Cart sessions need persistence guidance

[hemanth]

Problem

The cart capability defines expires_at but says nothing about how cart sessions should persist, what TTLs are reasonable, or how sessions bind to buyers across reconnections.

Every implementer ends up inventing their own approach. Some use server-side durable objects, some use database-backed sessions, some use signed cookies. The spec is silent on all of it.

What's missing

1. Recommended TTL ranges (minutes for food ordering? hours for retail? days for B2B?)
2. Session binding -- how does a returning buyer resume a cart? By cart ID alone? By buyer identity? Both?
3. Reconnection semantics -- if a cart expires mid-conversation with a voice agent, what should happen? Silent recreation? Error?
4. Cross-transport persistence -- a cart created over MCP should be retrievable over REST (and vice versa). The spec doesn't say whether this is expected.

Suggestion

Add a non-normative "Implementation guidance" section to the cart capability covering:

• Minimum recommended TTL by use case (quick-service vs retail vs B2B)
• Cart ID as the canonical resumption handle, independent of transport
• Business SHOULD return expires_at and platform SHOULD warn the buyer before expiry
• Expired carts SHOULD return a specific error code (not just generic 404) so the platform can offer to recreate

This doesn't need to be prescriptive. Even a "here's how we expect this to work" section would save implementers from guessing.