{ "profileId": "uaix.ai-ready-web.requirements.v1", "title": "UAIX AI-Ready Web Requirement Registry", "version": "1.0.0", "package_version": "3.167.0", "generated_at_utc": "2026-06-27T00:00:00Z", "canonical_url": "https://uaix.org/spec/ai-ready-web-requirements.json", "program_url": "https://uaix.org/en-us/ai-ready-web/", "scope": "Human-first, agent-compatible website readiness requirements for accessible pages, deterministic discovery, safe APIs, bounded capabilities, privacy, provenance, validation, and governance.", "profiles": [ { "id": "ARW-F0", "name": "Static Readable", "minimum": "Semantic public HTML, no JavaScript-only critical facts, robots, sitemap, contact or review path, and no destructive route inference." }, { "id": "ARW-F1", "name": "Discoverable", "minimum": "ARW-F0 plus public-safe .well-known manifest, route inventory, advisory llms file, schema or digest records, and maturity labels." }, { "id": "ARW-F2", "name": "Action Described", "minimum": "ARW-F1 plus OpenAPI-described routes, Problem Details errors, idempotency, auth and consent boundaries, and human review fallback." }, { "id": "ARW-F3", "name": "Delegation Ready", "minimum": "ARW-F2 plus delegated authority model, audit logs, trace IDs, readback URLs, revocation, and no-op behavior." }, { "id": "ARW-F4", "name": "Evidence Complete", "minimum": "ARW-F3 plus readiness results, conformance or evidence package, release trail, incident process, and owner review." } ], "requirements": [ { "id": "ARW-001", "title": "Human-first, agent-compatible architecture", "level": "MUST", "profile": "ARW-F0", "family": "core_architecture", "requirement": "The site must keep the human-facing experience complete, accessible, and authoritative while adding machine-readable routes as companion evidence.", "test": "Sample key pages and verify primary facts are present in server-rendered HTML and are not available only through scripts, images, PDFs, or private API calls.", "evidence": "Page URLs, HTML samples, accessibility review, and route inventory.", "anti_patterns": [ "Replacing human-readable policy with a machine-only manifest.", "Publishing bot-only answers that conflict with public page copy." ] }, { "id": "ARW-002", "title": "Explicit support boundary", "level": "MUST", "profile": "ARW-F0", "family": "core_architecture", "requirement": "Every AI-ready claim must state what the site does not authorize, including no certification, no hidden runtime execution, no credential validation, and no private route probing unless those capabilities are actually implemented and evidenced.", "test": "Search public pages and machine files for unsupported authority, certification, endorsement, safety proof, runtime execution, or automatic write claims.", "evidence": "Support-boundary text on public pages and machine artifacts.", "anti_patterns": [ "Calling a site agent-ready because an agent can visually click it.", "Treating capability discovery as permission to execute." ] }, { "id": "ARW-003", "title": "Maturity labels", "level": "MUST", "profile": "ARW-F0", "family": "core_architecture", "requirement": "Mechanisms must be labeled as stable baseline, configuration-specific implementation, proposal/community convention, research track, or unsupported.", "test": "Verify the maturity register includes every AI-facing mechanism named by the site.", "evidence": "Maturity register JSON and matching page copy.", "anti_patterns": [ "Describing proposals as formal standards.", "Treating research-track browser-agent APIs as current support." ] }, { "id": "ARW-010", "title": "Semantic HTML baseline", "level": "MUST", "profile": "ARW-F0", "family": "accessibility_rendering", "requirement": "Pages must use semantic headings, links, lists, tables, form labels, buttons, landmarks, and programmatic names so assistive technology and agents can parse the page.", "test": "Run automated HTML/accessibility checks and manual keyboard review on representative pages.", "evidence": "Accessibility report, page samples, and manual notes.", "anti_patterns": [ "Clickable div soup.", "Unlabeled icon-only controls.", "Skipped heading hierarchy." ] }, { "id": "ARW-011", "title": "WCAG 2.2 