Confirmed the homepage is HTTPS (status 200), probed http://pemberleyrose.com/ for redirect behaviour, and parsed the Strict-Transport-Security header (absent).

How: URL scheme + homepage status check, an http://host/ redirect probe through politeFetch, and a Strict-Transport-Security max-age parse (RFC 6797; ≥ 180-day threshold).

• No Strict-Transport-Security header on the homepage response■CRITICALCRITICAL severity — weight 10 in score calculation.

  /

  Add Strict-Transport-Security: max-age=31536000; includeSubDomains to every HTTPS response.

No PDP carried a Product JSON-LD node, so there is nothing to inspect for Offer price + priceCurrency.

How: Parse Offer price (or AggregateOffer lowPrice) as a parseable numeric price ≥ 0; require priceCurrency to match /^[A-Z]{3}$/i.

Parsed JSON-LD on 20 sampled product pages for a Product node (0 found, 0%).

How: Walk each sampled PDP's parsed jsonLdBlocks, flatten @graph containers, and count the page as passing if any node has @type Product / ProductGroup / IndividualProduct / ProductModel.

• No Product JSON-LD on this PDP▲HIGHHIGH severity — weight 5 in score calculation.× 10

  Add a <script type="application/ld+json"> block with @type: Product to the PDP <head>.

  Affected (10)

  • /
  • /shop
  • /shop/bunny-letterpress-wall-art
  • /shop/designer-handmade-doll-dumye-anarvus-ii
  • /shop/designer-handmade-doll-dumye-anarvus-iii
  • /shop/dumye-handmade-designer-angel-doll-la-lov…
  • /shop/dumye-handmade-designer-doll-with-pink-dr…
  • /shop/dumye-handmade-boho-fairy-doll-hoo-hoo-ch…
  • /shop/dumye-handmade-designer-bunny-doll-little…
  • /shop/dumye-talula-handmade-ballerina-doll-wheat

…and 1 more

Probed 5 candidate privacy-policy paths (nav-discovered + platform-conventional) and none returned a 2xx body.

How: Discover candidate URLs by scoring homepage nav/footer anchors for privacy/gdpr/cookie keywords, then append platform-conventional paths; probe each with politeFetch and pass on the first 2xx with ≥200 stripped-body chars.

• No privacy policy page reachable at any candidate URL▲HIGHHIGH severity — weight 5 in score calculation.

  statuses: /privacy-policy/=404, /privacy/=404, /privacy=404, /privacy-policy=404, /policies/privacy-policy=404

  Publish a privacy policy page at /privacy-policy (or your platform's standard slug) with ≥200 chars of body text.

Checked 20 sampled product pages for brand attribution via Product JSON-LD or visible HTML signals (0 attributed, 0%).

How: On each PDP, accept brand attribution from either (a) extractBrand on the first Product JSON-LD node OR (b) an HTML brand signal (OG product:brand, brand meta, og:brand, Microdata itemprop="brand").

• No brand attribution on this PDP (neither JSON-LD brand nor OG/Microdata)▲HIGHHIGH severity — weight 5 in score calculation.× 10

  Add brand to the Product JSON-LD or a <meta property="product:brand"> tag.

  Affected (10)

  • /
  • /shop
  • /shop/bunny-letterpress-wall-art
  • /shop/designer-handmade-doll-dumye-anarvus-ii
  • /shop/designer-handmade-doll-dumye-anarvus-iii
  • /shop/dumye-handmade-designer-angel-doll-la-lov…
  • /shop/dumye-handmade-designer-doll-with-pink-dr…
  • /shop/dumye-handmade-boho-fairy-doll-hoo-hoo-ch…
  • /shop/dumye-handmade-designer-bunny-doll-little…
  • /shop/dumye-talula-handmade-ballerina-doll-wheat

…and 1 more

Checked 20 sampled product pages for a GTIN in the Product JSON-LD (0 carry a valid GTIN, 0%).

How: Extract gtin / gtin8 / gtin12 / gtin13 / gtin14 from the first Product JSON-LD node on each PDP; validate digit length.

