v0.0.71
Released Jul 13, 2026
All releases
Release Notes
Agent experience goes deep: a much larger set of rules auditing how AI agents read, reach, and act on your site, plus major crawler and cloud reliability fixes.
Added
- The Agent Experience category grows from 4 to 17 rules. New checks cover agent access (whether GPTBot, Claude-User and friends get the same content as a browser, including bot-challenge and pay-per-crawl detection), content signals and licensing (contradictory bot policies across scopes, noai signals, RSL licenses), agent-facing files (AGENTS.md, llms.txt including lookalike SPA shells, MCP server cards, A2A agent cards and other well-known agent endpoints), API discoverability (OpenAPI, OAuth self-onboarding), and response token weight for agents on a budget. The crawler now probes these agent surfaces on every audit.
- New security rules: subresource integrity on external scripts, and cookie security flags checked against real response headers. The catalog now totals 261 rules across 21 categories.
- Report issues are now ordered by severity in every output format, so the most important findings always come first.
- Failures outside your site's control, like an unreachable third-party link, are now reported as warnings with an expected-failure tag instead of counting against the audit as errors.
Fixed
- Cloud audits that stalled mid-crawl and timed out now complete normally. A crawler concurrency slot could leak when a page fetch failed a certain way, eventually deadlocking the crawl until the run hit its time limit. This was the main cause of recent cloud audit timeouts; affected runs were refunded automatically.
- Crawls stop promptly and cleanly at the page cap instead of letting in-flight work run past it.
- Publishing a report with the full rule catalog could be rejected after the catalog grew past an internal limit. The limit is raised and now guarded by tests so it cannot silently recur.
- Auto and hybrid render modes no longer render pages that were already rendered during the crawl, making rendered audits cheaper.
- Reports now say when a cloud check did not run and why, instead of leaving a silent gap in the results.
- Set-Cookie headers now flow through the whole audit pipeline, so cookie security rules evaluate the real headers your site sends.
- Creating a new site through a cloud audit or the MCP server now respects your account's website limit like every other path.
Update to this version
squirrelscan will auto-update, or run this command to update now:
$