Record onboarding harness + Stage 1 result; scope Stage 2

Current state: the onboarding doc-harness and its Stage 1 completed-clean
result. ROADMAP: spell out Stage 2 (regtest buyer-pays) under the
agent-payment-connect item. Drop the resolved GET /v1/admin/products 405
debt item.
Keysat
2026-06-16 22:48:17 -05:00
parent 1788c9b082
commit 0813e90510
2 changed files with 28 additions and 2 deletions
+16
@@ -121,6 +121,22 @@ Operator-specific memories at `~/.claude/projects/-Users-macpro-Projects-keysat/
independently confirmed**; verify the StartOS UI shows `0.2.0:57`). `publish.sh` now runs
`make install` as step 5, so future ships auto-deploy (best-effort, non-fatal).
- **Onboarding doc-harness — Stage 1 (Path 1, no payments): `completed-clean` this session.**
New disposable harness at `licensing-service-startos/onboarding-harness/` boots a fresh
fixture, mints a `merchant-onboard` key, serves `keysat-docs/` as the corpus, scaffolds a
pristine Next.js/TS proof-of-work (`sandbox-template/`), then runs the global
`onboarding-tester` agent **docs-only**. Loop converged 5→1→0 stumbles over 3 runs; the
publishable walkthrough is harvested into `keysat-docs/agent.html` (#worked-example). Doc
fixes shipped: `integrate.html` (real v0.3 SDK shape — `verify()` throws + returns
`VerifyOk{payload,…}`, no `valid` bool, `LicensingError`/`.code`), `agent.html`
(merchant-onboard role row, product/policy-create workflows, `buyer_note``note`, license
`/search` endpoint, worked example), `wire-format.html` (issuer-pubkey response shape). Also
`openapi.rs` (licenses `product_id` filter, removed phantom `GET /v1/admin/products`, added
`/v1/admin/licenses/search`, price-field notes) — **served-spec fixes; fixture was rebuilt to
test, but these reach the live spec only on the next daemon release.** keysat-docs static
fixes deploy independently. Full record: `onboarding-harness/STAGE1-RESULT.md`. **Stage 2
(Path 2, regtest buyer-pays) is gated on agent-payment-connect slices 35 below.**
- **In progress — agent-payment-connect (phase 2)**. Approved spec:
`plans/agent-payment-connect-scope.md`. Lets a scoped key connect a BTCPay provider, but
ONLY on a sandbox daemon and ONLY for a non-mainnet network — never folded into a role
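Review bot: in the new Stage 1 entry, the closing sentence gates Stage 2 on "slices 35 below", which reads as a range that lost its separator, and `buyer_note``note` in the `agent.html` list is likewise missing whatever joined the two names; both should be written out so the gate and the rename are unambiguous. The entry also says the `openapi.rs` fixes reach the live spec only on the next daemon release while the keysat-docs fixes deploy independently, so it would help to name the release or tracking item that closes that window, since until then the published docs can describe a spec the daemon does not yet serve.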
+12 -2
@@ -16,8 +16,18 @@ Longer-term backlog. Near-term state lives in `AGENTS.md` → Current state.
(never bundled into `merchant-onboard`), gated by a daemon-level **sandbox-mode flag** as the
outer gate (production daemons reject scoped connect entirely) with a **network gate** inner
defense (regtest/testnet/signet only, fail-closed to mainnet). BTCPay network is derived from
an on-chain address prefix (no `server/info` field exists). Feeds the doc-harness Path 2
(regtest buyer-pays). Ships after doc-harness Path 1.
an on-chain address prefix (no `server/info` field exists).
- **Onboarding doc-harness — Stage 2 (Path 2, regtest buyer-pays).** Gated on slices 35 above.
Stage 1 (Path 1, no payments) shipped `completed-clean` this session — harness at
`licensing-service-startos/onboarding-harness/`, record in its `STAGE1-RESULT.md`. Stage 2
reuses the harness but boots the fixture with `KEYSAT_SANDBOX_MODE` on, stands up a Dockerized
BTCPay regtest stack (bitcoind regtest + NBXplorer + Postgres + BTCPay) as additional
disposable infra, and grants the agent `merchant-onboard` + `payment_providers:write`. Goal:
the agent connects BTCPay (regtest) over the API and drives a test buyer payment that activates
a license, with zero master-key steps. The walkthrough must be explicitly labeled
regtest/test-network and must state that connecting a real mainnet wallet is the one
operator-reserved step **by design** (a key that can redirect funds stays with the human) — a
security feature, not a gap.
## Packaging & distribution
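Review bot: the Stage 2 goal lists only the positive path (the agent connects BTCPay on regtest and a test buyer payment activates a license), although the agent key now carries `payment_providers:write`. Suggest adding rejection cases to the acceptance criteria: a scoped connect with `KEYSAT_SANDBOX_MODE` off, and a scoped connect whose on-chain address prefix indicates mainnet, both expected to fail, so the harness exercises the sandbox-mode and network gates described in the item above rather than assuming them. "Gated on slices 35 above" also needs its range written out.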