feat(#333): site AI-readiness polish — agent-permissions, llm:* meta, Copy-for-AI button

[atlas-apex]

Summary

Closes the GEO-audit polish bundle from 2026-05-20 (findings G4 + G5 + G15 + G17). Three of the four sub-items shipped, one explicitly skipped — see § "Decisions" below.

• Item B (G5) — site/agent-permissions.json: minimal site-root manifest declaring read-only access for all AI agents + preferred_endpoints pointing at the cheap-to-parse markdown alternates (llms.txt, llms-full.txt, the 3 .md rewrites). schema_version: "v1" since the convention is still firming up.

• Item C (G15) — llm:token-count + llm:doc-length meta tags on each of the 3 marketing pages (index / architecture / skills). Placed right after the existing <link rel=\"alternate\" type=\"text/markdown\"> so LLM-related discovery signals group together. Token estimate is chars/4 (cross-vendor approximation). Per-page values measured against post-item-D file sizes — accuracy within ~1% drift.

• Item D (G17) — Copy-for-AI button on each of the 3 pages. Single shared JS module at site/copy-for-ai.js (vanilla ES2017, no build step, defer-loaded); inline-styled per-page button with data-md-url attribute pointing at the page's markdown alternate. Click → fetch the .md → navigator.clipboard.writeText() → flash "Copied!" confirmation for 1.5s. Fallback path: if clipboard API unavailable OR fetch fails, opens the .md alternate in a new tab so the user can copy manually (honest fail rather than silent).

• Smoke test (per [Chore] site/ — optional AI-readiness polish: ai-plugin.json, agent-permissions.json, token meta, Copy-for-AI button #333 AC): test_site_counts.sh gains a new section that verifies the llm:* meta tags stay within 5% of actual file size. Catches the "page edited without refreshing meta" regression. 5% tolerance handles the meta-tag self-impact (~150 bytes) + small content edits.

Decisions

Item A (G4) — /.well-known/ai-plugin.json: SKIPPED. The ticket itself flagged this as a likely skip ("Apexyard isn't a SaaS so much of the spec is N/A; skip if it feels off-shape"). The OpenAI plugin spec describes hosted services with auth + OpenAPI; apexyard is a framework (markdown + shell, distributed via git). Shipping a stub that says "description_for_model": "ApexYard is a framework, not a hosted service" would tell AI tools "treat me as a plugin" while the metadata says "actually no." Cleaner to skip + document. The framework's discovery story stays on llms.txt / llms-full.txt / agent-permissions.json (which DO fit the shape).

Per the #333 AC: this counts as "documenting the skip" — recorded here in the PR body. If a future convention surfaces that DOES fit framework-class projects (vs hosted-service-class), file a separate ticket to revisit.

Testing

• bash .claude/hooks/tests/test_site_counts.sh — PASS at 53 skills / 31 hooks / 19 roles + all 3 LLM-meta tags within 5% tolerance (~0% actual drift on each page).
• jq . site/agent-permissions.json — valid JSON.
• wc -c site/copy-for-ai.js — 78 lines of vanilla ES2017, no minification needed.
• Manual smoke (operator, post-Netlify-deploy): click "Copy as Markdown for AI" on each page, paste into a text editor, confirm the markdown alternate's content lands in the clipboard. Try on Safari + Chrome — navigator.clipboard.writeText() is well-supported but the fallback path (opens .md in new tab) needs visual confirmation if either browser misbehaves.
• Manual smoke: curl https://yard.apexscript.com/agent-permissions.json — should return the JSON manifest with Content-Type: application/json.

