@agenttrust-sdk/mcp 0.2.6 → 0.3.1

package/dist/embedded-data/devnet-smoke.json

@@ -5,8 +5,8 @@
   "mint": "2EGGN4fB5nkhuJQJ1mE9DrCBqmuCECSAvocMU4xbNqMY",
   "transferAmount": "1000",
   "signedTransfer": {
-    "signature": "4fPgTL7EGJniGJgf2uQ4NkLXmwKJiF7SNW7dACvVJE8jTgUE9y5wTFbFFaNVSSJ7KAvpMQXgJ7P2y62duiga9Vmt",
-    "explorer": "https://explorer.solana.com/tx/4fPgTL7EGJniGJgf2uQ4NkLXmwKJiF7SNW7dACvVJE8jTgUE9y5wTFbFFaNVSSJ7KAvpMQXgJ7P2y62duiga9Vmt?cluster=devnet"
+    "signature": "uXL2Kk1C9JQPSQ8gY4VpRUyKNP2muP4ouF1kToz6BoAdNygVrbxaqwy9xHPCLupczAKsYHKyFkTvHEZ1P5ZDyhs",
+    "explorer": "https://explorer.solana.com/tx/uXL2Kk1C9JQPSQ8gY4VpRUyKNP2muP4ouF1kToz6BoAdNygVrbxaqwy9xHPCLupczAKsYHKyFkTvHEZ1P5ZDyhs?cluster=devnet"
   },
   "emitFeedback": {
     "signature": "jMobmWJUAXuL8FmQujfxW9NmeMbzADUoABzqjiMeuc5m3YXyeuZeUw1ZJc29JGsqyWQGDY8q3vrtBdamhKXraag",
@@ -19,6 +19,6 @@
     "asset": "C6cuZeDT4kmCC1RXw8mzaoLGwmAMe5fHDvutAjicVi8B",
     "atomStats": "4z9RiK6B49QZbmqPM9yNZWgfxYD3tvQ3NETU6X89f5mv"
   },
-  "facilitatorBalanceSol": "6.990858",
-  "capturedAt": "2026-05-07T19:29:46.411Z"
+  "facilitatorBalanceSol": "8.905693",
+  "capturedAt": "2026-05-06T17:53:48.313Z"
 }

