Add answer-first FAQ schema and VCALM comparisons to verticals

.gitignore

@@ -7,7 +7,5 @@ _site/
 .fastembed_cache/
 .claude/
 
-# Internal planning / private material — must NOT land in a public repo
-raw-materials.md
-ia-education-flagship.md
-seo-targets.md
+# Internal planning
+scratchpad/

src/assets/styles.css

@@ -299,6 +299,19 @@ p {
     color: var(--seal);
 }
 
+/* Answer-first paragraph: a direct, extractable answer to the page's primary
+   query, placed right under the hero. Tuned for SEO/GEO (answer engines read
+   the top of the page first), so keep it visually quieter than the promise. */
+.hero .direct-answer {
+    margin-top: 1.25rem;
+    font-size: 1.02rem;
+    line-height: 1.6;
+    color: var(--ink-soft);
+    max-width: var(--measure);
+    border-left: 3px solid var(--seal);
+    padding-left: 1rem;
+}
+
 /* ============================ SCENARIO / PULLQUOTE ============================ */
 .scenario {
     margin: 2rem 0;

src/verticals/education/index.njk

@@ -9,12 +9,37 @@ permalink: /education/
 ---
 {# Single-page vertical: SERP magnet, human journey, and technical model on one
    screen. Answers "would this work for us?" without forcing a click-through. #}
+<script type="application/ld+json">
+{
+  "@context": "https://schema.org",
+  "@type": "FAQPage",
+  "mainEntity": [
+    {"@type": "Question", "name": "How do you issue a digital diploma?",
+     "acceptedAnswer": {"@type": "Answer", "text": "Issue the diploma as a W3C Verifiable Credential over VCALM (the VC API). The university signs the credential and delivers it to the graduate's wallet over a short HTTP exchange. Any conformant wallet can hold it, and any institution can verify it cryptographically — no central identity provider required."}},
+    {"@type": "Question", "name": "Can you verify academic credentials online?",
+     "acceptedAnswer": {"@type": "Answer", "text": "Yes. When a credential is issued as a W3C Verifiable Credential, an admissions office or employer verifies it instantly by checking its cryptographic proof and the issuer's identity — no phone calls to the registrar and no PDF forwarding, including across borders."}},
+    {"@type": "Question", "name": "Is there an API to issue student credentials?",
+     "acceptedAnswer": {"@type": "Answer", "text": "Yes. VCALM (the VC API) is an open W3C HTTP API for issuing, presenting, and verifying credentials such as diplomas, transcripts, and enrollment proofs. You pick a VCALM provider and can swap it later without re-integrating."}},
+    {"@type": "Question", "name": "Can verifiable credentials verify a foreign degree?",
+     "acceptedAnswer": {"@type": "Answer", "text": "Yes. A diploma issued as a W3C Verifiable Credential verifies anywhere that reads the standard, so a degree issued in one country can be verified by an institution in another in seconds, without contacting the issuer."}},
+    {"@type": "Question", "name": "Why VCALM vs. OID4?",
+     "acceptedAnswer": {"@type": "Answer", "text": "You pick a VCALM provider and can swap it. You aren't locked to one wallet vendor or one stack, unlike the OID4VCI / OID4VP approach where interoperability is mainly at the wallet layer."}}
+  ]
+}
+</script>
 <section class="hero">
   <h1>{{ title }}</h1>
   <p class="promise">
     Issue diplomas, transcripts, and enrollment proofs that any wallet can hold
     and any institution can verify — without a central identity provider.
   </p>
+  <p class="direct-answer">
+    To issue a digital diploma, a university signs it as a
+    <strong>W3C Verifiable Credential</strong> and delivers it to the graduate's
+    wallet over <strong>VCALM</strong> (the VC API). Any conformant wallet holds
+    it; any institution verifies it cryptographically — instantly, across
+    borders, with no central identity provider.
+  </p>
 </section>
 
 <section class="flow">
@@ -130,10 +155,33 @@ permalink: /education/
   </p>
 </section>
 
