools. There are no write tools and no transaction tools. Each returns JSON as text content.
| Tool | Returns |
|---|---|
get_services |
The service catalog (audit, advisory, implementation, agent operations, MCP server design), the engagement model, and pricing (fixed list prices for audit, advisory and implementation; others on request) |
get_agent_readiness |
turva.dev's own agent-readiness scores from independent scanners, with per-scanner sub-scores, leaderboard rank, notable wins, the measurement date, and verification links |
get_security_evidence |
Public web-security scan results for turva.dev's own domain (Hardenize, Internet.nl), with the scan date |
get_principles |
The engagement principles: async-only, least access, results measured in scanner numbers, open and verifiable |
Data is served from static TypeScript objects bundled with the Worker, so every response is deterministic and depends on no external state. Scores carry a measured_at date and verification links, so any reader can compare a stored snapshot against a fresh scan.
Evidence
turva.dev publishes its own scan results so the work is verifiable, not just claimed.
Measured on turva.dev: agent-readiness on 2026-07-13, web security on 2026-07-13.
Agent-readiness: 100/100 on both independent scanners.
- startuphub.ai: 100/100 (A+), ranked first of publicly-scanned sites on the startuphub.ai agent-readiness leaderboard. All six sub-scores are perfect: Discoverability, Content, Access Control, Capabilities, Commerce, and Quality. Notable wins: an MCP Server Card (under 0.01% of sites have one), an llms.txt guide (top 3%), declared Content Signals (top 4%), and Markdown content negotiation (top 4%).
- isitagentready.com (the same scanner as Cloudflare Agent-Ready): 100/100, Level 5 (Agent-Native). Discoverability, Content, Bot Access Control, and API/Auth/MCP/Skill Discovery all pass fully. Commerce is optional and is not required for the perfect overall score.
Web security: measured and explained.
- Hardenize passes all 13 categories.
- Internet.nl scores 98/100. IPv6, DNSSEC and RPKI pass in full; the single deduction is one HTTPS sub-test, the hash function for key exchange.
All scores carry a measurement date and a live link, so a reader can re-run any scan and compare.
Endpoints
| Method and path | Response |
|---|---|
POST /mcp |
MCP over Streamable HTTP |
GET / |
Server card JSON (name, transport, endpoint) |
GET /.well-known/mcp |
Server card JSON |
GET /.well-known/glama.json |
Glama MCP directory domain verification |
OPTIONS * |
204 CORS preflight |
| any other path | 404 |
All methods on /mcp are handled by the Streamable HTTP transport (GET opens the SSE stream, DELETE ends a session). The card paths respond to any method.
Connect
Point any MCP client that supports Streamable HTTP at the endpoint. Example client config:
{
"mcpServers": {
"turva": {
"url": "https://mcp.turva.dev/mcp"
}
}
}
Quick reachability check from PowerShell (returns the server card):
curl.exe https://mcp.turva.dev/
Verify
Everything the tools return is publicly auditable. Re-run the scans and open the records yourself:
- StartupHub leaderboard: https://www.startuphub.ai/agent-readiness
- isitagentready scan: https://isitagentready.com/turva.dev
- Hardenize report: https://www.hardenize.com/report/turva.dev
- Internet.nl report: https://internet.nl/site/turva.dev/
- Company (Finnish Business Information System): https://tietopalvelu.ytj.fi/yritys/3600281-7
How it works
A single Cloudflare Worker built on the Cloudflare Agents SDK serves the MCP endpoint, backed by a Durable Object. Tool data lives in static TypeScript objects in the bundle. The server does no logging; errors are returned as MCP protocol error responses rather than written anywhere. Cloudflare Workers observability is switched off in wrangler.jsonc, so the platform does not collect invocation logs either.
The Worker is independent from the main turva.dev site, so an MCP change cannot affect the website.
Deploy
Requires a Cloudflare account and the wrangler CLI.
cd turva-mcp
npm install
npx wrangler deploy
Route the Worker to mcp.turva.dev under Workers & Pages, your-worker, Settings, Domains & Routes.
Use it for your own site
MIT licensed. Fork it, replace the static data objects with your own, then deploy.
If you want an agent-readiness audit of your own domain, see turva.dev or Erik Rekola on LinkedIn.
Security
Responsible disclosure: see SECURITY.md. Contact: [email protected]
License
Установка Turva
У этого сервера нет опубликованного пакета — он собирается из исходников. Открой репозиторий и следуй инструкции в README.
▸ github.com/erekola/turva-mcpFAQ
Turva MCP бесплатный?
Да, Turva MCP бесплатный — установка в пару кликов через Unyly без оплаты.
Нужен ли API-ключ для Turva?
Нет, Turva работает без API-ключей и переменных окружения.
Turva — hosted или self-hosted?
Доступен hosted-вариант: Unyly запускает сервер в облаке, локальная установка не обязательна.
Как установить Turva в Claude Desktop, Claude Code или Cursor?
Открой Turva на unyly.org, выбери вкладку своего клиента (Claude Desktop, Claude Code, Cursor) и нажми Install — конфиг сгенерируется автоматически, без правки JSON.
Похожие MCP
Fetch
Web content fetching and conversion for efficient LLM usage.
AWS KB Retrieval
Retrieval from AWS Knowledge Base using Bedrock Agent Runtime.
автор: modelcontextprotocolSpring AI MCP Server
Provides auto-configuration for setting up an MCP server in Spring Boot applications.
llm-analysis-assistant
A very streamlined mcp client that supports calling and monitoring stdio/sse/streamableHttp, and can also view request responses through the /logs page. It also
автор: xuzexin-hzCompare Turva with
Не уверен что выбрать?
Найди свой стек за 60 секунд
Автор?
Embed-бейдж для README
Похожее
Все в категории ai
