glippy-mcp 0.2.0 → 0.3.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "glippy-mcp",
-  "version": "0.2.0",
+  "version": "0.3.0",
   "description": "MCP server for GEO (Generative Engine Optimization) analysis — check any domain's AI-readiness",
   "main": "src/index.js",
   "type": "module",

package/src/geo-checker.js

@@ -3006,6 +3006,10 @@ function checkPerformance($) {
 // CHECK CATEGORY 10: Agent Interactivity (WebMCP + UCP)
 // ---------------------------------------------------------------------------
 
+// LATEST_UCP_VERSION: gating threshold for 2026-04-08 spec additions
+// (signing_keys, order webhook_url, etc. become required at this version).
+const LATEST_UCP_VERSION = '2026-04-08';
+
 function checkWebMCP($, pageType, ucpData) {
   const checks = [];
   let score = 0;
@@ -3350,6 +3354,40 @@ function checkWebMCP($, pageType, ucpData) {
       const capabilities = capsArray; // Already normalized above
       const transportKeys = ['rest', 'mcp', 'a2a', 'embedded'];
 
+      // UCP CHECK 2.5: Cache Headers (only when caller passed response headers)
+      const ucpHeaders = ucpData && ucpData.headers ? ucpData.headers : null;
+      if (ucpHeaders) {
+        const headerLookup = (n) => {
+          const lower = n.toLowerCase();
+          for (const k of Object.keys(ucpHeaders)) {
+            if (k.toLowerCase() === lower) return String(ucpHeaders[k] || '');
+          }
+          return '';
+        };
+        const ct = headerLookup('content-type').toLowerCase();
+        const cc = headerLookup('cache-control').toLowerCase();
+        const ctOk = ct.startsWith('application/json');
+        const ccTokens = cc.split(',').map(s => s.trim());
+        const hasPublic = ccTokens.includes('public');
+        const hasBadDirective = ccTokens.some(t => t === 'private' || t === 'no-store' || t === 'no-cache');
+        const maxAgeMatch = cc.match(/max-age=(\d+)/);
+        const maxAge = maxAgeMatch ? parseInt(maxAgeMatch[1], 10) : -1;
+        const ccOk = hasPublic && !hasBadDirective && maxAge >= 60;
+        maxScore += 5;
+        if (ctOk && ccOk) {
+          score += 5;
+          checks.push({ status: 'pass', label: 'UCP profile cache headers OK', detail: `Content-Type application/json with Cache-Control: public, max-age=${maxAge}` });
+        } else {
+          score += 2;
+          const issues = [];
+          if (!ctOk) issues.push(`content-type "${ct || 'missing'}" (expected application/json)`);
+          if (!hasPublic) issues.push('cache-control missing "public"');
+          if (hasBadDirective) issues.push('cache-control contains private/no-store/no-cache');
+          if (maxAge < 60) issues.push(`max-age=${maxAge >= 0 ? maxAge : 'missing'} (expected >=60)`);
+          checks.push({ status: 'warn', label: 'UCP profile cache headers need attention', detail: issues.slice(0, 3).join('; '), found: issues });
+        }
+      }
+
       // UCP CHECK 2: Profile Completeness
       let completenessIssues = [];
       if (!versionDatePattern.test(version)) completenessIssues.push('version not date-formatted (expected YYYY-MM-DD)');
@@ -3379,25 +3417,94 @@ function checkWebMCP($, pageType, ucpData) {
         checks.push({ status: 'warn', label: `UCP profile has ${completenessIssues.length} issue(s)`, detail: completenessIssues.slice(0, 3).join('; '), found: completenessIssues.slice(0, 5) });
       }
 