package/dist/embedded-docs/architecture.mdx

@@ -0,0 +1,174 @@
+---
+title: Architecture
+description: How the three Anchor programs, the SDK, and the facilitator-adapter layer compose into one settlement path.
+---
+
+AgentTrust is three Anchor programs plus a TypeScript surface that mounts them on any x402 facilitator. This page is the wiring. Byte-precise PDA layouts, instruction signatures, and deny-reason codes live under [Programs](/programs/policy-vault).
+
+## Composition diagram
+
+```
+┌───────────────────────────────────────────────────────────────────────┐
+│  x402 Facilitator (Pay.sh ★ default · Dexter · atxp · MCPay)          │
+│                                                                       │
+│   import { mountTrustGate } from "@agenttrust-sdk/trustgate/express"  │
+│   await mountTrustGate(app, { atomicityEnforced: true, … })           │
+│                                                                       │
+│  ★ Pay.sh = Solana Foundation's first x402 facilitator (May 5, 2026)  │
+└───────────────────────────────────────────────────────────────────────┘
+                              │
+                              ▼  POST /verify | /settle | /dispute
+       ┌──────────────────────────────────────────────────────────┐
+       │  TrustGate (Anchor program)                              │
+       │  ├─ init_authority (per-facilitator PDA)                 │
+       │  ├─ emit_feedback  ── PDA-signed CPI ──┐                 │
+       │  └─ dispute_payment                    │                 │
+       └─────────────────┬──────────────────────┼─────────────────┘
+                         │                      │
+                         │ CPI                  │ CPI
+                         ▼                      ▼
+       ┌─────────────────────────────┐  ┌──────────────────────────────┐
+       │  PolicyVault                │  │  Quantu agent-registry-8004  │
+       │  ├─ gate_payment composer   │  │  ├─ give_feedback            │
+       │  │   (fail-fast 5 policies) │  │  └─ atom-engine::AtomStats   │
+       │  ├─ KillSwitch • Spending   │  │     (tier @ byte 551)        │
+       │  ├─ Velocity • Counterparty │  │                              │
+       │  └─ RequireValidation       │  │  Pinned commit: bfb09ad      │
+       │                             │  │  Read via byte-offset parser │
+       │  reads ValidationAttestation│  │     (zero Cargo dep)         │
+       └─────────────────┬───────────┘  └──────────────────────────────┘
+                         │
+                         ▼
+       ┌──────────────────────────────────────────┐
+       │  ValidationRegistry                      │
+       │  ├─ register_namespace / _attestor       │
+       │  ├─ request / respond / revoke           │
+       │  └─ ValidationAttestation PDA            │
+       │     (read by PolicyVault parser)         │
+       └──────────────────────────────────────────┘
+```
+
+A single `composeAtomicSettleTx()` call in the SDK builds one Solana transaction with three instructions in canonical order: `gate_payment_strict` → SPL `transferChecked` → `emit_feedback`. The transaction either commits all three or none — never two of three. That is the load-bearing safety property the SDK enforces at three layers.
+
+## The three programs
+
+### PolicyVault — the decision engine
+
+Five orthogonal policy kinds compose under one `gate_payment` instruction with fail-fast semantics:
+
+| Order | Policy | What it checks |
+|---|---|---|
+| 1 | `KillSwitch` | per-agent paused flag — multisig-controlled emergency stop |
+| 2 | `Spending` | per-tx, daily (UTC midnight), weekly (ISO Monday) limits |
+| 3 | `Velocity` | sliding-window cumulative spend, payer-tier-decayed limits |
+| 4 | `CounterpartyTier` | payee `AtomStats.trust_tier` (byte 551), risk score, confidence |
+| 5 | `RequireValidation` | gates against a `ValidationAttestation` PDA (capability proof) |
+
+The composer returns `Allow`, `Deny(reason)`, or `RequireValidation(capability_hash)`. State changes — daily / weekly counters, velocity ledger — apply only on `Allow`. `Deny` and `RequireValidation` mutate nothing.
+
+A strict variant — `gate_payment_strict` — converts non-`Allow` into `Err`. That is the variant the SDK's atomic composer uses: any `Deny` on the gate fails the entire bundled transaction. The Phase J5 Kani proof `gate_payment_strict_correctness` pins the biconditional — strict returns `Ok(())` if and only if the lazy composer returns `Allow` — so a future change cannot silently re-route the `Deny` arm to an `Ok` return.
+
+Byte-precise reference: [PolicyVault](/programs/policy-vault). Composer: [Composer](/programs/policy-vault/composer).
+
+### TrustGate — the facilitator-side program
+
+Two PDAs, three instructions:
+
+| PDA | Seeds | Role |
+|---|---|---|
+| `TrustGateAuthority` | `["trustgate_auth", facilitator]` | Per-facilitator PDA signer for the CPI |
+| `FeedbackEmissionLog` | `["feedback_log", payment_id_hash]` | Init-only idempotency receipt |
+
+`emit_feedback` PDA-signs a CPI into Quantu's `agent-registry-8004::give_feedback`. The `FeedbackEmissionLog` is created via Anchor's `init` constraint — a second tx with the same `payment_id_hash` fails account-already-in-use, so retries cannot double-emit. `dispute_payment` writes a negative-score variant for disputed payments.
+
+Byte-precise reference: [TrustGate](/programs/trustgate). SDK reference: [SDK → mountTrustGate](/sdk/mount-trustgate).
+
+### ValidationRegistry — the third ERC-8004 leg
+
+Five instructions over four PDAs:
+
+| Instruction | Effect |
+|---|---|
+| `register_namespace` | permissionless; caller computes `SHA256(name_utf8)` |
+| `register_attestor` | self-registration with display URI |
+| `request_validation` | open a request for `(subject, capability)` |
+| `respond_to_validation` | attestor writes the attestation PDA |
