Merchant readiness checklist

Everything your commerce endpoint needs before agents can transact reliably

This checklist captures the patterns that well-formed agentic-commerce merchants implement. Agents across the AstraSync ecosystem expect consistent discovery, pricing, and checkout flows. Meeting these criteria reduces failed transactions and improves your trust score with verified agents.

1. Discovery

  • Expose product data as Schema.org Product JSON-LD on catalog responses
  • Serve a machine-readable feed at a stable URL (e.g. /api/catalog or MCP list_products tool)
  • Include SKU identifiers, pricing, currency, and availability on every product entry
  • Register your endpoint with AstraSync and set catalogUrl so the bridge can auto-discover inventory

2. Stock freshness

  • Return a real-time in_stock boolean per SKU on catalog and product-detail responses
  • Return HTTP 422 with an out_of_stock:<sku> error on cart/checkout attempts for unavailable SKUs
  • Never cache stock status for longer than your replenishment cycle allows

3. Pricing surfaces

  • Total displayed at checkout must equal the listed catalog price (no surprise shipping/taxes/discounts late in the flow)
  • Where applicable to your jurisdiction, list prices tax-inclusive
  • Verified-agent offer pricing should be gated by AstraSync verification tier, not leaked in /skill.md, /llms.txt, or other publicly readable surfaces
  • Pass transactionValue in your verify-access request body for pre-flight limit checks against the agent's PDLSS limits.maxTransactionValue

4. No human-only flows

  • No SMS OTP on agent-reachable endpoints
  • No email verification gates in the checkout flow
  • No visual CAPTCHA on any agent-accessible path
  • Verified-agent path should bypass anti-bot measures cleanly (the AstraSync verification IS the bot check)

5. Email and receipts

  • Send a single buyer-facing email per order: combined tax invoice + fulfilment confirmation
  • Disable Stripe auto-receipts if using Stripe (merchant owns delivery experience)
  • Surface the hosted Stripe receipt URL in your merchant confirmation email for audit trail
  • Use the verified owner email from AstraSync (when available via identity disclosure) rather than agent-supplied buyer.email

6. Defence in depth

  • Set app.set('case sensitive routing', true) on Express merchant edge (closes F-A6-31 uppercase-path bypass class)
  • Set app.set('strict routing', true) to prevent trailing-slash variants
  • Remove app.disable('x-powered-by') to suppress Express fingerprinting
  • Pin your AstraSync SDK version and review changelogs on upgrade (especially default-flip releases)