glippy-mcp 0.1.0 → 0.3.0

package/src/geo-checker.js

@@ -9,6 +9,19 @@ import http from 'node:http';
 import https from 'node:https';
 import { URL } from 'node:url';
 import * as cheerio from 'cheerio';
+import { chromeFetch } from './chrome-fetcher.js';
+
+// Status codes that indicate the server is refusing or stalling a bot-shaped
+// request rather than serving real content. 202 (Amazon) and 400 (Douglas)
+// sit here because in practice those are only returned to non-browser UAs.
+const BOT_BLOCK_STATUS = new Set([202, 400, 401, 403, 407, 429, 503]);
+function looksBotBlocked(res) {
+  if (!res) return true;
+  if (res.statusCode == null) return true;
+  if (BOT_BLOCK_STATUS.has(res.statusCode)) return true;
+  if (res.statusCode >= 200 && res.statusCode < 300 && !res.body) return true;
+  return false;
+}
 
 // ---------------------------------------------------------------------------
 // Constants
@@ -750,8 +763,11 @@ function detectPageType($, schemaTypes, pathname) {
   if (['Article', 'NewsArticle', 'BlogPosting', 'TechArticle'].some((t) => schemaTypes.has(t))) return 'article';
   if (['LocalBusiness', 'Restaurant', 'Store'].some((t) => schemaTypes.has(t))) return 'local-business';
 
-  // Heuristic: homepage detection
-  if (pathname === '/' || pathname === '/index.html' || pathname === '/index.php' || pathname === '') return 'homepage';
+  // Heuristic: homepage detection (including language/locale-prefixed homepages like /en/, /de-DE/, /nl/)
+  // Strip a leading language or locale segment before checking so multilingual
+  // sites hosting their homepage at /en/ or /nl-NL/ are not treated as generic.
+  const normalizedPath = pathname.replace(/^\/[a-z]{2}(?:[-_][a-z]{2,3})?\/?$/i, '/');
+  if (normalizedPath === '/' || normalizedPath === '/index.html' || normalizedPath === '/index.php' || normalizedPath === '') return 'homepage';
 
   // Heuristic: FAQ page via DOM
   const faqIndicators = $('[class*="faq"], [id*="faq"], details, [class*="accordion"]');
@@ -1439,7 +1455,7 @@ function checkAccessibility($) {
   const unlabeledInputList = [];
   inputs.each((_, el) => {
     const id = $(el).attr('id');
-    const hasLabel = id && $(`label[for="${id}"]`).length > 0;
+    const hasLabel = id && $(`label[for="${id.replace(/(["\\])/g, '\\$1')}"]`).length > 0;
     const hasAriaLabel = $(el).attr('aria-label') || $(el).attr('aria-labelledby');
     const wrappedInLabel = $(el).closest('label').length > 0;
     const hasPlaceholder = $(el).attr('placeholder');
@@ -1885,6 +1901,63 @@ function checkMachineReadability($, robotsTxtData, llmsTxtData, responseHeaders)
   return { checks, score: maxScore > 0 ? Math.round((score / maxScore) * 100) : 0, category: 'Machine Readability' };
 }
 
+// ---------------------------------------------------------------------------
+// Trust signal evidence extractor
+// ---------------------------------------------------------------------------
+
+/**
+ * Extract raw nav/header/footer links plus language signals. Hardcoded pattern
+ * lists cannot keep up with ~100 languages and typos; instead we surface the
+ * raw anchor text + href so the calling LLM (or downstream consumer) can
+ * classify trust signals (about / contact / legal / imprint / cookies)
+ * semantically in whatever language the site uses.
+ *
+ * @param {cheerio.CheerioAPI} $
+ * @returns {{
+ *   htmlLang: string|null,
+ *   hreflangs: string[],
+ *   navLinks: Array<{href: string, text: string, rel: string|null}>,
+ *   footerLinks: Array<{href: string, text: string, rel: string|null}>,
+ * }}
+ */
+function extractTrustSignals($) {
+  const PER_LOCATION_LIMIT = 80;
+  const MAX_TEXT_LEN = 120;
+
+  function collect(selector) {
+    const out = [];
+    const seen = new Set();
+    $(selector).find('a[href]').each((_, el) => {
+      if (out.length >= PER_LOCATION_LIMIT) return false;
+      const $el = $(el);
+      const href = ($el.attr('href') || '').trim();
+      if (!href || href.startsWith('#') || href.toLowerCase().startsWith('javascript:')) return;
+      const text = $el.text().trim().replace(/\s+/g, ' ').slice(0, MAX_TEXT_LEN);
+      const key = `${href}|${text}`;
+      if (seen.has(key)) return;
+      seen.add(key);
+      out.push({ href, text, rel: $el.attr('rel') || null });
+    });
+    return out;
+  }
+
+  const navLinks = collect('header, nav, [role="navigation"], [class*="menu" i], [class*="navigation" i], [id*="menu" i], [id*="nav" i]');
+  const footerLinks = collect('footer, [role="contentinfo"], [class*="footer" i], [id*="footer" i]');
+
+  const hreflangs = [];
+  $('link[rel="alternate"][hreflang]').each((_, el) => {
+    const hl = $(el).attr('hreflang');
+    if (hl) hreflangs.push(hl);
+  });
+
+  return {
+    htmlLang: $('html').attr('lang') || null,
+    hreflangs,
+    navLinks,
+    footerLinks,
+  };
+}
+
 // ---------------------------------------------------------------------------
 // CHECK CATEGORY 7: Entity & Authority
 // ---------------------------------------------------------------------------
@@ -2464,20 +2537,133 @@ function checkEntity($, jsonLdData) {
     checks.push({ status: 'info', label: 'No About/Contact page links detected', detail: 'Link to organizational info for E-E-A-T' });
   }
 
