cd /news/ai-agents/when-honesty-and-the-checker-disagre… · home topics ai-agents article
[ARTICLE · art-50841] src=dev.to ↗ pub= topic=ai-agents verified=true sentiment=· neutral

When honesty and the checker disagree

Turva.dev resolved a contradiction in its auth.md file where it stated both 'no issued credentials' and 'an API key is issued out of band on request'. The fix involved declaring the API key accurately while removing false claims about access tokens and event channels, maintaining a perfect score on the isitagentready.com checker. The incident highlights the limitation of automated scanners in distinguishing genuine claims from hollow signals.

read3 min views1 publishedJul 8, 2026

During the line-by-line pass that read every line of turva.dev, one of the smallest surfaces turned into the sharpest question in the audit. turva.dev serves an auth.md file, a plain description of how an agent authenticates here. It said two things that did not sit together. One line read no issued credentials. Another said an API key is issued out of band on request. Both were trying to be honest, and side by side they were a contradiction.

The obvious repair was to drop the credential machinery and let the file say the simple true thing, that nothing here needs a credential. So the agent_auth block lost its credential types, the fields that name what kind of key or token a service hands out. To a reader they looked like box-ticking, the sort of hollow detail an audit is meant to strip.

Then the scanner failed. isitagentready.com runs a check on auth.md, and that check reports agent_auth metadata was not found the moment the block has no complete registration method. Its own published recipe requires at least one method, and every method has to declare the credential types it supports. Fields removed to look more honest read to the checker as no auth surface at all. The pass count for the whole site leans on that check, and gutting the block would have dropped the 100/100 the front page shows.

So there were two true things to write. turva.dev really does issue no credential that any resource requires, and I could say exactly that and let the check fail. Or turva.dev really does hand out an API key out of band when someone asks, and I could declare that key properly and keep the check green. Both are honest. The checker accepts only one of them.

The tempting read is that the checker is the villain here, rewarding the file that ticks more boxes. That story is wrong. The credential the check wanted was not a fiction, because a key really does get issued on request. The first draft was dishonest for a different reason. A true detail sat next to a line that flatly denied it.

The fix was to make the whole block exactly true, rather than gut it or inflate it. The API key is declared and issued out of band on request. The file describes it for exactly what it is. It attributes correspondence and nothing more. No resource on turva.dev requires it, and holding it unlocks no extra access. Two other fields went the other way and were deleted, because they were the real hollow signals. One named an access token the service never issues. The other named an events channel that does not exist. Those were claims with nothing behind them. The API key is a claim with a key behind it.

That is the line between a hollow signal and a modest true one, and a scanner cannot draw it for you. It can tell that a field is present and parses. It cannot tell whether the thing the field describes is real. The judgment that took the longest landed on the surface that moved no score at all.

auth.md now says one thing instead of two. The key it names is the key you get if you email and ask, and it labels the message and grants nothing. The fields that described things the service does not do are gone. The check reads green because the declaration is finally true. Nothing was padded to please it.

For an agent-readiness audit that reads your agent-facing claims the way a skeptic would, contact [info@turva.dev](mailto:info@turva.dev).

*Originally published at https://turva.dev/blog/honesty-and-the-checker*
── more in #ai-agents 4 stories · sorted by recency
── more on @turva.dev 3 stories trending now
sponsored brought to you by zahid.host 4,200+ EU-deployed projects
reading about agents? ship yours in a single git push.

Run your AI side-project on zahid.host

EU-based hosting, git-push deploys, automatic HTTPS, no cold starts. Free tier with a custom domain — perfect for shipping the agent you just read about.

$git push zahid main
Live at https://your-agent.zahid.host
Get free account → Pricing
from €0/mo · no card required
LIVE [news/when-honesty-and-the…] indexed:0 read:3min 2026-07-08 ·