+| `revoke_validation` | original attestor sets `revoked = true` |
+
+The v1 sybil-resistance model is downstream-consumer filtering: PolicyVault stores a per-policy `accepted_attestors[]` array (length 2). Only attestations from those keys flip `RequireValidation` to `Allow`. Permissionless registration plus opinionated downstream filtering trades global gatekeeping for local trust — the only model that scales with the number of facilitators.
+
+Byte-precise reference: [ValidationRegistry](/programs/validation-registry). v1 capability namespaces seeded on devnet: [Reference → Capability namespaces](/reference/capability-namespaces).
+
+## The FacilitatorAdapter pattern
+
+Every x402 facilitator carries the same payment intent but differs in headers, body shape, proof payload, retry behavior, and settlement metadata. The adapter layer isolates those differences in five methods:
+
+| Method | Responsibility |
+|---|---|
+| `parseRequest(req)` | translate the facilitator's request into `VerifyContext` |
+| `formatChallenge(decision, ctx)` | render `Allow` / `Deny` / `RequireValidation` in that facilitator's wire format |
+| `formatSettlement(ctx)` | produce settlement metadata or an unsigned transaction skeleton |
+| `validatePaymentProof(proof, ctx)` | verify proof shape and cross-check the verify-time context |
+| `emitFeedback(ctx, settlement)` | call the feedback CPI idempotently |
+
+Routes (`/verify`, `/settle`, `/dispute`), the policy gate, and the registry reads do not branch on facilitator name. Pay.sh is the canonical implementation in [`trustgate/server/src/facilitators/pay-sh/`](https://github.com/agenttrust-labs/agenttrust/tree/main/trustgate/server/src/facilitators/pay-sh); Dexter, atxp, and MCPay share the same interface. Adding a fifth facilitator stays under a hundred lines.
+
+Walkthrough: [Pay.sh adapter](/integration-guides/pay-sh-adapter). Build your own: [Facilitator adapters](/integration-guides/facilitator-adapters).
+
+## The atomic-tx invariant
+
+`gate_payment_strict` mutates state on `Allow`:
+
+- `PolicyAccount.spending_today_used`, `spending_today_anchor`
+- `PolicyAccount.spending_week_used`, `spending_week_anchor`
+- `VelocityLedger.cumulative_amount`, `last_commit_slot`
+
+If the SPL transfer reverts after that mutation — and the two instructions are in *different* Solana transactions — the gate's state is durable while no value moved. Subsequent `gate_payment` calls read the inflated counters and may deny a legitimate payment, or velocity caps appear hit when nothing real has happened.
+
+The corruption vector is most cleanly triggered by a Token-2022 mint with a `TransferHook` extension that reverts on a compliance check, but it is mint-extension-agnostic: any failing inner instruction in a split flow corrupts state the same way.
+
+The SDK closes the corruption vector at three layers:
+
+1. **Compile-time literal-type guard.** `AtomicityEnforced` is the literal type `{ atomicityEnforced: true }`. TypeScript rejects callers passing `false` or omitting the field. No runtime cost.
+2. **Runtime guard.** `assertAtomicityEnforced` throws `AtomicityNotEnforcedError` for any value that isn't strictly `=== true`. Catches `as any` cast bypasses.
+3. **Composer structure.** `composeAtomicSettleTx` returns one `Transaction` with exactly three instructions in canonical order (gate, transfer, feedback). Any other shape is a programming error.
+
+Plus the on-chain Kani proof `gate_payment_strict_correctness` pins the strict handler's contract end-to-end: `Ok(())` if and only if the composer returned `Allow`. Full proof: [Verification → Atomic-tx invariant](/verification/atomic-tx-invariant). Background: [`docs/proofs/transfer-hook-atomicity.md`](https://github.com/agenttrust-labs/agenttrust/blob/main/docs/proofs/transfer-hook-atomicity.md).
+
+## ERC-8004 wiring
+
+Quantu Labs published two of the three ERC-8004 legs on Solana:
+
+- `agent-registry-8004` — agent identity plus the reputation surface (the `give_feedback` instruction). Each agent gets a Metaplex Core asset plus a Borsh-typed `AgentAccount` PDA.
+- `atom-engine` — confidence-weighted reputation aggregation. The `AtomStats` PDA stores `tier_immediate` and `tier_confirmed` as single bytes.
+
+The third leg — capability validation — was scaffolded in `8004-solana` v0.4 then archived in v0.5.0 pending a redesign. AgentTrust's `ValidationRegistry` productizes it. The semantics align with the ERC-8004 V variant: who attests to a capability the payer's policy requires (KYC tier, audit attestation, jurisdictional compliance, model-card provenance, payment-network membership).
+
+PolicyVault reads from both Quantu legs:
+
+| Field | Source PDA | Offset | Width |
+|---|---|---|---|
+| trust tier (immediate) | `AtomStats` | byte 551 | u8 |
+| trust tier (confirmed) | `AtomStats` | byte 555 | u8 |
+| risk score | `AtomStats` | byte 549 | u8 |
+| confidence | `AtomStats` | byte 557 | u16 LE |
+| schema version canary | `AtomStats` | byte 560 | u8 (must equal 1) |
+
+A schema bump on the Quantu side fails the canary check loud rather than silently misreading fields. Full byte-offset reference: [Reference → Byte offsets](/reference/byte-offset-reference).
+
+## Read next
+
+<Cards>
+  <Card title="PolicyVault composer" href="/programs/policy-vault/composer">
+    The pure-Rust orchestration that ties the five policy kinds together.
+  </Card>
+  <Card title="Atomic-tx invariant" href="/verification/atomic-tx-invariant">
+    Three layers of proof that gate + transfer + feedback execute as one tx or none.
+  </Card>
+  <Card title="Live evidence" href="/verification/live-evidence">
+    Six Kani proofs, devnet smoke traces, the chained-validation 4-sig trace.
+  </Card>
+  <Card title="Pay.sh adapter" href="/integration-guides/pay-sh-adapter">
+    The canonical FacilitatorAdapter implementation, end to end.
+  </Card>
+</Cards>