posture", "level": "SHOULD", "profile": "ARW-F0", "family": "accessibility_rendering", "requirement": "Sites should meet WCAG 2.2 AA expectations for public workflows and record exceptions before claiming agent accessibility.", "test": "Run automated WCAG checks, keyboard task checks, focus review, and manual screen-reader smoke checks for representative flows.", "evidence": "Accessibility QA notes and release checklist.", "anti_patterns": [ "Equating bot readability with human accessibility.", "Leaving focus traps or unlabeled fields in core workflows." ] }, { "id": "ARW-012", "title": "No JavaScript-only critical facts", "level": "MUST", "profile": "ARW-F0", "family": "accessibility_rendering", "requirement": "Critical facts, support boundaries, policy statements, route links, and primary instructions must be available without JavaScript.", "test": "Fetch pages with a simple HTTP client and compare core facts against rendered browser output.", "evidence": "Static fetch snapshots and parity notes.", "anti_patterns": [ "Putting canonical content only in tabs that render after client-side state.", "Using canvas or images for required text without accessible alternatives." ] }, { "id": "ARW-013", "title": "Stable interactive controls", "level": "SHOULD", "profile": "ARW-F0", "family": "accessibility_rendering", "requirement": "Interactive controls should have stable names, roles, states, result URLs, and predictable layout so agents and humans do not lose task context.", "test": "Run browser checks for focus order, control labels, layout shift, and result-path disclosure.", "evidence": "Browser QA screenshots or automation logs.", "anti_patterns": [ "Moving controls during loading.", "Changing button meaning without changing its accessible name." ] }, { "id": "ARW-020", "title": "Robots and sitemap", "level": "MUST", "profile": "ARW-F0", "family": "discovery_content", "requirement": "The site must publish robots.txt and XML sitemap records that point agents and crawlers to canonical public pages without exposing private routes.", "test": "Fetch robots.txt and sitemap.xml, parse them, and verify canonical public URLs.", "evidence": "robots.txt, sitemap.xml, and route inventory.", "anti_patterns": [ "Only linking private or staging sitemaps.", "Contradicting sitemap URLs in llms.txt or manifests." ] }, { "id": "ARW-021", "title": "Public-safe .well-known discovery", "level": "SHOULD", "profile": "ARW-F1", "family": "discovery_content", "requirement": "Sites should expose a public-safe .well-known manifest naming canonical pages, machine files, API routes, policy routes, contact/review paths, and unsupported capabilities.", "test": "Fetch and parse .well-known JSON; check canonical base URLs, safe-harbor URL, and blocked capability list.", "evidence": ".well-known manifest and static discovery test output.", "anti_patterns": [ "Publishing internal hostnames.", "Listing private admin or credential routes." ] }, { "id": "ARW-022", "title": "Advisory llms file", "level": "MAY", "profile": "ARW-F1", "family": "discovery_content", "requirement": "Sites may publish llms.txt and llms-full.txt as advisory AI-reader files when they match canonical pages and do not replace stable discovery.", "test": "Check that llms files parse as text, link to canonical pages, and do not contradict robots, sitemap, or .well-known manifests.", "evidence": "llms.txt, llms-full.txt, and route inventory.", "anti_patterns": [ "Treating llms.txt as a formal permission standard.", "Publishing llms-only facts missing from public pages." ] }, { "id": "ARW-023", "title": "Route inventory", "level": "MUST", "profile": "ARW-F1", "family": "discovery_content", "requirement": "AI-facing sites must maintain a route inventory that identifies human pages, machine files, API routes, action routes, fallback routes, and review routes.", "test": "Parse the route inventory and sample representative routes for HTTP status, content type, and canonical URL.", "evidence": "Route inventory JSON and HTTP audit output.", "anti_patterns": [ "Relying on agents to infer hidden routes.", "Leaving obsolete routes in discovery." ] }, { "id": "ARW-024", "title": "Structured entity clarity", "level": "SHOULD", "profile": "ARW-F1", "family": "discovery_content", "requirement": "Use