hape.com
Audited 6 days ago · shopify
Agent-readiness across all five AI commerce surfaces.
20 failing · 60 not checked · 80 shown
60 checks couldn't run on this store — each is listed below with the reason. Your score reflects only what we could verify.
Enforce HTTPS sitewide and ship a Strict-Transport-Security header with max-age ≥ 6 months
Why this matters: AI agents and payment flows refuse plain HTTP; weak HSTS is treated as effectively no HSTS by trust-and-safety scanners.
Findings (1)
Confirmed the homepage is HTTPS (status 200), probed http://hape.com/ for redirect behaviour, and parsed the Strict-Transport-Security header (value: "max-age=7889238").
How: URL scheme + homepage status check, an http://host/ redirect probe through politeFetch, and a Strict-Transport-Security max-age parse (RFC 6797; ≥ 180-day threshold).
- HSTS max-age is below the 6-month minimum (CRITICAL)
/: parsed max-age = 7889238s (need ≥ 15552000s = 180 days)
What we found
max-age=7889238
What we expected
Strict-Transport-Security: max-age=31536000; includeSubDomains
Bump max-age to at least 15552000 (180 days). 31536000 (1 year) is required for preload-list inclusion.
Skipped — no /robots.txt was reachable
Context: Google's shopping and AI Overview answers cite product pages Googlebot was permitted to crawl.
Why this was skipped
Wanted to check whether Googlebot is allowed at /products/test, but no /robots.txt was reachable.
How: RFC 9309 group match on User-agent: Googlebot rules at the representative product path /products/test (via the parsed robots.txt isAllowed predicate).
Skipped — Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.
Context: Agents need a price with a currency to show and compare your product.
Why this was skipped
Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.
How: n/a
Skipped — no /robots.txt was reachable so per-UA rules cannot be evaluated
Context: ChatGPT's shopping answers cite pages OAI-SearchBot could crawl; blocking it removes you from ChatGPT results.
Why this was skipped
Wanted to evaluate whether OAI-SearchBot (OpenAI's ChatGPT search/discovery crawler) is allowed at /, but no /robots.txt was reachable so per-UA rules cannot be evaluated.
How: RFC 9309 group match on User-agent: OAI-SearchBot rules at path / (via the parsed robots.txt isAllowed predicate).
Skipped — no /robots.txt was reachable
Context: A site-wide Disallow of `/` blocks every agent crawler at once — catastrophic across every surface.
Why this was skipped
Wanted to scan the wildcard group for a root Disallow, but no /robots.txt was reachable.
How: Line-by-line scan of robots.txt; track membership of the User-agent: * group (stacked UA lines combine into one group per RFC 9309 section 2.2.1) and flag the file when a root Disallow: / appears in that group with no offsetting Allow: /.
Add a mailto: email link or tel: phone link to your contact page
Why this matters: Without an email or phone on your contact page, ChatGPT and Perplexity have no escalation path to surface for shoppers.
Findings (1)
Probed 4 candidate contact-page paths and none returned a 2xx response.
How: URL probe of contact paths; the first 2xx body is scanned for mailto: / tel: hrefs, plain emails (placeholder hosts excluded), and phone-shaped numbers.
- No contact page reachable (HIGH)
statuses: /pages/contact=404, /pages/contact-us=404, /contact=404, /contact-us=404
Publish a contact page at /contact (or your platform's standard path) with a mailto: and/or tel: link.
Make product pages discoverable without JavaScript
Why this matters: AI shopping crawlers do not run JavaScript; without server-rendered product pages, agents can't see your catalog.
Findings (1)
Counted product pages discovered by the non-JavaScript crawl. None were found — JS-only storefront, products missing from sitemap, or the crawl was blocked.
How: Count the product pages a non-JavaScript crawl could discover via the sitemap or initial HTML (no JS execution). The fetcher already attempted discovery; we read ctx.pdpSample.