package/dist/embedded-docs/getting-started/quickstart.mdx

@@ -1,100 +1,123 @@
 ---
 title: Quickstart
-description: Run AgentTrust with Pay.sh in under 10 minutes.
+description: Hit the hosted devnet build, install the SDK, wire the MCP server. Three paths, no clone, under five minutes.
 ---
 
-This page gets you from a clean checkout to a Pay.sh + AgentTrust server you can hit locally. It shows the x402 challenge, the Pay.sh retry, the AgentTrust decision, and the feedback receipt path.
+Three live paths. Each runs against the hosted devnet endpoints under `*.agenttrust.tech`. None require a local clone.
 
-## 1. Install
+## 1. Hit the live demo
+
+The demo at [`demo.agenttrust.tech`](https://demo.agenttrust.tech) runs the full Pay.sh + AgentTrust flow against deployed devnet programs. With no payment proof, `/protected` returns a real x402 v2 challenge:
 
 ```bash
-pnpm install
+curl -i https://demo.agenttrust.tech/protected
 ```
 
-The public SDK package is `@agenttrust-sdk/trustgate`. The Pay.sh demo imports the server workspace package directly so it can exercise the adapter layer before packaging.
-
-## 2. Build the demo
+The response carries `HTTP/2 402` with a SERVICE-signed `payment-required` envelope (base64). To walk the full Allow → settle → emit_feedback path, install Pay.sh and let it pay:
 
 ```bash
-pnpm --filter ./examples/pay-sh-demo build
+pay --sandbox curl https://demo.agenttrust.tech/protected
 ```
 
