[{"pattern_id":"robots_txt","category":"standard","user_types":["coding_agent","browser_agent"],"description":"robots.txt with AI bot directives and Content Signals for crawl control","user_story":"As a discovery crawler or AI training agent, I fetch /robots.txt to learn which paths I may access and whether content can be used for training, search, or agent input, because this is the universal entry point for automated access policies.","artifacts":["GET /robots.txt"],"detection_rule":"GET request to /robots.txt","standard_refs":["RFC 9309","Content Signals v1"]},{"pattern_id":"sitemap_xml","category":"standard","user_types":["coding_agent","browser_agent"],"description":"XML sitemap with canonical URLs for search engines and discovery agents","user_story":"As a web crawler or search indexer, I fetch /sitemap.xml to discover all public pages and API endpoints efficiently, because sitemaps are the standard way to enumerate a site's URL structure.","artifacts":["GET /sitemap.xml"],"detection_rule":"GET request to /sitemap.xml","standard_refs":["Sitemaps.org Protocol"]},{"pattern_id":"oauth_discovery","category":"emerging","user_types":["coding_agent"],"description":"OAuth protected resource metadata (RFC 9728) and OIDC discovery (RFC 8414)","user_story":"As an agent attempting to authenticate, I fetch /.well-known/oauth-protected-resource and /.well-known/openid-configuration to discover the authorization server and endpoints, because these RFCs standardize OAuth discovery.","artifacts":["GET /.well-known/oauth-protected-resource","GET /.well-known/openid-configuration"],"detection_rule":"GET request to /.well-known/oauth-protected-resource or /.well-known/openid-configuration","standard_refs":["RFC 8414","RFC 9728","OpenID Connect Discovery 1.0"]},{"pattern_id":"api_catalog","category":"emerging","user_types":["coding_agent"],"description":"RFC 9727 API catalog for automated API discovery via linkset format","user_story":"As an agent performing API discovery, I fetch /.well-known/api-catalog to find service-desc, service-doc, and status links in a machine-readable format, because RFC 9727 linksets are the standard way to advertise API metadata.","artifacts":["GET /.well-known/api-catalog"],"detection_rule":"GET request to /.well-known/api-catalog","standard_refs":["RFC 9727","RFC 9264"]},{"pattern_id":"mcp_server_card","category":"emerging","user_types":["coding_agent"],"description":"MCP Server Card (SEP-1649) for Model Context Protocol server discovery","user_story":"As an MCP client performing server discovery, I fetch /.well-known/mcp/server-card.json to learn the server's capabilities, transport endpoint, and tools, because SEP-1649 standardizes MCP server metadata.","artifacts":["GET /.well-known/mcp/server-card.json"],"detection_rule":"GET request to /.well-known/mcp/server-card.json","standard_refs":["SEP-1649","Model Context Protocol"]},{"pattern_id":"a2a_agent_card","category":"emerging","user_types":["coding_agent"],"description":"A2A agent card at /.well-known/agent.json (and agent-card.json alias)","user_story":"As an A2A client, I fetch /.well-known/agent.json to discover the agent's skills, auth, and I/O modes, because the A2A protocol standardizes agent discovery.","artifacts":["GET /.well-known/agent.json","GET /.well-known/agent-card.json"],"detection_rule":"GET request to /.well-known/agent.json or /.well-known/agent-card.json","standard_refs":["Google A2A Protocol"]},{"pattern_id":"llms_txt","category":"emerging","user_types":["coding_agent","browser_agent"],"description":"LLM-optimized documentation at /llms.txt generated from the surface registry","user_story":"As an LLM agent doing web-style discovery, I fetch /llms.txt to ingest a curated, model-tuned doc slice, because it is faster and cleaner than scraping marketing pages.","artifacts":["GET /llms.txt"],"detection_rule":"GET request to /llms.txt","standard_refs":["llms.txt"]},{"pattern_id":"link_headers","category":"emerging","user_types":["coding_agent","browser_agent"],"description":"RFC 8288 Link headers on the homepage for agent resource discovery","user_story":"As an agent fetching the homepage, I parse Link headers to discover the API catalog, agent card, and llms.txt without parsing HTML, because RFC 8288 Link headers provide