settld 0.1.5 → 0.2.0

package/docs/QUICKSTART_PROFILES.md

@@ -0,0 +1,198 @@
+# Quickstart: Profiles CLI
+
+Goal: scaffold, validate, and simulate a policy profile with the Settld CLI.
+
+## Prerequisites
+
+- Node.js 20+
+- Repo checkout with dependencies installed (`npm ci`)
+
+## 0) One-command runtime setup (recommended before `profile apply`)
+
+Non-interactive setup (manual mode):
+
+```bash
+./bin/settld.js setup --yes --mode manual --host codex --base-url http://127.0.0.1:3000 --tenant-id tenant_default --api-key sk_runtime_apply --profile-id engineering-spend
+```
+
+`settld setup` now also emits `SETTLD_PAID_TOOLS_AGENT_PASSPORT` automatically, so paid MCP tools run with policy-bound passport context without manual JSON editing.
+Add `--smoke` if you want setup to run an immediate MCP probe before moving on.
+
+Bootstrap mode (same flow, runtime key minted by onboarding endpoint):
+
+```bash
+./bin/settld.js setup --yes --mode bootstrap --host codex --base-url https://api.settld.work --tenant-id tenant_default --bootstrap-api-key mlk_admin_xxx --bootstrap-key-id sk_runtime --bootstrap-scopes runs:read,runs:write --idempotency-key profile_setup_bootstrap_1
+```
+
+If you only want runtime env + host wiring (without applying a profile), add:
+
+```bash
+--skip-profile-apply
+```
+
+To validate payment evidence early, run a paid demo after setup and verify the first exported receipt:
+
+```bash
+npm run demo:mcp-paid-exa
+jq -c 'first' artifacts/mcp-paid-exa/*/x402-receipts.export.jsonl > /tmp/settld-first-receipt.json
+settld x402 receipt verify /tmp/settld-first-receipt.json --format json --json-out /tmp/settld-first-receipt.verify.json
+```
+
+To verify MCP wiring immediately during setup, add:
+
+```bash
+--smoke
+```
+
+Single command that loads setup exports and applies a profile:
+
+```bash
+eval "$(./bin/settld.js setup --yes --mode manual --host codex --base-url http://127.0.0.1:3000 --tenant-id tenant_default --api-key sk_runtime_apply | grep '^export ')" && ./bin/settld.js profile apply ./profiles/engineering-spend.profile.json --format json
+```
+
+## 1) List available starter profiles
+
+Installed CLI:
+
+```bash
+npx settld profile list
+```
+
+Repo checkout:
+
+```bash
+./bin/settld.js profile list
+```
+
+Example output:
+
+```text
+engineering-spend	engineering	Engineering Spend	<profile_fingerprint_sha256>
+procurement	procurement	Procurement	<profile_fingerprint_sha256>
+data-api-buyer	data	Data API Buyer	<profile_fingerprint_sha256>
+support-automation	support	Support Automation	<profile_fingerprint_sha256>
+finance-controls	finance	Finance Controls	<profile_fingerprint_sha256>
+growth-marketing	marketing	Growth Marketing	<profile_fingerprint_sha256>
+```
+
+## 2) Initialize a profile
+
+Installed CLI:
+
+```bash
+npx settld profile init engineering-spend --out ./profiles/engineering-spend.profile.json
+```
+
+Repo checkout:
+
+```bash
+./bin/settld.js profile init engineering-spend --out ./profiles/engineering-spend.profile.json
+```
+
+Example output:
+
+```text
+ok	engineering-spend	/home/you/repo/profiles/engineering-spend
+```
+
+## 3) Validate profile schema + semantics
+
+Installed CLI:
+
+```bash
+npx settld profile validate ./profiles/engineering-spend.profile.json --format json
+```
+
+Repo checkout:
+
+```bash
+./bin/settld.js profile validate ./profiles/engineering-spend.profile.json --format json
+```
+
+Example output:
+
+```json
+{
+  "schemaVersion": "SettldProfileValidationReport.v1",
+  "ok": true,
+  "profileId": "engineering-spend",
+  "profileFingerprintVersion": "SettldProfileFingerprint.v1",
+  "profileFingerprint": "<sha256>",
+  "errors": [],
+  "warnings": []
+}
+```
+
+## 4) Simulate policy decisions
+
+Installed CLI:
+
+```bash
+npx settld profile simulate ./profiles/engineering-spend.profile.json --format json
+```
+
+Repo checkout:
+
+```bash
+./bin/settld.js profile simulate ./profiles/engineering-spend.profile.json --format json
+```
+
+Example output:
+
+```json
+{
+  "schemaVersion": "SettldProfileSimulationReport.v1",
+  "ok": true,
+  "profileId": "engineering-spend",
+  "decision": "allow",
+  "requiredApprovers": 0,
+  "approvalsProvided": 0,
+  "selectedApprovalTier": "auto",
+  "reasons": [],
+  "reasonCodes": [],
+  "reasonDetails": [],
+  "reasonRegistryVersion": "SettldProfileSimulationReasonRegistry.v1",
+  "profileFingerprintVersion": "SettldProfileFingerprint.v1",
+  "profileFingerprint": "<sha256>"
+}
+```
+
+To simulate with explicit scenario data:
+
+```bash
+./bin/settld.js profile simulate ./profiles/engineering-spend.profile.json --scenario ./test/fixtures/profile/scenario-allow.json --format json
+```
+
+## 5) Apply profile to runtime
+
+Set runtime connection/auth values:
+
+```bash
+export SETTLD_BASE_URL=http://127.0.0.1:3000
+export SETTLD_TENANT_ID=tenant_default
+export SETTLD_API_KEY=sk_runtime_apply
+# optional override:
+export SETTLD_SPONSOR_WALLET_REF=wallet_ops_default
+```
+
+Dry-run first (no live writes):
+
+```bash
+./bin/settld.js profile apply ./profiles/engineering-spend.profile.json --dry-run --format json
+```
+
+Then execute live apply:
+
+```bash
+./bin/settld.js profile apply ./profiles/engineering-spend.profile.json --format json
+```
+
+`profile apply` also accepts runtime-prefixed aliases:
+`SETTLD_RUNTIME_BASE_URL`, `SETTLD_RUNTIME_TENANT_ID`, `SETTLD_RUNTIME_BEARER_TOKEN`.
+
+## Common troubleshooting
+
+- `unknown profile`: run `settld profile list` and use one of the listed IDs.
+- `validation failed`: fix reported schema/semantic errors, then rerun `profile validate`.
+- `scenario file not found`: pass an existing JSON scenario path to `profile simulate`.
+- `profile apply missing runtime config`: set runtime base URL, tenant ID, bearer token, and wallet ref before running live apply.

