@seasonkoh/webaz 0.1.9 → 0.1.11

package/dist/layer1-agent/L1-1-mcp-server/server.js

@@ -14,7 +14,8 @@
  */
 import { Server } from '@modelcontextprotocol/sdk/server/index.js';
 import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';
-import { CallToolRequestSchema, ListToolsRequestSchema, ListResourcesRequestSchema, ReadResourceRequestSchema, } from '@modelcontextprotocol/sdk/types.js';
+import { CallToolRequestSchema, ListToolsRequestSchema, ListResourcesRequestSchema, ReadResourceRequestSchema, ListPromptsRequestSchema, // #B.1 a — MCP 三大原语之 Prompts
+GetPromptRequestSchema, } from '@modelcontextprotocol/sdk/types.js';
 import { initDatabase, generateId } from '../../layer0-foundation/L0-1-database/schema.js';
 import { transition, getOrderStatus, initSystemUser, } from '../../layer0-foundation/L0-2-state-machine/engine.js';
 import { initDisputeSchema, createDispute, respondToDispute, getDisputeDetails, getOrderDispute, getOpenDisputes, } from '../../layer3-trust/L3-1-dispute-engine/dispute-engine.js';
@@ -3925,7 +3926,7 @@ function settleOrder(db, orderId) {
 }
 // ─── MCP Server 主体 ──────────────────────────────────────────
 export async function startMCPServer() {
-    const server = new Server({ name: 'dcp-protocol', version: '0.1.0' }, { capabilities: { tools: {}, resources: {} } });
+    const server = new Server({ name: 'dcp-protocol', version: '0.1.0' }, { capabilities: { tools: {}, resources: {}, prompts: {} } });
     server.setRequestHandler(ListToolsRequestSchema, async () => ({ tools: TOOLS }));
     // ── MCP Resources：协议 Manifest ─────────────────────────────
     server.setRequestHandler(ListResourcesRequestSchema, async () => ({
@@ -3953,6 +3954,141 @@ export async function startMCPServer() {
             ],
         };
     });
+    // ── MCP Prompts:预定义对话模板(#B.1 a — MCP 三大原语补齐)─────────────
+    // Claude Desktop / Cursor / 其它 MCP 客户端会把这些 prompt 作为推荐对话起点呈现给用户。
+    // 每个 prompt = 一个"如何在 webaz 完成 X"的引导,用户选了之后,模型按 prompt 模板开始对话。
+    // 加这一层让 onboarding 极大简化 — 用户不需要先读 webaz_info 再决定怎么用。
+    const PROMPTS = [
+        {
+            name: 'webaz-place-order',
+            description: '引导买家 agent 完成「发现 → 验价 → 锁价 → 下单」全流程(含粘贴外链精准匹配)。如果用户给你商品链接,用这个 prompt。',
+            arguments: [
+                { name: 'user_intent', description: '用户原始需求或粘贴的链接文本', required: true },
+            ],
+        },
+        {
+            name: 'webaz-list-product',
+            description: '引导卖家 agent 完成商品上架 — 含 SEO/Agent 友好度最佳实践(填全 brand/model/specs/return_days/handling_hours 等 Schema.org 加分字段)。',
+            arguments: [
+                { name: 'product_summary', description: '卖家口述的商品概要', required: true },
+            ],
+        },
+        {
+            name: 'webaz-onboard',
+            description: '新 agent 第一次接入 webaz 时的引导 — 解释协议性质 / pre-launch 状态 / MLM 形态 / 注册路径 / 用户授权边界。先读 webaz_info,再走这个 prompt。',
+            arguments: [],
+        },
+        {
+            name: 'webaz-handle-dispute',
+            description: '订单出现问题时引导处理 — 区分"协商退款 / 走争议仲裁 / 卖家主动取消"三条路径,提示铁律(arbitrate 必须 PWA + Passkey)。',
+            arguments: [
+                { name: 'order_id', description: '出问题的订单 ID', required: true },
+                { name: 'issue_summary', description: '问题描述(收到货不符 / 没收到 / 质量问题等)', required: true },
+            ],
+        },
+        {
+            name: 'webaz-cross-border',
+            description: '中国跨境卖家参与引导 — 国内用 webaz 自有协议 / 跨境暴露 UCP merchant endpoint 给全球 agent。讲清双轨架构 + 合规边界。',
+            arguments: [],
+        },
+    ];
+    server.setRequestHandler(ListPromptsRequestSchema, async () => ({ prompts: PROMPTS }));
+    server.setRequestHandler(GetPromptRequestSchema, async (request) => {
+        const name = request.params.name;
+        const args = (request.params.arguments || {});
+        // 每个 prompt 返回一份 message 列表,客户端把它当作对话起点
+        const messages = [];
+        switch (name) {
+            case 'webaz-place-order':
+                messages.push({
+                    role: 'user',
+                    content: {
+                        type: 'text',
+                        text: `用户需求:${args.user_intent || '(未提供)'}\n\n` +
+                            `请使用 webaz_search 工具(可粘贴外链精准匹配,详见工具描述)找到最匹配的商品,` +
+                            `然后用 webaz_verify_price 锁价(返回 session_token,10 分钟有效),` +
+                            `最后用 webaz_place_order(session_token=...) 下单。` +
+                            `下单时记得跟用户确认收货地址 + 是否需要使用推荐人 promoter_api_key(可选)。\n\n` +
+                            `重要:不要跳过 verify_price 这一步 — 它是防价格篡改的关键。`,
+                    },
+                });
+                break;
+            case 'webaz-list-product':
+                messages.push({
+                    role: 'user',
+                    content: {
+                        type: 'text',
+                        text: `卖家概要:${args.product_summary || '(未提供)'}\n\n` +
+                            `请使用 webaz_list_product 工具上架。最佳实践:**填得越完整,SEO + agent 命中精度越高**:\n` +
+                            `- 必填:title / description / price\n` +
+                            `- 高 SEO 价值:images / category / brand / model / return_days(>0) / handling_hours / ship_regions\n` +
+                            `- 中等价值:specs(JSON 结构化,如 {颜色:黑色,容量:350ml}) / warranty_days / weight_kg / return_condition\n` +
+                            `- 跨境(可选):source_price(外部参考价) + 多语言版本(通过 PWA 上架)\n\n` +
+                            `Schema.org Product / Offer / shippingDetails / hasMerchantReturnPolicy 字段已自动映射 —` +
+                            `Google Rich Result 和外部 agent 会直接读到这些字段。`,
+                    },
+                });
+                break;
+            case 'webaz-onboard':
+                messages.push({
+                    role: 'user',
+                    content: {
+                        type: 'text',
+                        text: `请先调用 webaz_info 拿到完整协议状态,然后跟我确认以下几点理解:\n\n` +
+                            `1. **网络阶段(network_state.phase)**:webaz 目前是什么状态?真实用户数多少?\n` +
+                            `2. **经济模型(commission_model.compliance_notice)**:协议含三级佣金 + 二元 PV 配对结构 — 在多数辖区可能与 MLM 法律定义重叠。` +
+                            `代理 AI 不应默认替终端用户生成推广链接或拉新,需用户显式授权。\n` +
+                            `3. **数据来源**:工具返回的所有 stats 是本机 MCP 数据库的本地计数,不代表协议全网真实状态。\n` +
+                            `4. **铁律(Iron Rule)**:vote / arbitrate / agent_revoke / delete_passkey / 大额提现需要用户在 PWA 完成 WebAuthn ceremony,` +
+                            `agent 无法替用户做这些操作 — 这是协议级强制,不是建议。\n\n` +
+                            `确认理解后,告诉我:你想做什么?(下单 / 上架 / 跨境 / 争议处理 / 其它)`,
+                    },
+                });
+                break;
+            case 'webaz-handle-dispute':
+                messages.push({
+                    role: 'user',
+                    content: {
+                        type: 'text',
+                        text: `订单:${args.order_id || '(未提供)'}\n问题:${args.issue_summary || '(未提供)'}\n\n` +
+                            `请先 webaz_get_status 查订单当前状态 + 责任方 + 截止时间。然后按以下路径:\n\n` +
+                            `**A. 协商退款**(最快):用 webaz_chat 私信卖家协商,卖家同意后 webaz_update_order(action=cancel_refund)。\n` +
+                            `**B. 走争议仲裁**(协商无果):webaz_dispute(action=create),系统进入 dispute_cases。\n` +
+                            `  - verifier 共识投票 → arbitrator 裁定 → 系统执行退款/扣 stake\n` +
+                            `  - 120h 内 arbitrator 不裁,系统自动退款买家\n` +
+                            `  - **arbitrate / vote 必须 PWA + Passkey(铁律),agent 不能替代**\n` +
+                            `**C. 卖家主动取消**:卖家用 webaz_update_order(action=cancel)。\n\n` +
+                            `跟用户确认走哪条路再行动。`,
+                    },
+                });
+                break;
+            case 'webaz-cross-border':
+                messages.push({
+                    role: 'user',
+                    content: {
+                        type: 'text',
+                        text: `webaz 的跨境双轨架构:\n\n` +
+                            `**境内业务**:走 webaz 自有协议(中文 + 监管友好 + 独立)。所有交易在 webaz state machine 内完成。\n\n` +
+                            `**跨境业务**:同一商品同时通过两条路径暴露:\n` +
+                            `1. webaz 自有协议(给 webaz 内部 agent / PWA 用户)\n` +
+                            `2. UCP merchant endpoint(被全球 commerce agent 如 Google AI Mode / Gemini / ChatGPT 发现)\n\n` +
+                            `**关键合规**:\n` +
+                            `- 资金通道严格走持牌(新加坡实体 + KYC ≥ 1000 WAZ)\n` +
+                            `- 数据出境严格限定到交易必要字段(不含画像 / 信誉细节)\n` +
+                            `- agent 替代下单的法律责任分配(平台 / 卖家 / agent 三方) — 当前 owner 在做法律意见\n\n` +
+                            `如果你是跨境卖家想入驻,告诉我商品类目 + 主要目的国 + 是否已有 Shopify/淘宝/亚马逊店,` +
+                            `我帮你规划在 webaz 上架的最优字段配置(SEO 友好 + 跨境合规)。`,
+                    },
+                });
+                break;
+            default:
+                throw new Error(`未知 prompt: ${name}`);
+        }
+        return {
+            description: PROMPTS.find(p => p.name === name)?.description || '',
+            messages,
+        };
+    });
     server.setRequestHandler(CallToolRequestSchema, async (request) => {
         const { name, arguments: args = {} } = request.params;
         const t0 = Date.now();