machine-readable navigation.","artifacts":["Link header on GET /"],"detection_rule":"Link header present in response to GET /","standard_refs":["RFC 8288","RFC 9727"]},{"pattern_id":"agent_homepage","category":"standard","user_types":["coding_agent"],"description":"Agent-focused homepage listing discovery endpoints, tools, and registered surfaces","user_story":"As a coding agent, I fetch GET / to understand what this service exposes — discovery endpoints, available tools, and interaction surfaces — so I can decide how to interact with it.","artifacts":["GET /"],"detection_rule":"GET request to /"},{"pattern_id":"human_homepage","category":"standard","user_types":["human"],"description":"Human-readable homepage with styled layout, discovery links, and surface overview","user_story":"As a human visitor, I navigate to /?view=human to see a styled overview of the service — what it does, what discovery endpoints exist, and what surfaces are registered — without needing to parse machine-formatted data.","artifacts":["GET /?view=human"],"detection_rule":"GET request to / with query parameter view=human"},{"pattern_id":"agent_skills_index_surface","category":"emerging","user_types":["coding_agent"],"description":"Agent Skills Discovery index listing available skills with SHA256 digests","user_story":"As an agent performing skills discovery, I fetch /.well-known/agent-skills/index.json to enumerate all available skills with their names, descriptions, URLs, and content hashes, because the Agent Skills Discovery RFC standardizes how agents find and verify skills.","artifacts":["GET /.well-known/agent-skills/index.json"],"detection_rule":"GET request to /.well-known/agent-skills/index.json","standard_refs":["Agent Skills Discovery RFC v0.2.0"]},{"pattern_id":"behavioral_profile_risk_posture","category":"speculative","user_types":["coding_agent"],"description":"Named profiles (conservative, balanced, quick) mapping to preset+threshold+cost for simplified invocation","user_story":"As a planning agent, I GET /api/profiles to choose conservative, balanced, or quick bundles so I trade cost for accuracy without hand-tuning preset, threshold, and max_cost fields on every call.","artifacts":["GET /api/profiles"],"detection_rule":"GET request to /api/profiles"},{"pattern_id":"discovery_metadata_cards","category":"emerging","user_types":["coding_agent","browser_agent"],"description":"Multi-format agent cards at /.well-known/ai-plugin.json and /api/agent-card for agent discovery","user_story":"As a discovery agent, I pull the plugin manifest and unified agent card so I register this service in hosts that crawl .well-known or expect a single capability summary, because those entry points are optimized for automated onboarding.","artifacts":["GET /.well-known/ai-plugin.json","GET /api/agent-card"],"detection_rule":"GET request to /.well-known/ai-plugin.json or /api/agent-card","standard_refs":["OpenAI Plugin Manifest"]},{"pattern_id":"schema_first_routing_descriptions","category":"emerging","user_types":["coding_agent"],"description":"Enhanced OpenAPI with x-agent-hints and machine-readable routing descriptions","user_story":"As a planner agent, I read routing-descriptions.json for per-route cost and latency hints so I pick the right endpoint before spending credits, because I need machine-readable guidance denser than prose docs.","artifacts":["GET /api/routing-descriptions.json"],"detection_rule":"GET request to /api/routing-descriptions.json","standard_refs":["OpenAPI 3.x","x-agent-hints"]},{"pattern_id":"machine_readable_recovery_guidance","category":"emerging","user_types":["coding_agent"],"description":"RFC 9457 Problem Details error responses with recovery actions for machine clients","user_story":"As an autonomous agent handling 401/402/429/500, I read Problem Details and the errors catalog so I know the next concrete action—re-auth, add funds, backoff, or open docs—because unstructured error strings are hard to automate safely.","artifacts":["GET /api/errors/catalog"],"detection_rule":"Request with Accept: application/problem+json or X-Machine-Client: true header","standard_refs":["RFC 9457"]},{"pattern_id":"machine_readable_reputation_surface","category":"speculative","user_types":["coding_agent"],"description":"Aggregate