- No product pages discoverable from a non-JavaScript crawl (HIGH)
/: 0 products in pdpSample after sitemap + HTML link discovery
Server-render product pages and list every product URL in the sitemap.
Publish a privacy policy page and link it from your site nav/footer
Why this matters: A privacy policy is required by GDPR/CCPA and is a baseline trust signal for AI agents, ad networks, and most merchant-listing programs.
Findings (1)
Probed 3 candidate privacy-policy paths (nav-discovered + platform-conventional) and none returned a 2xx body.
How: Discover candidate URLs by scoring homepage nav/footer anchors for privacy/gdpr/cookie keywords, then append platform-conventional paths; probe each with politeFetch and pass on the first 2xx with ≥200 stripped-body chars.
- No privacy policy page reachable at any candidate URL (HIGH)
statuses: /policies/privacy-policy=404, /privacy=404, /privacy-policy=404
Publish a privacy policy page at /privacy-policy (or your platform's standard slug) with ≥200 chars of body text.
Publish a terms of service page and link it from your site nav/footer
Why this matters: A published ToS is a baseline trust signal AI agents and ad networks use to decide whether to surface or accept a merchant.
Findings (1)
Probed 3 candidate ToS paths (nav-discovered + platform-conventional) and none returned a 2xx body.
How: Discover candidate URLs by scoring homepage nav/footer anchors for terms/tos/legal/conditions keywords, then append platform-conventional paths; probe each with politeFetch and pass on the first 2xx with ≥200 stripped-body chars.
- No terms-of-service page reachable at any candidate URL (HIGH)
statuses: /policies/terms-of-service=404, /terms=404, /terms-of-service=404
Publish a ToS page at /terms (or your platform's standard slug) with ≥200 chars of body text.
Publish a non-empty robots.txt at the site root
Why this matters: robots.txt is the only place a merchant can declare per-crawler rules and a Sitemap to AI agents.
Findings (1)
Looked for a reachable /robots.txt at the site root. The fetcher returned no robots.txt (404, network error, or non-200 response).
How: Check whether the fetcher reached a non-empty /robots.txt at the site root (RFC 9309 §2.2.3 access method).
- No /robots.txt reachable at the site root (HIGH)
/robots.txt: no response body (404 / network error / non-200)
Publish a plain-text /robots.txt at the site root with at least User-agent: * + Allow: /.
Publish a product feed or a crawlable product sitemap
Why this matters: Agents build their catalog from a feed or by crawling product pages; if neither yields products, your store is invisible.
Findings (1)
Ran the discovery cascade (feed → platform catalog → typed sitemap → content-verified crawl). Method: none; verified 0 product pages.
How: Read the product-discovery cascade result from ctx.discovery. Score by discovery method (feed / platform_api / sitemap_typed → pass when verifiedProductCount ≥ MIN_CONFIDENT_PRODUCTS; content_verified → partial; none or under-threshold → fail).
- No reliable way for agents to discover your products (HIGH)
/: method=none, verified=0
Publish a product feed (Google Merchant XML or ACP) and declare it in /.well-known/ucp and /llms.txt, or ensure every product page carries Product JSON-LD and is listed in the sitemap.
Publish /.well-known/ucp with at minimum a version field
Why this matters: Without `/.well-known/ucp`, Google's AI Mode can't identify your storefront as a UCP-conformant merchant.
Findings (1)
Inspected /.well-known/ucp for a parseable JSON document with a top-level version string.
How: Confirm ctx.wellKnownUcp is non-null and carries a non-empty version string (the only universally-required UCP profile field).
- /.well-known/ucp is not reachable or not parseable as JSON (HIGH)
Serve a JSON document at /.well-known/ucp with a top-level version string (e.g., "2026-04-08").
Add every required top-level key to the UCP profile
Why this matters: A profile missing one of the four required keys is treated as non-conformant — agent runtimes fall back to default behaviour and may skip the merchant.