package/dist/pwa/public/app.js

@@ -206,6 +206,88 @@ function setJsonLd(obj) {
   } catch { /* never break rendering */ }
 }
 
+// #1052 — 商家上架/编辑表单 SEO/Agent 友好度评分(零运行时风险,纯前端引导)
+// 鼓励商家填全 Schema.org 加分字段:每填一个 + 权重分,显著提高 rich result / agent 命中精度
+window.computeSeoScore = function(prefix) {
+  // prefix='prd' (create form) | 'ep' (edit form) — 字段 ID 用 prefix-name
+  const v = id => (document.getElementById(prefix + '-' + id)?.value || '').trim()
+  const n = id => Number(v(id)) || 0
+  const checks = []
+  // 必填项(不评分,缺则警告)
+  checks.push({ name: '商品名称', filled: v('title').length > 0, weight: 'required' })
+  checks.push({ name: '商品描述', filled: v('desc').length > 10, weight: 'required' })
+  checks.push({ name: '价格', filled: n('price') > 0, weight: 'required' })
+  // 高 SEO 价值
+  if (prefix === 'prd') {
+    const imgCount = (window.state?._addProductImgs?.length) || 0
+    checks.push({ name: '商品图片(至少 1 张)', filled: imgCount > 0, weight: 12 })
+  } else {
+    checks.push({ name: '商品图片', filled: !!document.querySelector('#ep-img-grid img'), weight: 12 })
+  }
+  checks.push({ name: '分类', filled: v('cat').length > 0, weight: 12 })
+  checks.push({ name: '退货天数(>0)', filled: n('return') > 0, weight: 12 })
+  checks.push({ name: '备货时效', filled: n('handling') > 0, weight: 10 })
+  checks.push({ name: '配送范围', filled: v('ship-regions').length > 0, weight: 8 })
+  // 中等 SEO 价值
+  checks.push({ name: '规格参数', filled: v('specs').length > 0, weight: 8 })
+  checks.push({ name: '质保天数', filled: n('warranty') > 0, weight: 6 })
+  checks.push({ name: '退货条件', filled: v('return-cond').length > 0, weight: 6 })
+  checks.push({ name: '预计时效', filled: v('est-days').length > 0, weight: 6 })
+  // edit form 独有字段(brand/model/i18n)
+  if (prefix === 'ep') {
+    checks.push({ name: '品牌', filled: v('brand').length > 0, weight: 8 })
+    checks.push({ name: '型号', filled: v('model').length > 0, weight: 6 })
+    checks.push({ name: '英文标题(跨境)', filled: v('i18n-title-en').length > 0, weight: 4 })
+  }
+  const requiredMissing = checks.filter(c => c.weight === 'required' && !c.filled).map(c => c.name)
+  const scorable = checks.filter(c => c.weight !== 'required')
+  const max = scorable.reduce((s, c) => s + c.weight, 0)
+  const got = scorable.filter(c => c.filled).reduce((s, c) => s + c.weight, 0)
+  const pct = max > 0 ? Math.round((got / max) * 100) : 0
+  const missing = scorable.filter(c => !c.filled).map(c => c.name)
+  return { pct, missing, requiredMissing, max, got }
+}
+
+window.renderSeoScoreBar = function(prefix) {
+  const bar = document.getElementById('seo-score-bar-' + prefix)
+  if (!bar) return
+  const { pct, missing, requiredMissing } = computeSeoScore(prefix)
+  let level, color, msg
+  if (requiredMissing.length) {
+    level = '❌'; color = '#dc2626'; msg = t('必填项缺失: ') + requiredMissing.map(t).join(' / ')
+  } else if (pct >= 85) { level = '🌟'; color = '#16a34a'; msg = t('优秀 — 商品对 agent / 搜索引擎完全友好') }
+  else if (pct >= 60) { level = '📈'; color = '#0891b2'; msg = t('不错 — 再补几项达到最佳') }
+  else if (pct >= 30) { level = '🌱'; color = '#ca8a04'; msg = t('起步阶段,补全信息显著提高曝光') }
+  else { level = '⚠️'; color = '#dc2626'; msg = t('信息不全,搜索引擎和 agent 几乎找不到') }
+  const missingTip = missing.length ? missing.map(t).join('\n') : ''
+  bar.innerHTML = `
+    <div style="background:#fff;border:1px solid ${color};border-radius:8px;padding:10px 14px;margin-bottom:14px">
+      <div style="display:flex;justify-content:space-between;align-items:center;margin-bottom:6px">
+        <span style="font-weight:600;font-size:13px;color:${color}">${level} ${t('SEO / Agent 友好度')}: ${pct}/100</span>
+        ${missing.length ? `<span style="font-size:11px;color:#6b7280;cursor:help" title="${escHtml(missingTip)}">${t('还缺')} ${missing.length} ${t('项')} ▾</span>` : ''}
+      </div>
+      <div style="background:#f3f4f6;border-radius:99px;height:6px;overflow:hidden">
+        <div style="background:${color};height:100%;width:${pct}%;transition:width 0.3s"></div>
+      </div>
+      <div style="font-size:11px;color:#6b7280;margin-top:6px;line-height:1.4">${escHtml(msg)}</div>
+    </div>
+  `
+}
+
+window.setupSeoScoreBar = function(prefix) {
+  // 首渲 + 在 form 上挂 input/change 监听器实时刷新
+  setTimeout(() => {
+    renderSeoScoreBar(prefix)
+    const formId = prefix === 'prd' ? 'add-product-form' : 'edit-form-card'
+    const form = document.getElementById(formId)
+    if (!form || form._seoBound) return
+    form._seoBound = true
+    const rerender = () => renderSeoScoreBar(prefix)
+    form.addEventListener('input', rerender, { passive: true })
+    form.addEventListener('change', rerender, { passive: true })
+  }, 80)
+}
+
 async function loadPersistedApiKey() {
   let raw = null
   try { raw = localStorage.getItem('webaz_key') } catch {}
@@ -5379,6 +5461,7 @@ window.openAuthSheet = (defaultTab) => {
             <option value="global">${t('🌐 其他地区')}</option>
           </select>
         </div>
+        <div id="reg-turnstile-slot" style="margin:10px 0;min-height:0"></div>
         <button class="btn btn-primary" onclick="doRegister()">${t('注册')}</button>
       </div>
     </div>
@@ -5387,6 +5470,8 @@ window.openAuthSheet = (defaultTab) => {
   // sheet 渲染后：自动预填邀请码 + 切到默认 tab + 触发注册闸门检查
   setTimeout(() => {
     if (defaultTab === 'reg') switchLoginTab('reg')
+    // #1049 Turnstile widget(若 env 已配)
+    try { window._mountTurnstileIfEnabled && window._mountTurnstileIfEnabled() } catch {}
     const inp = document.getElementById('inp-sponsor')
     if (inp && !inp.value) {
       const hint = readShareHint()
@@ -10184,7 +10269,10 @@ window.switchLoginTab = (tab) => {
   document.getElementById('panel-reg').style.display  = tab === 'reg'   ? '' : 'none'
   document.getElementById('tab-login').className = 'seg-btn' + (tab === 'login' ? ' active' : '')
   document.getElementById('tab-reg').className   = 'seg-btn' + (tab === 'reg'   ? ' active' : '')
-  if (tab === 'reg') checkRegGate()
+  if (tab === 'reg') {
+    checkRegGate()
+    try { window._mountTurnstileIfEnabled && window._mountTurnstileIfEnabled() } catch {}
+  }
 }
 
