kapiva.in

Audited 6 days ago · bigcommerce

Score 92 · Grade A

Agent-readiness across all five AI commerce surfaces.

9 failing · 10 not checked · 19 shown

10 checks couldn't run on this store — each is listed below with the reason. Your score reflects only what we could verify.

HALF · CRITICAL
HTTPS enforced sitewide + HSTS (≥ 6-month max-age) · https-and-hsts-enforced · HSTS

Enforce HTTPS sitewide and ship a Strict-Transport-Security header with max-age ≥ 6 months

Why this matters: AI agents and payment flows refuse plain HTTP; weak HSTS is treated as effectively no HSTS by trust-and-safety scanners.

Findings (1)

Confirmed the homepage is HTTPS (status 200), probed http://kapiva.in/ for redirect behaviour, and parsed the Strict-Transport-Security header (absent).

How: URL scheme + homepage status check, an http://host/ redirect probe through politeFetch, and a Strict-Transport-Security max-age parse (RFC 6797; ≥ 180-day threshold).

  • No Strict-Transport-Security header on the homepage response (CRITICAL)

    /

    Add Strict-Transport-Security: max-age=31536000; includeSubDomains to every HTTPS response.

FAIL · HIGH
UCP profile carries all four required top-level keys · ucp-profile-required-keys · UCP

Add every required top-level key to the UCP profile

Why this matters: A profile missing one of the four required keys is treated as non-conformant — agent runtimes fall back to default behaviour and may skip the merchant.

Findings (1)

Profile is missing required key(s): signing_keys.

How: Read the profile root (or top-level ucp wrapper) and verify the presence of version, services, capabilities, and signing_keys keys.

  • Required top-level key signing_keys is missing (HIGH)

    /.well-known/ucp

    What we expected

    Add a top-level "signing_keys" field to the JSON document (empty array/object is fine).

    Set signing_keys at the root of the JSON document.

FAIL · HIGH
Each service satisfies the transport-conditional field requirements · ucp-service-transport-conditional-fields · UCP

Populate the conditional fields required by each service's transport

Why this matters: A service declared with the right transport but missing endpoint/schema is unreachable — agents can't negotiate or connect.

Findings (1)

Validated 1 service with a recognised transport (0 satisfy the transport's required fields).

How: For each services[] entry with a recognised transport, require the transport-conditional fields: rest/mcp → endpoint+schema; a2a → endpoint; embedded → schema.

Coverage

0/1 · 0%

  • Service is missing transport-conditional field(s) (HIGH)

    /.well-known/ucp · namespace=dev.ucp.shopping; transport=rest

    What we found

    missing: schema

    What we expected

    `endpoint` + `schema`

    Add schema to this services[] entry.

N/A · HIGH
Every signing_keys[] entry is a valid JWK · ucp-signing-keys-valid · JWKS

Skipped — Profile declares no signing_keys; JWK validation has no entries to evaluate.

Context: Malformed JWK entries are rejected silently by agents — signed payloads cannot be verified and the merchant loses trust signal.

How: Walk signing_keys[] and validate each entry per RFC 7517 §4.1 (kty required) + RFC 7518 §6 (kty-specific required parameters). kid is OPTIONAL per RFC 7517 §4.5 and not enforced here.

FAIL · MEDIUM
Organization/OnlineStore JSON-LD with contactPoint on homepage · organization-jsonld-with-contact · Schema.org

Add an Organization (or OnlineStore) JSON-LD block to your homepage with a contactPoint

Why this matters: Organization markup with a contactPoint tells AI agents who you are and how a shopper can reach you for support.

Findings (1)

Parsed the homepage JSON-LD looking for an Organization/OnlineStore node with a contactPoint, but no Organization-class node is present.

How: Parse homepage <script type="application/ld+json"> blocks, flatten @graph, and look for an Organization/OnlineStore/Store node with a contactPoint carrying email or telephone.

  • No Organization/OnlineStore JSON-LD on homepage (MEDIUM)

    /

    What we expected

    <script type="application/ld+json">{"@context":"https://schema.org","@type":"OnlineStore","name":"Example Store","url":"https://example.com","contactPoint":[{"@type":"ContactPoint","contactType":"customer service","email":"support@example.com"}]}</script>

    Add an Organization (or OnlineStore) JSON-LD block in the homepage <head> with a contactPoint.

