Public compliance tracker
GraphCentric coverage against The Website Specification checklist
This page tracks GraphCentric's public website and platform capabilities against the 137 topics in The Website Specification checklist. The checklist priority is the source site's label. The GraphCentric priority is our mission fit: durable semantic resources, governed data access, agent readiness, and trustworthy public web delivery.
Status labels are intentionally pragmatic: covered means implemented or structurally present; partial means useful platform support exists but needs hardening, site-wide rollout, or verification; gap means relevant but not yet implemented; not applicable means the topic does not fit the current public site or product surface.
Foundations
The HTML, head, and document basics every page needs.
| Topic | Checklist | Status | GC priority | Evidence and next action |
|---|---|---|---|---|
| The HTML doctype | Required | Covered | High | Public template starts with the HTML5 doctype. |
| The lang attribute on html | Required | Covered | High | Public template sets lang="en". Revisit when localisation begins. |
| meta charset | Required | Covered | High | Public template declares UTF-8 early in the head. |
| meta viewport | Required | Covered | High | Public template uses device-width viewport and does not disable scaling. |
| The title element | Required | Partial | High | Template provides a title fallback. Need audit of per-resource unique titles. |
| meta name="description" | Recommended | Partial | High | Template has fallback and resource-driven description support. Need page uniqueness audit. |
| Canonical URL | Recommended | Partial | Mission critical | GraphCentric models canonical and concrete resources explicitly. Need site-wide canonical link audit. |
| Favicons and app icons | Recommended | Covered | Medium | Public template advertises SVG and ICO favicons, an Apple touch icon, a web app manifest, and a maskable app icon generated from the GraphCentric octopus asset. |
| meta name="theme-color" | Recommended | Covered | Low | Public template includes dark and light theme-color metadata. |
| meta name="color-scheme" | Recommended | Covered | Low | Public template declares support for dark and light colour schemes. |
| Open Graph protocol | Recommended | Partial | Medium | Public template now emits OG site name, type, title, and description. Add per-page og:url and og:image next. |
| Feed discovery with rel="alternate" | Recommended | Partial | High | Blog advertises RSS through link sidecars. Confirm every feed is advertised from relevant pages. |
| Feed content hygiene | Recommended | Partial | Medium | RSS exists. Need validation, stable GUID review, self link, and cadence metadata. |
| Popover API | Recommended | Deprioritised | Low | Useful for future menus or dialogs, but not central to current platform capability. |
SEO
Search visibility, robots, sitemaps, canonicals, and structured data.
| Topic | Checklist | Status | GC priority | Evidence and next action |
|---|---|---|---|---|
| robots.txt | Recommended | Covered | High | Public resources include templated robots.txt with sitemap discovery. |
| XML sitemaps | Recommended | Covered | High | Mothership serves dynamic sitemap resources from authorised web resources. |
| Sitemap index files | Recommended | Not applicable | Low | Not needed at current site scale. Revisit if content volume grows significantly. |
| Image and video sitemap extensions | Optional | Deprioritised | Low | No media-heavy SEO surface yet. |
| URL structure | Recommended | Covered | Mission critical | Resource URIs are explicit, stable, and treated as public contracts. |
| Redirects | Required | Partial | High | Redirect resources are supported and root redirects to canonical index. Need redirect-policy audit. |
| Server-side rendering | Recommended | Covered | Mission critical | Mothership renders primary HTML server-side from RDF state and templates. |
| Soft 404s | Avoid | Partial | High | Unauthorized internal resources return 404. Need custom error pages and crawler audit. |
| Meta robots and X-Robots-Tag | Required | Gap | High | Add explicit indexing policy for public, staging, internal, and private resources. |
| Heading hierarchy | Required | Partial | High | Pages use semantic headings. Need automated or manual outline audit. |
| Internal linking | Recommended | Partial | High | Navigation, footer, resource alternates, and deck links exist. Need link graph review. |
| Structured data | Recommended | Covered | Mission critical | RDF and JSON-LD are core platform features; public template embeds JSON-LD when available. |
| Breadcrumbs | Recommended | Gap | Medium | Add visible breadcrumbs and BreadcrumbList JSON-LD where hierarchy matters. |
| IndexNow | Optional | Deprioritised | Low | Not needed until publication velocity justifies push recrawl. |
Accessibility
WCAG-aligned rules so people of all abilities can use the site.