 async function checkRegGate() {
@@ -10537,6 +10625,45 @@ async function initShareCtx() {
   return readShareCtx()
 }
 
+// #1049 Turnstile widget bootstrap — 仅当后端注入 site_key 时挂载;失败/无 key 时透明跳过
+window._mountTurnstileIfEnabled = async () => {
+  const slot = document.getElementById('reg-turnstile-slot')
+  if (!slot || slot.dataset.mounted === '1') return
+  try {
+    const flags = await fetch('/api/system-flags').then(r => r.json())
+    const siteKey = flags?.turnstile_site_key
+    if (!siteKey) return    // env 未配置 — 静默跳过(dev/pre-launch 兼容)
+    if (!window.turnstile) {
+      // 动态加载 Cloudflare Turnstile script(一次性)
+      await new Promise((resolve, reject) => {
+        if (document.getElementById('cf-turnstile-script')) return resolve()
+        const s = document.createElement('script')
+        s.id = 'cf-turnstile-script'
+        s.src = 'https://challenges.cloudflare.com/turnstile/v0/api.js'
+        s.async = true; s.defer = true
+        s.onload = resolve; s.onerror = reject
+        document.head.appendChild(s)
+      })
+    }
+    // 给一帧让 widget 挂载;再渲染
+    setTimeout(() => {
+      if (window.turnstile && slot.dataset.mounted !== '1') {
+        try {
+          window._turnstileToken = ''
+          window.turnstile.render(slot, {
+            sitekey: siteKey,
+            theme: 'light',
+            callback: tk => { window._turnstileToken = tk },
+            'expired-callback': () => { window._turnstileToken = '' },
+            'error-callback': () => { window._turnstileToken = '' },
+          })
+          slot.dataset.mounted = '1'
+        } catch {}
+      }
+    }, 50)
+  } catch { /* 加载失败不阻塞 dev */ }
+}
+
 window.doRegister = async () => {
   const name = document.getElementById('inp-name').value.trim()
   const role = document.getElementById('inp-role').value
@@ -10557,8 +10684,21 @@ window.doRegister = async () => {
     body.placement_inviter_id = hint.placement_inviter_id
     body.placement_side       = hint.placement_side
   }
+  // #1049 Turnstile token(若启用)
+  if (window._turnstileToken) body.turnstile_token = window._turnstileToken
   const res = await POST('/register', body)
-  if (res.error) return showMsg('error', res.error)
+  if (res.error) {
+    // P0-3: token 单次消耗,任何注册失败(name 重 / invite 缺 / captcha 假)后都要 reset widget 拿新 challenge,
+    // 否则用户 retry 时旧 token 已失效 → 后端 timeout-or-duplicate → 死循环
+    try {
+      window._turnstileToken = ''
+      if (window.turnstile) {
+        const slot = document.getElementById('reg-turnstile-slot')
+        if (slot) window.turnstile.reset(slot)
+      }
+    } catch {}
+    return showMsg('error', res.error)
+  }
   // 注册成功后清掉 hint（已绑定）
   localStorage.removeItem('webaz_share_hint')
   localStorage.removeItem('webaz_ref')
@@ -11481,6 +11621,7 @@ async function renderDiscover(app) {
   shInjectStrip('discover-sh-strip', { limit: 5 })
 
   // #1051 Schema.org ItemList — 搜索引擎可取作 SERP / 购物 agent 可一次读完前 20 个商品
+  // #1053 每个 Product 加 inLanguage + name 多语言数组(i18n_titles 有别名时)
   try {
     setJsonLd({
       '@context': 'https://schema.org',
@@ -11489,12 +11630,19 @@ async function renderDiscover(app) {
       numberOfItems: products.length,
       itemListElement: products.slice(0, 20).map((pp, idx) => {
         const img = (pp.images || '').split(',').map(s => s.trim()).filter(s => /^(https?:|\/|data:)/.test(s))[0]
+        const lang = pp._lang || 'zh'
+        const titles = pp.i18n_titles && typeof pp.i18n_titles === 'object' ? pp.i18n_titles : {}
+        const altCount = Object.entries(titles).filter(([k, v]) => k !== lang && v).length
+        const nameField = altCount > 0
+          ? [{ '@value': String(pp.title || ''), '@language': lang },
+             ...Object.entries(titles).filter(([k, v]) => k !== lang && v).map(([k, v]) => ({ '@value': String(v), '@language': k }))]
+          : pp.title
         return {
           '@type': 'ListItem',
           position: idx + 1,
           item: {
             '@type': 'Product',
-            name: pp.title,
+            name: nameField,
             url: location.origin + '/#order-product/' + pp.id,
             ...(img ? { image: img } : {}),
             offers: { '@type': 'Offer', price: pp.price, priceCurrency: pp.currency || 'WAZ' },
@@ -15567,11 +15715,26 @@ async function renderBuyPage(app, productId) {
     const hasMerchantReturnPolicy = returnDays > 0
       ? { '@type': 'MerchantReturnPolicy', applicableCountry: 'Global', returnPolicyCategory: 'https://schema.org/MerchantReturnFiniteReturnWindow', merchantReturnDays: returnDays, returnMethod: 'https://schema.org/ReturnByMail' }
       : { '@type': 'MerchantReturnPolicy', returnPolicyCategory: 'https://schema.org/MerchantReturnNotPermitted' }
+    // #1053 多语言变体:用 JSON-LD 1.1 language-tagged value 数组让 name/description 同时承载多语言
+    // — Google rich result 读取第一项(当前 locale),其他 agent / 跨语种爬虫可解 @language 拿对应译文
+    const curLang = p._lang || 'zh'
+    const i18nTitles = p.i18n_titles && typeof p.i18n_titles === 'object' ? p.i18n_titles : {}
+    const i18nDescs  = p.i18n_descs  && typeof p.i18n_descs  === 'object' ? p.i18n_descs  : {}
+    function buildLangArray(currentVal, currentLang, i18nMap) {
+      const out = [{ '@value': String(currentVal || ''), '@language': currentLang }]
+      for (const [lang, val] of Object.entries(i18nMap)) {
+        if (lang === currentLang || !val) continue
+        out.push({ '@value': String(val).slice(0, 5000), '@language': lang })
+      }
+      return out.length > 1 ? out : String(currentVal || '')
+    }
+    const nameField = buildLangArray(p.title, curLang, i18nTitles)
+    const descField = buildLangArray((p.description || '').slice(0, 5000), curLang, i18nDescs)
     setJsonLd({
       '@context': 'https://schema.org',
       '@type': 'Product',
-      name: p.title,
-      description: (p.description || '').slice(0, 5000),
+      name: nameField,
+      description: descField,
       sku: p.id,
       ...(p.brand ? { brand: { '@type': 'Brand', name: p.brand } } : {}),
       ...(p.model ? { model: p.model } : {}),
@@ -20667,6 +20830,7 @@ async function renderSeller(app) {
       <div class="card">
         <div style="font-weight:700;margin-bottom:16px">${t('上架新商品')}</div>
         <div id="add-msg"></div>
+        <div id="seo-score-bar-prd"></div>  <!-- #1052 SEO 友好度评分,setupSeoScoreBar('prd') 启用 -->
 
