settld 0.1.2 → 0.2.0

package/docs/QUICKSTART_MCP.md

@@ -0,0 +1,377 @@
+# Quickstart: MCP (Stdio Spike)
+
+This quickstart connects an MCP-compatible agent/client to Settld using the Sprint 23 `stdio` MCP spike server.
+
+For host-specific setup (Claude, Cursor, Codex, OpenClaw), see `docs/QUICKSTART_MCP_HOSTS.md`.
+
+## Prerequisites
+
+- Node.js 20+
+- A Settld API key with appropriate scopes (`keyId.secret` format)
+- Settld API reachable (local `npm run dev:api` or hosted)
+
+## Fast Path (Recommended)
+
+Run guided setup first:
+
+```bash
+npx -y settld setup
+```
+
+Then run a smoke probe:
+
+```bash
+npm run mcp:probe
+```
+
+If you prefer to wire everything manually, use the fallback steps in `Run The MCP Server` below.
+
+## One-Command Local Demo (Paid MCP Exa Flow)
+
+Boots local API + provider wrapper + x402 gateway, runs MCP `settld.exa_search_paid`, verifies signatures/tokens, and writes an artifact bundle.
+
+To scaffold your own paid tool server quickly:
+
+```bash
+npx create-settld-paid-tool my-paid-tool
+```
+
+Run provider conformance/publish with machine-readable artifacts:
+
+```bash
+npm run provider:conformance -- \
+  --manifest ./paid-tool-manifest.json \
+  --base-url http://127.0.0.1:9402 \
+  --api-url http://127.0.0.1:3000 \
+  --api-key "$SETTLD_API_KEY" \
+  --json-out artifacts/provider-conformance.json
+
+npm run provider:publish -- \
+  --manifest ./paid-tool-manifest.json \
+  --base-url http://127.0.0.1:9402 \
+  --api-url http://127.0.0.1:3000 \
+  --api-key "$SETTLD_API_KEY" \
+  --json-out artifacts/provider-publication.json \
+  --conformance-json-out artifacts/provider-conformance-from-publish.json
+```
+
+Notes:
+
+- `provider:conformance` exits non-zero when verdict is not `ok` (use `--allow-fail` to keep exit code `0`).
+- `provider:publish` exits non-zero when `runConformance` is enabled and publication is not `certified` (use `--allow-fail` to keep exit code `0`).
+
+```bash
+npm run demo:mcp-paid-exa
+npm run demo:mcp-paid-weather
+npm run demo:mcp-paid-llm
+```
+
+Circle sandbox mode (real reserve path):
+
+```bash
+SETTLD_DEMO_CIRCLE_MODE=sandbox \
+X402_REQUIRE_EXTERNAL_RESERVE=1 \
+npm run demo:mcp-paid-exa -- --circle=sandbox
+```
+
+Circle sandbox mode with batch settlement execution:
+
+```bash
+SETTLD_DEMO_CIRCLE_MODE=sandbox \
+SETTLD_DEMO_RUN_BATCH_SETTLEMENT=1 \
+SETTLD_DEMO_BATCH_PROVIDER_WALLET_ID="$CIRCLE_WALLET_ID_ESCROW" \
+X402_REQUIRE_EXTERNAL_RESERVE=1 \
+npm run demo:mcp-paid-exa -- --circle=sandbox
+```
+
+Success output:
+
+```text
+PASS artifactDir=artifacts/mcp-paid-exa/...
+gateId=...
+decisionId=...
+settlementReceiptId=...
+```
+
+Artifact bundle includes:
+
+- `summary.json`
+- `mcp-call.raw.json`
+- `mcp-call.parsed.json`
+- `response-body.json`
+- `gate-state.json`
+- `reserve-state.json`
+- `provider-signature-verification.json`
+- `settld-pay-token-verification.json`
+- `batch-payout-registry.json` (when `SETTLD_DEMO_RUN_BATCH_SETTLEMENT=1`)
+- `batch-worker-state.json` (when `SETTLD_DEMO_RUN_BATCH_SETTLEMENT=1`)
+- `batch-settlement.json` (when `SETTLD_DEMO_RUN_BATCH_SETTLEMENT=1`)
+
+## First verified receipt (keep this artifact)
+
+The demo exports receipts to:
+
+- `<artifactDir>/x402-receipts.export.jsonl`
+- `<artifactDir>/x402-receipts.sample-verification.json`
+
+Convert the first exported receipt row into a standalone JSON file and verify it:
+
+```bash
+jq -c 'first' <artifactDir>/x402-receipts.export.jsonl > /tmp/settld-first-receipt.json
+settld x402 receipt verify /tmp/settld-first-receipt.json --format json --json-out /tmp/settld-first-receipt.verify.json
+```
+
+Keep `/tmp/settld-first-receipt.verify.json` (or check in an equivalent artifact path in CI). This is the deterministic
+proof packet for the first paid action.