-## 3. Start the server
+Three deterministic counterparties drive each decision branch. Fetch their pubkeys from the demo's health endpoint:
 
 ```bash
-pnpm --filter ./examples/pay-sh-demo dev
+curl -s https://demo.agenttrust.tech/health | jq '.counterparties'
 ```
 
-The server listens on `:3402` and exposes:
+| Tier | Header | Decision |
+| --- | --- | --- |
+| 0 | `X-Demo-Payer-Agent: <tier-0 pubkey>` | `402 Deny — CounterpartyTierBelowMin` |
+| 1 | `X-Demo-Payer-Agent: <tier-1 pubkey>` | `402 Deny — CounterpartyTierBelowMin` |
+| 3 | `X-Demo-Payer-Agent: <tier-3 pubkey>` | `200 Allow + X-Payment-Receipt` |
 
-| Route | Purpose |
-| --- | --- |
-| `GET /health` | deterministic demo counterparties and facilitator key |
-| `GET /protected` | Pay.sh-gated resource |
+The full atomic-settlement trace (gate, transfer, feedback) for the tier-3 path is captured under [Verification → Devnet smoke](/verification/devnet-smoke).
 
-## 4. Drive the Pay.sh path
+## 2. Install the SDK
 
-Without a payment proof, `/protected` returns `402 Payment Required` with a base64 x402 v2 challenge.
+Add [`@agenttrust-sdk/trustgate@0.2.0`](https://www.npmjs.com/package/@agenttrust-sdk/trustgate) to any Node project:
 
 ```bash
-curl -i https://demo.agenttrust.tech/protected
+pnpm add @agenttrust-sdk/trustgate
 ```
 
-With Pay.sh installed, let the CLI pay and retry.
+Mount the middleware on an Express app:
 
-```bash
-pay --sandbox curl https://demo.agenttrust.tech/protected
-```
+```ts
+import express from "express";
+import { Keypair } from "@solana/web3.js";
+import { mountTrustGate } from "@agenttrust-sdk/trustgate/express";
 
-For a deterministic Allow path, use the tier-3 demo counterparty.
+const app = express();
+app.use(express.json());
 
-```bash
-PAYER=$(curl -s https://demo.agenttrust.tech/health | jq -r '.counterparties[2].agent')
-pay --sandbox curl -H "X-Demo-Payer-Agent: $PAYER" https://demo.agenttrust.tech/protected
-```
-
-For a deterministic Deny path, use tier 0.
+await mountTrustGate(app, {
+  rpcUrl:             "https://api.devnet.solana.com",
+  facilitatorKeypair: Keypair.fromSecretKey(/* your facilitator key */),
+  network:            "solana-devnet",
+  atomicityEnforced:  true,             // literal `true` — TS rejects `false`
+});
 