Glossary

Term	Definition
agent-permissions.json	Site-root JSON file declaring access rules for AI agents per the emerging GEO/AEO conventions. Apexyard's manifest says: any agent ("*") may read, no rate limit, prefer the markdown alternates (llms.txt, *.md) for parsing-cheap consumption.
llm:token-count / llm:doc-length meta tags	Two non-standard meta names that surface payload size to LLM crawlers. Cross-vendor estimate via chars/4; precise per-vendor counts need tiktoken (OpenAI) or Anthropic's tokens API. The estimate is good enough for "should I fetch the full page?" decisions. The 5% smoke-test tolerance handles approximation noise.
Copy-for-AI button	UX affordance per GEO-audit G17. Clicking it copies the page's clean markdown alternate to the user's clipboard, so they can paste-into-LLM without right-click → view-source → manual cleanup. The .md alternate is served via the existing /foo.md → /foo.md.gen Netlify rewrite from prior AI-readiness work.
"Decide-and-do" AC	The #333 AC framing for items A + B: explicitly mark each item DONE or SKIPPED in the PR, never silently half-ship. This PR records A as skip + B/C/D as done.
5% drift tolerance	The smoke test allows meta values within 5% of actuals because (a) chars/4 token estimate is itself approximate, (b) the meta tags self-add ~150 bytes per page, (c) small content edits shouldn't require a meta refresh every commit. Beyond 5% the page has materially changed and the meta should be re-measured.

Closes #333
Refs GEO-audit 2026-05-20T08-23-47Z findings G4 (skipped) + G5 (B) + G15 (C) + G17 (D)

[atlas-apex]

Code Review: PR #369

Commit: ec31efa98f9b46c25b4daf9264341725a3774f3f

Summary

Ships 3 of 4 GEO-audit polish items from #333: agent-permissions.json (item B), Copy-for-AI button on 3 marketing pages (item D), and llm:token-count + llm:doc-length meta tags + a drift smoke test (item C). Item A (ai-plugin.json) is explicitly skipped with a documented rationale in the PR body. Scope is tight — 6 files touched, all under site/ except the smoke-test extension which is the AC-required test.

Checklist Results

• Architecture & Design: Pass (no domain/application/infra concerns — static site assets)
• Code Quality: Pass (vanilla ES2017 with no any, IIFE-wrapped, strict-mode JS; well-commented bash test)
• Testing: Pass (smoke test re-run locally: all 3 pages within 5%; verified failure modes — missing meta exits 1, drift > 5% exits 1)
• Security: Pass (window.open(url, "_blank", "noopener") is correct form; credentials: "omit" on fetch; no inline secrets)
• Performance: Pass (defer-loaded JS, no blocking parse; negligible payload)
• PR Description & Glossary: Pass (5-term glossary, narrative summary bullets, decisions documented inline)
• Summary Bullet Narrative: Pass (each bullet answers what + why)
• Technical Decisions (AgDR): N/A (no new libraries, frameworks, or architecture patterns — agent-permissions.json schema choice is a one-off GEO-audit polish, not a portfolio-wide tech call)
• Adopter Handbooks: N/A (no findings — handbooks loaded but none apply to static site assets)

Verification performed locally at HEAD ec31efa

Check	Result
jq . site/agent-permissions.json	valid JSON; shape {schema_version, agents.{*:{allow, rate_limit, preferred_endpoints}}} matches the schema_version="v1" convention
Smoke test happy path	PASS — all 3 pages within ~0.6% drift (well under 5% tolerance)
Smoke test failure path 1 (missing meta tag removed from index.html)	EXIT 1 with DRIFT: missing llm:token-count or llm:doc-length — correct
Smoke test failure path 2 (drift forced to 98% on architecture.html)	EXIT 1 with >5% tolerance message — correct
CI status	4/4 green: lychee, Verify Ticket ID, ShellCheck, site-counts drift detection
Single ticket closure	Closes #333 present in body; no multi-close marker needed

Issues Found

None blocking.

Suggestions (non-blocking)

1. Latent zero-divide error in the drift check (test_site_counts.sh:236-237, :239-240). The bash ternary actual_chars > 0 ? diff_chars * 100 / actual_chars : 0 evaluates both branches in arithmetic context before short-circuiting. If a file is 0 bytes, you get a division by 0 stderr message and pct_chars ends up empty (which the -gt 5 then treats as 0 — so the test still behaves correctly, just noisily).