-  // Privacy / Terms links (trust signals)
-  const privacyPatterns = ['privacy', 'datenschutz', 'privacidad', 'privacidade', 'confidentialite', 'riservatezza', 'privacybeleid', 'integritet', 'gizlilik'];
-  const termsPatterns = ['terms', 'voorwaarden', 'agb', 'condiciones', 'termos', 'conditions-generales', 'condizioni', 'villkor', 'regulamin', 'kosullar'];
-  const privacySelector = privacyPatterns.map((p) => `a[href*="${p}"]`).join(', ');
-  const termsSelector = termsPatterns.map((p) => `a[href*="${p}"]`).join(', ');
-  const privacyLink = $(privacySelector);
-  const termsLink = $(termsSelector);
+  // Privacy / Terms / Imprint / Cookies links (trust signals, multi-language)
+  // Hardcoded patterns are a fallback heuristic; the extractTrustSignals
+  // evidence payload on the analysis result lets LLM callers reclassify
+  // semantically in any language.
+  const privacyPatterns = [
+    // English
+    'privacy', 'privacy-policy',
+    // Latin-alphabet European languages
+    'datenschutz', 'privatsphaere', 'privatsphare',
+    'privacidad', 'politica-de-privacidad',
+    'privacidade', 'politica-de-privacidade',
+    'confidentialite', 'politique-de-confidentialite', 'vie-privee',
+    'riservatezza', 'privacy-italia',
+    'privacybeleid', 'privacyverklaring',
+    'integritet', 'integritetspolicy',
+    'personvern',
+    'tietosuoja', 'yksityisyys',
+    'persondata', 'fortrolighed',
+    'adatvedelem',
+    'prywatnosc', 'polityka-prywatnosci',
+    'soukromi', 'ochrana-osobnich-udaju',
+    'ochrana-osobnych-udajov',
+    'confidentialitate',
+    'poverljivost', 'privatnost',
+    'zasebnost',
+    'privatesia', 'privatnost-hr',
+    'konfidentsialnost', 'privatnost-ba',
+    'gizlilik',
+    'privatumas', 'privatuma',
+    'yasslilik',
+    // Romanized non-Latin
+    'konfidentsialnost', 'konfidentsialnost-ua', 'konfidentsialnist',
+    'idiotikotita', 'aporrito', 'prostasia-dedomenon',
+    'puraibashi', 'puraibasi-porisi',
+    'geinsajeongbobo', 'gaeinjeongbo',
+    'yinsi', 'yinsi-zhengce',
+    'khasusiyat', 'khososi',
+    'harimiyat',
+    'niji-gopaniyata', 'gopaniyata',
+    'gopniyata',
+    'kerahasiaan', 'privasi',
+    'quyen-rieng-tu', 'bao-mat',
+    'khwam-pen-suanto', 'nayobai-khwampensuntu',
+  ];
+  const termsPatterns = [
+    // English
+    'terms', 'terms-of-service', 'terms-of-use', 'terms-conditions', 'tos',
+    // Latin-alphabet European languages
+    'agb', 'nutzungsbedingungen', 'geschaeftsbedingungen',
+    'condiciones', 'terminos', 'terminos-y-condiciones', 'condiciones-de-uso',
+    'termos', 'termos-de-uso', 'termos-de-servico',
+    'conditions-generales', 'cgu', 'cgv', 'mentions-contrat',
+    'condizioni', 'termini', 'termini-e-condizioni',
+    'voorwaarden', 'algemene-voorwaarden', 'gebruiksvoorwaarden',
+    'villkor', 'anvandarvillkor', 'allmanna-villkor',
+    'brukervilkar', 'vilkar',
+    'kayttoehdot', 'ehdot',
+    'betingelser', 'vilkaar', 'handelsbetingelser',
+    'szerzodesi-feltetelek', 'felhasznalasi-feltetelek',
+    'regulamin', 'warunki',
+    'podminky', 'vseobecne-obchodni-podminky', 'obchodni-podminky',
+    'obchodne-podmienky',
+    'termeni-si-conditii', 'termeni',
+    'uslovi', 'uvjeti', 'pogoji',
+    'kosullar', 'kullanim-kosullari',
+    'salygos', 'naudojimo-salygos',
+    'noteikumi',
+    'kasutustingimused',
+    // Romanized non-Latin
+    'usloviya', 'usloviya-ispolzovaniya', 'pravila',
+    'umovy', 'pravyla',
+    'oroi', 'oroi-xrisis',
+    'riyoukiyaku', 'riyou-kiyaku', 'kiyaku',
+    'iyong-yakgwan', 'yakgwan',
+    'tiaokuan', 'fuwu-tiaokuan', 'shiyong-tiaokuan',
+    'shuruth', 'shuroot-alistikhdam',
+    'sharayit-estefadeh', 'sharayet',
+    'niyam-shartein', 'shartein',
+    'sharth-o',
+    'ketentuan', 'syarat-ketentuan',
+    'dieu-khoan', 'dieu-khoan-su-dung',
+    'khoapkamnot', 'ngeuankhai-kan-chai',
+  ];
+  const imprintPatterns = [
+    // Legally required in DE/AT/CH, common across DACH + EU
+    'impressum', 'imprint', 'mentions-legales', 'aviso-legal',
+    'note-legali', 'colofon', 'colophon', 'wettelijke-vermelding',
+    'juridisk-information', 'oikeudellinen-huomautus',
+    'aviso-legal-pt', 'noticia-legal',
+    'pravni-udaje', 'pravne-informacie',
+    'yasal-bildirim', 'yasal-uyari',
+    'informacje-prawne',
+    'hukuki-bilgiler',
+    'impresum',
+  ];
+  const cookiePatterns = [
+    'cookie', 'cookies', 'cookiebeleid', 'cookie-policy',
+    'politique-cookies', 'politica-cookies', 'politica-de-cookies',
+    'cookierichtlinie', 'cookie-einstellungen',
+    'kekse', 'cookie-instellingen',
+    'soubory-cookie', 'sukromie-cookie',
+    'cerezler', 'gizlilik-cerezler',
+    'pliki-cookie',
+    'fichiers-cookie',
+    'kukit',
+  ];
+  const buildSelector = (patterns) => patterns.map((p) => `a[href*="${p}" i]`).join(', ');
+  const privacyLink = $(buildSelector(privacyPatterns));
+  const termsLink = $(buildSelector(termsPatterns));
+  const imprintLink = $(buildSelector(imprintPatterns));
+  const cookieLink = $(buildSelector(cookiePatterns));
 
