madbarn.com
Audited 5 days ago· woocommerce
Agent-readiness across all five AI commerce surfaces.
Surfaces — click to filter
16 failing · 24 not checked · 40 shown
24 checks couldn't run on this store — each is listed below with the reason. Your score reflects only what we could verify.
Enforce HTTPS sitewide and ship a Strict-Transport-Security header with max-age ≥ 6 months
Why this matters: AI agents and payment flows refuse plain HTTP; weak HSTS is treated as effectively no HSTS by trust-and-safety scanners.
Findings (1)
Confirmed the homepage is HTTPS (status 200), probed http://madbarn.com/ for redirect behaviour, and parsed the Strict-Transport-Security header (absent).
How: URL scheme + homepage status check, an http://host/ redirect probe through politeFetch, and a Strict-Transport-Security max-age parse (RFC 6797; ≥ 180-day threshold).
- No Strict-Transport-Security header on the homepage responseCRITICAL
Add
Strict-Transport-Security: max-age=31536000; includeSubDomainsto every HTTPS response.
Remove the noindex directive from every PDP
Why this matters: A noindex on the PDP makes it invisible to Google and ineligible for the merchant listing program.
Findings (7)
Sampled 20 PDP(s); 7 returned a noindex directive.
How: For each sampled PDP, inspect the HTML for <meta name="robots" content="...noindex..."> and the response headers for X-Robots-Tag: ...noindex....
Coverage
13/20 · 65%
- PDP returns noindex (html)HIGH× 4
What we found
<meta name="robots" content="noindex, noimageindex, max-snippet:-1, max-video-preview:-1" />What we expected
<meta name="robots" content="index, follow">Remove the noindex directive from both the meta tag and the X-Robots-Tag header on this route.
Affected (4)
- /product/baseball-hatcontent: noindex, noimageindex, max-snippet:-1, max-video-preview:-1
- /product/pumpcontent: noindex, noimageindex, max-snippet:-1, max-video-preview:-1
- /product/toquecontent: noindex, noimageindex, max-snippet:-1, max-video-preview:-1
- /product/riding-sockscontent: noindex, noimageindex, max-snippet:-1, max-video-preview:-1
- PDP returns noindex (html)HIGH× 3
What we found
<meta name="robots" content="noindex, max-snippet:-1, max-image-preview:large, max-video-preview:-1" />What we expected
<meta name="robots" content="index, follow">Remove the noindex directive from both the meta tag and the X-Robots-Tag header on this route.
Affected (3)
- /product/swag-bagcontent: noindex, max-snippet:-1, max-image-preview:large, max-video-preview:-1
- /product/fanny-packcontent: noindex, max-snippet:-1, max-image-preview:large, max-video-preview:-1
- /product/swag-packcontent: noindex, max-snippet:-1, max-image-preview:large, max-video-preview:-1
Emit a single Product JSON-LD node per PDP
Why this matters: Duplicate Product nodes on a single PDP cause Google's merchant scraper to drop the listing or pick the wrong variant.
Findings (7)
Sampled 20 PDP(s); 7 carried multiple Product JSON-LD nodes.
How: For each sampled PDP, count JSON-LD nodes whose @type is Product or whose @type array contains Product. Each PDP must expose at most one.
Coverage
13/20 · 65%
- PDP exposes 2 Product JSON-LD nodesHIGH× 2
Emit exactly one Product JSON-LD block per PDP; model variants via
hasVariantor multiple Offer children.Affected (2)
- /product/psyllium2 Product nodes detected
- /product/nocr2 Product nodes detected
- PDP exposes 3 Product JSON-LD nodesHIGH× 5
Emit exactly one Product JSON-LD block per PDP; model variants via
hasVariantor multiple Offer children.Affected (5)
- /product/acetyl-l-carnitine3 Product nodes detected
- /product/biotin3 Product nodes detected
- /product/zinc-copper3 Product nodes detected
- /product/three-amigos3 Product nodes detected
- /product/threonine3 Product nodes detected
Make every MerchantReturnPolicy node satisfy Option A or Option B
Why this matters: A policy node missing both shapes is invisible to agents — they can't render it, link to it, or quote your return terms.
