diff --git a/README.md b/README.md
index 94920e3..61dd048 100644
--- a/README.md
+++ b/README.md
@@ -43,19 +43,24 @@ An MCP server with three tools at different trust levels. A trusted agent (with
 
 | Scenario | Agent | Tool | Trust Level | Result |
 |----------|-------|------|-------------|--------|
-| 1 | Trusted (DV badge) | `get_price` | 0 (open) | ALLOW |
-| 2 | Trusted (DV badge) | `place_order` | 2 (DV+) | ALLOW |
+| 1 | Trusted (badged) | `get_price` | 0 (open) | ALLOW |
+| 2 | Trusted (badged) | `place_order` | 1 (PoP) | ALLOW |
 | 3 | Untrusted (no badge) | `get_price` | 0 (open) | ALLOW |
-| 4 | Untrusted (no badge) | `place_order` | 2 (DV+) | **DENY** |
+| 4 | Untrusted (no badge) | `place_order` | 1 (PoP) | **DENY** |
+| 5 | Trusted (badge **revoked**) | `place_order` | 1 (PoP) | **DENY** |
 
 ### Setup
 
 ```bash
 cd demo-one
 ./setup.sh              # Creates venv, installs deps, downloads binary
-cp .env.example .env    # Fill in your API key + server ID
+                        # Auto-creates .env from .env.example if missing
 ```
 
+Edit `.env` with your credentials:
+- `CAPISCIO_API_KEY` — from [app.capisc.io](https://app.capisc.io) → Settings → API Keys
+- `CAPISCIO_SERVER_ID` — from Dashboard → MCP Servers (or set to `auto`)
+
 ### Run
 
 ```bash
@@ -70,10 +75,10 @@ python run_demo.py
 @server.tool(min_trust_level=0)
 async def get_price(sku: str) -> str: ...
 
-@server.tool(min_trust_level=2)
+@server.tool(min_trust_level=1)
 async def place_order(sku: str, quantity: int) -> str: ...
 
-@server.tool(min_trust_level=4)
+@server.tool(min_trust_level=2)
 async def cancel_all_orders() -> str: ...
 ```
 
@@ -128,10 +133,11 @@ Shows how org-level policy changes alter trust enforcement at runtime. The prese
 
 ```bash
 cd demo-two
-./setup.sh
-cp .env.example .env    # Fill in API key, server ID, org ID, admin JWT
+./setup.sh              # Auto-creates .env from .env.example if missing
 ```
 