   maxScore += 5;
-  if (privacyLink.length > 0 || termsLink.length > 0) {
+  const legalSignals = [];
+  if (privacyLink.length > 0) legalSignals.push('privacy');
+  if (termsLink.length > 0) legalSignals.push('terms');
+  if (imprintLink.length > 0) legalSignals.push('imprint');
+  if (cookieLink.length > 0) legalSignals.push('cookies');
+
+  if (legalSignals.length >= 2) {
     score += 5;
-    checks.push({ status: 'pass', label: 'Legal pages linked', detail: `Privacy: ${privacyLink.length > 0 ? 'yes' : 'no'}, Terms: ${termsLink.length > 0 ? 'yes' : 'no'}` });
+    checks.push({ status: 'pass', label: `Legal pages linked (${legalSignals.length})`, detail: `Detected: ${legalSignals.join(', ')}` });
+  } else if (legalSignals.length === 1) {
+    score += 3;
+    checks.push({ status: 'warn', label: `Only one legal page linked (${legalSignals[0]})`, detail: 'Add the others (privacy, terms, imprint, cookies) for full trust signals. Heuristic may miss non-Latin scripts — check evidence payload.' });
   } else {
-    checks.push({ status: 'info', label: 'No privacy/terms links detected', detail: null });
+    checks.push({ status: 'info', label: 'No legal page links detected by heuristic', detail: 'If the site is non-English, verify via the footerLinks evidence payload before treating as missing.' });
   }
 
   // E-E-A-T Experience Signals (10 pts)
@@ -2539,7 +2725,7 @@ function checkEntity($, jsonLdData) {
   const hasPhone = /(\+?\d{1,3}[-.\s]?)?\(?\d{2,4}\)?[-.\s]?\d{3,4}[-.\s]?\d{3,4}/.test(bodyText);
   const hasEmail = /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z]{2,}\b/i.test(bodyText);
   const hasAddress = $('[itemprop="address"], [class*="address"], address').length > 0;
-  const hasContactPage = $('a[href*="contact"]').length > 0;
+  const hasContactPage = contactLink.length > 0;
   const contactSignals = (hasPhone ? 1 : 0) + (hasEmail ? 1 : 0) + (hasAddress ? 1 : 0) + (hasContactPage ? 1 : 0);
   maxScore += 5;
   if (contactSignals >= 3) {
@@ -2820,6 +3006,10 @@ function checkPerformance($) {
 // CHECK CATEGORY 10: Agent Interactivity (WebMCP + UCP)
 // ---------------------------------------------------------------------------
 
+// LATEST_UCP_VERSION: gating threshold for 2026-04-08 spec additions
+// (signing_keys, order webhook_url, etc. become required at this version).
+const LATEST_UCP_VERSION = '2026-04-08';
+
 function checkWebMCP($, pageType, ucpData) {
   const checks = [];
   let score = 0;
@@ -2985,7 +3175,7 @@ function checkWebMCP($, pageType, ucpData) {
         const name = input.attr('name');
         const type = input.attr('type');
         const id = input.attr('id');
-        const label = id ? $(`label[for="${id}"]`).length > 0 : false;
+        const label = id ? $(`label[for="${id.replace(/(["\\])/g, '\\$1')}"]`).length > 0 : false;
         const ariaLabel = input.attr('aria-label');
         const placeholder = input.attr('placeholder');
 