package/docs/README.md

@@ -6,6 +6,7 @@ For curated public docs, start here:
 
 - [Settld Docs home](./gitbook/README.md)
 - [Quickstart](./gitbook/quickstart.md)
+- [Quickstart: Profiles CLI](./QUICKSTART_PROFILES.md)
 - [Core Primitives](./gitbook/core-primitives.md)
 - [API Reference](./gitbook/api-reference.md)
 - [Conformance](./gitbook/conformance.md)
@@ -13,3 +14,20 @@ For curated public docs, start here:
 - [Guides](./gitbook/guides.md)
 - [Security Model](./gitbook/security-model.md)
 - [FAQ](./gitbook/faq.md)
+
+## Fastest onboarding path
+
+1. Run `settld setup` (or `./bin/settld.js setup`) with your host, tenant, and API key.
+2. Activate your host and run `npm run mcp:probe`.
+3. Run `npm run demo:mcp-paid-exa`.
+4. Verify the first receipt:
+
+```bash
+jq -c 'first' artifacts/mcp-paid-exa/*/x402-receipts.export.jsonl > /tmp/settld-first-receipt.json
+settld x402 receipt verify /tmp/settld-first-receipt.json --format json --json-out /tmp/settld-first-receipt.verify.json
+```
+
+Reference docs:
+
+- `docs/QUICKSTART_MCP_HOSTS.md`
+- `docs/QUICKSTART_MCP.md`

package/docs/RELEASE_CHECKLIST.md

@@ -5,6 +5,14 @@ This checklist is the “no surprises” gate for shipping Settld as a product (
 ## Preconditions
 