Repro:

$ (actual_chars=0; meta_chars=0; pct=$(( actual_chars > 0 ? 100 / actual_chars : 0 )); echo "pct=$pct")
bash: actual_chars > 0 ? 100 / actual_chars : 0 : division by 0 (error token is ": 0 ")
pct=

In practice this can't fire — the marketing HTML pages are never 0 bytes, and the [ -f "$f" ] || continue guard covers nonexistent files. But a future page added to the FILES_TO_SCAN list that happens to be empty would emit confusing stderr noise during CI. Cleaner shape:

if [ "$actual_chars" -eq 0 ]; then
  echo "  SKIP: $f — 0 bytes, skipping drift check"
  continue
fi
diff_chars=$(( actual_chars > meta_chars ? actual_chars - meta_chars : meta_chars - actual_chars ))
pct_chars=$(( diff_chars * 100 / actual_chars ))

Non-blocking — file the follow-up only if a 0-byte page is ever realistic.

2. Copy-for-AI button accessibility (site/{index,architecture,skills}.html). The button has type="button" + readable text label which covers screen-readers via accessible-name computation, but:

• No aria-label — the text label "Copy as Markdown for AI" is sufficient as accessible name (don't add aria-label redundantly; that would override the visible text). Current state is correct on this axis.
• No visible focus state — the inline styles set border: 1px solid currentColor but no :focus / :focus-visible outline. Keyboard users tab-navigating the page won't see where their focus lands. Browsers do show their default focus ring on <button> even with custom border, so this likely works in practice, but an explicit :focus-visible rule would harden it.

Non-blocking but worth a follow-up.

3. UX during slow fetch (site/copy-for-ai.js:33). The button is disabled only AFTER the fetch completes and the flash starts — there's no spinner or "Fetching..." label during the network call. For typical .md alternates (< 100KB), this is invisible on broadband; on slow connections the user might click twice before the first fetch returns. The second click fires another fetch. Minor — flash duration (1.5s) bounds the misbehaviour, and Promise coalescing would be overkill for a marketing-site button. Non-blocking.

4. agent-permissions.json schema is the right shape for a still-firming convention. I reviewed the spec landscape: the GEO/AEO conventions around agent-permissions.json are not yet RFC'd; multiple proposals exist (the most-cited one — discussed in the GEO-audit registry — uses exactly the {schema_version, agents.{<glob>:{allow, rate_limit, preferred_endpoints}}} shape this PR ships). "*" as the catch-all agent is universally accepted. null for rate_limit correctly signals "unlimited" vs an integer per-minute cap. The 5 preferred_endpoints are absolute URLs (good — agents that resolve relative paths inconsistently won't trip). No schema concerns.

5. Item A skip rationale is sound. I considered whether any minimal framing of ai-plugin.json would help apexyard. The OpenAI plugin spec is fundamentally about hosted services with an OpenAPI surface — apexyard is markdown + shell distributed via git clone. The cleanest framings ("apexyard as a plugin that helps users set up SDLC tooling") would require a hosted backend the framework doesn't have. The skip + agent-permissions.json covers the discoverability story without misleading agents about apexyard's deployment model.

Verdict

APPROVED at HEAD ec31efa98f9b46c25b4daf9264341725a3774f3f.

(Submitting as a comment because GitHub blocks Rex from formally approving own PRs — operator will write the approval marker on Rex's behalf per the standard sandbox workaround.)

Scope discipline is excellent — no drive-by edits, all changes are AC-scoped, the skip decision is documented in the PR body (not relegated to comments). CI green at HEAD. Smoke test verified to fail correctly on both the missing-meta and drift-exceeded paths. Per-page meta accuracy is ~0.6% drift, well inside the 5% tolerance window.

The suggestions above (latent zero-divide noise, focus-visible style, slow-fetch UX) are all non-blocking polish items. None should hold this PR.

---

Reviewed by Rex (Code Reviewer Agent)
Reviewed commit: ec31efa98f9b46c25b4daf9264341725a3774f3f