         <div class="form-group"><label class="form-label">${t('商品名称')} *</label><input class="form-control" id="prd-title" placeholder="${t('例：手工竹编收纳篮')}"></div>
 
@@ -20851,7 +21015,7 @@ async function renderSeller(app) {
   } catch {}
 }
 
-window.showAddProduct = () => { document.getElementById('add-product-form').style.display = '' }
+window.showAddProduct = () => { document.getElementById('add-product-form').style.display = ''; setupSeoScoreBar('prd') }
 // 2026-05-24 #987：实时估算测评活动需预留资金
 window.updateTrialCost = () => {
   const el = document.getElementById('prd-trial-cost')
@@ -21563,7 +21727,8 @@ async function renderEditProduct(app, productId) {
       <h1 class="page-title" style="margin:0">${t('编辑商品')}</h1>
     </div>
     <div id="edit-msg"></div>
-    <div class="card">
+    <div class="card" id="edit-form-card">
+      <div id="seo-score-bar-ep"></div>  <!-- #1052 SEO 友好度评分,setupSeoScoreBar('ep') 启用 -->
       <div class="form-group"><label class="form-label">${t('商品名称')}</label>
         <input class="form-control" id="ep-title" value="${escHtml(p.title || '')}"></div>
       <div class="form-group">
@@ -21793,6 +21958,7 @@ async function renderEditProduct(app, productId) {
       <div id="ep-lnk-msg"></div>
     </div>
   `, 'seller')
+  setupSeoScoreBar('ep')  // #1052 实时显示编辑表单的 SEO/Agent 友好度评分
 }
 
 // S4 v0.4.35：从编辑页 origin 字段拼装 JSON payload；null=清空

package/dist/pwa/public/i18n.js

@@ -5719,6 +5719,32 @@ const _EN = {
   // ── #1044 删 Passkey 需先用 Passkey 验证 ────────────────────
   '需要先用 Passkey 验证身份才能删除：': 'Need Passkey verification to delete: ',
 
+  // ── #1052 商家 SEO/Agent 友好度评分 ─────────────────────────
+  'SEO / Agent 友好度':                'SEO / Agent friendliness',
+  '还缺':                              'Missing',
+  '项':                                'fields',
+  '必填项缺失: ':                      'Required fields missing: ',
+  '优秀 — 商品对 agent / 搜索引擎完全友好': 'Excellent — product is fully friendly to agents / search engines',
+  '不错 — 再补几项达到最佳':           'Good — fill a few more to reach optimal',
+  '起步阶段,补全信息显著提高曝光':     'Starter level — completing more fields significantly boosts visibility',
+  '信息不全,搜索引擎和 agent 几乎找不到': 'Incomplete — search engines and agents will barely find you',
+  '商品名称':                          'Product title',
+  '商品描述':                          'Product description',
+  '价格':                              'Price',
+  '商品图片(至少 1 张)':               'Product image (at least 1)',
+  '商品图片':                          'Product image',
+  '分类':                              'Category',
+  '退货天数(>0)':                      'Return days (>0)',
+  '备货时效':                          'Handling time',
+  '配送范围':                          'Ship regions',
+  '规格参数':                          'Specs',
+  '质保天数':                          'Warranty days',
+  '退货条件':                          'Return condition',
+  '预计时效':                          'Estimated delivery',
+  '品牌':                              'Brand',
+  '型号':                              'Model',
+  '英文标题(跨境)':                    'English title (cross-border)',
+
   // ── #1047 pre-launch 横幅 ────────────────────────────────────
   '协议尚未公开上线 · 数据为测试 / demo · 请勿据此投资或承诺第三方':
     'Pre-launch protocol · data is test / demo only · do not use for investment or third-party commitments',

package/dist/pwa/public/sw.js

@@ -1,5 +1,5 @@
 // Service Worker — 网络优先，离线降级缓存；API 请求不缓存
-const CACHE = 'webaz-v475'
+const CACHE = 'webaz-v480'
 
 self.addEventListener('install', e => {
   self.skipWaiting()