+
+## Authority + Pinning Notes
+
+- Authority enforcement in this flow is API key scope + tenant-bound policy checks at Settld API/gateway surfaces.
+- Replay-critical settlement policy pinning is captured in `SettlementDecisionRecord.v2` (`policyHashUsed`, `verificationMethodHashUsed`), so decisions remain auditable and deterministic.
+- Receipts and exports bind the paid call to decision + settlement artifacts:
+  - `decisionId` (printed by demo and present in receipt data)
+  - `settlementReceiptId` (printed by demo and present in receipt data)
+
+Reference specs:
+
+- `docs/spec/SettlementDecisionRecord.v2.md`
+- `docs/spec/SettlementReceipt.v1.md`
+- `docs/spec/SettlementKernel.v1.md`
+
+## Run The MCP Server
+
+Primary path:
+
+```bash
+settld setup
+npm run mcp:server
+```
+
+Manual fallback (if you skip setup):
+
+```bash
+export SETTLD_BASE_URL='https://api.settld.work'   # or http://127.0.0.1:3000
+export SETTLD_TENANT_ID='tenant_default'
+export SETTLD_API_KEY='sk_live_xxx.yyy'            # keyId.secret (do not commit)
+export SETTLD_PROTOCOL='1.0'                       # optional; server will try to auto-discover
+export SETTLD_PAID_TOOLS_BASE_URL='http://127.0.0.1:8402' # optional; paid x402 tools
+```
+
+Start the server:
+
+```bash
+npm run mcp:server
+```
+
+The server speaks JSON-RPC 2.0 over `stdio` and exposes curated tools.
+If you run it in a normal terminal, it will just sit waiting for JSON-RPC input (this is expected). Use `mcp:probe` below to validate it end-to-end.
+
+## Optional: HTTP Gateway (HTTP -> MCP stdio)
+
+This is useful if you can do HTTP calls but cannot spawn a local MCP process.
+
+```bash
+export MCP_HTTP_PORT=8787
+npm run mcp:http
+```
+
+Then send JSON-RPC requests:
+
+```bash
+curl -sS http://127.0.0.1:8787/rpc \
+  -H 'content-type: application/json' \
+  -d '{"jsonrpc":"2.0","id":"1","method":"initialize","params":{"protocolVersion":"2024-11-05","clientInfo":{"name":"curl","version":"0"},"capabilities":{}}}' | jq .
+```
+
+## Sanity Check (No Manual JSON Copy/Paste)
+
+```bash
+npm run mcp:probe
+```
+
+This spawns the MCP server, runs `initialize` and `tools/list`, prints the responses, and exits.
+
+## x402 Gate Smoke (create -> verify -> get)
+
+Run an end-to-end x402 gate flow over MCP with explicit idempotency keys:
+
+```bash
+npm run -s mcp:probe -- --x402-smoke
+```
+
+This performs:
+
+1. `settld.x402_gate_create`
+2. `settld.x402_gate_verify` (auto-authorize enabled by default)
+3. `settld.x402_gate_get`
+
+You can override payloads from a JSON file:
+
+```bash
+cat > /tmp/settld-mcp-x402-smoke.json <<'JSON'
+{
+  "create": {
+    "amountCents": 250,
+    "idempotencyKey": "mcp_probe_create_custom_1"
+  },
+  "verify": {
+    "idempotencyKey": "mcp_probe_verify_custom_1",
+    "authorizeIdempotencyKey": "mcp_probe_auth_custom_1"
+  }
+}
+JSON
+
+npm run -s mcp:probe -- --x402-smoke --x402-smoke-file /tmp/settld-mcp-x402-smoke.json
+```
+
+## Agreement Delegation Tools (create/list)
+
+Create a delegation edge and list it via MCP:
+
+```bash
+cat > /tmp/settld-mcp-delegation-create.json <<'JSON'
+{
+  "parentAgreementHash": "1111111111111111111111111111111111111111111111111111111111111111",
+  "childAgreementHash": "2222222222222222222222222222222222222222222222222222222222222222",
+  "delegatorAgentId": "agt_parent",
+  "delegateeAgentId": "agt_child",
+  "budgetCapCents": 500,
+  "idempotencyKey": "mcp_probe_delegation_create_1"
+}
+JSON
+
+npm run -s mcp:probe -- --call-file settld.agreement_delegation_create /tmp/settld-mcp-delegation-create.json
+npm run -s mcp:probe -- --call settld.agreement_delegation_list '{"agreementHash":"1111111111111111111111111111111111111111111111111111111111111111","status":"active","limit":20,"offset":0}'
+```
+
+`settld.agreement_delegation_create` responses include `delegation.delegationHash` for deterministic orchestration and audit bindings.