Findings (11)
Inspected 15 MerchantReturnPolicy nodes across 15 PDPs (0 satisfy Option A or B, 0%).
How: For each PDP, walk every hasMerchantReturnPolicy node (Product or Offer level) and require either (applicableCountry + returnPolicyCategory) OR a syntactically-valid merchantReturnLink URL.
Coverage
0/15 · 0%
- MerchantReturnPolicy node fails Option A and Option BHIGH× 10
Add (applicableCountry + returnPolicyCategory) or merchantReturnLink to this policy node.
Affected (10)
- /product/psylliumnode missing Option A or B (lacks: returnPolicyCategory, applicableCountry (ISO alpha-2), merchantReturnLink (URL))
- /product/baseball-hatnode missing Option A or B (lacks: returnPolicyCategory, applicableCountry (ISO alpha-2), merchantReturnLink (URL))
- /product/swag-bagnode missing Option A or B (lacks: returnPolicyCategory, applicableCountry (ISO alpha-2), merchantReturnLink (URL))
- /product/nocrnode missing Option A or B (lacks: returnPolicyCategory, applicableCountry (ISO alpha-2), merchantReturnLink (URL))
- /product/pumpnode missing Option A or B (lacks: returnPolicyCategory, applicableCountry (ISO alpha-2), merchantReturnLink (URL))
- /product/fanny-packnode missing Option A or B (lacks: returnPolicyCategory, applicableCountry (ISO alpha-2), merchantReturnLink (URL))
- /product/swag-packnode missing Option A or B (lacks: returnPolicyCategory, applicableCountry (ISO alpha-2), merchantReturnLink (URL))
- /product/toquenode missing Option A or B (lacks: returnPolicyCategory, applicableCountry (ISO alpha-2), merchantReturnLink (URL))
- /product/acetyl-l-carnitinenode missing Option A or B (lacks: returnPolicyCategory, applicableCountry (ISO alpha-2), merchantReturnLink (URL))
- /product/forage-analysisnode missing Option A or B (lacks: returnPolicyCategory, applicableCountry (ISO alpha-2), merchantReturnLink (URL))
…and 1 more
Publish /.well-known/ucp with at minimum a version field
Why this matters: Without `/.well-known/ucp`, Google's AI Mode can't identify your storefront as a UCP-conformant merchant.
Findings (1)
Inspected /.well-known/ucp for a parseable JSON document with a top-level version string.
How: Confirm ctx.wellKnownUcp is non-null and carries a non-empty version string (the only universally-required UCP profile field).
- /.well-known/ucp is not reachable or not parseable as JSONHIGH
Serve a JSON document at /.well-known/ucp with a top-level
versionstring (e.g., "2026-04-08").
Add every required top-level key to the UCP profile
Why this matters: A profile missing one of the four required keys is treated as non-conformant — agent runtimes fall back to default behaviour and may skip the merchant.
Findings (1)
Wanted to inspect UCP root keys, but no profile was found.
How: Read the profile root (or top-level ucp wrapper) and verify the presence of version, services, capabilities, and signing_keys keys.
- No /.well-known/ucp profile presentHIGH
Publish /.well-known/ucp first (see ucp-profile-present).
Declare a shopping service entry with a recognised transport and an HTTPS endpoint
Why this matters: Without a valid shopping service entry, agents can recognise you as a UCP merchant but have no way to fetch your catalog.
Findings (1)
Wanted to walk the UCP profile's services[] for a valid shopping entry, but no profile was found.
How: List every services[] entry whose namespace is shopping (or contains shopping) and require at least one with transport ∈ {rest,mcp,a2a,embedded} AND a syntactically valid https:// endpoint.
- No /.well-known/ucp profile presentHIGH
Publish /.well-known/ucp first (see ucp-profile-present), then declare the shopping service.