 - `npm test` is green on main.
+- Main-branch release gate jobs are green in `.github/workflows/tests.yml` for the release commit:
+  - `noo_44_47_48_regressions` (NOO-44/47/48 fail-closed regression lane)
+  - `kernel_v0_ship_gate`
+  - `production_cutover_gate`
+  - `offline_verification_parity_gate` (NOO-50)
+  - `onboarding_host_success_gate`
+- Public package smoke for OpenClaw onboarding is green:
+  - `npm run test:ci:public-openclaw-npx-smoke`
 - `CHANGELOG.md` is updated and accurate.
 - Protocol v1 freeze gate is satisfied (no accidental v1 schema/vector drift).
 - Minimum production topology is defined for the target environment:
@@ -16,6 +24,9 @@ This checklist is the “no surprises” gate for shipping Settld as a product (
   - `SETTLD_STAGING_OPS_TOKEN`
 - npm publish secret is configured for `.github/workflows/release.yml` if you want direct registry distribution:
   - `NPM_TOKEN`
+- Optional launch cutover packet signing inputs are configured for `.github/workflows/go-live-gate.yml` if signed packets are required:
+  - secret: `LAUNCH_CUTOVER_PACKET_SIGNING_PRIVATE_KEY_PEM`
+  - variable: `LAUNCH_CUTOVER_PACKET_SIGNATURE_KEY_ID`
 - PyPI Trusted Publisher is configured for `.github/workflows/release.yml` and the `pypi` GitHub environment is allowed.
 - PyPI Trusted Publisher is configured for `.github/workflows/python-pypi.yml` and the `pypi` GitHub environment is allowed (if using the Python-only lane).
 - TestPyPI Trusted Publisher is configured for `.github/workflows/python-testpypi.yml` and the `testpypi` GitHub environment is allowed.
@@ -31,6 +42,7 @@ For a v1 freeze release, the GitHub Release MUST include:
 - `conformance-v1.tar.gz` + `conformance-v1-SHA256SUMS`
 - `settld-audit-packet-v1.zip` + `settld-audit-packet-v1.zip.sha256`
 - `release_index_v1.json` + `release_index_v1.sig` (signed release manifest)
+- `release-promotion-guard.json` (NOO-65 promotion guard report)
 
 Release-gate evidence should also include:
 
@@ -47,6 +59,11 @@ Release-gate evidence should also include:
 - `artifacts/throughput/10x-drill-summary.json`
 - `artifacts/gates/s13-go-live-gate.json`
 - `artifacts/gates/s13-launch-cutover-packet.json`
+- when signing is configured, packet includes `signature` with `schemaVersion=LaunchCutoverPacketSignature.v1`
+- `artifacts/gates/production-cutover-gate.json`
+- `artifacts/gates/offline-verification-parity-gate.json` (NOO-50)
+- `artifacts/gates/onboarding-host-success-gate.json`
+- `artifacts/gates/release-promotion-guard.json` (NOO-65)
 
 See `docs/spec/SUPPLY_CHAIN.md` for the release-channel threat model and verification posture.
 
@@ -145,8 +162,17 @@ Required gate reports:
 
 - `artifacts/throughput/10x-drill-summary.json`
 - `artifacts/throughput/10x-incident-rehearsal-summary.json`
+- `artifacts/gates/production-cutover-gate.json`
 - `artifacts/gates/s13-go-live-gate.json`
 - `artifacts/gates/s13-launch-cutover-packet.json`
+- Live deploy readiness run (manual workflow): `artifacts/gates/production-cutover-gate-prod.json`
+
+Promotion guard order (fail-closed):
+
+1. NOO-50 parity gate report is generated on main (`artifacts/gates/offline-verification-parity-gate.json`).
+2. S13 go-live workflow report set is generated for the same release commit (`s13-go-live-gate.json` + `s13-launch-cutover-packet.json`).
+3. Release workflow binds all required gate artifacts (kernel, production cutover, NOO-50 parity, onboarding host success, S13 go-live, S13 launch packet, hosted baseline evidence) into NOO-65.
+4. Release workflow must emit `artifacts/gates/release-promotion-guard.json` with `verdict.ok=true` before artifact publish jobs execute.
 
 Related runbooks:
 

package/docs/RELEASING.md

@@ -20,6 +20,7 @@ See `docs/RELEASE_CHECKLIST.md` for the definitive artifact completeness require
 5. Run packaging smoke test:
    - `node scripts/ci/npm-pack-smoke.mjs`
    - `node scripts/ci/cli-pack-smoke.mjs`
+   - `node scripts/ci/run-public-openclaw-npx-smoke.mjs`
    - `python3 -m build packages/api-sdk-python --sdist --wheel --outdir /tmp/settld-python-dist-smoke`
    - Optionally generate full release artifacts locally: `npm run release:artifacts`
 6. Create a tag and push it:

package/docs/SLO.md

@@ -62,9 +62,70 @@ DLQ backlog is an on-call page. Pending backlog at end-of-run implies workers ar
 
 If the outbox is growing without being drained, the system is not steady-state safe.
 