package/dist/pwa/routes/agent-governance.js

@@ -53,7 +53,11 @@ export function registerAgentGovernanceRoutes(app, deps) {
         };
         res.json({ items, custodian });
     });
-    // Phase 4：签名可移植护照导出(VC/DID,跨协议 ecrecover 可验)。owner 自取自己 agent 的凭证。
+    // Phase 4 + DID/VC 短期 mapping(B.6 b,2026-05-30):
+    //   webaz_format = 原 WebAZAgentPassport (向后兼容,任何 existing consumer 还用这个)
+    //   vc_format    = W3C Verifiable Credential v1 标准(任何标准 DID/VC resolver 可用)
+    //   两者签名是同一个(eip191 over canonical 串),两者可互推。
+    //   issuer 同时给 did:web:webaz.xyz(标准 DID method)+ 原 did:webaz:0x... 地址(向后兼容)。
     app.get('/api/me/agents/:apiKeyPrefix/passport', async (req, res) => {
         const user = auth(req, res);
         if (!user)
@@ -68,11 +72,14 @@ export function registerAgentGovernanceRoutes(app, deps) {
         const pp = computeAgentPassport(db, match.api_key, user.id, custodianFingerprint);
         const issued_at = new Date().toISOString();
         const expires_at = new Date(Date.now() + 7 * 86400_000).toISOString();
-        const issuer = issuerAddress();
+        const issuerAddr = issuerAddress();
+        const issuerDidWeb = 'did:web:webaz.xyz'; // W3C did:web 形态
+        const issuerDidLegacy = 'did:webaz:' + issuerAddr; // 原自定义形态(保留)
         const keyPrefix = match.api_key.slice(0, 12) + '...';
         const bp = pp.behavior_profile;
-        // 规范化签名串(verifier 用相同格式重建 → verifyMessage(issuer, canonical, signature))
-        const canonical = `webaz-agent-passport|v1|${issuer}|${issued_at}|${expires_at}|${pp.custodian_fingerprint}|${keyPrefix}|risk=${pp.risk_score}|depth=${pp.engagement_depth}|bp=${bp.query},${bp.transact},${bp.govern}`;
+        // 规范化签名串(verifier 用相同格式重建 → verifyMessage(issuerAddr, canonical, signature))
+        // 两套 wrapper 共享同一 canonical + signature,所以一签两用。
+        const canonical = `webaz-agent-passport|v1|${issuerAddr}|${issued_at}|${expires_at}|${pp.custodian_fingerprint}|${keyPrefix}|risk=${pp.risk_score}|depth=${pp.engagement_depth}|bp=${bp.query},${bp.transact},${bp.govern}`;
         let signature = '';
         try {
             signature = await signPassport(canonical);
@@ -80,14 +87,52 @@ export function registerAgentGovernanceRoutes(app, deps) {
         catch (e) {
             return void res.status(503).json({ error: '签名服务暂不可用', detail: e.message });
         }
-        res.json({
+        // 原格式(向后兼容)— 任何已写过 webaz 集成的 consumer 不需要改
+        const webaz_format = {
             type: 'WebAZAgentPassport', version: 1,
-            issuer: 'did:webaz:' + issuer, issuer_address: issuer,
+            issuer: issuerDidLegacy, issuer_address: issuerAddr,
             issued_at, expires_at,
             subject: { custodian_fingerprint: pp.custodian_fingerprint, agent_key_prefix: keyPrefix },
             claims: { risk_score: pp.risk_score, engagement_depth: pp.engagement_depth, behavior_profile: bp },
             canonical, signature,
             verify: { scheme: 'eip191', how: 'verifyMessage(issuer_address, canonical, signature)' },
+        };
+        // W3C Verifiable Credential v1 标准格式 — 任何 DID/VC 生态工具(KILT/Polygon ID/Veramo/SpruceID/...)可直接消费
+        // proof.type 用 EcdsaSecp256k1RecoverySignature2020(eip191 在 W3C 安全套件里的标准名)
+        // proofValue 是同一 signature 字符串(0x..),verifier 用 viem.verifyMessage 验真
+        const vc_format = {
+            '@context': [
+                'https://www.w3.org/2018/credentials/v1',
+                'https://webaz.xyz/credentials/v1', // webaz 自定义 schema 命名空间
+            ],
+            type: ['VerifiableCredential', 'WebAZAgentPassport'],
+            issuer: issuerDidWeb, // did:web — 通过 /.well-known/did.json 解析
+            issuanceDate: issued_at,
+            expirationDate: expires_at,
+            credentialSubject: {
+                id: `${issuerDidWeb}:agents:${keyPrefix.replace('...', '')}`, // 在 issuer 命名空间下的 agent 标识
+                custodianFingerprint: pp.custodian_fingerprint,
+                agentKeyPrefix: keyPrefix,
+                riskScore: pp.risk_score,
+                engagementDepth: pp.engagement_depth,
+                behaviorProfile: { query: bp.query, transact: bp.transact, govern: bp.govern },
+            },
+            proof: {
+                type: 'EcdsaSecp256k1RecoverySignature2020', // eip191 在 W3C 套件里的标准名
+                created: issued_at,
+                verificationMethod: `${issuerDidWeb}#key-1`, // 指向 did.json 里的 verificationMethod
+                proofPurpose: 'assertionMethod',
+                proofValue: signature,
+                // canonical 不在 W3C VC 标准里,但 webaz consumer 仍需要它来重建签名:
+                webazCanonical: canonical,
+            },
+        };
+        res.json({
+            // 两个格式并存返回 — backward-compat consumer 用 webaz_format,标准 DID/VC consumer 用 vc_format
+            // 顶层保留 webaz_format 的关键字段方便不解嵌的 consumer(类似 ?format=webaz 默认行为)
+            ...webaz_format,
+            vc_format,
+            webaz_format, // 显式重复让消费者明确选哪个
         });
     });
     app.get('/api/me/agents/:apiKeyPrefix/log', (req, res) => {

package/dist/pwa/routes/ap2-mandate.js

@@ -0,0 +1,123 @@
+/**
+ * AP2 Mandate 构造器 — 把 webaz 内部 verify_price / place_order 输出
+ * 映射为 Google AP2 (Agent Payments Protocol) 的三类 Mandate 结构,
+ * 与 webaz 原 schema 并存(不破坏现有客户端),让 AP2-aware 的 agent 可直接消费。
+ *
+ * AP2 三类 Mandate:
+ *   IntentMandate  — 用户/agent "想买什么"(verify_price 锁价时签发)
+ *   CartMandate    — agent 实际组装的购物车(place_order 成功时签发)
+ *   PaymentMandate — 卖家应收金额(place_order 成功时签发,与 Cart 并发)
+ *
+ * 签名方案 = Phase 4 同款 eip191(hot wallet),signature 字段由调用方填充。
+ * canonical 是用于签名的 JSON.stringify 输出(确定序列化、键序固定)。
+ */
+const AP2_VERSION = '1.0';
+const AP2_SPEC = 'https://github.com/google-agentic-commerce/AP2';
+function nowIso() { return new Date().toISOString(); }
+function canonical(obj) {
+    // 简单深排序后 JSON.stringify;够用于签名稳定性,不引入额外依赖。
+    const sort = (v) => {
+        if (v === null || typeof v !== 'object')
+            return v;
+        if (Array.isArray(v))
+            return v.map(sort);
+        return Object.keys(v).sort().reduce((acc, k) => {
+            acc[k] = sort(v[k]);
+            return acc;
+        }, {});
+    };
+    return JSON.stringify(sort(obj));
+}
+function baseProof(input) {
+    return {
+        type: 'EcdsaSecp256k1RecoverySignature2020',
+        scheme: 'eip191',
+        proofPurpose: 'assertionMethod',
+        verificationMethod: `${input.issuerDid}#controller`,
+        blockchainAccountId: `eip155:8453:${input.issuerAddress}`,
+        created: input.issuedAt ?? nowIso(),
+        signature: '', // 调用方填充
+    };
+}
+export function buildIntentMandate(input) {
+    const issuedAt = input.issuedAt ?? nowIso();
+    const mandate = {
+        '@context': ['https://www.w3.org/2018/credentials/v1', AP2_SPEC],
+        type: ['VerifiableCredential', 'IntentMandate'],
+        ap2_version: AP2_VERSION,
+        issuer: input.issuerDid,
+        issuedAt,
+        ...(input.expiresAt ? { expiresAt: input.expiresAt } : {}),
+        principal: input.principal,
+        intent: {
+            action: 'purchase',
+            target: { type: 'product', sku: input.productId, ...(input.productName ? { name: input.productName } : {}) },
+            constraints: {
+                max_unit_price: input.maxUnitPrice,
+                quantity: input.quantity,
+                max_total: input.maxUnitPrice * input.quantity,
+                currency: input.currency,
+            },
+            session_token: input.sessionToken,
+        },
+        proof: baseProof({ ...input, issuedAt }),
+    };
+    // canonical 签名内容 = 除 proof.signature 外的全部字段
+    const forSign = JSON.parse(JSON.stringify(mandate));
+    forSign.proof.signature = '';
+    return { canonical: canonical(forSign), mandate };
+}
+export function buildCartMandate(input) {
+    const issuedAt = input.issuedAt ?? nowIso();
+    const mandate = {
+        '@context': ['https://www.w3.org/2018/credentials/v1', AP2_SPEC],
+        type: ['VerifiableCredential', 'CartMandate'],
+        ap2_version: AP2_VERSION,
+        issuer: input.issuerDid,
+        issuedAt,
+        principal: input.principal,
+        cart: {
+            order_id: input.orderId,
+            items: input.items,
+            subtotal: input.subtotal,
+            ...(input.fees ? { fees: input.fees } : {}),
+            total: input.total,
+            currency: input.currency,
+        },
+        proof: baseProof({ ...input, issuedAt }),
+    };
+    const forSign = JSON.parse(JSON.stringify(mandate));
+    forSign.proof.signature = '';
+    return { canonical: canonical(forSign), mandate };
+}
+export function buildPaymentMandate(input) {
+    const issuedAt = input.issuedAt ?? nowIso();
+    const mandate = {
+        '@context': ['https://www.w3.org/2018/credentials/v1', AP2_SPEC],
+        type: ['VerifiableCredential', 'PaymentMandate'],
+        ap2_version: AP2_VERSION,
+        issuer: input.issuerDid,
+        issuedAt,
+        payer: input.payer,
+        payee: input.payee,
+        payment: {
+            amount: input.amount,
+            currency: input.currency,
+            method: input.paymentMethod,
+            order_id: input.orderId,
+            ...(input.escrowReleaseCondition ? { release_condition: input.escrowReleaseCondition } : {}),
+        },
+        proof: baseProof({ ...input, issuedAt }),
+    };
+    const forSign = JSON.parse(JSON.stringify(mandate));
+    forSign.proof.signature = '';
+    return { canonical: canonical(forSign), mandate };
+}
+/** 把 build*Mandate 输出的 canonical 经 signFn 签名后,返回带 signature 的深 clone(不 mutate 入参) */
+export async function signMandate(out, signFn) {
+    const sig = await signFn(out.canonical);
+    // P2-3:深 clone 后再塞 signature;入参 out.mandate 保持不变,防调用方持引用被旁路修改
+    const signed = JSON.parse(JSON.stringify(out.mandate));
+    signed.proof.signature = sig;
+    return signed;
+}