@@ -3164,6 +3354,40 @@ function checkWebMCP($, pageType, ucpData) {
       const capabilities = capsArray; // Already normalized above
       const transportKeys = ['rest', 'mcp', 'a2a', 'embedded'];
 
+      // UCP CHECK 2.5: Cache Headers (only when caller passed response headers)
+      const ucpHeaders = ucpData && ucpData.headers ? ucpData.headers : null;
+      if (ucpHeaders) {
+        const headerLookup = (n) => {
+          const lower = n.toLowerCase();
+          for (const k of Object.keys(ucpHeaders)) {
+            if (k.toLowerCase() === lower) return String(ucpHeaders[k] || '');
+          }
+          return '';
+        };
+        const ct = headerLookup('content-type').toLowerCase();
+        const cc = headerLookup('cache-control').toLowerCase();
+        const ctOk = ct.startsWith('application/json');
+        const ccTokens = cc.split(',').map(s => s.trim());
+        const hasPublic = ccTokens.includes('public');
+        const hasBadDirective = ccTokens.some(t => t === 'private' || t === 'no-store' || t === 'no-cache');
+        const maxAgeMatch = cc.match(/max-age=(\d+)/);
+        const maxAge = maxAgeMatch ? parseInt(maxAgeMatch[1], 10) : -1;
+        const ccOk = hasPublic && !hasBadDirective && maxAge >= 60;
+        maxScore += 5;
+        if (ctOk && ccOk) {
+          score += 5;
+          checks.push({ status: 'pass', label: 'UCP profile cache headers OK', detail: `Content-Type application/json with Cache-Control: public, max-age=${maxAge}` });
+        } else {
+          score += 2;
+          const issues = [];
+          if (!ctOk) issues.push(`content-type "${ct || 'missing'}" (expected application/json)`);
+          if (!hasPublic) issues.push('cache-control missing "public"');
+          if (hasBadDirective) issues.push('cache-control contains private/no-store/no-cache');
+          if (maxAge < 60) issues.push(`max-age=${maxAge >= 0 ? maxAge : 'missing'} (expected >=60)`);
+          checks.push({ status: 'warn', label: 'UCP profile cache headers need attention', detail: issues.slice(0, 3).join('; '), found: issues });
+        }
+      }
+
       // UCP CHECK 2: Profile Completeness
       let completenessIssues = [];
       if (!versionDatePattern.test(version)) completenessIssues.push('version not date-formatted (expected YYYY-MM-DD)');
@@ -3193,25 +3417,94 @@ function checkWebMCP($, pageType, ucpData) {
         checks.push({ status: 'warn', label: `UCP profile has ${completenessIssues.length} issue(s)`, detail: completenessIssues.slice(0, 3).join('; '), found: completenessIssues.slice(0, 5) });
       }
 
-      // UCP CHECK 3: Capability Coverage
+      // UCP CHECK 3: Capability Coverage (synced with extension processUCPProfile)
       const capNames = capabilities.map(c => c.name || '');
       const coreCapabilities = {
         'dev.ucp.shopping.checkout': 'Checkout',
         'dev.ucp.shopping.identity_linking': 'Identity Linking',
         'dev.ucp.shopping.order': 'Order Management',
+        'dev.ucp.shopping.cart': 'Cart',
       };
+      // Catalog has sub-capabilities; credit if any match the catalog prefix.
+      const hasCatalog = capNames.some(n => n.startsWith('dev.ucp.shopping.catalog'));
       const presentCore = Object.keys(coreCapabilities).filter(c => capNames.includes(c));
-      const missingCore = Object.entries(coreCapabilities).filter(([k]) => !capNames.includes(k)).map(([, v]) => v);
+      if (hasCatalog) presentCore.push('dev.ucp.shopping.catalog');
+      const missingEntries = Object.entries(coreCapabilities).filter(([k]) => !capNames.includes(k));
+      if (!hasCatalog) missingEntries.push(['dev.ucp.shopping.catalog', 'Catalog']);
+      const missingCore = missingEntries.map(([, v]) => v);
+      const totalCore = Object.keys(coreCapabilities).length + 1; // +1 for Catalog
 