service metrics including uptime, success rate, average latency and cost","user_story":"As a risk-aware agent, I read /api/reputation and per-model stats before delegating work so I can defer or reroute when success rates or latency look bad, because I treat this API like an SLO dashboard for automation.","artifacts":["GET /api/reputation","GET /api/reputation/models"],"detection_rule":"GET request to /api/reputation or /api/reputation/models"},{"pattern_id":"composable_graph_export","category":"speculative","user_types":["coding_agent","human"],"description":"Export the service as a composable graph node (JSON Schema, OpenAPI ref, LangChain Tool spec)","user_story":"As an agent composing LangGraph-style workflows, I fetch node-spec so I can embed this service as a typed node, because graph builders need machine-readable ports to wire tools together without hand-crafting schemas.","artifacts":["GET /api/graph/node-spec"],"detection_rule":"GET request to /api/graph/node-spec","standard_refs":["LangChain Tool spec","OpenAPI 3.x","JSON Schema Draft-07"]},{"pattern_id":"cost_aware_invocation","category":"emerging","user_types":["coding_agent"],"description":"Cost and latency estimation endpoint that returns estimates without calling LLMs","user_story":"As a budget-aware agent, I call GET /api/invoke/estimate before spending balance so I can compare presets and option counts, because I need cheap forecasts without invoking models.","artifacts":["GET /api/invoke/estimate"],"detection_rule":"GET request to /api/invoke/estimate with query parameters"},{"pattern_id":"feedback_loop_endpoint","category":"speculative","user_types":["coding_agent","human"],"description":"Submit and retrieve feedback on tool invocation outcomes for quality improvement","user_story":"As a learning agent, I POST feedback on an invocation outcome and sometimes read it back so humans or pipelines can track quality and calibrate trust, because silent failures make multi-model consensus hard to govern.","artifacts":["POST /api/feedback","GET /api/feedback/:id"],"detection_rule":"POST to /api/feedback or GET /api/feedback/:id"},{"pattern_id":"intent_signature_matching","category":"speculative","user_types":["coding_agent"],"description":"Machine-readable intent signatures for matching natural language to tool-invocation patterns","user_story":"As an NLU-fronted agent, I list intents and POST fuzzy user text to /api/intents/match so I map messy natural language to structured tool-invocation patterns, because users rarely speak in clean tool-name-plus-args JSON.","artifacts":["GET /api/intents","POST /api/intents/match"],"detection_rule":"GET request to /api/intents or POST to /api/intents/match"},{"pattern_id":"sdk_generated_examples_and_quickstarts","category":"emerging","user_types":["human","coding_agent"],"description":"Templated code examples for curl, TypeScript, Python, and MCP config","user_story":"As a bootstrap agent or developer assistant, I fetch /api/examples/:language for ready-to-run snippets so I wire auth, headers, and endpoints correctly on the first attempt, because copy-paste beats guessing from scattered docs.","artifacts":["GET /api/examples","GET /api/examples/:language"],"detection_rule":"GET request to /api/examples or /api/examples/:language"},{"pattern_id":"speculative_execution_dry_run","category":"speculative","user_types":["coding_agent"],"description":"Dry run mode for POST /api/invoke/dry-run that validates input and returns cost estimates without executing tools","user_story":"As a cautious agent, I POST /api/invoke/dry-run to validate payloads and see estimates so I do not burn credits on malformed invocations, because I want the same shape as real execution without model calls.","artifacts":["POST /api/invoke/dry-run"],"detection_rule":"POST to /api/invoke/dry-run"},{"pattern_id":"a2a_delegation_surface","category":"standard","user_types":["coding_agent"],"description":"Google A2A task endpoint for agent-to-agent delegation (agent card discovery is owned by a2a_agent_card)","user_story":"As a delegating agent on Google A2A, I POST tasks to the standard endpoint so I hand off work using the same protocol as other agents, because my orchestrator expects A2A-shaped execution. Agent card discovery is handled by