From b167e4e3c4fb67c6d3f981ba7fe5b90f582d3158 Mon Sep 17 00:00:00 2001
From: Derek Scruggs <djscruggs@digitalbazaar.com>
Date: Mon, 8 Jun 2026 19:32:25 -0500
Subject: [PATCH 1/5] Add opt-in Hypothesis inline review comments.

Wire the Hypothesis embed into the base layout for inline, text-anchored
review comments, as a ready-made alternative to pasting page snippets
into Slack.

It is off by default so production ships no third-party script. A review
build enables it with HYPOTHESIS_COMMENTS=1, and HYPOTHESIS_GROUP scopes
the client to a Hypothesis private group so only logged-in DB group
members see and post comments. Config lives in site.js; the layout only
emits the script (and the group config) when enabled. Document the env
vars and the private-group / access-gated review pattern in the README.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
---
 README.md                      | 21 +++++++++++++++++++++
 src/_data/site.js              |  9 +++++++++
 src/_includes/layouts/base.njk | 13 +++++++++++++
 3 files changed, 43 insertions(+)

diff --git a/README.md b/README.md
index 6b0890e..851a884 100644
--- a/README.md
+++ b/README.md
@@ -51,8 +51,29 @@ To add a page to discovery: just create it. To exclude one, set
 
 The home page, sitemap, and `llms.txt` pick it up automatically.
 
+## Inline review comments (Hypothesis)
+
+The site can load [Hypothesis](https://web.hypothes.is) for inline,
+text-anchored review comments. It is **off by default** so production ships no
+third-party script. Enable it only on a review build:
+
+```bash
+HYPOTHESIS_COMMENTS=1 HYPOTHESIS_GROUP=<group-id> npm run build
+```
+
+- `HYPOTHESIS_COMMENTS=1` injects the Hypothesis embed.
+- `HYPOTHESIS_GROUP` scopes the client to a Hypothesis **private group** so only
+  logged-in group members see and post comments; the public sees nothing. Omit
+  it to use public Hypothesis annotations (not recommended for review).
+
+Reviewers join the private group, log in to Hypothesis, highlight text, and
+comment. To also hide the Hypothesis UI itself from the public, serve the
+enabled build behind an access gate (e.g. a Cloudflare Access review URL) rather
+than on the public production site.
+
 ## Deployment
 
 Pushes to `main` deploy to GitHub Pages via
 [`.github/workflows/deploy.yml`](./.github/workflows/deploy.yml). Set the
 `SITE_URL` repo variable for a custom domain (e.g. `https://learnvc.org`).
+Production builds leave Hypothesis comments off (see above).
diff --git a/src/_data/site.js b/src/_data/site.js
index c06f0c2..82b71f8 100644
--- a/src/_data/site.js
+++ b/src/_data/site.js
@@ -19,6 +19,15 @@ export default {
       'Digital Bazaar builds open, standards-based infrastructure for ' +
       'Verifiable Credentials and decentralized identity.'
   },
+  // Inline review comments via Hypothesis (https://web.hypothes.is).
+  // Off by default so production carries no third-party script. Enable on a
+  // review deployment with HYPOTHESIS_COMMENTS=1. Set HYPOTHESIS_GROUP to a
+  // Hypothesis private group id to scope the client to the DB review group;
+  // logged-in members of that group see/post comments, the public does not.
+  comments: {
+    enabled: process.env.HYPOTHESIS_COMMENTS === '1',
+    group: process.env.HYPOTHESIS_GROUP || ''
+  },
   // Top-level nav. Verticals are appended automatically from the collection.
   nav: [
     {text: 'Home', url: '/'},
diff --git a/src/_includes/layouts/base.njk b/src/_includes/layouts/base.njk
index e1ddd08..889b7d3 100644
--- a/src/_includes/layouts/base.njk
+++ b/src/_includes/layouts/base.njk
@@ -59,5 +59,18 @@
     {{ content | safe }}
   </main>
   {% include "partials/footer.njk" %}
+
+  {# Inline review comments (Hypothesis). Loads only when explicitly enabled
+     (HYPOTHESIS_COMMENTS=1) so production ships no third-party script. When a
+     private group id is configured, the client is scoped to it: logged-in DB
+     group members see and post comments; the public does not. #}
+  {% if site.comments.enabled %}
+  {% if site.comments.group %}
+  <script type="application/json" class="js-hypothesis-config">
+  {"openSidebar": false, "focus": {"group": "{{ site.comments.group }}"}}
+  </script>
+  {% endif %}
+  <script src="https://hypothes.is/embed.js" async></script>
+  {% endif %}
 </body>
 </html>