-<section class="why">
-  <h2>Why VCALM vs. the alternative</h2>
-  <p>
-    You pick a VCALM provider and can swap it. You aren't locked to one wallet
-    vendor or one stack. <a href="/why-vcalm/">See the full comparison.</a>
-  </p>
-</section>
+<article class="prose">
+  <h2>Common questions</h2>
+  <div class="faq">
+    <h3>How do you issue a digital diploma?</h3>
+    <p>
+      The university signs the diploma as a W3C Verifiable Credential and
+      delivers it to the graduate's wallet over VCALM (the VC API). See the
+      <a href="/education/build/issuer/">issuer quick start</a>.
+    </p>
+
+    <h3>Can you verify academic credentials online?</h3>
+    <p>
+      Yes — an admissions office or employer checks the credential's
+      cryptographic proof and the issuer's identity instantly, with no calls to
+      the registrar, including across borders.
+    </p>
+
+    <h3>Is there an API to issue student credentials?</h3>
+    <p>
+      Yes. VCALM (the VC API) is an open W3C HTTP API for issuing, presenting,
+      and verifying credentials. <a href="/what-is-vcalm/">What is VCALM?</a>
+    </p>
+
+    <h3>Why VCALM vs. OID4?</h3>
+    <p>
+      You pick a VCALM provider and can swap it. You aren't locked to one wallet
+      vendor or one stack. <a href="/why-vcalm/">See the full comparison.</a>
+    </p>
+  </div>
+</article>

src/verticals/government/index.njk

@@ -9,13 +9,39 @@ permalink: /government/
 ---
 {# Single-page government/DMV vertical. Anchor: mobile driver's license (mDL).
    Lean on wallet-choice / no-allow-list / privacy — the user-liberty angle. #}
+<script type="application/ld+json">
+{
+  "@context": "https://schema.org",
+  "@type": "FAQPage",
+  "mainEntity": [
+    {"@type": "Question", "name": "How is a mobile driver's license (mDL) issued and verified?",
+     "acceptedAnswer": {"@type": "Answer", "text": "The DMV signs the license as a W3C Verifiable Credential and delivers it to the resident's wallet of choice over VCALM (the VC API). A relying party verifies it cryptographically in person or online — no callbacks to the DMV — and the resident approves each share with one tap."}},
+    {"@type": "Question", "name": "Can a digital ID prove age without revealing a birthdate?",
+     "acceptedAnswer": {"@type": "Answer", "text": "Yes. With selective disclosure, a resident can prove a single fact — such as 'over 21' or 'license valid' — without revealing name, address, or birthdate. Only the field requested is shared."}},
+    {"@type": "Question", "name": "Does a mobile driver's license lock residents to a government app?",
+     "acceptedAnswer": {"@type": "Answer", "text": "Not with VCALM. The license works with any conformant wallet, so residents keep their choice of app. The OpenID/mdoc approach often pairs with wallet attestation and allow-lists, which let the state decide which apps are accepted."}},
+    {"@type": "Question", "name": "Is a VCALM mobile driver's license private?",
+     "acceptedAnswer": {"@type": "Answer", "text": "Yes. Data minimization is built into every request, nothing is shared without explicit one-tap consent, and the state cannot observe where the credential is used."}},
+    {"@type": "Question", "name": "Why VCALM vs. OID4?",
+     "acceptedAnswer": {"@type": "Answer", "text": "The OID4VCI / OID4VP, mdoc-centric approach often pairs with wallet attestation and allow-lists, which means the DMV has to certify, build, and maintain an integration for every wallet it supports. With VCALM you issue once to an open standard and any conformant wallet works, so there is no per-wallet integration to own."}}
+  ]
+}
+</script>
 <section class="hero">
   <h1>{{ title }}</h1>
   <p class="promise">
     Issue mobile driver's licenses and digital IDs that residents truly control —
     verifiable in person or online, with the wallet of their choice, and without
     locking citizens to a government-approved app.
   </p>
+  <p class="direct-answer">
+    To issue a mobile driver's license, a DMV signs it as a
+    <strong>W3C Verifiable Credential</strong> and delivers it to the resident's
+    wallet of choice over <strong>VCALM</strong> (the VC API). A relying party
+    verifies it cryptographically — in person or online — and with selective
+    disclosure the resident can prove one fact, like "over 21," without
+    revealing name, address, or birthdate.
+  </p>
 </section>
 