JSON-LD, Schema.org, canonical IDs, or equivalent structured records for important public entities, offers, events, policies, and profiles where applicable.", "test": "Validate structured data and compare it to visible page text.", "evidence": "Structured data validation and page samples.", "anti_patterns": [ "Structured data that claims facts not visible to users.", "Using stale or conflicting canonical IDs." ] }, { "id": "ARW-025", "title": "Alternate representations", "level": "SHOULD", "profile": "ARW-F1", "family": "discovery_content", "requirement": "Long or interactive content should offer compact text, JSON, or markdown-equivalent representations when agents need deterministic reading.", "test": "Fetch alternate representations and compare freshness, canonical URL, and support boundary against the human page.", "evidence": "Alternate route URLs and parity notes.", "anti_patterns": [ "Markdown mirrors with stale claims.", "Machine summaries that omit critical cautions." ] }, { "id": "ARW-026", "title": "Ethical AEO/GEO publishing", "level": "MUST", "profile": "ARW-F1", "family": "discovery_content", "requirement": "Answer Engine Optimization (AEO) and Generative Engine Optimization (GEO) claims must improve answerability, citability, source evidence, accessibility, and correction paths for humans and AI readers. Sites must not use AEO/GEO as a cover for cloaking, hidden bot-only text, keyword stuffing, fabricated citations, prompt injection, ranking guarantees, or synthetic pages that lack review and provenance.", "test": "Review AEO/GEO pages, canonical HTML, structured data, llms files, sitemaps, .well-known manifests, route inventory, and visible support boundaries for content parity and anti-patterns.", "evidence": "AEO and GEO term pages, AI-Ready Web content, source references, route inventory entries, readiness result checks, and machine-readable manifests.", "anti_patterns": [ "Generative-engine keyword stuffing.", "Answer-engine doorway pages.", "Hidden bot-only text or cloaked facts.", "Fabricated expertise, sources, or citations.", "Prompt-injection instructions aimed at models.", "Ranking-guarantee promises." ] }, { "id": "ARW-027", "title": "Target-site implementation guidance", "level": "MUST", "profile": "ARW-F1", "family": "discovery_content", "requirement": "AI-Ready Web, AEO, GEO, and SEO guidance must tell visiting agents to audit and implement the strategy on the user's target site, repository, CMS, public routes, machine discovery files, structured data, evidence records, and deployable package. The guidance must not lead agents to copy UAIX content or create a page about UAIX guidance unless the user explicitly asks for that output.", "test": "Review public pages, document dossier text, llms files, .well-known manifests, route inventory, and readiness examples for target-site implementation instructions and anti-copy language.", "evidence": "AI-Ready Web page contract, per-page dossier guidance, llms implementation rule, .well-known implementation contract, and readiness result checks.", "anti_patterns": [ "Creating an About AI-Ready Web page instead of improving the target site.", "Copying UAIX guidance into the target site as filler content.", "Summarizing AEO/GEO/SEO definitions without auditing the target site.", "Skipping route, schema, metadata, accessibility, discovery, and support-boundary implementation work.", "Providing a deployable root ZIP that contains a guidance page but not the requested target-site improvements." ] }, { "id": "ARW-030", "title": "OpenAPI for HTTP actions", "level": "MUST", "profile": "ARW-F2", "family": "apis_capabilities", "requirement": "Agent-usable HTTP actions must be described by OpenAPI or an equivalent route contract with method, auth, request body, response body, errors, and rate limits.", "test": "Parse OpenAPI and verify action routes have operation IDs, content types, auth requirements, and documented errors.", "evidence": "OpenAPI document and API test output.", "anti_patterns": [ "Expecting agents to scrape forms for write APIs.", "Documenting write endpoints only in prose." ] }, { "id": "ARW-031", "title": "Problem Details error