-      // UCP CHECK 3: Capability Coverage
+      // UCP CHECK 3: Capability Coverage (synced with extension processUCPProfile)
       const capNames = capabilities.map(c => c.name || '');
       const coreCapabilities = {
         'dev.ucp.shopping.checkout': 'Checkout',
         'dev.ucp.shopping.identity_linking': 'Identity Linking',
         'dev.ucp.shopping.order': 'Order Management',
+        'dev.ucp.shopping.cart': 'Cart',
       };
+      // Catalog has sub-capabilities; credit if any match the catalog prefix.
+      const hasCatalog = capNames.some(n => n.startsWith('dev.ucp.shopping.catalog'));
       const presentCore = Object.keys(coreCapabilities).filter(c => capNames.includes(c));
-      const missingCore = Object.entries(coreCapabilities).filter(([k]) => !capNames.includes(k)).map(([, v]) => v);
+      if (hasCatalog) presentCore.push('dev.ucp.shopping.catalog');
+      const missingEntries = Object.entries(coreCapabilities).filter(([k]) => !capNames.includes(k));
+      if (!hasCatalog) missingEntries.push(['dev.ucp.shopping.catalog', 'Catalog']);
+      const missingCore = missingEntries.map(([, v]) => v);
+      const totalCore = Object.keys(coreCapabilities).length + 1; // +1 for Catalog
 
       maxScore += 10;
-      if (presentCore.length === 3) {
+      if (presentCore.length === totalCore) {
         score += 10;
-        checks.push({ status: 'pass', label: 'All 3 core UCP capabilities declared', detail: 'Checkout, Identity Linking, and Order Management' });
+        checks.push({ status: 'pass', label: `All ${totalCore} core UCP capabilities declared`, detail: 'Checkout, Identity Linking, Order Management, Cart, and Catalog' });
       } else if (presentCore.length > 0) {
         score += 5;
-        checks.push({ status: 'warn', label: `${presentCore.length}/3 core UCP capabilities declared`, detail: `Missing: ${missingCore.join(', ')}`, found: presentCore });
+        checks.push({ status: 'warn', label: `${presentCore.length}/${totalCore} core UCP capabilities declared`, detail: `Missing: ${missingCore.join(', ')}`, found: presentCore });
+      } else {
+        checks.push({ status: 'info', label: 'No core UCP capabilities declared', detail: 'Consider adding checkout, identity_linking, order, cart, and catalog capabilities' });
+      }
+
+      // 2026-04-08 spec gating: declared version >= 2026-04-08?
+      const isV2 = versionDatePattern.test(version) && version >= LATEST_UCP_VERSION;
+
+      // UCP CHECK 3.5: Signing Keys (RFC 9421 ES256, mandatory in 2026-04-08)
+      const signingKeys = Array.isArray(profile.signing_keys) ? profile.signing_keys : null;
+      if (signingKeys && signingKeys.length > 0) {
+        const malformed = signingKeys.filter(k => !k || !k.kid || k.kty !== 'EC' || k.crv !== 'P-256' || !k.x || !k.y);
+        maxScore += 10;
+        if (malformed.length === 0) {
+          score += 10;
+          checks.push({ status: 'pass', label: `${signingKeys.length} UCP signing key(s) declared`, detail: 'Profile advertises EC P-256 JWK(s) for RFC 9421 message signing' });
+        } else {
+          score += 3;
