Hypothesis review comments + home and Why VCALM copy edits

.github/workflows/preview.yml

@@ -10,8 +10,11 @@ name: Deploy PR preview to Cloudflare Pages
 #   2. Add repository secrets:
 #        CLOUDFLARE_API_TOKEN   - token scoped to "Cloudflare Pages: Edit".
 #        CLOUDFLARE_ACCOUNT_ID  - your Cloudflare account id.
-# Until both secrets exist the deploy step is skipped, so merging this file
-# changes nothing.
+#   3. (Optional) Add repository variable HYPOTHESIS_GROUP - the Hypothesis
+#        private group id. When set, PR previews load Hypothesis inline review
+#        comments scoped to that group; production (GitHub Pages) never does.
+# Until the Cloudflare secrets exist the deploy step is skipped, so merging this
+# file changes nothing.
 
 on:
   pull_request:
@@ -46,6 +49,13 @@ jobs:
           # Each PR preview is served from its own *.pages.dev root, so
           # absolute URLs resolve correctly. SITE_URL is left at its default.
           SITE_URL: ${{ vars.PREVIEW_SITE_URL || 'https://learnvcorg.pages.dev' }}
+          # Inline review comments (Hypothesis) on previews only — never on
+          # production (GitHub Pages). Enabled only when the HYPOTHESIS_GROUP
+          # repo variable is set, so previews stay clean until the DB private
+          # group id is configured; an unset var means comments stay off rather
+          # than defaulting to public annotations.
+          HYPOTHESIS_COMMENTS: ${{ vars.HYPOTHESIS_GROUP != '' && '1' || '0' }}
+          HYPOTHESIS_GROUP: ${{ vars.HYPOTHESIS_GROUP }}
 
       - name: Check for Cloudflare credentials
         id: creds

README.md

@@ -51,8 +51,35 @@ To add a page to discovery: just create it. To exclude one, set
 
 The home page, sitemap, and `llms.txt` pick it up automatically.
 
+## Inline review comments (Hypothesis)
+
+The site can load [Hypothesis](https://web.hypothes.is) for inline,
+text-anchored review comments. It is **off by default** so production ships no
+third-party script. Enable it only on a review build:
+
+```bash
+HYPOTHESIS_COMMENTS=1 HYPOTHESIS_GROUP=<group-id> npm run build
+```
+
+- `HYPOTHESIS_COMMENTS=1` injects the Hypothesis embed.
+- `HYPOTHESIS_GROUP` scopes the client to a Hypothesis **private group** so only
+  logged-in group members see and post comments; the public sees nothing. Omit
+  it to use public Hypothesis annotations (not recommended for review).
+
+Reviewers join the private group, log in to Hypothesis, highlight text, and
+comment.
+
+**Where it's enabled:** PR previews on Cloudflare Pages only. Set the
+`HYPOTHESIS_GROUP` repository variable to your private group id; the preview
+workflow then builds each PR preview with comments on, scoped to that group.
+Production (GitHub Pages) never loads Hypothesis. Comments stay off until the
+variable is set. To also hide the Hypothesis UI from the public, keep the
+enabled build behind an access gate (e.g. Cloudflare Access) rather than the
+public site.
+
 ## Deployment
 
 Pushes to `main` deploy to GitHub Pages via
 [`.github/workflows/deploy.yml`](./.github/workflows/deploy.yml). Set the
 `SITE_URL` repo variable for a custom domain (e.g. `https://learnvc.org`).
+Production builds leave Hypothesis comments off (see above).