From f406fda8e10713de6f8f2735ee5ab7d2a17e936a Mon Sep 17 00:00:00 2001
From: Derek Scruggs <djscruggs@digitalbazaar.com>
Date: Tue, 9 Jun 2026 09:02:03 -0500
Subject: [PATCH 2/5] Enable Hypothesis review comments on PR previews.

Wire the Hypothesis env vars into the Cloudflare Pages preview build so
each PR preview carries inline review comments, scoped to a private
group. Production (GitHub Pages) is untouched and never loads Hypothesis.

The build only enables comments when the HYPOTHESIS_GROUP repository
variable is set, so previews stay clean until the private group id is
configured. Harden the site config so comments require both the flag and
a group, never loading in public groupless mode by accident.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
---
 .github/workflows/preview.yml | 14 ++++++++++++--
 README.md                     | 12 +++++++++---
 src/_data/site.js             |  5 ++++-
 3 files changed, 25 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/preview.yml b/.github/workflows/preview.yml
index 79ca284..768c5ae 100644
--- a/.github/workflows/preview.yml
+++ b/.github/workflows/preview.yml
@@ -10,8 +10,11 @@ name: Deploy PR preview to Cloudflare Pages
 #   2. Add repository secrets:
 #        CLOUDFLARE_API_TOKEN   - token scoped to "Cloudflare Pages: Edit".
 #        CLOUDFLARE_ACCOUNT_ID  - your Cloudflare account id.
-# Until both secrets exist the deploy step is skipped, so merging this file
-# changes nothing.
+#   3. (Optional) Add repository variable HYPOTHESIS_GROUP - the Hypothesis
+#        private group id. When set, PR previews load Hypothesis inline review
+#        comments scoped to that group; production (GitHub Pages) never does.
+# Until the Cloudflare secrets exist the deploy step is skipped, so merging this
+# file changes nothing.
 
 on:
   pull_request:
@@ -46,6 +49,13 @@ jobs:
           # Each PR preview is served from its own *.pages.dev root, so
           # absolute URLs resolve correctly. SITE_URL is left at its default.
           SITE_URL: ${{ vars.PREVIEW_SITE_URL || 'https://learnvcorg.pages.dev' }}
+          # Inline review comments (Hypothesis) on previews only — never on
+          # production (GitHub Pages). Enabled only when the HYPOTHESIS_GROUP
+          # repo variable is set, so previews stay clean until the DB private
+          # group id is configured; an unset var means comments stay off rather
+          # than defaulting to public annotations.
+          HYPOTHESIS_COMMENTS: ${{ vars.HYPOTHESIS_GROUP != '' && '1' || '0' }}
+          HYPOTHESIS_GROUP: ${{ vars.HYPOTHESIS_GROUP }}
 
       - name: Check for Cloudflare credentials
         id: creds
diff --git a/README.md b/README.md
index 851a884..2ac4fbc 100644
--- a/README.md
+++ b/README.md
@@ -67,9 +67,15 @@ HYPOTHESIS_COMMENTS=1 HYPOTHESIS_GROUP=<group-id> npm run build
   it to use public Hypothesis annotations (not recommended for review).
 
 Reviewers join the private group, log in to Hypothesis, highlight text, and
-comment. To also hide the Hypothesis UI itself from the public, serve the
-enabled build behind an access gate (e.g. a Cloudflare Access review URL) rather
-than on the public production site.
+comment.
+
+**Where it's enabled:** PR previews on Cloudflare Pages only. Set the
+`HYPOTHESIS_GROUP` repository variable to your private group id; the preview
+workflow then builds each PR preview with comments on, scoped to that group.
+Production (GitHub Pages) never loads Hypothesis. Comments stay off until the
+variable is set. To also hide the Hypothesis UI from the public, keep the
+enabled build behind an access gate (e.g. Cloudflare Access) rather than the
+public site.
 