• No valid GTIN on this product page▲HIGHHIGH severity — weight 5 in score calculation.× 10

  Populate gtin/gtin8/gtin12/gtin13/gtin14 with the manufacturer's barcode.

  Affected (10)

  • /
  • /shop
  • /shop/bunny-letterpress-wall-art
  • /shop/designer-handmade-doll-dumye-anarvus-ii
  • /shop/designer-handmade-doll-dumye-anarvus-iii
  • /shop/dumye-handmade-designer-angel-doll-la-lov…
  • /shop/dumye-handmade-designer-doll-with-pink-dr…
  • /shop/dumye-handmade-boho-fairy-doll-hoo-hoo-ch…
  • /shop/dumye-handmade-designer-bunny-doll-little…
  • /shop/dumye-talula-handmade-ballerina-doll-wheat

…and 1 more

Inspected /.well-known/ucp for a parseable JSON document with a top-level version string.

How: Confirm ctx.wellKnownUcp is non-null and carries a non-empty version string (the only universally-required UCP profile field).

• /.well-known/ucp is not reachable or not parseable as JSON▲HIGHHIGH severity — weight 5 in score calculation.

  /.well-known/ucp

  Serve a JSON document at /.well-known/ucp with a top-level version string (e.g., "2026-04-08").

Wanted to inspect UCP root keys, but no profile was found.

How: Read the profile root (or top-level ucp wrapper) and verify the presence of version, services, capabilities, and signing_keys keys.

• No /.well-known/ucp profile present▲HIGHHIGH severity — weight 5 in score calculation.

  /.well-known/ucp

  Publish /.well-known/ucp first (see ucp-profile-present).

Wanted to walk the UCP profile's services[] for a valid shopping entry, but no profile was found.

How: List every services[] entry whose namespace is shopping (or contains shopping) and require at least one with transport ∈ {rest,mcp,a2a,embedded} AND a syntactically valid https:// endpoint.

• No /.well-known/ucp profile present▲HIGHHIGH severity — weight 5 in score calculation.

  /.well-known/ucp

  Publish /.well-known/ucp first (see ucp-profile-present), then declare the shopping service.

Wanted to validate signing_keys[], but no UCP profile was found.

How: Walk signing_keys[] and validate each entry per RFC 7517 §4.1 (kty required) + RFC 7518 §6 (kty-specific required parameters). kid is OPTIONAL per RFC 7517 §4.5 and not enforced here.

• No /.well-known/ucp profile present▲HIGHHIGH severity — weight 5 in score calculation.

  /.well-known/ucp

No MerchantReturnPolicy node used the MerchantReturnFiniteReturnWindow category, so the merchantReturnDays check has nothing to evaluate.

How: For each MerchantReturnPolicy node whose returnPolicyCategory normalizes to MerchantReturnFiniteReturnWindow, require merchantReturnDays to be a positive number (or a numeric string > 0).

No PDP carried a hasMerchantReturnPolicy node, so Option A/B shape cannot be evaluated.

How: For each PDP, walk every hasMerchantReturnPolicy node (Product or Offer level) and require either (applicableCountry + returnPolicyCategory) OR a syntactically-valid merchantReturnLink URL.

No PDP carried a Product JSON-LD node, so there is nothing to inspect for hasMerchantReturnPolicy.

How: On each PDP, locate the Product JSON-LD node and check for a hasMerchantReturnPolicy object/array at Product level OR Offer level. Pass band ≥ 85% coverage, partial ≥ 50%.

No PDP carried a resolvable Offer, so there is nothing to inspect for availability.

How: On each Offer, accept availability only if it matches one of the canonical Schema.org ItemAvailability IRIs (http or https, trailing slash optional).

No PDP carried a Product JSON-LD node, so there is nothing to inspect for shippingDetails.

How: On each PDP, locate the Product JSON-LD node and check for shippingDetails (single object or array) at Product or Offer level. Pass band ≥ 85% coverage.

No PDP in the sample carried a Product JSON-LD node, so there is nothing to inspect for image.