package/dist/pwa/routes/auth-register.js

@@ -2,13 +2,40 @@ export function registerAuthRegisterRoutes(app, deps) {
     // VALID_REGIONS + INVITE_ROTATION_HANDLES 通过 deps.X 在 handler 内延迟读
     // （server.ts 用 getter 注入；destructure at register-time would trigger TDZ 因为它们在下方 const）
     const { db, errorRes, INTERNAL_AUDITOR_ID, isAllowedSponsor, resolveUserRef, generateId, generateSecureKey, generatePermanentCode, deriveHandle, clientIpHash, clientUaHash, pickPreferredSide, joinPowerLeg, inviteRotationLookup, recordSession, broadcastSystemEvent } = deps;
-    app.post('/api/register', (req, res) => {
-        const { name, role, sponsor_id, region, placement_inviter_id, placement_side } = req.body;
+    app.post('/api/register', async (req, res) => {
+        const { name, role, sponsor_id, region, placement_inviter_id, placement_side, turnstile_token } = req.body;
         const validRoles = ['buyer', 'seller'];
         if (!name?.trim())
             return void errorRes(res, 400, 'NAME_REQUIRED', '请填写名称');
         if (!validRoles.includes(role))
             return void errorRes(res, 400, 'ROLE_NOT_PUBLIC_REGISTERABLE', '角色无效（仅允许 buyer/seller — 受信角色须经内部审批）');
+        // #1049 Cloudflare Turnstile anti-sybil — env 缺失则跳过(dev/pre-launch fallback,不阻断)
+        const turnstileSecret = process.env.TURNSTILE_SECRET_KEY;
+        if (turnstileSecret) {
+            if (!turnstile_token || typeof turnstile_token !== 'string') {
+                return void errorRes(res, 400, 'CAPTCHA_REQUIRED', '请完成人机校验');
+            }
+            // P1-3:Cloudflare Turnstile token 通常 <2KB,卡 4KB 防大体积注入 siteverify 浪费带宽
+            if (turnstile_token.length > 4096) {
+                return void errorRes(res, 400, 'CAPTCHA_INVALID', '人机校验未通过,请刷新后重试');
+            }
+            try {
+                const remoteIp = req.ip || req.socket?.remoteAddress || '';
+                const verifyRes = await fetch('https://challenges.cloudflare.com/turnstile/v0/siteverify', {
+                    method: 'POST',
+                    headers: { 'content-type': 'application/x-www-form-urlencoded' },
+                    body: new URLSearchParams({ secret: turnstileSecret, response: turnstile_token, ...(remoteIp ? { remoteip: remoteIp } : {}) }).toString(),
+                });
+                const verifyJson = await verifyRes.json();
+                if (!verifyJson.success) {
+                    return void errorRes(res, 403, 'CAPTCHA_INVALID', '人机校验未通过,请刷新后重试', { codes: verifyJson['error-codes'] });
+                }
+            }
+            catch (e) {
+                // siteverify 网络故障 — 保守拒绝(防绕过),用户重试即可
+                return void errorRes(res, 503, 'CAPTCHA_VERIFY_UNAVAILABLE', '人机校验服务暂不可用,请稍后再试');
+            }
+        }
         const trimmed = name.trim();
         if (trimmed.length < 2 || trimmed.length > 40)
             return void errorRes(res, 400, 'NAME_LENGTH', '名称长度需在 2–40 个字符之间');

package/dist/pwa/routes/checkout-helpers.js

@@ -1,5 +1,6 @@
+import { buildIntentMandate, signMandate } from './ap2-mandate.js';
 export function registerCheckoutHelpersRoutes(app, deps) {
-    const { db, auth, generateId, formatProductForAgent } = deps;
+    const { db, auth, generateId, formatProductForAgent, signPassport, issuerAddress } = deps;
     app.get('/api/checkout/tax-preview', (req, res) => {
         const user = auth(req, res);
         if (!user)
@@ -43,7 +44,7 @@ export function registerCheckoutHelpersRoutes(app, deps) {
                 : '跨境订单 — 协议无该地区税费数据，请咨询当地海关',
         });
     });
-    app.post('/api/verify-price', (req, res) => {
+    app.post('/api/verify-price', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
@@ -71,6 +72,25 @@ export function registerCheckoutHelpersRoutes(app, deps) {
       INSERT INTO price_sessions (token, product_id, user_id, price, quantity, created_at, expires_at)
       VALUES (?, ?, ?, ?, ?, ?, ?)
     `).run(token, product_id, user.id, product.price, qty, now.toISOString(), expiresAt.toISOString());
+        // AP2 (B.4 b) — Intent Mandate 并存输出;不破坏现有 session_token
+        let ap2_intent_mandate = null;
+        try {
+            const out = buildIntentMandate({
+                issuerDid: 'did:web:webaz.xyz',
+                issuerAddress: issuerAddress(),
+                issuedAt: now.toISOString(),
+                expiresAt: expiresAt.toISOString(),
+                principal: { role: 'user', id: user.id },
+                productId: product_id,
+                productName: typeof product.title === 'string' ? product.title : undefined,
+                quantity: qty,
+                maxUnitPrice: product.price,
+                currency: 'WAZ',
+                sessionToken: token,
+            });
+            ap2_intent_mandate = await signMandate(out, signPassport);
+        }
+        catch { /* AP2 副输出失败不阻断主流程 */ }
         res.json({
             session_token: token,
             verified_price: product.price,
@@ -80,6 +100,7 @@ export function registerCheckoutHelpersRoutes(app, deps) {
             expires_at: expiresAt.toISOString(),
             expires_in_seconds: 600,
             note: '此价格在10分钟内有效。下单时传入 session_token 可保证此价格不变。',
+            ap2_intent_mandate,
         });
     });
 }

