diff --git a/public/capabilities.html b/public/capabilities.html
index fece6cc..da4d325 100644
--- a/public/capabilities.html
+++ b/public/capabilities.html
@@ -23,9 +23,9 @@
   <section class="section"><div class="container"><p class="capability-intro">Capabilities are not the verifier itself. A capability is an action/verb family that receipts can describe. It can include request schemas, receipt schemas, examples, agent cards, ENS records, MCP tool definitions, OpenAPI operations, and SDK usage.</p><div class="steps-grid"><div class="step-card"><div class="step-num">1</div><h3>Semantics</h3><p>Capability semantics define verb meaning and expected execution intent.</p></div><div class="step-card"><div class="step-num">2</div><h3>Request schema</h3><p>Request schemas define valid inputs before runtime execution begins.</p></div><div class="step-card"><div class="step-num">3</div><h3>Runtime execution</h3><p>Runtime executes the action and signs receipts using signer identity and key material.</p></div><div class="step-card"><div class="step-num">4</div><h3>Canonical receipt</h3><p>Canonical receipts include <code>metadata.proof</code> fields for JSON canonicalization, SHA-256 hashing, and Ed25519 signatures.</p></div><div class="step-card"><div class="step-num">5</div><h3>Discovery surface</h3><p>MCP bridge and API discovery surfaces expose callable tools and operations.</p></div><div class="step-card"><div class="step-num">6</div><h3>Verification</h3><p>Verifier validation confirms proof integrity, and tamper invalidation fails altered receipts.</p></div></div></div></section>
   <section class="section section-alt"><div class="container"><div class="section-eyebrow">Schemas and CLAS source</div><h2 class="section-h2">Inspect live schemas and capability source.</h2><p class="section-p">Use these links to inspect the schema index, Trust Verification schema paths, API contract details, and the CLAS source repository.</p><div class="build-actions"><a class="build-action primary" href="/schemas.html">Open schemas index</a><a class="build-action" href="/schemas.html">Inspect schemas</a><a class="build-action" href="/schemas.html">Inspect Trust Verification schema family</a><a class="build-action" href="/schemas.html">Inspect proof envelope schema model</a><a class="build-action" href="/api.html">API Reference</a><a class="build-action" href="https://github.com/commandlayer/commandlayer-clas" target="_blank" rel="noopener">View schema source</a><a class="build-action" href="/receipts.html">Receipts model</a><a class="build-action" href="/sdk-records.html">SDK Records</a></div></div></section>
   <section class="section section-alt"><div class="container"><div class="section-eyebrow">Capability Map</div><h2 class="section-h2">One map for actions, discovery, and proof.</h2><p class="section-p">Trust Verification is live now. Future capability families are marked Draft or Planned to show protocol expansion, not current production coverage.</p><p class="section-p"><strong>Trust boundary:</strong> Capability selection describes what an action is. Receipt verification proves what happened.</p>
-  <div class="build-panel" aria-live="polite"><div class="build-head"><div><h3>Build plan</h3><p>Select capability groups for your agent stack. Export local manifests, SDK config, agent cards, ENS records, and discovery drafts.</p></div><button class="clear-plan" type="button" id="clearPlanBtn">Clear plan</button></div><div class="build-items" id="buildItems"><span class="build-empty">No capabilities selected yet.</span></div><div class="build-actions"><button class="build-action primary" type="button" id="exportManifestBtn">Export manifest</button><button class="build-action" type="button" id="copyManifestBtn">Copy manifest JSON</button><button class="build-action" type="button" id="copySdkConfigBtn">Copy SDK config</button><button class="build-action" type="button" id="copyAgentCardBtn">Copy agent card</button><button class="build-action" type="button" id="copyEnsBtn">Copy ENS records</button><button class="build-action" type="button" id="copyDiscoveryBtn">Copy MCP surface</button></div><div class="build-actions"><a class="build-action" href="/receipts.html">Understand receipts</a><a class="build-action" href="/sdk-records.html">Wrap an action with SDK</a><a class="build-action" href="/proof.html">View Live Proof</a><a class="build-action" href="/claim.html">Activate namespace</a></div><div class="build-actions"><a class="build-action" id="downloadLiveSchemasBtn" href="#" role="button" aria-disabled="true">Download all live CLAS schemas</a><a class="build-action" id="downloadSchemaIndexBtn" href="/schemas/index.json" download>Download schema index</a><a class="build-action" id="viewClasRepoBtn" href="https://github.com/commandlayer/commandlayer-clas" target="_blank" rel="noopener">View CLAS repo</a><a class="build-action" id="downloadLiveManifestsBtn" href="/capabilities/trust-verification/manifest.json" download>Download all live manifests</a></div><pre class="export-box" id="exportBox"></pre></div>
+  <div class="build-panel" aria-live="polite"><div class="build-head"><div><h3>Build plan</h3><p>Select capability groups for your agent stack. Export local manifests, SDK config, agent cards, ENS records, and discovery drafts.</p></div><button class="clear-plan" type="button" id="clearPlanBtn">Clear plan</button></div><div class="build-items" id="buildItems"><span class="build-empty">No capabilities selected yet.</span></div><div class="build-actions"><button class="build-action primary" type="button" id="exportManifestBtn">Export manifest</button><button class="build-action" type="button" id="copyManifestBtn">Copy manifest JSON</button><button class="build-action" type="button" id="copySdkConfigBtn">Copy SDK config</button><button class="build-action" type="button" id="copyAgentCardBtn">Copy agent card</button><button class="build-action" type="button" id="copyEnsBtn">Copy ENS records</button><button class="build-action" type="button" id="copyDiscoveryBtn">Copy MCP surface</button></div><div class="build-actions"><a class="build-action" href="/receipts.html">Understand receipts</a><a class="build-action" href="/sdk-records.html">Wrap an action with SDK</a><a class="build-action" href="/proof.html">View Live Proof</a><a class="build-action" href="/claim.html">Activate namespace</a></div><div class="build-actions"><a class="build-action" id="downloadLiveSchemasBtn" href="/schemas/trust-verification/manifest.json" download="trust-verification.manifest.json">Download all live CLAS schemas</a><a class="build-action" id="downloadSchemaIndexBtn" href="/schemas/trust-verification/capabilities.json" download="trust-verification.capabilities.json">Download capability groups</a><a class="build-action" id="viewClasRepoBtn" href="https://github.com/commandlayer/commandlayer-clas" target="_blank" rel="noopener">View CLAS repo</a><a class="build-action" id="downloadLiveManifestsBtn" href="/capabilities/trust-verification/manifest.json" download>Download all live manifests</a></div><pre class="export-box" id="exportBox"></pre></div>
   <div class="cap-grid">
-<article class="cap-card" data-cap-id="trust-verification" data-cap-name="Trust Verification v1" data-snippet="verify" data-status="live" data-manifest="/capabilities/trust-verification/manifest.json" data-schema-request-prefix="/schemas/trust/" data-schema-receipt-prefix="/schemas/trust/"><div class="cap-head"><div class="cap-title">Trust Verification v1</div><span class="status live">Live</span></div><p class="cap-desc">Canonical runtime signing and verification verbs for trusted receipt workflows.</p><div class="pill-row"><span class="cap-pill">verify</span><span class="cap-pill">sign</span><span class="cap-pill">attest</span><span class="cap-pill">authorize</span><span class="cap-pill">approve</span><span class="cap-pill">reject</span><span class="cap-pill">permit</span><span class="cap-pill">grant</span><span class="cap-pill">authenticate</span><span class="cap-pill">endorse</span></div><div class="badge-row"><span class="mini-badge">Runtime live</span><span class="mini-badge">MCP bridge live</span><span class="mini-badge">Verifier tested</span><span class="mini-badge">SDK supported</span></div><div class="cap-actions"><a class="cap-action" href="/capabilities/trust-verification/manifest.json" download>Download manifest</a><a class="cap-action" href="/schemas/live-clas-schemas.index.json" download>Download all family schemas</a><a class="cap-action" href="/capabilities/trust-verification/manifest.json" target="_blank" rel="noopener">View family manifest</a><button class="cap-action" data-copy-snippet>Copy SDK snippet</button><button class="cap-action primary" data-add-plan>Add to build plan</button></div></article>
+<article class="cap-card" data-cap-id="trust-verification" data-cap-name="Trust Verification v1" data-snippet="verify" data-status="live" data-manifest="/capabilities/trust-verification/manifest.json" data-schema-request-prefix="/schemas/trust-verification/" data-schema-receipt-prefix="/schemas/trust-verification/"><div class="cap-head"><div class="cap-title">Trust Verification v1</div><span class="status live">Live</span></div><p class="cap-desc">Canonical runtime signing and verification verbs for trusted receipt workflows.</p><div class="pill-row"><span class="cap-pill">verify</span><span class="cap-pill">sign</span><span class="cap-pill">attest</span><span class="cap-pill">authorize</span><span class="cap-pill">approve</span><span class="cap-pill">reject</span><span class="cap-pill">permit</span><span class="cap-pill">grant</span><span class="cap-pill">authenticate</span><span class="cap-pill">endorse</span></div><div class="badge-row"><span class="mini-badge">Runtime live</span><span class="mini-badge">MCP bridge live</span><span class="mini-badge">Verifier tested</span><span class="mini-badge">SDK supported</span></div><div class="cap-actions"><a class="cap-action" href="/capabilities/trust-verification/manifest.json" download>Download manifest</a><a class="cap-action" href="/schemas/trust-verification/manifest.json" download="trust-verification.manifest.json">Download all family schemas</a><a class="cap-action" href="/capabilities/trust-verification/manifest.json" target="_blank" rel="noopener">View family manifest</a><button class="cap-action" data-copy-snippet>Copy SDK snippet</button><button class="cap-action primary" data-add-plan>Add to build plan</button></div></article>
 <article class="cap-card" data-cap-id="ai-utility-actions" data-cap-name="AI / Utility Actions" data-snippet="summarize" data-status="draft"><div class="cap-head"><div class="cap-title">AI / Utility Actions</div><span class="status">Draft</span></div><p class="cap-desc">General AI and utility verbs for transformation and understanding workflows.</p><div class="pill-row"><span class="cap-pill">summarize</span><span class="cap-pill">classify</span><span class="cap-pill">clean</span><span class="cap-pill">parse</span><span class="cap-pill">explain</span><span class="cap-pill">analyze</span><span class="cap-pill">format</span><span class="cap-pill">convert</span><span class="cap-pill">describe</span><span class="cap-pill">fetch</span></div><div class="cap-actions"><button class="cap-action disabled" type="button" disabled>Manifest planned</button><button class="cap-action" data-copy-snippet>Copy SDK snippet</button><button class="cap-action primary" data-add-plan>Add to build plan</button></div></article>
 <article class="cap-card" data-cap-id="commerce-payments" data-cap-name="Commerce & Payments" data-snippet="authorize" data-status="planned"><div class="cap-head"><div class="cap-title">Commerce & Payments</div><span class="status">Planned</span></div><p class="cap-desc">Financial transaction and settlement verbs for commerce systems.</p><div class="pill-row"><span class="cap-pill">authorize</span><span class="cap-pill">checkout</span><span class="cap-pill">purchase</span><span class="cap-pill">invoice</span><span class="cap-pill">disburse</span><span class="cap-pill">refund</span><span class="cap-pill">bill</span><span class="cap-pill">charge</span><span class="cap-pill">fund</span><span class="cap-pill">reconcile</span></div><div class="cap-actions"><button class="cap-action disabled" type="button" disabled>Manifest planned</button><button class="cap-action" data-copy-snippet>Copy SDK snippet</button><button class="cap-action primary" data-add-plan>Add to build plan</button></div></article>
 <article class="cap-card" data-cap-id="identity-compliance" data-cap-name="Identity & Compliance" data-snippet="kyc" data-status="planned"><div class="cap-head"><div class="cap-title">Identity & Compliance</div><span class="status">Planned</span></div><p class="cap-desc">Identity assurance, compliance, and policy eligibility verbs.</p><div class="pill-row"><span class="cap-pill">kyc</span><span class="cap-pill">identify</span><span class="cap-pill">screen</span><span class="cap-pill">audit</span><span class="cap-pill">attest</span><span class="cap-pill">certify</span><span class="cap-pill">register</span><span class="cap-pill">license</span><span class="cap-pill">access</span><span class="cap-pill">revoke</span></div><div class="cap-actions"><button class="cap-action disabled" type="button" disabled>Manifest planned</button><button class="cap-action" data-copy-snippet>Copy SDK snippet</button><button class="cap-action primary" data-add-plan>Add to build plan</button></div></article>
@@ -40,19 +40,19 @@
   <footer><div class="container footer-grid"><div><h4>Product</h4><a href="/protocol.html">Protocol</a><a href="/capabilities.html">Capabilities</a><a href="/receipts.html">Receipts</a><a href="/proof.html">Live Proof</a><a href="/integrations.html">Integrations</a><a href="/sdk-records.html">SDK</a><a href="/claim.html">Claim</a></div><div><h4>Developers</h4><a href="/docs.html">Docs</a><a href="/docs/wrap-your-agent.html">Wrap Your Agent</a><a href="/runtime.html">Runtime</a><a href="/mcp.html">MCP Bridge</a><a href="/schemas.html">Schemas</a><a href="/api.html">API Reference</a><a href="https://github.com/commandlayer" target="_blank" rel="noopener">GitHub</a></div><div><h4>Proof</h4><a href="/verify.html">Verifier</a><a href="/stack-proof-demo.html">Production Proof</a><a href="/receipts.html">Receipts</a><a href="/proof.html">Live Proof</a></div></div></footer>
   <div class="verb-modal" id="verbModal" aria-hidden="true"><div class="verb-panel" role="dialog" aria-modal="true" aria-labelledby="verbTitle"><div class="verb-panel-head"><div><h3 class="verb-title" id="verbTitle">Verb detail</h3><p class="verb-meta" id="verbMeta"></p></div><button class="verb-close" type="button" id="verbCloseBtn" aria-label="Close verb details">Close</button></div><p class="verb-desc" id="verbDesc"></p><div class="verb-actions" id="verbActions"></div><p class="verb-note" id="verbNote"></p></div></div><div class="toast" id="toast"></div>
   <script>
-const KEY='commandlayer.buildPlan.v1';const itemsEl=document.getElementById('buildItems');const toast=document.getElementById('toast');const exportBox=document.getElementById('exportBox');function getPlan(){try{return JSON.parse(localStorage.getItem(KEY)||'[]')}catch{return[]}}function selectedIds(){const ids=getPlan().map(x=>x.id);return ids.length?ids:['trust-verification']}function setPlan(plan){localStorage.setItem(KEY,JSON.stringify(plan));renderPlan()}function showToast(msg){toast.textContent=msg;toast.classList.add('show');setTimeout(()=>toast.classList.remove('show'),1800)}function renderPlan(){const plan=getPlan();itemsEl.innerHTML='';if(!plan.length){itemsEl.innerHTML='<span class="build-empty">No capabilities selected yet.</span>';return}plan.forEach(item=>{const tag=document.createElement('span');tag.className='build-tag';tag.textContent=item.name;const btn=document.createElement('button');btn.type='button';btn.textContent='×';btn.setAttribute('aria-label','Remove '+item.name);btn.onclick=()=>setPlan(getPlan().filter(x=>x.id!==item.id));tag.appendChild(btn);itemsEl.appendChild(tag)})}function snippetFor(verb){return `const { output, receipt } = await cl.wrap("${verb}", async () => {\n  return { ok: true };\n});`}function buildManifest(){const selected=getPlan();return {type:'commandlayer.capability_build_plan',version:'1.0.0',created_at:new Date().toISOString(),selected_capability_groups:selected,runtime:'https://runtime.commandlayer.org',verifier:'runtime /verify or configured verifier',proof_model:'metadata.proof'}}function agentCard(){return {type:'commandlayer.agent_card',version:'1.0.0',name:'runtime.commandlayer.eth',capabilities:selectedIds(),verifier:'/api/verify',generated_at:new Date().toISOString(),note:'Draft agent card generated locally from the selected capability build plan.'}}function ensRecords(){const caps=selectedIds().join(',');return [`cl.capabilities=${caps}`,'cl.verifier=https://www.commandlayer.org/api/verify','cl.sig.pub=ed25519:<public-key>','cl.sig.kid=vC4WbcNoq2znSCiQ','cl.sig.canonical=json.sorted_keys.v1','cl.receipt.signer=runtime.commandlayer.eth','agent-endpoint[mcp]=https://mcp.commandlayer.org/mcp'].join('\n')}function discoverySurface(){return {type:'commandlayer.discovery_surface_draft',version:'1.0.0',capabilities:selectedIds(),tools:['clas.trust-verification.verify','clas.trust-verification.sign','clas.trust-verification.attest','clas.trust-verification.authorize','clas.trust-verification.approve','clas.trust-verification.reject','clas.trust-verification.permit','clas.trust-verification.grant','clas.trust-verification.authenticate','clas.trust-verification.endorse'],bridge_note:'MCP is a bridge. Runtime signs. Verifier validates.',verification_endpoint:'/api/verify',generated_at:new Date().toISOString()}}function sdkConfig(){return `import { CommandLayer } from "@commandlayer/agent-sdk";\n\nconst cl = new CommandLayer({\n  agent: "runtime.commandlayer.eth",\n  privateKeyPem: process.env.CL_PRIVATE_KEY_PEM,\n  keyId: "vC4WbcNoq2znSCiQ"\n});\n\nconst capabilities = ${JSON.stringify(getPlan().map(x=>x.id),null,2)};\n\nexport { cl, capabilities };`}function showExport(value){const text=typeof value==='string'?value:JSON.stringify(value||buildManifest(),null,2);exportBox.textContent=text;exportBox.classList.add('show');return text}async function copyOutput(label,value){await navigator.clipboard.writeText(showExport(value));showToast(label+' copied')}document.querySelectorAll('[data-add-plan]').forEach(btn=>btn.addEventListener('click',()=>{const card=btn.closest('.cap-card');const item={id:card.dataset.capId,name:card.dataset.capName,status:card.dataset.status||'planned',manifest:card.dataset.manifest||null,default_verb:card.dataset.snippet||null};const plan=getPlan();if(!plan.find(x=>x.id===item.id)){plan.push(item);setPlan(plan);showToast(item.name+' added to build plan')}else showToast(item.name+' is already in your build plan')}));document.querySelectorAll('[data-copy-snippet]').forEach(btn=>btn.addEventListener('click',async()=>{const verb=btn.closest('.cap-card').dataset.snippet||'verify';await navigator.clipboard.writeText(snippetFor(verb));showToast('SDK snippet copied for '+verb)}));document.getElementById('clearPlanBtn').onclick=()=>{setPlan([]);exportBox.classList.remove('show');showToast('Build plan cleared')};document.getElementById('exportManifestBtn').onclick=()=>{const json=showExport(buildManifest());const blob=new Blob([json],{type:'application/json'});const url=URL.createObjectURL(blob);const a=document.createElement('a');a.href=url;a.download='commandlayer-build-plan.json';a.click();URL.revokeObjectURL(url);showToast('Build plan manifest exported')};document.getElementById('copyManifestBtn').onclick=()=>copyOutput('Build plan JSON',buildManifest());document.getElementById('copySdkConfigBtn').onclick=()=>copyOutput('SDK config',sdkConfig());document.getElementById('copyAgentCardBtn').onclick=()=>copyOutput('Agent card',agentCard());document.getElementById('copyEnsBtn').onclick=()=>copyOutput('ENS records',ensRecords());document.getElementById('copyDiscoveryBtn').onclick=()=>copyOutput('MCP surface draft',discoverySurface());const liveVerbDescriptions={verify:'Verify a receipt proof payload and confirm signature validity.',sign:'Sign canonical output with runtime signer identity.',attest:'Attach a cryptographic attestation to action output.',authorize:'Authorize an action against policy and signer context.',approve:'Approve a workflow decision with signed proof.',reject:'Reject a workflow decision with signed proof.',permit:'Permit scoped access with verifiable authorization.',grant:'Grant delegated permission with proof binding.',authenticate:'Authenticate identity claims and bind signer evidence.',endorse:'Endorse an action outcome with verifier-ready proof.'};
