Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.

How: n/a

Probed 4 candidate contact-page paths and none returned a 2xx response.

How: URL probe of contact paths; the first 2xx body is scanned for mailto: / tel: hrefs, plain emails (placeholder hosts excluded), and phone-shaped numbers.

• No contact page reachable▲HIGHHIGH severity — weight 5 in score calculation.

  statuses: /pages/contact=404, /pages/contact-us=404, /contact=404, /contact-us=404

  Publish a contact page at /contact (or your platform's standard path) with a mailto: and/or tel: link.

Counted product pages discovered by the non-JavaScript crawl. None were found — JS-only storefront, products missing from sitemap, or the crawl was blocked.

How: Count the product pages a non-JavaScript crawl could discover via the sitemap or initial HTML (no JS execution). The fetcher already attempted discovery; we read ctx.pdpSample.

• No product pages discoverable from a non-JavaScript crawl▲HIGHHIGH severity — weight 5 in score calculation.

  /0 products in pdpSample after sitemap + HTML link discovery

  Server-render product pages and list every product URL in the sitemap.

Ran the discovery cascade (feed → platform catalog → typed sitemap → content-verified crawl). Method: none; verified 0 product pages.

How: Read the product-discovery cascade result from ctx.discovery. Score by discovery method (feed / platform_api / sitemap_typed → pass when verifiedProductCount ≥ MIN_CONFIDENT_PRODUCTS; content_verified → partial; none or under-threshold → fail).

• No reliable way for agents to discover your products▲HIGHHIGH severity — weight 5 in score calculation.

  /method=none, verified=0

  Publish a product feed (Google Merchant XML or ACP) and declare it in /.well-known/ucp and /llms.txt, or ensure every product page carries Product JSON-LD and is listed in the sitemap.

Inspected /.well-known/ucp for a parseable JSON document with a top-level version string.

How: Confirm ctx.wellKnownUcp is non-null and carries a non-empty version string (the only universally-required UCP profile field).

• /.well-known/ucp is not reachable or not parseable as JSON▲HIGHHIGH severity — weight 5 in score calculation.

  /.well-known/ucp

  Serve a JSON document at /.well-known/ucp with a top-level version string (e.g., "2026-04-08").

Wanted to inspect UCP root keys, but no profile was found.

How: Read the profile root (or top-level ucp wrapper) and verify the presence of version, services, capabilities, and signing_keys keys.

• No /.well-known/ucp profile present▲HIGHHIGH severity — weight 5 in score calculation.

  /.well-known/ucp

  Publish /.well-known/ucp first (see ucp-profile-present).

Wanted to walk the UCP profile's services[] for a valid shopping entry, but no profile was found.

How: List every services[] entry whose namespace is shopping (or contains shopping) and require at least one with transport ∈ {rest,mcp,a2a,embedded} AND a syntactically valid https:// endpoint.

• No /.well-known/ucp profile present▲HIGHHIGH severity — weight 5 in score calculation.

  /.well-known/ucp

  Publish /.well-known/ucp first (see ucp-profile-present), then declare the shopping service.

Wanted to validate signing_keys[], but no UCP profile was found.

How: Walk signing_keys[] and validate each entry per RFC 7517 §4.1 (kty required) + RFC 7518 §6 (kty-specific required parameters). kid is OPTIONAL per RFC 7517 §4.5 and not enforced here.

• No /.well-known/ucp profile present▲HIGHHIGH severity — weight 5 in score calculation.

  /.well-known/ucp

Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.

How: n/a

Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.

How: n/a

Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.

How: n/a

Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.

How: n/a

Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.

How: n/a

Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.

How: n/a

Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.

How: n/a

Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.

How: n/a

Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.

How: n/a

Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.

How: n/a

Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.

How: n/a

Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.

How: n/a

Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.

How: n/a

Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.

How: n/a

No UCP profile present; Cache-Control policy is not evaluable.

How: Parse the Cache-Control header on the /.well-known/ucp response; require public, max-age ≥ 60, and no no-store/no-cache/private.

No UCP profile present; Content-Type is not evaluable.

How: Check that the Content-Type header on /.well-known/ucp starts with application/json (optionally with a charset parameter).