 <section class="flow">
@@ -130,12 +156,36 @@ permalink: /government/
   </p>
 </section>
 
-<section class="why">
-  <h2>Why VCALM vs. the alternative</h2>
-  <p>
-    The OpenID-based, mdoc-centric approach often pairs with wallet "attestation"
-    and allow-lists — the state, in effect, picks which apps citizens may use.
-    VCALM keeps wallet choice with the resident and works natively with W3C
-    Verifiable Credentials. <a href="/why-vcalm/">See the full comparison.</a>
-  </p>
-</section>
+<article class="prose">
+  <h2>Common questions</h2>
+  <div class="faq">
+    <h3>Can a digital ID prove age without revealing a birthdate?</h3>
+    <p>
+      Yes. With selective disclosure, a resident proves a single fact — "over
+      21," "license valid" — without revealing name, address, or birthdate.
+    </p>
+
+    <h3>Does a mobile driver's license lock residents to a government app?</h3>
+    <p>
+      Not with VCALM — the license works with any conformant wallet. The
+      OpenID/mdoc approach often pairs with attestation and allow-lists that let
+      the state decide which apps are accepted.
+    </p>
+
+    <h3>Is a VCALM mobile driver's license private?</h3>
+    <p>
+      Yes. Data minimization is built into every request, nothing is shared
+      without one-tap consent, and the state can't see where it's used.
+    </p>
+
+    <h3>Why VCALM vs. OID4?</h3>
+    <p>
+      The OID4VCI / OID4VP, mdoc-centric approach often pairs with wallet
+      "attestation" and allow-lists — which means the DMV has to certify, and
+      build and maintain an integration for, every wallet it wants to support.
+      With VCALM, you issue once to an open standard and any conformant wallet
+      works, so there's no per-wallet integration to own. <a href="/why-vcalm/">See
+      the full comparison.</a>
+    </p>
+  </div>
+</article>

src/verticals/supply-chain/index.njk

@@ -10,13 +10,39 @@ permalink: /supply-chain/
 {# Single-page supply-chain vertical. US-first: lead with "supply chain
    traceability / provenance" (US vocabulary; DSCSA/FSMA/UFLPA drivers).
    "Digital product passport" / DPP is the secondary EU framing. #}
+<script type="application/ld+json">
+{
+  "@context": "https://schema.org",
+  "@type": "FAQPage",
+  "mainEntity": [
+    {"@type": "Question", "name": "How do you build a digital product passport with verifiable credentials?",
+     "acceptedAnswer": {"@type": "Answer", "text": "Issue the product passport as a W3C Verifiable Credential over VCALM (the VC API). The manufacturer signs a provenance credential — origin, materials, conformity — and links it to a tag or QR on the item. The credential travels with the product, and any buyer, retailer, or auditor can verify it cryptographically without a central database."}},
+    {"@type": "Question", "name": "What is a digital product passport (DPP)?",
+     "acceptedAnswer": {"@type": "Answer", "text": "A Digital Product Passport is a tamper-evident, portable record of a product's origin, materials, and conformity, mandated in the EU by the Ecodesign for Sustainable Products Regulation (ESPR). Issued as a W3C Verifiable Credential, it is the same capability the US calls supply chain traceability and provenance."}},
+    {"@type": "Question", "name": "How do verifiable credentials prevent counterfeiting?",
+     "acceptedAnswer": {"@type": "Answer", "text": "A genuine product carries a cryptographically signed authenticity credential that a counterfeiter cannot forge. Anyone can scan and verify it without contacting the brand, so fakes cannot produce a valid credential and have nowhere to hide."}},
+    {"@type": "Question", "name": "Does this meet DSCSA, FSMA, or UFLPA requirements?",
+     "acceptedAnswer": {"@type": "Answer", "text": "Verifiable Credentials over VCALM provide the tamper-evident, portable provenance records these US supply-chain rules require — proof of sourcing and origin that travels with the product, with no central database to breach."}},
+    {"@type": "Question", "name": "Why VCALM vs. OID4?",
+     "acceptedAnswer": {"@type": "Answer", "text": "You pick a VCALM provider and can swap it. The credential works with any conformant wallet or scanner, so you aren't locked to one vendor's app across your whole supply chain, unlike the OID4VCI / OID4VP approach."}}
+  ]
+}
+</script>
 <section class="hero">
   <h1>{{ title }}</h1>
   <p class="promise">
     Issue provenance and traceability credentials that travel with a product —
     so buyers, retailers, auditors, and customs can verify origin instantly,
     and counterfeits have nowhere to hide.
   </p>
+  <p class="direct-answer">
+    To build a digital product passport, a manufacturer signs a provenance
+    credential as a <strong>W3C Verifiable Credential</strong> over
+    <strong>VCALM</strong> (the VC API) and links it to the item. The credential
+    travels with the product; any buyer, retailer, or auditor verifies origin
+    cryptographically — no central database. The same record is called a
+    <strong>Digital Product Passport (DPP)</strong> in the EU.
+  </p>
 </section>
 
