Redesign DACS directory for human and agent discovery#8
Conversation
Addresses the four findings from the PR #8 review: - structuredData: new safeJsonLd() escapes `<` when serializing JSON-LD. JSON.stringify does not escape `<`, so seller-controlled listing titles/descriptions and display names containing `</script>` broke out of the homepage and service-page ld+json blocks — a stored XSS reachable by any seller the passive scanner discovers. Data is unchanged after JSON.parse; a regression test proves both properties. - DirectoryExplorer/service hero: restore the owner-registered / found on-chain / unverified-submission provenance cue that PR #7 added and this redesign dropped. Without it an unsigned third-party submission's chosen display name rendered unqualified on cards and the service hero. - publicUrl: log a one-time production warning when NEXT_PUBLIC_DIRECTORY_URL is unset, and document the failure mode in the README — otherwise canonical URLs, the sitemap, robots and llms.txt silently advertise localhost:3400. - sitemap: only advertise active listings, matching the discovery surface (revoked listings remain on seller history pages but are not destinations). - contracts: OpenAPI limit maximum corrected 100 → 200 to match what parsePagination actually enforces; contract test locks the two together. typecheck clean, 23/23 tests, production build passes. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
|
Reviewed this PR and pushed fixes for the findings in 1. Stored XSS through the JSON-LD blocks — fixed (the one blocker)
Fix: new 2. Provenance cue restored on cards and the service hero The redesign dropped the "owner-registered / found on-chain / unverified submission" label that PR #7 added, leaving it only on the seller profile. That mattered because an unsigned third-party registration controls the display name — the redesigned cards showed "by {name}" with a "listing verified" badge right next to it, lending unearned credibility to a name nobody attested. The cue is back on directory cards ( 3. Localhost canonical-URL footgun — now loud instead of silent
4. Discovery consistency nits
Not changed, deliberately: the JSON-LD Validation on the rebased branch: |
|
Ran a post-merge Railway preview QA pass on Finding: the
Why it matters: the preview now makes the Directory and deal lookup tangible, but the proof CTA currently terminates in an error for the sample deal. This looks like a runtime verifier/RPC/artifact reachability issue rather than layout: no browser console errors, Other checks from the same pass:
Suggested fix: re-check the live verifier path used after the deal bundle is loaded, especially any RPC/base URL/env wiring that differs between local and Railway. The UI shell itself looked good in this pass. |
What changed
llms.txt, typedLinkheaders, JSON alternates, ETags, cache policy, robots, and a live-catalog sitemapWhy
The merged MVP proved the cryptographic and catalog behavior, but the interface still read like an operator console. Human buyers need to understand the offer and trust model quickly, while agent buyers need a first-class machine contract that never depends on scraping HTML.
Impact
Humans can now find a service, understand payment/delivery and three separate trust layers, inspect the seller, and reach the truthful next action. Agents can start with only the site origin and discover the catalog, filters, schemas, listing artifacts, seller data, and freshness state.
Deployments should set
NEXT_PUBLIC_DIRECTORY_URLto the public origin so canonical URLs, sitemap, and plain-text discovery links use the production host.Railway deployment
/api/healthreadiness check pass/dataLinkheaders resolve to the Railway domainGitHub-source deployments now clone the pinned private SDK with a fine-grained read-only token stored as a Railway secret. The credential is supplied through Git environment configuration and is not written to the checkout or remote URL. The service is configured with the directory monorepo root and its checked-in
railway.json; the CLI packaging path remains available as a fallback.Validation
npm test— 22/22 passingnpm run typechecknpm run build— all routes compilenpm audit --omit=dev— 0 vulnerabilitiesgit diff --check9c008bb, including authenticated private-SDK clone, Railpack build, health check, persistent indexed data, public-origin links, and 9 active listingsVisual QA note
Source, responsive behavior, semantic structure, production rendering, and HTTP routes were validated. An interactive browser session was unavailable in this workspace, so desktop/mobile screenshot comparison and direct wallet interaction should be included in preview-deployment review.