+
+## Live Call Without Shell-JSON Footguns
+
+If your terminal copy/paste keeps inserting line breaks, pass tool arguments via a JSON file:
+
+```bash
+cat > /tmp/settld-mcp-create-agreement.json <<'JSON'
+{"amountCents":500,"currency":"USD","title":"MCP live probe","capability":"agent-task:demo","disputeWindowDays":7}
+JSON
+
+npm run -s mcp:probe -- --call-file settld.create_agreement /tmp/settld-mcp-create-agreement.json
+```
+
+Alternative that avoids paste issues entirely:
+
+```bash
+jq -n '{amountCents:500,currency:"USD",title:"MCP live probe",capability:"agent-task:demo",disputeWindowDays:7}' \
+  > /tmp/settld-mcp-create-agreement.json
+```
+
+## Tool Flow (Typical)
+
+1. Create an agreement (marketplace-backed) and a run:
+
+Method: `tools/call`
+
+Tool: `settld.create_agreement`
+
+Arguments example:
+
+```json
+{
+  "amountCents": 500,
+  "currency": "USD",
+  "title": "MCP spike agreement",
+  "capability": "agent-task:demo",
+  "disputeWindowDays": 7
+}
+```
+
+2. Submit evidence for the run:
+
+Tool: `settld.submit_evidence`
+
+```json
+{
+  "agentId": "<payeeAgentId from create_agreement>",
+  "runId": "<runId from create_agreement>",
+  "evidenceRef": "evidence://demo/step-1"
+}
+```
+
+3. Settle the run:
+
+Tool: `settld.settle_run`
+
+```json
+{
+  "agentId": "<payeeAgentId>",
+  "runId": "<runId>",
+  "outcome": "completed",
+  "outputRef": "evidence://demo/output"
+}
+```
+
+4. Resolve the settlement (so it is no longer `locked`):
+
+Tool: `settld.resolve_settlement`
+
+```json
+{
+  "runId": "<runId>",
+  "status": "released",
+  "reason": "demo settlement resolution"
+}
+```
+
+5. Open a dispute (only valid within the dispute window):
+
+Tool: `settld.open_dispute`
+
+```json
+{
+  "runId": "<runId>",
+  "reason": "Disputing for demo purposes",
+  "evidenceRefs": ["evidence://demo/dispute/1"],
+  "waitMs": 5000
+}
+```
+
+## Paid Tool Flows (`settld.exa_search_paid`, `settld.weather_current_paid`)
+
+Both paid tools exercise the same x402 path from MCP:
+
+1. First call returns `402` from the paid endpoint.
+2. MCP wrapper retries with `x-settld-gate-id`.
+3. Gateway returns `200` and `x-settld-*` verification/settlement headers.
+
+Run the local paid upstream + gateway from `docs/QUICKSTART_X402_GATEWAY.md`, then invoke:
+
+```bash
+cat > /tmp/settld-mcp-exa-search.json <<'JSON'
+{"query":"dentist near me chicago","numResults":3}
+JSON
+
+SETTLD_PAID_TOOLS_BASE_URL='http://127.0.0.1:8402' \
+npm run -s mcp:probe -- --call-file settld.exa_search_paid /tmp/settld-mcp-exa-search.json
+```
+
+Exa call result includes:
+
+- `response`: Exa-style search body.
+- `headers`: captured `x-settld-*` verification/settlement headers.
+
+Weather call example:
+
+```bash
+cat > /tmp/settld-mcp-weather.json <<'JSON'
+{"city":"Chicago","unit":"f"}
+JSON
+
+SETTLD_PAID_TOOLS_BASE_URL='http://127.0.0.1:8402' \
+npm run -s mcp:probe -- --call-file settld.weather_current_paid /tmp/settld-mcp-weather.json
+```
+
+## Notes
+
+- Writes require `x-settld-protocol`. The MCP server sets this automatically for write calls.