+## SLO-4: Onboarding first-paid-call runtime (host readiness)
+
+**Objective**
+
+- Across supported hosts in the compatibility matrix, first-paid-call runtime remains within a deterministic p95 bound.
+
+**Metric**
+
+- `onboarding_first_paid_call_runtime_ms_p95_gauge` (fallbacks supported by gate script: `first_paid_call_runtime_ms_p95_gauge`, `first_paid_call_latency_ms_p95_gauge`)
+
+**Threshold**
+
+- `p95 <= 2000ms` (default; configurable via `SLO_ONBOARDING_FIRST_PAID_CALL_P95_MAX_MS`)
+
+## SLO-5: Policy decision runtime (latency + errors)
+
+**Objective**
+
+- Policy decision runtime stays fast and low-error on readiness runs.
+
+**Metrics**
+
+- `policy_decision_latency_ms_p95_gauge` (fallbacks supported by gate script)
+- policy decision totals and error totals (`policy_decisions_total` + `outcome=error`, with supported fallbacks)
+
+**Thresholds**
+
+- `policy decision p95 <= 250ms` (default; configurable via `SLO_POLICY_DECISION_LATENCY_P95_MAX_MS`)
+- `policy decision error rate <= 1%` (default; configurable via `SLO_POLICY_DECISION_ERROR_RATE_MAX_PCT`)
+
+## SLO-6: Host onboarding success rate (clean environment)
+
+**Objective**
+
+- Supported hosts must pass deterministic `settld setup --preflight-only` onboarding checks at or above a configured success rate under isolated HOME paths.
+
+**Metrics**
+
+- `onboarding_host_setup_attempts_total_gauge{host=...}`
+- `onboarding_host_setup_success_total_gauge{host=...}`
+- `onboarding_host_setup_failure_total_gauge{host=...}`
+- `onboarding_host_setup_success_rate_pct_gauge{host=...}`
+
+**Threshold**
+
+- Per-host success rate must be `>= 90%` by default (configurable with `ONBOARDING_HOST_SUCCESS_RATE_MIN_PCT`).
+
+**Why**
+
+Preflight success under clean homes verifies host bootstrap reliability and catches host-specific config drift before production cutover.
+
 ## CI enforcement
 
 - Script: `scripts/slo/check.mjs`
 - Source of truth: `/metrics` snapshot taken after the smoke lifecycle completes.
 - Thresholds are configurable via env (see script header).
-
+- Onboarding/policy readiness gate: `scripts/ci/run-onboarding-policy-slo-gate.mjs`
+- Host matrix input: `artifacts/ops/mcp-host-cert-matrix.json`
+- Output artifact: `artifacts/gates/onboarding-policy-slo-gate.json`
+- Onboarding host success gate: `scripts/ci/run-onboarding-host-success-gate.mjs`
+- Output artifact: `artifacts/gates/onboarding-host-success-gate.json`
+- Metrics output directory: `artifacts/ops/onboarding-host-success/`
+- Deterministic binding: onboarding gates emit `artifactHashScope` + `artifactHash` over canonical report core.
+- Gates are fail-closed when required host checks/metrics are missing or thresholds are breached.
+- CI wiring:
+  - `tests / onboarding_policy_slo_gate` generates matrix + metrics snapshot and runs the onboarding gate.
+  - `tests / onboarding_host_success_gate` runs clean-home preflight onboarding checks per supported host and emits host metrics artifacts.

package/docs/SUMMARY.md

@@ -3,6 +3,7 @@
 - [Settld Documentation](README.md)
 - [Docs Home](gitbook/README.md)
 - [Quickstart](gitbook/quickstart.md)
+- [Quickstart: Profiles CLI](QUICKSTART_PROFILES.md)
 - [Core Primitives](gitbook/core-primitives.md)
 - [API Reference](gitbook/api-reference.md)
 - [Conformance](gitbook/conformance.md)

package/docs/gitbook/README.md

@@ -10,12 +10,24 @@ Settld gives you a canonical economic loop:
 
 ## Start here
 
-- [Quickstart](./quickstart.md) — local stack to conformance in minutes
+- [Quickstart](./quickstart.md) — one-command onboarding to first verified paid receipt
 - [Core Primitives](./core-primitives.md) — protocol objects and invariants
 - [API Reference](./api-reference.md) — endpoint map and auth model
 - [Conformance](./conformance.md) — machine-checkable correctness gates
 - [Closepacks](./closepacks.md) — offline verification workflow
 