-```bash
-PAYER=$(curl -s https://demo.agenttrust.tech/health | jq -r '.counterparties[0].agent')
-pay --sandbox curl -H "X-Demo-Payer-Agent: $PAYER" https://demo.agenttrust.tech/protected
+app.listen(3000);
 ```
 
-## 5. Run the same flow without the CLI
+The `atomicityEnforced: true` literal is the SDK's load-bearing guard. The compile-time type rejects callers who omit it, the runtime throws on `as any` bypasses, and the on-chain `gate_payment_strict_correctness` Kani proof binds the strict handler's return value to the composer's `Allow` arm. Full details: [Atomic-tx invariant](/verification/atomic-tx-invariant).
 
-The integration tests synthesize Pay.sh proof bodies and drive the same Express route in-process.
+You now have:
 
-```bash
-pnpm --filter ./examples/pay-sh-demo test
-```
+- `POST /verify` — read-only `gate_payment` simulation
+- `POST /settle` — one-tx atomic settle (gate + transfer + feedback)
+- `POST /dispute` — dispute path
+- `GET /receipt/:hash` — `FeedbackEmissionLog` lookup by payment hash
 
-## What happens inside
+## 3. Wire the MCP server
 
-```ts
-adapter.parseRequest(req)
-  -> VerifyContext
-  -> decide(ctx)
-  -> adapter.formatChallenge(decision, ctx)
-  -> adapter.validatePaymentProof(proof, ctx)
-  -> adapter.emitFeedback(ctx, settlement)
+[`@agenttrust-sdk/mcp@0.2.6`](https://www.npmjs.com/package/@agenttrust-sdk/mcp) exposes 18 tools to any Model Context Protocol client. For Claude Desktop, drop this into your config (`~/Library/Application Support/Claude/claude_desktop_config.json` on macOS):
+
+```json
+{
+  "mcpServers": {
+    "agenttrust": {
+      "command": "npx",
+      "args": ["-y", "@agenttrust-sdk/mcp"],
+      "env": {
+        "RPC_URL": "https://api.devnet.solana.com",
+        "NETWORK": "solana-devnet"
+      }
+    }
+  }
+}
 ```
 
-The local demo stubs RPC and CPI so CI can run without devnet. The server package carries the real Anchor path: `trustgate/server/src/chain.ts` loads the deployed devnet programs, `/verify` simulates `gate_payment`, and `/settle` delegates proof validation plus feedback emission through the active adapter.
+Restart Claude Desktop. Then ask:
 
-Production fills these same dependency seams:
+- *"What demo agents are available on AgentTrust?"*
+- *"Simulate a 5-USDC payment from the tier-3 demo agent to the tier-0 demo agent against policy 1. What does the gate decide?"*
+- *"Search the AgentTrust docs for the atomic-tx invariant."*
 
-| Seam | Demo implementation | Production implementation |
-| --- | --- |
-| `decide(ctx)` | static tier table | `simulateGatePayment` against devnet programs |
-| `validateOnChainTx` | synthetic confirmed tx | RPC + SPL transfer parser |
-| `emitFeedbackCpi` | synthetic feedback signature | Anchor call into `trustgate::emit_feedback` |
+A hosted HTTP transport is also live at [`mcp.agenttrust.tech`](https://mcp.agenttrust.tech) for clients that speak `StreamableHTTPServerTransport`. Full setup: [MCP → Install](/mcp/install).
 
-## Pinned devnet IDs
+## What's running where
 
 <ProgramIdsTable />
 
+| Surface | URL |
+| --- | --- |
+| Demo | [`demo.agenttrust.tech`](https://demo.agenttrust.tech) |
+| Facilitator (`/verify` + `/settle`) | [`api.agenttrust.tech`](https://api.agenttrust.tech) |
+| MCP HTTP endpoint | [`mcp.agenttrust.tech`](https://mcp.agenttrust.tech) |
+| Repo | [`github.com/agenttrust-labs/agenttrust`](https://github.com/agenttrust-labs/agenttrust) |
+
 ## Read next
 
-- [Pay.sh adapter](/integration-guides/pay-sh-adapter)
-- [Facilitator adapters](/integration-guides/facilitator-adapters)
-- [Atomic-tx invariant](/sdk/atomic-tx-invariant)
+<Cards>
+  <Card title="Architecture" href="/architecture">
+    How the three programs, the SDK, and the adapter layer compose into one settlement path.
+  </Card>
+  <Card title="Pay.sh adapter" href="/integration-guides/pay-sh-adapter">
+    The live Pay.sh integration end to end — challenge, retry, settle, feedback.
+  </Card>
+  <Card title="Atomic-tx invariant" href="/verification/atomic-tx-invariant">
+    Why gate + transfer + feedback must execute as one Solana transaction or none.
+  </Card>
+</Cards>

package/dist/embedded-docs/index.mdx

@@ -1,64 +1,81 @@
 ---
-title: Introduction
-description: AgentTrust is the Solana policy and feedback layer for x402 facilitators.
+title: AgentTrust
+description: Three Anchor programs that complete the third leg of ERC-8004 on Solana — the policy, settlement, and feedback layer for x402 facilitators.
 ---
 