 ## Deployment
 
diff --git a/src/_data/site.js b/src/_data/site.js
index 82b71f8..1bb9b8d 100644
--- a/src/_data/site.js
+++ b/src/_data/site.js
@@ -25,7 +25,10 @@ export default {
   // Hypothesis private group id to scope the client to the DB review group;
   // logged-in members of that group see/post comments, the public does not.
   comments: {
-    enabled: process.env.HYPOTHESIS_COMMENTS === '1',
+    // Require both the flag and a private group id, so comments never load in
+    // public (groupless) mode by accident.
+    enabled:
+      process.env.HYPOTHESIS_COMMENTS === '1' && !!process.env.HYPOTHESIS_GROUP,
     group: process.env.HYPOTHESIS_GROUP || ''
   },
   // Top-level nav. Verticals are appended automatically from the collection.

From 17c762bf6cb7bd4fa046fcdbe0b185d4f7462955 Mon Sep 17 00:00:00 2001
From: Derek Scruggs <djscruggs@digitalbazaar.com>
Date: Tue, 9 Jun 2026 11:45:23 -0500
Subject: [PATCH 3/5] Apply home-page editorial review feedback.

Work through the review notes left on the home page:

- Lead with Student IDs; rename Education to "Diplomas"; hide Supply Chain
  from the chooser, nav, footer, sitemap, and llms.txt for now (the page
  still builds at /supply-chain/ and is one line to relist).
- Rewrite the "Why VCALM?" blurb around the vendor-lock-in framing and the
  formats/protocols VCALM supports (W3C VCs, mDL, mDoc, SD-JWT, OID4VCI,
  OID4VP, HAIP, DIDComm).
- Expand "VCALM" to its full name in the site description, tighten the
  call to action, and update the company blurb.
- Add a question mark to "What is VCALM?", drop the "Why VCALM" and
  "See an example" links for now, collapse the footer About column, and
  add Verifiable Credentials and Decentralized Identifiers reference links.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
---
 src/_data/site.js                            | 13 +++++++------
 src/_includes/partials/footer.njk            |  9 +++++----
 src/index.njk                                | 14 ++++++++++----
 src/verticals/education/index.njk            |  6 +++---
 src/verticals/student-id/index.njk           |  2 +-
 src/verticals/supply-chain/supply-chain.json |  4 +++-
 6 files changed, 29 insertions(+), 19 deletions(-)

diff --git a/src/_data/site.js b/src/_data/site.js
index 1bb9b8d..9c29abe 100644
--- a/src/_data/site.js
+++ b/src/_data/site.js
@@ -10,14 +10,15 @@ export default {
   tagline: 'Issue and verify W3C Verifiable Credentials — without vendor lock-in.',
   description:
     'A guide to issuing and verifying W3C Verifiable ' +
-    'Credentials with VCALM (the VC API). Pick a vertical, see how it ' +
-    'works, ship.',
+    'Credentials with the Verifiable Credential API for Lifecycle Management (VCALM). Pick a vertical, learn how it ' +
+    'works, ship it.',
   company: {
     name: 'Digital Bazaar, Inc.',
     url: 'https://digitalbazaar.com',
     blurb:
-      'Digital Bazaar builds open, standards-based infrastructure for ' +
-      'Verifiable Credentials and decentralized identity.'
+      'Digital Bazaar builds open, standards-based, production-grade digital ' +
+      'credential infrastructure for some of the largest organizations and ' +
+      'governments in the world.'
   },
   // Inline review comments via Hypothesis (https://web.hypothes.is).
   // Off by default so production carries no third-party script. Enable on a
@@ -34,8 +35,8 @@ export default {
   // Top-level nav. Verticals are appended automatically from the collection.
   nav: [
     {text: 'Home', url: '/'},
-    {text: 'What is VCALM', url: '/what-is-vcalm/'},
-    {text: 'Why VCALM', url: '/why-vcalm/'},
+    {text: 'What is VCALM?', url: '/what-is-vcalm/'},
+    // {text: 'Why VCALM', url: '/why-vcalm/'},
     {text: 'About', url: '/company/about/'},
     {text: 'Contact', url: '/company/contact/'}
   ]
diff --git a/src/_includes/partials/footer.njk b/src/_includes/partials/footer.njk
index 62195fb..9e38019 100644
--- a/src/_includes/partials/footer.njk
+++ b/src/_includes/partials/footer.njk
@@ -12,16 +12,17 @@
     <nav class="footer-col" aria-label="Learn">
       <h2>Learn</h2>
       <ul>
-        <li><a href="/what-is-vcalm/">What is VCALM</a></li>
-        <li><a href="/why-vcalm/">Why VCALM</a></li>
+        <li><a href="/what-is-vcalm/">What is VCALM?</a></li>
+        <!--<li><a href="/why-vcalm/">Why VCALM</a></li>-->
         <li><a href="https://www.w3.org/TR/vcalm/">VCALM spec</a></li>
+        <li><a href="https://www.w3.org/TR/vc-overview/">Verifiable Credentials</a></li>
+        <li><a href="https://www.w3.org/TR/did-1.1/">Decentralized Identifiers</a></li>
       </ul>
     </nav>
 