Make every signing_keys[] entry a JWK with kty + kty-specific params
Why this matters: Malformed JWK entries are rejected silently by agents — signed payloads cannot be verified and the merchant loses trust signal.
Findings (1)
Wanted to validate signing_keys[], but no UCP profile was found.
How: Walk signing_keys[] and validate each entry per RFC 7517 §4.1 (kty required) + RFC 7518 §6 (kty-specific required parameters). kid is OPTIONAL per RFC 7517 §4.5 and not enforced here.
- No /.well-known/ucp profile presentHIGH
Publish a Product JSON-LD block on every PDP
Why this matters: Product JSON-LD is how agents identify the canonical product entity without running JavaScript.
Findings (5)
Parsed JSON-LD on 20 sampled product pages for a Product node (15 found, 75%).
How: Walk each sampled PDP's parsed jsonLdBlocks, flatten @graph containers, and count the page as passing if any node has @type Product / ProductGroup / IndividualProduct / ProductModel.
Coverage
15/20 · 75%
- No Product JSON-LD on this PDPHIGH× 5
Add a
<script type="application/ld+json">block with@type: Productto the PDP<head>.
Surface brand attribution on every PDP
Why this matters: Brand on every product is a primary agent filter and a required feed field.
Findings (5)
Checked 20 sampled product pages for brand attribution via Product JSON-LD or visible HTML signals (15 attributed, 75%).
How: On each PDP, accept brand attribution from either (a) extractBrand on the first Product JSON-LD node OR (b) an HTML brand signal (OG product:brand, brand meta, og:brand, Microdata itemprop="brand").
Coverage
15/20 · 75%
- No brand attribution on this PDP (neither JSON-LD
brandnor OG/Microdata)HIGH× 5Add
brandto the Product JSON-LD or a<meta property="product:brand">tag.
Populate gtin on every branded Product node
Why this matters: GTINs let agents match your product to the same item elsewhere; without them you lose cross-catalog matching.
Findings (5)
Checked 20 sampled product pages for a GTIN in the Product JSON-LD (15 carry a valid GTIN, 75%).
How: Extract gtin / gtin8 / gtin12 / gtin13 / gtin14 from the first Product JSON-LD node on each PDP; validate digit length.
Coverage
15/20 · 75%
- No valid GTIN on this product pageHIGH× 5
Populate gtin/gtin8/gtin12/gtin13/gtin14 with the manufacturer's barcode.
Skipped — No MerchantReturnPolicy node used the MerchantReturnFiniteReturnWindow category, so the `merchantReturnDays` check has nothing to evaluate.
Context: AI agents quote your concrete return window in shopping cards. Without `merchantReturnDays`, your policy renders as 'has a return policy' without the headline number.
Why this was skipped
No MerchantReturnPolicy node used the MerchantReturnFiniteReturnWindow category, so the merchantReturnDays check has nothing to evaluate.
How: For each MerchantReturnPolicy node whose returnPolicyCategory normalizes to MerchantReturnFiniteReturnWindow, require merchantReturnDays to be a positive number (or a numeric string > 0).
Skipped — No UCP profile present; Cache-Control policy is not evaluable.
Context: If your UCP profile says `no-cache`, agent runtimes re-fetch on every interaction — brittle at scale and prone to rate-limit failures.
Why this was skipped
No UCP profile present; Cache-Control policy is not evaluable.
How: Parse the Cache-Control header on the /.well-known/ucp response; require public, max-age ≥ 60, and no no-store/no-cache/private.
Skipped — No UCP profile present; Content-Type is not evaluable.
Context: Agent runtimes that gate parsing on Content-Type will skip your profile if it's served as HTML or plain text.
Why this was skipped
No UCP profile present; Content-Type is not evaluable.
How: Check that the Content-Type header on /.well-known/ucp starts with application/json (optionally with a charset parameter).
Skipped — No UCP profile reachable; public-fetch evaluation deferred to ucp-profile-present.
Context: Agents fetch `/.well-known/ucp` without credentials — a 401 or 403 means they never see the profile.