+const KEY='commandlayer.buildPlan.v1';const itemsEl=document.getElementById('buildItems');const toast=document.getElementById('toast');const exportBox=document.getElementById('exportBox');function getPlan(){try{return JSON.parse(localStorage.getItem(KEY)||'[]')}catch{return[]}}function selectedIds(){const ids=getPlan().map(x=>x.id);return ids.length?ids:['trust-verification']}function setPlan(plan){localStorage.setItem(KEY,JSON.stringify(plan));renderPlan()}function showToast(msg){toast.textContent=msg;toast.classList.add('show');setTimeout(()=>toast.classList.remove('show'),1800)}function renderPlan(){const plan=getPlan();itemsEl.innerHTML='';if(!plan.length){itemsEl.innerHTML='<span class="build-empty">No capabilities selected yet.</span>';return}plan.forEach(item=>{const tag=document.createElement('span');tag.className='build-tag';tag.textContent=item.name;const btn=document.createElement('button');btn.type='button';btn.textContent='×';btn.setAttribute('aria-label','Remove '+item.name);btn.onclick=()=>setPlan(getPlan().filter(x=>x.id!==item.id));tag.appendChild(btn);itemsEl.appendChild(tag)})}function snippetFor(verb){return `const { output, receipt } = await cl.wrap("${verb}", async () => {\n  return { ok: true };\n});`}function buildManifest(){const selected=getPlan();return {type:'commandlayer.capability_build_plan',version:'1.0.0',created_at:new Date().toISOString(),selected_capability_groups:selected,runtime:'https://runtime.commandlayer.org',verifier:'runtime /verify or configured verifier',proof_model:'metadata.proof'}}function agentCard(){return {type:'commandlayer.agent_card',version:'1.0.0',name:'runtime.commandlayer.eth',capabilities:selectedIds(),verifier:'/api/verify',generated_at:new Date().toISOString(),note:'Draft agent card generated locally from the selected capability build plan.'}}function ensRecords(){const caps=selectedIds().join(',');return [`cl.capabilities=${caps}`,'cl.verifier=https://commandlayer.org/api/verify','cl.sig.pub=ed25519:<public-key>','cl.sig.kid=vC4WbcNoq2znSCiQ','cl.sig.canonical=json.sorted_keys.v1','cl.receipt.signer=runtime.commandlayer.eth','agent-endpoint[mcp]=https://mcp.commandlayer.org/mcp'].join('\n')}function discoverySurface(){return {type:'commandlayer.discovery_surface_draft',version:'1.0.0',capabilities:selectedIds(),tools:['clas.trust-verification.verify','clas.trust-verification.sign','clas.trust-verification.attest','clas.trust-verification.authorize','clas.trust-verification.approve','clas.trust-verification.reject','clas.trust-verification.permit','clas.trust-verification.grant','clas.trust-verification.authenticate','clas.trust-verification.endorse'],bridge_note:'MCP is a bridge. Runtime signs. Verifier validates.',verification_endpoint:'/api/verify',generated_at:new Date().toISOString()}}function sdkConfig(){return `import { CommandLayer } from "@commandlayer/agent-sdk";\n\nconst cl = new CommandLayer({\n  agent: "runtime.commandlayer.eth",\n  privateKeyPem: process.env.CL_PRIVATE_KEY_PEM,\n  keyId: "vC4WbcNoq2znSCiQ"\n});\n\nconst capabilities = ${JSON.stringify(getPlan().map(x=>x.id),null,2)};\n\nexport { cl, capabilities };`}function showExport(value){const text=typeof value==='string'?value:JSON.stringify(value||buildManifest(),null,2);exportBox.textContent=text;exportBox.classList.add('show');return text}async function copyOutput(label,value){await navigator.clipboard.writeText(showExport(value));showToast(label+' copied')}document.querySelectorAll('[data-add-plan]').forEach(btn=>btn.addEventListener('click',()=>{const card=btn.closest('.cap-card');const item={id:card.dataset.capId,name:card.dataset.capName,status:card.dataset.status||'planned',manifest:card.dataset.manifest||null,default_verb:card.dataset.snippet||null};const plan=getPlan();if(!plan.find(x=>x.id===item.id)){plan.push(item);setPlan(plan);showToast(item.name+' added to build plan')}else showToast(item.name+' is already in your build plan')}));document.querySelectorAll('[data-copy-snippet]').forEach(btn=>btn.addEventListener('click',async()=>{const verb=btn.closest('.cap-card').dataset.snippet||'verify';await navigator.clipboard.writeText(snippetFor(verb));showToast('SDK snippet copied for '+verb)}));document.getElementById('clearPlanBtn').onclick=()=>{setPlan([]);exportBox.classList.remove('show');showToast('Build plan cleared')};document.getElementById('exportManifestBtn').onclick=()=>{const json=showExport(buildManifest());const blob=new Blob([json],{type:'application/json'});const url=URL.createObjectURL(blob);const a=document.createElement('a');a.href=url;a.download='commandlayer-build-plan.json';a.click();URL.revokeObjectURL(url);showToast('Build plan manifest exported')};document.getElementById('copyManifestBtn').onclick=()=>copyOutput('Build plan JSON',buildManifest());document.getElementById('copySdkConfigBtn').onclick=()=>copyOutput('SDK config',sdkConfig());document.getElementById('copyAgentCardBtn').onclick=()=>copyOutput('Agent card',agentCard());document.getElementById('copyEnsBtn').onclick=()=>copyOutput('ENS records',ensRecords());document.getElementById('copyDiscoveryBtn').onclick=()=>copyOutput('MCP surface draft',discoverySurface());const liveVerbDescriptions={verify:'Verify a receipt proof payload and confirm signature validity.',sign:'Sign canonical output with runtime signer identity.',attest:'Attach a cryptographic attestation to action output.',authorize:'Authorize an action against policy and signer context.',approve:'Approve a workflow decision with signed proof.',reject:'Reject a workflow decision with signed proof.',permit:'Permit scoped access with verifiable authorization.',grant:'Grant delegated permission with proof binding.',authenticate:'Authenticate identity claims and bind signer evidence.',endorse:'Endorse an action outcome with verifier-ready proof.'};
 const TRUST_VERBS=['verify','sign','attest','authorize','approve','reject','permit','grant','authenticate','endorse'];
-const TRUST_SCHEMA_REGISTRY=TRUST_VERBS.reduce((acc,verb)=>{acc[verb]={request:`/schemas/trust/${verb}.request.schema.json`,receipt:`/schemas/trust/${verb}.receipt.schema.json`};return acc;},{});
+const TRUST_SCHEMA_REGISTRY=TRUST_VERBS.reduce((acc,verb)=>{acc[verb]={request:`/schemas/trust-verification/${verb}/${verb}.request.schema.json`,receipt:`/schemas/trust-verification/${verb}/${verb}.receipt.schema.json`};return acc;},{});
 const liveSchemaPaths=[];
 const liveSchemaMap={};
 const liveManifests=['/capabilities/trust-verification/manifest.json'];
 const sourceBase='https://github.com/commandlayer/commandlayer-clas';
-const sourceTreeBase=`${sourceBase}/tree/main/schemas/trust`;
-const sourceRawBase='https://raw.githubusercontent.com/commandlayer/commandlayer-clas/main/schemas/trust';
+const sourceTreeBase=`${sourceBase}/tree/main/schemas/trust-verification`;
+const sourceRawBase='https://raw.githubusercontent.com/commandlayer/commandlayer-clas/main/schemas/trust-verification';
 const verbModal=document.getElementById('verbModal');const verbTitle=document.getElementById('verbTitle');const verbMeta=document.getElementById('verbMeta');const verbDesc=document.getElementById('verbDesc');const verbActions=document.getElementById('verbActions');const verbNote=document.getElementById('verbNote');const verbCloseBtn=document.getElementById('verbCloseBtn');let lastPill=null;
-function toAbsolutePublicUrl(path){return `https://www.commandlayer.org${path}`}
+function toAbsolutePublicUrl(path){return `https://commandlayer.org${path}`}
 async function urlExists(url){try{const res=await fetch(url,{method:'HEAD'});return res.ok}catch{return false}}
-async function resolveSchemaForVerb(verb,type){const localPath=TRUST_SCHEMA_REGISTRY[verb]?.[type];if(!localPath)return null;if(liveSchemaMap[localPath])return liveSchemaMap[localPath];const fileName=localPath.split('/').pop();const rawUrl=`${sourceRawBase}/${fileName}`;if(await urlExists(localPath)){liveSchemaMap[localPath]={path:localPath,publicUrl:toAbsolutePublicUrl(localPath),sourceUrl:`${sourceTreeBase}/${fileName}`};if(!liveSchemaPaths.includes(localPath))liveSchemaPaths.push(localPath);return liveSchemaMap[localPath];}if(await urlExists(rawUrl)){liveSchemaMap[localPath]={path:rawUrl,publicUrl:rawUrl,sourceUrl:`${sourceTreeBase}/${fileName}`};if(!liveSchemaPaths.includes(rawUrl))liveSchemaPaths.push(rawUrl);return liveSchemaMap[localPath];}liveSchemaMap[localPath]=null;return null}
+async function resolveSchemaForVerb(verb,type){const localPath=TRUST_SCHEMA_REGISTRY[verb]?.[type];if(!localPath)return null;if(liveSchemaMap[localPath])return liveSchemaMap[localPath];const fileName=localPath.split('/').pop();const rawUrl=`${sourceRawBase}/${verb}/${fileName}`;if(await urlExists(localPath)){liveSchemaMap[localPath]={path:localPath,publicUrl:toAbsolutePublicUrl(localPath),sourceUrl:`${sourceTreeBase}/${verb}/${fileName}`};if(!liveSchemaPaths.includes(localPath))liveSchemaPaths.push(localPath);return liveSchemaMap[localPath];}if(await urlExists(rawUrl)){liveSchemaMap[localPath]={path:rawUrl,publicUrl:rawUrl,sourceUrl:`${sourceTreeBase}/${verb}/${fileName}`};if(!liveSchemaPaths.includes(rawUrl))liveSchemaPaths.push(rawUrl);return liveSchemaMap[localPath];}liveSchemaMap[localPath]=null;return null}
 function closeVerbModal(){verbModal.classList.remove('show');verbModal.setAttribute('aria-hidden','true');if(lastPill)lastPill.focus()}
 function makeAction(label,opts={}){const a=document.createElement(opts.href?'a':'button');a.className='cap-action';a.textContent=label;if(opts.href){a.href=opts.href;if(opts.download)a.setAttribute('download',opts.download===true?'':opts.download);if(opts.target){a.target='_blank';a.rel='noopener'}}else{a.type='button';a.onclick=opts.onClick||(()=>{})}if(opts.disabled){a.classList.add('disabled');a.setAttribute('aria-disabled','true');if(a.tagName==='BUTTON')a.disabled=true;else{a.removeAttribute('href');a.removeAttribute('download');a.tabIndex=-1}}return a}
 async function openVerbDetail(card,pill){lastPill=pill;const verb=pill.dataset.verb;const capName=card.dataset.capName;const status=(card.dataset.status||'planned');verbTitle.textContent=verb+' · '+capName;verbMeta.textContent='Status: '+status.charAt(0).toUpperCase()+status.slice(1);verbDesc.textContent=status==='live'?(liveVerbDescriptions[verb]||'Live trust-verification verb for verifiable execution receipts.'):'Schema not published yet';verbActions.innerHTML='';if(status==='live'){const requestMeta=await resolveSchemaForVerb(verb,'request');const receiptMeta=await resolveSchemaForVerb(verb,'receipt');verbActions.appendChild(makeAction('Download request schema',{href:requestMeta?.path,download:`${verb}.request.schema.json`,disabled:!requestMeta}));verbActions.appendChild(makeAction('Download receipt schema',{href:receiptMeta?.path,download:`${verb}.receipt.schema.json`,disabled:!receiptMeta}));verbActions.appendChild(makeAction('Copy request schema URL',{disabled:!requestMeta,onClick:async()=>{await navigator.clipboard.writeText(requestMeta.publicUrl);showToast('Request schema URL copied')}}));verbActions.appendChild(makeAction('Copy receipt schema URL',{disabled:!receiptMeta,onClick:async()=>{await navigator.clipboard.writeText(receiptMeta.publicUrl);showToast('Receipt schema URL copied')}}));verbActions.appendChild(makeAction('Copy example JSON',{onClick:async()=>{const sample={capability:card.dataset.capId,verb,status:'live',request:{example:true}};await navigator.clipboard.writeText(JSON.stringify(sample,null,2));showToast('Example JSON copied')}}));verbActions.appendChild(makeAction('View source in CLAS repo',{href:requestMeta?.sourceUrl||sourceTreeBase,target:'_blank'}));verbActions.appendChild(makeAction('Add to build plan',{onClick:()=>{const btn=card.querySelector('[data-add-plan]');if(btn)btn.click()}}));verbNote.textContent=requestMeta||receiptMeta?'Schema download URLs are live for this verb.':'Schema not published yet for this verb.';}else{verbActions.appendChild(makeAction('Add to build plan',{onClick:()=>{const btn=card.querySelector('[data-add-plan]');if(btn)btn.click()}}));verbNote.textContent='Schema not published yet. Status: '+status.charAt(0).toUpperCase()+status.slice(1);}verbModal.classList.add('show');verbModal.setAttribute('aria-hidden','false');verbCloseBtn.focus()}
@@ -60,8 +60,8 @@
 async function downloadFamilyBundle(){const bundle=await buildFamilySchemaBundle();const blob=new Blob([JSON.stringify(bundle,null,2)],{type:'application/json'});const url=URL.createObjectURL(blob);const a=document.createElement('a');a.href=url;a.download='trust-verification-v1.schemas.json';a.click();URL.revokeObjectURL(url);showToast('Trust Verification family schemas bundle downloaded')}
 document.querySelectorAll('.cap-card').forEach(card=>{card.querySelectorAll('.cap-pill').forEach(pill=>{const verb=(pill.textContent||'').trim().toLowerCase();pill.dataset.verb=verb;pill.setAttribute('role','button');pill.setAttribute('tabindex','0');pill.setAttribute('aria-label','View details for '+verb+' in '+card.dataset.capName);pill.addEventListener('click',()=>openVerbDetail(card,pill));pill.addEventListener('keydown',e=>{if(e.key==='Enter'||e.key===' '){e.preventDefault();openVerbDetail(card,pill)}})})});
 verbCloseBtn.onclick=closeVerbModal;verbModal.addEventListener('click',e=>{if(e.target===verbModal)closeVerbModal()});document.addEventListener('keydown',e=>{if(e.key==='Escape'&&verbModal.classList.contains('show'))closeVerbModal()});
-const familyDownloadBtn=document.querySelector('[data-cap-id="trust-verification"] a.cap-action[href="/schemas/live-clas-schemas.index.json"]');if(familyDownloadBtn){familyDownloadBtn.href='#';familyDownloadBtn.removeAttribute('download');familyDownloadBtn.addEventListener('click',e=>{e.preventDefault();downloadFamilyBundle()});}
-const schemasBtn=document.getElementById('downloadLiveSchemasBtn');schemasBtn.href='#';schemasBtn.removeAttribute('download');schemasBtn.addEventListener('click',async e=>{e.preventDefault();await downloadFamilyBundle()});schemasBtn.removeAttribute('aria-disabled');schemasBtn.classList.remove('disabled');
+const familyDownloadBtn=document.querySelector('[data-cap-id="trust-verification"] a.cap-action[href="/schemas/live-clas-schemas.index.json"]');if(familyDownloadBtn){familyDownloadBtn.href='/schemas/trust-verification/manifest.json';familyDownloadBtn.setAttribute('download','trust-verification.manifest.json');}
+const schemasBtn=document.getElementById('downloadLiveSchemasBtn');schemasBtn.href='/schemas/trust-verification/manifest.json';schemasBtn.setAttribute('download','trust-verification.manifest.json');schemasBtn.removeAttribute('aria-disabled');schemasBtn.classList.remove('disabled');
 const manifestsBtn=document.getElementById('downloadLiveManifestsBtn');if(!liveManifests.length){manifestsBtn.classList.add('disabled');manifestsBtn.removeAttribute('href');manifestsBtn.setAttribute('aria-disabled','true');manifestsBtn.textContent='No live manifests published';}
 const schemaIndexBtn=document.getElementById('downloadSchemaIndexBtn');schemaIndexBtn.href='/schemas/index.json';schemaIndexBtn.setAttribute('download','schema-index.json');
 document.getElementById('addTrustBtn').onclick=()=>{const btn=document.querySelector('[data-cap-id="trust-verification"] [data-add-plan]');if(btn)btn.click()};renderPlan();
diff --git a/public/schemas/trust-verification/README.md b/public/schemas/trust-verification/README.md
new file mode 100644
index 0000000..e3e80cc
--- /dev/null
+++ b/public/schemas/trust-verification/README.md
@@ -0,0 +1,107 @@
+# CLAS Trust Verification v1
+
+## 1. Overview
+
+Trust Verification v1 defines a standards-oriented, machine-readable schema family for trust-related machine actions and decisions. It provides canonical verbs and structured receipts for verification, identity confirmation, permissioning, attestations, approvals, rejections, signatures, and endorsements.
+
+The intent is protocol interoperability: consistent request/receipt structures that can be validated, exchanged, and independently verified across systems.
+
+## 2. Canonical verbs
+
+Trust Verification v1 defines these canonical verbs:
+
+- `verify`
+- `authenticate`
+- `authorize`
+- `attest`
+- `sign`
+- `permit`
+- `grant`
+- `approve`
+- `reject`
+- `endorse`
+
+## 3. Verb definitions
+
+- **verify**: checks whether a subject, proof, receipt, signature, artifact, claim, or workflow result is valid.
+- **authenticate**: confirms the identity of an actor, signer, agent, service, key, user, or caller.
+- **authorize**: determines whether an actor is allowed to perform an action under a policy or scope.
+- **attest**: creates a signed claim about a subject.
+- **sign**: applies cryptographic authorship, approval, or intent to a payload.
+- **permit**: represents a portable permission artifact.
+- **grant**: issues access, authority, rights, or permission to an actor.
+- **approve**: records a positive decision on a proposal, transaction, request, deployment, or workflow step.
+- **reject**: records a negative decision on a proposal, transaction, request, deployment, or workflow step.
+- **endorse**: adds reputation, support, or trust weight to an actor, signer, claim, schema, service, or capability.
+
+## 4. Semantic boundaries
+
+- **verify vs attest**
+  - `verify` evaluates existing evidence and returns a validity outcome.
+  - `attest` produces new signed evidence (a claim) about a subject.
+
+- **authenticate vs authorize**
+  - `authenticate` answers "who is this actor?"
+  - `authorize` answers "what is this actor allowed to do?"
+
+- **authorize vs approve**
+  - `authorize` is policy/scope enforcement for allowed actions.
+  - `approve` is a decision event on a specific request, transaction, or workflow step.
+
+- **grant vs permit**
+  - `grant` is the issuance action that assigns rights.
+  - `permit` is the transferable/portable artifact expressing those rights.
+
+- **approve vs reject**
+  - `approve` records a positive decision.
+  - `reject` records a negative decision.
+
+- **sign vs attest**
+  - `sign` binds cryptographic intent/authorship to payload bytes.
+  - `attest` expresses a semantic claim about a subject and is typically signed.
+
+- **endorse vs certify**
+  - `endorse` adds support or trust weight without claiming formal institutional certification.
+  - `certify` is intentionally excluded from v1 because it overlaps with `verify` and `attest` and may imply regulatory or institutional certification semantics.
+
+## 5. Shared proof model
+
+Every receipt references the shared proof schema:
+
+- `../_shared/proof.schema.json`
+
+Shared proof fields (as defined in `_shared/proof.schema.json`):
+
+- `metadata.proof.canonicalization` — canonicalization identifier (const: `json.sorted_keys.v1`)
+- `metadata.proof.hash.alg` — hash algorithm (const: `SHA-256`)
+- `metadata.proof.hash.value` — lowercase SHA-256 hex digest (`64` hex chars)
+- `metadata.proof.signature.alg` — signature algorithm (const: `Ed25519`)
+- `metadata.proof.signature.value` — signature value
+- `metadata.proof.signature.kid` — key identifier
+
+These fields provide a common cryptographic envelope model across all verb receipts.
+
+## 6. Schema-valid vs cryptographically valid
+
+A receipt can be valid JSON and pass schema validation while still failing cryptographic verification.
+
+Tampered receipts are expected to remain schema-valid but fail signature/hash verification.
+
+Schema conformance and cryptographic integrity are separate checks and must both be evaluated.
+
+## 7. Examples
+
+Each verb's `examples/` folder includes:
+
+- `valid.request.json`: a schema-valid request example for the verb.
+- `valid.receipt.json`: a schema-valid receipt example with intact proof fields.
+- `tampered.receipt.json`: a schema-valid receipt whose payload/proof relationship has been altered and should fail cryptographic verification.
+- `invalid.receipt.json`: a receipt that fails schema validation.
+
+## 8. File convention
+
+Each verb folder contains:
+
+- `<verb>.request.schema.json`
+- `<verb>.receipt.schema.json`
+- `examples/`
diff --git a/public/schemas/trust-verification/_shared/proof.schema.json b/public/schemas/trust-verification/_shared/proof.schema.json
new file mode 100644
index 0000000..e59b10d
--- /dev/null
+++ b/public/schemas/trust-verification/_shared/proof.schema.json
@@ -0,0 +1,103 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://schemas.commandlayer.org/schemas/v1.0.0/trust/_shared/proof.schema.json",
+  "title": "CLAS Trust Proof",
+  "description": "Shared proof envelope for trust verification receipts.",
+  "type": "object",
+  "additionalProperties": false,
+  "required": [
+    "canonicalization",
+    "hash",
+    "signature"
+  ],
+  "properties": {
+    "canonicalization": {
+      "$comment": "erc8211.composable.v1: ERC-8211 composable execution canonicalization recognized. Merkle authorization verification is deferred pending the companion Merkle authorization ERC.",
+      "enum": [
+        "json.sorted_keys.v1",
+        "erc8211.composable.v1"
+      ]
+    },
+    "hash": {
+      "type": "object",
+      "additionalProperties": false,
+      "required": [
+        "alg",
+        "value"
+      ],
+      "properties": {
+        "alg": {
+          "const": "SHA-256"
+        },
+        "value": {
+          "type": "string",
+          "pattern": "^[a-fA-F0-9]{64}$"
+        }
+      }
+    },
+    "signature": {
+      "oneOf": [
+        {
+          "type": "object",
+          "additionalProperties": false,
+          "required": [
+            "alg",
+            "value",
+            "kid"
+          ],
+          "properties": {
+            "alg": {
+              "const": "Ed25519"
+            },
+            "value": {
+              "type": "string",
+              "minLength": 16
+            },
+            "kid": {
+              "type": "string",
+              "minLength": 1
+            }
+          }
+        },
+        {
+          "type": "array",
+          "minItems": 1,
+          "items": {
+            "type": "object",
+            "additionalProperties": false,
+            "required": [
+              "alg",
+              "value",
+              "kid",
+              "role"
+            ],
+            "properties": {
+              "alg": {
+                "const": "Ed25519"
+              },
+              "value": {
+                "type": "string",
+                "minLength": 16
+              },
+              "kid": {
+                "type": "string",
+                "minLength": 1
+              },
+              "role": {
+                "type": "string",
+                "enum": [
+                  "user",
+                  "solver",
+                  "relayer",
+                  "agent",
+                  "runtime",
+                  "verifier"
+                ]
+              }
+            }
+          }
+        }
+      ]
+    }
+  }
+}
diff --git a/public/schemas/trust-verification/_shared/trace.schema.json b/public/schemas/trust-verification/_shared/trace.schema.json
new file mode 100644
index 0000000..f06314f
--- /dev/null
+++ b/public/schemas/trust-verification/_shared/trace.schema.json
@@ -0,0 +1,36 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://schemas.commandlayer.org/schemas/v1.0.0/trust/_shared/trace.schema.json",
+  "title": "CLAS Trace",
+  "description": "Shared trace envelope for correlating requests and receipts across agents, hops, workflows, solver fills, and spans.",
+  "type": "object",
+  "additionalProperties": false,
+  "required": [
+    "trace_id"
+  ],
+  "properties": {
+    "trace_id": {
+      "type": "string",
+      "maxLength": 128
+    },
+    "span_id": {
+      "type": "string",
+      "maxLength": 128
+    },
+    "parent_span_id": {
+      "type": "string",
+      "maxLength": 128
+    },
+    "timestamp": {
+      "type": "string",
+      "format": "date-time"
+    },
+    "tags": {
+      "type": "object",
+      "additionalProperties": {
+        "type": "string",
+        "maxLength": 512
+      }
+    }
+  }
+}
diff --git a/public/schemas/trust-verification/approve/approve.mcp.tool.schema.json b/public/schemas/trust-verification/approve/approve.mcp.tool.schema.json
new file mode 100644
index 0000000..9d35270
--- /dev/null
+++ b/public/schemas/trust-verification/approve/approve.mcp.tool.schema.json
@@ -0,0 +1,18 @@
+{
+  "name": "clas_trust_approve",
+  "title": "CLAS Trust Approve",
+  "description": "Record a positive decision on a proposal, transaction, request, deployment, or workflow step. Successful execution returns a CLAS approve receipt.",
+  "inputSchema": {
+    "$ref": "./approve.request.schema.json"
+  },
+  "outputSchema": {
+    "$ref": "./approve.receipt.schema.json",
+    "description": "CLAS approve receipt returned when approve execution succeeds."