shape", "level": "SHOULD", "profile": "ARW-F2", "family": "apis_capabilities", "requirement": "API errors should use Problem Details or a documented equivalent with type, title, status, detail, instance, correlation ID, retryability, and documentation URL.", "test": "Send invalid requests and verify documented error shape and content type.", "evidence": "Negative API test output.", "anti_patterns": [ "Returning HTML errors for JSON APIs.", "Omitting actionable no-op or human-review guidance." ] }, { "id": "ARW-032", "title": "Idempotency and side-effect labeling", "level": "MUST", "profile": "ARW-F2", "family": "apis_capabilities", "requirement": "Every action route must state whether it is safe, idempotent, side-effecting, destructive, or review-gated, and side-effecting routes must use appropriate methods and idempotency protections.", "test": "Inspect route contracts for method, side-effect class, idempotency key, replay policy, and no query-string secrets.", "evidence": "OpenAPI routes and validator output.", "anti_patterns": [ "Destructive GET routes.", "Secrets in URLs.", "No replay protection for writes." ] }, { "id": "ARW-033", "title": "Capability surface matrix", "level": "MUST", "profile": "ARW-F2", "family": "apis_capabilities", "requirement": "A site that claims agent action support must publish or cite a capability surface matrix naming highest supported path, lowest safe fallback, human review URL, and no-op behavior by client ability.", "test": "Parse capability matrix and verify every advertised workflow has fallback and no-op records.", "evidence": "Capability matrix JSON or page plus route tests.", "anti_patterns": [ "One-size-fits-all agent support claims.", "No fallback for clients that cannot POST, authenticate, or execute JavaScript." ] }, { "id": "ARW-034", "title": "No-op safety", "level": "MUST", "profile": "ARW-F2", "family": "apis_capabilities", "requirement": "Unsupported, ambiguous, blocked, or unsafe work must produce no-op behavior with a reason and human review path instead of route guessing.", "test": "Run unsupported-action simulations and verify the response stops safely.", "evidence": "No-op test output and human review URL.", "anti_patterns": [ "Retry loops.", "Guessing undocumented write routes.", "Escalating authority from page text." ] }, { "id": "ARW-040", "title": "Non-human principal identity boundary", "level": "MUST", "profile": "ARW-F3", "family": "identity_security_privacy", "requirement": "Agent identity, user delegation, and service authorization must be explicit; a user-agent string or model name must not be treated as sufficient authority.", "test": "Inspect auth flows and verify delegated authority is distinct from crawl or discovery identity.", "evidence": "Auth policy, consent screens, and API contract.", "anti_patterns": [ "Trusting declared bot names.", "Letting agents reuse human sessions without explicit consent." ] }, { "id": "ARW-041", "title": "Consent and revocation", "level": "MUST", "profile": "ARW-F3", "family": "identity_security_privacy", "requirement": "User-specific or side-effecting agent actions must have explicit consent, scope, expiration, and revocation behavior.", "test": "Verify consent records, scoped tokens, expiry handling, and revocation path.", "evidence": "Consent flow review and auth tests.", "anti_patterns": [ "Unlimited agent delegation.", "No revocation path.", "Silent agent-to-agent delegation." ] }, { "id": "ARW-042", "title": "Data minimization", "level": "MUST", "profile": "ARW-F1", "family": "identity_security_privacy", "requirement": "Machine-readable public artifacts must exclude secrets, private customer data, private hostnames, hidden prompt instructions, non-public logs, and irrelevant operational detail.", "test": "Scan public machine files for local/private hosts, secret-like values, and unsupported internal references.", "evidence": "Static discovery hygiene test output.", "anti_patterns": [ "Publishing staging URLs.", "Embedding credentials or tokens.", "Exposing private admin paths." ] }, { "id": "ARW-043", "title": "Rights and usage preferences", "level": "SHOULD", "profile": "ARW-F1", "family": "identity_security_privacy", "requirement": "Sites