Why this was skipped
No UCP profile reachable; public-fetch evaluation deferred to ucp-profile-present.
How: Confirm an unauthenticated GET to /.well-known/ucp returns a 2xx status.
Skipped — No UCP profile present; redirect behaviour is not evaluable.
Context: Lightweight agent clients fetch `/.well-known/ucp` without following redirects — a 301/302 means they never see your profile.
Why this was skipped
No UCP profile present; redirect behaviour is not evaluable.
How: Inspect the final HTTP status of GET /.well-known/ucp and whether any 3xx redirect was followed to reach it.
Skipped — No UCP profile present.
Context: A service declared with the right transport but missing endpoint/schema is unreachable — agents can't negotiate or connect.
Why this was skipped
No UCP profile present.
How: For each services[] entry with a recognised transport, require the transport-conditional fields: rest/mcp → endpoint+schema; a2a → endpoint; embedded → schema.
Skipped — No UCP profile present.
Context: An unrecognised transport leaves agents with no handler to dispatch — your service appears absent.
Why this was skipped
No UCP profile present.
How: For each services[] entry, require transport to be one of: rest, mcp, a2a, embedded.
Add an Organization (or OnlineStore) JSON-LD block to your homepage with a contactPoint
Why this matters: Organization markup with a contactPoint tells AI agents who you are and how a shopper can reach you for support.
Findings (1)
Found a homepage Organization node but its contactPoint is missing both email and telephone.
How: Parse homepage <script type="application/ld+json"> blocks, flatten @graph, and look for an Organization/OnlineStore/Store node with a contactPoint carrying email or telephone.
- Homepage Organization node has no contactPoint with email or telephoneMEDIUM
What we expected
"contactPoint": [{"@type":"ContactPoint","contactType":"customer service","email":"support@example.com","telephone":"+1-555-123-4567"}]Add a contactPoint object with at least one of
emailortelephone.
Publish a sitemap containing product URLs
Why this matters: A sitemap that omits product URLs forces every crawler into slower, less complete frontier discovery.
Findings (1)
Tried to resolve an XML sitemap from robots.txt (Sitemap: directives) or /sitemap.xml. No entries were returned.
How: Parse <loc> entries from the resolved sitemap (or sitemap index) and classify each against product-URL patterns (/products/..., /product/..., /p/<id>, etc.).
- No XML sitemap was reachable, or it contained no <loc> entriesMEDIUM
/sitemap.xml0 entries parsed
Publish a sitemap at /sitemap.xml that includes one <loc> entry per product.
Populate description on every Product JSON-LD node
Why this matters: Agents quote your description to answer shopper questions; an empty description gives them nothing to work with.
Findings (4)
Read description on Product JSON-LD across 15 sampled product pages (11 non-empty after HTML strip, 73%).
How: Read description on each Product node; strip HTML tags and collapse whitespace; require length > 0.
Coverage
11/15 · 73%
- Product JSON-LD has no
description(empty after HTML strip)MEDIUM× 4Fill in the product description in your store admin; the JSON-LD template typically binds to that field.
Skipped — HSTS itself is not enabled
Context: Without includeSubDomains, an HTTP subdomain (staging, mail, …) can be used to attack the apex's cookies.
Why this was skipped
Looked for includeSubDomains in the Strict-Transport-Security header, but HSTS itself is not enabled.
How: Parse the homepage Strict-Transport-Security header for the includeSubDomains directive (RFC 6797 §6.1.2).
- HSTS not enabled; check
https-and-hsts-enforcedfirst.MEDIUMFix
https-and-hsts-enforcedfirst — once HSTS ships, re-run this check.
Skipped — No MerchantReturnPolicy node carried a `merchantReturnLink` URL, so reachability has nothing to evaluate.
Context: A broken return-link makes Option B policies invisible — agents can't render or follow the link.
Why this was skipped
No MerchantReturnPolicy node carried a merchantReturnLink URL, so reachability has nothing to evaluate.