Findings (1)
Wanted to inspect UCP root keys, but no profile was found.
How: Read the profile root (or top-level ucp wrapper) and verify the presence of version, services, capabilities, and signing_keys keys.
- No /.well-known/ucp profile present (HIGH)
Publish /.well-known/ucp first (see ucp-profile-present).
Declare a shopping service entry with a recognised transport and an HTTPS endpoint
Why this matters: Without a valid shopping service entry, agents can recognise you as a UCP merchant but have no way to fetch your catalog.
Findings (1)
Wanted to walk the UCP profile's services[] for a valid shopping entry, but no profile was found.
How: List every services[] entry whose namespace is shopping (or contains shopping) and require at least one with transport ∈ {rest,mcp,a2a,embedded} AND a syntactically valid https:// endpoint.
- No /.well-known/ucp profile present (HIGH)
Publish /.well-known/ucp first (see ucp-profile-present), then declare the shopping service.
Make every signing_keys[] entry a JWK with kty + kty-specific params
Why this matters: Malformed JWK entries are rejected silently by agents — signed payloads cannot be verified and the merchant loses trust signal.
Findings (1)
Wanted to validate signing_keys[], but no UCP profile was found.
How: Walk signing_keys[] and validate each entry per RFC 7517 §4.1 (kty required) + RFC 7518 §6 (kty-specific required parameters). kid is OPTIONAL per RFC 7517 §4.5 and not enforced here.
- No /.well-known/ucp profile present (HIGH)
Skipped — no /robots.txt was reachable so per-UA rules cannot be evaluated
Context: Microsoft Copilot Shopping ranks results from the Bing index; blocking Bingbot removes you from Copilot answers.
Why this was skipped
Wanted to evaluate whether Bingbot (Microsoft's web crawler — also the source for Copilot Shopping's index) is allowed at /, but no /robots.txt was reachable so per-UA rules cannot be evaluated.
How: RFC 9309 group match on User-agent: Bingbot rules at path / (via the parsed robots.txt isAllowed predicate).
Skipped — Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.
Context: AI agents quote your concrete return window in shopping cards. Without `merchantReturnDays`, your policy renders as 'has a return policy' without the headline number.
Why this was skipped
Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.
How: n/a
Skipped — Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.
Context: A policy node missing both shapes is invisible to agents — they can't render it, link to it, or quote your return terms.
Why this was skipped
Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.
How: n/a
Skipped — Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.
Context: Without the entry-point return-policy node, agents can't render or quote your return terms — they fall back to platform defaults or skip your store.
Why this was skipped
Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.
How: n/a
Skipped — Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.
Context: Agents suppress out-of-stock or ambiguous items; a valid availability URL keeps you eligible.
Why this was skipped
Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.
How: n/a
Skipped — Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.
Context: Without shippingDetails, AI agents fall back to vague defaults — they can't quote your rates, destinations, or delivery windows in shopping cards.
Why this was skipped
Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.
How: n/a
Skipped — Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.
Context: PDPs behind a login wall are silently dropped from Google's merchant listing and from every AI agent surface.
Why this was skipped
Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.
How: n/a
Skipped — Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.
Context: A noindex on the PDP makes it invisible to Google and ineligible for the merchant listing program.
Why this was skipped
Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.
How: n/a
Skipped — Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.
Context: Duplicate Product nodes on a single PDP cause Google's merchant scraper to drop the listing or pick the wrong variant.
Why this was skipped
Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.
How: n/a
Skipped — no /robots.txt was reachable so per-UA rules cannot be evaluated
Context: Perplexity's shopping recommendations are built from pages PerplexityBot was permitted to crawl.
Why this was skipped
Wanted to evaluate whether PerplexityBot (Perplexity's shopping index crawler) is allowed at /, but no /robots.txt was reachable so per-UA rules cannot be evaluated.
How: RFC 9309 group match on User-agent: PerplexityBot rules at path / (via the parsed robots.txt isAllowed predicate).
