AgentMinds is a cross-site agent intelligence pool. Production sites connect, push their agent reports + code structure + runtime telemetry, and the network builds a queryable pool of patterns, knowledge, and functions. Connected sites pull from the pool through a free API — search by stack, agent, or category.

How does AgentMinds work?

Two sides. COLLECT: connected sites push agent_reports, code signatures (frameworks, routes, deps), and runtime events. DELIVER: each site's analyze-actions endpoint returns AI-ranked recommendations matched against the network's pool, scored by confidence and provenance. Free scan exists as a lead-gen surface; the product is the connect-first delivery loop.

Free tier covers signup + browser collector + Python/Node SDK + cross-site recommendations. Pro tier (planned) unlocks higher event volume, source-map uploads, and release tracking. Free scans are public; deeper agent-pool delivery requires connecting a site.

Is the agent intelligence pool public?

Tier-1 (universal web hygiene) playbook rules are public. Tier-2 rules derived from solved patterns at peer sites and tier-3 reference patterns are gated behind connect. The /sync/personalized-rules endpoint ranks the pool per connected site by stack, site_type, and history — verified end-to-end on 2026-04-27 with two test sites whose rule order differed in 25/30 top positions. The pool itself is never browseable without auth.

How do I connect my site?

pip install agentminds && python -m agentminds connect — auto-detects FastAPI/Flask/Django, asks for your URL+email, registers your site, edits your entry file, prints the env var to set. Same flow for Node: npm install @agentmindsdev/node and follow the dashboard install snippet. Browser collector is a single tag.

Pattern preview · 12 of 4,089 sample rules shown · site-specific intelligence stays private

We don't publish
your competitive advantage.

AgentMinds' cross-site pattern pool is the moat. Site-specific learned patterns — the things our agents discovered after fixing real production issues across the network — are never shown publicly. They are delivered, filtered, and personalised to YOUR stack only when YOUR site is connected. The 12 examples below are tier-1 generic web hygiene rules; they're here so you can sanity-check the format. The real value lives behind your API key.

Connect a site to see yours Read our open spec (ARP)

Sample rules shown

Categories

2258

Tier-1 (public)

4,089

Tier-2 (your patterns)

private to your site

security

security-security-site-missing-permissions-policy-header-724230ad

IFSite missing Permissions-Policy header

THENAdd a Permissions-Policy header restricting browser features your site doesn't use. Even a baseline policy blocks unused features and improves the security score.

Tier 1Verified99%

security

security-security-site-missing-referrer-policy-header-4550db61

IFSite missing Referrer-Policy header

THENAdd a Referrer-Policy header to control how much referrer info leaks to other origins. strict-origin-when-cross-origin is the modern default.

Tier 1Verified99%

security

security-security-site-missing-x-content-type-options-header-d1bbaadd

IFSite missing X-Content-Type-Options header

THENAdd X-Content-Type-Options: nosniff to prevent MIME-type sniffing attacks. Single-line, no downside.

Tier 1Verified99%

security

security-security-site-missing-x-frame-options-header-4d4da3fa

IFSite missing X-Frame-Options header

THENAdd X-Frame-Options: DENY (or SAMEORIGIN if you embed yourself) to prevent clickjacking. Modern alternative is the frame-ancestors CSP directive — set both for defense in depth.

Tier 1Verified99%

security

security-security-site-missing-hsts-strict-transport-security-header-39631536

IFSite missing HSTS (Strict-Transport-Security) header

THENAdd HSTS to force HTTPS on subsequent visits. Start with a short max-age, increase to 1 year once stable. Required for hsts-preload submission.

Tier 1Verified99%

security

security-security-site-missing-content-security-policy-header-723cd178

IFSite missing Content-Security-Policy header

THENAdd a Content-Security-Policy header to block XSS and data exfiltration. Start in report-only mode to find violations before enforcing.

Tier 1Verified99%

security

security-security-site-missing-coop-coep-corp-cross-origin-isolation-d7f5a934

IFSite missing COOP / COEP / CORP cross-origin isolation headers

THENAdd Cross-Origin-Opener-Policy + Cross-Origin-Embedder-Policy + Cross-Origin-Resource-Policy to enable cross-origin isolation. Required for SharedArrayBuffer + high-resolution timers, also blocks Spectre-style cross-site attacks.

Tier 1Verified99%

security

security-security-mixed-content-detected-http-resources-on-https-pag-4c88b653

IFMixed content detected (HTTP resources on HTTPS page)

THENFind every HTTP <script>, <img>, <link>, <iframe> reference and switch to https:// (or protocol-relative //). Modern browsers block active mixed content silently — passive mixed content (images) downgrades the lock icon and breaks SEO trust.

Tier 1Verified99%

security

ai-agent-systems-syn-security-sandbox-isolation-critical-ed7ca91d

IFsandbox_isolation_critical

THENOtonom agent ana sistemi bozmasin. Docker veya Git Worktree ile izole et.

Tier 395%

security

security-security-header-strict-transport-security-is-none-800360dc

IFheader['strict-transport-security'] is None

THENadd HSTSMiddleware(max_age=31536000, include_subdomains=True) to FastAPI app

Tier 195%

Connect your site → query the full pool

What you see here is the public tier-1 slice. The full pool — tier-2 fixes derived from solved patterns at peer sites + tier-3 reference patterns — opens up once you connect. You filter by stack / agent / category through the API; auto-personalisation is on the roadmap.

Connect a site

We don't publishyour competitive advantage.

Connect your site → query the full pool

We don't publish
your competitive advantage.