+  },
+  "annotations": {
+    "readOnlyHint": false,
+    "destructiveHint": false,
+    "idempotentHint": false,
+    "openWorldHint": false
+  }
+}
diff --git a/public/schemas/trust-verification/approve/approve.openapi.yaml b/public/schemas/trust-verification/approve/approve.openapi.yaml
new file mode 100644
index 0000000..133075a
--- /dev/null
+++ b/public/schemas/trust-verification/approve/approve.openapi.yaml
@@ -0,0 +1,28 @@
+openapi: 3.1.0
+info:
+  title: CLAS Trust Verification Approve API
+  version: 1.0.0
+paths:
+  /v1/trust-verification/approve:
+    post:
+      operationId: approveTrustVerificationAction
+      description: Record a positive decision on a proposal, transaction, request, deployment, or workflow step.
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              $ref: ./approve.request.schema.json
+      responses:
+        '200':
+          description: Approve receipt.
+          content:
+            application/json:
+              schema:
+                $ref: ./approve.receipt.schema.json
+        '400':
+          description: Invalid CLAS request.
+        '401':
+          description: Unauthorized signer or caller.
+        '422':
+          description: Semantic validation failure.
diff --git a/public/schemas/trust-verification/approve/approve.receipt.schema.json b/public/schemas/trust-verification/approve/approve.receipt.schema.json
new file mode 100644
index 0000000..a2f5029
--- /dev/null
+++ b/public/schemas/trust-verification/approve/approve.receipt.schema.json
@@ -0,0 +1,83 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://schemas.commandlayer.org/schemas/v1.0.0/trust/approve/approve.receipt.schema.json",
+  "title": "CLAS Trust Approve Receipt",
+  "description": "A signed receipt proving that an approval decision was made.",
+  "type": "object",
+  "additionalProperties": false,
+  "required": [
+    "version",
+    "family",
+    "verb",
+    "receipt_id",
+    "request",
+    "approval",
+    "ts",
+    "metadata"
+  ],
+  "properties": {
+    "version": {
+      "const": "1.0.0"
+    },
+    "family": {
+      "const": "trust"
+    },
+    "verb": {
+      "const": "approve"
+    },
+    "receipt_id": {
+      "type": "string",
+      "minLength": 1
+    },
+    "request": {
+      "$ref": "./approve.request.schema.json"
+    },
+    "approval": {
+      "type": "object",
+      "additionalProperties": false,
+      "required": [
+        "status"
+      ],
+      "properties": {
+        "status": {
+          "type": "string",
+          "enum": [
+            "approved",
+            "denied",
+            "conditional",
+            "expired"
+          ]
+        },
+        "approval_id": {
+          "type": "string"
+        },
+        "reason": {
+          "type": "string"
+        },
+        "expires_at": {
+          "type": "string",
+          "format": "date-time"
+        }
+      }
+    },
+    "ts": {
+      "type": "string",
+      "format": "date-time"
+    },
+    "metadata": {
+      "type": "object",
+      "additionalProperties": false,
+      "required": [
+        "proof"
+      ],
+      "properties": {
+        "proof": {
+          "$ref": "../_shared/proof.schema.json"
+        },
+        "trace": {
+          "$ref": "../_shared/trace.schema.json"
+        }
+      }
+    }
+  }
+}
diff --git a/public/schemas/trust-verification/approve/approve.request.schema.json b/public/schemas/trust-verification/approve/approve.request.schema.json
new file mode 100644
index 0000000..693dd00
--- /dev/null
+++ b/public/schemas/trust-verification/approve/approve.request.schema.json
@@ -0,0 +1,29 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://schemas.commandlayer.org/schemas/v1.0.0/trust/approve/approve.request.schema.json",
+  "title": "CLAS Trust Approve Request",
+  "description": "A request to approve a proposal, action, request, policy, artifact, transaction, or workflow step.",
+  "type": "object",
+  "additionalProperties": false,
+  "required": ["version", "family", "verb", "approver", "subject"],
+  "properties": {
+    "version": { "const": "1.0.0" },
+    "family": { "const": "trust" },
+    "verb": { "const": "approve" },
+    "approver": { "type": "string", "minLength": 1 },
+    "subject": {
+      "type": "object",
+      "additionalProperties": true,
+      "required": ["type", "id"],
+      "properties": {
+        "type": { "type": "string", "minLength": 1 },
+        "id": { "type": "string", "minLength": 1 },
+        "uri": { "type": "string" },
+        "content_hash": { "type": "string", "pattern": "^sha256:[a-fA-F0-9]{64}$" }
+      }
+    },
+    "approval_scope": { "type": "string" },
+    "conditions": { "type": "object", "additionalProperties": true },
+    "context": { "type": "object", "additionalProperties": true }
+  }
+}
diff --git a/public/schemas/trust-verification/approve/examples/invalid.receipt.json b/public/schemas/trust-verification/approve/examples/invalid.receipt.json
new file mode 100644
index 0000000..4b87ee6
--- /dev/null
+++ b/public/schemas/trust-verification/approve/examples/invalid.receipt.json
@@ -0,0 +1,51 @@
+{
+  "version": "1.0.0",
+  "family": "trust",
+  "verb": "approve",
+  "receipt_id": "rcpt-approve-20260510-0001",
+  "request": {
+    "version": "1.0.0",
+    "family": "trust",
+    "verb": "approve",
+    "approver": "runtime.commandlayer.eth",
+    "subject": {
+      "type": "deployment_request",
+      "id": "deploy-orders-api-2026-05-10-rc3",
+      "uri": "cl://deploy/requests/deploy-orders-api-2026-05-10-rc3",
+      "content_hash": "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+    },
+    "approval_scope": "production-deployment",
+    "conditions": {
+      "change_window": "2026-05-10T13:00:00Z/2026-05-10T14:00:00Z",
+      "requires_post_check": "synthetic-http-5m"
+    },
+    "context": {
+      "environment": "prod-us-east-1",
+      "policy_id": "policy.prod.change-approval.v5",
+      "tenant_id": "tenant-acme-prod",
+      "request_id": "req-approve-20260510-0001",
+      "correlation_id": "corr-release-20260510-a8"
+    }
+  },
+  "approval": {
+    "status": "approved",
+    "approval_id": "approval-prod-deploy-20260510-01",
+    "reason": "All deployment gates passed and change window active.",
+    "expires_at": "2026-05-10T14:00:00Z"
+  },
+  "ts": "2026-05-10T12:05:00Z",
+  "metadata": {
+    "proof": {
+      "canonicalization": "json.sorted_keys.v1",
+      "hash": {
+        "alg": "SHA-256",
+        "value": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+      },
+      "signature": {
+        "alg": "ed25519",
+        "value": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd",
+        "kid": "cl-key-1"
+      }
+    }
+  }
+}
diff --git a/public/schemas/trust-verification/approve/examples/tampered.receipt.json b/public/schemas/trust-verification/approve/examples/tampered.receipt.json
new file mode 100644
index 0000000..05c457b
--- /dev/null
+++ b/public/schemas/trust-verification/approve/examples/tampered.receipt.json
@@ -0,0 +1,51 @@
+{
+  "version": "1.0.0",
+  "family": "trust",
+  "verb": "approve",
+  "receipt_id": "rcpt-approve-20260510-0001",
+  "request": {
+    "version": "1.0.0",
+    "family": "trust",
+    "verb": "approve",
+    "approver": "runtime.commandlayer.eth",
+    "subject": {
+      "type": "deployment_request",
+      "id": "deploy-orders-api-2026-05-10-rc3",
+      "uri": "cl://deploy/requests/deploy-orders-api-2026-05-10-rc3",
+      "content_hash": "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+    },
+    "approval_scope": "production-deployment",
+    "conditions": {
+      "change_window": "2026-05-10T13:00:00Z/2026-05-10T14:00:00Z",
+      "requires_post_check": "synthetic-http-5m"
+    },
+    "context": {
+      "environment": "prod-us-east-1",
+      "policy_id": "policy.prod.change-approval.v5",
+      "tenant_id": "tenant-acme-prod",
+      "request_id": "req-approve-20260510-0001",
+      "correlation_id": "corr-release-20260510-a8"
+    }
+  },
+  "approval": {
+    "status": "conditional",
+    "approval_id": "approval-prod-deploy-20260510-01",
+    "reason": "All deployment gates passed and change window active.",
+    "expires_at": "2026-05-10T14:00:00Z"
+  },
+  "ts": "2026-05-10T12:05:00Z",
+  "metadata": {
+    "proof": {
+      "canonicalization": "json.sorted_keys.v1",
+      "hash": {
+        "alg": "SHA-256",
+        "value": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+      },
+      "signature": {
+        "alg": "Ed25519",
+        "value": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd",
+        "kid": "cl-key-1"
+      }
+    }
+  }
+}
diff --git a/public/schemas/trust-verification/approve/examples/valid.receipt.json b/public/schemas/trust-verification/approve/examples/valid.receipt.json
new file mode 100644
index 0000000..16031cc
--- /dev/null
+++ b/public/schemas/trust-verification/approve/examples/valid.receipt.json
@@ -0,0 +1,51 @@
+{
+  "version": "1.0.0",
+  "family": "trust",
+  "verb": "approve",
+  "receipt_id": "rcpt-approve-20260510-0001",
+  "request": {
+    "version": "1.0.0",
+    "family": "trust",
+    "verb": "approve",
+    "approver": "runtime.commandlayer.eth",
+    "subject": {
+      "type": "deployment_request",
+      "id": "deploy-orders-api-2026-05-10-rc3",
+      "uri": "cl://deploy/requests/deploy-orders-api-2026-05-10-rc3",
+      "content_hash": "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+    },
+    "approval_scope": "production-deployment",
+    "conditions": {
+      "change_window": "2026-05-10T13:00:00Z/2026-05-10T14:00:00Z",
+      "requires_post_check": "synthetic-http-5m"
+    },
+    "context": {
+      "environment": "prod-us-east-1",
+      "policy_id": "policy.prod.change-approval.v5",
+      "tenant_id": "tenant-acme-prod",
+      "request_id": "req-approve-20260510-0001",
+      "correlation_id": "corr-release-20260510-a8"
+    }
+  },
+  "approval": {
+    "status": "approved",
+    "approval_id": "approval-prod-deploy-20260510-01",
+    "reason": "All deployment gates passed and change window active.",
+    "expires_at": "2026-05-10T14:00:00Z"
+  },
+  "ts": "2026-05-10T12:05:00Z",
+  "metadata": {
+    "proof": {
+      "canonicalization": "json.sorted_keys.v1",
+      "hash": {
+        "alg": "SHA-256",
+        "value": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+      },
+      "signature": {
+        "alg": "Ed25519",
+        "value": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd",
+        "kid": "cl-key-1"
+      }
+    }
+  }
+}
diff --git a/public/schemas/trust-verification/approve/examples/valid.request.json b/public/schemas/trust-verification/approve/examples/valid.request.json
new file mode 100644
index 0000000..77f5194
--- /dev/null
+++ b/public/schemas/trust-verification/approve/examples/valid.request.json
@@ -0,0 +1,24 @@
+{
+  "version": "1.0.0",
+  "family": "trust",
+  "verb": "approve",
+  "approver": "runtime.commandlayer.eth",
+  "subject": {
+    "type": "deployment_request",
+    "id": "deploy-orders-api-2026-05-10-rc3",
+    "uri": "cl://deploy/requests/deploy-orders-api-2026-05-10-rc3",
+    "content_hash": "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+  },
+  "approval_scope": "production-deployment",
+  "conditions": {
+    "change_window": "2026-05-10T13:00:00Z/2026-05-10T14:00:00Z",
+    "requires_post_check": "synthetic-http-5m"
+  },
+  "context": {
+    "environment": "prod-us-east-1",
+    "policy_id": "policy.prod.change-approval.v5",
+    "tenant_id": "tenant-acme-prod",
+    "request_id": "req-approve-20260510-0001",
+    "correlation_id": "corr-release-20260510-a8"
+  }
+}
diff --git a/public/schemas/trust-verification/attest/attest.mcp.tool.schema.json b/public/schemas/trust-verification/attest/attest.mcp.tool.schema.json
new file mode 100644
index 0000000..b70d43a
--- /dev/null
+++ b/public/schemas/trust-verification/attest/attest.mcp.tool.schema.json
@@ -0,0 +1,18 @@
+{
+  "name": "clas_trust_attest",
+  "title": "CLAS Trust Attest",
+  "description": "Produce a signed attestation about a subject or fact. Successful execution returns a CLAS attest receipt.",
+  "inputSchema": {
+    "$ref": "./attest.request.schema.json"
+  },
+  "outputSchema": {
+    "$ref": "./attest.receipt.schema.json",
+    "description": "CLAS attest receipt returned when attestation execution succeeds."
+  },
+  "annotations": {
+    "readOnlyHint": false,
+    "destructiveHint": false,
+    "idempotentHint": false,
+    "openWorldHint": true
+  }
+}
diff --git a/public/schemas/trust-verification/attest/attest.openapi.yaml b/public/schemas/trust-verification/attest/attest.openapi.yaml
new file mode 100644
index 0000000..8727392
--- /dev/null
+++ b/public/schemas/trust-verification/attest/attest.openapi.yaml
@@ -0,0 +1,28 @@
+openapi: 3.1.0
+info:
+  title: CLAS Trust Verification Attest API
+  version: 1.0.0
+paths:
+  /v1/trust-verification/attest:
+    post:
+      operationId: attestTrustVerificationAction
+      description: Create a signed claim about a subject.
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              $ref: ./attest.request.schema.json
+      responses:
+        '200':
+          description: Attestation receipt.
+          content:
+            application/json:
+              schema:
+                $ref: ./attest.receipt.schema.json
+        '400':
+          description: Invalid CLAS request.
+        '401':
+          description: Unauthorized signer or caller.
+        '422':
+          description: Semantic validation failure.
diff --git a/public/schemas/trust-verification/attest/attest.receipt.schema.json b/public/schemas/trust-verification/attest/attest.receipt.schema.json
new file mode 100644
index 0000000..687b2f0
--- /dev/null
+++ b/public/schemas/trust-verification/attest/attest.receipt.schema.json
@@ -0,0 +1,83 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://schemas.commandlayer.org/schemas/v1.0.0/trust/attest/attest.receipt.schema.json",
+  "title": "CLAS Trust Attest Receipt",
+  "description": "A signed receipt proving that an attestation was issued.",
+  "type": "object",
+  "additionalProperties": false,
+  "required": [
+    "version",
+    "family",
+    "verb",
+    "receipt_id",
+    "request",
+    "attestation",
+    "ts",
+    "metadata"
+  ],
+  "properties": {
+    "version": {
+      "const": "1.0.0"
+    },
+    "family": {
+      "const": "trust"
+    },
+    "verb": {
+      "const": "attest"
+    },
+    "receipt_id": {
+      "type": "string",
+      "minLength": 1
+    },
+    "request": {
+      "$ref": "./attest.request.schema.json"
+    },
+    "attestation": {
+      "type": "object",
+      "additionalProperties": false,
+      "required": [
+        "status",
+        "statement"
+      ],
+      "properties": {
+        "status": {
+          "type": "string",
+          "enum": [
+            "attested",
+            "refused",
+            "revoked"
+          ]
+        },
+        "statement": {
+          "type": "string"
+        },
+        "attestation_id": {
+          "type": "string"
+        },
+        "expires_at": {
+          "type": "string",
+          "format": "date-time"
+        }
+      }
+    },
+    "ts": {
+      "type": "string",
+      "format": "date-time"
+    },
+    "metadata": {
+      "type": "object",
+      "additionalProperties": false,
+      "required": [
+        "proof"
+      ],
+      "properties": {
+        "proof": {
+          "$ref": "../_shared/proof.schema.json"
+        },
+        "trace": {
+          "$ref": "../_shared/trace.schema.json"
+        }
+      }
+    }
+  }
+}
diff --git a/public/schemas/trust-verification/attest/attest.request.schema.json b/public/schemas/trust-verification/attest/attest.request.schema.json
new file mode 100644
index 0000000..e220c9f
--- /dev/null
+++ b/public/schemas/trust-verification/attest/attest.request.schema.json
@@ -0,0 +1,40 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://schemas.commandlayer.org/schemas/v1.0.0/trust/attest/attest.request.schema.json",
+  "title": "CLAS Trust Attest Request",
+  "description": "A request to produce an attestation about a subject or fact.",
+  "type": "object",
+  "additionalProperties": false,
+  "required": ["version", "family", "verb", "attester", "subject", "statement"],
+  "properties": {
+    "version": { "const": "1.0.0" },
+    "family": { "const": "trust" },
+    "verb": { "const": "attest" },
+    "attester": { "type": "string", "minLength": 1 },
+    "subject": {
+      "type": "object",
+      "additionalProperties": true,
+      "required": ["type", "id"],
+      "properties": {
+        "type": { "type": "string", "minLength": 1 },
+        "id": { "type": "string", "minLength": 1 }
+      }
+    },
+    "statement": { "type": "string", "minLength": 1 },
+    "evidence": {
+      "type": "array",
+      "items": {
+        "type": "object",
+        "additionalProperties": true,
+        "required": ["type", "id"],
+        "properties": {
+          "type": { "type": "string" },
+          "id": { "type": "string" },
+          "uri": { "type": "string" },
+          "hash": { "type": "string", "pattern": "^sha256:[a-fA-F0-9]{64}$" }
+        }
+      }
+    },
+    "context": { "type": "object", "additionalProperties": true }
+  }
+}
diff --git a/public/schemas/trust-verification/attest/examples/invalid.receipt.json b/public/schemas/trust-verification/attest/examples/invalid.receipt.json
new file mode 100644
index 0000000..b82bbb2
--- /dev/null
+++ b/public/schemas/trust-verification/attest/examples/invalid.receipt.json
@@ -0,0 +1,60 @@
+{
+  "version": "1.0.0",
+  "family": "trust",
+  "verb": "attest",
+  "receipt_id": "",
+  "request": {
+    "version": "1.0.0",
+    "family": "trust",
+    "verb": "attest",
+    "attester": "runtime.commandlayer.eth",
+    "subject": {
+      "type": "container_image",
+      "id": "ghcr.io/acme/payments@sha256:9f4ce1de2cbb19aa1f8d36a717f6312ad28d7cb151f5e4d7dcce8fd001122334",
+      "uri": "ghcr.io/acme/payments@sha256:9f4ce1de2cbb19aa1f8d36a717f6312ad28d7cb151f5e4d7dcce8fd001122334"
+    },
+    "statement": "Image passed vulnerability policy P0/P1 gate at build time.",
+    "evidence": [
+      {
+        "type": "sbom",
+        "id": "sbom-payments-20260510",
+        "uri": "s3://acme-secure-artifacts/sbom/payments-20260510.spdx.json",
+        "hash": "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+      },
+      {
+        "type": "scan_report",
+        "id": "scan-trivy-20260510-01",
+        "uri": "s3://acme-secure-artifacts/scans/payments-20260510-trivy.json",
+        "hash": "sha256:bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"
+      }
+    ],
+    "context": {
+      "environment": "prod-us-east-1",
+      "policy_id": "policy.image-vuln-gate.v2",
+      "tenant_id": "tenant-acme-prod",
+      "request_id": "req-attest-20260510-0001",
+      "correlation_id": "corr-build-20260510-i7"
+    }
+  },
+  "attestation": {
+    "status": "attested",
+    "statement": "Image passed vulnerability policy P0/P1 gate at build time.",
+    "attestation_id": "att-image-vuln-20260510-01",
+    "expires_at": "2026-06-10T12:00:00Z"
+  },
+  "ts": "2026-05-10T12:05:00Z",
+  "metadata": {
+    "proof": {
+      "canonicalization": "json.sorted_keys.v1",
+      "hash": {
+        "alg": "SHA-256",
+        "value": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+      },
+      "signature": {
+        "alg": "Ed25519",
+        "value": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd",
+        "kid": "cl-key-1"
+      }
+    }
+  }
+}
diff --git a/public/schemas/trust-verification/attest/examples/tampered.receipt.json b/public/schemas/trust-verification/attest/examples/tampered.receipt.json
new file mode 100644
index 0000000..e5d1299
--- /dev/null
+++ b/public/schemas/trust-verification/attest/examples/tampered.receipt.json
@@ -0,0 +1,60 @@
+{
+  "version": "1.0.0",
+  "family": "trust",
+  "verb": "attest",
+  "receipt_id": "rcpt-attest-20260510-0001",
+  "request": {
+    "version": "1.0.0",
+    "family": "trust",
+    "verb": "attest",
+    "attester": "runtime.commandlayer.eth",
+    "subject": {
+      "type": "container_image",
+      "id": "ghcr.io/acme/payments@sha256:9f4ce1de2cbb19aa1f8d36a717f6312ad28d7cb151f5e4d7dcce8fd001122334",
+      "uri": "ghcr.io/acme/payments@sha256:9f4ce1de2cbb19aa1f8d36a717f6312ad28d7cb151f5e4d7dcce8fd001122334"
+    },
+    "statement": "Image passed vulnerability policy P0/P1 gate at build time.",
+    "evidence": [
+      {
+        "type": "sbom",
+        "id": "sbom-payments-20260510",
+        "uri": "s3://acme-secure-artifacts/sbom/payments-20260510.spdx.json",
+        "hash": "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+      },
+      {
+        "type": "scan_report",
+        "id": "scan-trivy-20260510-01",
+        "uri": "s3://acme-secure-artifacts/scans/payments-20260510-trivy.json",
+        "hash": "sha256:bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"
+      }
+    ],
+    "context": {
+      "environment": "prod-us-east-1",
+      "policy_id": "policy.image-vuln-gate.v2",
+      "tenant_id": "tenant-acme-prod",
+      "request_id": "req-attest-20260510-0001",
+      "correlation_id": "corr-build-20260510-i7"
+    }
+  },
+  "attestation": {
+    "status": "revoked",
+    "statement": "Image passed vulnerability policy P0/P1 gate at build time.",
+    "attestation_id": "att-image-vuln-20260510-01",
+    "expires_at": "2026-06-10T12:00:00Z"
+  },
+  "ts": "2026-05-10T12:05:00Z",
+  "metadata": {
+    "proof": {
+      "canonicalization": "json.sorted_keys.v1",
+      "hash": {
+        "alg": "SHA-256",
+        "value": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+      },
+      "signature": {
+        "alg": "Ed25519",
+        "value": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd",
+        "kid": "cl-key-1"
+      }
+    }
+  }
+}
diff --git a/public/schemas/trust-verification/attest/examples/valid.receipt.json b/public/schemas/trust-verification/attest/examples/valid.receipt.json
new file mode 100644
index 0000000..f727f86
--- /dev/null
+++ b/public/schemas/trust-verification/attest/examples/valid.receipt.json
@@ -0,0 +1,60 @@
+{
+  "version": "1.0.0",
+  "family": "trust",
+  "verb": "attest",
+  "receipt_id": "rcpt-attest-20260510-0001",
+  "request": {
+    "version": "1.0.0",
+    "family": "trust",
+    "verb": "attest",
+    "attester": "runtime.commandlayer.eth",
+    "subject": {
+      "type": "container_image",
+      "id": "ghcr.io/acme/payments@sha256:9f4ce1de2cbb19aa1f8d36a717f6312ad28d7cb151f5e4d7dcce8fd001122334",
+      "uri": "ghcr.io/acme/payments@sha256:9f4ce1de2cbb19aa1f8d36a717f6312ad28d7cb151f5e4d7dcce8fd001122334"
+    },
+    "statement": "Image passed vulnerability policy P0/P1 gate at build time.",
+    "evidence": [
+      {
+        "type": "sbom",
+        "id": "sbom-payments-20260510",
+        "uri": "s3://acme-secure-artifacts/sbom/payments-20260510.spdx.json",
+        "hash": "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+      },
+      {
+        "type": "scan_report",
+        "id": "scan-trivy-20260510-01",
+        "uri": "s3://acme-secure-artifacts/scans/payments-20260510-trivy.json",
+        "hash": "sha256:bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"
+      }
+    ],
+    "context": {
+      "environment": "prod-us-east-1",
+      "policy_id": "policy.image-vuln-gate.v2",
+      "tenant_id": "tenant-acme-prod",
+      "request_id": "req-attest-20260510-0001",
+      "correlation_id": "corr-build-20260510-i7"
+    }
+  },
+  "attestation": {
+    "status": "attested",
+    "statement": "Image passed vulnerability policy P0/P1 gate at build time.",
+    "attestation_id": "att-image-vuln-20260510-01",
+    "expires_at": "2026-06-10T12:00:00Z"
+  },
+  "ts": "2026-05-10T12:05:00Z",
+  "metadata": {
+    "proof": {
+      "canonicalization": "json.sorted_keys.v1",
+      "hash": {
+        "alg": "SHA-256",
+        "value": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+      },
+      "signature": {
+        "alg": "Ed25519",
+        "value": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd",
+        "kid": "cl-key-1"
+      }
+    }
+  }
+}
diff --git a/public/schemas/trust-verification/attest/examples/valid.request.json b/public/schemas/trust-verification/attest/examples/valid.request.json
new file mode 100644
index 0000000..78533d3
--- /dev/null
+++ b/public/schemas/trust-verification/attest/examples/valid.request.json
@@ -0,0 +1,33 @@
+{
+  "version": "1.0.0",
+  "family": "trust",
+  "verb": "attest",
+  "attester": "runtime.commandlayer.eth",
+  "subject": {
+    "type": "container_image",
+    "id": "ghcr.io/acme/payments@sha256:9f4ce1de2cbb19aa1f8d36a717f6312ad28d7cb151f5e4d7dcce8fd001122334",
+    "uri": "ghcr.io/acme/payments@sha256:9f4ce1de2cbb19aa1f8d36a717f6312ad28d7cb151f5e4d7dcce8fd001122334"
+  },
+  "statement": "Image passed vulnerability policy P0/P1 gate at build time.",
+  "evidence": [
+    {
+      "type": "sbom",
+      "id": "sbom-payments-20260510",
+      "uri": "s3://acme-secure-artifacts/sbom/payments-20260510.spdx.json",
+      "hash": "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+    },
+    {
+      "type": "scan_report",
+      "id": "scan-trivy-20260510-01",
+      "uri": "s3://acme-secure-artifacts/scans/payments-20260510-trivy.json",
+      "hash": "sha256:bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"
+    }
+  ],
+  "context": {
+    "environment": "prod-us-east-1",
+    "policy_id": "policy.image-vuln-gate.v2",
+    "tenant_id": "tenant-acme-prod",
+    "request_id": "req-attest-20260510-0001",
+    "correlation_id": "corr-build-20260510-i7"
+  }
+}
diff --git a/public/schemas/trust-verification/authenticate/authenticate.mcp.tool.schema.json b/public/schemas/trust-verification/authenticate/authenticate.mcp.tool.schema.json
new file mode 100644
index 0000000..b7a7102
--- /dev/null
+++ b/public/schemas/trust-verification/authenticate/authenticate.mcp.tool.schema.json
@@ -0,0 +1,18 @@
+{
+  "name": "clas_trust_authenticate",
+  "title": "CLAS Trust Authenticate",
+  "description": "Confirm the identity of an actor, signer, agent, service, key, user, or caller. Successful execution returns a CLAS authenticate receipt.",
+  "inputSchema": {
+    "$ref": "./authenticate.request.schema.json"
+  },
+  "outputSchema": {
+    "$ref": "./authenticate.receipt.schema.json",
+    "description": "CLAS authenticate receipt returned when authenticate execution succeeds."