+## One-command onboarding
+
+```bash
+settld setup --non-interactive --host codex --base-url http://127.0.0.1:3000 --tenant-id tenant_default --settld-api-key sk_live_xxx.yyy --wallet-mode managed --wallet-bootstrap remote --profile-id engineering-spend --smoke
+```
+
+Then:
+
+1. `npm run mcp:probe -- --call settld.about '{}'`
+2. `npm run demo:mcp-paid-exa`
+3. verify first receipt with `settld x402 receipt verify`
+
 ## Implementation path
 
 1. Run local stack and conformance

package/docs/gitbook/quickstart.md

@@ -1,104 +1,103 @@
 # Quickstart
 
-Get from zero to a verified Kernel v0 flow in minutes.
+Get from zero to a verified paid agent action in minutes.
 
 ## Prerequisites
 
 - Node.js 20+
-- Docker Desktop / Docker Engine running
-- `jq` installed (recommended for local checks)
+- Settld API URL
+- Tenant ID
+- Tenant API key (`keyId.secret`)
 
-## 1) Start local stack
+## 0) One-command setup
 
-Installed CLI:
+Run guided setup:
 
 ```bash
-npx settld dev up
+settld setup
 ```
 
-Repo checkout:
+The guided setup uses arrow-key menus for host/wallet/policy decisions, then asks only the next required fields.
+
+Non-interactive example:
 
 ```bash
-./bin/settld.js dev up
+settld setup --non-interactive \
+  --host codex \
+  --base-url http://127.0.0.1:3000 \
+  --tenant-id tenant_default \
+  --settld-api-key sk_live_xxx.yyy \
+  --wallet-mode managed \
+  --wallet-bootstrap remote \
+  --profile-id engineering-spend \
+  --smoke \
+  --out-env ./.tmp/settld.env
 ```
 
-Expected:
+What this does:
 
-- API healthy on local URL
-- local ops token available (`tok_ops` in default dev path)
+- configures host MCP wiring
+- sets runtime env and policy passport
+- applies starter profile
+- runs connectivity smoke checks
 
-## 2) Create a capability template
+## 1) Activate your host
 
-Installed CLI:
+If you wrote an env file, load it:
 
 ```bash
-npx settld init capability my-capability
+source ./.tmp/settld.env
 ```
 
-Repo checkout:
+Then restart your host app (Codex/Claude/Cursor/OpenClaw) so it reloads MCP config.
+
+## 2) Verify MCP connectivity
 
 ```bash
-./bin/settld.js init capability my-capability
+npm run mcp:probe -- --call settld.about '{}'
 ```
 
-Then run the generated capability server (follow generated README in the capability folder).
-
-## 3) Run kernel conformance
-
-Installed CLI:
+Expected outcome:
 
-```bash
-npx settld conformance kernel --ops-token tok_ops --json-out /tmp/kernel-report.json
-```
+- `settld.about` succeeds
+- host can discover `settld.*` tools
 
-Repo checkout:
+## 3) Run first paid call
 
 ```bash
-./bin/settld.js conformance kernel --ops-token tok_ops --json-out /tmp/kernel-report.json
+npm run demo:mcp-paid-exa
 ```
 
-Expected:
+Expected output includes:
 
-- conformance PASS
-- report at `/tmp/kernel-report.json`
+- `PASS artifactDir=...`
+- `gateId=...`
+- `decisionId=...`
+- `settlementReceiptId=...`
 
-## 4) Export and verify a closepack
-
-Use an agreement hash from conformance/test output:
+## 4) Verify first receipt (proof packet)
 
 ```bash
-npx settld closepack export --agreement-hash <agreementHash> --out closepack.zip
-npx settld closepack verify closepack.zip --json-out /tmp/closepack-verify.json
+jq -c 'first' <artifactDir>/x402-receipts.export.jsonl > /tmp/settld-first-receipt.json
+settld x402 receipt verify /tmp/settld-first-receipt.json --format json --json-out /tmp/settld-first-receipt.verify.json
 ```
 
-Expected:
-
-- closepack verify passes
-- JSON verification report produced
+`/tmp/settld-first-receipt.verify.json` is your deterministic verification artifact for audit/compliance.
 
