@seasonkoh/webaz 0.1.15 → 0.1.16

package/LICENSE

@@ -16,7 +16,7 @@ Business Source License 1.1
   Change License:        MIT
   
   For information about alternative licensing arrangements for the
-  Licensed Work, please contact seasons.agents@gmail.com.
+  Licensed Work, please contact licensing@webaz.xyz.
 License text copyright © 2024 MariaDB plc, All Rights Reserved. “Business Source License” is a trademark of MariaDB plc.
 
 Terms

package/NOTICE

@@ -0,0 +1,58 @@
+WebAZ — Licensing Notice
+=========================
+
+Copyright (c) 2026 seasonsagents-art and WebAZ contributors
+
+
+Current License (since 2026-05-18)
+----------------------------------
+
+Business Source License 1.1 (BUSL-1.1).
+See LICENSE for full terms.
+
+  Licensor:              seasonsagents-art
+  Licensed Work:         WebAZ — Agent-native decentralized commerce protocol
+  Additional Use Grant:  You may make production use of the Licensed Work,
+                         provided that your use does not include offering the
+                         Licensed Work to third parties as a hosted or managed
+                         service that is substantially similar to, or competes
+                         with, the WebAZ commerce protocol service operated by
+                         the Licensor.
+  Change Date:           2030-05-18
+  Change License:        MIT
+
+On the Change Date the Licensed Work automatically converts to the
+Change License (MIT) for all purposes.
+
+
+Historical Licensing
+--------------------
+
+All versions and git commits published BEFORE 2026-05-18 were released under
+the MIT License. That grant is irrevocable. Copies, forks, and derivatives
+made from those earlier versions remain MIT-licensed in perpetuity.
+
+The license change applies only to commits and releases dated on or after
+2026-05-18.
+
+
+Third-Party Components
+----------------------
+
+This software incorporates third-party open-source libraries listed in
+package.json. Each is governed by its own license; see the respective
+package's LICENSE file for terms.
+
+
+Trademarks
+----------
+
+"WebAZ" and the WebAZ logo are trademarks of seasonsagents-art. The license
+does not grant any trademark rights.
+
+
+Questions
+---------
+
+For licensing questions, including commercial license inquiries that fall
+outside the Additional Use Grant above, contact: licensing@webaz.xyz

package/README.md

@@ -6,7 +6,12 @@
 
 [![npm](https://img.shields.io/npm/v/@seasonkoh/webaz.svg)](https://www.npmjs.com/package/@seasonkoh/webaz)
 [![MCP Registry](https://img.shields.io/badge/MCP%20Registry-active-blue)](https://registry.modelcontextprotocol.io/v0/servers?search=webaz)
-[![License: BUSL-1.1](https://img.shields.io/badge/License-BUSL--1.1-orange.svg)](LICENSE) [![Change Date: 2030-05-18](https://img.shields.io/badge/Change%20Date-2030--05--18-blue.svg)](NOTICE)
+[![License: BUSL-1.1](https://img.shields.io/badge/License-BUSL--1.1-orange.svg)](LICENSE) [![Change Date: 2030-05-18](https://img.shields.io/badge/Change%20Date-2030--05--18-blue.svg)](NOTICE) ![Status: Pre-launch](https://img.shields.io/badge/Status-Pre--launch-yellow.svg)
+
+> 🚧 **Pre-launch · 预发布阶段** — v1.0 公示中（起算 2026-05-31）· 0 真用户 · verifier + arbitrator 全为 fixture · 经济模型未结算 · 不建议生产使用。
+> 🚧 **Pre-launch stage** — v1.0 public-notice period (started 2026-05-31) · 0 real users · verifier + arbitrator are fixtures · economic model un-settled · **not for production use**.
+>
+> 详见 / Details: [`docs/CHARTER.md`](docs/CHARTER.md) · [`docs/META-RULES-FULL.md`](docs/META-RULES-FULL.md) · [`docs/ECONOMIC-MODEL.md`](docs/ECONOMIC-MODEL.md) · [`/api/protocol-status`](https://webaz.xyz/api/protocol-status)
 