+  },
+  "annotations": {
+    "readOnlyHint": true,
+    "destructiveHint": false,
+    "idempotentHint": true,
+    "openWorldHint": true
+  }
+}
diff --git a/public/schemas/trust-verification/authenticate/authenticate.openapi.yaml b/public/schemas/trust-verification/authenticate/authenticate.openapi.yaml
new file mode 100644
index 0000000..1e2142b
--- /dev/null
+++ b/public/schemas/trust-verification/authenticate/authenticate.openapi.yaml
@@ -0,0 +1,28 @@
+openapi: 3.1.0
+info:
+  title: CLAS Trust Verification Authenticate API
+  version: 1.0.0
+paths:
+  /v1/trust-verification/authenticate:
+    post:
+      operationId: authenticateTrustVerificationAction
+      description: Confirm the identity of an actor, signer, agent, service, key, user, or caller.
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              $ref: ./authenticate.request.schema.json
+      responses:
+        '200':
+          description: Authenticate receipt.
+          content:
+            application/json:
+              schema:
+                $ref: ./authenticate.receipt.schema.json
+        '400':
+          description: Invalid CLAS request.
+        '401':
+          description: Unauthorized signer or caller.
+        '422':
+          description: Semantic validation failure.
diff --git a/public/schemas/trust-verification/authenticate/authenticate.receipt.schema.json b/public/schemas/trust-verification/authenticate/authenticate.receipt.schema.json
new file mode 100644
index 0000000..6e5407a
--- /dev/null
+++ b/public/schemas/trust-verification/authenticate/authenticate.receipt.schema.json
@@ -0,0 +1,91 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://schemas.commandlayer.org/schemas/v1.0.0/trust/authenticate/authenticate.receipt.schema.json",
+  "title": "CLAS Trust Authenticate Receipt",
+  "description": "A signed receipt proving that an authentication action was performed.",
+  "type": "object",
+  "additionalProperties": false,
+  "required": [
+    "version",
+    "family",
+    "verb",
+    "receipt_id",
+    "request",
+    "authentication",
+    "ts",
+    "metadata"
+  ],
+  "properties": {
+    "version": {
+      "const": "1.0.0"
+    },
+    "family": {
+      "const": "trust"
+    },
+    "verb": {
+      "const": "authenticate"
+    },
+    "receipt_id": {
+      "type": "string",
+      "minLength": 1
+    },
+    "request": {
+      "$ref": "./authenticate.request.schema.json"
+    },
+    "authentication": {
+      "type": "object",
+      "additionalProperties": false,
+      "required": [
+        "status"
+      ],
+      "properties": {
+        "status": {
+          "type": "string",
+          "enum": [
+            "authenticated",
+            "unauthenticated",
+            "uncertain",
+            "expired"
+          ]
+        },
+        "subject_id": {
+          "type": "string"
+        },
+        "method": {
+          "type": "string"
+        },
+        "confidence": {
+          "type": "number",
+          "minimum": 0,
+          "maximum": 1
+        },
+        "reason": {
+          "type": "string"
+        },
+        "expires_at": {
+          "type": "string",
+          "format": "date-time"
+        }
+      }
+    },
+    "ts": {
+      "type": "string",
+      "format": "date-time"
+    },
+    "metadata": {
+      "type": "object",
+      "additionalProperties": false,
+      "required": [
+        "proof"
+      ],
+      "properties": {
+        "proof": {
+          "$ref": "../_shared/proof.schema.json"
+        },
+        "trace": {
+          "$ref": "../_shared/trace.schema.json"
+        }
+      }
+    }
+  }
+}
diff --git a/public/schemas/trust-verification/authenticate/authenticate.request.schema.json b/public/schemas/trust-verification/authenticate/authenticate.request.schema.json
new file mode 100644
index 0000000..1e95619
--- /dev/null
+++ b/public/schemas/trust-verification/authenticate/authenticate.request.schema.json
@@ -0,0 +1,38 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://schemas.commandlayer.org/schemas/v1.0.0/trust/authenticate/authenticate.request.schema.json",
+  "title": "CLAS Trust Authenticate Request",
+  "description": "A request to authenticate the identity of an actor, signer, service, key, agent, or caller.",
+  "type": "object",
+  "additionalProperties": false,
+  "required": ["version", "family", "verb", "subject"],
+  "properties": {
+    "version": { "const": "1.0.0" },
+    "family": { "const": "trust" },
+    "verb": { "const": "authenticate" },
+    "subject": {
+      "type": "object",
+      "description": "The identity-bearing subject being authenticated.",
+      "additionalProperties": true,
+      "required": ["type", "id"],
+      "properties": {
+        "type": { "type": "string", "minLength": 1 },
+        "id": { "type": "string", "minLength": 1 },
+        "uri": { "type": "string" },
+        "claimed_identity": { "type": "string" },
+        "content_hash": { "type": "string", "pattern": "^sha256:[a-fA-F0-9]{64}$" }
+      }
+    },
+    "method": {
+      "type": "string"
+    },
+    "credential": {
+      "type": "object",
+      "additionalProperties": true
+    },
+    "context": {
+      "type": "object",
+      "additionalProperties": true
+    }
+  }
+}
diff --git a/public/schemas/trust-verification/authenticate/examples/invalid.receipt.json b/public/schemas/trust-verification/authenticate/examples/invalid.receipt.json
new file mode 100644
index 0000000..05b6918
--- /dev/null
+++ b/public/schemas/trust-verification/authenticate/examples/invalid.receipt.json
@@ -0,0 +1,40 @@
+{
+  "version": "1.0.0",
+  "family": "trust-verification",
+  "verb": "authenticate",
+  "receipt_id": "rcpt-authenticate-20260510-0001",
+  "request": {
+    "version": "1.0.0",
+    "family": "trust-verification",
+    "verb": "authenticate",
+    "subject": {
+      "type": "agent_signer",
+      "id": "agent.build-bot-17",
+      "uri": "did:pkh:eip155:1:0xC0MM4ND1A7ER0000000000000000000000000017",
+      "claimed_identity": "runtime.commandlayer.eth",
+      "content_hash": "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+    },
+    "method": "did-sig-challenge",
+    "credential": {
+      "type": "challenge_response",
+      "challenge_id": "chal-auth-20260510-01",
+      "nonce": "n-9b38eab246",
+      "audience": "clas-control-plane"
+    },
+    "context": {
+      "environment": "prod-us-east-1",
+      "tenant_id": "tenant-acme-prod",
+      "request_id": "req-authn-20260510-0001",
+      "correlation_id": "corr-authn-20260510-z9"
+    }
+  },
+  "authentication": {
+    "status": "authenticated",
+    "subject_id": "agent.build-bot-17",
+    "method": "did-sig-challenge",
+    "confidence": 0.98,
+    "reason": "Challenge response verified against DID document.",
+    "expires_at": "2026-05-10T15:00:00Z"
+  },
+  "ts": "2026-05-10T12:05:00Z"
+}
diff --git a/public/schemas/trust-verification/authenticate/examples/tampered.receipt.json b/public/schemas/trust-verification/authenticate/examples/tampered.receipt.json
new file mode 100644
index 0000000..10b7cb2
--- /dev/null
+++ b/public/schemas/trust-verification/authenticate/examples/tampered.receipt.json
@@ -0,0 +1,54 @@
+{
+  "version": "1.0.0",
+  "family": "trust",
+  "verb": "authenticate",
+  "receipt_id": "rcpt-authenticate-20260510-0001",
+  "request": {
+    "version": "1.0.0",
+    "family": "trust",
+    "verb": "authenticate",
+    "subject": {
+      "type": "agent_signer",
+      "id": "agent.build-bot-17",
+      "uri": "did:pkh:eip155:1:0xC0MM4ND1A7ER0000000000000000000000000017",
+      "claimed_identity": "runtime.commandlayer.eth",
+      "content_hash": "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+    },
+    "method": "did-sig-challenge",
+    "credential": {
+      "type": "challenge_response",
+      "challenge_id": "chal-auth-20260510-01",
+      "nonce": "n-9b38eab246",
+      "audience": "clas-control-plane"
+    },
+    "context": {
+      "environment": "prod-us-east-1",
+      "tenant_id": "tenant-acme-prod",
+      "request_id": "req-authn-20260510-0001",
+      "correlation_id": "corr-authn-20260510-z9"
+    }
+  },
+  "authentication": {
+    "status": "unauthenticated",
+    "subject_id": "agent.build-bot-17",
+    "method": "did-sig-challenge",
+    "confidence": 0.0,
+    "reason": "TAMPERED: status changed from authenticated to unauthenticated after signing.",
+    "expires_at": "2026-05-10T15:00:00Z"
+  },
+  "ts": "2026-05-10T12:05:00Z",
+  "metadata": {
+    "proof": {
+      "canonicalization": "json.sorted_keys.v1",
+      "hash": {
+        "alg": "SHA-256",
+        "value": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+      },
+      "signature": {
+        "alg": "Ed25519",
+        "value": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd",
+        "kid": "cl-key-1"
+      }
+    }
+  }
+}
diff --git a/public/schemas/trust-verification/authenticate/examples/valid.receipt.json b/public/schemas/trust-verification/authenticate/examples/valid.receipt.json
new file mode 100644
index 0000000..16fb368
--- /dev/null
+++ b/public/schemas/trust-verification/authenticate/examples/valid.receipt.json
@@ -0,0 +1,54 @@
+{
+  "version": "1.0.0",
+  "family": "trust",
+  "verb": "authenticate",
+  "receipt_id": "rcpt-authenticate-20260510-0001",
+  "request": {
+    "version": "1.0.0",
+    "family": "trust",
+    "verb": "authenticate",
+    "subject": {
+      "type": "agent_signer",
+      "id": "agent.build-bot-17",
+      "uri": "did:pkh:eip155:1:0xC0MM4ND1A7ER0000000000000000000000000017",
+      "claimed_identity": "runtime.commandlayer.eth",
+      "content_hash": "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+    },
+    "method": "did-sig-challenge",
+    "credential": {
+      "type": "challenge_response",
+      "challenge_id": "chal-auth-20260510-01",
+      "nonce": "n-9b38eab246",
+      "audience": "clas-control-plane"
+    },
+    "context": {
+      "environment": "prod-us-east-1",
+      "tenant_id": "tenant-acme-prod",
+      "request_id": "req-authn-20260510-0001",
+      "correlation_id": "corr-authn-20260510-z9"
+    }
+  },
+  "authentication": {
+    "status": "authenticated",
+    "subject_id": "agent.build-bot-17",
+    "method": "did-sig-challenge",
+    "confidence": 0.98,
+    "reason": "Challenge response verified against DID document.",
+    "expires_at": "2026-05-10T15:00:00Z"
+  },
+  "ts": "2026-05-10T12:05:00Z",
+  "metadata": {
+    "proof": {
+      "canonicalization": "json.sorted_keys.v1",
+      "hash": {
+        "alg": "SHA-256",
+        "value": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+      },
+      "signature": {
+        "alg": "Ed25519",
+        "value": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd",
+        "kid": "cl-key-1"
+      }
+    }
+  }
+}
diff --git a/public/schemas/trust-verification/authenticate/examples/valid.request.json b/public/schemas/trust-verification/authenticate/examples/valid.request.json
new file mode 100644
index 0000000..c9adaf4
--- /dev/null
+++ b/public/schemas/trust-verification/authenticate/examples/valid.request.json
@@ -0,0 +1,25 @@
+{
+  "version": "1.0.0",
+  "family": "trust",
+  "verb": "authenticate",
+  "subject": {
+    "type": "agent_signer",
+    "id": "agent.build-bot-17",
+    "uri": "did:pkh:eip155:1:0xC0MM4ND1A7ER0000000000000000000000000017",
+    "claimed_identity": "runtime.commandlayer.eth",
+    "content_hash": "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+  },
+  "method": "did-sig-challenge",
+  "credential": {
+    "type": "challenge_response",
+    "challenge_id": "chal-auth-20260510-01",
+    "nonce": "n-9b38eab246",
+    "audience": "clas-control-plane"
+  },
+  "context": {
+    "environment": "prod-us-east-1",
+    "tenant_id": "tenant-acme-prod",
+    "request_id": "req-authn-20260510-0001",
+    "correlation_id": "corr-authn-20260510-z9"
+  }
+}
diff --git a/public/schemas/trust-verification/authorize/authorize.mcp.tool.schema.json b/public/schemas/trust-verification/authorize/authorize.mcp.tool.schema.json
new file mode 100644
index 0000000..2b2295f
--- /dev/null
+++ b/public/schemas/trust-verification/authorize/authorize.mcp.tool.schema.json
@@ -0,0 +1,18 @@
+{
+  "name": "clas_trust_authorize",
+  "title": "CLAS Trust Authorize",
+  "description": "Authorize a principal to perform an action on a resource. Successful execution returns a CLAS authorize receipt.",
+  "inputSchema": {
+    "$ref": "./authorize.request.schema.json"
+  },
+  "outputSchema": {
+    "$ref": "./authorize.receipt.schema.json",
+    "description": "CLAS authorize receipt returned when authorization execution succeeds."
+  },
+  "annotations": {
+    "readOnlyHint": true,
+    "destructiveHint": false,
+    "idempotentHint": true,
+    "openWorldHint": true
+  }
+}
diff --git a/public/schemas/trust-verification/authorize/authorize.openapi.yaml b/public/schemas/trust-verification/authorize/authorize.openapi.yaml
new file mode 100644
index 0000000..8ea516c
--- /dev/null
+++ b/public/schemas/trust-verification/authorize/authorize.openapi.yaml
@@ -0,0 +1,28 @@
+openapi: 3.1.0
+info:
+  title: CLAS Trust Verification Authorize API
+  version: 1.0.0
+paths:
+  /v1/trust-verification/authorize:
+    post:
+      operationId: authorizeTrustVerificationAction
+      description: Determine whether an actor may perform an action under a policy or scope.
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              $ref: ./authorize.request.schema.json
+      responses:
+        '200':
+          description: Authorization receipt.
+          content:
+            application/json:
+              schema:
+                $ref: ./authorize.receipt.schema.json
+        '400':
+          description: Invalid CLAS request.
+        '401':
+          description: Unauthorized signer or caller.