Skipped — Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.
Context: Brand on every product is a primary agent filter and a required feed field.
Why this was skipped
Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.
How: n/a
Skipped — Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.
Context: GTINs let agents match your product to the same item elsewhere; without them you lose cross-catalog matching.
Why this was skipped
Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.
How: n/a
Skipped — Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.
Context: Agents show your product image in shopping cards; a missing image weakens or drops the listing.
Why this was skipped
Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.
How: n/a
Skipped — Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.
Context: Product JSON-LD is how agents identify the canonical product entity without running JavaScript.
Why this was skipped
Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.
How: n/a
Skipped — Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.
Context: A product's name is the minimum an agent needs to list it.
Why this was skipped
Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.
How: n/a
Skipped — Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.
Context: Without an Offer, agents can't see that the product is for sale.
Why this was skipped
Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.
How: n/a
Skipped — No UCP profile present; Cache-Control policy is not evaluable.
Context: If your UCP profile says `no-cache`, agent runtimes re-fetch on every interaction — brittle at scale and prone to rate-limit failures.
Why this was skipped
No UCP profile present; Cache-Control policy is not evaluable.
How: Parse the Cache-Control header on the /.well-known/ucp response; require public, max-age ≥ 60, and no no-store/no-cache/private.
Skipped — No UCP profile present; Content-Type is not evaluable.
Context: Agent runtimes that gate parsing on Content-Type will skip your profile if it's served as HTML or plain text.
Why this was skipped
No UCP profile present; Content-Type is not evaluable.
How: Check that the Content-Type header on /.well-known/ucp starts with application/json (optionally with a charset parameter).
Skipped — No UCP profile reachable; public-fetch evaluation deferred to ucp-profile-present.
Context: Agents fetch `/.well-known/ucp` without credentials — a 401 or 403 means they never see the profile.
Why this was skipped
No UCP profile reachable; public-fetch evaluation deferred to ucp-profile-present.
How: Confirm an unauthenticated GET to /.well-known/ucp returns a 2xx status.
Skipped — No UCP profile present; redirect behaviour is not evaluable.
Context: Lightweight agent clients fetch `/.well-known/ucp` without following redirects — a 301/302 means they never see your profile.
Why this was skipped
No UCP profile present; redirect behaviour is not evaluable.
How: Inspect the final HTTP status of GET /.well-known/ucp and whether any 3xx redirect was followed to reach it.
Skipped — No UCP profile present.
Context: A service declared with the right transport but missing endpoint/schema is unreachable — agents can't negotiate or connect.
Why this was skipped
No UCP profile present.
How: For each services[] entry with a recognised transport, require the transport-conditional fields: rest/mcp → endpoint+schema; a2a → endpoint; embedded → schema.
Skipped — No UCP profile present.
Context: An unrecognised transport leaves agents with no handler to dispatch — your service appears absent.
Why this was skipped
No UCP profile present.
How: For each services[] entry, require transport to be one of: rest, mcp, a2a, embedded.
Add includeSubDomains to your Strict-Transport-Security header
Why this matters: Without includeSubDomains, an HTTP subdomain (staging, mail, …) can be used to attack the apex's cookies.
Findings (1)
Inspected the homepage Strict-Transport-Security header ("max-age=7889238") and the includeSubDomains directive is absent.
How: Parse the homepage Strict-Transport-Security header for the includeSubDomains directive (RFC 6797 §6.1.2).
- HSTS header is missing the includeSubDomains directive (MEDIUM)
What we found
max-age=7889238
What we expected
Strict-Transport-Security: max-age=31536000; includeSubDomains
Append ; includeSubDomains to your STS header once every subdomain you operate supports HTTPS.
Add an Organization (or OnlineStore) JSON-LD block to your homepage with a contactPoint
Why this matters: Organization markup with a contactPoint tells AI agents who you are and how a shopper can reach you for support.
