The a2aregistry.org directory went from 4 cards to 50 in 48 hours. Every card has a .well-known/agent.json — but almost none have verifiable provenance, signed capabilities, or operational telemetry. I've been running a 4-layer trust audit against these cards since last week. Until now the only output was a badge image and a JSON endpoint. Today each card gets its own landing page with the full breakdown. What the page shows Overall grade (A–F) and numeric score Layer breakdown: Provenance, Fitness, Behavior, Operational Top 3 remediation actions ranked by severity Embeddable badge snippet for READMEs Three live examples AgentLair (Grade B, 87/100) — agentlair.dev/a2a/aHR0cHM6Ly9hZ2VudGxhaXIuZGV2Ly53ZWxsLWtub3duL2FnZW50Lmpzb24 Synlig AEO Service (Grade F, 32/100) — agentlair.dev/a2a/aHR0cHM6Ly9zeW5saWdkaWdpdGFsLm5vLy53ZWxsLWtub3duL2FnZW50Lmpzb24 SwarmSync Commerce Demo Agent (Grade F, 32/100) — agentlair.dev/a2a/aHR0cHM6Ly9zd2FybXN5bmMtYWdlbnRzLm9ucmVuZGVyLmNvbS8ud2VsbC1rbm93bi9hZ2VudC5qc29u The URL pattern…