+        '422':
+          description: Semantic validation failure.
diff --git a/public/schemas/trust-verification/authorize/authorize.receipt.schema.json b/public/schemas/trust-verification/authorize/authorize.receipt.schema.json
new file mode 100644
index 0000000..25c47ff
--- /dev/null
+++ b/public/schemas/trust-verification/authorize/authorize.receipt.schema.json
@@ -0,0 +1,83 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://schemas.commandlayer.org/schemas/v1.0.0/trust/authorize/authorize.receipt.schema.json",
+  "title": "CLAS Trust Authorize Receipt",
+  "description": "A signed receipt proving that an authorization decision was made.",
+  "type": "object",
+  "additionalProperties": false,
+  "required": [
+    "version",
+    "family",
+    "verb",
+    "receipt_id",
+    "request",
+    "decision",
+    "ts",
+    "metadata"
+  ],
+  "properties": {
+    "version": {
+      "const": "1.0.0"
+    },
+    "family": {
+      "const": "trust"
+    },
+    "verb": {
+      "const": "authorize"
+    },
+    "receipt_id": {
+      "type": "string",
+      "minLength": 1
+    },
+    "request": {
+      "$ref": "./authorize.request.schema.json"
+    },
+    "decision": {
+      "type": "object",
+      "additionalProperties": false,
+      "required": [
+        "status"
+      ],
+      "properties": {
+        "status": {
+          "type": "string",
+          "enum": [
+            "authorized",
+            "denied",
+            "conditional",
+            "expired"
+          ]
+        },
+        "reason": {
+          "type": "string"
+        },
+        "expires_at": {
+          "type": "string",
+          "format": "date-time"
+        },
+        "policy_id": {
+          "type": "string"
+        }
+      }
+    },
+    "ts": {
+      "type": "string",
+      "format": "date-time"
+    },
+    "metadata": {
+      "type": "object",
+      "additionalProperties": false,
+      "required": [
+        "proof"
+      ],
+      "properties": {
+        "proof": {
+          "$ref": "../_shared/proof.schema.json"
+        },
+        "trace": {
+          "$ref": "../_shared/trace.schema.json"
+        }
+      }
+    }
+  }
+}
diff --git a/public/schemas/trust-verification/authorize/authorize.request.schema.json b/public/schemas/trust-verification/authorize/authorize.request.schema.json
new file mode 100644
index 0000000..4fb65f1
--- /dev/null
+++ b/public/schemas/trust-verification/authorize/authorize.request.schema.json
@@ -0,0 +1,28 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://schemas.commandlayer.org/schemas/v1.0.0/trust/authorize/authorize.request.schema.json",
+  "title": "CLAS Trust Authorize Request",
+  "description": "A request to authorize a principal to perform an action on a resource.",
+  "type": "object",
+  "additionalProperties": false,
+  "required": ["version", "family", "verb", "principal", "action", "resource"],
+  "properties": {
+    "version": { "const": "1.0.0" },
+    "family": { "const": "trust" },
+    "verb": { "const": "authorize" },
+    "principal": { "type": "string", "minLength": 1 },
+    "action": { "type": "string", "minLength": 1 },
+    "resource": {
+      "type": "object",
+      "additionalProperties": true,
+      "required": ["type", "id"],
+      "properties": {
+        "type": { "type": "string", "minLength": 1 },
+        "id": { "type": "string", "minLength": 1 },
+        "uri": { "type": "string" }
+      }
+    },
+    "constraints": { "type": "object", "additionalProperties": true },
+    "context": { "type": "object", "additionalProperties": true }
+  }
+}
diff --git a/public/schemas/trust-verification/authorize/examples/invalid.receipt.json b/public/schemas/trust-verification/authorize/examples/invalid.receipt.json
new file mode 100644
index 0000000..676b1ea
--- /dev/null
+++ b/public/schemas/trust-verification/authorize/examples/invalid.receipt.json
@@ -0,0 +1,50 @@
+{
+  "version": "1.0.0",
+  "family": "trust",
+  "verb": "authorize",
+  "receipt_id": "rcpt-authorize-20260510-0001",
+  "request": {
+    "version": "1.0.0",
+    "family": "trust",
+    "verb": "authorize",
+    "principal": "agent:runtime/build-bot-17",
+    "action": "deploy",
+    "resource": {
+      "type": "k8s_deployment",
+      "id": "orders-api",
+      "uri": "urn:k8s:prod-us-east-1:namespace/payments:deployment/orders-api"
+    },
+    "constraints": {
+      "scope": "cluster:prod-us-east-1/namespace:payments",
+      "max_duration_seconds": 1800
+    },
+    "context": {
+      "environment": "prod-us-east-1",
+      "policy_id": "policy.deploy.payments.v3",
+      "tenant_id": "tenant-acme-prod",
+      "request_id": "req-authz-20260510-0001",
+      "correlation_id": "corr-release-20260510-r42"
+    }
+  },
+  "decision": {
+    "status": "authorized",
+    "reason": "Principal has deploy scope for payments namespace.",
+    "expires_at": "2026-05-10T14:30:00Z",
+    "policy_id": "policy.deploy.payments.v3"
+  },
+  "ts": "not-a-timestamp",
+  "metadata": {
+    "proof": {
+      "canonicalization": "json.sorted_keys.v1",
+      "hash": {
+        "alg": "SHA-256",
+        "value": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+      },
+      "signature": {
+        "alg": "Ed25519",
+        "value": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd",
+        "kid": "cl-key-1"
+      }
+    }
+  }
+}
diff --git a/public/schemas/trust-verification/authorize/examples/tampered.receipt.json b/public/schemas/trust-verification/authorize/examples/tampered.receipt.json
new file mode 100644
index 0000000..104e140
--- /dev/null
+++ b/public/schemas/trust-verification/authorize/examples/tampered.receipt.json
@@ -0,0 +1,49 @@
+{
+  "version": "1.0.0",
+  "family": "trust",
+  "verb": "authorize",
+  "receipt_id": "rcpt-authorize-20260510-0001",
+  "request": {
+    "version": "1.0.0",
+    "family": "trust",
+    "verb": "authorize",
+    "principal": "agent:runtime/build-bot-17",
+    "action": "deploy",
+    "resource": {
+      "type": "k8s_deployment",
+      "id": "orders-api",
+      "uri": "urn:k8s:prod-us-east-1:namespace/payments:deployment/orders-api"
+    },
+    "constraints": {
+      "scope": "cluster:prod-us-east-1"
+    },
+    "context": {
+      "environment": "prod-us-east-1",
+      "policy_id": "policy.deploy.payments.v3",
+      "tenant_id": "tenant-acme-prod",
+      "request_id": "req-authz-20260510-0001",
+      "correlation_id": "corr-release-20260510-r42"
+    }
+  },
+  "decision": {
+    "status": "authorized",
+    "reason": "Principal has deploy scope for payments namespace.",
+    "expires_at": "2026-05-10T14:30:00Z",
+    "policy_id": "policy.deploy.payments.v3"
+  },
+  "ts": "2026-05-10T12:05:00Z",
+  "metadata": {
+    "proof": {
+      "canonicalization": "json.sorted_keys.v1",
+      "hash": {
+        "alg": "SHA-256",
+        "value": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+      },
+      "signature": {
+        "alg": "Ed25519",
+        "value": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd",
+        "kid": "cl-key-1"
+      }
+    }
+  }
+}
diff --git a/public/schemas/trust-verification/authorize/examples/valid.receipt.json b/public/schemas/trust-verification/authorize/examples/valid.receipt.json
new file mode 100644
index 0000000..09f047e
--- /dev/null
+++ b/public/schemas/trust-verification/authorize/examples/valid.receipt.json
@@ -0,0 +1,50 @@
+{
+  "version": "1.0.0",
+  "family": "trust",
+  "verb": "authorize",
+  "receipt_id": "rcpt-authorize-20260510-0001",
+  "request": {
+    "version": "1.0.0",
+    "family": "trust",
+    "verb": "authorize",
+    "principal": "agent:runtime/build-bot-17",
+    "action": "deploy",
+    "resource": {
+      "type": "k8s_deployment",
+      "id": "orders-api",
+      "uri": "urn:k8s:prod-us-east-1:namespace/payments:deployment/orders-api"
+    },
+    "constraints": {
+      "scope": "cluster:prod-us-east-1/namespace:payments",
+      "max_duration_seconds": 1800
+    },
+    "context": {
+      "environment": "prod-us-east-1",
+      "policy_id": "policy.deploy.payments.v3",
+      "tenant_id": "tenant-acme-prod",
+      "request_id": "req-authz-20260510-0001",
+      "correlation_id": "corr-release-20260510-r42"
+    }
+  },
+  "decision": {
+    "status": "authorized",
+    "reason": "Principal has deploy scope for payments namespace.",
+    "expires_at": "2026-05-10T14:30:00Z",
+    "policy_id": "policy.deploy.payments.v3"
+  },
+  "ts": "2026-05-10T12:05:00Z",
+  "metadata": {
+    "proof": {
+      "canonicalization": "json.sorted_keys.v1",
+      "hash": {
+        "alg": "SHA-256",
+        "value": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+      },
+      "signature": {
+        "alg": "Ed25519",
+        "value": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd",
+        "kid": "cl-key-1"
+      }
+    }
+  }
+}
diff --git a/public/schemas/trust-verification/authorize/examples/valid.request.json b/public/schemas/trust-verification/authorize/examples/valid.request.json
new file mode 100644
index 0000000..93de68a
--- /dev/null
+++ b/public/schemas/trust-verification/authorize/examples/valid.request.json
@@ -0,0 +1,23 @@
+{
+  "version": "1.0.0",
+  "family": "trust",
+  "verb": "authorize",
+  "principal": "agent:runtime/build-bot-17",
+  "action": "deploy",
+  "resource": {
+    "type": "k8s_deployment",
+    "id": "orders-api",
+    "uri": "urn:k8s:prod-us-east-1:namespace/payments:deployment/orders-api"
+  },
+  "constraints": {
+    "scope": "cluster:prod-us-east-1/namespace:payments",
+    "max_duration_seconds": 1800
+  },
+  "context": {
+    "environment": "prod-us-east-1",
+    "policy_id": "policy.deploy.payments.v3",
+    "tenant_id": "tenant-acme-prod",
+    "request_id": "req-authz-20260510-0001",
+    "correlation_id": "corr-release-20260510-r42"
+  }
+}
diff --git a/public/schemas/trust-verification/capabilities.json b/public/schemas/trust-verification/capabilities.json
new file mode 100644
index 0000000..c2ae21a
--- /dev/null
+++ b/public/schemas/trust-verification/capabilities.json
@@ -0,0 +1,224 @@
+{
+  "family": "trust-verification",
+  "version": "1.0.0",
+  "capabilities": [
+    {
+      "canonical_name": "clas.trust-verification.verify",
+      "family": "trust-verification",
+      "version": "1.0.0",
+      "verb": "verify",
+      "status": "stable",
+      "title": "Verify Trust Evidence",
+      "description": "Evaluates trust evidence and returns a machine-verifiable verification result. ENS namespace is optional discovery metadata and is not required.",
+      "request_schema_path": "schemas/trust-verification/verify/verify.request.schema.json",
+      "receipt_schema_path": "schemas/trust-verification/verify/verify.receipt.schema.json",
+      "examples_path": "schemas/trust-verification/verify/examples",
+      "openapi_path": "schemas/trust-verification/verify/verify.openapi.yaml",
+      "mcp_tool_schema_path": "schemas/trust-verification/verify/verify.mcp.tool.schema.json",
+      "verifier_expectations": [
+        "schema_valid",
+        "hash_matched",
+        "signature_valid",
+        "signer_resolved",
+        "signer_matched",
+        "trust_verb_identified",
+        "trust_verb"
+      ],
+      "sdk_usage": "cl.wrap(\"verify\", handler)",
+      "discovery_hints": {
+        "ens_namespace": "verifyagent.eth",
+        "mcp_tool_name": "clas_trust_verify",
+        "api_endpoint": "/v1/trust-verification/verify"
+      }
+    },
+    {
+      "canonical_name": "clas.trust-verification.authenticate",
+      "family": "trust-verification",
+      "version": "1.0.0",
+      "verb": "authenticate",
+      "status": "stable",
+      "title": "Authenticate Actor Identity",
+      "description": "Confirms the identity of an actor, signer, agent, or service for trust workflows. ENS namespace is optional discovery metadata and is not required.",
+      "request_schema_path": "schemas/trust-verification/authenticate/authenticate.request.schema.json",
+      "receipt_schema_path": "schemas/trust-verification/authenticate/authenticate.receipt.schema.json",
+      "examples_path": "schemas/trust-verification/authenticate/examples",
+      "openapi_path": "schemas/trust-verification/authenticate/authenticate.openapi.yaml",
+      "mcp_tool_schema_path": "schemas/trust-verification/authenticate/authenticate.mcp.tool.schema.json",
+      "verifier_expectations": ["schema_valid", "hash_matched", "signature_valid", "signer_resolved", "signer_matched", "trust_verb_identified", "trust_verb"],
+      "sdk_usage": "cl.wrap(\"authenticate\", handler)",
+      "discovery_hints": {
+        "ens_namespace": "authenticateagent.eth",
+        "mcp_tool_name": "clas_trust_authenticate",
+        "api_endpoint": "/v1/trust-verification/authenticate"
+      }
+    },
+    {
+      "canonical_name": "clas.trust-verification.authorize",
+      "family": "trust-verification",
+      "version": "1.0.0",
+      "verb": "authorize",
+      "status": "stable",
+      "title": "Authorize Requested Action",
+      "description": "Determines whether an authenticated actor is allowed to perform an action under policy and scope. ENS namespace is optional discovery metadata and is not required.",
+      "request_schema_path": "schemas/trust-verification/authorize/authorize.request.schema.json",
+      "receipt_schema_path": "schemas/trust-verification/authorize/authorize.receipt.schema.json",
+      "examples_path": "schemas/trust-verification/authorize/examples",
+      "openapi_path": "schemas/trust-verification/authorize/authorize.openapi.yaml",
+      "mcp_tool_schema_path": "schemas/trust-verification/authorize/authorize.mcp.tool.schema.json",
+      "verifier_expectations": ["schema_valid", "hash_matched", "signature_valid", "signer_resolved", "signer_matched", "trust_verb_identified", "trust_verb"],
+      "sdk_usage": "cl.wrap(\"authorize\", handler)",
+      "discovery_hints": {
+        "ens_namespace": "authorizeagent.eth",
+        "mcp_tool_name": "clas_trust_authorize",
+        "api_endpoint": "/v1/trust-verification/authorize"
+      }
+    },
+    {
+      "canonical_name": "clas.trust-verification.attest",
+      "family": "trust-verification",
+      "version": "1.0.0",
+      "verb": "attest",
+      "status": "stable",
+      "title": "Attest Trust Claim",
+      "description": "Creates a signed trust claim about a subject for downstream verification. ENS namespace is optional discovery metadata and is not required.",
+      "request_schema_path": "schemas/trust-verification/attest/attest.request.schema.json",
+      "receipt_schema_path": "schemas/trust-verification/attest/attest.receipt.schema.json",
+      "examples_path": "schemas/trust-verification/attest/examples",
+      "openapi_path": "schemas/trust-verification/attest/attest.openapi.yaml",
+      "mcp_tool_schema_path": "schemas/trust-verification/attest/attest.mcp.tool.schema.json",
+      "verifier_expectations": ["schema_valid", "hash_matched", "signature_valid", "signer_resolved", "signer_matched", "trust_verb_identified", "trust_verb"],
+      "sdk_usage": "cl.wrap(\"attest\", handler)",
+      "discovery_hints": {
+        "ens_namespace": "attestagent.eth",
+        "mcp_tool_name": "clas_trust_attest",
+        "api_endpoint": "/v1/trust-verification/attest"
+      }
+    },
+    {
+      "canonical_name": "clas.trust-verification.sign",
+      "family": "trust-verification",
+      "version": "1.0.0",
+      "verb": "sign",
+      "status": "stable",
+      "title": "Sign Trust Payload",
+      "description": "Applies cryptographic signature intent to trust payloads and records proof metadata. ENS namespace is optional discovery metadata and is not required.",
+      "request_schema_path": "schemas/trust-verification/sign/sign.request.schema.json",
+      "receipt_schema_path": "schemas/trust-verification/sign/sign.receipt.schema.json",
+      "examples_path": "schemas/trust-verification/sign/examples",
+      "openapi_path": "schemas/trust-verification/sign/sign.openapi.yaml",
+      "mcp_tool_schema_path": "schemas/trust-verification/sign/sign.mcp.tool.schema.json",
+      "verifier_expectations": ["schema_valid", "hash_matched", "signature_valid", "signer_resolved", "signer_matched", "trust_verb_identified", "trust_verb"],
+      "sdk_usage": "cl.wrap(\"sign\", handler)",
+      "discovery_hints": {
+        "ens_namespace": "signagent.eth",
+        "mcp_tool_name": "clas_trust_sign",
+        "api_endpoint": "/v1/trust-verification/sign"
+      }
+    },
+    {
+      "canonical_name": "clas.trust-verification.permit",
+      "family": "trust-verification",
+      "version": "1.0.0",
+      "verb": "permit",
+      "status": "stable",
+      "title": "Permit Access Artifact",
+      "description": "Represents and validates a portable permission artifact for trust-based access flows. ENS namespace is optional discovery metadata and is not required.",
+      "request_schema_path": "schemas/trust-verification/permit/permit.request.schema.json",
+      "receipt_schema_path": "schemas/trust-verification/permit/permit.receipt.schema.json",
+      "examples_path": "schemas/trust-verification/permit/examples",
+      "openapi_path": "schemas/trust-verification/permit/permit.openapi.yaml",
+      "mcp_tool_schema_path": "schemas/trust-verification/permit/permit.mcp.tool.schema.json",
+      "verifier_expectations": ["schema_valid", "hash_matched", "signature_valid", "signer_resolved", "signer_matched", "trust_verb_identified", "trust_verb"],
+      "sdk_usage": "cl.wrap(\"permit\", handler)",
+      "discovery_hints": {
+        "ens_namespace": "permitagent.eth",
+        "mcp_tool_name": "clas_trust_permit",
+        "api_endpoint": "/v1/trust-verification/permit"
+      }
+    },
+    {
+      "canonical_name": "clas.trust-verification.grant",
+      "family": "trust-verification",
+      "version": "1.0.0",
+      "verb": "grant",
+      "status": "stable",
+      "title": "Grant Rights",
+      "description": "Issues rights or permissions to an actor within a trust-verification context. ENS namespace is optional discovery metadata and is not required.",
+      "request_schema_path": "schemas/trust-verification/grant/grant.request.schema.json",
+      "receipt_schema_path": "schemas/trust-verification/grant/grant.receipt.schema.json",
+      "examples_path": "schemas/trust-verification/grant/examples",
+      "openapi_path": "schemas/trust-verification/grant/grant.openapi.yaml",
+      "mcp_tool_schema_path": "schemas/trust-verification/grant/grant.mcp.tool.schema.json",
+      "verifier_expectations": ["schema_valid", "hash_matched", "signature_valid", "signer_resolved", "signer_matched", "trust_verb_identified", "trust_verb"],
+      "sdk_usage": "cl.wrap(\"grant\", handler)",
+      "discovery_hints": {
+        "ens_namespace": "grantagent.eth",
+        "mcp_tool_name": "clas_trust_grant",
+        "api_endpoint": "/v1/trust-verification/grant"
+      }
+    },
+    {
+      "canonical_name": "clas.trust-verification.approve",
+      "family": "trust-verification",
+      "version": "1.0.0",
+      "verb": "approve",
+      "status": "stable",
+      "title": "Approve Trust Decision",
+      "description": "Records a positive trust decision on a request, transaction, or workflow step. ENS namespace is optional discovery metadata and is not required.",
+      "request_schema_path": "schemas/trust-verification/approve/approve.request.schema.json",
+      "receipt_schema_path": "schemas/trust-verification/approve/approve.receipt.schema.json",
+      "examples_path": "schemas/trust-verification/approve/examples",
+      "openapi_path": "schemas/trust-verification/approve/approve.openapi.yaml",
+      "mcp_tool_schema_path": "schemas/trust-verification/approve/approve.mcp.tool.schema.json",
+      "verifier_expectations": ["schema_valid", "hash_matched", "signature_valid", "signer_resolved", "signer_matched", "trust_verb_identified", "trust_verb"],
+      "sdk_usage": "cl.wrap(\"approve\", handler)",
+      "discovery_hints": {
+        "ens_namespace": "approveagent.eth",
+        "mcp_tool_name": "clas_trust_approve",
+        "api_endpoint": "/v1/trust-verification/approve"
+      }
+    },
+    {
+      "canonical_name": "clas.trust-verification.reject",
+      "family": "trust-verification",
+      "version": "1.0.0",
+      "verb": "reject",
+      "status": "stable",
+      "title": "Reject Trust Decision",
+      "description": "Records a negative trust decision on a request, transaction, or workflow step. ENS namespace is optional discovery metadata and is not required.",
+      "request_schema_path": "schemas/trust-verification/reject/reject.request.schema.json",
+      "receipt_schema_path": "schemas/trust-verification/reject/reject.receipt.schema.json",
+      "examples_path": "schemas/trust-verification/reject/examples",
+      "openapi_path": "schemas/trust-verification/reject/reject.openapi.yaml",
+      "mcp_tool_schema_path": "schemas/trust-verification/reject/reject.mcp.tool.schema.json",
+      "verifier_expectations": ["schema_valid", "hash_matched", "signature_valid", "signer_resolved", "signer_matched", "trust_verb_identified", "trust_verb"],
+      "sdk_usage": "cl.wrap(\"reject\", handler)",
+      "discovery_hints": {
+        "ens_namespace": "rejectagent.eth",
+        "mcp_tool_name": "clas_trust_reject",
+        "api_endpoint": "/v1/trust-verification/reject"
+      }
+    },
+    {
+      "canonical_name": "clas.trust-verification.endorse",
+      "family": "trust-verification",
+      "version": "1.0.0",
+      "verb": "endorse",
+      "status": "stable",
+      "title": "Endorse Trust Subject",
+      "description": "Adds support or trust weight to a subject, claim, signer, or capability. ENS namespace is optional discovery metadata and is not required.",
+      "request_schema_path": "schemas/trust-verification/endorse/endorse.request.schema.json",
+      "receipt_schema_path": "schemas/trust-verification/endorse/endorse.receipt.schema.json",
+      "examples_path": "schemas/trust-verification/endorse/examples",
+      "openapi_path": "schemas/trust-verification/endorse/endorse.openapi.yaml",
+      "mcp_tool_schema_path": "schemas/trust-verification/endorse/endorse.mcp.tool.schema.json",
+      "verifier_expectations": ["schema_valid", "hash_matched", "signature_valid", "signer_resolved", "signer_matched", "trust_verb_identified", "trust_verb"],
+      "sdk_usage": "cl.wrap(\"endorse\", handler)",
+      "discovery_hints": {
+        "ens_namespace": "endorseagent.eth",
+        "mcp_tool_name": "clas_trust_endorse",
+        "api_endpoint": "/v1/trust-verification/endorse"
+      }
+    }
+  ]
+}
diff --git a/public/schemas/trust-verification/discovery/README.md b/public/schemas/trust-verification/discovery/README.md
new file mode 100644
index 0000000..cc71450
--- /dev/null
+++ b/public/schemas/trust-verification/discovery/README.md
@@ -0,0 +1,30 @@
+# Trust Verification Discovery Records (Examples)
+
+These discovery records are **optional metadata examples** for CLAS trust-verification agents.
+
+## Purpose
+
+The example records in this folder connect:
+
+- canonical capability names
+- request and receipt schemas
+- OpenAPI descriptions
+- MCP tool schemas
+- verifier expectations
+- ENS namespace hints
+- agent-card style discovery metadata
+
+## Important Notes
+
+- CLAS remains **network-agnostic**; discovery records are not required for CLAS capability execution.