       maxScore += 10;
-      if (presentCore.length === 3) {
+      if (presentCore.length === totalCore) {
         score += 10;
-        checks.push({ status: 'pass', label: 'All 3 core UCP capabilities declared', detail: 'Checkout, Identity Linking, and Order Management' });
+        checks.push({ status: 'pass', label: `All ${totalCore} core UCP capabilities declared`, detail: 'Checkout, Identity Linking, Order Management, Cart, and Catalog' });
       } else if (presentCore.length > 0) {
         score += 5;
-        checks.push({ status: 'warn', label: `${presentCore.length}/3 core UCP capabilities declared`, detail: `Missing: ${missingCore.join(', ')}`, found: presentCore });
+        checks.push({ status: 'warn', label: `${presentCore.length}/${totalCore} core UCP capabilities declared`, detail: `Missing: ${missingCore.join(', ')}`, found: presentCore });
       } else {
-        checks.push({ status: 'info', label: 'No core UCP capabilities declared', detail: 'Consider adding checkout, identity_linking, and order capabilities' });
+        checks.push({ status: 'info', label: 'No core UCP capabilities declared', detail: 'Consider adding checkout, identity_linking, order, cart, and catalog capabilities' });
+      }
+
+      // 2026-04-08 spec gating: declared version >= 2026-04-08?
+      const isV2 = versionDatePattern.test(version) && version >= LATEST_UCP_VERSION;
+
+      // UCP CHECK 3.5: Signing Keys (RFC 9421 ES256, mandatory in 2026-04-08)
+      const signingKeys = Array.isArray(profile.signing_keys) ? profile.signing_keys : null;
+      if (signingKeys && signingKeys.length > 0) {
+        const malformed = signingKeys.filter(k => !k || !k.kid || k.kty !== 'EC' || k.crv !== 'P-256' || !k.x || !k.y);
+        maxScore += 10;
+        if (malformed.length === 0) {
+          score += 10;
+          checks.push({ status: 'pass', label: `${signingKeys.length} UCP signing key(s) declared`, detail: 'Profile advertises EC P-256 JWK(s) for RFC 9421 message signing' });
+        } else {
+          score += 3;
+          checks.push({ status: 'warn', label: `${malformed.length}/${signingKeys.length} UCP signing key(s) malformed`, detail: 'Each key must have kid, kty=EC, crv=P-256, x, y', found: malformed.map(k => k && k.kid ? k.kid : '<missing kid>').slice(0, 5) });
+        }
+      } else if (isV2) {
+        maxScore += 10;
+        score += 3;
+        checks.push({ status: 'warn', label: 'UCP signing keys missing', detail: 'UCP 2026-04-08 mandates RFC 9421 ES256 signatures; profile must publish signing_keys[]' });
+      } else {
+        checks.push({ status: 'info', label: 'UCP signing keys not declared', detail: 'UCP 2026-04-08 will require signing_keys[]; consider adding for forward compatibility' });
+      }
+
+      // UCP CHECK 3.6: Catalog Sub-Capability Coverage
+      const catalogCaps = capabilities.filter(c => (c.name || '').startsWith('dev.ucp.shopping.catalog'));
+      if (catalogCaps.length > 0) {
+        const subs = ['search', 'lookup', 'get_product'];
+        const presentSubs = subs.filter(s => catalogCaps.some(c => c.name === `dev.ucp.shopping.catalog.${s}` || c.name === 'dev.ucp.shopping.catalog'));
+        const missingSubs = subs.filter(s => !presentSubs.includes(s));
+        maxScore += 5;
+        if (missingSubs.length === 0) {
+          score += 5;
+          checks.push({ status: 'pass', label: 'Catalog capability fully declared', detail: 'search, lookup, and get_product sub-capabilities all present' });
+        } else {
+          score += 3;
+          checks.push({ status: 'warn', label: `Catalog declared with ${presentSubs.length}/${subs.length} sub-capabilities`, detail: `Missing: ${missingSubs.join(', ')}`, found: missingSubs });
+        }
+      } else if (capNames.includes('dev.ucp.shopping.cart')) {
+        checks.push({ status: 'info', label: 'Cart declared without Catalog', detail: 'Consider adding catalog.search / catalog.lookup so agents can discover products before adding to cart' });
+      }
+
+      // UCP CHECK 3.7: Order Webhook URL (required in 2026-04-08)
+      const orderCap = capabilities.find(c => c.name === 'dev.ucp.shopping.order');
+      if (orderCap) {
+        const webhookUrl = orderCap.config && orderCap.config.webhook_url;
+        if (webhookUrl && typeof webhookUrl === 'string' && webhookUrl.startsWith('https://')) {
+          maxScore += 5;
+          score += 5;
+          checks.push({ status: 'pass', label: 'Order webhook URL declared', detail: 'config.webhook_url is HTTPS, enabling real-time order updates' });
+        } else if (webhookUrl) {
+          maxScore += 5;
+          score += 2;
+          checks.push({ status: 'warn', label: 'Order webhook URL is not HTTPS', detail: 'config.webhook_url must use https://' });
+        } else if (isV2) {
+          maxScore += 5;
+          score += 2;
+          checks.push({ status: 'warn', label: 'Order webhook URL missing', detail: 'UCP 2026-04-08 requires config.webhook_url on the order capability for real-time updates' });
+        } else {
+          checks.push({ status: 'info', label: 'Order webhook URL not declared', detail: 'UCP 2026-04-08 will require config.webhook_url on order capabilities' });
+        }
       }
 
       // UCP CHECK 4: Extension Support
@@ -3238,6 +3531,20 @@ function checkWebMCP($, pageType, ucpData) {
         }
       }
 