| Topic | Checklist | Status | GC priority | Evidence and next action |
|---|---|---|---|---|
| Colour contrast | Required | Partial | High | Design uses high-contrast dark surfaces. Need automated contrast audit across themes. |
| Image alt text | Required | Partial | High | Need image inventory and alt text audit for public assets. |
| Form labels | Required | Partial | High | Forms exist in public and authenticated surfaces. Need label association audit. |
| Keyboard navigation | Required | Partial | High | Native links and buttons are used in many areas. Need keyboard-only traversal test. |
| Visible focus indicators | Required | Covered | High | Site CSS includes explicit high-contrast :focus-visible outlines for controls. |
| Skip links | Required | Covered | High | Public template includes a skip-to-main link targeting the main content region. |
| Semantic HTML and landmarks | Required | Covered | High | Templates use header, nav, main, footer, sections, articles, and real controls. |
| ARIA first rule of ARIA | Recommended | Partial | High | Native elements are preferred. Need ARIA usage review for interactive pieces. |
| Descriptive link text | Required | Partial | High | Most navigation labels are descriptive. Need public content audit for vague links. |
| Empty links and buttons | Avoid | Partial | High | Icon SVGs are marked decorative in places. Need empty interactive control audit. |
| Accessible form errors | Required | Gap | High | Standardise form error markup and announcements for update failures. |
| Document and parts language | Required | Covered | High | Document language is set. Inline language support becomes relevant with multilingual content. |
| Reduced motion | Required | Covered | Medium | Site CSS respects prefers-reduced-motion by disabling smooth scrolling, transitions, and animations. |
| Accessibility overlays | Avoid | Covered | High | No accessibility overlay is used or planned. |
| Captions and transcripts | Required | Not applicable | Medium | No primary audio or video content currently. Required if talks or video are published. |
| Accessible data tables | Required | Partial | High | This report uses real tables. Need audit of all data-table-like layouts. |
| Touch target size | Required | Partial | High | Primary controls are large. Need mobile touch target audit across pages. |
| Hidden until found | Recommended | Deprioritised | Low | Useful for future dense docs, not required for the current public site. |
| Mobile-friendly form inputs | Recommended | Partial | Medium | Need form input type, inputmode, enterkeyhint, and font-size audit. |
| Native interactive elements | Recommended | Covered | High | Navigation and theme controls use anchors, buttons, details, and summary. |
| CSS state and relational selectors | Recommended | Deprioritised | Low | Good progressive enhancement, but not mission-critical now. |
Security
Headers, transport, and policies that keep visitors safe.
| Topic | Checklist | Status | GC priority | Evidence and next action |
|---|---|---|---|---|
| HTTPS and TLS | Required | Covered | Mission critical | Caddy terminates HTTPS for local and production-style environments. |
| HSTS | Required | Gap | High | Add production HSTS policy deliberately after confirming preload/subdomain commitments. |
| Mixed content and upgrade-insecure-requests | Recommended | Partial | High | Site uses HTTPS origins. Add CSP safety net and scan for HTTP subresources. |
| Content Security Policy | Recommended | Gap | High | Define CSP compatible with inline JSON-LD, templates, and current scripts. |
| security.txt | Recommended | Gap | Medium | Publish /.well-known/security.txt with contact and policy. |
| X-Content-Type-Options | Required | Gap | High | Add nosniff at the edge or runtime for relevant responses. |
| Clickjacking protection | Required | Gap | High | Add CSP frame-ancestors and legacy fallback if needed. |
| Cross-origin isolation | Recommended | Deprioritised | Low | Not required unless we need SharedArrayBuffer or stricter isolation features. |
| Referrer-Policy | Recommended | Gap | High | Add strict-origin-when-cross-origin unless a stricter policy is chosen. |
| Permissions-Policy | Recommended | Gap | Medium | Deny unused powerful browser features by default. |
| Subresource Integrity | Recommended | Not applicable | Medium | Most assets are self-hosted. Required if third-party JS or CSS is introduced. |
| Cookie attributes | Required | Partial | Mission critical | Authentication uses Keycloak and Mothership flows. Need cookie attribute audit across auth/session cookies. |
| DNS CAA records | Recommended | Gap | Medium | DNS-level production task outside the app repo. |
| DNSSEC | Optional | Deprioritised | Low | Desirable defence in depth, but dependent on registrar and operational appetite. |
Well-Known URIs
Standard agreed-upon paths under /.well-known/.
| Topic | Checklist | Status | GC priority | Evidence and next action |
|---|---|---|---|---|
| Well-known URIs | Recommended | Partial | High | Platform can serve explicit resources. Need a deliberate well-known publication set. |
| change-password | Optional | Gap | Medium | Relevant because the site has login. Add redirect to Keycloak/account password flow. |
| webauthn | Optional | Not applicable | Low | No related-origin passkey deployment yet. |
| openid-configuration | Optional | Not applicable | Low | GraphCentric relies on Keycloak rather than acting as the OIDC provider at this host. |
| api-catalog | Recommended | Gap | Mission critical | Strong fit for resource and update discovery. Publish Linkset catalog for public APIs/resources. |
| webfinger | Optional | Deprioritised | Low | No Fediverse account discovery use case yet. |
| apple-app-site-association | Optional | Not applicable | Low | No native iOS app integration yet. |
| assetlinks.json | Optional | Not applicable | Low | No native Android app integration yet. |
| nodeinfo | Optional | Deprioritised | Low | No federated platform node stats use case yet. |
| traffic-advice | Optional | Deprioritised | Low | Consider only if private prefetch proxy traffic becomes material. |
Agent Readiness
Things that make a site legible to AI agents and crawlers.