+- ENS is optional and can make discovery records easier to resolve in compatible ecosystems.
+- ERC-8004 is optional and can assist registry alignment where supported.
+- Canonical capability names come from the trust-verification capability catalog at `../capabilities.json`.
+
+## Included Example Records
+
+- `verifyagent.discovery.json`
+- `authorizeagent.discovery.json`
+- `attestagent.discovery.json`
+
+All records in this directory are marked with `"status": "example"` and are documentation artifacts only. They are not assertions of live ENS or registry publication.
diff --git a/public/schemas/trust-verification/discovery/attestagent.discovery.json b/public/schemas/trust-verification/discovery/attestagent.discovery.json
new file mode 100644
index 0000000..af49300
--- /dev/null
+++ b/public/schemas/trust-verification/discovery/attestagent.discovery.json
@@ -0,0 +1,47 @@
+{
+  "type": "commandlayer.discovery_record",
+  "version": "1.0.0",
+  "agent_name": "attestagent.eth",
+  "status": "example",
+  "family": "trust-verification",
+  "capabilities": [
+    "clas.trust-verification.attest"
+  ],
+  "capability_catalog_path": "../capabilities.json",
+  "schemas": {
+    "request_schema_path": "../attest/attest.request.schema.json",
+    "receipt_schema_path": "../attest/attest.receipt.schema.json"
+  },
+  "openapi_path": "../attest/attest.openapi.yaml",
+  "mcp_tool_schema_path": "../attest/attest.mcp.tool.schema.json",
+  "verifier": {
+    "endpoint": "https://www.commandlayer.org/api/verify",
+    "expected_checks": [
+      "schema_valid",
+      "hash_matched",
+      "signature_valid",
+      "signer_resolved",
+      "signer_matched",
+      "trust_verb_identified",
+      "trust_verb"
+    ]
+  },
+  "proof_url_pattern": "https://www.commandlayer.org/verify/r/{receipt_id}",
+  "ens": {
+    "required": false,
+    "namespace": "attestagent.eth",
+    "txt_record_examples": [
+      "cl.capabilities",
+      "cl.verifier",
+      "cl.proof_url",
+      "cl.schema",
+      "cl.openapi",
+      "cl.mcp"
+    ]
+  },
+  "erc8004": {
+    "required": false,
+    "note": "Can be used as optional registry alignment where supported."
+  },
+  "notes": "Example discovery record only. CLAS does not require ENS or ERC-8004."
+}
diff --git a/public/schemas/trust-verification/discovery/authorizeagent.discovery.json b/public/schemas/trust-verification/discovery/authorizeagent.discovery.json
new file mode 100644
index 0000000..103be0f
--- /dev/null
+++ b/public/schemas/trust-verification/discovery/authorizeagent.discovery.json
@@ -0,0 +1,47 @@
+{
+  "type": "commandlayer.discovery_record",
+  "version": "1.0.0",
+  "agent_name": "authorizeagent.eth",
+  "status": "example",
+  "family": "trust-verification",
+  "capabilities": [
+    "clas.trust-verification.authorize"
+  ],
+  "capability_catalog_path": "../capabilities.json",
+  "schemas": {
+    "request_schema_path": "../authorize/authorize.request.schema.json",
+    "receipt_schema_path": "../authorize/authorize.receipt.schema.json"
+  },
+  "openapi_path": "../authorize/authorize.openapi.yaml",
+  "mcp_tool_schema_path": "../authorize/authorize.mcp.tool.schema.json",
+  "verifier": {
+    "endpoint": "https://www.commandlayer.org/api/verify",
+    "expected_checks": [
+      "schema_valid",
+      "hash_matched",
+      "signature_valid",
+      "signer_resolved",
+      "signer_matched",
+      "trust_verb_identified",
+      "trust_verb"
+    ]
+  },
+  "proof_url_pattern": "https://www.commandlayer.org/verify/r/{receipt_id}",
+  "ens": {
+    "required": false,
+    "namespace": "authorizeagent.eth",
+    "txt_record_examples": [
+      "cl.capabilities",
+      "cl.verifier",
+      "cl.proof_url",
+      "cl.schema",
+      "cl.openapi",
+      "cl.mcp"
+    ]
+  },
+  "erc8004": {
+    "required": false,
+    "note": "Can be used as optional registry alignment where supported."
+  },
+  "notes": "Example discovery record only. CLAS does not require ENS or ERC-8004."
+}
diff --git a/public/schemas/trust-verification/discovery/verifyagent.discovery.json b/public/schemas/trust-verification/discovery/verifyagent.discovery.json
new file mode 100644
index 0000000..2463123
--- /dev/null
+++ b/public/schemas/trust-verification/discovery/verifyagent.discovery.json
@@ -0,0 +1,47 @@
+{
+  "type": "commandlayer.discovery_record",
+  "version": "1.0.0",
+  "agent_name": "verifyagent.eth",
+  "status": "example",
+  "family": "trust-verification",
+  "capabilities": [
+    "clas.trust-verification.verify"
+  ],
+  "capability_catalog_path": "../capabilities.json",
+  "schemas": {
+    "request_schema_path": "../verify/verify.request.schema.json",
+    "receipt_schema_path": "../verify/verify.receipt.schema.json"
+  },
+  "openapi_path": "../verify/verify.openapi.yaml",
+  "mcp_tool_schema_path": "../verify/verify.mcp.tool.schema.json",
+  "verifier": {
+    "endpoint": "https://www.commandlayer.org/api/verify",
+    "expected_checks": [
+      "schema_valid",
+      "hash_matched",
+      "signature_valid",
+      "signer_resolved",
+      "signer_matched",
+      "trust_verb_identified",
+      "trust_verb"
+    ]
+  },
+  "proof_url_pattern": "https://www.commandlayer.org/verify/r/{receipt_id}",
+  "ens": {
+    "required": false,
+    "namespace": "verifyagent.eth",
+    "txt_record_examples": [
+      "cl.capabilities",
+      "cl.verifier",
+      "cl.proof_url",
+      "cl.schema",
+      "cl.openapi",
+      "cl.mcp"
+    ]
+  },
+  "erc8004": {
+    "required": false,
+    "note": "Can be used as optional registry alignment where supported."
+  },
+  "notes": "Example discovery record only. CLAS does not require ENS or ERC-8004."
+}
diff --git a/public/schemas/trust-verification/endorse/endorse.mcp.tool.schema.json b/public/schemas/trust-verification/endorse/endorse.mcp.tool.schema.json
new file mode 100644
index 0000000..780c457
--- /dev/null
+++ b/public/schemas/trust-verification/endorse/endorse.mcp.tool.schema.json
@@ -0,0 +1,18 @@
+{
+  "name": "clas_trust_endorse",
+  "title": "CLAS Trust Endorse",
+  "description": "Add reputation, support, or trust weight to an actor, signer, claim, schema, service, or capability. Successful execution returns a CLAS endorse receipt.",
+  "inputSchema": {
+    "$ref": "./endorse.request.schema.json"
+  },
+  "outputSchema": {
+    "$ref": "./endorse.receipt.schema.json",
+    "description": "CLAS endorse receipt returned when endorse execution succeeds."
+  },
+  "annotations": {
+    "readOnlyHint": false,
+    "destructiveHint": false,
+    "idempotentHint": false,
+    "openWorldHint": true
+  }
+}
diff --git a/public/schemas/trust-verification/endorse/endorse.openapi.yaml b/public/schemas/trust-verification/endorse/endorse.openapi.yaml
new file mode 100644
index 0000000..542f738
--- /dev/null
+++ b/public/schemas/trust-verification/endorse/endorse.openapi.yaml
@@ -0,0 +1,28 @@
+openapi: 3.1.0
+info:
+  title: CLAS Trust Verification Endorse API
+  version: 1.0.0
+paths:
+  /v1/trust-verification/endorse:
+    post:
+      operationId: endorseTrustVerificationAction
+      description: Add reputation, support, or trust weight to an actor, signer, claim, schema, service, or capability.
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              $ref: ./endorse.request.schema.json
+      responses:
+        '200':
+          description: Endorse receipt.
+          content:
+            application/json:
+              schema:
+                $ref: ./endorse.receipt.schema.json
+        '400':
+          description: Invalid CLAS request.
+        '401':
+          description: Unauthorized signer or caller.
+        '422':
+          description: Semantic validation failure.
diff --git a/public/schemas/trust-verification/endorse/endorse.receipt.schema.json b/public/schemas/trust-verification/endorse/endorse.receipt.schema.json
new file mode 100644
index 0000000..5bcc2d8
--- /dev/null
+++ b/public/schemas/trust-verification/endorse/endorse.receipt.schema.json
@@ -0,0 +1,82 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://schemas.commandlayer.org/schemas/v1.0.0/trust/endorse/endorse.receipt.schema.json",
+  "title": "CLAS Trust Endorse Receipt",
+  "description": "A signed receipt proving that an endorsement was issued.",
+  "type": "object",
+  "additionalProperties": false,
+  "required": [
+    "version",
+    "family",
+    "verb",
+    "receipt_id",
+    "request",
+    "endorsement_result",
+    "ts",
+    "metadata"
+  ],
+  "properties": {
+    "version": {
+      "const": "1.0.0"
+    },
+    "family": {
+      "const": "trust"
+    },
+    "verb": {
+      "const": "endorse"
+    },
+    "receipt_id": {
+      "type": "string",
+      "minLength": 1
+    },
+    "request": {
+      "$ref": "./endorse.request.schema.json"
+    },
+    "endorsement_result": {
+      "type": "object",
+      "additionalProperties": false,
+      "required": [
+        "status"
+      ],
+      "properties": {
+        "status": {
+          "type": "string",
+          "enum": [
+            "endorsed",
+            "refused",
+            "revoked"
+          ]
+        },
+        "endorsement_id": {
+          "type": "string"
+        },
+        "reason": {
+          "type": "string"
+        },
+        "expires_at": {
+          "type": "string",
+          "format": "date-time"
+        }
+      }
+    },
+    "ts": {
+      "type": "string",
+      "format": "date-time"
+    },
+    "metadata": {
+      "type": "object",
+      "additionalProperties": false,
+      "required": [
+        "proof"
+      ],
+      "properties": {
+        "proof": {
+          "$ref": "../_shared/proof.schema.json"
+        },
+        "trace": {
+          "$ref": "../_shared/trace.schema.json"
+        }
+      }
+    }
+  }
+}
diff --git a/public/schemas/trust-verification/endorse/endorse.request.schema.json b/public/schemas/trust-verification/endorse/endorse.request.schema.json
new file mode 100644
index 0000000..334dcdf
--- /dev/null
+++ b/public/schemas/trust-verification/endorse/endorse.request.schema.json
@@ -0,0 +1,35 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://schemas.commandlayer.org/schemas/v1.0.0/trust/endorse/endorse.request.schema.json",
+  "title": "CLAS Trust Endorse Request",
+  "description": "A request to endorse a subject, claim, agent, action, artifact, or credential.",
+  "type": "object",
+  "additionalProperties": false,
+  "required": ["version", "family", "verb", "endorser", "subject", "endorsement"],
+  "properties": {
+    "version": { "const": "1.0.0" },
+    "family": { "const": "trust" },
+    "verb": { "const": "endorse" },
+    "endorser": { "type": "string", "minLength": 1 },
+    "subject": {
+      "type": "object",
+      "additionalProperties": true,
+      "required": ["type", "id"],
+      "properties": {
+        "type": { "type": "string", "minLength": 1 },
+        "id": { "type": "string", "minLength": 1 }
+      }
+    },
+    "endorsement": {
+      "type": "object",
+      "additionalProperties": false,
+      "required": ["statement"],
+      "properties": {
+        "statement": { "type": "string", "minLength": 1 },
+        "scope": { "type": "string" },
+        "confidence": { "type": "number", "minimum": 0, "maximum": 1 }
+      }
+    },
+    "context": { "type": "object", "additionalProperties": true }
+  }
+}
diff --git a/public/schemas/trust-verification/endorse/examples/invalid.receipt.json b/public/schemas/trust-verification/endorse/examples/invalid.receipt.json
new file mode 100644
index 0000000..7110f20
--- /dev/null
+++ b/public/schemas/trust-verification/endorse/examples/invalid.receipt.json
@@ -0,0 +1,50 @@
+{
+  "version": "1.0.0",
+  "family": "trust",
+  "verb": "endorse",
+  "receipt_id": "rcpt-endorse-20260510-0001",
+  "request": {
+    "version": "1.0.0",
+    "family": "trust",
+    "verb": "endorse",
+    "endorser": "runtime.commandlayer.eth",
+    "subject": {
+      "type": "service_identity",
+      "id": "svc://payments/settlement-orchestrator",
+      "uri": "spiffe://acme.prod/payments/settlement-orchestrator",
+      "content_hash": "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+    },
+    "endorsement": {
+      "statement": "Service identity is approved to sign settlement batch receipts.",
+      "scope": "capability:settlement-receipt-signing",
+      "confidence": 0.94
+    },
+    "context": {
+      "environment": "prod-us-east-1",
+      "tenant_id": "tenant-acme-prod",
+      "request_id": "req-endorse-20260510-0001",
+      "correlation_id": "corr-settlement-20260510-e3"
+    }
+  },
+  "endorsement_result": {
+    "status": "endorsed",
+    "endorsement_id": "endorse-settlement-signer-20260510-01",
+    "reason": "Identity met provenance, uptime, and key-rotation requirements.",
+    "expires_at": "2026-11-10T00:00:00Z"
+  },
+  "ts": "2026-05-10T12:05:00Z",
+  "metadata": {
+    "proof": {
+      "canonicalization": "json.sorted_keys.v1",
+      "hash": {
+        "alg": "SHA-256",
+        "value": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+      },
+      "signature": {
+        "alg": "ed25519",
+        "value": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd",
+        "kid": "cl-key-1"
+      }
+    }
+  }
+}
diff --git a/public/schemas/trust-verification/endorse/examples/tampered.receipt.json b/public/schemas/trust-verification/endorse/examples/tampered.receipt.json
new file mode 100644
index 0000000..22dbd8e
--- /dev/null
+++ b/public/schemas/trust-verification/endorse/examples/tampered.receipt.json
@@ -0,0 +1,50 @@
+{
+  "version": "1.0.0",
+  "family": "trust",
+  "verb": "endorse",
+  "receipt_id": "rcpt-endorse-20260510-0001",
+  "request": {
+    "version": "1.0.0",
+    "family": "trust",
+    "verb": "endorse",
+    "endorser": "runtime.commandlayer.eth",
+    "subject": {
+      "type": "service_identity",
+      "id": "svc://payments/settlement-orchestrator",
+      "uri": "spiffe://acme.prod/payments/settlement-orchestrator",
+      "content_hash": "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+    },
+    "endorsement": {
+      "statement": "Service identity is approved to sign settlement batch receipts.",
+      "scope": "capability:settlement-receipt-signing",
+      "confidence": 0.55
+    },
+    "context": {
+      "environment": "prod-us-east-1",
+      "tenant_id": "tenant-acme-prod",
+      "request_id": "req-endorse-20260510-0001",
+      "correlation_id": "corr-settlement-20260510-e3"
+    }
+  },
+  "endorsement_result": {
+    "status": "endorsed",
+    "endorsement_id": "endorse-settlement-signer-20260510-01",
+    "reason": "Identity met provenance, uptime, and key-rotation requirements.",
+    "expires_at": "2026-11-10T00:00:00Z"
+  },
+  "ts": "2026-05-10T12:05:00Z",
+  "metadata": {
+    "proof": {
+      "canonicalization": "json.sorted_keys.v1",
+      "hash": {
+        "alg": "SHA-256",
+        "value": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+      },
+      "signature": {
+        "alg": "Ed25519",
+        "value": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd",
+        "kid": "cl-key-1"
+      }
+    }
+  }
+}
diff --git a/public/schemas/trust-verification/endorse/examples/valid.receipt.json b/public/schemas/trust-verification/endorse/examples/valid.receipt.json
new file mode 100644
index 0000000..3dde3db
--- /dev/null
+++ b/public/schemas/trust-verification/endorse/examples/valid.receipt.json
@@ -0,0 +1,50 @@
+{
+  "version": "1.0.0",
+  "family": "trust",
+  "verb": "endorse",
+  "receipt_id": "rcpt-endorse-20260510-0001",
+  "request": {
+    "version": "1.0.0",
+    "family": "trust",
+    "verb": "endorse",
+    "endorser": "runtime.commandlayer.eth",
+    "subject": {
+      "type": "service_identity",
+      "id": "svc://payments/settlement-orchestrator",
+      "uri": "spiffe://acme.prod/payments/settlement-orchestrator",
+      "content_hash": "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+    },
+    "endorsement": {
+      "statement": "Service identity is approved to sign settlement batch receipts.",
+      "scope": "capability:settlement-receipt-signing",
+      "confidence": 0.94
+    },
+    "context": {
+      "environment": "prod-us-east-1",
+      "tenant_id": "tenant-acme-prod",
+      "request_id": "req-endorse-20260510-0001",
+      "correlation_id": "corr-settlement-20260510-e3"
+    }
+  },
+  "endorsement_result": {
+    "status": "endorsed",
+    "endorsement_id": "endorse-settlement-signer-20260510-01",
+    "reason": "Identity met provenance, uptime, and key-rotation requirements.",
+    "expires_at": "2026-11-10T00:00:00Z"
+  },
+  "ts": "2026-05-10T12:05:00Z",
+  "metadata": {
+    "proof": {
+      "canonicalization": "json.sorted_keys.v1",
+      "hash": {
+        "alg": "SHA-256",
+        "value": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+      },
+      "signature": {
+        "alg": "Ed25519",
+        "value": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd",
+        "kid": "cl-key-1"
+      }
+    }
+  }
+}
diff --git a/public/schemas/trust-verification/endorse/examples/valid.request.json b/public/schemas/trust-verification/endorse/examples/valid.request.json
new file mode 100644
index 0000000..dd51244
--- /dev/null
+++ b/public/schemas/trust-verification/endorse/examples/valid.request.json
@@ -0,0 +1,23 @@
+{
+  "version": "1.0.0",
+  "family": "trust",
+  "verb": "endorse",
+  "endorser": "runtime.commandlayer.eth",
+  "subject": {
+    "type": "service_identity",
+    "id": "svc://payments/settlement-orchestrator",
+    "uri": "spiffe://acme.prod/payments/settlement-orchestrator",
+    "content_hash": "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+  },
+  "endorsement": {
+    "statement": "Service identity is approved to sign settlement batch receipts.",
+    "scope": "capability:settlement-receipt-signing",
+    "confidence": 0.94
+  },
+  "context": {
+    "environment": "prod-us-east-1",
+    "tenant_id": "tenant-acme-prod",
+    "request_id": "req-endorse-20260510-0001",
+    "correlation_id": "corr-settlement-20260510-e3"
+  }
+}
diff --git a/public/schemas/trust-verification/grant/examples/invalid.receipt.json b/public/schemas/trust-verification/grant/examples/invalid.receipt.json
new file mode 100644
index 0000000..f6971c0
--- /dev/null
+++ b/public/schemas/trust-verification/grant/examples/invalid.receipt.json
@@ -0,0 +1,54 @@
+{
+  "version": "1.0.0",
+  "family": "trust",
+  "verb": "grant",
+  "receipt_id": "rcpt-grant-20260510-0001",
+  "request": {
+    "version": "1.0.0",
+    "family": "trust",
+    "verb": "grant",
+    "grantor": "runtime.commandlayer.eth",
+    "grantee": "agent:runtime/data-exporter-02",
+    "grant": {
+      "type": "access",
+      "value": "read-export-jobs",
+      "scope": "dataset:finance-settlements",
+      "resource": {
+        "type": "dataset",
+        "id": "finance-settlements",
+        "uri": "urn:datahub:dataset:finance-settlements"
+      }
+    },
+    "conditions": {
+      "expires_at": "2026-12-31T23:59:59Z",
+      "justification": "quarterly-close automation"
+    },
+    "context": {
+      "environment": "prod-us-east-1",
+      "tenant_id": "tenant-acme-prod",
+      "request_id": "req-grant-20260510-0001",
+      "correlation_id": "corr-data-20260510-g2"
+    }
+  },
+  "grant_result": {
+    "status": "authorized",
+    "grant_id": "grant-data-exporter-20260510-01",
+    "reason": "Automation approved for quarterly close process.",
+    "expires_at": "2026-12-31T23:59:59Z"
+  },
+  "ts": "2026-05-10T12:05:00Z",
+  "metadata": {
+    "proof": {
+      "canonicalization": "json.sorted_keys.v1",
+      "hash": {
+        "alg": "SHA-256",
+        "value": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+      },
+      "signature": {
+        "alg": "Ed25519",
+        "value": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd",
+        "kid": "cl-key-1"
+      }
+    }
+  }
+}
diff --git a/public/schemas/trust-verification/grant/examples/tampered.receipt.json b/public/schemas/trust-verification/grant/examples/tampered.receipt.json
new file mode 100644
index 0000000..83e8e06
--- /dev/null
+++ b/public/schemas/trust-verification/grant/examples/tampered.receipt.json
@@ -0,0 +1,54 @@
+{
+  "version": "1.0.0",
+  "family": "trust",
+  "verb": "grant",
+  "receipt_id": "rcpt-grant-20260510-0001",
+  "request": {
+    "version": "1.0.0",
+    "family": "trust",
+    "verb": "grant",
+    "grantor": "runtime.commandlayer.eth",
+    "grantee": "agent:runtime/data-exporter-02",
+    "grant": {
+      "type": "access",
+      "value": "read-export-jobs",
+      "scope": "dataset:finance-settlements",
+      "resource": {
+        "type": "dataset",
+        "id": "finance-payroll",
+        "uri": "urn:datahub:dataset:finance-payroll"
+      }
+    },
+    "conditions": {
+      "expires_at": "2026-12-31T23:59:59Z",
+      "justification": "quarterly-close automation"
+    },
+    "context": {
+      "environment": "prod-us-east-1",
+      "tenant_id": "tenant-acme-prod",
+      "request_id": "req-grant-20260510-0001",
+      "correlation_id": "corr-data-20260510-g2"
+    }
+  },
+  "grant_result": {
+    "status": "granted",
+    "grant_id": "grant-data-exporter-20260510-01",
+    "reason": "Automation approved for quarterly close process.",
+    "expires_at": "2026-12-31T23:59:59Z"
+  },
+  "ts": "2026-05-10T12:05:00Z",
+  "metadata": {
+    "proof": {
+      "canonicalization": "json.sorted_keys.v1",
+      "hash": {
+        "alg": "SHA-256",
+        "value": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+      },
+      "signature": {
+        "alg": "Ed25519",
+        "value": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd",
+        "kid": "cl-key-1"
+      }
+    }
+  }
+}
diff --git a/public/schemas/trust-verification/grant/examples/valid.receipt.json b/public/schemas/trust-verification/grant/examples/valid.receipt.json
new file mode 100644
index 0000000..5c5ae96
--- /dev/null
+++ b/public/schemas/trust-verification/grant/examples/valid.receipt.json
@@ -0,0 +1,54 @@
+{
+  "version": "1.0.0",
+  "family": "trust",
+  "verb": "grant",
+  "receipt_id": "rcpt-grant-20260510-0001",
+  "request": {
+    "version": "1.0.0",
+    "family": "trust",
+    "verb": "grant",
+    "grantor": "runtime.commandlayer.eth",
+    "grantee": "agent:runtime/data-exporter-02",
+    "grant": {
+      "type": "access",
+      "value": "read-export-jobs",
+      "scope": "dataset:finance-settlements",
+      "resource": {
+        "type": "dataset",
+        "id": "finance-settlements",
+        "uri": "urn:datahub:dataset:finance-settlements"
+      }
+    },
+    "conditions": {
+      "expires_at": "2026-12-31T23:59:59Z",
+      "justification": "quarterly-close automation"
+    },
+    "context": {
+      "environment": "prod-us-east-1",
+      "tenant_id": "tenant-acme-prod",
+      "request_id": "req-grant-20260510-0001",
+      "correlation_id": "corr-data-20260510-g2"
+    }
+  },
+  "grant_result": {
+    "status": "granted",
+    "grant_id": "grant-data-exporter-20260510-01",
+    "reason": "Automation approved for quarterly close process.",
+    "expires_at": "2026-12-31T23:59:59Z"
+  },
+  "ts": "2026-05-10T12:05:00Z",
+  "metadata": {
+    "proof": {
+      "canonicalization": "json.sorted_keys.v1",
+      "hash": {
+        "alg": "SHA-256",
+        "value": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+      },
+      "signature": {
+        "alg": "Ed25519",
+        "value": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd",
+        "kid": "cl-key-1"
+      }
+    }
+  }
+}
diff --git a/public/schemas/trust-verification/grant/examples/valid.request.json b/public/schemas/trust-verification/grant/examples/valid.request.json
new file mode 100644
index 0000000..14bcfc3
--- /dev/null
+++ b/public/schemas/trust-verification/grant/examples/valid.request.json
@@ -0,0 +1,27 @@
+{
+  "version": "1.0.0",
+  "family": "trust",
+  "verb": "grant",
+  "grantor": "runtime.commandlayer.eth",
+  "grantee": "agent:runtime/data-exporter-02",
+  "grant": {
+    "type": "access",
+    "value": "read-export-jobs",
+    "scope": "dataset:finance-settlements",
+    "resource": {
+      "type": "dataset",
+      "id": "finance-settlements",
+      "uri": "urn:datahub:dataset:finance-settlements"
+    }
+  },
+  "conditions": {
+    "expires_at": "2026-12-31T23:59:59Z",
+    "justification": "quarterly-close automation"
+  },
+  "context": {
+    "environment": "prod-us-east-1",
+    "tenant_id": "tenant-acme-prod",
+    "request_id": "req-grant-20260510-0001",
+    "correlation_id": "corr-data-20260510-g2"
+  }
+}
diff --git a/public/schemas/trust-verification/grant/grant.mcp.tool.schema.json b/public/schemas/trust-verification/grant/grant.mcp.tool.schema.json
new file mode 100644
index 0000000..0b337aa
--- /dev/null
+++ b/public/schemas/trust-verification/grant/grant.mcp.tool.schema.json
@@ -0,0 +1,18 @@
+{
+  "name": "clas_trust_grant",
+  "title": "CLAS Trust Grant",
+  "description": "Issue access, authority, rights, or permission to an actor. Successful execution returns a CLAS grant receipt.",
+  "inputSchema": {
+    "$ref": "./grant.request.schema.json"
+  },
+  "outputSchema": {
+    "$ref": "./grant.receipt.schema.json",
+    "description": "CLAS grant receipt returned when grant execution succeeds."