Findings (1)
Parsed the homepage JSON-LD looking for an Organization/OnlineStore node with a contactPoint, but no Organization-class node is present.
How: Parse homepage <script type="application/ld+json"> blocks, flatten @graph, and look for an Organization/OnlineStore/Store node with a contactPoint carrying email or telephone.
- No Organization/OnlineStore JSON-LD on homepage (MEDIUM)
What we expected
<script type="application/ld+json">{"@context":"https://schema.org","@type":"OnlineStore","name":"Example Store","url":"https://example.com","contactPoint":[{"@type":"ContactPoint","contactType":"customer service","email":"support@example.com"}]}</script>
Add an Organization (or OnlineStore) JSON-LD block in the homepage <head> with a contactPoint.
Publish a sitemap containing product URLs
Why this matters: A sitemap that omits product URLs forces every crawler into slower, less complete frontier discovery.
Findings (1)
Tried to resolve an XML sitemap from robots.txt (Sitemap: directives) or /sitemap.xml. No entries were returned.
How: Parse <loc> entries from the resolved sitemap (or sitemap index) and classify each against product-URL patterns (/products/..., /product/..., /p/<id>, etc.).
- No XML sitemap was reachable, or it contained no <loc> entries (MEDIUM)
/sitemap.xml: 0 entries parsed
Publish a sitemap at /sitemap.xml that includes one <loc> entry per product.
Publish a shipping policy page and link it from your site nav/footer
Why this matters: Agents quote shipping terms to shoppers; without a reachable shipping policy they fall back to vague defaults or skip your store.
Findings (1)
Probed 4 candidate shipping-policy paths (nav-discovered + platform-conventional) and none returned a 2xx body.
How: Discover candidate URLs by scoring homepage nav/footer anchors for shipping/delivery/dispatch keywords, then append platform-conventional paths; probe each with politeFetch and pass on the first 2xx with ≥200 stripped-body chars.
- No shipping policy page reachable at any candidate URL (MEDIUM)
statuses: /policies/shipping-policy=404, /shipping=404, /shipping-policy=404, /pages/shipping=404
Publish a shipping policy page at /shipping-policy (or your platform's standard slug) with ≥200 chars of body text and link it from your footer.
Publish a returns policy page and link it from your site nav/footer
Why this matters: AI agents quote return terms to shoppers; missing returns pages are a baseline trust failure that suppresses you from agentic shopping cards.
Findings (1)
Reached a returns/refund policy page at http://hapetoys.returnscenter.com/ but its stripped body length (44 chars) is below the 200-char substantiveness threshold.
How: Discover candidate URLs by scoring homepage nav/footer anchors for return/refund/exchange keywords, then append platform-conventional paths; probe each with politeFetch and pass on the first 2xx with ≥200 stripped-body chars.
- Returns policy page reachable but too short to be substantive (MEDIUM)
/: 44 chars of stripped body text (need ≥ 200)
Expand the body to at least 200 characters covering window, conditions, and refund process.
Skipped — Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.
Context: A broken return-link makes Option B policies invisible — agents can't render or follow the link.
Why this was skipped
Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.
How: n/a
Skipped — Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.
Context: A non-ISO country is dropped silently; the policy looks present but never reaches the merchant-listing rich result.
Why this was skipped
Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.
How: n/a
Skipped — Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.
Context: An invalid category is silently dropped — your policy looks present in the source but never renders in Google's return-policy rich result.
Why this was skipped
Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.
How: n/a
Skipped — Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.
Context: Without a valid destination region, your shipping rate has no scope — Google can't decide whether to render it for a given shopper's country.
Why this was skipped
Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.
How: n/a
Skipped — Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.
Context: An invalid rate object is silently dropped; agents can't quote your shipping cost in shopping cards.
Why this was skipped
Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.
How: n/a
Skipped — Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.
Context: Brand on every product is a primary agent filter and a required feed field.