| Topic | Checklist | Status | GC priority | Evidence and next action |
|---|---|---|---|---|
| Agent readiness | Recommended | Covered | Mission critical | Agent-readable, linked, semantic resources are central to GraphCentric. |
| llms.txt | Recommended | Covered | High | Public resource /llms.txt gives agents a curated index of core GraphCentric pages and ideas. |
| llms-full.txt | Optional | Gap | Medium | Useful while the public site is small. Consider generated full-text export. |
| Per-page Markdown source endpoints | Recommended | Partial | Mission critical | Index advertises Markdown alternate. Extend pattern to all documentation-like pages. |
| robots.txt for AI crawlers | Recommended | Gap | High | Add explicit AI crawler policy to robots.txt. |
| Content Signals in robots.txt | Optional | Gap | Medium | Relevant for public licensing posture. Add once policy is decided. |
| Web Bot Auth | Optional | Deprioritised | Low | Monitor standard maturity before implementation. |
| Stable URLs | Required | Covered | Mission critical | Stable resource URIs are a platform design rule. |
| Structured data for agents | Recommended | Covered | Mission critical | RDF, JSON-LD frames, and embedded resource models are first-class. |
| Machine-readable formats | Recommended | Covered | Mission critical | Resources can expose HTML, JSON-LD, Turtle, Markdown, and other alternates. |
| HTTP Link headers for discovery | Recommended | Covered | Mission critical | Mothership projects explicit link nodes into HTTP Link headers and HTML links. |
| MCP and tool discovery | Optional | Gap | High | Strong mission fit. Define safe public MCP tools and discovery metadata. |
| A2A agent cards | Optional | Deprioritised | Low | Wait for clearer product need and standard maturity. |
| Agent Skills discovery | Recommended | Gap | High | Good fit. Publish skills for resource discovery, auth, and graph inspection when stable. |
| DNS for AI Discovery | Optional | Deprioritised | Low | Monitor; depends on DNS operations and adoption. |
| NLWeb | Optional | Gap | Medium | Potential public demo surface, but MCP/resource discovery should come first. |
| WebMCP | Optional | Deprioritised | Low | Browser-native agent APIs are not stable enough to prioritise. |
| Schemamap | Optional | Gap | High | Excellent semantic-web fit. Explore generating schemamap from resource configuration graph. |
Performance
Core Web Vitals, caching, images, fonts, and network behaviour.
| Topic | Checklist | Status | GC priority | Evidence and next action |
|---|---|---|---|---|
| Core Web Vitals | Required | Gap | High | Add measurement through Lighthouse, RUM, or synthetic checks. |
| Image optimisation | Required | Partial | Medium | Images are self-hosted. Need dimensions, formats, and responsive image audit. |
| Lazy loading images, iframes, and video | Recommended | Partial | Medium | Audit offscreen media and add native lazy loading where appropriate. |
| Preload, prefetch, preconnect | Recommended | Gap | Medium | Add only after identifying critical fonts/images and likely next navigations. |
| Cache-Control headers | Required | Partial | High | Varnish is in path. Need explicit policy for HTML, assets, and private resources. |
| Conditional requests | Recommended | Covered | Mission critical | Repository docs describe query cache, ETag, and stream invalidation support. |
| No-Vary-Search response header | Recommended | Gap | Medium | Useful for tracking parameters. Need safe query parameter policy. |
| Compression | Required | Covered | High | Caddy configuration enables zstd and gzip. |
| Web font loading | Recommended | Partial | Medium | Fonts are site-controlled. Need font-display, subsetting, and preload review. |
| Critical CSS and render-blocking resources | Recommended | Gap | Medium | CSS is currently linked normally. Optimise if metrics show render blocking. |
| Script loading | Recommended | Partial | Medium | Small inline and theme scripts exist. Need defer/module audit for external scripts. |
| HTTP/2 and HTTP/3 | Recommended | Covered | High | Caddy reports h1, h2, and h3 support in local environment. |
| Speculation Rules | Recommended | Deprioritised | Low | Could help navigation, but not before cache and metric basics. |
| Resource hints overview | Recommended | Gap | Medium | Same workstream as preload, prefetch, and preconnect. |
| View Transitions | Recommended | Deprioritised | Low | Nice progressive enhancement, not core to platform value. |
| Back/forward cache | Recommended | Partial | Medium | Mostly static server-rendered pages should be eligible. Need BFCache audit for scripts and streams. |
| Visibility-aware rendering | Recommended | Deprioritised | Low | Apply only to long pages with measured layout cost. |
| CSS containment | Optional | Deprioritised | Low | Optimisation tool for measured component-level issues. |
| Scroll-driven animations | Optional | Deprioritised | Low | No need for scroll animation capability now. |
| Scrollbar gutter | Recommended | Gap | Low | Add scrollbar-gutter: stable if layout shift is observed. |
| Dynamic viewport units | Recommended | Partial | Medium | Responsive CSS exists. Audit mobile full-height sections for dvh/svh/lvh needs. |
| Compression Dictionary Transport | Optional | Deprioritised | Low | Premature for current traffic and asset profile. |
Privacy
Consent, privacy signals, and respecting visitor choice.