     <nav class="footer-col" aria-label="About">
       <h2>About</h2>
       <ul>
-        <li><a href="/company/about/">About</a></li>
         <li><a href="/company/contact/">Contact</a></li>
         <li><a href="{{ site.company.url }}">{{ site.company.name }}</a></li>
       </ul>
@@ -33,7 +34,7 @@
     <p>
       &copy; {{ year }}
       <a href="{{ site.company.url }}">{{ site.company.name }}</a>.
-      Built on <a href="https://www.w3.org/TR/vcalm/">VCALM</a> and
+      Built on <a href="https://www.w3.org/TR/vcalm/">W3C VCALM</a> and
       <a href="https://www.w3.org/TR/vc-data-model-2.0/">W3C Verifiable Credentials</a>.
     </p>
     <p class="footer-meta"><a href="/llms.txt">llms.txt</a> · <a href="/sitemap.xml">sitemap</a></p>
diff --git a/src/index.njk b/src/index.njk
index a4d5740..6d3153a 100644
--- a/src/index.njk
+++ b/src/index.njk
@@ -6,10 +6,10 @@ title: false
   <p class="kicker">An open standard · W3C Verifiable Credentials &amp; VCALM</p>
   <h1>{{ site.tagline }}</h1>
   <p class="promise">{{ site.description }}</p>
-  <p class="cta">
+  <!--<p class="cta">
     <a class="btn primary" href="/why-vcalm/">Why VCALM</a>
     <a class="btn" href="/education/">See an example</a>
-  </p>
+  </p>-->
 </section>
 
