Skip to main content

ByUpdated

Implementation

Compliance Checklist

Interactive layer-by-layer checklist for BiModal Design compliance. Check off items as you implement each layer — progress is tracked in real time.

Maturity Levels

Your BiModal maturity level is determined by which Defense in Depth layers you have fully implemented. Each level unlocks a new class of agent capability.

LevelName
0
Infrastructure Ready

Server-side rendering configured; no agent-specific markup yet

1
Agent Visible

FR-1 compliant, semantic HTML, data-agent-* attributes in place

2
Agent Readable

Structured data enables knowledge graph extraction and AI overviews

3
Agent Integrated

API surface enables programmatic access beyond page scraping

4
Agent Native

Full protocol support — MCP tools, Agent Card, agentic workflows

Layer Checklist

Click items to mark complete. Click "details" for implementation notes. Progress resets on page refresh.

All primary content must be present in the initial HTTP response. Enables access by curl, HTTP scrapers, and Level 0 agents.

  • All primary content renders server-side (SSR or SSG)
  • No critical content loaded exclusively in useEffect or componentDidMount
  • Progressive enhancement: core functionality works without JavaScript
  • noscript fallback provided for any JS-dependent dynamic content
  • Skeleton loaders annotated with data-agent-mitigation="skeleton"
  • Time-to-first-byte (TTFB) under 800ms for primary pages

HTML5 landmarks, ARIA roles, heading hierarchy, and data-agent-* attributes. Enables structured parsing agents.

  • HTML5 landmarks: <header>, <nav>, <main>, <footer> present on every page
  • One <h1> per page — the page title
  • No skipped heading levels (h1 → h3 without h2 is invalid)
  • All <nav> elements have unique aria-label attributes
  • Skip-to-content link present with data-agent-action="skip-to-content"
  • data-agent-framework and data-agent-mode on <html> element
  • data-agent-page and data-agent-intent on <main> element
  • data-agent-component on major UI sections (navigation, hero-banner, product-list, etc.)
  • data-agent-content on key content fields (page-title, product-name, product-price, etc.)
  • data-agent-action on interactive elements (add-to-cart, view-product-details, etc.)
  • All images have descriptive alt text (not empty or "image")
  • Forms have associated <label> elements for every input

Schema.org JSON-LD and microdata. Enables knowledge graph agents and AI overviews.

  • JSON-LD script block in <head> for primary page entity
  • Schema.org @type matches the page content type
  • Required properties present for each @type (name, description, url minimum)
  • BreadcrumbList on all pages deeper than root level
  • Product pages: price, currency, availability in Offer schema
  • Article pages: author, datePublished, dateModified present
  • Google Rich Results Test passes with no errors
  • Schema.org Validator passes with no critical errors

OpenAPI-documented REST or GraphQL API with discovery links. Enables API-capable agents.

  • OpenAPI 3.x specification at /api/openapi.json or /api/openapi.yaml
  • <link rel="api"> in <head> pointing to OpenAPI spec
  • All public API endpoints documented in OpenAPI spec
  • Every endpoint has operationId, summary, and description
  • All request/response schemas defined in components/schemas
  • Authentication documented in securitySchemes (OAuth2, API key, etc.)
  • Rate limits documented in x-rate-limit-* extensions or description
  • API returns CORS headers allowing agent origins
  • robots.txt references API spec location

MCP server, Agent Card, and protocol discovery. Enables MCP/A2A protocol agents and agentic workflows.

  • MCP server implemented and deployed
  • MCP tools cover all primary agent use cases
  • Agent Card at /.well-known/agent.json returns HTTP 200
  • Agent Card schemaVersion, name, description, and skills are populated
  • Agent Card skills list examples for each capability
  • robots.txt allows major AI crawlers (GPTBot, ClaudeBot, Googlebot-Extended)
  • llms.txt at /llms.txt with site guidance (optional but recommended)
  • sitemap.xml up to date and referenced in robots.txt

Agent-specific security controls. Required for any implementation with authentication or sensitive data.

  • Authenticated routes require valid session/token for all agent access
  • Rate limiting applied to all API endpoints accessible by agents
  • MCP tool inputs validated and sanitized (no prompt injection via tool results)
  • Agent interactions logged with user ID, action, and timestamp
  • Sensitive data (PII, credentials) never included in data-agent-* attributes
  • robots.txt Disallow rules for /admin, /api/admin, /.env, and similar paths
  • MCP server uses scoped permissions (read-only vs. write tools)
  • CSP headers do not block agent-required inline JSON-LD scripts

Continue reading

Implementation Plan

Week-by-week rollout guide

Troubleshooting

Common problems and solutions