+      // Cart-specific transport recommendation (2026-04-08 adds embedded binding).
+      if (capNames.includes('dev.ucp.shopping.cart')) {
+        const cartTransports = new Set(allTransports.map(t => t.transport));
+        const cartRecommended = cartTransports.has('embedded') || cartTransports.has('mcp');
+        maxScore += 3;
+        if (cartRecommended) {
+          score += 3;
+          checks.push({ status: 'pass', label: 'Cart capability has embedded or MCP transport', detail: 'UCP 2026-04-08 recommends embedded or MCP transport for cart capability' });
+        } else {
+          score += 1;
+          checks.push({ status: 'warn', label: 'Cart capability missing embedded/MCP transport', detail: 'UCP 2026-04-08 recommends adding an embedded transport binding for cart so agents can hand off to checkout' });
+        }
+      }
+
       if (allTransports.length > 1) {
         maxScore += 10;
         const httpsTransports = allTransports.filter(t => (t.endpoint || '').startsWith('https://') && (t.schema || '').startsWith('https://'));
@@ -3284,8 +3591,8 @@ function checkWebMCP($, pageType, ucpData) {
       // UCP CHECK 8: Page-Type-Specific Recommendations
       const commercePageTypes = ['product', 'ecommerce', 'saas', 'local-business'];
       const ucpRecommendations = {
-        'product': 'Should have checkout + fulfillment + discount capabilities',
-        'ecommerce': 'Should have checkout + fulfillment; consider identity linking for personalization',
+        'product': 'Should have checkout + cart + catalog + fulfillment capabilities',
+        'ecommerce': 'Should have checkout + cart + catalog; consider identity linking for personalization',
         'saas': 'Should have checkout for subscription/trial flows',
         'local-business': 'Consider checkout for booking/purchasing services',
         'homepage': 'UCP profile should be accessible at domain root /.well-known/ucp',
@@ -3294,6 +3601,51 @@ function checkWebMCP($, pageType, ucpData) {
       if (ucpRecommendations[pageType]) {
         checks.push({ status: 'pass', label: `UCP detected on ${pageType} page`, detail: ucpRecommendations[pageType] });
       }
+
+      // UCP CHECK 9: Disclosure / Eligibility / Signals / Delegation feature advertisement (info-only).
+      const advertisedFeatures = new Set();
+      for (const cap of capabilities) {
+        const feats = Array.isArray(cap.features) ? cap.features : [];
+        for (const f of feats) {
+          if (typeof f === 'string') advertisedFeatures.add(f);
+        }
+      }
+      const trackedFeatures = ['eligibility_claims', 'signals', 'disclosure_messages', 'link_delegation'];
+      const presentFeats = trackedFeatures.filter(f => advertisedFeatures.has(f));
+      if (presentFeats.length > 0) {
+        checks.push({ status: 'info', label: `${presentFeats.length} UCP feature(s) advertised`, detail: `Capabilities advertise: ${presentFeats.join(', ')}`, found: presentFeats });
+      } else {
+        checks.push({ status: 'info', label: 'No optional UCP features advertised', detail: 'eligibility_claims, signals, disclosure_messages, and link_delegation are optional but improve agent trust negotiation' });
+      }
+
+      // UCP CHECK 10: Spec Version Currency (info-only).
+      if (versionDatePattern.test(version)) {
+        if (version === LATEST_UCP_VERSION) {
+          checks.push({ status: 'info', label: 'UCP version is current', detail: `Profile declares the latest known UCP version (${version})` });
+        } else if (version < LATEST_UCP_VERSION) {
+          checks.push({ status: 'info', label: 'UCP version is older than latest', detail: `Profile declares ${version}; latest known is ${LATEST_UCP_VERSION}` });
+        } else {
+          checks.push({ status: 'info', label: 'UCP version newer than checker knows', detail: `Profile declares ${version}; this checker is calibrated against ${LATEST_UCP_VERSION}` });
+        }
+      }
+
+      // UCP CHECK 11: A2A agent-card.json (only when profile advertises an a2a transport)
+      const agentCard = ucpData && ucpData.agentCard;
+      if (agentCard) {
+        if (agentCard.exists && agentCard.valid) {
+          maxScore += 3;
+          score += 3;
+          checks.push({ status: 'pass', label: 'A2A agent card found', detail: '/.well-known/agent-card.json is reachable and parses as JSON' });
+        } else if (agentCard.exists && !agentCard.valid) {
+          maxScore += 3;
+          checks.push({ status: 'warn', label: 'A2A agent card not valid JSON', detail: '/.well-known/agent-card.json was reachable but did not parse as JSON' });
+        } else if (agentCard.missing) {
+          maxScore += 3;
+          checks.push({ status: 'warn', label: 'A2A agent card not found', detail: 'Profile advertises an a2a transport but /.well-known/agent-card.json returns 404' });
+        } else {
+          checks.push({ status: 'info', label: 'A2A agent card unreachable', detail: agentCard.statusCode ? `HTTP ${agentCard.statusCode}` : 'fetch error' });
+        }
+      }
     }
   } else {
     // No UCP profile found — informational only, no penalty
@@ -3301,10 +3653,15 @@ function checkWebMCP($, pageType, ucpData) {
     if (commercePageTypes.includes(pageType)) {
       checks.push({ status: 'info', label: 'No UCP discovery file found', detail: 'UCP enables AI agents to discover commerce capabilities via /.well-known/ucp' });
     } else {
-      checks.push({ status: 'info', label: 'No UCP discovery file found', detail: 'UCP enables AI agents to discover commerce capabilities — most relevant for commerce pages' });
+      checks.push({ status: 'info', label: 'No UCP discovery file found', detail: 'UCP enables AI agents to discover commerce capabilities - most relevant for commerce pages' });
     }
   }
 