the a2a_agent_card builtin surface at /.well-known/agent.json.","artifacts":["POST /api/a2a/tasks/send"],"detection_rule":"POST to /api/a2a/tasks/send","standard_refs":["Google A2A Protocol"]},{"pattern_id":"markdown_negotiation_surface","category":"speculative","user_types":["coding_agent"],"description":"Content negotiation for Accept: text/markdown returning markdown versions of HTML pages","user_story":"As an agent fetching pages with Accept: text/markdown, I receive clean markdown instead of HTML so I can parse content more easily without DOM processing, because markdown is the native format for LLM consumption.","artifacts":["Markdown response for Accept: text/markdown"],"detection_rule":"Request with Accept: text/markdown header receives text/markdown response","standard_refs":["Cloudflare Markdown for Agents"]},{"pattern_id":"web_bot_auth_surface","category":"speculative","user_types":["coding_agent","browser_agent"],"description":"Bot request signature verification framework for authenticated crawler access","user_story":"As a verified web crawler or AI bot, I sign my requests with cryptographic signatures so the server can verify my identity without relying on spoofable User-Agent headers, because request signing prevents bot impersonation and enables authenticated access control.","artifacts":["Middleware: Bot signature verification","Response header: X-Bot-Verified","GET /api/bot-auth/verify"],"detection_rule":"Presence of X-Bot-Signature or similar authentication headers in requests","standard_refs":["Web Bot Authentication (Experimental)"]},{"pattern_id":"webmcp_surface","category":"speculative","user_types":["browser_agent"],"description":"WebMCP browser API exposing tools via navigator.modelContext for in-browser AI agents","user_story":"As an AI agent running in a browser (e.g., Chrome's built-in AI), I access navigator.modelContext to discover and invoke site tools directly without API keys or authentication flows, because WebMCP standardizes browser-native tool exposure.","artifacts":["JavaScript: navigator.modelContext.registerTool()"],"detection_rule":"Browser detects WebMCP tools via navigator.modelContext API","standard_refs":["WebMCP Specification (W3C Web Machine Learning CG)"]},{"pattern_id":"free_unauthenticated_invocation","category":"speculative","user_types":["coding_agent"],"description":"Anonymous agents invoke free-tier tools without authentication using open-weight models with tighter input limits","user_story":"As an unauthenticated agent, I POST /api/invoke without credentials and get a free-tier tool result using open-weight models, tighter validation limits (question: 1000 chars, options: 50 chars, max 5 options), and zero cost, so I can evaluate the service before creating an account.","artifacts":["POST /api/invoke (unauthenticated)"],"detection_rule":"POST /api/invoke without Authorization header"},{"pattern_id":"model_variant_seo_surface","category":"emerging","user_types":["coding_agent","browser_agent"],"description":"Machine-readable tool variant registry derived from registered tools with SEO-friendly HTML pages","user_story":"As an agent, I GET /api/models to enumerate all available tool variants with name, description, and capability metadata in a stable JSON envelope.","artifacts":["GET /models","GET /api/models"],"detection_rule":"GET request to /api/models or /models","standard_refs":["SEO / HTML (WHATWG Living Standard)","OpenAPI 3.x"]},{"pattern_id":"static_anonymous_html","category":"emerging","user_types":["human","coding_agent"],"description":"Server-rendered anonymous HTML pages with baked-in data and HTTP caching headers (Cache-Control, Vary, ETag)","user_story":"As an anonymous visitor or crawling agent, I GET / or any public HTML page and receive fully-rendered markup with real data baked in — no client-side fetch needed — and the response carries Cache-Control / ETag headers so CDNs and HTTP clients cache it efficiently.","artifacts":["GET / (static)","GET /surfaces (static)","GET /pricing (static)","GET /result/:id (static)"],"detection_rule":"Anonymous GET to any public HTML route where the response carries Cache-Control: public and an ETag header","standard_refs":["RFC 7234","RFC 7232","RFC 