+  },
+  "annotations": {
+    "readOnlyHint": false,
+    "destructiveHint": false,
+    "idempotentHint": false,
+    "openWorldHint": false
+  }
+}
diff --git a/public/schemas/trust-verification/grant/grant.openapi.yaml b/public/schemas/trust-verification/grant/grant.openapi.yaml
new file mode 100644
index 0000000..65aba3c
--- /dev/null
+++ b/public/schemas/trust-verification/grant/grant.openapi.yaml
@@ -0,0 +1,28 @@
+openapi: 3.1.0
+info:
+  title: CLAS Trust Verification Grant API
+  version: 1.0.0
+paths:
+  /v1/trust-verification/grant:
+    post:
+      operationId: grantTrustVerificationAction
+      description: Issue access, authority, rights, or permission to an actor.
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              $ref: ./grant.request.schema.json
+      responses:
+        '200':
+          description: Grant receipt.
+          content:
+            application/json:
+              schema:
+                $ref: ./grant.receipt.schema.json
+        '400':
+          description: Invalid CLAS request.
+        '401':
+          description: Unauthorized signer or caller.
+        '422':
+          description: Semantic validation failure.
diff --git a/public/schemas/trust-verification/grant/grant.receipt.schema.json b/public/schemas/trust-verification/grant/grant.receipt.schema.json
new file mode 100644
index 0000000..609cc9b
--- /dev/null
+++ b/public/schemas/trust-verification/grant/grant.receipt.schema.json
@@ -0,0 +1,83 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://schemas.commandlayer.org/schemas/v1.0.0/trust/grant/grant.receipt.schema.json",
+  "title": "CLAS Trust Grant Receipt",
+  "description": "A signed receipt proving that a grant was issued, refused, revoked, or expired.",
+  "type": "object",
+  "additionalProperties": false,
+  "required": [
+    "version",
+    "family",
+    "verb",
+    "receipt_id",
+    "request",
+    "grant_result",
+    "ts",
+    "metadata"
+  ],
+  "properties": {
+    "version": {
+      "const": "1.0.0"
+    },
+    "family": {
+      "const": "trust"
+    },
+    "verb": {
+      "const": "grant"
+    },
+    "receipt_id": {
+      "type": "string",
+      "minLength": 1
+    },
+    "request": {
+      "$ref": "./grant.request.schema.json"
+    },
+    "grant_result": {
+      "type": "object",
+      "additionalProperties": false,
+      "required": [
+        "status"
+      ],
+      "properties": {
+        "status": {
+          "type": "string",
+          "enum": [
+            "granted",
+            "refused",
+            "revoked",
+            "expired"
+          ]
+        },
+        "grant_id": {
+          "type": "string"
+        },
+        "reason": {
+          "type": "string"
+        },
+        "expires_at": {
+          "type": "string",
+          "format": "date-time"
+        }
+      }
+    },
+    "ts": {
+      "type": "string",
+      "format": "date-time"
+    },
+    "metadata": {
+      "type": "object",
+      "additionalProperties": false,
+      "required": [
+        "proof"
+      ],
+      "properties": {
+        "proof": {
+          "$ref": "../_shared/proof.schema.json"
+        },
+        "trace": {
+          "$ref": "../_shared/trace.schema.json"
+        }
+      }
+    }
+  }
+}
diff --git a/public/schemas/trust-verification/grant/grant.request.schema.json b/public/schemas/trust-verification/grant/grant.request.schema.json
new file mode 100644
index 0000000..0483363
--- /dev/null
+++ b/public/schemas/trust-verification/grant/grant.request.schema.json
@@ -0,0 +1,29 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://schemas.commandlayer.org/schemas/v1.0.0/trust/grant/grant.request.schema.json",
+  "title": "CLAS Trust Grant Request",
+  "description": "A request to grant a role, right, capability, credential, or access to a principal.",
+  "type": "object",
+  "additionalProperties": false,
+  "required": ["version", "family", "verb", "grantor", "grantee", "grant"],
+  "properties": {
+    "version": { "const": "1.0.0" },
+    "family": { "const": "trust" },
+    "verb": { "const": "grant" },
+    "grantor": { "type": "string", "minLength": 1 },
+    "grantee": { "type": "string", "minLength": 1 },
+    "grant": {
+      "type": "object",
+      "additionalProperties": false,
+      "required": ["type", "value"],
+      "properties": {
+        "type": { "type": "string", "enum": ["role", "right", "capability", "access", "credential", "other"] },
+        "value": { "type": "string", "minLength": 1 },
+        "scope": { "type": "string" },
+        "resource": { "type": "object", "additionalProperties": true }
+      }
+    },
+    "conditions": { "type": "object", "additionalProperties": true },
+    "context": { "type": "object", "additionalProperties": true }
+  }
+}
diff --git a/public/schemas/trust-verification/manifest.json b/public/schemas/trust-verification/manifest.json
new file mode 100644
index 0000000..174ec1a
--- /dev/null
+++ b/public/schemas/trust-verification/manifest.json
@@ -0,0 +1,88 @@
+{
+  "family": "trust-verification",
+  "version": "1.0.0",
+  "status": "draft-v1",
+  "shared_proof_schema": "_shared/proof.schema.json",
+  "verbs": [
+    {
+      "verb": "verify",
+      "request_schema": "verify/verify.request.schema.json",
+      "receipt_schema": "verify/verify.receipt.schema.json",
+      "examples_path": "verify/examples",
+      "openapi_path": "verify/verify.openapi.yaml",
+      "mcp_tool_schema_path": "verify/verify.mcp.tool.schema.json"
+    },
+    {
+      "verb": "authenticate",
+      "request_schema": "authenticate/authenticate.request.schema.json",
+      "receipt_schema": "authenticate/authenticate.receipt.schema.json",
+      "examples_path": "authenticate/examples",
+      "openapi_path": "authenticate/authenticate.openapi.yaml",
+      "mcp_tool_schema_path": "authenticate/authenticate.mcp.tool.schema.json"
+    },
+    {
+      "verb": "authorize",
+      "request_schema": "authorize/authorize.request.schema.json",
+      "receipt_schema": "authorize/authorize.receipt.schema.json",
+      "examples_path": "authorize/examples",
+      "openapi_path": "authorize/authorize.openapi.yaml",
+      "mcp_tool_schema_path": "authorize/authorize.mcp.tool.schema.json"
+    },
+    {
+      "verb": "attest",
+      "request_schema": "attest/attest.request.schema.json",
+      "receipt_schema": "attest/attest.receipt.schema.json",
+      "examples_path": "attest/examples",
+      "openapi_path": "attest/attest.openapi.yaml",
+      "mcp_tool_schema_path": "attest/attest.mcp.tool.schema.json"
+    },
+    {
+      "verb": "sign",
+      "request_schema": "sign/sign.request.schema.json",
+      "receipt_schema": "sign/sign.receipt.schema.json",
+      "examples_path": "sign/examples",
+      "openapi_path": "sign/sign.openapi.yaml",
+      "mcp_tool_schema_path": "sign/sign.mcp.tool.schema.json"
+    },
+    {
+      "verb": "permit",
+      "request_schema": "permit/permit.request.schema.json",
+      "receipt_schema": "permit/permit.receipt.schema.json",
+      "examples_path": "permit/examples",
+      "openapi_path": "permit/permit.openapi.yaml",
+      "mcp_tool_schema_path": "permit/permit.mcp.tool.schema.json"
+    },
+    {
+      "verb": "grant",
+      "request_schema": "grant/grant.request.schema.json",
+      "receipt_schema": "grant/grant.receipt.schema.json",
+      "examples_path": "grant/examples",
+      "openapi_path": "grant/grant.openapi.yaml",
+      "mcp_tool_schema_path": "grant/grant.mcp.tool.schema.json"
+    },
+    {
+      "verb": "approve",
+      "request_schema": "approve/approve.request.schema.json",
+      "receipt_schema": "approve/approve.receipt.schema.json",
+      "examples_path": "approve/examples",
+      "openapi_path": "approve/approve.openapi.yaml",
+      "mcp_tool_schema_path": "approve/approve.mcp.tool.schema.json"
+    },
+    {
+      "verb": "reject",
+      "request_schema": "reject/reject.request.schema.json",
+      "receipt_schema": "reject/reject.receipt.schema.json",
+      "examples_path": "reject/examples",
+      "openapi_path": "reject/reject.openapi.yaml",
+      "mcp_tool_schema_path": "reject/reject.mcp.tool.schema.json"
+    },
+    {
+      "verb": "endorse",
+      "request_schema": "endorse/endorse.request.schema.json",
+      "receipt_schema": "endorse/endorse.receipt.schema.json",
+      "examples_path": "endorse/examples",
+      "openapi_path": "endorse/endorse.openapi.yaml",
+      "mcp_tool_schema_path": "endorse/endorse.mcp.tool.schema.json"
+    }
+  ]
+}
diff --git a/public/schemas/trust-verification/permit/examples/invalid.receipt.json b/public/schemas/trust-verification/permit/examples/invalid.receipt.json
new file mode 100644
index 0000000..9dd84c5
--- /dev/null
+++ b/public/schemas/trust-verification/permit/examples/invalid.receipt.json
@@ -0,0 +1,56 @@
+{
+  "version": "1.0.0",
+  "family": "trust",
+  "verb": "permit",
+  "receipt_id": "rcpt-permit-20260510-0001",
+  "request": {
+    "version": "1.0.0",
+    "family": "trust",
+    "verb": "permit",
+    "issuer": "runtime.commandlayer.eth",
+    "principal": "agent:runtime/reconciler-04",
+    "permission": {
+      "action": "patch",
+      "resource": {
+        "type": "k8s_configmap",
+        "id": "payments-runtime-config",
+        "uri": "urn:k8s:prod-us-east-1:namespace/payments:configmap/payments-runtime-config"
+      },
+      "scope": "namespace:payments"
+    },
+    "conditions": {
+      "expires_at": "2026-05-10T14:00:00Z",
+      "ip_allowlist": [
+        "10.42.0.0/16"
+      ]
+    },
+    "context": {
+      "environment": "prod-us-east-1",
+      "policy_id": "policy.runtime.patch-configmap.v1",
+      "tenant_id": "tenant-acme-prod",
+      "request_id": "req-permit-20260510-0001",
+      "correlation_id": "corr-ops-20260510-p5"
+    }
+  },
+  "permit_result": {
+    "status": "permitted",
+    "permit_id": "permit-runtime-config-patch-20260510-01",
+    "reason": "Emergency config patch approved under scoped policy.",
+    "expires_at": "2026-05-10T14:00:00Z"
+  },
+  "ts": "2026-05-10T12:05:00Z",
+  "metadata": {
+    "proof": {
+      "canonicalization": "json.sorted_keys.v1",
+      "hash": {
+        "alg": "SHA-256",
+        "value": "xyz"
+      },
+      "signature": {
+        "alg": "Ed25519",
+        "value": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd",
+        "kid": "cl-key-1"
+      }
+    }
+  }
+}
diff --git a/public/schemas/trust-verification/permit/examples/tampered.receipt.json b/public/schemas/trust-verification/permit/examples/tampered.receipt.json
new file mode 100644
index 0000000..b816567
--- /dev/null
+++ b/public/schemas/trust-verification/permit/examples/tampered.receipt.json
@@ -0,0 +1,56 @@
+{
+  "version": "1.0.0",
+  "family": "trust",
+  "verb": "permit",
+  "receipt_id": "rcpt-permit-20260510-0001",
+  "request": {
+    "version": "1.0.0",
+    "family": "trust",
+    "verb": "permit",
+    "issuer": "runtime.commandlayer.eth",
+    "principal": "agent:runtime/reconciler-04",
+    "permission": {
+      "action": "patch",
+      "resource": {
+        "type": "k8s_configmap",
+        "id": "payments-runtime-config",
+        "uri": "urn:k8s:prod-us-east-1:namespace/payments:configmap/payments-runtime-config"
+      },
+      "scope": "namespace:payments"
+    },
+    "conditions": {
+      "expires_at": "2026-05-10T14:00:00Z",
+      "ip_allowlist": [
+        "10.42.0.0/16"
+      ]
+    },
+    "context": {
+      "environment": "prod-us-east-1",
+      "policy_id": "policy.runtime.patch-configmap.v1",
+      "tenant_id": "tenant-acme-prod",
+      "request_id": "req-permit-20260510-0001",
+      "correlation_id": "corr-ops-20260510-p5"
+    }
+  },
+  "permit_result": {
+    "status": "permitted",
+    "permit_id": "permit-runtime-config-patch-20260510-01",
+    "reason": "Emergency config patch approved under scoped policy.",
+    "expires_at": "2026-05-11T14:00:00Z"
+  },
+  "ts": "2026-05-10T12:05:00Z",
+  "metadata": {
+    "proof": {
+      "canonicalization": "json.sorted_keys.v1",
+      "hash": {
+        "alg": "SHA-256",
+        "value": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+      },
+      "signature": {
+        "alg": "Ed25519",
+        "value": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd",
+        "kid": "cl-key-1"
+      }
+    }
+  }
+}
diff --git a/public/schemas/trust-verification/permit/examples/valid.receipt.json b/public/schemas/trust-verification/permit/examples/valid.receipt.json
new file mode 100644
index 0000000..93a2400
--- /dev/null
+++ b/public/schemas/trust-verification/permit/examples/valid.receipt.json
@@ -0,0 +1,56 @@
+{
+  "version": "1.0.0",
+  "family": "trust",
+  "verb": "permit",
+  "receipt_id": "rcpt-permit-20260510-0001",
+  "request": {
+    "version": "1.0.0",
+    "family": "trust",
+    "verb": "permit",
+    "issuer": "runtime.commandlayer.eth",
+    "principal": "agent:runtime/reconciler-04",
+    "permission": {
+      "action": "patch",
+      "resource": {
+        "type": "k8s_configmap",
+        "id": "payments-runtime-config",
+        "uri": "urn:k8s:prod-us-east-1:namespace/payments:configmap/payments-runtime-config"
+      },
+      "scope": "namespace:payments"
+    },
+    "conditions": {
+      "expires_at": "2026-05-10T14:00:00Z",
+      "ip_allowlist": [
+        "10.42.0.0/16"
+      ]
+    },
+    "context": {
+      "environment": "prod-us-east-1",
+      "policy_id": "policy.runtime.patch-configmap.v1",
+      "tenant_id": "tenant-acme-prod",
+      "request_id": "req-permit-20260510-0001",
+      "correlation_id": "corr-ops-20260510-p5"
+    }
+  },
+  "permit_result": {
+    "status": "permitted",
+    "permit_id": "permit-runtime-config-patch-20260510-01",
+    "reason": "Emergency config patch approved under scoped policy.",
+    "expires_at": "2026-05-10T14:00:00Z"
+  },
+  "ts": "2026-05-10T12:05:00Z",
+  "metadata": {
+    "proof": {
+      "canonicalization": "json.sorted_keys.v1",
+      "hash": {
+        "alg": "SHA-256",
+        "value": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+      },
+      "signature": {
+        "alg": "Ed25519",
+        "value": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd",
+        "kid": "cl-key-1"
+      }
+    }
+  }
+}
diff --git a/public/schemas/trust-verification/permit/examples/valid.request.json b/public/schemas/trust-verification/permit/examples/valid.request.json
new file mode 100644
index 0000000..3a85f78
--- /dev/null
+++ b/public/schemas/trust-verification/permit/examples/valid.request.json
@@ -0,0 +1,29 @@
+{
+  "version": "1.0.0",
+  "family": "trust",
+  "verb": "permit",
+  "issuer": "runtime.commandlayer.eth",
+  "principal": "agent:runtime/reconciler-04",
+  "permission": {
+    "action": "patch",
+    "resource": {
+      "type": "k8s_configmap",
+      "id": "payments-runtime-config",
+      "uri": "urn:k8s:prod-us-east-1:namespace/payments:configmap/payments-runtime-config"
+    },
+    "scope": "namespace:payments"
+  },
+  "conditions": {
+    "expires_at": "2026-05-10T14:00:00Z",
+    "ip_allowlist": [
+      "10.42.0.0/16"
+    ]
+  },
+  "context": {
+    "environment": "prod-us-east-1",
+    "policy_id": "policy.runtime.patch-configmap.v1",
+    "tenant_id": "tenant-acme-prod",
+    "request_id": "req-permit-20260510-0001",
+    "correlation_id": "corr-ops-20260510-p5"
+  }
+}
diff --git a/public/schemas/trust-verification/permit/permit.mcp.tool.schema.json b/public/schemas/trust-verification/permit/permit.mcp.tool.schema.json
new file mode 100644
index 0000000..37e2695
--- /dev/null
+++ b/public/schemas/trust-verification/permit/permit.mcp.tool.schema.json
@@ -0,0 +1,18 @@
+{
+  "name": "clas_trust_permit",
+  "title": "CLAS Trust Permit",
+  "description": "Create or manage a portable permission artifact. Successful execution returns a CLAS permit receipt.",
+  "inputSchema": {
+    "$ref": "./permit.request.schema.json"
+  },
+  "outputSchema": {
+    "$ref": "./permit.receipt.schema.json",
+    "description": "CLAS permit receipt returned when permit execution succeeds."
+  },
+  "annotations": {
+    "readOnlyHint": false,
+    "destructiveHint": false,
+    "idempotentHint": false,
+    "openWorldHint": false
+  }
+}
diff --git a/public/schemas/trust-verification/permit/permit.openapi.yaml b/public/schemas/trust-verification/permit/permit.openapi.yaml
new file mode 100644
index 0000000..efcaf85
--- /dev/null
+++ b/public/schemas/trust-verification/permit/permit.openapi.yaml
@@ -0,0 +1,28 @@
+openapi: 3.1.0
+info:
+  title: CLAS Trust Verification Permit API
+  version: 1.0.0
+paths:
+  /v1/trust-verification/permit:
+    post:
+      operationId: permitTrustVerificationAction
+      description: Create or manage a portable permission artifact.