+Edit `.env` with your credentials (API key, server ID, org ID, admin JWT).
+
 Create the three policy proposals:
 ```bash
 source .venv/bin/activate
@@ -230,7 +236,7 @@ All agents use `CapiscIO.connect()` to get a cryptographic identity (DID), regis
 ```bash
 cd a2a-demos
 ./scripts/setup.sh   # Creates per-agent .venvs, installs deps + shared module
-cp .env.example .env
+                     # Auto-creates .env files from .env.example if missing
 ```
 
 ### 2. Configure environment
diff --git a/demo-one/setup.sh b/demo-one/setup.sh
index f7f4bbb..1144d97 100644
--- a/demo-one/setup.sh
+++ b/demo-one/setup.sh
@@ -60,13 +60,18 @@ path = ensure_binary()
 print(f'  Binary cached at: {path}')
 "
 
-# ── 3. Verify .env ──────────────────────────────────────────────────────
+# ── 3. Scaffold .env ─────────────────────────────────────────────────────
 echo ""
 if [ -f "$SCRIPT_DIR/.env" ]; then
     echo "✓ .env file found"
 else
-    echo "⚠ No .env file found. Copy .env.example to .env and fill in your credentials:"
-    echo "    cp .env.example .env"
+    cp "$SCRIPT_DIR/.env.example" "$SCRIPT_DIR/.env"
+    echo "⚠️  Created .env from .env.example — edit it with your credentials:"
+    echo "    $SCRIPT_DIR/.env"
+    echo ""
+    echo "   Required:"
+    echo "     CAPISCIO_API_KEY   — from https://app.capisc.io → Settings → API Keys"
+    echo "     CAPISCIO_SERVER_ID — from https://app.capisc.io → MCP Servers (or set to 'auto')"
 fi
 
 echo ""
diff --git a/demo-two/setup.sh b/demo-two/setup.sh
index 4851ea4..25ccd35 100644
--- a/demo-two/setup.sh
+++ b/demo-two/setup.sh
@@ -59,14 +59,18 @@ echo ""
 echo "Pre-downloading capiscio-core binary…"
 python3 -c "from capiscio_mcp._core.lifecycle import ensure_binary; ensure_binary()"
 
-# ── .env check ───────────────────────────────────────────
+# ── Scaffold .env ────────────────────────────────────────
 echo ""
-if [ ! -f ".env" ]; then
-    echo "⚠  No .env file found."
-    echo "   Copy .env.example to .env and fill in your values:"
-    echo "   cp .env.example .env"
-else
+if [ -f ".env" ]; then
     echo "✓  .env file found"
+else
+    cp "$SCRIPT_DIR/.env.example" "$SCRIPT_DIR/.env"
+    echo "⚠️  Created .env from .env.example — edit it with your credentials:"
+    echo "    $(pwd)/.env"
+    echo ""
+    echo "   Required:"
+    echo "     CAPISCIO_API_KEY   — from https://app.capisc.io → Settings → API Keys"
+    echo "     CAPISCIO_SERVER_ID — from https://app.capisc.io → MCP Servers (or set to 'auto')"
 fi
 
 echo ""
@@ -74,9 +78,8 @@ echo "════════════════════════
 echo "  Setup complete!"
 echo ""
 echo "  Next steps:"
-echo "    1. cp .env.example .env  (if not done)"
-echo "    2. Fill in credentials in .env"
-echo "    3. python scripts/setup_policies.py  (create policies)"
-echo "    4. source .venv/bin/activate"
-echo "    5. python run_demo.py"
+echo "    1. Edit .env with your credentials (if just created)"
+echo "    2. python scripts/setup_policies.py  (create policies)"
+echo "    3. source .venv/bin/activate"
+echo "    4. python run_demo.py"
 echo "═══════════════════════════════════════════════════════"
diff --git a/scripts/setup.sh b/scripts/setup.sh
index 11e8f05..50777f5 100755
--- a/scripts/setup.sh
+++ b/scripts/setup.sh
@@ -115,11 +115,34 @@ echo "   MODE: LOCAL REPOS (editable installs)"
 echo "   Changes to capiscio-sdk-python, capiscio-mcp-python,"
 echo "   and langchain-capiscio take effect immediately."
 fi
+# Scaffold .env files for each demo if missing
+ENV_SCAFFOLDED=false
+for demo_dir in demo-one demo-two mcp-demo; do
+    if [ -f "$SCRIPT_DIR/$demo_dir/.env.example" ] && [ ! -f "$SCRIPT_DIR/$demo_dir/.env" ]; then
+        cp "$SCRIPT_DIR/$demo_dir/.env.example" "$SCRIPT_DIR/$demo_dir/.env"
+        echo "   ⚠️  Created $demo_dir/.env from .env.example"
+        ENV_SCAFFOLDED=true
+    fi
+done
+if [ -f "$SCRIPT_DIR/.env.example" ] && [ ! -f "$SCRIPT_DIR/.env" ]; then
+    cp "$SCRIPT_DIR/.env.example" "$SCRIPT_DIR/.env"
+    echo "   ⚠️  Created .env from .env.example"
+    ENV_SCAFFOLDED=true
+fi
+
 echo ""
+if [ "$ENV_SCAFFOLDED" = true ]; then
 echo "Next steps:"
-echo "   1. Copy .env.example to .env and add your credentials:"
-echo "      - OPENAI_API_KEY (required)"
-echo "      - CAPISCIO_API_KEY (from app.capisc.io → Settings → API Keys)"
+echo "   1. Edit the generated .env files with your credentials."
+echo "      Each demo has different required fields — open the .env to see them."
+echo "      Common fields:"
+echo "        - CAPISCIO_API_KEY  (from app.capisc.io → Settings → API Keys)"
+echo "        - OPENAI_API_KEY    (required for agents)"
+echo "        - CAPISCIO_SERVER_ID (demo-one, demo-two: from Dashboard → MCP Servers)"
+else
+echo "Next steps:"
+echo "   1. Verify your .env credentials are current"
+fi
 echo ""
 echo "   2. Run agents:  ./scripts/run-agents.sh"
 echo ""