Every check. Every weight. Every regex.

Why scoring like this

Most "free SEO audits" check whether you have a title tag and a meta description. A clean Squarespace site passes those checks and scores 89/B. The customer thinks "I'm fine" and clicks away.

That's backwards. The customer's actual problem is not "your meta tags are missing." It's "you're invisible to people searching for what you offer in your city." So this audit measures the things customers actually pay to fix.

The 5 categories

Category	Weight	What it measures
Discoverability	40	Sitemap surface area, blog presence, freshness, indexability
Conversion Readiness	20	Phone above the fold, CTAs, reviews displayed, trust signals
Local Presence	15	LocalBusiness schema, NAP in footer, GBP link, hours visible
Authority & Content	10	Page count, internal linking, h2 hierarchy, content depth
Technical Hygiene	15	Title, meta, schema, OG tags, performance, accessibility
Total	100	—

Each category has its own 0-100 sub-score. The final score is the weighted sum. A perfect site scores 100. Sites in the wild typically land between 30 (a totally invisible single-page site) and 95 (a well-tuned local business with complete schema, NAP, blog, and active reviews).

Discoverability (40 weight)

This is the dominant axis because it answers the question that matters most: "are customers finding you at all?"

Check	Penalty	Verify yourself
No sitemap.xml at /sitemap.xml	35	curl -I yoursite.com/sitemap.xml
Sitemap has < 5 URLs	30	curl -s yoursite.com/sitemap.xml | grep -c '<url>'
Sitemap has < 15 URLs	18	Same command
Sitemap has < 30 URLs	8	Same command
No blog or content hub link	25	grep -i 'href="/\(blog\|articles\|news\)"' index.html
No recent year (2024/2025/2026) in body text	12	curl -s yoursite.com | grep -c '\b202[4-6]\b'
Generic page title (Home/Welcome/Index)	25	curl -s yoursite.com | grep -oE '<title>[^<]+'
No GSC verification meta tag (info only)	5	grep 'google-site-verification' index.html

Conversion Readiness (20 weight)

Once a customer lands on your page, will they actually call or book? This is where 80% of small-business sites lose deals — and where almost no audit ever looks.

Check	Penalty	Verify yourself
No tel: link anywhere	35	grep 'href="tel:' index.html
Phone number not in first 8KB of HTML (above fold)	18	head -c 8000 index.html | grep tel:
Zero CTA buttons or button-class links	25	grep -ciE 'button|btn|cta' index.html
Fewer than 3 CTAs total	12	Same command
No reviews/testimonials/AggregateRating	25	grep -iE 'review|testimonial|AggregateRating|⭐' index.html
No trust signals (Featured in / Awards / Since YYYY)	12	grep -iE 'featured in|awarded|since 2[0-9]{3}' index.html
No /contact/ page link or mailto:	15	grep -iE 'href="/contact|mailto:' index.html
No <form> on page (when no contact link either)	10	grep '<form' index.html

Local Presence (15 weight)

For local service businesses, the local pack is where the money is. National SEO advice doesn't apply.

Check	Penalty	Verify yourself
No LocalBusiness JSON-LD schema (any of 100+ valid types)	30	grep -E '"@type".*LocalBusiness' index.html
Phone missing from <footer>	12	Inspect <footer> for tel: link
Address (street OR City+ST) missing from footer	15	Look for "Santa Fe, NM" or "123 Main St" pattern
No Google Maps or GBP link	10	grep -E 'google.com/maps|maps.app.goo' index.html
No US state mentioned in body content	10	Body text scan for state abbreviations
No operating hours visible (info)	6	Scan for day-of-week + time pattern

Authority & Content (10 weight)

Do you have the content depth and internal linking to outrank?

Check	Penalty	Verify yourself
Body word count under 200	25	Strip HTML, count words
Body word count under 400	12	Same
Body word count under 700	5	Same
No <h2> subheadings	8	grep -c '<h2' index.html
Fewer than 3 internal links	12	Count href="/..." links
Fewer than 8 internal links	5	Same
Skipped heading levels (h2 → h4 with no h3)	3	DOM scan

Technical Hygiene (15 weight)

The classic "is this site competently built" stuff. Important, but not the whole story. Includes 50+ sub-checks across:

• Title + meta description — present, unique, length 30-65 chars (title) and 80-170 chars (description)
• H1 — exactly one
• HTTPS, viewport, canonical, robots — basic indexability flags
• Schema markup — JSON-LD blocks present, BreadcrumbList, FAQPage, WebSite, image
• Open Graph + Twitter Card — title, description, image, URL
• Performance — TTFB under 1.5s, page weight under 200KB, gzip/brotli, cache headers, render-blocking script count
• Image optimization — width/height attributes (CLS), lazy loading, alt text coverage
• Accessibility — <main> / <nav> / <footer> landmarks, skip-to-content link, form input labels, button text, alt text, favicon

How the score is computed

Each category accumulates penalties from its checks. The category sub-score is max(0, 100 - penalty). The final score is the weighted sum:

final_score = round(
  (discoverability_subscore  * 40 +
   conversion_subscore       * 20 +
   localPresence_subscore    * 15 +
   authority_subscore        * 10 +
   technical_subscore        * 15) / 100
)

Grades follow a standard curve:

• A: 90-100 — strong fundamentals across the board
• B: 75-89 — good but with room to grow in 1-2 categories
• C: 60-74 — clear gaps that are costing you visibility or conversions
• D: 40-59 — multiple critical issues, business is leaking money
• F: 0-39 — site is functionally invisible or broken for the business it serves

What's measured live vs what's proxied

This is the most important section on the page. Every check the audit performs falls into one of three categories:

Status	What it means	Data source
LIVE	Pulled from a real API on every audit run	HTTP scrape, GSC API (when verified), Supabase queries
PROXY	Inferred from on-page signals as a stand-in for the real data	HTML regex, sitemap parsing, JSON-LD inspection
NOT MEASURED	Acknowledged gap. Either v3 roadmap or out of scope.	—

Discoverability (40 weight)

• Sitemap URL count — LIVE — direct fetch of /sitemap.xml, parses <url> entries
• Sitemap submitted to GSC — LIVE — GSC Sitemaps API for verified properties
• Indexed page count — LIVE for verified properties via scripts/gsc-submit.mjs writing to state/gsc-index-status.json daily. PROXY for unverified sites (sitemap URL count as a stand-in).
• Keyword rankings — LIVE for verified properties via scripts/gsc-rank-tracker-lite.mjs against the GSC Search Analytics API. NOT MEASURED for unverified sites — the dashboard explicitly shows position: null with a "no GSC data — pending verification" note rather than fake numbers.
• Blog/content hub presence — PROXY — looks for /blog/, /articles/, /case-studies/, etc. in href attributes
• Content freshness (recent year in body) — PROXY — regex for current year + last year
• Generic page title check — LIVE — direct title tag inspection

Conversion Readiness (20 weight)

• Phone above the fold — LIVE — checks first 8KB of HTML body for tel: link or phone pattern
• CTA buttons present — LIVE — counts <button> + class*="cta|btn|button" patterns
• Reviews/testimonials displayed — PROXY — scans for review-related text + AggregateRating schema. Does NOT verify the review count is honest.
• Trust signals — PROXY — regex for "featured in", "since YYYY", "trusted by", "awarded", etc. The audit doesn't verify any claim is true.
• Contact path + form — LIVE — looks for /contact/, mailto:, <form>

Local Presence (15 weight)

• LocalBusiness JSON-LD schema — LIVE — parses every <script type="application/ld+json"> block, handles array @type, recognizes 100+ Schema.org types
• NAP in footer — LIVE — extracts <footer> text, regex for phone + (street address OR City, ST locality)
• Google Maps / GBP link — LIVE — looks for google.com/maps, business.google.com, or maps.app.goo URLs
• GBP claim verification — NOT MEASURED — would require the GBP API. v3 candidate.
• GBP review count — NOT MEASURED — same. Currently we just check that reviews are displayed somewhere.

Authority & Content (10 weight)

• Word count — LIVE — strips HTML, counts visible text words
• Internal link count — LIVE — regex on href attributes
• Heading hierarchy — LIVE — h1-h6 sequence check for skips
• Backlink count + domain rating — NOT MEASURED — requires paid API. v3 candidate (Ahrefs, Moz, or DataForSEO).