+  // Shopify dual-surface info shortcut (fires whether or not UCP profile exists).
+  if (ucpData && ucpData.shopifyHosted) {
+    checks.push({ status: 'info', label: 'Shopify-hosted: dual UCP surface expected', detail: 'Per-shop endpoint at /api/ucp/mcp; global catalog at https://discover.shopifyapps.com/global/mcp' });
+  }
+
   return { checks, score: maxScore > 0 ? Math.round((score / maxScore) * 100) : 0, category: 'Agent Interactivity' };
 }
 
@@ -4243,6 +4600,16 @@ function analyseHTML(html, domain, robotsTxtData, llmsTxtData, responseHeaders,
     headings: { h1: [], h2: [] },
     lang: null,
     hasStructuredData: false,
+    // Raw evidence for language-agnostic trust signal classification.
+    // Populated by extractTrustSignals; consumers running inside an LLM can
+    // reclassify legal / about / contact / imprint / cookies semantically
+    // instead of relying on the heuristic pattern lists.
+    evidence: {
+      htmlLang: null,
+      hreflangs: [],
+      navLinks: [],
+      footerLinks: [],
+    },
   };
 
   if (!html) return result;
@@ -4265,6 +4632,9 @@ function analyseHTML(html, domain, robotsTxtData, llmsTxtData, responseHeaders,
   const pageType = detectPageType($, schemaTypes, pathname);
   result.pageType = pageType;
 
+  // Extract language-agnostic trust signal evidence
+  result.evidence = extractTrustSignals($);
+
   // Populate basic metadata fields (backward-compatible with old analyseHTML)
   result.title = $('title').first().text().trim() || null;
   result.lang = $('html').attr('lang') || null;
@@ -4391,6 +4761,7 @@ function analyseHTML(html, domain, robotsTxtData, llmsTxtData, responseHeaders,
 async function checkGEO(domain, options = {}) {
   const maxPages = options.maxPages ?? MAX_PAGES_PER_DOMAIN;
   const skipCache = options.skipCache ?? false;
+  const renderMode = options.renderMode ?? 'auto'; // 'static' | 'chrome' | 'auto'
 
   // Check cache first (unless explicitly skipped)
   if (!skipCache) {
@@ -4500,7 +4871,9 @@ async function checkGEO(domain, options = {}) {
     [robotsRes, llmsRes, homepageRes, sitemapRes, ucpRes] = await Promise.all([
       throttledFetchUrl(robotsUrl, FETCH_TIMEOUT_MS, MAX_TEXT_BODY_SIZE).catch(() => ({ body: null, statusCode: null, headers: {} })),
       throttledFetchUrl(llmsUrl, FETCH_TIMEOUT_MS, MAX_TEXT_BODY_SIZE).catch(() => ({ body: null, statusCode: null, headers: {} })),
-      throttledFetchUrl(homepageUrl).catch(() => ({ body: null, statusCode: null, headers: {} })),
+      renderMode === 'chrome'
+        ? chromeFetch(homepageUrl).catch(() => ({ body: null, statusCode: null, headers: {} }))
+        : throttledFetchUrl(homepageUrl).catch(() => ({ body: null, statusCode: null, headers: {} })),
       throttledFetchUrl(sitemapUrl, FETCH_TIMEOUT_MS, MAX_TEXT_BODY_SIZE).catch(() => ({ body: null, statusCode: null, headers: {} })),
       throttledFetchUrl(ucpUrl, FETCH_TIMEOUT_MS, MAX_TEXT_BODY_SIZE).catch(() => ({ body: null, statusCode: null, headers: {} })),
     ]);
@@ -4509,6 +4882,31 @@ async function checkGEO(domain, options = {}) {
     return output;
   }
 
+  // Auto fallback: if static fetch couldn't get the homepage (bot block,
+  // WAF, or network error), retry via headless Chrome. Record that we
+  // rendered via Chrome so downstream multi-page crawl uses it too.
+  let useChromeForCrawl = renderMode === 'chrome';
+  if (renderMode === 'auto' && looksBotBlocked(homepageRes)) {
+    const chromeRes = await chromeFetch(homepageUrl).catch(() => null);
+    const chromeOk =
+      chromeRes &&
+      typeof chromeRes.statusCode === 'number' &&
+      chromeRes.statusCode >= 200 &&
+      chromeRes.statusCode < 300 &&
+      chromeRes.body;
+    if (chromeOk) {
+      homepageRes = chromeRes;
+      useChromeForCrawl = true;
+      output.renderMode = 'chrome-fallback';
+    } else {
+      output.renderMode = chromeRes && chromeRes.statusCode
+        ? `chrome-blocked-${chromeRes.statusCode}`
+        : 'static-blocked';
+    }
+  } else {
+    output.renderMode = renderMode === 'chrome' ? 'chrome' : 'static';
+  }
+
   // --- robots.txt ---
   try {
     if (robotsRes.statusCode === 200 && robotsRes.body) {
@@ -4539,15 +4937,63 @@ async function checkGEO(domain, options = {}) {
       const profile = JSON.parse(ucpRes.body);
       output.ucpProfile.exists = true;
       output.ucpProfile.content = profile;
+      output.ucpProfile.headers = ucpRes.headers || {};
     }
   } catch (err) {
     output.ucpProfile.error = err.message;
   }
 