How: Resolve image on each Product node into a list of URL strings (string, array, or ImageObject.url/contentUrl); require at least one non-empty URL.

No PDP in the sample carried a Product JSON-LD node, so there is nothing to inspect for name.

How: On each PDP with a Product JSON-LD node, require name to be a string of length > 0 after trimming.

No PDP carried a Product JSON-LD node, so there is nothing to inspect for offers.

How: On each Product node, require a resolvable Offer (or first Offer inside an AggregateOffer) via findOffer.

No UCP profile present; Cache-Control policy is not evaluable.

How: Parse the Cache-Control header on the /.well-known/ucp response; require public, max-age ≥ 60, and no no-store/no-cache/private.

No UCP profile present; Content-Type is not evaluable.

How: Check that the Content-Type header on /.well-known/ucp starts with application/json (optionally with a charset parameter).

No UCP profile reachable; public-fetch evaluation deferred to ucp-profile-present.

How: Confirm an unauthenticated GET to /.well-known/ucp returns a 2xx status.

No UCP profile present; redirect behaviour is not evaluable.

How: Inspect the final HTTP status of GET /.well-known/ucp and whether any 3xx redirect was followed to reach it.

No UCP profile present.

How: For each services[] entry with a recognised transport, require the transport-conditional fields: rest/mcp → endpoint+schema; a2a → endpoint; embedded → schema.

No UCP profile present.

How: For each services[] entry, require transport to be one of: rest, mcp, a2a, embedded.

Found a homepage Organization node but its contactPoint is missing both email and telephone.

How: Parse homepage <script type="application/ld+json"> blocks, flatten @graph, and look for an Organization/OnlineStore/Store node with a contactPoint carrying email or telephone.

• Homepage Organization node has no contactPoint with email or telephone◆MEDIUMMEDIUM severity — weight 3 in score calculation.

  /

  What we expected

  "contactPoint": [{"@type":"ContactPoint","contactType":"customer service","email":"support@example.com","telephone":"+1-555-123-4567"}]

  Add a contactPoint object with at least one of email or telephone.

Scanned the homepage and 20 sampled PDPs for 8 review-platform asset fingerprints; none matched.

How: Substring scan of homepage and sampled PDP HTML for known review-platform asset fingerprints (judge.me, yotpo, stamped.io, reviews.io, okendo, loox, trustpilot, bazaarvoice).

• No third-party review-platform integration detected◆MEDIUMMEDIUM severity — weight 3 in score calculation.

  none of 8 fingerprints matched across 21 sources

  Install a Judge.me / Yotpo / Loox / Okendo / Stamped / Reviews.io / Trustpilot / Bazaarvoice widget on your storefront.

Probed 7 candidate returns-policy paths (nav-discovered + platform-conventional) and none returned a 2xx body.

How: Discover candidate URLs by scoring homepage nav/footer anchors for return/refund/exchange keywords, then append platform-conventional paths; probe each with politeFetch and pass on the first 2xx with ≥200 stripped-body chars.

• No returns/refund policy page reachable at any candidate URL◆MEDIUMMEDIUM severity — weight 3 in score calculation.

  statuses: /refund_returns/=404, /returns/=404, /refund-policy/=404, /returns=404, /refund-policy=404, /return-policy=404, /policies/refund-policy=404

  Publish a returns/refund policy page at /returns (or your platform's standard slug) with ≥200 chars of body text.

Probed 6 candidate shipping-policy paths (nav-discovered + platform-conventional) and none returned a 2xx body.

How: Discover candidate URLs by scoring homepage nav/footer anchors for shipping/delivery/dispatch keywords, then append platform-conventional paths; probe each with politeFetch and pass on the first 2xx with ≥200 stripped-body chars.

• No shipping policy page reachable at any candidate URL◆MEDIUMMEDIUM severity — weight 3 in score calculation.

  statuses: /shipping-policy/=404, /shipping/=404, /shipping=404, /shipping-policy=404, /policies/shipping-policy=404, /pages/shipping=404

  Publish a shipping policy page at /shipping-policy (or your platform's standard slug) with ≥200 chars of body text and link it from your footer.