+          checks.push({ status: 'warn', label: `${malformed.length}/${signingKeys.length} UCP signing key(s) malformed`, detail: 'Each key must have kid, kty=EC, crv=P-256, x, y', found: malformed.map(k => k && k.kid ? k.kid : '<missing kid>').slice(0, 5) });
+        }
+      } else if (isV2) {
+        maxScore += 10;
+        score += 3;
+        checks.push({ status: 'warn', label: 'UCP signing keys missing', detail: 'UCP 2026-04-08 mandates RFC 9421 ES256 signatures; profile must publish signing_keys[]' });
       } else {
-        checks.push({ status: 'info', label: 'No core UCP capabilities declared', detail: 'Consider adding checkout, identity_linking, and order capabilities' });
+        checks.push({ status: 'info', label: 'UCP signing keys not declared', detail: 'UCP 2026-04-08 will require signing_keys[]; consider adding for forward compatibility' });
+      }
+
+      // UCP CHECK 3.6: Catalog Sub-Capability Coverage
+      const catalogCaps = capabilities.filter(c => (c.name || '').startsWith('dev.ucp.shopping.catalog'));
+      if (catalogCaps.length > 0) {
+        const subs = ['search', 'lookup', 'get_product'];
+        const presentSubs = subs.filter(s => catalogCaps.some(c => c.name === `dev.ucp.shopping.catalog.${s}` || c.name === 'dev.ucp.shopping.catalog'));
+        const missingSubs = subs.filter(s => !presentSubs.includes(s));
+        maxScore += 5;
+        if (missingSubs.length === 0) {
+          score += 5;
+          checks.push({ status: 'pass', label: 'Catalog capability fully declared', detail: 'search, lookup, and get_product sub-capabilities all present' });
+        } else {
+          score += 3;
+          checks.push({ status: 'warn', label: `Catalog declared with ${presentSubs.length}/${subs.length} sub-capabilities`, detail: `Missing: ${missingSubs.join(', ')}`, found: missingSubs });
+        }
+      } else if (capNames.includes('dev.ucp.shopping.cart')) {
+        checks.push({ status: 'info', label: 'Cart declared without Catalog', detail: 'Consider adding catalog.search / catalog.lookup so agents can discover products before adding to cart' });
+      }
+
+      // UCP CHECK 3.7: Order Webhook URL (required in 2026-04-08)
+      const orderCap = capabilities.find(c => c.name === 'dev.ucp.shopping.order');
+      if (orderCap) {
+        const webhookUrl = orderCap.config && orderCap.config.webhook_url;
+        if (webhookUrl && typeof webhookUrl === 'string' && webhookUrl.startsWith('https://')) {
+          maxScore += 5;
+          score += 5;
+          checks.push({ status: 'pass', label: 'Order webhook URL declared', detail: 'config.webhook_url is HTTPS, enabling real-time order updates' });
+        } else if (webhookUrl) {
+          maxScore += 5;
+          score += 2;
+          checks.push({ status: 'warn', label: 'Order webhook URL is not HTTPS', detail: 'config.webhook_url must use https://' });
+        } else if (isV2) {
+          maxScore += 5;
+          score += 2;
+          checks.push({ status: 'warn', label: 'Order webhook URL missing', detail: 'UCP 2026-04-08 requires config.webhook_url on the order capability for real-time updates' });
+        } else {
+          checks.push({ status: 'info', label: 'Order webhook URL not declared', detail: 'UCP 2026-04-08 will require config.webhook_url on order capabilities' });
+        }
       }
 