 让 AI Agent 成为去中心化商业协议的原生参与者。卖家零额外工作量接入新渠道，买家通过 Agent 自动购物，人类与 AI 在同一协议上平等参与。
 
@@ -315,3 +320,21 @@ npm run test-manifest# 测试协议 Manifest
 - [ ] 评价系统（结构化 1-5 星，反哺声誉）
 - [ ] 证据上传通道（争议附图）
 - [ ] 治理 DAO
+
+---
+
+## 联系 / Contact
+
+| 用途 / Purpose | Email | 详情 / Details |
+|---|---|---|
+| 通用咨询 / General inquiries | `contact@webaz.xyz` | — |
+| 安全漏洞 / Security vulnerabilities | `security@webaz.xyz` | [SECURITY.md](SECURITY.md) — 强烈优先用 [GitHub Security Advisory](https://github.com/seasonsagents-art/webaz/security/advisories) / Strongly prefer Advisory |
+| 行为准则举报 / Code of Conduct reports | `conduct@webaz.xyz` | [docs/CODE_OF_CONDUCT.md](docs/CODE_OF_CONDUCT.md) §7 |
+| BSL 商业授权 / Commercial licensing | `licensing@webaz.xyz` | [LICENSE](LICENSE) / [NOTICE](NOTICE) |
+
+> 📬 上述均为 Cloudflare Email Routing forwarding alias;phase A solo 阶段统一转发到创始人个人邮箱,响应水平为**个人级**(非企业 SLA);phase B+ 形成 maintainer 群后会切到团队 triage(无需改文档)。
+> 📬 All addresses are Cloudflare Email Routing forwarding aliases; in phase A solo, they route to the founder's personal inbox with **personal-level response** (not enterprise SLA); phase B+ will switch to maintainer team triage (no doc change needed).
+
+**Bug 报告 / 功能想法 / RFC**:走 [GitHub Issues](https://github.com/seasonsagents-art/webaz/issues) 或 [Discussions](https://github.com/seasonsagents-art/webaz/discussions);PR 流程见 [CONTRIBUTING.md](CONTRIBUTING.md)。
+
+**Bug reports / feature ideas / RFCs**: please use [GitHub Issues](https://github.com/seasonsagents-art/webaz/issues) or [Discussions](https://github.com/seasonsagents-art/webaz/discussions); PR workflow per [CONTRIBUTING.md](CONTRIBUTING.md).

package/dist/layer1-agent/L1-1-mcp-server/server.js

@@ -27,7 +27,9 @@ import { requireAuth } from './auth.js';
 import { createHash, randomBytes } from 'node:crypto';
 const SERVER_VERSION = '0.1.8';
 const TELEMETRY_URL = process.env.WEBAZ_TELEMETRY_URL ?? 'https://webaz.xyz/api/mcp-telemetry';
-const TELEMETRY_ENABLED = (process.env.WEBAZ_TELEMETRY ?? 'on').toLowerCase() !== 'off';
+// 2026-06-01: phase A pre-launch 默认 OFF(opt-in)— W8 public launch 时翻回 default ON + 加 README 披露段
+// Phase A pre-launch: telemetry default OFF (opt-in). Flip to default ON at W8 launch + add README disclosure section.
+const TELEMETRY_ENABLED = (process.env.WEBAZ_TELEMETRY ?? 'off').toLowerCase() === 'on';
 // ─── 初始化 ──────────────────────────────────────────────────
 const db = initDatabase();
 initSystemUser(db);
@@ -537,6 +539,13 @@ Actions:
 Agents should poll this periodically to check for pending order events.
 Every status change (new order / ship / dispute / etc.) notifies relevant participants.
 
+⚠️ Scope: 此工具只查 L2-6 system notifications。不含 / Does NOT include:
+  - chat unread(私信)→ 用 webaz_chat action=list
+  - announcements unread(管理员公告)→ 暂无 MCP 工具(PWA #me/announcements)
+  - feedback replies unread(用户反馈回复)→ 暂无 MCP 工具
+PWA 顶部红点是 4 项合计;此工具仅返回第 1 项 → 数字可能 < PWA 显示。
+PWA top badge aggregates all 4; this returns only 1 → may be < PWA shows.
+
 ──
 中文：查通知 — agent 定期调用检查待处理事件（新订单/发货/争议等会通知所有相关方）。`,
         inputSchema: {
@@ -944,7 +953,14 @@ Returns the action result.`,
 