Resolved an XML sitemap with 86 <loc> entries, but none look like product URLs.

How: Parse <loc> entries from the resolved sitemap (or sitemap index) and classify each against product-URL patterns (/products/..., /product/..., /p/<id>, etc.).

• Sitemap reachable but contains no product URLs◆MEDIUMMEDIUM severity — weight 3 in score calculation.

  /sitemap.xml86 total <loc> entries, 0 product-shaped (0%)

  Add product URLs (e.g., /products/<handle>) to the sitemap or include the product-section sitemap in your sitemap index.

Looked for includeSubDomains in the Strict-Transport-Security header, but HSTS itself is not enabled.

How: Parse the homepage Strict-Transport-Security header for the includeSubDomains directive (RFC 6797 §6.1.2).

• HSTS not enabled; check https-and-hsts-enforced first.◆MEDIUMMEDIUM severity — weight 3 in score calculation.

  /

  Fix https-and-hsts-enforced first — once HSTS ships, re-run this check.

No MerchantReturnPolicy node carried a merchantReturnLink URL, so reachability has nothing to evaluate.

How: Collect every unique merchantReturnLink URL across all MerchantReturnPolicy nodes; probe each once via politeFetch (failSoft). 2xx counts as reachable.

No MerchantReturnPolicy node carried applicableCountry, so the ISO-code check has nothing to evaluate.

How: On each MerchantReturnPolicy node where applicableCountry is set, extract every candidate string and require every one to match /^[A-Z]{2}$/i.

No MerchantReturnPolicy node carried returnPolicyCategory, so the enum check has nothing to evaluate.

How: On each MerchantReturnPolicy node where returnPolicyCategory is set, accept the bare enum name or the schema.org URL form; reject any other string.

No OfferShippingDetails node carried shippingDestination, so the DefinedRegion check has nothing to evaluate.

How: On each OfferShippingDetails node where shippingDestination is set, require it to be a DefinedRegion (or array) and every entry to carry addressCountry matching /^[A-Z]{2}$/i.

No OfferShippingDetails node carried shippingRate, so the MonetaryAmount check has nothing to evaluate.

How: On each OfferShippingDetails node where shippingRate is set, require an object with numeric value/maxValue (typed or numeric string) and a 3-letter ISO 4217 currency.

No PDP carried a Product JSON-LD node, so there is nothing to inspect for brand.

How: On each Product node, accept brand if it's a non-empty trimmed string OR an object with a non-empty name. Objects with @type Brand/Organization but no name are rejected.

No PDP carried a Product JSON-LD node, so there is nothing to inspect for description.

How: Read description on each Product node; strip HTML tags and collapse whitespace; require length > 0.

No PDP carried a Product JSON-LD node, so there is nothing to inspect for sku.

How: On each PDP with a Product node, accept sku if it is a non-empty trimmed string or a number.

No PDP carried a Product JSON-LD node, so there is nothing to inspect for placeholder titles.

How: Read name on the first Product JSON-LD node. Fail if empty, matches a known placeholder list (Default Title / Untitled / Product N / sample / test / draft / placeholder), or matches slug shape (lower-case alnum + at least one hyphen).

No UCP profile present.

How: For each capabilities[] entry, require non-empty string values for version, spec, and schema.

No UCP profile present.

How: For each service with a spec URL, require the URL origin to be a canonical UCP authority OR the host/path to include the namespace token.

No UCP profile present; service version formats are not evaluable.

How: For each services[] entry, require version to be a string matching /^\d{4}-\d{2}-\d{2}$/.

Parsed <img> alt attributes across 20 sampled product pages (13 have alt text on at least 80% of images).

How: Per PDP, count <img> tags via regex; a tag 'has alt text' when its alt attribute is present AND non-empty after trim. A PDP passes when it carries no <img> at all OR ≥80% of its <img> tags have non-empty alt.

• Most images on this product page lack alt text●LOWLOW severity — weight 1 in score calculation.× 7

  What we expected

  <img src="/img/sneaker.webp" alt="Red leather running shoe, side view" />

  Populate the alt attribute on each <img> with a description of what the image shows; use alt="" only for decorative images.