       // UCP CHECK 4: Extension Support
@@ -3424,6 +3531,20 @@ function checkWebMCP($, pageType, ucpData) {
         }
       }
 
+      // Cart-specific transport recommendation (2026-04-08 adds embedded binding).
+      if (capNames.includes('dev.ucp.shopping.cart')) {
+        const cartTransports = new Set(allTransports.map(t => t.transport));
+        const cartRecommended = cartTransports.has('embedded') || cartTransports.has('mcp');
+        maxScore += 3;
+        if (cartRecommended) {
+          score += 3;
+          checks.push({ status: 'pass', label: 'Cart capability has embedded or MCP transport', detail: 'UCP 2026-04-08 recommends embedded or MCP transport for cart capability' });
+        } else {
+          score += 1;
+          checks.push({ status: 'warn', label: 'Cart capability missing embedded/MCP transport', detail: 'UCP 2026-04-08 recommends adding an embedded transport binding for cart so agents can hand off to checkout' });
+        }
+      }
+
       if (allTransports.length > 1) {
         maxScore += 10;
         const httpsTransports = allTransports.filter(t => (t.endpoint || '').startsWith('https://') && (t.schema || '').startsWith('https://'));
@@ -3470,8 +3591,8 @@ function checkWebMCP($, pageType, ucpData) {
       // UCP CHECK 8: Page-Type-Specific Recommendations
       const commercePageTypes = ['product', 'ecommerce', 'saas', 'local-business'];
       const ucpRecommendations = {
-        'product': 'Should have checkout + fulfillment + discount capabilities',
-        'ecommerce': 'Should have checkout + fulfillment; consider identity linking for personalization',
+        'product': 'Should have checkout + cart + catalog + fulfillment capabilities',
+        'ecommerce': 'Should have checkout + cart + catalog; consider identity linking for personalization',
         'saas': 'Should have checkout for subscription/trial flows',
         'local-business': 'Consider checkout for booking/purchasing services',
         'homepage': 'UCP profile should be accessible at domain root /.well-known/ucp',
@@ -3480,6 +3601,51 @@ function checkWebMCP($, pageType, ucpData) {
       if (ucpRecommendations[pageType]) {
         checks.push({ status: 'pass', label: `UCP detected on ${pageType} page`, detail: ucpRecommendations[pageType] });
       }
+
+      // UCP CHECK 9: Disclosure / Eligibility / Signals / Delegation feature advertisement (info-only).
+      const advertisedFeatures = new Set();
+      for (const cap of capabilities) {
+        const feats = Array.isArray(cap.features) ? cap.features : [];
+        for (const f of feats) {
+          if (typeof f === 'string') advertisedFeatures.add(f);
+        }
+      }
+      const trackedFeatures = ['eligibility_claims', 'signals', 'disclosure_messages', 'link_delegation'];
+      const presentFeats = trackedFeatures.filter(f => advertisedFeatures.has(f));
+      if (presentFeats.length > 0) {
+        checks.push({ status: 'info', label: `${presentFeats.length} UCP feature(s) advertised`, detail: `Capabilities advertise: ${presentFeats.join(', ')}`, found: presentFeats });
+      } else {
+        checks.push({ status: 'info', label: 'No optional UCP features advertised', detail: 'eligibility_claims, signals, disclosure_messages, and link_delegation are optional but improve agent trust negotiation' });
+      }
+
+      // UCP CHECK 10: Spec Version Currency (info-only).
+      if (versionDatePattern.test(version)) {
+        if (version === LATEST_UCP_VERSION) {
+          checks.push({ status: 'info', label: 'UCP version is current', detail: `Profile declares the latest known UCP version (${version})` });
+        } else if (version < LATEST_UCP_VERSION) {
+          checks.push({ status: 'info', label: 'UCP version is older than latest', detail: `Profile declares ${version}; latest known is ${LATEST_UCP_VERSION}` });
+        } else {
+          checks.push({ status: 'info', label: 'UCP version newer than checker knows', detail: `Profile declares ${version}; this checker is calibrated against ${LATEST_UCP_VERSION}` });
+        }
+      }
+
+      // UCP CHECK 11: A2A agent-card.json (only when profile advertises an a2a transport)
+      const agentCard = ucpData && ucpData.agentCard;
+      if (agentCard) {
+        if (agentCard.exists && agentCard.valid) {
+          maxScore += 3;
+          score += 3;
+          checks.push({ status: 'pass', label: 'A2A agent card found', detail: '/.well-known/agent-card.json is reachable and parses as JSON' });
+        } else if (agentCard.exists && !agentCard.valid) {
+          maxScore += 3;
+          checks.push({ status: 'warn', label: 'A2A agent card not valid JSON', detail: '/.well-known/agent-card.json was reachable but did not parse as JSON' });
+        } else if (agentCard.missing) {
+          maxScore += 3;
+          checks.push({ status: 'warn', label: 'A2A agent card not found', detail: 'Profile advertises an a2a transport but /.well-known/agent-card.json returns 404' });
+        } else {
+          checks.push({ status: 'info', label: 'A2A agent card unreachable', detail: agentCard.statusCode ? `HTTP ${agentCard.statusCode}` : 'fetch error' });
+        }
+      }
     }
   } else {
     // No UCP profile found — informational only, no penalty
@@ -3487,10 +3653,15 @@ function checkWebMCP($, pageType, ucpData) {
     if (commercePageTypes.includes(pageType)) {
       checks.push({ status: 'info', label: 'No UCP discovery file found', detail: 'UCP enables AI agents to discover commerce capabilities via /.well-known/ucp' });
     } else {
-      checks.push({ status: 'info', label: 'No UCP discovery file found', detail: 'UCP enables AI agents to discover commerce capabilities — most relevant for commerce pages' });
+      checks.push({ status: 'info', label: 'No UCP discovery file found', detail: 'UCP enables AI agents to discover commerce capabilities - most relevant for commerce pages' });
     }
   }
 