| Topic | Checklist | Status | GC priority | Evidence and next action |
|---|---|---|---|---|
| Privacy policy | Required | Covered | High | Public site includes a privacy page linked from the footer. |
| Cookie consent | Required | Partial | High | Cookie policy exists. Need audit of actual cookies and whether consent UI is required. |
| Global Privacy Control | Recommended | Gap | Medium | Add handling once analytics and data-sharing posture is finalised. |
| Third-party scripts and privacy | Recommended | Covered | High | Public template avoids third-party scripts by default. |
| Privacy-respecting analytics | Recommended | Gap | Medium | If analytics are added, choose aggregate cookieless analytics first. |
| Data minimisation | Recommended | Partial | Mission critical | Governed updates and named graphs support minimisation. Need public statement and audit trail. |
Resilience
Graceful failure, error pages, offline support, and monitoring.
| Topic | Checklist | Status | GC priority | Evidence and next action |
|---|---|---|---|---|
| Custom error pages | Required | Gap | High | Add user-friendly 404 and 500 pages with correct status codes. |
| Maintenance pages and 503 | Recommended | Gap | Medium | Add operational maintenance response pattern with Retry-After. |
| Graceful degradation when JavaScript fails | Recommended | Partial | High | Primary public content is server-rendered. Some authenticated interactivity relies on DataStar/JS. |
| Offline support and service workers | Optional | Deprioritised | Low | Not needed for the public marketing/docs site yet. |
| Web app manifest | Recommended | Covered | Low | Public template links /site.webmanifest, which declares site identity, theme colour, and app icons. |
| Monitoring and uptime | Recommended | Partial | High | Operational services exist. Need explicit external monitoring and public/private status plan. |
Internationalisation
Language, locale, direction, and translated content.
| Topic | Checklist | Status | GC priority | Evidence and next action |
|---|---|---|---|---|
| International URL structure | Recommended | Not applicable | Low | No multilingual public site yet. Decide URL strategy before translation. |
| hreflang for language and regional URLs | Recommended | Not applicable | Low | Depends on multilingual alternates. |
| Localised page metadata | Recommended | Not applicable | Low | Depends on translated content. |
| hreflang in XML sitemaps | Optional | Not applicable | Low | Depends on multilingual sitemap alternates. |
| Avoid automatic IP-based language redirects | Avoid | Covered | Medium | No automatic geo-language redirects are used. |
| lang attribute on inline content | Required | Partial | Medium | Page language is set. Need inline language markup if non-English content appears. |
| Language switcher | Recommended | Not applicable | Low | No translated pages yet. |
| RTL and bidirectional text | Recommended | Not applicable | Low | No RTL locales yet. |
| Writing modes and CJK line breaking | Optional | Not applicable | Low | No CJK or vertical-writing locales yet. |
| Locale-aware content | Recommended | Partial | Medium | Future data-driven apps need locale-aware dates, numbers, currencies, and units. |
| Plural rules and grammatical number | Recommended | Gap | Medium | Need i18n strategy before dynamic multilingual UI strings. |
| Internationalised Domain Names | Optional | Deprioritised | Low | No IDN requirement for graphcentric.com. |
Next Priorities
Shortlist of high-fit work from this audit.
- Publish /llms.txt, expand Markdown alternates, and add an API catalog for resource and update discovery.
- Complete security response headers: CSP, HSTS, nosniff, Referrer-Policy, Permissions-Policy, and frame-ancestors.
- Audit accessibility basics: skip links, focus indicators, form labels, form errors, headings, link text, and image alt text.
- Add public metadata polish: canonical links, Open Graph, favicons, theme-color, and color-scheme.
- Add operational resilience: custom error pages, 503 maintenance handling, external monitoring, and Core Web Vitals measurement.