should publish clear content usage, crawling, text and data mining, attribution, and privacy preference statements, while recognizing that advisory signals do not replace law, contracts, or consent.", "test": "Verify policy links, robots rules, rights statements, and maturity label for any TDM or AI preference mechanism.", "evidence": "Policy pages and discovery manifest.", "anti_patterns": [ "Treating policy preference files as universal enforcement.", "Contradicting robots or terms with advisory AI files." ] }, { "id": "ARW-050", "title": "Provenance and traceability", "level": "SHOULD", "profile": "ARW-F3", "family": "provenance_operations", "requirement": "Actionable routes and evidence packets should carry provenance, source URL, actor, timestamp, correlation ID, and Trace Context-compatible identifiers where applicable.", "test": "Inspect API responses, logs, and readiness results for trace and provenance fields.", "evidence": "Trace samples, readiness result, and audit digest.", "anti_patterns": [ "Untraceable agent actions.", "Evidence packets without source URLs or timestamps." ] }, { "id": "ARW-051", "title": "Freshness and caching", "level": "SHOULD", "profile": "ARW-F1", "family": "provenance_operations", "requirement": "Machine-readable files and API responses should declare freshness, cache posture, generated time, package or content version, and canonical URL.", "test": "Fetch files and inspect headers and payload fields for freshness markers.", "evidence": "HTTP headers, payload metadata, and release notes.", "anti_patterns": [ "Stale manifests with no version.", "Conflicting generated dates across discovery files." ] }, { "id": "ARW-052", "title": "Observability and incident review", "level": "SHOULD", "profile": "ARW-F3", "family": "provenance_operations", "requirement": "Agent-facing workflows should have monitoring, abuse detection, rate-limit visibility, incident review, rollback, and public-safe audit records for support-changing events.", "test": "Review operational runbooks and incident templates for agent-facing routes.", "evidence": "Runbook, incident template, and release checklist.", "anti_patterns": [ "No rollback plan for agent routes.", "No audit path for support-claim changes." ] }, { "id": "ARW-060", "title": "Claim review gate", "level": "MUST", "profile": "ARW-F0", "family": "governance_lifecycle", "requirement": "A current AI-ready support claim must be backed by aligned page copy, machine artifact, test evidence, release note, and owner review.", "test": "Pick support claims and trace each to public evidence and a test or recorded exception.", "evidence": "Changelog, route inventory, readiness result, and owner note.", "anti_patterns": [ "Marketing-only AI-ready claims.", "Claims found only in old reports or private chat." ] }, { "id": "ARW-061", "title": "Translation parity", "level": "SHOULD", "profile": "ARW-F0", "family": "governance_lifecycle", "requirement": "Enabled public locales should preserve support boundaries, maturity labels, and no-op behavior when translated.", "test": "Run locale source checks and spot-review critical translated pages before production publication.", "evidence": "i18n check output and review notes.", "anti_patterns": [ "Translated copy that widens support claims.", "Missing support boundaries in non-English pages." ] }, { "id": "ARW-062", "title": "Readiness result export", "level": "SHOULD", "profile": "ARW-F4", "family": "governance_lifecycle", "requirement": "Sites should export a readiness result record for launch-affecting AI-ready work, including automated checks, manual checks, skipped checks, blockers, warnings, and support boundary.", "test": "Validate readiness result against the schema and compare it to release notes.", "evidence": "Readiness result JSON and release checklist.", "anti_patterns": [ "Score-only readiness claims.", "Omitting skipped checks or manual review status." ] } ], "support_boundary": "AI-Ready Web requirements are public guidance and evidence expectations. They do not authorize scraping, bypass policy, validate credentials, grant tools, execute workflows, certify implementations, endorse agents, prove safety, or prove consciousness." }