diff --git a/AGENTS.md b/AGENTS.md
index 39b4efa..3241cbf 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -125,17 +125,27 @@ Operator-specific memories at `~/.claude/projects/-Users-macpro-Projects-keysat/
   non-mainnet is denied. Migrations 0024–0025. Three reviewer passes; live gate
   `validate-gate.sh` 10/10. Detail: `docs/guides/payments.md`, `plans/agent-payment-connect-scope.md`.
 
-- **Onboarding doc-harness — BOTH stages `completed-clean`.** Stage 1 (SDK integration, no
-  payments) prior session; **Stage 2 (regtest buyer-pays) this session, converged run 1→3.**
-  Rig + publishable walkthrough: `onboarding-harness/stage2/STAGE2-RESULT.md`. Doc fixes live
-  on `keysat-docs` (agent.html/install.html); the served `openapi.rs` BTCPay paths reach the
-  live spec as of `:58`. The two stages have only been validated **separately**, not as one run.
+- **Onboarding doc-harness — BOTH stages `completed-clean`, AND validated as ONE combined run.**
+  Stage 1 (SDK integration) + Stage 2 (regtest buyer-pays) prior sessions; **the combined
+  operator-order journey (gate a paid product, then a buyer pays to unlock the gated feature)
+  ran `completed-clean` on the first pass this session** and was independently re-verified end to
+  end (gate shut 401/403 → BTCPay regtest connected by scoped key → 50k-sat regtest payment
+  settled → purchased license opened the gate live, 200 + CSV). Rig: `onboarding-harness/stage2/`
+  (`run-stage2.sh` now carries the four-step combined brief; `probe.sh` now actually mints
+  `.live-env`). Walkthrough: `onboarding-harness/stage2/STAGE2-RESULT.md`. Doc fixes live on
+  `keysat-docs` (agent.html/install.html); the served `openapi.rs` BTCPay paths reached the live
+  spec as of `:58`.
+
+- **Public sites refreshed this session** (via `~/.keysat/deploy-sites.sh`): `agent.html#connect-btcpay`
+  gained the buyer-pays money path (`POST /v1/purchase` → poll → `license_key`, tied to the
+  worked-example gate); `keysat-xyz-landing` agent section gained an "Example prompt" card (the
+  one-liner an operator hands an agent). Note: `publish.sh` ships the **s9pk only** and is gated on
+  a version bump — it does NOT touch the HTML sites; `deploy-sites.sh` is the tool for those.
 
 - **Next (priority order)**:
   1. Operator data action (needs the master key): grant `unlimited_merchant_profiles` to
      Pro/Patron on the live master (confirmed-absent details in Open TODOs).
   2. 3 multi-profile UIs + split `audit:read` (ROADMAP / Open TODOs).
-  3. Optional: a single combined SDK-integration + buyer-pays onboarding-tester run.
 
 - **P2/P3 debt (unchanged, see ROADMAP)**: `set_product_entitlements_catalog` missing
   `rows_affected` guard; no rate-limit on purchase/redeem (spoofable XFF); `422`/`415`