Why this was skipped
Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.
How: n/a
Skipped — Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.
Context: Agents quote your description to answer shopper questions; an empty description gives them nothing to work with.
Why this was skipped
Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.
How: n/a
Skipped — Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.
Context: A stable SKU lets agents track and re-identify your product across catalogs.
Why this was skipped
Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.
How: n/a
Skipped — Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.
Context: Placeholder titles like Default Title make products look broken to agents.
Why this was skipped
Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.
How: n/a
Skipped — no robots.txt was reachable
Context: Declaring the sitemap in robots.txt is the simplest way to point every crawler at your full product list.
Why this was skipped
Wanted to read Sitemap: directives from /robots.txt, but no robots.txt was reachable.
How: Read parsed Sitemap: directives from robots.txt (sitemaps.org / RFC 9309 implementation note).
Skipped — the runner did not surface any sitemap resources
Context: Unescaped `&` is the single most common cause of sitemap parse errors that drop product URLs silently.
Why this was skipped
Wanted to inspect sampled <loc> entries for entity escaping, but the runner did not surface any sitemap resources.
How: Sample the first 100 <loc> entries per sitemap document and check for raw &, <, or > (sitemaps.org entity escaping rules).
- Transport metadata not available — runner update pending (LOW)
Skipped — the runner did not surface any sitemap resources
Context: Cross-host sitemap entries are silently dropped, so the off-host product URLs effectively don't exist for the crawler.
Why this was skipped
Wanted to compare sitemap entry hosts against the containing sitemap, but the runner did not surface any sitemap resources.
How: For each resolved sitemap resource, parse the sitemap URL's host and compare it against every parsed <loc> URL's host.
- Transport metadata not available — runner update pending (LOW)
Skipped — the runner did not surface any sitemap resources
Context: Schema-validating crawlers reject sitemaps with a missing or wrong namespace.
Why this was skipped
Wanted to check the xmlns declaration on every resolved sitemap document, but the runner did not surface any sitemap resources.
How: Substring-match xmlns="http://www.sitemaps.org/schemas/sitemap/0.9" against the raw XML of every resolved sitemap document.
- Transport metadata not available — runner update pending (LOW)
Skipped — No UCP profile present.
Context: Capabilities missing version/spec/schema can't be matched against agent support tables — agents skip them silently.
Why this was skipped
No UCP profile present.
How: For each capabilities[] entry, require non-empty string values for version, spec, and schema.
Skipped — No UCP profile present.
Context: A spec URL on an unrelated authority signals the service was copy-pasted from stale documentation — agents can't trust the conformance claim.
Why this was skipped
No UCP profile present.
How: For each service with a spec URL, require the URL origin to be a canonical UCP authority OR the host/path to include the namespace token.
Skipped — No UCP profile present; service version formats are not evaluable.
Context: Free-form version labels like `1.0` or `latest` defeat the version-pinning agents rely on, leaving them unable to negotiate the correct spec generation.
Why this was skipped
No UCP profile present; service version formats are not evaluable.
How: For each services[] entry, require version to be a string matching /^\d{4}-\d{2}-\d{2}$/.
Add preload to your Strict-Transport-Security header and submit to hstspreload.org
Why this matters: HSTS preload-list inclusion is the strongest downgrade protection available — first-time visits are protected too.
Findings (1)
Inspected the homepage Strict-Transport-Security header ("max-age=7889238") and the preload directive is absent.
How: Parse the homepage Strict-Transport-Security header for the preload directive (hstspreload.org vendor extension to RFC 6797).
- HSTS header is missing the preload directive (LOW)
What we found
max-age=7889238
What we expected
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Append ; preload after includeSubDomains and submit your domain at https://hstspreload.org/.
Publish a substantive About page at a standard URL
Why this matters: Perplexity and ChatGPT use About-page text to summarise your brand to shoppers in answer responses.
Findings (1)
Probed 4 candidate About-page paths and none returned a 2xx body.