 USE THIS when user asks "what's popular/being bought near me / 我附近 / 同城" — geo-aggregated
 view, no specific keyword. NOT for "find product X" — use webaz_search. NOT for "items shippable
-to my address" — use webaz_search ship_to filter.`,
+to my address" — use webaz_search ship_to filter.
+
+⚠️ MCP query 需要先 set_location(否则返回 has_location: false 提示)。
+  PWA #nearby 有【全网 / 同城 / 周边 / 14 公里】 4 档 fallback,无 location 也能看全网视图 —
+  这是设计性差异(MCP agent 应明示要 location,PWA UI 友好降级)。
+⚠️ MCP query needs set_location first (else returns has_location: false).
+  PWA #nearby has 4-tier fallback (national/city/around/14km) showing global view without location —
+  by design (MCP demands location; PWA degrades gracefully).`,
         inputSchema: {
             type: 'object',
             properties: {

package/dist/pwa/public/app.js

@@ -104,7 +104,11 @@ async function persistApiKey(key) {
   await idbSet('webaz_key_set_at', Date.now())
   // 申请 persistent storage（iOS Safari / Chrome / Firefox 都支持）
   // iOS 仍可能拒（取决于使用频率/收藏状态），但申请总好过不申请
-  try { await navigator.storage?.persist?.() } catch {}
+  // 2026-06-01 fix(BUG-PWA-NEW): fire-and-forget,不 await
+  //   背景:permission prompt 在某些浏览器状态下 pending 不 resolve(自动化测试 / 部分 first-visit
+  //   场景),会卡死整个 doLogin 流程 → 后续 navigateIntended 永不执行 → 登录后 UI 不刷新
+  //   修复:不阻塞登录流程,允许 persist 在后台慢慢拿
+  try { navigator.storage?.persist?.()?.catch(() => {}) } catch {}
 }
 
 // 当前域是否拿到了 persistent storage（iOS 7-day eviction 免疫指示）
@@ -439,6 +443,25 @@ async function apiWithStatus(method, path, body) {
 async function bootAuth() {
   if (state.authBooted) return
   state.authBooted = true
+  // 2026-06-01 fix(BUG-PWA-NEW safety net): boot 后任意 await 卡住,2.5s 后兜底强制重渲
+  //   背景:首次访问可能有多个 await 路径(initShareCtx / /me / IDB recovery 等)隐性 hang;
+  //   此 net 不解决 root cause,只确保 UI 不永驻 "正在恢复登录" skeleton
+  // P1 (2026-06-01): 加 recency guard 防 race — 若 route 在最近 1s 内已 fire(说明合法
+  //   render 进行中,skeleton 是 in-flight fetch 的临时状态),跳过 safety net 防双 render
+  setTimeout(() => {
+    try {
+      const app = document.getElementById('app')
+      if (!app) return
+      if (!app.innerHTML.includes('正在恢复登录')) return
+      if (Date.now() - _lastRouteRanAt < 1000) {
+        console.info('[boot] skeleton 仍在但 route 刚 fire — 让合法 render 完成,跳过 safety net')
+        return
+      }
+      if (typeof window._routeForceRefresh !== 'function') return
+      console.warn('[boot] skeleton 仍在 + 无近期 route,强制 route refresh')
+      window._routeForceRefresh()
+    } catch {}
+  }, 2500)
 
   // Wave G-5 + audit P1-4: 启动时尽早拉 rate（anon 也拉），不阻塞登录恢复
   fetch('/api/wallet/rate').then(r => r.json()).then(r => {
@@ -452,8 +475,11 @@ async function bootAuth() {
   }).catch(() => {})
 
   // 桌面图标启动（standalone）+ Persistent Storage Permission（Chromium / 部分 Safari 支持）
+  // 2026-06-01 fix: fire-and-forget — 同 persistApiKey(L107),boot 路径也不阻塞
+  //   权限弹窗 pending 在某些场景(自动化/incognito/首次)会卡死整个 boot → 永驻"正在恢复登录"
+  //   不 await — 让 boot 立刻往下走,permission 后台慢慢拿
   if (navigator.storage?.persist) {
-    try { await navigator.storage.persist() } catch {}
+    try { navigator.storage.persist().catch(() => {}) } catch {}
   }
 