-## 5) Replay-evaluate
+## 5) Optional: policy profile workflows
 
 ```bash
-curl -s "http://127.0.0.1:3000/ops/tool-calls/replay-evaluate?agreementHash=<agreementHash>" \
-  -H "x-proxy-ops-token: tok_ops" | jq .
+settld profile list
+settld profile init engineering-spend --out ./profiles/engineering-spend.profile.json
+settld profile validate ./profiles/engineering-spend.profile.json --format json
+settld profile simulate ./profiles/engineering-spend.profile.json --format json
 ```
 
-Expected: replay comparison fields indicate consistency/match.
-
 ## Troubleshooting
 
-### Docker not found
-
-Install/start Docker. Then rerun `dev up`.
-
-### Node engine warning
-
-Use Node 20+.
-
-### Ops token permission error
-
-Use token with at least `ops_read` scope.
-
-### Port conflicts
-
-Stop process on API port (`3000`) or configure alternate local runtime settings.
+- `SETTLD_API_KEY must be a non-empty string`
+  - ensure key is present in setup flags or shell env.
+- `BYO wallet mode missing required env keys`
+  - provide all required Circle keys in `docs/QUICKSTART_MCP_HOSTS.md`.
+- Host cannot find MCP tools
+  - rerun setup, restart host, then rerun `npm run mcp:probe`.

package/docs/integrations/README.md

@@ -4,6 +4,7 @@ Copy/paste adoption templates and guardrails:
 
 - `github-actions.md` — composite action usage and trust anchor wiring.
 - `github-actions-verify.yml` — pasteable workflow template.
+- `openclaw/PUBLIC_QUICKSTART.md` — public npm onboarding flow for OpenClaw (`npx settld@latest setup`).
 - `openclaw/settld-mcp-skill/SKILL.md` — OpenClaw skill payload for Settld MCP.
 - `openclaw/CLAWHUB_PUBLISH_CHECKLIST.md` — publish + validation checklist for ClawHub.
 

package/docs/integrations/openclaw/PUBLIC_QUICKSTART.md

@@ -0,0 +1,95 @@
+# OpenClaw Public Quickstart (No Repo Clone)
+
+Use this when you want a public user to set up Settld from npm in a fresh machine.
+
+## 1) Install and onboard OpenClaw
+
+Follow OpenClaw docs:
+
+- https://docs.openclaw.ai/install/index
+- https://docs.openclaw.ai/start/wizard
+
+Then run onboarding:
+
+```bash
+openclaw onboard --install-daemon
+openclaw doctor
+```
+
+If `openclaw` is not on PATH yet, use the npx fallback:
+
+```bash
+npx -y openclaw@latest onboard --install-daemon
+```
+
+## 2) Run Settld setup from npm
+
+Interactive path (recommended):
+
+```bash
+npx -y settld@latest setup
+```
+
+Choose:
+
+1. `host`: `openclaw`
+2. wallet mode (`managed` recommended first)
+3. wallet bootstrap (`remote` recommended for first setup)
+4. keep preflight + smoke enabled
+5. apply a starter profile (`engineering-spend`)
+
+Non-interactive path (automation/support):
+
+```bash
+npx -y settld@latest setup \
+  --non-interactive \
+  --host openclaw \
+  --base-url https://api.settld.work \
+  --tenant-id tenant_default \
+  --settld-api-key 'sk_live_xxx.yyy' \
+  --wallet-mode managed \
+  --wallet-bootstrap remote \
+  --profile-id engineering-spend \
+  --smoke
+```
+
+## 3) Verify OpenClaw + Settld are wired
+
+Run:
+
+```bash
+openclaw doctor
+```
+
+Then from OpenClaw chat/test prompt:
+
+- `Call settld.about and return JSON.`
+
+Expected result: success payload with Settld tool metadata.
+
+## 4) Run first paid tool call
+
+From OpenClaw prompt:
+
+- `Run settld.weather_current_paid for city=Chicago unit=f and include x-settld-* headers in the response.`
+
+Expected result:
+
+- tool call succeeds
+- response includes policy/decision/settlement headers (`x-settld-*`)
+
+## 5) Verify receipt artifact (when available)
+
+If you exported a receipt JSON from your Settld environment, verify it offline:
+
+```bash
+npx -y settld@latest x402 receipt verify ./receipt.json --format json
+```
+
+## Notes for operators
+
+- Public users do not need to clone the Settld repo.
+- Public path is valid only after publishing a package version that includes the current setup flow.
+- For OpenClaw skill packaging and publish flow, see:
+  - `docs/integrations/openclaw/settld-mcp-skill/SKILL.md`
+  - `docs/integrations/openclaw/CLAWHUB_PUBLISH_CHECKLIST.md`