Current state: combined run + live docs/landing (two-path install, example prompt)

Trim Current state to the combined onboarding run (validated) and the live docs/
landing additions: agent.html buyer-pays money path, landing example-prompt card,
and the two-path Install section (Start9 vs run-from-source). Drop the done
"combined run" from Next and the redundant publish.sh/deploy-sites note (it lives
in docs/guides/startos-packaging.md).

AGENTS.md

@@ -111,48 +111,32 @@ Operator-specific memories at `~/.claude/projects/-Users-macpro-Projects-keysat/
 
 ## Current state (2026-06-17)
 
-- **Live / canonical**: **`0.2.0:58`** published — registry + `files.keysat.xyz/keysat.s9pk`,
-  GitHub `v0.2.0-58`, universal multi-arch (x86_64 + aarch64). Live box
-  `immense-voyage.local` **confirmed on `:58`** (operator-verified in the StartOS UI). All
-  three public sites deployed (`keysat.xyz`, `docs.keysat.xyz`, `registry.keysat.xyz`).
-  Migrations through 0025; four SDKs published.
+- **Live / canonical: `0.2.0:58`** — registry + `files.keysat.xyz/keysat.s9pk`, GitHub `v0.2.0-58`,
+  universal (x86_64 + aarch64); live box `immense-voyage.local` confirmed on `:58`. Migrations
+  through 0025; four SDKs published. All three public sites deployed (keysat.xyz, docs.keysat.xyz,
+  registry.keysat.xyz).
 
-- **Shipped in `:58` — agent-payment-connect complete (slices 1–5).** A scoped key with the
-  à-la-carte `payment_providers:write` scope connects a BTCPay provider over the API, but
-  ONLY on a sandbox daemon (`KEYSAT_SANDBOX_MODE`) for a non-mainnet store;
-  master/mainnet/production + disconnect stay master-only. The gate fails closed: the store's
-  network is resolved from its on-chain receive address at callback, anything not provably
-  non-mainnet is denied. Migrations 0024–0025. Three reviewer passes; live gate
-  `validate-gate.sh` 10/10. Detail: `docs/guides/payments.md`, `plans/agent-payment-connect-scope.md`.
+- **agent-payment-connect (slices 1–5) shipped in `:58`.** A `payment_providers:write` scoped key
+  connects BTCPay over the API, but only on a sandbox daemon for a non-mainnet store (fail-closed);
+  master/mainnet/production + disconnect stay master-only. Detail: `docs/guides/payments.md`.
 
-- **Onboarding doc-harness — BOTH stages `completed-clean`, AND validated as ONE combined run.**
-  Stage 1 (SDK integration) + Stage 2 (regtest buyer-pays) prior sessions; **the combined
-  operator-order journey (gate a paid product, then a buyer pays to unlock the gated feature)
-  ran `completed-clean` on the first pass this session** and was independently re-verified end to
-  end (gate shut 401/403 → BTCPay regtest connected by scoped key → 50k-sat regtest payment
-  settled → purchased license opened the gate live, 200 + CSV). Rig: `onboarding-harness/stage2/`
-  (`run-stage2.sh` now carries the four-step combined brief; `probe.sh` now actually mints
-  `.live-env`). Walkthrough: `onboarding-harness/stage2/STAGE2-RESULT.md`. Doc fixes live on
-  `keysat-docs` (agent.html/install.html); the served `openapi.rs` BTCPay paths reached the live
-  spec as of `:58`.
+- **Onboarding doc-harness — all `completed-clean`.** Stage 1 (SDK integration), Stage 2 (regtest
+  buyer-pays), and the **combined operator-order journey** (gate a paid product → buyer pays →
+  purchased license unlocks the gate) all pass docs-only under a scoped key. Rig:
+  `onboarding-harness/` (`stage2/run-stage2.sh` four-step brief; `probe.sh` mints `.live-env`);
+  walkthroughs in `stage2/STAGE2-RESULT.md`. Live docs now cover the case: `agent.html#connect-btcpay`
+  buyer-pays money path; landing got an "Example prompt" card + a two-path Install section
+  (Start9 one-click / sideload `keysat.s9pk`, vs. run-from-source on any Linux box — both
+  self-hosting, free at Creator tier, license to expand).
 
-- **Public sites refreshed this session** (via `~/.keysat/deploy-sites.sh`): `agent.html#connect-btcpay`
-  gained the buyer-pays money path (`POST /v1/purchase` → poll → `license_key`, tied to the
-  worked-example gate); `keysat-xyz-landing` agent section gained an "Example prompt" card (the
-  one-liner an operator hands an agent). Note: `publish.sh` ships the **s9pk only** and is gated on
-  a version bump — it does NOT touch the HTML sites; `deploy-sites.sh` is the tool for those.
-
-- **Next (priority order)**:
-  1. Operator data action (needs the master key): grant `unlimited_merchant_profiles` to
-     Pro/Patron on the live master (confirmed-absent details in Open TODOs).
+- **Next (priority order):**
+  1. Operator data action (needs master key): grant `unlimited_merchant_profiles` to Pro/Patron on
+     the live master (confirmed-absent; steps in Open TODOs).
   2. 3 multi-profile UIs + split `audit:read` (ROADMAP / Open TODOs).
 
-- **P2/P3 debt (unchanged, see ROADMAP)**: `set_product_entitlements_catalog` missing
-  `rows_affected` guard; no rate-limit on purchase/redeem (spoofable XFF); `422`/`415`
-  plain-text not JSON; `slug` unvalidated; dep advisories (`sqlx`→≥0.8.1,
-  `rustls-webpki`→≥0.103.12); no CI / fmt-clippy unenforced; outbound webhook SSRF;
-  design-contract conformance.
+- **Debt (P2/P3, see ROADMAP):** rate-limit purchase/redeem; `422`/`415` JSON; `slug` validation;
+  `set_product_entitlements_catalog` `rows_affected` guard; dep advisories (`sqlx`≥0.8.1,
+  `rustls-webpki`≥0.103.12); no CI / fmt-clippy unenforced; webhook SSRF; design-contract conformance.
 
-- **Tests/build**: full suite green — lib **18**, api **65**, subscriptions 7, upgrades 9,
-  worker 3, crosscheck 4, migrations 9 (through **0025**); `cargo check` + `npm run check`
-  clean (1 intentional deprecation warning); new code clippy-clean.
+- **Tests/build:** full suite green (lib 18, api 65, subscriptions 7, upgrades 9, worker 3,
+  crosscheck 4, migrations 9 through 0025); `cargo check` + `npm run check` clean.