No UCP profile reachable; public-fetch evaluation deferred to ucp-profile-present.

How: Confirm an unauthenticated GET to /.well-known/ucp returns a 2xx status.

No UCP profile present; redirect behaviour is not evaluable.

How: Inspect the final HTTP status of GET /.well-known/ucp and whether any 3xx redirect was followed to reach it.

No UCP profile present.

How: For each services[] entry with a recognised transport, require the transport-conditional fields: rest/mcp → endpoint+schema; a2a → endpoint; embedded → schema.

No UCP profile present.

How: For each services[] entry, require transport to be one of: rest, mcp, a2a, embedded.

Inspected the homepage Strict-Transport-Security header ("max-age=31536000") and the includeSubDomains directive is absent.

How: Parse the homepage Strict-Transport-Security header for the includeSubDomains directive (RFC 6797 §6.1.2).

• HSTS header is missing the includeSubDomains directive◆MEDIUMMEDIUM severity — weight 3 in score calculation.

  /

  What we found

  max-age=31536000

  What we expected

  Strict-Transport-Security: max-age=31536000; includeSubDomains

  Append ; includeSubDomains to your STS header once every subdomain you operate supports HTTPS.

Scanned the homepage and 0 sampled PDPs for 8 review-platform asset fingerprints; none matched.

How: Substring scan of homepage and sampled PDP HTML for known review-platform asset fingerprints (judge.me, yotpo, stamped.io, reviews.io, okendo, loox, trustpilot, bazaarvoice).

• No third-party review-platform integration detected◆MEDIUMMEDIUM severity — weight 3 in score calculation.

  none of 8 fingerprints matched across 1 source

  Install a Judge.me / Yotpo / Loox / Okendo / Stamped / Reviews.io / Trustpilot / Bazaarvoice widget on your storefront.

Tried to resolve an XML sitemap from robots.txt (Sitemap: directives) or /sitemap.xml. No entries were returned.

How: Parse <loc> entries from the resolved sitemap (or sitemap index) and classify each against product-URL patterns (/products/..., /product/..., /p/<id>, etc.).

• No XML sitemap was reachable, or it contained no <loc> entries◆MEDIUMMEDIUM severity — weight 3 in score calculation.

  /sitemap.xml0 entries parsed

  Publish a sitemap at /sitemap.xml that includes one <loc> entry per product.

Probed 4 candidate shipping-policy paths (nav-discovered + platform-conventional) and none returned a 2xx body.

How: Discover candidate URLs by scoring homepage nav/footer anchors for shipping/delivery/dispatch keywords, then append platform-conventional paths; probe each with politeFetch and pass on the first 2xx with ≥200 stripped-body chars.

• No shipping policy page reachable at any candidate URL◆MEDIUMMEDIUM severity — weight 3 in score calculation.

  statuses: /policies/shipping-policy=404, /shipping=404, /shipping-policy=404, /pages/shipping=404

  Publish a shipping policy page at /shipping-policy (or your platform's standard slug) with ≥200 chars of body text and link it from your footer.

Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.

How: n/a

Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.

How: n/a

Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.

How: n/a

Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.

How: n/a

Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.

How: n/a

Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.

How: n/a

Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.

How: n/a

Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.

How: n/a

Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.

How: n/a

Wanted to inspect sampled <loc> entries for entity escaping, but the runner did not surface any sitemap resources.

How: Sample the first 100 <loc> entries per sitemap document and check for raw &, <, or > (sitemaps.org entity escaping rules).

• Transport metadata not available — runner update pending●LOWLOW severity — weight 1 in score calculation.

  /sitemap.xml

Wanted to compare sitemap entry hosts against the containing sitemap, but the runner did not surface any sitemap resources.

How: For each resolved sitemap resource, parse the sitemap URL's host and compare it against every parsed <loc> URL's host.

• Transport metadata not available — runner update pending●LOWLOW severity — weight 1 in score calculation.

  /sitemap.xml

Wanted to check the xmlns declaration on every resolved sitemap document, but the runner did not surface any sitemap resources.

How: Substring-match xmlns="http://www.sitemaps.org/schemas/sitemap/0.9" against the raw XML of every resolved sitemap document.