   // 若 state.apiKey 为空（首次同步读 localStorage 没拿到，可能被 iOS 清了），从 IDB 恢复
@@ -479,10 +505,12 @@ async function bootAuth() {
 // 转发流程曾出现 3 次连调），导致 async render 之间无 mutex → race condition。
 // 用 last-hash 比较即可：相同 hash 跳过 render，async 中间态不被覆盖。
 let _lastRouteHash = null
+let _lastRouteRanAt = 0  // 2026-06-01 P1: 给 safety net 用,防 hashchange+safety-net 双 render race
 function route(force) {
   const raw = location.hash.slice(1) || '/'
   if (!force && raw === _lastRouteHash) return  // 防重复
   _lastRouteHash = raw
+  _lastRouteRanAt = Date.now()  // P1: 标记 route 实际触发(early-return 后才记)
   // 剥离 query string：支持 #shares?product=xxx&source=order 模式
   const [pathPart, queryPart] = raw.split('?')
   state._urlQuery = queryPart ? Object.fromEntries(new URLSearchParams(queryPart)) : {}
@@ -5202,10 +5230,10 @@ function renderWelcome(app) {
         <div>© 2026 webaz</div>
         <div>${T('开放协议 · Agent 原生 · DAO 治理', 'Open Protocol · Agent-Native · DAO Governance')}</div>
         <div style="margin-top:10px">
-          <a href="#">${T('完整元规则', 'Full Meta-Rules')}</a>
-          <a href="#">GitHub</a>
+          <a href="https://github.com/seasonsagents-art/webaz/blob/main/docs/META-RULES-FULL.md" target="_blank" rel="noopener">${T('完整元规则', 'Full Meta-Rules')}</a>
+          <a href="https://github.com/seasonsagents-art/webaz" target="_blank" rel="noopener">GitHub</a>
           <a href="#">${T('协议白皮书', 'Whitepaper')}</a>
-          <a href="#">${T('联系', 'Contact')}</a>
+          <a href="mailto:contact@webaz.xyz">${T('联系', 'Contact')}</a>
         </div>
       </footer>
     </div>
@@ -10466,10 +10494,16 @@ async function maybeClaimPendingProductShare() {
 function navigateIntended(fallback) {
   const intended = sessionStorage.getItem('webaz_intended_hash')
   sessionStorage.removeItem('webaz_intended_hash')
-  if (intended && intended !== '#' && intended !== '') {
-    location.hash = intended
-  } else if (fallback) {
-    location.hash = fallback
+  const target = (intended && intended !== '#' && intended !== '') ? intended : fallback
+  if (!target) return
+  // 2026-06-01 fix(BUG-PWA-NEW): 防御 hashchange 不触发
+  //   如果 target hash 与 current hash 相同(e.g. user 被引到 #login 时 intended_hash 为空,
+  //   fallback 又恰好等于 current hash),location.hash 赋值不会 fire hashchange → route()
+  //   不执行 → UI 不刷新。改用 force refresh.
+  if (location.hash === target) {
+    if (typeof window._routeForceRefresh === 'function') window._routeForceRefresh()
+  } else {
+    location.hash = target
   }
 }
 
@@ -23384,7 +23418,10 @@ async function renderWallet(app) {
   app.innerHTML = shell(loading$(), 'wallet')
   const userRegion = state.user?.region || 'global'
   const [wallet, income, deposits, withdrawals, whitelistRes, trust, tokenomics, rateRes, regionPmRes] = await Promise.all([
-    GET('/wallet'),
+    // 2026-06-01 fix(BUG-PWA-WALLET): 加 catch 防 #wallet 加载死循环
+    //   原 GET('/wallet') 无 fallback,一旦该 endpoint 错(网络 / 401 / 后端 500),
+    //   整个 Promise.all reject,renderWallet 早退,"加载中..." 永驻
+    GET('/wallet').catch(() => ({ balance: 0, escrowed: 0, staked: 0, earned: 0, _error: true })),
     GET('/wallet/income').catch(() => null),
     GET('/wallet/deposits').catch(() => []),
     GET('/wallet/withdrawals').catch(() => []),
@@ -23394,6 +23431,19 @@ async function renderWallet(app) {
     GET('/wallet/rate').catch(() => null),
     GET('/payment-methods/for-region?region=' + encodeURIComponent(userRegion)).catch(() => ({ items: [] })),
   ])
+  // 2026-06-01 fix(BUG-PWA-WALLET self-review): 若 /wallet 加载失败,显式错误页(避免静默显示 0 余额误导)
+  if (wallet?._error) {
+    app.innerHTML = shell(`
+      <div class="card" style="margin:40px auto;max-width:420px;text-align:center;padding:32px">
+        <div style="font-size:32px;margin-bottom:12px">⚠️</div>
+        <h2 style="margin:0 0 8px;font-size:18px">${t('钱包数据加载失败')}</h2>
+        <p style="color:#6b7280;font-size:14px;margin:0 0 20px">${t('请检查网络后重试,或退出重新登录。当前显示的不是您的真实余额。')}</p>
+        <button class="btn btn-primary" onclick="renderWallet(document.getElementById('app'))">${t('重试')}</button>
+        <button class="btn btn-ghost" style="margin-left:8px" onclick="navigate('#me')">${t('返回')}</button>
+      </div>
+    `, 'wallet')
+    return
+  }
   // 多链/多渠道支付方法（admin 配置 · 当前默认仅 USDC-Base 实现）
   const regionMethods = regionPmRes?.items || []
   // 去重 method_id（同方法 deposit/withdraw 两条会合并显示）