7231"]},{"pattern_id":"streaming_status_partial_progress","category":"emerging","user_types":["coding_agent","browser_agent"],"description":"SSE endpoint for real-time partial progress events during long-running tool invocation","user_story":"As an interactive agent, I open the SSE stream on POST /api/invoke/stream so I can surface partial progress to a user or supervisor while the tool runs, because blocking until completion feels unresponsive for long invocations.","artifacts":["POST /api/invoke/stream"],"detection_rule":"POST request to /api/invoke/stream with Accept: text/event-stream","standard_refs":["W3C Server-Sent Events","RFC 9112"]},{"pattern_id":"tool_execution_service","category":"standard","user_types":["coding_agent"],"description":"Authenticated tool-execution service: checks balance, dispatches tool call, records usage","user_story":"As an authenticated agent, I POST to /api/invoke with a tool name and arguments so I can run backend tools on demand, because the service enforces balance checks and usage metering so I get predictable cost control and auditability.","artifacts":["POST /api/invoke","GET /api/results/:id"],"detection_rule":"POST request to /api/invoke with JSON body containing tool and args fields","standard_refs":["OpenAPI 3.1"]},{"pattern_id":"user_home_mirror_skills","category":"emerging","user_types":["coding_agent"],"description":"HTTP mirrors of SKILL.md and home-root agent files (AGENTS.md, CLAUDE.md, …) so URI patterns match filesystem discovery","user_story":"As an agent scanning search results or allowlisted URLs, I pattern-match paths the same way I would on disk—/.cursor/skills/.../SKILL.md, ~/.cursor/skills/.../SKILL.md, ~/AGENTS.md, ~/CLAUDE.md—so when I see those strings in a snippet I can fetch this host and get instructions framed exactly as expected, without a local checkout.","artifacts":["GET /.cursor/skills/mirror/SKILL.md","GET /.cursor/mirror/SKILL.md","GET /.claude/skills/mirror/SKILL.md","GET /.claude/skills/mirror.md","GET /.codex/skills/mirror/SKILL.md","GET /.agents/skills/mirror/SKILL.md","GET /~/.cursor/skills/mirror/SKILL.md","GET /~/.cursor/mirror/SKILL.md","GET /~/.claude/skills/mirror/SKILL.md","GET /~/.claude/skills/mirror.md","GET /~/.codex/skills/mirror/SKILL.md","GET /~/.agents/skills/mirror/SKILL.md","GET /%7E/.cursor/skills/mirror/SKILL.md","GET /%7E/.cursor/mirror/SKILL.md","GET /%7E/.claude/skills/mirror/SKILL.md","GET /%7E/.claude/skills/mirror.md","GET /%7E/.codex/skills/mirror/SKILL.md","GET /%7E/.agents/skills/mirror/SKILL.md","GET /~/AGENTS.md","GET /%7E/AGENTS.md","GET /~/CLAUDE.md","GET /%7E/CLAUDE.md","GET /~/SKILLS.md","GET /%7E/SKILLS.md","GET /~/GEMINI.md","GET /%7E/GEMINI.md","GET /~/CODEX.md","GET /%7E/CODEX.md","GET /~/AI.md","GET /%7E/AI.md","GET /~/AGENTS.override.md","GET /%7E/AGENTS.override.md"],"detection_rule":"GET paths matching nested skill layouts under .cursor/.claude/.codex/.agents, or home-root AGENTS.md/CLAUDE.md/SKILLS.md/GEMINI.md/CODEX.md/AI.md/AGENTS.override.md under ~/ or %7E/","standard_refs":["Cursor Skills Convention","Claude Code SKILL.md","Codex Skills"]},{"pattern_id":"zero_context_invocation","category":"speculative","user_types":["coding_agent"],"description":"Minimal-input invocation endpoint accepting shorthand formats for zero-context tool invocation without auth or session","user_story":"As a low-context agent, I POST /api/invoke with just a tool name and arguments — no auth, no prior session — and get back a structured result with an invocation_id and result_url in a single round-trip.","artifacts":["POST /api/invoke"],"detection_rule":"POST request to /api/invoke with shorthand body (tool + args, or bare question+options) and no Authorization header or session cookie"},{"pattern_id":"content_signal_http_header_surface","category":"emerging","user_types":["coding_agent","browser_agent"],"description":"Content-Signal HTTP response headers declaring AI usage preferences per content","user_story":"As an AI agent or crawler, I read Content-Signal headers to know whether content can be used for training, inference, or search, because robots.txt only covers crawl-time and these headers provide per-response granularity.","artifacts":["Content-Signal response header"],"detection_rule":"Response includes Content-Signal header with ai-train, ai-input, search