How: Collect every unique merchantReturnLink URL across all MerchantReturnPolicy nodes; probe each once via politeFetch (failSoft). 2xx counts as reachable.
Skipped — No MerchantReturnPolicy node carried `applicableCountry`, so the ISO-code check has nothing to evaluate.
Context: A non-ISO country is dropped silently; the policy looks present but never reaches the merchant-listing rich result.
Why this was skipped
No MerchantReturnPolicy node carried applicableCountry, so the ISO-code check has nothing to evaluate.
How: On each MerchantReturnPolicy node where applicableCountry is set, extract every candidate string and require every one to match /^[A-Z]{2}$/i.
Skipped — No MerchantReturnPolicy node carried `returnPolicyCategory`, so the enum check has nothing to evaluate.
Context: An invalid category is silently dropped — your policy looks present in the source but never renders in Google's return-policy rich result.
Why this was skipped
No MerchantReturnPolicy node carried returnPolicyCategory, so the enum check has nothing to evaluate.
How: On each MerchantReturnPolicy node where returnPolicyCategory is set, accept the bare enum name or the schema.org URL form; reject any other string.
Skipped — the runner did not surface any sitemap resources
Context: Unescaped `&` is the single most common cause of sitemap parse errors that drop product URLs silently.
Why this was skipped
Wanted to inspect sampled <loc> entries for entity escaping, but the runner did not surface any sitemap resources.
How: Sample the first 100 <loc> entries per sitemap document and check for raw &, <, or > (sitemaps.org entity escaping rules).
- Transport metadata not available — runner update pendingLOW
Skipped — the runner did not surface any sitemap resources
Context: Cross-host sitemap entries are silently dropped, so the off-host product URLs effectively don't exist for the crawler.
Why this was skipped
Wanted to compare sitemap entry hosts against the containing sitemap, but the runner did not surface any sitemap resources.
How: For each resolved sitemap resource, parse the sitemap URL's host and compare it against every parsed <loc> URL's host.
- Transport metadata not available — runner update pendingLOW
Skipped — the runner did not surface any sitemap resources
Context: Schema-validating crawlers reject sitemaps with a missing or wrong namespace.
Why this was skipped
Wanted to check the xmlns declaration on every resolved sitemap document, but the runner did not surface any sitemap resources.
How: Substring-match xmlns="http://www.sitemaps.org/schemas/sitemap/0.9" against the raw XML of every resolved sitemap document.
- Transport metadata not available — runner update pendingLOW
Skipped — No UCP profile present.
Context: Capabilities missing version/spec/schema can't be matched against agent support tables — agents skip them silently.
Why this was skipped
No UCP profile present.
How: For each capabilities[] entry, require non-empty string values for version, spec, and schema.
Skipped — No UCP profile present.
Context: A spec URL on an unrelated authority signals the service was copy-pasted from stale documentation — agents can't trust the conformance claim.
Why this was skipped
No UCP profile present.
How: For each service with a spec URL, require the URL origin to be a canonical UCP authority OR the host/path to include the namespace token.
Skipped — No UCP profile present; service version formats are not evaluable.
Context: Free-form version labels like `1.0` or `latest` defeat the version-pinning agents rely on, leaving them unable to negotiate the correct spec generation.
Why this was skipped
No UCP profile present; service version formats are not evaluable.
How: For each services[] entry, require version to be a string matching /^\d{4}-\d{2}-\d{2}$/.
Skipped — HSTS itself is not enabled
Context: HSTS preload-list inclusion is the strongest downgrade protection available — first-time visits are protected too.
Why this was skipped
Looked for the preload directive in the Strict-Transport-Security header, but HSTS itself is not enabled.
How: Parse the homepage Strict-Transport-Security header for the preload directive (hstspreload.org vendor extension to RFC 6797).
- HSTS not enabled; check
https-and-hsts-enforcedfirst.LOWFix
https-and-hsts-enforcedfirst — once HSTS ships, re-run this check.
Skipped — No MerchantReturnPolicy node carried returnFees, returnMethod, or refundType, so the enum check has nothing to evaluate.