 <section class="flow">
@@ -147,11 +173,37 @@ permalink: /supply-chain/
   </p>
 </section>
 
-<section class="why">
-  <h2>Why VCALM vs. the alternative</h2>
-  <p>
-    You pick a VCALM provider and can swap it. The credential works with any
-    conformant wallet or scanner — you aren't locked to one vendor's app across
-    your whole supply chain.
-  </p>
-</section>
+<article class="prose">
+  <h2>Common questions</h2>
+  <div class="faq">
+    <h3>What is a digital product passport (DPP)?</h3>
+    <p>
+      A tamper-evident, portable record of a product's origin, materials, and
+      conformity — mandated in the EU by the ESPR, and issued as a W3C
+      Verifiable Credential. It's the same capability the US calls supply chain
+      traceability and provenance.
+    </p>
+
+    <h3>How do verifiable credentials prevent counterfeiting?</h3>
+    <p>
+      A genuine product carries a signed authenticity credential a counterfeiter
+      can't forge. Anyone can verify it without contacting the brand, so fakes
+      can't produce a valid credential.
+    </p>
+
+    <h3>Does this meet DSCSA, FSMA, or UFLPA requirements?</h3>
+    <p>
+      Verifiable Credentials over VCALM provide the tamper-evident, portable
+      provenance these rules require — proof that travels with the product, with
+      no central database to breach.
+    </p>
+
+    <h3>Why VCALM vs. OID4?</h3>
+    <p>
+      You pick a VCALM provider and can swap it. The credential works with any
+      conformant wallet or scanner — you aren't locked to one vendor's app
+      across your whole supply chain. <a href="/why-vcalm/">See the full
+      comparison.</a>
+    </p>
+  </div>
+</article>