+  // Shopify dual-surface info shortcut (fires whether or not UCP profile exists).
+  if (ucpData && ucpData.shopifyHosted) {
+    checks.push({ status: 'info', label: 'Shopify-hosted: dual UCP surface expected', detail: 'Per-shop endpoint at /api/ucp/mcp; global catalog at https://discover.shopifyapps.com/global/mcp' });
+  }
+
   return { checks, score: maxScore > 0 ? Math.round((score / maxScore) * 100) : 0, category: 'Agent Interactivity' };
 }
 
@@ -4766,11 +4937,54 @@ async function checkGEO(domain, options = {}) {
       const profile = JSON.parse(ucpRes.body);
       output.ucpProfile.exists = true;
       output.ucpProfile.content = profile;
+      output.ucpProfile.headers = ucpRes.headers || {};
     }
   } catch (err) {
     output.ucpProfile.error = err.message;
   }
 
+  // --- /.well-known/agent-card.json (A2A discovery; only meaningful when profile advertises a2a) ---
+  try {
+    const services = output.ucpProfile.content && output.ucpProfile.content.ucp && output.ucpProfile.content.ucp.services;
+    const advertisesA2a = services && Object.values(services).some(svc => svc && typeof svc === 'object' && svc.a2a);
+    if (advertisesA2a) {
+      const cardUrl = `${baseUrl}/.well-known/agent-card.json`;
+      const cardRes = await throttledFetchUrl(cardUrl, FETCH_TIMEOUT_MS, MAX_TEXT_BODY_SIZE).catch(() => ({ body: null, statusCode: null }));
+      if (cardRes.statusCode === 200 && cardRes.body) {
+        try {
+          JSON.parse(cardRes.body);
+          output.ucpProfile.agentCard = { url: cardUrl, exists: true, valid: true };
+        } catch {
+          output.ucpProfile.agentCard = { url: cardUrl, exists: true, valid: false };
+        }
+      } else if (cardRes.statusCode === 404) {
+        output.ucpProfile.agentCard = { url: cardUrl, exists: false, missing: true };
+      } else {
+        output.ucpProfile.agentCard = { url: cardUrl, exists: false, statusCode: cardRes.statusCode };
+      }
+    }
+  } catch (err) {
+    output.ucpProfile.agentCard = { error: err.message };
+  }
+
+  // --- Shopify host detection (for dual-surface info shortcut in checks) ---
+  try {
+    const homepageHeaders = homepageRes && homepageRes.headers ? homepageRes.headers : {};
+    const headerLookup = (n) => {
+      const lower = n.toLowerCase();
+      for (const k of Object.keys(homepageHeaders)) {
+        if (k.toLowerCase() === lower) return String(homepageHeaders[k] || '');
+      }
+      return '';
+    };
+    const host = (cleanDomain || '').toLowerCase();
+    const isShopifyDomain = host.endsWith('.myshopify.com') || host === 'myshopify.com';
+    const isShopifyByHeader = !!(headerLookup('x-shopid') || headerLookup('x-shardid') || headerLookup('x-shopify-stage') || headerLookup('powered-by').toLowerCase().includes('shopify'));
+    output.ucpProfile.shopifyHosted = isShopifyDomain || isShopifyByHeader;
+  } catch (err) {
+    output.ucpProfile.shopifyHosted = false;
+  }
+
   // --- Homepage (full 16-category analysis) ---
   try {
     output.homepage.statusCode = homepageRes.statusCode;