+  // --- /.well-known/agent-card.json (A2A discovery; only meaningful when profile advertises a2a) ---
+  try {
+    const services = output.ucpProfile.content && output.ucpProfile.content.ucp && output.ucpProfile.content.ucp.services;
+    const advertisesA2a = services && Object.values(services).some(svc => svc && typeof svc === 'object' && svc.a2a);
+    if (advertisesA2a) {
+      const cardUrl = `${baseUrl}/.well-known/agent-card.json`;
+      const cardRes = await throttledFetchUrl(cardUrl, FETCH_TIMEOUT_MS, MAX_TEXT_BODY_SIZE).catch(() => ({ body: null, statusCode: null }));
+      if (cardRes.statusCode === 200 && cardRes.body) {
+        try {
+          JSON.parse(cardRes.body);
+          output.ucpProfile.agentCard = { url: cardUrl, exists: true, valid: true };
+        } catch {
+          output.ucpProfile.agentCard = { url: cardUrl, exists: true, valid: false };
+        }
+      } else if (cardRes.statusCode === 404) {
+        output.ucpProfile.agentCard = { url: cardUrl, exists: false, missing: true };
+      } else {
+        output.ucpProfile.agentCard = { url: cardUrl, exists: false, statusCode: cardRes.statusCode };
+      }
+    }
+  } catch (err) {
+    output.ucpProfile.agentCard = { error: err.message };
+  }
+
+  // --- Shopify host detection (for dual-surface info shortcut in checks) ---
+  try {
+    const homepageHeaders = homepageRes && homepageRes.headers ? homepageRes.headers : {};
+    const headerLookup = (n) => {
+      const lower = n.toLowerCase();
+      for (const k of Object.keys(homepageHeaders)) {
+        if (k.toLowerCase() === lower) return String(homepageHeaders[k] || '');
+      }
+      return '';
+    };
+    const host = (cleanDomain || '').toLowerCase();
+    const isShopifyDomain = host.endsWith('.myshopify.com') || host === 'myshopify.com';
+    const isShopifyByHeader = !!(headerLookup('x-shopid') || headerLookup('x-shardid') || headerLookup('x-shopify-stage') || headerLookup('powered-by').toLowerCase().includes('shopify'));
+    output.ucpProfile.shopifyHosted = isShopifyDomain || isShopifyByHeader;
+  } catch (err) {
+    output.ucpProfile.shopifyHosted = false;
+  }
+
   // --- Homepage (full 16-category analysis) ---
   try {
     output.homepage.statusCode = homepageRes.statusCode;
-    if (homepageRes.statusCode === 200 && homepageRes.body) {
+    // Accept any 2xx that came back with a body. In practice Chrome often
+    // surfaces 202 (Amazon) or 206 responses that still carry the rendered
+    // document; analysing those is strictly better than dropping the score.
+    const homepageUsable = homepageRes.statusCode >= 200 &&
+      homepageRes.statusCode < 300 && !!homepageRes.body;
+    if (homepageUsable) {
       output.homepage.analysis = analyseHTML(
         homepageRes.body,
         cleanDomain,
@@ -4633,14 +5079,18 @@ async function checkGEO(domain, options = {}) {
       error: output.homepage.error,
     });
 
+    // Chrome fetches are serial (one tab at a time), static fetches run in batches.
+    const concurrency = useChromeForCrawl ? 1 : MAX_CONCURRENT_PAGE_FETCHES;
     // Fetch remaining pages in controlled batches
-    for (let i = 0; i < pagesToCrawl.length; i += MAX_CONCURRENT_PAGE_FETCHES) {
-      const batch = pagesToCrawl.slice(i, i + MAX_CONCURRENT_PAGE_FETCHES);
+    for (let i = 0; i < pagesToCrawl.length; i += concurrency) {
+      const batch = pagesToCrawl.slice(i, i + concurrency);
       const batchResults = await Promise.all(
         batch.map(async (pageUrl) => {
           try {
-            const res = await throttledFetchUrl(pageUrl, PAGE_CRAWL_TIMEOUT_MS);
-            if (res.statusCode === 200 && res.body) {
+            const res = useChromeForCrawl
+              ? await chromeFetch(pageUrl, PAGE_CRAWL_TIMEOUT_MS)
+              : await throttledFetchUrl(pageUrl, PAGE_CRAWL_TIMEOUT_MS);
+            if (res.statusCode >= 200 && res.statusCode < 300 && res.body) {
               // Determine pathname for page type detection
               let pathname = '/';
               try { pathname = new URL(pageUrl).pathname; } catch {}