  Affected (7)

  • /1/3 <img> tags have non-empty alt (33%)
  • /shop1/3 <img> tags have non-empty alt (33%)
  • /shop/art-print-ballerina-fashion-illustration-…6/8 <img> tags have non-empty alt (75%)
  • /shop/le-cavalier-equestrian-wall-art6/8 <img> tags have non-empty alt (75%)
  • /shop/british-roadster-boys-race-car-wall-art6/8 <img> tags have non-empty alt (75%)
  • /shop/big-ben-london-wall-art6/8 <img> tags have non-empty alt (75%)
  • /shop/vintage-motorcycle-wall-art6/8 <img> tags have non-empty alt (75%)

No PDP carried a Product JSON-LD node, so there is no eligible PDP to inspect for BreadcrumbList.

How: Search every JSON-LD block on each PDP for @type: BreadcrumbList with a non-empty itemListElement.

Looked for the preload directive in the Strict-Transport-Security header, but HSTS itself is not enabled.

How: Parse the homepage Strict-Transport-Security header for the preload directive (hstspreload.org vendor extension to RFC 6797).

• HSTS not enabled; check https-and-hsts-enforced first.●LOWLOW severity — weight 1 in score calculation.

  /

  Fix https-and-hsts-enforced first — once HSTS ships, re-run this check.

No MerchantReturnPolicy node carried returnFees, returnMethod, or refundType, so the enum check has nothing to evaluate.

How: On each MerchantReturnPolicy node, inspect returnFees/returnMethod/refundType if set; require the bare name or schema.org URL form of a value in the corresponding Schema.org enum.

No PDP carried a resolvable Offer, so there is nothing to inspect for itemCondition.

How: On each Offer: if itemCondition is omitted, count as pass (Google defaults to NewCondition). If present, accept only when it matches a canonical Schema.org ItemCondition IRI.

No OfferShippingDetails node carried deliveryTime, so the ShippingDeliveryTime check has nothing to evaluate.

How: On each OfferShippingDetails node where deliveryTime is set, require an object with at least one of handlingTime / transitTime populated as a QuantitativeValue.

No PDP carried a Product JSON-LD node, so there is nothing to inspect for aggregateRating.

How: On each Product node, parse aggregateRating (or the first element if it's an array) and require ratingValue in [0,5] AND reviewCount or ratingCount ≥ 1.

No PDP carried a Product JSON-LD node, so there is nothing to inspect for title quality.

How: Read name on the first Product JSON-LD node. Fail if missing/empty after trimming OR if the string contains letters and they're all upper-case.

No UCP profile found; MCP transport validity is not evaluable.

How: Filter services[] to entries where transport=mcp and validate that endpoint is an absolute https:// URL.

Scanned the homepage and 20 sampled PDPs for Apple Pay markers; none matched.

How: Substring match on known Apple Pay SDK/markup signatures (ApplePaySession, apple-pay-button, /apple-developer-merchantid-domain-association) across the homepage and every sampled PDP HTML.

• No Apple Pay markers detected on the homepage or PDPs○INFOINFO severity — weight 0 in score calculation.

  /

  Enable Apple Pay in your payment processor's dashboard (Stripe / Adyen / Braintree). Informational only — does not affect the score.

Scanned the homepage and 20 sampled PDPs for Google Pay markers; none matched.

How: Substring match on known Google Pay SDK/markup signatures (pay.google.com/gp/p/js/pay.js, google.payments.api, <google-pay-button) across the homepage and every sampled PDP HTML.

• No Google Pay markers detected on the homepage or PDPs○INFOINFO severity — weight 0 in score calculation.

  /

  Enable Google Pay in your payment processor's dashboard (Stripe / Adyen / Braintree). Informational only — does not affect the score.

Looked for /llms.txt at the site root; the fetcher returned no file.

How: Check whether the fetcher reached an /llms.txt at the site root. Informational only — no failure path per llmstxt.org being a voluntary community convention.