Technical Hygiene (15 weight)

• Title, meta description, H1, viewport, canonical, robots, hreflang, sitemap.xml + robots.txt presence — LIVE — all direct HTML/HTTP scrapes
• Schema markup presence — LIVE — counts JSON-LD blocks, recognizes BreadcrumbList/FAQPage/WebSite/Organization/etc.
• Open Graph + Twitter Card — LIVE — meta tag presence
• TTFB / page weight / compression / cache headers — LIVE — measured during the fetch. Single request, desktop only, no HAR file.
• Image alt text coverage — LIVE — img tag scan, accepts alt="" + aria-hidden as valid decorative marker
• Accessibility landmarks (main, nav, footer, skip-to-content) — LIVE — direct DOM scan
• Real Lighthouse Core Web Vitals (LCP, FID, CLS) — NOT MEASURED — requires headless browser. v3 candidate.
• Mobile vs desktop split — NOT MEASURED — single User-Agent fetch only

What the audit is NOT

To be honest about limitations:

• Not a Lighthouse score. Performance checks are HTML-side proxies (TTFB, page weight, render-blocking script count, compression headers). Real Core Web Vitals require running a headless browser. The audit catches the structural problems Lighthouse would also catch — and is 100x faster.
• Not a backlink analysis. Backlink count and domain rating are not in the score because they require a paid third-party API (Ahrefs, Moz, DataForSEO). The Authority category currently focuses on on-page signals only.
• Not a content quality reviewer. Word count is measured but the audit cannot read your prose. A 1,200-word page of AI slop scores the same as a 1,200-word page of expert advice. Human review fixes this.
• Single-page only. The audit runs on the URL you give it (usually the homepage). It does not crawl your entire site. Multi-page audits are part of the engagement, not the free scan.

Bugs we have already fixed (because honesty matters)

Before going public, we caught and fixed several false positives in real-world testing. We're listing them here so you can trust the current scoring:

Bug 1 — LocalBusiness schema array form

The original LocalBusiness regex required a string-only @type, like "@type": "LocalBusiness". It missed the array form like "@type": ["LocalBusiness", "PhotographyBusiness"] which is valid Schema.org. Sites that used the array form (including addasonphoto.com) were falsely flagged for missing schema they actually had. Fixed: regex now handles both forms via two patterns OR'd together.

Bug 2 — Address regex too strict for service businesses

The original "address in footer" check required a street address (number + street name + suffix like "St" or "Ave"). Many service businesses (photographers, hypnotherapists, consultants) operate by appointment with no public street address. They'd be falsely flagged even when their footer clearly said "Santa Fe, NM" or "Austin, TX". Fixed: the check now accepts EITHER a street address OR a "City, ST" locality format as valid local-presence signaling.

Bug 3 — Missing types in the recognized list

The original LocalBusiness type list missed several common types — Photographer, PhotographyBusiness, ProfessionalService, Hypnotherapist. Sites using those specific types (which Google fully supports) were falsely flagged. Fixed: the recognized list now includes the full Schema.org LocalBusiness hierarchy — over 100 types.

Bug 4 — Duplicate LocalBusiness check across categories

The original audit had TWO separate LocalBusiness schema checks — one in Schema Markup, one in Local Presence — using two different regexes. They could disagree. Fixed: consolidated to a single hasLocalBusinessSchema variable computed once at the top of the audit, referenced in both places.

The source code

The audit script is scripts/generate-audit-report.mjs in the project repository. It is a single Node.js file with no external dependencies (zero node_modules required). Anyone can read every check, inspect every regex, and run it against any URL.

You can run it yourself:

node scripts/generate-audit-report.mjs \
  --url https://yoursite.com \
  --email you@yoursite.com \
  --business "Your Business Name" \
  --industry service \
  --json

The --json flag dumps the full audit object to stdout — every category, every issue, every penalty. No HTML report generation. Pipe it into jq for programmatic analysis.

Security — the lethal trifecta

Every LLM system that combines (a) access to private data, (b) exposure to untrusted content, and (c) ability to communicate externally is vulnerable to prompt injection by default. This is what security researcher Simon Willison calls the "lethal trifecta." Most AI SEO tools have all three legs. Addason Digital specifically engineered around it.

What is coming in v3

• Real SERP rankings via DataForSEO API — replaces "no GSC verification" proxy with actual indexed page count + impressions + clicks per keyword
• Google Business Profile API — replaces "no GBP link" proxy with actual claim verification + review count + photo count + post freshness
• Mobile vs desktop split scoring — Lighthouse-style separate sub-scores for mobile and desktop performance + UX
• Backlink count + domain rating — currently the Authority category has no off-site signal weight
• Multi-page crawling — audit your entire site, not just the homepage
• Per-finding evidence object — each check stores what was tested, what was expected, what was found, so the report shows full provenance per issue