+- Run event appends require `x-proxy-expected-prev-chain-hash`. The MCP server fetches the current head and supplies it.
+- This is a spike (Sprint 23). Production hardening (SSE transport, rate limiting, etc.) is planned for Sprint 25.

package/docs/QUICKSTART_MCP_HOSTS.md

@@ -0,0 +1,210 @@
+# Quickstart: MCP Host Integrations (Codex, Claude, Cursor, OpenClaw)
+
+This guide is the fastest path to wire Settld into an agent host and confirm a first verified paid action.
+
+Target outcome:
+
+1. Host can call `settld.*` MCP tools.
+2. Wallet mode is configured (`managed`, `byo`, or `none`).
+3. Policy profile is applied.
+4. Smoke call and first paid receipt are green.
+
+For deeper tool-level examples, see `docs/QUICKSTART_MCP.md`.
+
+## 1) Before you run `settld setup`
+
+Required inputs:
+
+- `SETTLD_BASE_URL` (local or hosted API URL)
+- `SETTLD_TENANT_ID`
+- `SETTLD_API_KEY` (`keyId.secret`)
+- Node.js 20+
+
+Recommended non-interactive pattern:
+
+```bash
+settld setup --non-interactive \
+  --host openclaw \
+  --base-url https://api.settld.work \
+  --tenant-id tenant_default \
+  --settld-api-key 'sk_live_xxx.yyy' \
+  --wallet-mode managed \
+  --wallet-bootstrap remote \
+  --profile-id engineering-spend \
+  --smoke \
+  --out-env ./.tmp/settld-openclaw.env
+```
+
+If you want validation only (no config writes):
+
+```bash
+settld setup --non-interactive \
+  --host openclaw \
+  --base-url https://api.settld.work \
+  --tenant-id tenant_default \
+  --settld-api-key 'sk_live_xxx.yyy' \
+  --wallet-mode none \
+  --preflight-only \
+  --report-path ./.tmp/setup-preflight.json \
+  --format json
+```
+
+## 2) Host setup flows
+
+Unified setup command:
+
+```bash
+settld setup
+```
+
+The wizard handles:
+
+- host selection (`codex|claude|cursor|openclaw`)
+- wallet mode selection (`managed|byo|none`)
+- preflight checks (API health, tenant auth, profile baseline, host config path)
+- policy apply + optional smoke
+- interactive menus with arrow keys (Up/Down + Enter) for choice steps
+
+Host-specific non-interactive examples:
+
+```bash
+# Codex
+settld setup --non-interactive --host codex --base-url http://127.0.0.1:3000 --tenant-id tenant_default --settld-api-key sk_live_xxx.yyy --wallet-mode none --profile-id engineering-spend --smoke
+
+# Claude
+settld setup --non-interactive --host claude --base-url http://127.0.0.1:3000 --tenant-id tenant_default --settld-api-key sk_live_xxx.yyy --wallet-mode none --profile-id engineering-spend --smoke
+
+# Cursor
+settld setup --non-interactive --host cursor --base-url http://127.0.0.1:3000 --tenant-id tenant_default --settld-api-key sk_live_xxx.yyy --wallet-mode none --profile-id engineering-spend --smoke
+
+# OpenClaw
+settld setup --non-interactive --host openclaw --base-url http://127.0.0.1:3000 --tenant-id tenant_default --settld-api-key sk_live_xxx.yyy --wallet-mode none --profile-id engineering-spend --smoke
+```
+
+## 3) Wallet modes: managed vs BYO
+
+### Managed (`--wallet-mode managed`)
+
+Managed is the default and recommended first path.
+
+`--wallet-bootstrap auto` behavior:
+
+- If `--circle-api-key` (or `CIRCLE_API_KEY`) is present: local Circle bootstrap.
+- If not present: remote onboarding bootstrap (`/v1/tenants/{tenantId}/onboarding/wallet-bootstrap`).
