Guide
AGENTS.md: make your repo agent-verifiable
An agent dropped into your repository does not want to be persuaded — it wants to act without breaking things, and it trusts what it can run over what you assert. An AGENTS.md earns that trust by pairing every claim with the exact command that proves it. The same discipline is what makes a skeptical human reviewer believe you.
The one idea
A README says “well-tested, production-ready.” An agent has no reason to believe that. An AGENTS.md says: the test suite is 36 tests across 7 files; run npm test and see them pass.Now the claim carries its own proof. The reader — agent or human — runs one command and knows. Every section below is an application of that single move: claim + the command that verifies it.
What to put in it
Four things, in roughly this order:
# AGENTS.md
## What this is
One paragraph: what the project does and its honest maturity
(alpha / beta / stable). No superlatives.
## Repo map
Where the load-bearing code lives, so an agent doesn't have to
grep blindly.
- src/lib/ core logic
- examples/ runnable reference backend
- docs/ the contract other implementers follow
## Verifiable claims
Each claim + how to check it:
- Tests: 36 tests across 7 files. -> npm test
- The MCP endpoint answers a spec handshake and, unauthenticated,
returns a 401 OAuth challenge:
curl -s -D - -X POST https://mcp.example/mcp \
-H 'content-type: application/json' \
-d '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{}}'
# expect: HTTP/1.1 401 + WWW-Authenticate: Bearer resource_metadata="..."
- Build is clean: -> npm run build
## Conventions for agents working here
Branch naming, how to run one test, what NOT to touch, how to
report a missing capability.Write claims that fight back
The point of a verifiable claim is that it fails loudly when it drifts. If you write “36 tests” and later delete one, the next person who runs npm test sees 35 and catches the stale doc. That is a feature: the command is a test of your own honesty. A claim with no command can rot forever without anyone noticing.
Do
- +Attach a runnable command to every factual claim.
- +State maturity honestly — "beta, expect breaking changes" builds more trust than "production-ready".
- +Include live probes (curl) for anything an agent reaches over the network.
- +Tell agents how to report a gap — a missing-capability path beats a silent wrong guess.
Don’t
- −Assert quality ("robust", "battle-tested") with nothing to run.
- −Let numbers drift — a wrong count is worse than no count.
- −Duplicate the whole README; link it and stay action-focused.
- −Describe endpoints you have not curled yourself from a clean environment.
A real one
The AGENTS.md of cortex-gateway states its test count and gives npm test to confirm it, provides live curl probes against its running endpoint (initialize handshake, the 401 OAuth challenge), maps the repo, and is blunt about beta status. Nothing in it asks to be believed; everything can be run.
Verify the network claims
The claims about your deployed surface are the ones most likely to quietly break. Run your domain through the agent-readiness checkerto confirm the MCP handshake, the OAuth discovery chain, and llms.txt actually behave the way your AGENTS.md promises — each result shows the curl, so you can paste it straight into the doc.
FAQ
AGENTS.md vs README.md?
AGENTS.md vs llms.txt?
Does any agent actually read AGENTS.md?
Where does it go?
What makes a claim "verifiable"?