FAIL · MEDIUM
Third-party review-platform integration detected · review-app-detected · Schema.org

Install a third-party review platform so agents see syndicated reviews on your storefront

Why this matters: Third-party review widgets feed the ratings AI agents trust when ranking merchants.

Findings (1)

Scanned the homepage and 20 sampled PDPs for 8 review-platform asset fingerprints; none matched.

How: Substring scan of homepage and sampled PDP HTML for known review-platform asset fingerprints (judge.me, yotpo, stamped.io, reviews.io, okendo, loox, trustpilot, bazaarvoice).

  • No third-party review-platform integration detected (MEDIUM)

    none of 8 fingerprints matched across 21 sources

    Install a Judge.me / Yotpo / Loox / Okendo / Stamped / Reviews.io / Trustpilot / Bazaarvoice widget on your storefront.

N/A · MEDIUM
HSTS policy carries the includeSubDomains directive · hsts-include-subdomains · HSTS

Skipped — HSTS itself is not enabled

Context: Without includeSubDomains, an HTTP subdomain (staging, mail, …) can be used to attack the apex's cookies.

Why this was skipped

Looked for includeSubDomains in the Strict-Transport-Security header, but HSTS itself is not enabled.

How: Parse the homepage Strict-Transport-Security header for the includeSubDomains directive (RFC 6797 §6.1.2).

  • HSTS not enabled; check https-and-hsts-enforced first. (MEDIUM)

    /

    Fix https-and-hsts-enforced first — once HSTS ships, re-run this check.

N/A · MEDIUM
MerchantReturnPolicy merchantReturnLink URL is reachable · merchant-return-link-reachable · Returns

Skipped — No MerchantReturnPolicy node carried a `merchantReturnLink` URL, so reachability has nothing to evaluate.

Context: A broken return-link makes Option B policies invisible — agents can't render or follow the link.

How: Collect every unique merchantReturnLink URL across all MerchantReturnPolicy nodes; probe each once via politeFetch (failSoft). 2xx counts as reachable.

N/A · MEDIUM
OfferShippingDetails shippingRate is a valid MonetaryAmount · offer-shipping-rate-valid · Shipping

Skipped — No OfferShippingDetails node carried `shippingRate`, so the MonetaryAmount check has nothing to evaluate.

Context: An invalid rate object is silently dropped; agents can't quote your shipping cost in shopping cards.

How: On each OfferShippingDetails node where shippingRate is set, require an object with numeric value/maxValue (typed or numeric string) and a 3-letter ISO 4217 currency.

N/A · MEDIUM
Each capability has version + spec + schema · ucp-capability-required-fields · UCP

Skipped — Profile declares no capabilities; required-field checks have nothing to evaluate.

Context: Capabilities missing version/spec/schema can't be matched against agent support tables — agents skip them silently.

How: For each capabilities[] entry, require non-empty string values for version, spec, and schema.

N/A · MEDIUM
Each service's `spec` URL origin matches its namespace authority · ucp-service-spec-url-origin-matches · UCP

Skipped — No services declared a `spec` URL; origin matching has nothing to evaluate.

Context: A spec URL on an unrelated authority signals the service was copy-pasted from stale documentation — agents can't trust the conformance claim.

How: For each service with a spec URL, require the URL origin to be a canonical UCP authority OR the host/path to include the namespace token.

FAIL · LOW
Alt text on at least 80% of PDP images · image-alt-text-coverage · WCAG

Add descriptive alt text to product images (WCAG 2.x SC 1.1.1)

Why this matters: Alt text is the only text description AI agents and screen readers have for your product imagery.

Findings (11)

Parsed <img> alt attributes across 20 sampled product pages (0 have alt text on at least 80% of images).

How: Per PDP, count <img> tags via regex; a tag 'has alt text' when its alt attribute is present AND non-empty after trim. A PDP passes when it carries no <img> at all OR ≥80% of its <img> tags have non-empty alt.