 <section class="verticals">
@@ -32,8 +32,14 @@ title: false
 <section class="why">
   <h2>Why VCALM?</h2>
   <p>
-    You pick a VCALM provider and can swap it. You aren't locked to one wallet
-    vendor or one stack. The standard is open; your software stays yours.
+    The Verifiable Credential API for Lifecycle Management (VCALM) solves the
+    vendor lock-in problem in digital credential ecosystems. A global
+    standards-track solution at the W3C, it is the only digital credential
+    lifecycle management solution that ensures you don't get locked into one
+    vendor or digital credential software stack. It also doesn't force you to
+    choose things you don't want; it supports variations of W3C VCs, mDL, mDoc,
+    SD-JWT, OID4VCI, OID4VP, HAIP, DIDComm, and many other digital credential
+    formats and protocols.
   </p>
   <p><a href="{{ site.company.url }}">About {{ site.company.name }} →</a></p>
 </section>
diff --git a/src/verticals/education/index.njk b/src/verticals/education/index.njk
index 74ed00e..73111b7 100644
--- a/src/verticals/education/index.njk
+++ b/src/verticals/education/index.njk
@@ -1,10 +1,10 @@
 ---
 title: "Issue and verify Diplomas, Certificates and other credentials with VCALM"
-shortName: "Education"
-cardTitle: "Academic Credentials"
+shortName: "Diplomas"
+cardTitle: "Diplomas & academic credentials"
 summary: "Issue diplomas, transcripts, and enrollment proofs any wallet can hold and any institution can verify."
 description: "Issue and verify diplomas, transcripts, and enrollment proofs with W3C Verifiable Credentials over VCALM — no central identity provider."
-order: 1
+order: 2
 chooserIcon: educationIssue
 permalink: /education/
 ---
diff --git a/src/verticals/student-id/index.njk b/src/verticals/student-id/index.njk
index 148df4f..f372b98 100644
--- a/src/verticals/student-id/index.njk
+++ b/src/verticals/student-id/index.njk
@@ -4,7 +4,7 @@ shortName: "Student IDs"
 cardTitle: "Student IDs & campus credentials"
 summary: "Issue student IDs students control — verifiable across campus and beyond, with any wallet."
 description: "Issue digital student IDs with W3C Verifiable Credentials over VCALM — student-controlled, any wallet, no allow-lists, privacy by design. Prove enrollment without revealing identity."
-order: 3
+order: 1
 chooserIcon: studentIdIssue
 permalink: /student-id/
 ---
diff --git a/src/verticals/supply-chain/supply-chain.json b/src/verticals/supply-chain/supply-chain.json
index 582bac6..6e47075 100644
--- a/src/verticals/supply-chain/supply-chain.json
+++ b/src/verticals/supply-chain/supply-chain.json
@@ -1,4 +1,6 @@
 {
   "layout": "layouts/base.njk",
-  "tags": "supply-chain"
+  "tags": "supply-chain",
+  "_comment": "Hidden from the home chooser, nav, footer, sitemap and llms.txt for now per review (2026-06-09). The page still builds at /supply-chain/. Remove eleventyExcludeFromCollections to relist it.",
+  "eleventyExcludeFromCollections": true
 }

From 5789cb8e69bda794bf8cd078ebdfe7a8facdb5a8 Mon Sep 17 00:00:00 2001
From: Derek Scruggs <djscruggs@digitalbazaar.com>
Date: Tue, 9 Jun 2026 13:30:58 -0500
Subject: [PATCH 4/5] Reframe the format section of Why VCALM around the
 benefit.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Section 5 led with the feature ("native W3C Verifiable Credentials"),
which doesn't tell the reader why they should care. Lead with the
advantage instead — no format lock-in — and make format support the
supporting evidence.

- Heading: "Native W3C Verifiable Credentials — and the rest"
  → "No format lock-in — bring any credential format".
- Body leads with issuing the format each relying party needs, mixing
  them, and changing later without re-architecting; W3C VCs / SD-JWT /
  mdoc become the proof, not the headline.
- At-a-glance row reframed to "Freedom to choose credential format".

This also makes the section consistent with the page's other
benefit-led headings.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
---
 src/why-vcalm.njk | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/src/why-vcalm.njk b/src/why-vcalm.njk
index 6f56bd0..ca061b8 100644
--- a/src/why-vcalm.njk
+++ b/src/why-vcalm.njk
@@ -126,16 +126,17 @@ structuredData:
   </section>
 
   <section>
-    <h2>Native W3C Verifiable Credentials — and the rest</h2>
+    <h2>No format lock-in — bring any credential format</h2>
     <p>
-      <strong>With VCALM:</strong> standards-compliant W3C Verifiable Credentials
-      travel natively, and VCALM can carry other formats and protocols too — so
-      you're never forced to choose sides on format.
+      <strong>With VCALM:</strong> you're not forced to bet on one credential
+      format. It carries W3C Verifiable Credentials, SD-JWT, and ISO mdoc — so
+      you can issue the format each relying party needs, mix them, and change
+      your mind later without re-architecting.
     </p>
     <p>
-      OID4's high-assurance profile is scoped to SD-JWT and ISO mdoc and does not
-      include W3C Verifiable Credentials. If you've standardized on W3C VCs,
-      that's a wall in OID4 alone — and an open door in VCALM.
+      OID4's high-assurance profile is scoped to SD-JWT and ISO mdoc and excludes
+      W3C Verifiable Credentials. Pick that path and your format choice is made
+      for you. VCALM keeps the choice open — including the W3C VCs OID4 leaves out.
     </p>
   </section>
 