How: URL probe of platform-specific about-page paths via politeFetch; the first 2xx response whose HTML-stripped body length is ≥ 200 chars counts as a pass.
- No About page reachable at any standard URL (LOW)
statuses: /pages/about=404, /pages/about-us=404, /about=404, /about-us=404
Publish an About page at /about (or your platform's standard path) with ≥ 200 chars of body text.
Skipped — Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.
Context: Breadcrumbs help agents understand where a product sits in your catalog.
Why this was skipped
Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.
How: n/a
Skipped — no /robots.txt was reachable so per-UA rules cannot be evaluated
Context: Explicitly allowing ChatGPT-User removes ambiguity about whether ChatGPT can fetch pages during user actions.
Why this was skipped
Wanted to evaluate whether ChatGPT-User (OpenAI's user-initiated live fetcher (advisory)) is allowed at /, but no /robots.txt was reachable so per-UA rules cannot be evaluated.
How: RFC 9309 group match on User-agent: ChatGPT-User rules at path / (via the parsed robots.txt isAllowed predicate).
Skipped — Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.
Context: Alt text is the only text description AI agents and screen readers have for your product imagery.
Why this was skipped
Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.
How: n/a
Skipped — Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.
Context: Tiny product images get dropped from Google’s shopping rich-result modules and are unhelpful to AI agents quoting your product visually.
Why this was skipped
Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.
How: n/a
Skipped — Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.
Context: Invalid enrichment values are dropped silently, leaving merchants confused about why their rendered policy is missing fields they configured.
Why this was skipped
Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.
How: n/a
Skipped — Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.
Context: When you declare itemCondition, agents and Google require a canonical Schema.org IRI; free-text values get ignored.
Why this was skipped
Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.
How: n/a
Skipped — Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.
Context: Without populated handling/transit times, agents can't quote a delivery window in shopping cards.
Why this was skipped
Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.
How: n/a
Skipped — no /robots.txt was reachable so per-UA rules cannot be evaluated
Context: Explicitly allowing Perplexity-User removes ambiguity about whether Perplexity can fetch pages live during user actions.
Why this was skipped
Wanted to evaluate whether Perplexity-User (Perplexity's live user-initiated fetcher (advisory)) is allowed at /, but no /robots.txt was reachable so per-UA rules cannot be evaluated.
How: RFC 9309 group match on User-agent: Perplexity-User rules at path / (via the parsed robots.txt isAllowed predicate).
Skipped — Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.
Context: Review ratings are a trust signal agents use to rank and filter products.
Why this was skipped
Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.
How: n/a
Skipped — Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.
Context: Empty or all-caps product titles signal low quality to agents and trigger Google Merchant Center policy flags.
Why this was skipped
Couldn't confidently identify product pages (found 0), so product-level checks aren't applicable.
How: n/a
Skipped — No /robots.txt was reachable, so the content-type check has nothing to evaluate.
Context: A wrong content type makes strict crawlers ignore the file entirely and fall back to permissive defaults.
Why this was skipped
No /robots.txt was reachable, so the content-type check has nothing to evaluate.
How: Inspect the /robots.txt response Content-Type header for a text/plain media type per RFC 9309 §2.3.
- No /robots.txt reachable — content-type check skipped [LOW]
Skipped — No /robots.txt was reachable, so the size check has nothing to evaluate.
Context: An oversized robots.txt is truncated by Google and Bing — trailing rules and Sitemap directives are silently lost.
Why this was skipped
No /robots.txt was reachable, so the size check has nothing to evaluate.
How: Measure the raw byte size of the /robots.txt body and compare against the RFC 9309 §2.5 parser cap (≥ 500 KiB).
- No /robots.txt reachable — size check skipped [LOW]
Skipped — No /robots.txt was reachable, so the encoding check has nothing to evaluate (see robots-txt-present).
Context: Non-UTF-8 robots files are silently dropped by Google's parser; the merchant loses all per-UA control.