src/_data/site.js

@@ -10,20 +10,33 @@ export default {
   tagline: 'Issue and verify W3C Verifiable Credentials — without vendor lock-in.',
   description:
     'A guide to issuing and verifying W3C Verifiable ' +
-    'Credentials with VCALM (the VC API). Pick a vertical, see how it ' +
-    'works, ship.',
+    'Credentials with the Verifiable Credential API for Lifecycle Management (VCALM). Pick a vertical, learn how it ' +
+    'works, ship it.',
   company: {
     name: 'Digital Bazaar, Inc.',
     url: 'https://digitalbazaar.com',
     blurb:
-      'Digital Bazaar builds open, standards-based infrastructure for ' +
-      'Verifiable Credentials and decentralized identity.'
+      'Digital Bazaar builds open, standards-based, production-grade digital ' +
+      'credential infrastructure for some of the largest organizations and ' +
+      'governments in the world.'
+  },
+  // Inline review comments via Hypothesis (https://web.hypothes.is).
+  // Off by default so production carries no third-party script. Enable on a
+  // review deployment with HYPOTHESIS_COMMENTS=1. Set HYPOTHESIS_GROUP to a
+  // Hypothesis private group id to scope the client to the DB review group;
+  // logged-in members of that group see/post comments, the public does not.
+  comments: {
+    // Require both the flag and a private group id, so comments never load in
+    // public (groupless) mode by accident.
+    enabled:
+      process.env.HYPOTHESIS_COMMENTS === '1' && !!process.env.HYPOTHESIS_GROUP,
+    group: process.env.HYPOTHESIS_GROUP || ''
   },
   // Top-level nav. Verticals are appended automatically from the collection.
   nav: [
     {text: 'Home', url: '/'},
-    {text: 'What is VCALM', url: '/what-is-vcalm/'},
-    {text: 'Why VCALM', url: '/why-vcalm/'},
+    {text: 'What is VCALM?', url: '/what-is-vcalm/'},
+    // {text: 'Why VCALM', url: '/why-vcalm/'},
     {text: 'About', url: '/company/about/'},
     {text: 'Contact', url: '/company/contact/'}
   ]

src/_includes/layouts/base.njk

@@ -59,5 +59,18 @@
     {{ content | safe }}
   </main>
   {% include "partials/footer.njk" %}
+
+  {# Inline review comments (Hypothesis). Loads only when explicitly enabled
+     (HYPOTHESIS_COMMENTS=1) so production ships no third-party script. When a
+     private group id is configured, the client is scoped to it: logged-in DB
+     group members see and post comments; the public does not. #}
+  {% if site.comments.enabled %}
+  {% if site.comments.group %}
+  <script type="application/json" class="js-hypothesis-config">
+  {"openSidebar": false, "focus": {"group": "{{ site.comments.group }}"}}
+  </script>
+  {% endif %}
+  <script src="https://hypothes.is/embed.js" async></script>
+  {% endif %}
 </body>
 </html>

src/_includes/partials/footer.njk

@@ -12,16 +12,17 @@
     <nav class="footer-col" aria-label="Learn">
       <h2>Learn</h2>
       <ul>
-        <li><a href="/what-is-vcalm/">What is VCALM</a></li>
-        <li><a href="/why-vcalm/">Why VCALM</a></li>
+        <li><a href="/what-is-vcalm/">What is VCALM?</a></li>
+        <!--<li><a href="/why-vcalm/">Why VCALM</a></li>-->
         <li><a href="https://www.w3.org/TR/vcalm/">VCALM spec</a></li>
+        <li><a href="https://www.w3.org/TR/vc-overview/">Verifiable Credentials</a></li>
+        <li><a href="https://www.w3.org/TR/did-1.1/">Decentralized Identifiers</a></li>
       </ul>
     </nav>
 
     <nav class="footer-col" aria-label="About">
       <h2>About</h2>
       <ul>
-        <li><a href="/company/about/">About</a></li>
         <li><a href="/company/contact/">Contact</a></li>
         <li><a href="{{ site.company.url }}">{{ site.company.name }}</a></li>
       </ul>
@@ -33,7 +34,7 @@
     <p>
       &copy; {{ year }}
       <a href="{{ site.company.url }}">{{ site.company.name }}</a>.
-      Built on <a href="https://www.w3.org/TR/vcalm/">VCALM</a> and
+      Built on <a href="https://www.w3.org/TR/vcalm/">W3C VCALM</a> and
       <a href="https://www.w3.org/TR/vc-data-model-2.0/">W3C Verifiable Credentials</a>.
     </p>
     <p class="footer-meta"><a href="/llms.txt">llms.txt</a> · <a href="/sitemap.xml">sitemap</a></p>

src/index.njk

@@ -6,10 +6,10 @@ title: false
   <p class="kicker">An open standard · W3C Verifiable Credentials &amp; VCALM</p>
   <h1>{{ site.tagline }}</h1>
   <p class="promise">{{ site.description }}</p>
-  <p class="cta">
+  <!--<p class="cta">
     <a class="btn primary" href="/why-vcalm/">Why VCALM</a>
     <a class="btn" href="/education/">See an example</a>
-  </p>
+  </p>-->
 </section>
 