• Transport metadata not available — runner update pending●LOWLOW severity — weight 1 in score calculation.

  /sitemap.xml

No UCP profile present.

How: For each capabilities[] entry, require non-empty string values for version, spec, and schema.

No UCP profile present.

How: For each service with a spec URL, require the URL origin to be a canonical UCP authority OR the host/path to include the namespace token.

No UCP profile present; service version formats are not evaluable.

How: For each services[] entry, require version to be a string matching /^\d{4}-\d{2}-\d{2}$/.

Inspected the homepage Strict-Transport-Security header ("max-age=31536000") and the preload directive is absent.

How: Parse the homepage Strict-Transport-Security header for the preload directive (hstspreload.org vendor extension to RFC 6797).

• HSTS header is missing the preload directive●LOWLOW severity — weight 1 in score calculation.

  /

  What we found

  max-age=31536000

  What we expected

  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

  Append ; preload after includeSubDomains and submit your domain at https://hstspreload.org/.

Probed 4 candidate About-page paths and none returned a 2xx body.

How: URL probe of platform-specific about-page paths via politeFetch; the first 2xx response whose HTML-stripped body length is ≥ 200 chars counts as a pass.

• No About page reachable at any standard URL●LOWLOW severity — weight 1 in score calculation.

  statuses: /pages/about=404, /pages/about-us=404, /about=404, /about-us=404

  Publish an About page at /about (or your platform's standard path) with ≥ 200 chars of body text.

Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.

How: n/a

Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.

How: n/a

Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.

How: n/a

Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.

How: n/a

Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.

How: n/a

Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.

How: n/a

Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.

How: n/a

Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.

How: n/a

Wanted to check <loc> URL lengths across every resolved sitemap document, but the runner did not surface any sitemap resources.

How: Iterate every parsed <loc> URL across all resolved sitemap resources and check length against the 2,048-character cap.

• Transport metadata not available — runner update pending●LOWLOW severity — weight 1 in score calculation.

  /sitemap.xml

Wanted to verify each sitemap's byte size and entry count against sitemaps.org caps, but the runner did not surface any sitemap resources.

How: Check raw byte size (≤ 52,428,800 B) and entry count (≤ 50,000) for every resolved sitemap resource.

• Transport metadata not available — runner update pending●LOWLOW severity — weight 1 in score calculation.

  /sitemap.xml

Wanted to check the encoding of every resolved sitemap document, but the runner did not surface any sitemap resources with transport metadata.

How: Inspect every resolved sitemap document's raw byte stream for UTF-8 decodability (sitemaps.org encoding requirement).

• Transport metadata not available — runner update pending●LOWLOW severity — weight 1 in score calculation.

  /sitemap.xml

  This check activates once the runner (Task I1) populates ctx.sitemapResources with raw bytes + headers.

No UCP profile found; MCP transport validity is not evaluable.

How: Filter services[] to entries where transport=mcp and validate that endpoint is an absolute https:// URL.

Scanned the homepage and 0 sampled PDPs for Apple Pay markers; none matched.

How: Substring match on known Apple Pay SDK/markup signatures (ApplePaySession, apple-pay-button, /apple-developer-merchantid-domain-association) across the homepage and every sampled PDP HTML.

• No Apple Pay markers detected on the homepage or PDPs○INFOINFO severity — weight 0 in score calculation.

  /

  Enable Apple Pay in your payment processor's dashboard (Stripe / Adyen / Braintree). Informational only — does not affect the score.

Scanned the homepage and 0 sampled PDPs for Google Pay markers; none matched.

How: Substring match on known Google Pay SDK/markup signatures (pay.google.com/gp/p/js/pay.js, google.payments.api, <google-pay-button) across the homepage and every sampled PDP HTML.

• No Google Pay markers detected on the homepage or PDPs○INFOINFO severity — weight 0 in score calculation.

  /

  Enable Google Pay in your payment processor's dashboard (Stripe / Adyen / Braintree). Informational only — does not affect the score.

Looked for /llms.txt at the site root; the fetcher returned no file.

How: Check whether the fetcher reached an /llms.txt at the site root. Informational only — no failure path per llmstxt.org being a voluntary community convention.