-AgentTrust is the Solana policy and feedback layer for x402 facilitators.
-
-Pay.sh is the first concrete adapter: an AgentTrust-aware service can emit a Pay.sh x402 challenge, verify the SERVICE signature, run the policy decision, and settle with feedback tied to the same payment context. The same adapter contract is designed for Dexter, atxp_ai, MCPay, and the next facilitator without rewriting the routes.
+Quantu Labs shipped two of the three ERC-8004 legs on Solana — agent identity (`agent-registry-8004`) and reputation (`atom-engine`). The third leg, capability validation, was archived in v0.5.0 pending a redesign. AgentTrust ships that third leg, plus a policy engine that reads Quantu's reputation tier byte by byte, plus a facilitator-side program that emits feedback through Quantu's existing CPI surface.
 
 <KaniProofBadge />
 
-## What AgentTrust ships today
+## Hit it now
 
-AgentTrust ships as three Anchor programs, a TypeScript SDK, and a facilitator-adapter layer.
+Three live paths against the hosted devnet build. No clone, no setup.
 
-| Part | Reads | Writes | Result |
-| --- | --- | --- | --- |
-| PolicyVault | payer and payee trust data | policy counters and velocity ledgers | `Allow`, `Deny`, or `RequireValidation` |
-| TrustGate | PolicyVault decisions | Quantu feedback logs | x402 status and ERC-8004 feedback |
-| ValidationRegistry | attestor profiles and attestations | capability attestations | reusable validation evidence |
-| Pay.sh adapter | x402 v2 `PaymentRequirements` | SERVICE-signed challenge and feedback receipt | live Pay.sh integration path |
+```bash
+# 1. See an x402 challenge from a real facilitator
+curl -i https://demo.agenttrust.tech/protected
 
-## Facilitator status
+# 2. Install the SDK
+pnpm add @agenttrust-sdk/trustgate
 
-| Facilitator | Status | Notes |
-| --- | --- | --- |
-| Pay.sh | live | First concrete adapter; launch announced by Solana Foundation with Google Cloud on May 5, 2026. |
-| Dexter | in flight | Worked example for the next adapter path; current repo carries a roadmap stub until full wiring lands. |
-| atxp_ai | roadmap | Stubbed explicitly so callers see a planned integration, not an accidental absence. |
-| MCPay | roadmap | Stubbed explicitly for the same adapter contract. |
+# 3. Wire the MCP server into Claude Desktop / Cursor
+npx -y @agenttrust-sdk/mcp
+```
 
-Pay.sh launch reference: [Solana Foundation launch note](https://solana.com/news/solana-foundation-launches-pay-sh-in-collaboration-with-google-cloud).
+## What's deployed
 
-## Devnet deployment
+<ProgramIdsTable />
 
-The current Frontier build is deployed on Solana devnet and keeps the same adapter boundary for mainnet rollout.
+[SDK on npm](https://www.npmjs.com/package/@agenttrust-sdk/trustgate) ·
+[MCP on npm](https://www.npmjs.com/package/@agenttrust-sdk/mcp) ·
+[Repo](https://github.com/agenttrust-labs/agenttrust) ·
+[Hosted demo](https://demo.agenttrust.tech) ·
+[Hosted facilitator](https://api.agenttrust.tech) ·
+[Hosted MCP](https://mcp.agenttrust.tech)
 
-<ProgramIdsTable />
+## The three programs
 
-## The shortest path
+**PolicyVault** is the decision engine. Five orthogonal policy kinds — `KillSwitch`, `Spending`, `Velocity`, `CounterpartyTier`, `RequireValidation` — composed under one `gate_payment` instruction with fail-fast semantics. The composer returns `Allow`, `Deny(reason)`, or `RequireValidation(capability_hash)`. `CounterpartyTier` reads byte 551 of Quantu's `AtomStats` through a manual byte-offset parser pinned to commit `bfb09ad` (zero Cargo dep on Quantu's crate, schema-version canary at byte 560 catches drift).
 