Coverage

0/20 · 0%

FAIL · LOW
BreadcrumbList present on PDPs · breadcrumb-list-present · Schema.org

Add a BreadcrumbList JSON-LD block to every PDP

Why this matters: Breadcrumbs help agents understand where a product sits in your catalog.

Findings (11)

Searched JSON-LD on 20 sampled product pages for a BreadcrumbList (0 found, 0%).

How: Search every JSON-LD block on each PDP for @type: BreadcrumbList with a non-empty itemListElement.

Coverage

0/20 · 0%

N/A · LOW
HSTS policy carries the preload directive · hsts-preload-directive · HSTS

Skipped — HSTS itself is not enabled

Context: HSTS preload-list inclusion is the strongest downgrade protection available — first-time visits are protected too.

Why this was skipped

Looked for the preload directive in the Strict-Transport-Security header, but HSTS itself is not enabled.

How: Parse the homepage Strict-Transport-Security header for the preload directive (hstspreload.org vendor extension to RFC 6797).

  • HSTS not enabled; check https-and-hsts-enforced first. (LOW)

    /

    Fix https-and-hsts-enforced first — once HSTS ships, re-run this check.

N/A · LOW
OfferShippingDetails deliveryTime is a valid ShippingDeliveryTime · offer-shipping-delivery-time-valid · Shipping

Skipped — No OfferShippingDetails node carried `deliveryTime`, so the ShippingDeliveryTime check has nothing to evaluate.

Context: Without populated handling/transit times, agents can't quote a delivery window in shopping cards.

How: On each OfferShippingDetails node where deliveryTime is set, require an object with at least one of handlingTime / transitTime populated as a QuantitativeValue.

N/A · LOW
UCP MCP-transport entries have valid HTTPS endpoints · ucp-mcp-transport-valid · UCP

Skipped — Walked services[] for `transport: "mcp"` entries; none advertised.

Context: If you advertise MCP transport, agents will try to connect — broken or non-HTTPS endpoints fail silently and lose the integration.

How: Filter services[] to entries where transport=mcp and validate that endpoint is an absolute https:// URL.

FAIL · INFO
Apple Pay markers detected (informational) · apple-pay-detected · Schema.org

Enable Apple Pay through your payment processor (informational only)

Why this matters: Apple Pay is a checkout-quality signal for human shoppers — informational only, does not affect the agent-readiness score.

Findings (1)

Scanned the homepage and 20 sampled PDPs for Apple Pay markers; none matched.

How: Substring match on known Apple Pay SDK/markup signatures (ApplePaySession, apple-pay-button, /apple-developer-merchantid-domain-association) across the homepage and every sampled PDP HTML.

  • No Apple Pay markers detected on the homepage or PDPs (INFO)

    /

    Enable Apple Pay in your payment processor's dashboard (Stripe / Adyen / Braintree). Informational only — does not affect the score.

FAIL · INFO
Google Pay markers detected (informational) · google-pay-detected · Schema.org

Enable Google Pay through your payment processor (informational only)

Why this matters: Google Pay is a checkout-quality signal for human shoppers — informational only, does not affect the agent-readiness score.

Findings (1)

Scanned the homepage and 20 sampled PDPs for Google Pay markers; none matched.

How: Substring match on known Google Pay SDK/markup signatures (pay.google.com/gp/p/js/pay.js, google.payments.api, <google-pay-button) across the homepage and every sampled PDP HTML.

  • No Google Pay markers detected on the homepage or PDPs (INFO)

    /

    Enable Google Pay in your payment processor's dashboard (Stripe / Adyen / Braintree). Informational only — does not affect the score.

N/A · INFO
llms.txt present (informational) · llms-txt-present · llms.txt

Skipped — Looked for /llms.txt at the site root; the fetcher returned no file.

Context: An /llms.txt manifest points agents at your feed and key pages without them having to guess.

How: Check whether the fetcher reached an /llms.txt at the site root. Informational only; there is no failure path, since llmstxt.org is a voluntary community convention.

Engine 2.0.0 · ACP 2026-04-17 · UCP 2026-04-08
