Building in Public — DPP Render Redesign and the Hallucination Gate
A lot of this sprint was invisible to end users but will matter to everyone who's looked at a credential render and thought "this is a lot to scan." Today's post covers a full redesign of how Digital Product Passports display, two AI misbehavior problems (and how we fixed them), and one deliberate decision to leave something that looks like a bug alone.
The Credential Render, Rebuilt
The old DPP render scattered key product metadata — GTIN, manufacturer, facility, country, granularity, product category — across separate sections. Useful information, but you had to hunt for it.
The new layout consolidates all of that into a single scannable details bar at the top. The rest of the credential flows underneath it. First impression goes from "wall of structured data" to "here's what this product is, here's what was claimed about it."
Two more changes to the reading flow:
Further Information was previously a two-column table. It's now inline hyperlinks, and it's been repositioned between the Description and Conformity Claims sections. That's a better reading order — context first, then structured attestations, then supporting links. The table format was technically complete but read like a database dump.
Conformity Claims cards got a full redesign. Previously the card title was whatever string was in the schema. Now the evidence link name is the title, the description is the body text, and there's a labeled "Evidence" link at the bottom. That link does something small but meaningful: it distinguishes between a regular document (a PDF, a test report) and an actual Digital Conformity Credential — a machine-verifiable credential issued by a conformity assessment body.
When the evidence is a DCC, the card gets an orange pill badge that says "DCC." It's a small visual signal, but it communicates something important: this evidence isn't just a PDF someone attached — it's cryptographically verifiable. That's the whole point of the UNTP ecosystem, and the render should make it legible at a glance.
The Hallucination Problem
Here's the more interesting part of this sprint.
The AI credential agent was hallucinating. Not wrong answers to factual questions — it was inventing entire credential sections with plausible-looking, completely fabricated data. Emissions scorecards. Circularity scorecards. Traceability information blocks. All structurally valid UNTP JSON. All invented.
This is a known failure mode with LLMs working against complex schemas: when the model sees a field structure it recognizes, it fills it in. Confidently. It doesn't know the difference between "I was asked to populate this" and "this looks like a thing I should populate."
For a credential platform, that's not a minor UX issue. A Digital Product Passport with fabricated emissions data is worse than no passport at all — it's a liability.
The fix is a server-side hard gate. These complex sections (emissions scorecard, circularity scorecard, traceability information) are now stripped from the credential draft unless they were already present when the AI received it. The rule is simple: the AI can populate a section a human started, but it cannot create one from scratch. If the human hasn't opened the door, the AI doesn't walk through it.
This pattern — human-initiated, AI-assisted — is the right default for any data with regulatory or legal weight. The agent is genuinely useful for filling out what a practitioner has started. It's not a substitute for the practitioner making the decision to include a section at all.
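One way to implement the gate described above, as an added example rather than the platform's own code. The section key names, their location under credentialSubject, and the rule that any non-null value counts as human-started are assumptions; the sample drafts are constructed.

```javascript
// Added example, not the platform's code. Key names and the
// credentialSubject location are assumptions about the draft shape.
const GATED_SECTIONS = [
  "emissionsScorecard",
  "circularityScorecard",
  "traceabilityInformation",
];

// Assumed policy: a section is human-started when the key exists in the
// pre-AI draft with any non-null value, even an empty object or array.
function humanStarted(subject, key) {
  return Object.prototype.hasOwnProperty.call(subject, key) && subject[key] != null;
}

// Compare the draft sent to the AI with the draft it returned. Returns a
// cleaned copy plus the names of removed sections for audit logging.
function gateAiDraft(beforeAi, afterAi) {
  const before = (beforeAi && beforeAi.credentialSubject) || {};
  const draft = JSON.parse(JSON.stringify(afterAi)); // drafts are plain JSON
  const subject = draft.credentialSubject || {};
  const stripped = [];
  for (const key of GATED_SECTIONS) {
    if (key in subject && !humanStarted(before, key)) {
      delete subject[key];
      stripped.push(key);
    }
  }
  return { draft, stripped };
}

// Constructed sample: the human opened circularityScorecard only.
const humanDraft = {
  credentialSubject: { product: { name: "Sample widget" }, circularityScorecard: {} },
};
// Constructed AI response: fills the opened section and invents two more.
const aiDraft = {
  credentialSubject: {
    product: { name: "Sample widget", description: "Filled in by the agent" },
    circularityScorecard: { recycledContent: 0.3 },
    emissionsScorecard: { carbonFootprint: 1.2 },
    traceabilityInformation: [{ valueChainProcess: "Spinning" }],
  },
};

const gateResult = gateAiDraft(humanDraft, aiDraft);
console.log("stripped by gate:", gateResult.stripped);
```

The gate runs on the server after every AI response, so it holds regardless of what the prompt says.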
The DCC Linktype Problem
A second, subtler issue: the AI was labeling all conformity evidence as DCC type, even when the evidence was a plain PDF.
Tracing it back: the UNTP schema examples use a DCC URL as the sample value for the linkType field. The LLM, being a pattern-matching machine, copies examples. If the example shows a DCC URL, the model treats that as the correct value.
We fixed this in two layers. First, the n8n prompt was updated with explicit rules about when linkType can be set to DCC — the AI now has a clear constraint, not just an example to imitate. Second, server-side normalization strips non-DCC linkType values as a safety net, so prompt drift or a future model change can't reintroduce the bug without the server catching it.
Having two layers matters here. Prompt-only fixes are fragile — prompts change, models update, and the constraint can silently disappear. Server-side normalization is the backstop that makes the constraint durable.
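A sketch of the server-side layer, added here as an example and not taken from the platform's code. The `evidence` object shape, the `DCC_LINK_TYPE` placeholder, and the idea that the server keeps a set of evidence URLs it has itself confirmed to be credentials are all assumptions; the sample claims are constructed.

```javascript
// Added example, not the platform's code.
// Placeholder: the real DCC linkType value comes from the UNTP schema.
const DCC_LINK_TYPE = "https://example.org/placeholder/dcc-link-type";

// verifiedDccUrls (assumed): URLs the server has confirmed resolve to a
// Digital Conformity Credential. How that is confirmed is out of scope here.
function normalizeEvidenceLinkTypes(claims, verifiedDccUrls) {
  const changes = [];
  const normalized = claims.map((claim, index) => {
    const evidence = claim.evidence;
    if (!evidence || evidence.linkType === undefined) return claim;
    const claimsDcc = evidence.linkType === DCC_LINK_TYPE;
    if (claimsDcc && verifiedDccUrls.has(evidence.linkURL)) return claim;
    // Non-DCC value or unverified DCC label: drop the field so the render
    // shows a plain document link with no badge.
    const { linkType, ...rest } = evidence;
    changes.push({
      index,
      removed: linkType,
      reason: claimsDcc ? "unverified-dcc" : "non-dcc-value",
    });
    return { ...claim, evidence: rest };
  });
  return { claims: normalized, changes };
}

// Constructed sample: one real DCC, one PDF the model labeled as DCC,
// and one PDF carrying an arbitrary linkType string.
const sampleClaims = [
  { evidence: { linkName: "Lab credential", linkURL: "https://example.com/dcc/1",
                linkType: DCC_LINK_TYPE } },
  { evidence: { linkName: "Test report", linkURL: "https://example.com/report.pdf",
                linkType: DCC_LINK_TYPE } },
  { evidence: { linkName: "Datasheet", linkURL: "https://example.com/sheet.pdf",
                linkType: "document" } },
];
const verified = new Set(["https://example.com/dcc/1"]);

const linkResult = normalizeEvidenceLinkTypes(sampleClaims, verified);
console.log(linkResult.changes);
```

Logging `changes` also gives an early signal of prompt drift: a rising count of `unverified-dcc` removals means the model has started copying the schema example again.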
Keeping Two Templates in Sync
One operational note worth documenting: the DPP render exists in two places. The API uses it to render signed credentials for public consumption. The web editor uses it for the live preview while drafting. Both need to stay in sync, and they don't automatically.
This sprint kept both updated in parallel through every template change. It sounds obvious, but in practice the preview render is the one you see constantly during development, and the API render is easy to forget. Credential render bugs that only surface in production — after signing — are painful to debug and undermine trust fast.
If you're building dual-template architecture for anything with a preview/publish distinction, build the habit of treating them as a single surface, not two.
The Decision to Leave Duplication Alone
One thing we deliberately did not fix: a Certificate of Analysis can appear in both Conformity Claims and Further Information at the same time. That looks like a bug. It isn't.
Conformity Claims is structured attestation — a verifiable claim with evidence, linked to a specific assertion about the product. Further Information is quick-access — a direct link someone might want to pull up fast without reading through the credential structure.
The duplication mirrors how real product documentation works. A CoA lives in the filing system and gets referenced in the technical spec. Two purposes, same document. Forcing mutual exclusivity would be technically tidier but less accurate to how practitioners actually use these credentials.
Sometimes the right call is to leave the duplication and document why.
What's next: Selective disclosure UI is in scope for April. Broader AI agent coverage beyond DPP and DFR is on the roadmap. If you're evaluating UNTP credential tooling or starting a pilot, dppkit.io/pricing has where things stand.