Why this was skipped
No /robots.txt was reachable, so the encoding check has nothing to evaluate (see robots-txt-present).
How: Inspect the raw byte stream of /robots.txt for UTF-8 decodability per RFC 9309 §2.3.
- No /robots.txt reachable — encoding check skipped [LOW]
Skipped — the runner did not surface any sitemap resources
Context: Strict crawlers drop over-cap URLs without surfacing the error, so over-cap product entries effectively vanish.
Why this was skipped
Wanted to check <loc> URL lengths across every resolved sitemap document, but the runner did not surface any sitemap resources.
How: Iterate every parsed <loc> URL across all resolved sitemap resources and check length against the 2,048-character cap.
- Transport metadata not available — runner update pending [LOW]
Skipped — the runner did not surface any sitemap resources
Context: Over-cap sitemaps are silently dropped — neither byte overflow nor entry overflow surfaces a crawler error.
Why this was skipped
Wanted to verify each sitemap's byte size and entry count against sitemaps.org caps, but the runner did not surface any sitemap resources.
How: Check raw byte size (≤ 52,428,800 B) and entry count (≤ 50,000) for every resolved sitemap resource.
- Transport metadata not available — runner update pending [LOW]
Skipped — the runner did not surface any sitemap resources with transport metadata
Context: Non-UTF-8 sitemaps are silently dropped by Search Console and trip default XML parsers used by other crawlers.
Why this was skipped
Wanted to check the encoding of every resolved sitemap document, but the runner did not surface any sitemap resources with transport metadata.
How: Inspect every resolved sitemap document's raw byte stream for UTF-8 decodability (sitemaps.org encoding requirement).
- Transport metadata not available — runner update pending [LOW]
This check activates once the runner (Task I1) populates ctx.sitemapResources with raw bytes + headers.
Skipped — No UCP profile found; MCP transport validity is not evaluable.
Context: If you advertise MCP transport, agents will try to connect — broken or non-HTTPS endpoints fail silently and lose the integration.
Why this was skipped
No UCP profile found; MCP transport validity is not evaluable.
How: Filter services[] to entries where transport=mcp and validate that endpoint is an absolute https:// URL.
Enable Apple Pay through your payment processor (informational only)
Why this matters: Apple Pay is a checkout-quality signal for human shoppers — informational only, does not affect the agent-readiness score.
Findings (1)
Scanned the homepage and 0 sampled PDPs for Apple Pay markers; none matched.
How: Substring match on known Apple Pay SDK/markup signatures (ApplePaySession, apple-pay-button, /apple-developer-merchantid-domain-association) across the homepage and every sampled PDP HTML.
- No Apple Pay markers detected on the homepage or PDPs [INFO]
Enable Apple Pay in your payment processor's dashboard (Stripe / Adyen / Braintree). Informational only — does not affect the score.
Enable Google Pay through your payment processor (informational only)
Why this matters: Google Pay is a checkout-quality signal for human shoppers — informational only, does not affect the agent-readiness score.
Findings (1)
Scanned the homepage and 0 sampled PDPs for Google Pay markers; none matched.
How: Substring match on known Google Pay SDK/markup signatures (pay.google.com/gp/p/js/pay.js, google.payments.api, <google-pay-button) across the homepage and every sampled PDP HTML.
- No Google Pay markers detected on the homepage or PDPs [INFO]
Enable Google Pay in your payment processor's dashboard (Stripe / Adyen / Braintree). Informational only — does not affect the score.
Skipped — Looked for /llms.txt at the site root; the fetcher returned no file.
Context: An /llms.txt manifest points agents at your feed and key pages without them having to guess.
Why this was skipped
Looked for /llms.txt at the site root; the fetcher returned no file.
How: Check whether the fetcher reached an /llms.txt at the site root. Informational only — no failure path per llmstxt.org being a voluntary community convention.