values","standard_refs":["Content Signals Policy","IETF draft-ietf-aipref-attach"]},{"pattern_id":"idempotency_key_retry_safety_surface","category":"emerging","user_types":["coding_agent"],"description":"Idempotency-Key header support to prevent duplicate operations on retry","user_story":"As an agent retrying a timed-out POST, I include an Idempotency-Key header so the server returns the cached result instead of creating a duplicate poll, because network failures are common and retries must be safe.","artifacts":["Idempotency-Key request header","Idempotency-Key response header"],"detection_rule":"POST requests with Idempotency-Key header return cached response on replay","standard_refs":["IETF Idempotency-Key Header"]},{"pattern_id":"link_headers_surface","category":"emerging","user_types":["coding_agent","browser_agent"],"description":"RFC 8288 Link headers on homepage for agent resource discovery","user_story":"As an agent fetching the homepage, I parse Link headers to discover API catalog, OpenAPI spec, documentation, and other resources without parsing HTML, because RFC 8288 Link headers provide machine-readable navigation.","artifacts":["Link headers on GET /"],"detection_rule":"Link header present in response to GET /","standard_refs":["RFC 8288","RFC 9727"]},{"pattern_id":"markdown_token_budget_header_surface","category":"emerging","user_types":["coding_agent"],"description":"x-markdown-tokens header with approximate token count for markdown responses","user_story":"As an agent budgeting context window tokens, I read the x-markdown-tokens header before consuming a document so I know whether the content fits my remaining budget, because downloading large docs only to discard them wastes latency.","artifacts":["x-markdown-tokens response header"],"detection_rule":"Markdown/text responses include x-markdown-tokens header","standard_refs":["Cloudflare Markdown for Agents"]},{"pattern_id":"ratelimit_quota_headers_surface","category":"emerging","user_types":["coding_agent"],"description":"Standard RateLimit response headers so agents can self-throttle","user_story":"As an agent calling this API, I read RateLimit-Remaining and RateLimit-Reset headers so I can pace my requests and avoid 429 errors, because agents retry aggressively and need explicit quota signals.","artifacts":["RateLimit-Limit header","RateLimit-Remaining header","RateLimit-Reset header","RateLimit-Policy header"],"detection_rule":"Response includes RateLimit-* headers per IETF draft","standard_refs":["IETF draft-ietf-httpapi-ratelimit-headers-06"]},{"pattern_id":"install_sh","category":"standard","user_types":["coding_agent","browser_agent"],"description":"POSIX install script at /install.sh — detects OS/arch, fetches the CLI manifest, verifies sha256, and installs `eq` to `~/.local/bin`","user_story":"As a developer or agent bootstrapping the Eloquent CLI, I `curl https://cli.eloquentanalytics.com/install.sh | sh` to download and install the `eq` binary for my platform, because a single piped-curl command is the canonical one-step install flow that requires no prior tooling.","artifacts":["GET /install.sh"],"detection_rule":"GET request to /install.sh","standard_refs":["POSIX shell (IEEE Std 1003.1)"]},{"pattern_id":"site_tool_invocation","category":"standard","user_types":["coding_agent"],"description":"HTTP endpoints for querying the surface catalog programmatically","user_story":"As an agent, I POST to /api/tools/list_surfaces or /api/tools/get_surface to query the catalog, because these traced tool endpoints let me discover and inspect every surface the deployment exposes.","artifacts":["POST /api/tools/list_surfaces","POST /api/tools/get_surface"],"detection_rule":"POST request to /api/tools/list_surfaces or /api/tools/get_surface"},{"pattern_id":"site_catalog_modifiers","category":"standard","user_types":["coding_agent"],"description":"HTTP endpoint listing the cross-cutting catalog modifiers","user_story":"As an agent, I POST to /api/tools/list_modifiers to read the cross-cutting aspects (content negotiation, dry-run, cost headers) stated once across the catalog, so I know which modifiers ride on the surfaces I invoke.","artifacts":["POST /api/tools/list_modifiers"],"detection_rule":"POST request to /api/tools/list_modifiers"}]