 <section class="verticals">
@@ -32,8 +32,14 @@ title: false
 <section class="why">
   <h2>Why VCALM?</h2>
   <p>
-    You pick a VCALM provider and can swap it. You aren't locked to one wallet
-    vendor or one stack. The standard is open; your software stays yours.
+    The Verifiable Credential API for Lifecycle Management (VCALM) solves the
+    vendor lock-in problem in digital credential ecosystems. A global
+    standards-track solution at the W3C, it is the only digital credential
+    lifecycle management solution that ensures you don't get locked into one
+    vendor or digital credential software stack. It also doesn't force you to
+    choose things you don't want; it supports variations of W3C VCs, mDL, mDoc,
+    SD-JWT, OID4VCI, OID4VP, HAIP, DIDComm, and many other digital credential
+    formats and protocols.
   </p>
   <p><a href="{{ site.company.url }}">About {{ site.company.name }} →</a></p>
 </section>

src/verticals/education/index.njk

@@ -1,10 +1,10 @@
 ---
 title: "Issue and verify Diplomas, Certificates and other credentials with VCALM"
-shortName: "Education"
-cardTitle: "Academic Credentials"
+shortName: "Diplomas"
+cardTitle: "Diplomas & academic credentials"
 summary: "Issue diplomas, transcripts, and enrollment proofs any wallet can hold and any institution can verify."
 description: "Issue and verify diplomas, transcripts, and enrollment proofs with W3C Verifiable Credentials over VCALM — no central identity provider."
-order: 1
+order: 2
 chooserIcon: educationIssue
 permalink: /education/
 ---

src/verticals/student-id/index.njk

@@ -4,7 +4,7 @@ shortName: "Student IDs"
 cardTitle: "Student IDs & campus credentials"
 summary: "Issue student IDs students control — verifiable across campus and beyond, with any wallet."
 description: "Issue digital student IDs with W3C Verifiable Credentials over VCALM — student-controlled, any wallet, no allow-lists, privacy by design. Prove enrollment without revealing identity."
-order: 3
+order: 1
 chooserIcon: studentIdIssue
 permalink: /student-id/
 ---

src/verticals/supply-chain/supply-chain.json

@@ -1,4 +1,6 @@
 {
   "layout": "layouts/base.njk",
-  "tags": "supply-chain"
+  "tags": "supply-chain",
+  "_comment": "Hidden from the home chooser, nav, footer, sitemap and llms.txt for now per review (2026-06-09). The page still builds at /supply-chain/. Remove eleventyExcludeFromCollections to relist it.",
+  "eleventyExcludeFromCollections": true
 }

src/why-vcalm.njk

@@ -126,16 +126,18 @@ structuredData:
   </section>
 
   <section>
-    <h2>Native W3C Verifiable Credentials — and the rest</h2>
+    <h2>No format lock-in — bring any credential format</h2>
     <p>
-      <strong>With VCALM:</strong> standards-compliant W3C Verifiable Credentials
-      travel natively, and VCALM can carry other formats and protocols too — so
-      you're never forced to choose sides on format.
+      <strong>With VCALM:</strong> you're not forced to bet on one credential
+      format. It carries variations of W3C Verifiable Credentials, SD-JWT, ISO
+      mdoc, and mDL — and speaks protocols like OID4VCI, OID4VP, HAIP, and
+      DIDComm — so you can issue the format each relying party needs, mix them,
+      and change your mind later without re-architecting.
     </p>
     <p>
-      OID4's high-assurance profile is scoped to SD-JWT and ISO mdoc and does not
-      include W3C Verifiable Credentials. If you've standardized on W3C VCs,
-      that's a wall in OID4 alone — and an open door in VCALM.
+      OID4's high-assurance profile is scoped to SD-JWT and ISO mdoc and excludes
+      W3C Verifiable Credentials. Pick that path and your format choice is made
+      for you. VCALM keeps the choice open — including the W3C VCs OID4 leaves out.
     </p>
   </section>
 
@@ -150,7 +152,7 @@ structuredData:
         <tr><td>Run OID4VCI / OID4VP</td><td>Yes — carried over VCALM</td><td>Yes (that's all it is)</td></tr>
         <tr><td>User picks their wallet</td><td>Yes, by default</td><td>Can be restricted by allow-lists (HAIP)</td></tr>
         <tr><td>Switch providers without re-integrating</td><td>Yes, across the stack</td><td>Mainly at the wallet layer</td></tr>
-        <tr><td>Carries W3C Verifiable Credentials</td><td>Natively (plus SD-JWT, mdoc)</td><td>Excluded from the high-assurance profile</td></tr>
+        <tr><td>Freedom to choose credential format</td><td>W3C VCs, SD-JWT, mdoc, mDL, and more — no lock-in</td><td>Locked to SD-JWT / mdoc (no W3C VCs)</td></tr>
         <tr><td>Resists vendor lock-in lifecycle-wide</td><td>Yes — by design</td><td>Not its scope</td></tr>
       </tbody>
     </table>