@@ -150,7 +151,7 @@ structuredData:
         <tr><td>Run OID4VCI / OID4VP</td><td>Yes — carried over VCALM</td><td>Yes (that's all it is)</td></tr>
         <tr><td>User picks their wallet</td><td>Yes, by default</td><td>Can be restricted by allow-lists (HAIP)</td></tr>
         <tr><td>Switch providers without re-integrating</td><td>Yes, across the stack</td><td>Mainly at the wallet layer</td></tr>
-        <tr><td>Carries W3C Verifiable Credentials</td><td>Natively (plus SD-JWT, mdoc)</td><td>Excluded from the high-assurance profile</td></tr>
+        <tr><td>Freedom to choose credential format</td><td>W3C VCs, SD-JWT, and mdoc — no lock-in</td><td>Locked to SD-JWT / mdoc (no W3C VCs)</td></tr>
         <tr><td>Resists vendor lock-in lifecycle-wide</td><td>Yes — by design</td><td>Not its scope</td></tr>
       </tbody>
     </table>

From b0edfc96081f675209205c96f2b5b089d6d66b28 Mon Sep 17 00:00:00 2001
From: Derek Scruggs <djscruggs@digitalbazaar.com>
Date: Tue, 9 Jun 2026 16:43:51 -0500
Subject: [PATCH 5/5] Broaden the Why VCALM format list to match the home page.

The home page lists the full set of formats and protocols VCALM
supports, but the Why VCALM format section listed only W3C VCs, SD-JWT,
and mdoc. Align it so the two pages agree.

- Body now names W3C VCs, SD-JWT, ISO mdoc, and mDL as formats, and
  OID4VCI, OID4VP, HAIP, and DIDComm as protocols (kept distinct so the
  formats-vs-protocols claim stays accurate).
- At-a-glance row reads "W3C VCs, SD-JWT, mdoc, mDL, and more".

The "Does VCALM support W3C Verifiable Credentials?" FAQ stays focused on
that specific question.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
---
 src/why-vcalm.njk | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/src/why-vcalm.njk b/src/why-vcalm.njk
index ca061b8..bf224ab 100644
--- a/src/why-vcalm.njk
+++ b/src/why-vcalm.njk
@@ -129,9 +129,10 @@ structuredData:
     <h2>No format lock-in — bring any credential format</h2>
     <p>
       <strong>With VCALM:</strong> you're not forced to bet on one credential
-      format. It carries W3C Verifiable Credentials, SD-JWT, and ISO mdoc — so
-      you can issue the format each relying party needs, mix them, and change
-      your mind later without re-architecting.
+      format. It carries variations of W3C Verifiable Credentials, SD-JWT, ISO
+      mdoc, and mDL — and speaks protocols like OID4VCI, OID4VP, HAIP, and
+      DIDComm — so you can issue the format each relying party needs, mix them,
+      and change your mind later without re-architecting.
     </p>
     <p>
       OID4's high-assurance profile is scoped to SD-JWT and ISO mdoc and excludes
@@ -151,7 +152,7 @@ structuredData:
         <tr><td>Run OID4VCI / OID4VP</td><td>Yes — carried over VCALM</td><td>Yes (that's all it is)</td></tr>
         <tr><td>User picks their wallet</td><td>Yes, by default</td><td>Can be restricted by allow-lists (HAIP)</td></tr>
         <tr><td>Switch providers without re-integrating</td><td>Yes, across the stack</td><td>Mainly at the wallet layer</td></tr>
-        <tr><td>Freedom to choose credential format</td><td>W3C VCs, SD-JWT, and mdoc — no lock-in</td><td>Locked to SD-JWT / mdoc (no W3C VCs)</td></tr>
+        <tr><td>Freedom to choose credential format</td><td>W3C VCs, SD-JWT, mdoc, mDL, and more — no lock-in</td><td>Locked to SD-JWT / mdoc (no W3C VCs)</td></tr>
         <tr><td>Resists vendor lock-in lifecycle-wide</td><td>Yes — by design</td><td>Not its scope</td></tr>
       </tbody>
     </table>