-Run the Pay.sh demo, then copy the adapter shape into your own facilitator.
+**TrustGate** is the facilitator-side program. One PDA per facilitator (`TrustGateAuthority`) signs the CPI into Quantu's `agent-registry-8004::give_feedback`. `FeedbackEmissionLog` is the per-payment idempotency receipt — Anchor's `init` constraint fails on the second tx with the same `payment_id_hash`, so retries cannot double-emit. The TypeScript SDK, [`@agenttrust-sdk/trustgate@0.2.0`](https://www.npmjs.com/package/@agenttrust-sdk/trustgate), mounts on any Express app in five lines.
 
-```bash
-pnpm --filter ./examples/pay-sh-demo dev
-```
+**ValidationRegistry** productizes the third leg. Five instructions — `register_namespace`, `register_attestor`, `request_validation`, `respond_to_validation`, `revoke_validation` — over four PDAs. The v1 sybil-resistance model is downstream-consumer filtering: PolicyVault stores a per-policy `accepted_attestors[]` array; only attestations from those keys flip the gate to `Allow`. Permissionless registration plus opinionated downstream filtering is the only model that scales with the number of facilitators.
+
+## How they compose
 
-```bash
-pay --sandbox curl https://demo.agenttrust.tech/protected
 ```
+x402 facilitator (Pay.sh, Dexter, atxp, MCPay)
+        │
+        ▼  POST /verify | /settle | /dispute
+TrustGate ─CPI─► agent-registry-8004::give_feedback
+   │
+   │ reads
+   ▼
+PolicyVault ─reads─► AtomStats (Quantu)        ◀── byte 551 (tier)
+   │
+   └─reads─► ValidationAttestation              ◀── byte 8 / 40 / 72 / 208 / 216
+              (ValidationRegistry)
+```
+
+The full wiring story is on [Architecture](/architecture). Byte-precise PDA layouts, instruction signatures, and deny-reason codes live under [Programs](/programs/policy-vault).
 
-## Read next
+## Foundation alignment
+
+Pay.sh is the Solana Foundation's first x402 facilitator, [launched 2026-05-05 with Google Cloud](https://solana.com/news/solana-foundation-launches-pay-sh-in-collaboration-with-google-cloud). AgentTrust ships day-one Pay.sh integration as the canonical adapter — Dexter, atxp, and MCPay share the same five-method `FacilitatorAdapter` contract, so adding a fifth facilitator stays under a hundred lines. Walkthrough: [Pay.sh adapter](/integration-guides/pay-sh-adapter).
+
+## Where to next
 
 <Cards>
   <Card title="Quickstart" href="/getting-started/quickstart">
-    Run the Pay.sh demo and inspect Allow / Deny paths.
+    Hit the live demo, install the SDK, wire the MCP server.
+  </Card>
+  <Card title="Architecture" href="/architecture">
+    The wiring diagram, the FacilitatorAdapter pattern, the atomic-tx invariant.
   </Card>
-  <Card title="Pay.sh adapter" href="/integration-guides/pay-sh-adapter">
-    Walk through the live adapter end to end.
+  <Card title="Live evidence" href="/verification/live-evidence">
+    Six Kani proofs, devnet smoke traces, the chained-validation 4-sig trace, every claim with an Explorer URL.
   </Card>
-  <Card title="Architecture overview" href="/getting-started/architecture-overview">
-    See why the adapter layer exists and how it composes with the programs.
+  <Card title="MCP server" href="/mcp">
+    Eighteen tools that expose every SDK surface to Claude Desktop and Cursor.
   </Card>
 </Cards>