package/dist/pwa/routes/orders-create.js

@@ -1,6 +1,7 @@
+import { buildCartMandate, buildPaymentMandate, signMandate } from './ap2-mandate.js';
 export function registerOrdersCreateRoutes(app, deps) {
-    const { db, auth, isTrustedRole, generateId, generateRecipientCode, DONATION_VALID_PCTS, INTERNAL_AUDITOR_ID, addHours, getActiveFlashSale, applyCouponToOrder, getProtocolParam, getProductShareChain, isAllowedSponsor, checkStockAndMaybeDelist, auditSponsorChainCross, appendOrderEvent, transition, notifyTransition, shouldAutoAccept, ensureCharityRep, broadcastSystemEvent } = deps;
-    app.post('/api/orders', (req, res) => {
+    const { db, auth, isTrustedRole, generateId, generateRecipientCode, DONATION_VALID_PCTS, INTERNAL_AUDITOR_ID, addHours, getActiveFlashSale, applyCouponToOrder, getProtocolParam, getProductShareChain, isAllowedSponsor, checkStockAndMaybeDelist, auditSponsorChainCross, appendOrderEvent, transition, notifyTransition, shouldAutoAccept, ensureCharityRep, broadcastSystemEvent, signPassport, issuerAddress } = deps;
+    app.post('/api/orders', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
@@ -334,6 +335,48 @@ export function registerOrdersCreateRoutes(app, deps) {
             broadcastSystemEvent('order_created', '📦', `订单创建 ${orderId} · ${totalAmount} WAZ`, orderId);
         }
         catch { }
-        res.json({ success: true, order_id: orderId, total_amount: totalAmount, auto_accepted: autoAccepted || undefined });
+        // AP2 (B.4 b) — Cart + Payment Mandate 双输出;签名失败不阻断主流程
+        let ap2_cart_mandate = null;
+        let ap2_payment_mandate = null;
+        try {
+            const productName = typeof product.title === 'string' ? product.title : String(product.id);
+            const cartOut = buildCartMandate({
+                issuerDid: 'did:web:webaz.xyz',
+                issuerAddress: issuerAddress(),
+                principal: { role: 'user', id: user.id },
+                orderId,
+                items: [{ sku: String(product.id), name: productName, quantity: reqQty, unit_price: basePrice, line_total: subtotal }],
+                subtotal,
+                fees: {
+                    ...(couponDiscount > 0 ? { coupon_discount: -couponDiscount } : {}),
+                    ...(insurancePremium > 0 ? { insurance: insurancePremium } : {}),
+                    ...(donationAmount > 0 ? { donation: donationAmount } : {}),
+                },
+                total: totalAmount,
+                currency: 'WAZ',
+            });
+            ap2_cart_mandate = await signMandate(cartOut, signPassport);
+            const payOut = buildPaymentMandate({
+                issuerDid: 'did:web:webaz.xyz',
+                issuerAddress: issuerAddress(),
+                payer: { role: 'user', id: user.id },
+                payee: { role: 'merchant', id: String(product.seller_uid) },
+                amount: totalAmount,
+                currency: 'WAZ',
+                paymentMethod: 'webaz_escrow',
+                orderId,
+                escrowReleaseCondition: 'buyer_confirms_receipt_or_auto_after_window',
+            });
+            ap2_payment_mandate = await signMandate(payOut, signPassport);
+        }
+        catch { /* AP2 mandate 失败仅影响 AP2-aware agent,主流程已成功 */ }
+        res.json({
+            success: true,
+            order_id: orderId,
+            total_amount: totalAmount,
+            auto_accepted: autoAccepted || undefined,
+            ap2_cart_mandate,
+            ap2_payment_mandate,
+        });
     });
 }

package/dist/pwa/routes/public-utils.js

@@ -53,7 +53,13 @@ export function registerPublicUtilsRoutes(app, deps) {
     app.get('/api/system-flags', (_req, res) => {
         const requireRef = db.prepare("SELECT value FROM system_state WHERE key='require_ref_to_register'").get()?.value === '1';
         const inviteRotation = db.prepare("SELECT value FROM system_state WHERE key='invite_rotation_enabled'").get()?.value === '1';
-        res.json({ require_ref_to_register: requireRef, invite_rotation_enabled: inviteRotation });
+        // #1049 Turnstile 公钥(若启用),前端注册表单 widget 用
+        const turnstileSiteKey = process.env.TURNSTILE_SITE_KEY || null;
+        res.json({
+            require_ref_to_register: requireRef,
+            invite_rotation_enabled: inviteRotation,
+            turnstile_site_key: turnstileSiteKey,
+        });
     });
     // #1045 + #1048 整合 — 公开诚实化 manifest
     //   /.well-known/webaz-protocol.json  — 标准 well-known URL,任何 HTTP 客户端可发现
@@ -83,6 +89,8 @@ export function registerPublicUtilsRoutes(app, deps) {
                 agent_passport: [
                     {
                         address: issuerAddress(),
+                        did_web: 'did:web:webaz.xyz', // W3C DID method,resolve at /.well-known/did.json
+                        did_legacy: 'did:webaz:' + issuerAddress(), // 原自定义形态,Phase 4 webaz_format 仍用
                         scheme: 'eip191',
                         purpose: 'Phase 4 Agent Passport signing (custodian_fingerprint + risk_score + engagement_depth + behavior_profile)',
                         active_since: issuerActiveSince,
@@ -91,6 +99,14 @@ export function registerPublicUtilsRoutes(app, deps) {
                     },
                 ],
             },
+            // 公开披露文档(#1050) — 协议层"钱怎么流"的源真理(协议外可读)
+            disclosures: {
+                economic_model: 'https://github.com/seasonsagents-art/webaz/blob/main/docs/ECONOMIC-MODEL.md',
+                mlm_compliance: 'https://github.com/seasonsagents-art/webaz/blob/main/docs/MLM-COMPLIANCE.md',
+                agent_governance: 'https://github.com/seasonsagents-art/webaz/blob/main/docs/AGENT-GOVERNANCE.md',
+                protocol_compatibility: 'https://github.com/seasonsagents-art/webaz/blob/main/docs/PROTOCOL-COMPATIBILITY-AUDIT-2026-05-30.md',
+                changelog: 'https://github.com/seasonsagents-art/webaz/blob/main/CHANGELOG.md',
+            },
             // 路线图 — 回应"知道还有哪些没做"的诚实化第三层。哲学:公开当前到达点 + 已知未做项,不承诺时间表。
             roadmap: {
                 philosophy: 'Disclose what is done + what is known-not-yet-done. We do not commit to deadlines (pre-launch). We DO commit to honest enumeration.',
@@ -99,11 +115,12 @@ export function registerPublicUtilsRoutes(app, deps) {
                     'Phase 3a-3d access control: registration rate-limit + invite-required + declared-scope reads/writes + non-Passkey writers must declare',
                     'Iron-Rule: arbitrate / vote / agent_revoke / delete_passkey / large withdraw all require live WebAuthn ceremony',
                     'Integrity disclosure: MCP descriptions + /.well-known + pre-launch banner + protocol-status endpoint',
+                    'Cross-user read daily cap — distinct other-user-id per day, Passkey humans capped too (#1043, 2026-05-30)',
+                    'AP2 Mandate dual-output — verify_price + place_order emit signed AP2 Intent/Cart/Payment Mandate alongside webaz format (B.4 b, 2026-05-30)',
+                    'Public economic model document — docs/ECONOMIC-MODEL.md (#1050, 2026-05-30)',
                 ],
                 known_next: [
-                    'Cross-user read daily cap (anti-aggregation; applies to Passkey humans too) — task #1043, awaits real usage to calibrate N',
                     'Registration captcha or email verification (anti-sybil last mile) — task #1049, pre-launch follow-up',
-                    'Public economic model document — task #1050, pre-launch follow-up',
                     'Phase 5 ZK privacy L2/L3 — long-term research; triggered when real cross-protocol consumers appear',
                 ],
                 deliberate_deferrals: [
@@ -123,6 +140,46 @@ export function registerPublicUtilsRoutes(app, deps) {
         res.setHeader('Cache-Control', 'public, max-age=300');
         res.json(buildProtocolManifest());
     });
+    // W3C DID Document(B.6 b DID 短期 mapping,2026-05-30):
+    //   did:web:webaz.xyz 通过 HTTPS 解析到这里(W3C did:web spec §3.2)
+    //   verificationMethod 用 EcdsaSecp256k1RecoveryMethod2020 + CAIP-10 blockchainAccountId
+    //   任何标准 DID resolver(Veramo / SpruceID / KILT / web5 ...)可 GET → 解出 issuer key → 验 Phase 4 凭证签名
+    app.get('/.well-known/did.json', (_req, res) => {
+        const addr = issuerAddress();
+        res.setHeader('Cache-Control', 'public, max-age=300');
+        res.json({
+            '@context': [
+                'https://www.w3.org/ns/did/v1',
+                'https://w3id.org/security/suites/secp256k1recovery-2020/v2',
+            ],
+            id: 'did:web:webaz.xyz',
+            verificationMethod: [
+                {
+                    id: 'did:web:webaz.xyz#key-1',
+                    type: 'EcdsaSecp256k1RecoveryMethod2020',
+                    controller: 'did:web:webaz.xyz',
+                    // CAIP-10:eip155 namespace + Base mainnet chain id (8453) + 同把 hot wallet 地址(Phase 4 同款)
+                    // 注:WAZ peg USDC,真链 Base/Base Sepolia,但 issuer key 是协议级,链中立,这里只标声明绑定到 Base 用于消费者发现
+                    blockchainAccountId: `eip155:8453:${addr}`,
+                },
+            ],
+            assertionMethod: ['did:web:webaz.xyz#key-1'],
+            authentication: ['did:web:webaz.xyz#key-1'],
+            // 自描述 — 让 resolver 知道这个 DID 用来签 webaz agent passport
+            service: [
+                {
+                    id: 'did:web:webaz.xyz#agent-passport-endpoint',
+                    type: 'WebAZAgentPassportEndpoint',
+                    serviceEndpoint: 'https://webaz.xyz/api/me/agents/:apiKeyPrefix/passport',
+                },
+                {
+                    id: 'did:web:webaz.xyz#protocol-manifest',
+                    type: 'WebAZProtocolManifest',
+                    serviceEndpoint: 'https://webaz.xyz/.well-known/webaz-protocol.json',
+                },
+            ],
+        });
+    });
     app.get('/api/editor-picks', (_req, res) => {
         const products = db.prepare(`
       SELECT ep.id, ep.target_id, ep.title, ep.note, ep.starts_at, ep.ends_at, ep.sort_order,