Context: Invalid enrichment values are dropped silently, leaving merchants confused about why their rendered policy is missing fields they configured.
Why this was skipped
No MerchantReturnPolicy node carried returnFees, returnMethod, or refundType, so the enum check has nothing to evaluate.
How: On each MerchantReturnPolicy node, inspect returnFees/returnMethod/refundType if set; require the bare name or schema.org URL form of a value in the corresponding Schema.org enum.
Skipped — the runner did not surface any sitemap resources
Context: Strict crawlers drop over-cap URLs without surfacing the error, so over-cap product entries effectively vanish.
Why this was skipped
Wanted to check <loc> URL lengths across every resolved sitemap document, but the runner did not surface any sitemap resources.
How: Iterate every parsed <loc> URL across all resolved sitemap resources and check length against the 2,048-character cap.
- Transport metadata not available — runner update pendingLOW
Skipped — the runner did not surface any sitemap resources
Context: Over-cap sitemaps are silently dropped — neither byte overflow nor entry overflow surfaces a crawler error.
Why this was skipped
Wanted to verify each sitemap's byte size and entry count against sitemaps.org caps, but the runner did not surface any sitemap resources.
How: Check raw byte size (≤ 52,428,800 B) and entry count (≤ 50,000) for every resolved sitemap resource.
- Transport metadata not available — runner update pendingLOW
Skipped — the runner did not surface any sitemap resources with transport metadata
Context: Non-UTF-8 sitemaps are silently dropped by Search Console and trip default XML parsers used by other crawlers.
Why this was skipped
Wanted to check the encoding of every resolved sitemap document, but the runner did not surface any sitemap resources with transport metadata.
How: Inspect every resolved sitemap document's raw byte stream for UTF-8 decodability (sitemaps.org encoding requirement).
- Transport metadata not available — runner update pendingLOW
This check activates once the runner (Task I1) populates ctx.sitemapResources with raw bytes + headers.
Skipped — No UCP profile found; MCP transport validity is not evaluable.
Context: If you advertise MCP transport, agents will try to connect — broken or non-HTTPS endpoints fail silently and lose the integration.
Why this was skipped
No UCP profile found; MCP transport validity is not evaluable.
How: Filter services[] to entries where transport=mcp and validate that endpoint is an absolute https:// URL.
Enable Apple Pay through your payment processor (informational only)
Why this matters: Apple Pay is a checkout-quality signal for human shoppers — informational only, does not affect the agent-readiness score.
Findings (1)
Scanned the homepage and 20 sampled PDPs for Apple Pay markers; none matched.
How: Substring match on known Apple Pay SDK/markup signatures (ApplePaySession, apple-pay-button, /apple-developer-merchantid-domain-association) across the homepage and every sampled PDP HTML.
- No Apple Pay markers detected on the homepage or PDPsINFO
Enable Apple Pay in your payment processor's dashboard (Stripe / Adyen / Braintree). Informational only — does not affect the score.
Enable Google Pay through your payment processor (informational only)
Why this matters: Google Pay is a checkout-quality signal for human shoppers — informational only, does not affect the agent-readiness score.
Findings (1)
Scanned the homepage and 20 sampled PDPs for Google Pay markers; none matched.
How: Substring match on known Google Pay SDK/markup signatures (pay.google.com/gp/p/js/pay.js, google.payments.api, <google-pay-button) across the homepage and every sampled PDP HTML.
- No Google Pay markers detected on the homepage or PDPsINFO
Enable Google Pay in your payment processor's dashboard (Stripe / Adyen / Braintree). Informational only — does not affect the score.
Skipped — Looked for /llms.txt at the site root; the fetcher returned no file.
Context: An /llms.txt manifest points agents at your feed and key pages without them having to guess.
Why this was skipped
Looked for /llms.txt at the site root; the fetcher returned no file.
How: Check whether the fetcher reached an /llms.txt at the site root. Informational only — no failure path per llmstxt.org being a voluntary community convention.