+
+Force the path explicitly when needed:
+
+```bash
+# force remote wallet creation
+settld setup --non-interactive --host openclaw --base-url https://api.settld.work --tenant-id tenant_default --settld-api-key 'sk_live_xxx.yyy' --wallet-mode managed --wallet-bootstrap remote --profile-id engineering-spend --smoke
+
+# force local wallet creation with Circle credentials
+settld setup --non-interactive --host openclaw --base-url https://api.settld.work --tenant-id tenant_default --settld-api-key 'sk_live_xxx.yyy' --wallet-mode managed --wallet-bootstrap local --circle-api-key 'TEST_API_KEY:...' --profile-id engineering-spend --smoke
+```
+
+### BYO (`--wallet-mode byo`)
+
+Provide your own existing wallet values. Required keys:
+
+- `CIRCLE_BASE_URL`
+- `CIRCLE_BLOCKCHAIN`
+- `CIRCLE_WALLET_ID_SPEND`
+- `CIRCLE_WALLET_ID_ESCROW`
+- `CIRCLE_TOKEN_ID_USDC`
+- `CIRCLE_ENTITY_SECRET_HEX`
+
+Pass as env or repeated `--wallet-env KEY=VALUE` flags:
+
+```bash
+settld setup --non-interactive \
+  --host openclaw \
+  --base-url https://api.settld.work \
+  --tenant-id tenant_default \
+  --settld-api-key 'sk_live_xxx.yyy' \
+  --wallet-mode byo \
+  --wallet-env CIRCLE_BASE_URL=https://api-sandbox.circle.com \
+  --wallet-env CIRCLE_BLOCKCHAIN=BASE-SEPOLIA \
+  --wallet-env CIRCLE_WALLET_ID_SPEND=wid_spend \
+  --wallet-env CIRCLE_WALLET_ID_ESCROW=wid_escrow \
+  --wallet-env CIRCLE_TOKEN_ID_USDC=token_usdc \
+  --wallet-env CIRCLE_ENTITY_SECRET_HEX=$(openssl rand -hex 32) \
+  --profile-id engineering-spend \
+  --smoke
+```
+
+### None (`--wallet-mode none`)
+
+Use this for policy/tooling setup without payment rails yet.
+
+## 4) Activation after setup
+
+`settld setup` writes host MCP config and prints `Combined exports`.
+
+If you used `--out-env`, source it before running tools:
+
+```bash
+source ./.tmp/settld-openclaw.env
+```
+
+Then activate host-side:
+
+- `codex`: restart Codex.
+- `claude`: restart Claude Desktop.
+- `cursor`: restart Cursor.
+- `openclaw`: run `openclaw doctor`, ensure OpenClaw onboarding is complete (`openclaw onboard --install-daemon`), then run `openclaw tui`.
+
+## 5) How the agent uses Settld after activation
+
+After host activation, the agent interacts with Settld through MCP `settld.*` tools.
+
+Typical flow:
+
+1. Connectivity check: `settld.about`
+2. Paid action: `settld.exa_search_paid` or `settld.weather_current_paid`
+3. Policy gate + authorization happen server-side in Settld.
+4. Settld records evidence/decision/receipt artifacts.
+5. You can verify receipts offline (`settld x402 receipt verify`).
+
+Quick local smoke:
+
+```bash
+npm run mcp:probe -- --call settld.about '{}'
+```
+
+First paid run + artifacts:
+
+```bash
+npm run demo:mcp-paid-exa
+```
+
+Verify first receipt from artifacts:
+
+```bash
+# replace <artifactDir> with the printed directory from demo output
+settld x402 receipt verify <artifactDir>/x402-receipt.json --json-out /tmp/settld-first-receipt.json
+```
+
+## 6) Host config helper customization
+
+Default host configuration logic is in:
+
+- `scripts/setup/host-config.mjs`
+
+If you need a custom resolver/writer, pass:
+
+```bash
+settld setup --host-config ./path/to/custom-host-config.mjs
+```
+
+Your helper should provide resolver/setup exports compatible with `scripts/setup/wizard.mjs`.
+
+## 7) Troubleshooting
+
+- `BYO wallet mode missing required env keys`
+  - Provide all required Circle keys in section 3.
+- `host config helper missing`
+  - Add `scripts/setup/host-config.mjs` or pass `--host-config`.
+- `SETTLD_API_KEY must be a non-empty string`
+  - Ensure key is present in shell or setup flags.
+- Host cannot run `npx`
+  - Install Node.js 20+ and ensure `npx` is in `PATH`.

package/docs/QUICKSTART_POLICY_PACKS.md

@@ -0,0 +1,65 @@
+# Quickstart: Policy Packs CLI (v1)
+
+Goal: initialize, simulate, and publish deterministic local policy pack artifacts with `settld policy`.