src/why-vcalm.njk

@@ -3,14 +3,41 @@ layout: layouts/base.njk
 title: "VCALM vs OID4VCI / OID4VP — Why VCALM"
 description: "VCALM vs OID4VP and OID4VCI: a clear comparison for issuing and verifying Verifiable Credentials. Wallet choice, no vendor lock-in, one simple flow, native W3C VC support."
 permalink: /why-vcalm/
+structuredData:
+  "@context": "https://schema.org"
+  "@type": "TechArticle"
+  headline: "VCALM vs OID4VCI / OID4VP"
+  about: "Comparison of VCALM (the VC API) with the OpenID4VC protocols"
+  description: "How VCALM compares to OID4VCI and OID4VP for issuing and verifying Verifiable Credentials: wallet choice, vendor lock-in, flow, and W3C VC support."
+  author:
+    "@type": "Organization"
+    name: "Digital Bazaar, Inc."
 ---
+<script type="application/ld+json">
+{
+  "@context": "https://schema.org",
+  "@type": "FAQPage",
+  "mainEntity": [
+    {"@type": "Question", "name": "What is the difference between VCALM and OID4VCI / OID4VP?",
+     "acceptedAnswer": {"@type": "Answer", "text": "OID4VCI handles issuance and OID4VP handles presentation as two separate OpenID-based protocols. VCALM handles both in one exchange loop, lets the user keep their choice of wallet, and carries W3C Verifiable Credentials natively. The OpenID high-assurance profile (HAIP) can restrict which wallets are accepted via attestation and allow-lists."}},
+    {"@type": "Question", "name": "Is VCALM an alternative to OpenID4VP?",
+     "acceptedAnswer": {"@type": "Answer", "text": "Yes. VCALM is a W3C protocol that covers the same ground as OID4VCI and OID4VP for moving credentials between issuers, wallets, and verifiers, while keeping wallet choice with the user and avoiding vendor lock-in across the lifecycle."}},
+    {"@type": "Question", "name": "Does OID4VCI support W3C Verifiable Credentials?",
+     "acceptedAnswer": {"@type": "Answer", "text": "The OpenID4VC high-assurance interoperability profile (HAIP) is scoped to SD-JWT and ISO mdoc credential formats and does not include W3C Verifiable Credentials. VCALM carries standards-compliant W3C Verifiable Credentials natively."}},
+    {"@type": "Question", "name": "Why choose VCALM over the OpenID approach?",
+     "acceptedAnswer": {"@type": "Answer", "text": "Choose VCALM when you want users to keep their choice of wallet, want to swap providers without re-integrating across the stack, want issuance and presentation in one flow, and have standardized on W3C Verifiable Credentials."}}
+  ]
+}
+</script>
 <article class="prose why-vcalm">
   <h1>Why VCALM</h1>
   <p class="lede">
-    Both VCALM and the OpenID-based specs (OID4VCI and OID4VP) move credentials
-    between issuers, wallets, and verifiers. The difference is who stays in
-    control — the user, or the vendor. Here's what you get with VCALM, and where
-    the OpenID approach differs.
+    <strong>VCALM is an alternative to OID4VCI and OID4VP.</strong> All three
+    move credentials between issuers, wallets, and verifiers, but VCALM does it
+    in one exchange loop, keeps the user's choice of wallet, and carries W3C
+    Verifiable Credentials natively — where the OpenID specs split issuance and
+    presentation across two protocols and can restrict which wallets are
+    accepted. The difference is who stays in control: the user, or the vendor.
   </p>
 
   <section>
@@ -103,6 +130,34 @@ permalink: /why-vcalm/
     </table>
   </section>
 
+  <section>
+    <h2>Common questions</h2>
+    <div class="faq">
+      <h3>Is VCALM an alternative to OpenID4VP?</h3>
+      <p>
+        Yes. VCALM covers the same ground as OID4VCI and OID4VP — moving
+        credentials between issuers, wallets, and verifiers — while keeping
+        wallet choice with the user and avoiding vendor lock-in across the
+        lifecycle.
+      </p>
+
+      <h3>Does OID4VCI support W3C Verifiable Credentials?</h3>
+      <p>
+        The OpenID4VC high-assurance profile (HAIP) is scoped to SD-JWT and ISO
+        mdoc formats and does not include W3C Verifiable Credentials. VCALM
+        carries standards-compliant W3C Verifiable Credentials natively.
+      </p>
+
+      <h3>When should I choose VCALM?</h3>
+      <p>
+        When you want users to keep their choice of wallet, want to swap
+        providers without re-integrating across the stack, want issuance and
+        presentation in one flow, and have standardized on W3C Verifiable
+        Credentials.
+      </p>
+    </div>
+  </section>
+
   <div class="callout">
     <p>The simplest way to judge for yourself: look at what a developer actually implements.</p>
     <p>