package/dist/pwa/server.js

@@ -4981,6 +4981,50 @@ function checkMassActionCap(apiKey, action, level) {
     }
     return { ok: true };
 }
+// #1043(补 A) 跨用户读日 cap — distinct other_user_id per day,真人也罩(只是 cap 更高,不再无限)
+// 触发面:只对路径里"显式带其他用户 ID"的端点计数 → /api/users/:id/* 类。
+//   · 防"枚举/扒数据"型读取(剽窃 / 内容农场 / 用户画像批量化)
+//   · 真人监护人(绑 Passkey) 也罩:audit "补 A" — 之前 Passkey 真人无任何 read cap,scraper 拿真人账号即绕过
+//   · 不打 /api/nearby /api/search(地理聚合 / 关键词查),那些已被 B1 read-scope 约束
+const CROSS_USER_READ_DAILY_CAP = {
+    passkey_human: 300, // 真人监护人 — 高但有上限(每天看 300 个不同用户已属异常使用)
+    legend: 200, // 高信誉 agent
+    quality: 100,
+    trusted: 60,
+    new: 30, // 新 agent — 30 个就该有声誉再说
+};
+const crossUserReadBuckets = new Map();
+function extractCrossUserTarget(path, currentUserId) {
+    // /api/users/:id 或 /api/users/:id/anything → :id;同 user 不算跨;sys_* 协议账号不算
+    // P1-4 修:允许 trailing path 缺失(/api/users/:user_id 是合法 endpoint,返回用户档案)
+    const m = path.match(/^\/api\/users\/([^/?#]+)(?:[/?#]|$)/);
+    if (!m)
+        return null;
+    const target = m[1];
+    if (!target || target === currentUserId)
+        return null;
+    if (target.startsWith('sys_'))
+        return null;
+    return target;
+}
+function checkCrossUserReadCap(userId, targetId, level) {
+    const today = todayKey();
+    let bucket = crossUserReadBuckets.get(userId);
+    if (!bucket || bucket.dayKey !== today) {
+        bucket = { dayKey: today, distinct: new Set(), overruns: 0 };
+        crossUserReadBuckets.set(userId, bucket);
+    }
+    // 已读过同一个 target 不再计数(distinct cap)
+    if (!bucket.distinct.has(targetId))
+        bucket.distinct.add(targetId);
+    const cap = CROSS_USER_READ_DAILY_CAP[level] ?? CROSS_USER_READ_DAILY_CAP.new;
+    const used = bucket.distinct.size;
+    if (used > cap) {
+        bucket.overruns++;
+        return { ok: false, cap, used };
+    }
+    return { ok: true, cap, used };
+}
 // 2026-05-23 P0 audit fix 2.2：endpoint → action 映射（用于 declared_scope enforcement）
 // 只对写操作 enforce；读操作不限制（任何 agent 都能读自己范围内的数据）
 function endpointToAction(method, path) {
@@ -5149,6 +5193,29 @@ app.use((req, res, next) => {
             error_code: 'AGENT_RISK_READ_THROTTLED', risk: riskInfo.risk,
         });
     }
+    // #1043(补 A) 跨用户读日 cap — 真人也罩;只对路径里显式带 other user id 的 GET 计数
+    // P0-2 优化:先 regex 快判 path 命中(零开销),命中才查 owner.id + level — 避免每 GET 跑 SQLite
+    // P1-4 修:正则允许 /api/users/:id 无 trailing slash(GET /api/users/:user_id 是返回用户档案的合法端点)
+    if (req.method === 'GET' && /^\/api\/users\/[^/?#]+/.test(req.path)) {
+        const owner = db.prepare(`SELECT id FROM users WHERE api_key = ?`).get(apiKey);
+        if (owner) {
+            const target = extractCrossUserTarget(req.path, owner.id);
+            if (target) {
+                const lvl = riskInfo.hasPasskey
+                    ? 'passkey_human'
+                    : (db.prepare(`SELECT level FROM agent_reputation WHERE api_key = ?`).get(apiKey)?.level || 'new');
+                const cr = checkCrossUserReadCap(owner.id, target, lvl);
+                if (!cr.ok) {
+                    res.setHeader('Retry-After', '600');
+                    return void res.status(429).json({
+                        error: `今日跨用户读已达上限 ${cr.cap}(${lvl})。改天再来,或为该 agent 收窄 declared_scope`,
+                        error_code: 'CROSS_USER_READ_DAILY_CAP',
+                        cap: cr.cap, used: cr.used, level: lvl,
+                    });
+                }
+            }
+        }
+    }
     // 分档 rate limit
     const repRow = db.prepare(`SELECT level FROM agent_reputation WHERE api_key = ?`).get(apiKey);
     const level = repRow?.level || 'new';
@@ -7187,6 +7254,8 @@ registerOrdersCreateRoutes(app, {
     getProductShareChain, isAllowedSponsor, checkStockAndMaybeDelist, auditSponsorChainCross,
     appendOrderEvent, transition, notifyTransition, shouldAutoAccept, ensureCharityRep,
     broadcastSystemEvent,
+    signPassport: (message) => privateKeyToAccount(derivePrivKey('platform-hot-wallet')).signMessage({ message }),
+    issuerAddress: () => privateKeyToAddress(derivePrivKey('platform-hot-wallet')),
 });
 // #1013 Phase 86: 5 disputes 读端点已迁出
 registerDisputesReadRoutes(app, {
@@ -8221,7 +8290,11 @@ registerAnchorsRoutes(app, { db, auth, rateLimitOk });
 registerExternalAnchorsRoutes(app, { db, auth });
 // GET /api/orders/:id/chain + GET /api/orders/:id — Phase 83 已迁出
 // #1013 Phase 109: checkout/tax-preview + verify-price 已迁出
-registerCheckoutHelpersRoutes(app, { db, auth, generateId, formatProductForAgent });
+registerCheckoutHelpersRoutes(app, {
+    db, auth, generateId, formatProductForAgent,
+    signPassport: (message) => privateKeyToAccount(derivePrivKey('platform-hot-wallet')).signMessage({ message }),
+    issuerAddress: () => privateKeyToAddress(derivePrivKey('platform-hot-wallet')),
+});
 // ─── M8 二手板块 ────────────────────────────────────────────
 // #1013 Phase 27: 6 endpoints + 4 SH_* sets + addHours 已迁出到 routes/secondhand.ts
 registerSecondhandRoutes(app, { db, generateId, auth, errorRes });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@seasonkoh/webaz",
-  "version": "0.1.9",
+  "version": "0.1.11",
   "description": "Agent-native decentralized commerce protocol. Humans and AI agents trade on the same protocol via MCP tools.",
   "main": "dist/mcp.js",
   "bin": {