+
+## Starter policy packs
+
+- `engineering-spend`
+- `procurement-enterprise`
+- `data-api-buyer`
+- `support-automation`
+- `finance-controls`
+
+## 1) Initialize a starter pack
+
+Installed CLI:
+
+```bash
+npx settld policy init engineering-spend --out ./policies/engineering.policy-pack.json
+```
+
+Repo checkout:
+
+```bash
+./bin/settld.js policy init engineering-spend --out ./policies/engineering.policy-pack.json
+```
+
+## 2) Simulate a decision
+
+Default scenario (first allowlisted provider/tool, zero spend):
+
+```bash
+./bin/settld.js policy simulate ./policies/engineering.policy-pack.json --format json
+```
+
+Explicit scenario:
+
+```bash
+./bin/settld.js policy simulate ./policies/engineering.policy-pack.json \
+  --scenario-json '{"providerId":"openai","toolId":"llm.inference","amountUsdCents":25000,"monthToDateSpendUsdCents":100000,"approvalsProvided":1,"receiptSigned":true,"toolManifestHashPresent":true,"toolVersionKnown":true}' \
+  --format json
+```
+
+## 3) Publish locally (deterministic report artifact)
+
+```bash
+./bin/settld.js policy publish ./policies/engineering.policy-pack.json --format json
+```
+
+`publish` has no remote dependency. It writes a local `SettldPolicyPublication.v1` artifact and returns a `SettldPolicyPublishReport.v1` with:
+
+- deterministic `policyFingerprint` (canonical JSON SHA-256)
+- deterministic `publicationRef` (`<channel>:<packId>:<fingerprint-prefix>`)
+- `artifactPath` + `artifactSha256`
+
+## Output modes
+
+All commands support:
+
+- `--format text|json` (default `text`)
+- `--json-out <path>` for machine output files
+
+`init` and `publish` also support:
+
+- `--out <path>`
+- `--force` to overwrite an existing path

package/docs/QUICKSTART_PRODUCE.md

@@ -0,0 +1,61 @@
+# Quickstart: Produce + verify a bundle (bootstrap)
+
+This quickstart is for design partners who want an end-to-end “from zero” flow:
+
+1) initialize trust + keys
+2) produce a bundle
+3) verify it strictly and archive the JSON output
+
+## 0) Install (from this repo)
+
+From a checkout:
+
+```sh
+npm ci
+```
+
+## 1) Initialize trust
+
+```sh
+node packages/artifact-produce/bin/settld-trust.js init --out out/trust --format json --force
+```
+
+This writes:
+
+- `out/trust/trust.json` (public trust anchors; safe to commit)
+- `out/trust/keypairs.json` (private keys; **do not commit**)
+
+For production deployments, use remote signing so no private keys touch disk:
+
+- RemoteSigner contract: `docs/spec/REMOTE_SIGNER.md`
+- Operator notes: `docs/OPERATIONS_SIGNING.md`
+
+## 2) Produce a JobProof bundle
+
+```sh
+node packages/artifact-produce/bin/settld-produce.js jobproof \
+  --out out/jobproof \
+  --keys out/trust/keypairs.json \
+  --format json \
+  --deterministic \
+  --force
+```
+
+The output JSON is `ProduceCliOutput.v1` (see `docs/spec/ProduceCliOutput.v1.md`).
+
+## 3) Verify strictly
+
+Export trust anchors from `trust.json`:
+
+```sh
+export SETTLD_TRUSTED_GOVERNANCE_ROOT_KEYS_JSON="$(node -e \"const fs=require('fs'); const t=JSON.parse(fs.readFileSync('out/trust/trust.json','utf8')); process.stdout.write(JSON.stringify(t.governanceRoots||{}))\")"
+export SETTLD_TRUSTED_TIME_AUTHORITY_KEYS_JSON="$(node -e \"const fs=require('fs'); const t=JSON.parse(fs.readFileSync('out/trust/trust.json','utf8')); process.stdout.write(JSON.stringify(t.timeAuthorities||{}))\")"
+```
+
+Then verify and archive machine output:
+
+```sh
+node packages/artifact-verify/bin/settld-verify.js --format json --strict --job-proof out/jobproof > out/verify.json
+```
+
+`out/verify.json` is `VerifyCliOutput.v1` and is intended to be archived as audit evidence.