package/dist/pwa/public/i18n.js

@@ -1662,6 +1662,8 @@ const _EN = {
   '正在恢复登录...': 'Restoring login...',
   '暂时无法连接': 'Connection unavailable',
   '已为你保留登录状态，请检查网络后重试': 'Your login is preserved — check your network and retry',
+  '钱包数据加载失败': 'Failed to load wallet data',
+  '请检查网络后重试,或退出重新登录。当前显示的不是您的真实余额。': 'Check your network and retry, or log out and back in. The numbers shown are NOT your real balance.',
   '请填写收款地址和金额': 'Enter both address and amount',
   '活跃会话': 'Active sessions',
   '一键全登出': 'Logout everywhere',

package/dist/pwa/server.js

@@ -1045,14 +1045,7 @@ try {
     db.exec("CREATE INDEX IF NOT EXISTS idx_wl_user ON withdrawal_whitelist(user_id, revoked_at)");
 }
 catch { }
-try {
-    db.exec("ALTER TABLE withdrawal_requests ADD COLUMN status_detail TEXT");
-}
-catch { }
-try {
-    db.exec("ALTER TABLE withdrawal_requests ADD COLUMN email_confirmed_at TEXT");
-}
-catch { }
+// (withdrawal_requests status_detail / email_confirmed_at migrations moved to where the table is created — see ~L3782)
 // Wave G-1: 链上签名证明地址归属 → 免 24h 冷却
 try {
     db.exec("ALTER TABLE withdrawal_whitelist ADD COLUMN signature_verified_at TEXT");
@@ -4478,16 +4471,27 @@ function detectShareCommandFormat(text) {
 }
 db.exec(`
   CREATE TABLE IF NOT EXISTS withdrawal_requests (
-    id          TEXT PRIMARY KEY,
-    user_id     TEXT NOT NULL,
-    to_address  TEXT NOT NULL,
-    amount      REAL NOT NULL,
-    status      TEXT DEFAULT 'pending',
-    created_at  TEXT DEFAULT (datetime('now')),
-    processed_at TEXT,
-    tx_hash     TEXT
+    id                 TEXT PRIMARY KEY,
+    user_id            TEXT NOT NULL,
+    to_address         TEXT NOT NULL,
+    amount             REAL NOT NULL,
+    status             TEXT DEFAULT 'pending',
+    status_detail      TEXT,
+    email_confirmed_at TEXT,
+    created_at         TEXT DEFAULT (datetime('now')),
+    processed_at       TEXT,
+    tx_hash            TEXT
   )
 `);
+// migrations for older DBs (idempotent — fail silently if column already exists)
+try {
+    db.exec("ALTER TABLE withdrawal_requests ADD COLUMN status_detail TEXT");
+}
+catch { }
+try {
+    db.exec("ALTER TABLE withdrawal_requests ADD COLUMN email_confirmed_at TEXT");
+}
+catch { }
 db.exec(`
   CREATE TABLE IF NOT EXISTS deposit_txns (
     tx_hash      TEXT PRIMARY KEY,

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@seasonkoh/webaz",
-  "version": "0.1.15",
-  "description": "Agent-native decentralized commerce protocol. Humans and AI agents trade on the same protocol via MCP tools.",
+  "version": "0.1.16",
+  "description": "[PRE-LAUNCH] Agent-native decentralized commerce protocol. Humans and AI agents trade on the same protocol via MCP tools. ⚠️ Repository currently private until W8 public launch — GitHub links may return 404. See https://webaz.xyz for status.",
   "main": "dist/mcp.js",
   "bin": {
     "webaz": "dist/mcp.js"
@@ -40,7 +40,9 @@
   "type": "module",
   "files": [
     "dist/",
-    "README.md"
+    "README.md",
+    "LICENSE",
+    "NOTICE"
   ],
   "dependencies": {
     "@anthropic-ai/sdk": "^0.95.2",
@@ -62,6 +64,6 @@
     "typescript": "^6.0.3"
   },
   "engines": {
-    "node": ">=18"
+    "node": ">=22"
   }
 }