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              $ref: ./permit.request.schema.json
+      responses:
+        '200':
+          description: Permit receipt.
+          content:
+            application/json:
+              schema:
+                $ref: ./permit.receipt.schema.json
+        '400':
+          description: Invalid CLAS request.
+        '401':
+          description: Unauthorized signer or caller.
+        '422':
+          description: Semantic validation failure.
diff --git a/public/schemas/trust-verification/permit/permit.receipt.schema.json b/public/schemas/trust-verification/permit/permit.receipt.schema.json
new file mode 100644
index 0000000..4b01d67
--- /dev/null
+++ b/public/schemas/trust-verification/permit/permit.receipt.schema.json
@@ -0,0 +1,83 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://schemas.commandlayer.org/schemas/v1.0.0/trust/permit/permit.receipt.schema.json",
+  "title": "CLAS Trust Permit Receipt",
+  "description": "A signed receipt proving that a permission was issued, refused, or revoked.",
+  "type": "object",
+  "additionalProperties": false,
+  "required": [
+    "version",
+    "family",
+    "verb",
+    "receipt_id",
+    "request",
+    "permit_result",
+    "ts",
+    "metadata"
+  ],
+  "properties": {
+    "version": {
+      "const": "1.0.0"
+    },
+    "family": {
+      "const": "trust"
+    },
+    "verb": {
+      "const": "permit"
+    },
+    "receipt_id": {
+      "type": "string",
+      "minLength": 1
+    },
+    "request": {
+      "$ref": "./permit.request.schema.json"
+    },
+    "permit_result": {
+      "type": "object",
+      "additionalProperties": false,
+      "required": [
+        "status"
+      ],
+      "properties": {
+        "status": {
+          "type": "string",
+          "enum": [
+            "permitted",
+            "refused",
+            "revoked",
+            "expired"
+          ]
+        },
+        "permit_id": {
+          "type": "string"
+        },
+        "reason": {
+          "type": "string"
+        },
+        "expires_at": {
+          "type": "string",
+          "format": "date-time"
+        }
+      }
+    },
+    "ts": {
+      "type": "string",
+      "format": "date-time"
+    },
+    "metadata": {
+      "type": "object",
+      "additionalProperties": false,
+      "required": [
+        "proof"
+      ],
+      "properties": {
+        "proof": {
+          "$ref": "../_shared/proof.schema.json"
+        },
+        "trace": {
+          "$ref": "../_shared/trace.schema.json"
+        }
+      }
+    }
+  }
+}
diff --git a/public/schemas/trust-verification/permit/permit.request.schema.json b/public/schemas/trust-verification/permit/permit.request.schema.json
new file mode 100644
index 0000000..af7b869
--- /dev/null
+++ b/public/schemas/trust-verification/permit/permit.request.schema.json
@@ -0,0 +1,37 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://schemas.commandlayer.org/schemas/v1.0.0/trust/permit/permit.request.schema.json",
+  "title": "CLAS Trust Permit Request",
+  "description": "A request to permit a principal to take a scoped action under defined conditions.",
+  "type": "object",
+  "additionalProperties": false,
+  "required": ["version", "family", "verb", "issuer", "principal", "permission"],
+  "properties": {
+    "version": { "const": "1.0.0" },
+    "family": { "const": "trust" },
+    "verb": { "const": "permit" },
+    "issuer": { "type": "string", "minLength": 1 },
+    "principal": { "type": "string", "minLength": 1 },
+    "permission": {
+      "type": "object",
+      "additionalProperties": false,
+      "required": ["action", "resource"],
+      "properties": {
+        "action": { "type": "string", "minLength": 1 },
+        "resource": {
+          "type": "object",
+          "additionalProperties": true,
+          "required": ["type", "id"],
+          "properties": {
+            "type": { "type": "string", "minLength": 1 },
+            "id": { "type": "string", "minLength": 1 },
+            "uri": { "type": "string" }
+          }
+        },
+        "scope": { "type": "string" }
+      }
+    },
+    "conditions": { "type": "object", "additionalProperties": true },
+    "context": { "type": "object", "additionalProperties": true }
+  }
+}
diff --git a/public/schemas/trust-verification/reject/examples/invalid.receipt.json b/public/schemas/trust-verification/reject/examples/invalid.receipt.json
new file mode 100644
index 0000000..31d6129
--- /dev/null
+++ b/public/schemas/trust-verification/reject/examples/invalid.receipt.json
@@ -0,0 +1,46 @@
+{
+  "version": "1.0.0",
+  "family": "trust",
+  "verb": "reject",
+  "receipt_id": "rcpt-reject-20260510-0001",
+  "request": {
+    "version": "1.0.0",
+    "family": "trust",
+    "verb": "reject",
+    "rejector": "runtime.commandlayer.eth",
+    "subject": {
+      "type": "deployment_request",
+      "id": "deploy-orders-api-2026-05-10-rc3",
+      "uri": "cl://deploy/requests/deploy-orders-api-2026-05-10-rc3"
+    },
+    "reason": "Canary error budget exceeded during pre-prod validation.",
+    "policy_id": "policy.prod.error-budget-gate.v2",
+    "context": {
+      "environment": "prod-us-east-1",
+      "tenant_id": "tenant-acme-prod",
+      "request_id": "req-reject-20260510-0001",
+      "correlation_id": "corr-release-20260510-r8"
+    }
+  },
+  "rejection": {
+    "status": "denied",
+    "reason": "Canary error budget exceeded during pre-prod validation.",
+    "policy_id": "policy.prod.error-budget-gate.v2",
+    "appeal_uri": "https://go.acme.internal/change-appeals/deploy-orders-api-2026-05-10-rc3"
+  },
+  "ts": "2026-05-10T12:05:00Z",
+  "metadata": {
+    "proof": {
+      "canonicalization": "json.sorted_keys.v1",
+      "hash": {
+        "alg": "SHA-256",
+        "value": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+      },
+      "signature": {
+        "alg": "Ed25519",
+        "value": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd",
+        "kid": "cl-key-1"
+      }
+    }
+  }
+}
diff --git a/public/schemas/trust-verification/reject/examples/tampered.receipt.json b/public/schemas/trust-verification/reject/examples/tampered.receipt.json
new file mode 100644
index 0000000..6b03ff7
--- /dev/null
+++ b/public/schemas/trust-verification/reject/examples/tampered.receipt.json
@@ -0,0 +1,46 @@
+{
+  "version": "1.0.0",
+  "family": "trust",
+  "verb": "reject",
+  "receipt_id": "rcpt-reject-20260510-0001",
+  "request": {
+    "version": "1.0.0",
+    "family": "trust",
+    "verb": "reject",
+    "rejector": "runtime.commandlayer.eth",
+    "subject": {
+      "type": "deployment_request",
+      "id": "deploy-orders-api-2026-05-10-rc3",
+      "uri": "cl://deploy/requests/deploy-orders-api-2026-05-10-rc3"
+    },
+    "reason": "Canary error budget exceeded during pre-prod validation.",
+    "policy_id": "policy.prod.error-budget-gate.v2",
+    "context": {
+      "environment": "prod-us-east-1",
+      "tenant_id": "tenant-acme-prod",
+      "request_id": "req-reject-20260510-0001",
+      "correlation_id": "corr-release-20260510-r8"
+    }
+  },
+  "rejection": {
+    "status": "rejected",
+    "reason": "Manual approval missing from security duty officer.",
+    "policy_id": "policy.prod.error-budget-gate.v2",
+    "appeal_uri": "https://go.acme.internal/change-appeals/deploy-orders-api-2026-05-10-rc3"
+  },
+  "ts": "2026-05-10T12:05:00Z",
+  "metadata": {
+    "proof": {
+      "canonicalization": "json.sorted_keys.v1",
+      "hash": {
+        "alg": "SHA-256",
+        "value": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+      },
+      "signature": {
+        "alg": "Ed25519",
+        "value": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd",
+        "kid": "cl-key-1"
+      }
+    }
+  }
+}
diff --git a/public/schemas/trust-verification/reject/examples/valid.receipt.json b/public/schemas/trust-verification/reject/examples/valid.receipt.json
new file mode 100644
index 0000000..69276f9
--- /dev/null
+++ b/public/schemas/trust-verification/reject/examples/valid.receipt.json
@@ -0,0 +1,46 @@
+{
+  "version": "1.0.0",
+  "family": "trust",
+  "verb": "reject",
+  "receipt_id": "rcpt-reject-20260510-0001",
+  "request": {
+    "version": "1.0.0",
+    "family": "trust",
+    "verb": "reject",
+    "rejector": "runtime.commandlayer.eth",
+    "subject": {
+      "type": "deployment_request",
+      "id": "deploy-orders-api-2026-05-10-rc3",
+      "uri": "cl://deploy/requests/deploy-orders-api-2026-05-10-rc3"
+    },
+    "reason": "Canary error budget exceeded during pre-prod validation.",
+    "policy_id": "policy.prod.error-budget-gate.v2",
+    "context": {
+      "environment": "prod-us-east-1",
+      "tenant_id": "tenant-acme-prod",
+      "request_id": "req-reject-20260510-0001",
+      "correlation_id": "corr-release-20260510-r8"
+    }
+  },
+  "rejection": {
+    "status": "rejected",
+    "reason": "Canary error budget exceeded during pre-prod validation.",
+    "policy_id": "policy.prod.error-budget-gate.v2",
+    "appeal_uri": "https://go.acme.internal/change-appeals/deploy-orders-api-2026-05-10-rc3"
+  },
+  "ts": "2026-05-10T12:05:00Z",
+  "metadata": {
+    "proof": {
+      "canonicalization": "json.sorted_keys.v1",
+      "hash": {
+        "alg": "SHA-256",
+        "value": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+      },
+      "signature": {
+        "alg": "Ed25519",
+        "value": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd",
+        "kid": "cl-key-1"
+      }
+    }
+  }
+}
diff --git a/public/schemas/trust-verification/reject/examples/valid.request.json b/public/schemas/trust-verification/reject/examples/valid.request.json
new file mode 100644
index 0000000..ea15a0f
--- /dev/null
+++ b/public/schemas/trust-verification/reject/examples/valid.request.json
@@ -0,0 +1,19 @@
+{
+  "version": "1.0.0",
+  "family": "trust",
+  "verb": "reject",
+  "rejector": "runtime.commandlayer.eth",
+  "subject": {
+    "type": "deployment_request",
+    "id": "deploy-orders-api-2026-05-10-rc3",
+    "uri": "cl://deploy/requests/deploy-orders-api-2026-05-10-rc3"
+  },
+  "reason": "Canary error budget exceeded during pre-prod validation.",
+  "policy_id": "policy.prod.error-budget-gate.v2",
+  "context": {
+    "environment": "prod-us-east-1",
+    "tenant_id": "tenant-acme-prod",
+    "request_id": "req-reject-20260510-0001",
+    "correlation_id": "corr-release-20260510-r8"
+  }
+}
diff --git a/public/schemas/trust-verification/reject/reject.mcp.tool.schema.json b/public/schemas/trust-verification/reject/reject.mcp.tool.schema.json
new file mode 100644
index 0000000..45cdccd
--- /dev/null
+++ b/public/schemas/trust-verification/reject/reject.mcp.tool.schema.json
@@ -0,0 +1,18 @@
+{
+  "name": "clas_trust_reject",
+  "title": "CLAS Trust Reject",
+  "description": "Record a negative decision on a proposal, transaction, request, deployment, or workflow step. Successful execution returns a CLAS reject receipt.",
+  "inputSchema": {
+    "$ref": "./reject.request.schema.json"
+  },
+  "outputSchema": {
+    "$ref": "./reject.receipt.schema.json",
+    "description": "CLAS reject receipt returned when reject execution succeeds."
+  },
+  "annotations": {
+    "readOnlyHint": false,
+    "destructiveHint": false,
+    "idempotentHint": false,
+    "openWorldHint": false
+  }
+}
diff --git a/public/schemas/trust-verification/reject/reject.openapi.yaml b/public/schemas/trust-verification/reject/reject.openapi.yaml
new file mode 100644
index 0000000..04bcaa9
--- /dev/null
+++ b/public/schemas/trust-verification/reject/reject.openapi.yaml
@@ -0,0 +1,28 @@
+openapi: 3.1.0
+info:
+  title: CLAS Trust Verification Reject API
+  version: 1.0.0
+paths:
+  /v1/trust-verification/reject:
+    post:
+      operationId: rejectTrustVerificationAction
+      description: Record a negative decision on a proposal, transaction, request, deployment, or workflow step.
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              $ref: ./reject.request.schema.json
+      responses:
+        '200':
+          description: Reject receipt.
+          content:
+            application/json:
+              schema:
+                $ref: ./reject.receipt.schema.json
+        '400':
+          description: Invalid CLAS request.
+        '401':
+          description: Unauthorized signer or caller.
+        '422':
+          description: Semantic validation failure.
diff --git a/public/schemas/trust-verification/reject/reject.receipt.schema.json b/public/schemas/trust-verification/reject/reject.receipt.schema.json
new file mode 100644
index 0000000..010a0cc
--- /dev/null
+++ b/public/schemas/trust-verification/reject/reject.receipt.schema.json
@@ -0,0 +1,78 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://schemas.commandlayer.org/schemas/v1.0.0/trust/reject/reject.receipt.schema.json",
+  "title": "CLAS Trust Reject Receipt",
+  "description": "A signed receipt proving that a rejection decision was made.",
+  "type": "object",
+  "additionalProperties": false,
+  "required": [
+    "version",
+    "family",
+    "verb",
+    "receipt_id",
+    "request",
+    "rejection",
+    "ts",
+    "metadata"
+  ],
+  "properties": {
+    "version": {
+      "const": "1.0.0"
+    },
+    "family": {
+      "const": "trust"
+    },
+    "verb": {
+      "const": "reject"
+    },
+    "receipt_id": {
+      "type": "string",
+      "minLength": 1
+    },
+    "request": {
+      "$ref": "./reject.request.schema.json"
+    },
+    "rejection": {
+      "type": "object",
+      "additionalProperties": false,
+      "required": [
+        "status",
+        "reason"
+      ],
+      "properties": {
+        "status": {
+          "const": "rejected"
+        },
+        "reason": {
+          "type": "string",
+          "minLength": 1
+        },
+        "policy_id": {
+          "type": "string"
+        },
+        "appeal_uri": {
+          "type": "string"
+        }
+      }
+    },
+    "ts": {
+      "type": "string",
+      "format": "date-time"
+    },
+    "metadata": {
+      "type": "object",
+      "additionalProperties": false,
+      "required": [
+        "proof"
+      ],
+      "properties": {
+        "proof": {
+          "$ref": "../_shared/proof.schema.json"
+        },
+        "trace": {
+          "$ref": "../_shared/trace.schema.json"
+        }
+      }
+    }
+  }
+}
diff --git a/public/schemas/trust-verification/reject/reject.request.schema.json b/public/schemas/trust-verification/reject/reject.request.schema.json
new file mode 100644
index 0000000..76b566d
--- /dev/null
+++ b/public/schemas/trust-verification/reject/reject.request.schema.json
@@ -0,0 +1,28 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://schemas.commandlayer.org/schemas/v1.0.0/trust/reject/reject.request.schema.json",
+  "title": "CLAS Trust Reject Request",
+  "description": "A request to reject a claim, request, proposal, action, artifact, or authorization attempt.",
+  "type": "object",
+  "additionalProperties": false,
+  "required": ["version", "family", "verb", "rejector", "subject", "reason"],
+  "properties": {
+    "version": { "const": "1.0.0" },
+    "family": { "const": "trust" },
+    "verb": { "const": "reject" },
+    "rejector": { "type": "string", "minLength": 1 },
+    "subject": {
+      "type": "object",
+      "additionalProperties": true,
+      "required": ["type", "id"],
+      "properties": {
+        "type": { "type": "string", "minLength": 1 },
+        "id": { "type": "string", "minLength": 1 },
+        "uri": { "type": "string" }
+      }
+    },
+    "reason": { "type": "string", "minLength": 1 },
+    "policy_id": { "type": "string" },
+    "context": { "type": "object", "additionalProperties": true }
+  }
+}
diff --git a/public/schemas/trust-verification/sign/examples/invalid.receipt.json b/public/schemas/trust-verification/sign/examples/invalid.receipt.json
new file mode 100644
index 0000000..4bc5555
--- /dev/null
+++ b/public/schemas/trust-verification/sign/examples/invalid.receipt.json
@@ -0,0 +1,46 @@
+{
+  "version": "1.0.0",
+  "family": "trust",
+  "verb": "sign",
+  "receipt_id": "rcpt-sign-20260510-0001",
+  "request": {
+    "version": "1.0.0",
+    "family": "trust",
+    "verb": "sign",
+    "signer": "runtime.commandlayer.eth",
+    "payload": {
+      "type": "artifact",
+      "content_hash": "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
+      "uri": "oci://registry.acme.internal/workflows/release-manifest:2026.05.10"
+    },
+    "purpose": "release-manifest-attestation",
+    "context": {
+      "environment": "prod-us-east-1",
+      "tenant_id": "tenant-acme-prod",
+      "request_id": "req-sign-20260510-0001",
+      "correlation_id": "corr-release-20260510-s11"
+    }
+  },
+  "signature_result": {
+    "status": "signed",
+    "signature_alg": "rsa-pss",
+    "signature": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd",
+    "key_id": "cl-key-1",
+    "content_hash": "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+  },
+  "ts": "2026-05-10T12:05:00Z",
+  "metadata": {
+    "proof": {
+      "canonicalization": "json.sorted_keys.v1",
+      "hash": {
+        "alg": "SHA-256",
+        "value": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+      },
+      "signature": {
+        "alg": "Ed25519",
+        "value": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd",
+        "kid": "cl-key-1"
+      }
+    }
+  }
+}
diff --git a/public/schemas/trust-verification/sign/examples/tampered.receipt.json b/public/schemas/trust-verification/sign/examples/tampered.receipt.json
new file mode 100644
index 0000000..8391a36
--- /dev/null
+++ b/public/schemas/trust-verification/sign/examples/tampered.receipt.json
@@ -0,0 +1,46 @@
+{
+  "version": "1.0.0",
+  "family": "trust",
+  "verb": "sign",
+  "receipt_id": "rcpt-sign-20260510-0001",
+  "request": {
+    "version": "1.0.0",
+    "family": "trust",
+    "verb": "sign",
+    "signer": "runtime.commandlayer.eth",
+    "payload": {
+      "type": "artifact",
+      "content_hash": "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
+      "uri": "oci://registry.acme.internal/workflows/release-manifest:2026.05.10"
+    },
+    "purpose": "release-manifest-attestation",
+    "context": {
+      "environment": "prod-us-east-1",
+      "tenant_id": "tenant-acme-prod",
+      "request_id": "req-sign-20260510-0001",
+      "correlation_id": "corr-release-20260510-s11"
+    }
+  },
+  "signature_result": {
+    "status": "signed",
+    "signature_alg": "ed25519",
+    "signature": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd",
+    "key_id": "cl-key-1",
+    "content_hash": "sha256:bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"
+  },
+  "ts": "2026-05-10T12:05:00Z",
+  "metadata": {
+    "proof": {
+      "canonicalization": "json.sorted_keys.v1",
+      "hash": {
+        "alg": "SHA-256",
+        "value": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+      },
+      "signature": {
+        "alg": "Ed25519",
+        "value": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd",
+        "kid": "cl-key-1"
+      }
+    }
+  }
+}
diff --git a/public/schemas/trust-verification/sign/examples/valid.receipt.json b/public/schemas/trust-verification/sign/examples/valid.receipt.json
new file mode 100644
index 0000000..12c8e9e
--- /dev/null
+++ b/public/schemas/trust-verification/sign/examples/valid.receipt.json
@@ -0,0 +1,46 @@
+{
+  "version": "1.0.0",
+  "family": "trust",
+  "verb": "sign",
+  "receipt_id": "rcpt-sign-20260510-0001",
+  "request": {
+    "version": "1.0.0",
+    "family": "trust",
+    "verb": "sign",
+    "signer": "runtime.commandlayer.eth",
+    "payload": {
+      "type": "artifact",
+      "content_hash": "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
+      "uri": "oci://registry.acme.internal/workflows/release-manifest:2026.05.10"
+    },
+    "purpose": "release-manifest-attestation",
+    "context": {
+      "environment": "prod-us-east-1",
+      "tenant_id": "tenant-acme-prod",
+      "request_id": "req-sign-20260510-0001",
+      "correlation_id": "corr-release-20260510-s11"
+    }
+  },
+  "signature_result": {
+    "status": "signed",
+    "signature_alg": "ed25519",
+    "signature": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd",
+    "key_id": "cl-key-1",
+    "content_hash": "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+  },
+  "ts": "2026-05-10T12:05:00Z",
+  "metadata": {
+    "proof": {
+      "canonicalization": "json.sorted_keys.v1",
+      "hash": {
+        "alg": "SHA-256",
+        "value": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+      },
+      "signature": {
+        "alg": "Ed25519",
+        "value": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd",
+        "kid": "cl-key-1"
+      }
+    }
+  }
+}
diff --git a/public/schemas/trust-verification/sign/examples/valid.request.json b/public/schemas/trust-verification/sign/examples/valid.request.json
new file mode 100644
index 0000000..038bfd8
--- /dev/null
+++ b/public/schemas/trust-verification/sign/examples/valid.request.json
@@ -0,0 +1,18 @@
+{
+  "version": "1.0.0",
+  "family": "trust",
+  "verb": "sign",
+  "signer": "runtime.commandlayer.eth",
+  "payload": {
+    "type": "artifact",
+    "content_hash": "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
+    "uri": "oci://registry.acme.internal/workflows/release-manifest:2026.05.10"
+  },
+  "purpose": "release-manifest-attestation",
+  "context": {
+    "environment": "prod-us-east-1",
+    "tenant_id": "tenant-acme-prod",
+    "request_id": "req-sign-20260510-0001",
+    "correlation_id": "corr-release-20260510-s11"
+  }
+}
diff --git a/public/schemas/trust-verification/sign/sign.mcp.tool.schema.json b/public/schemas/trust-verification/sign/sign.mcp.tool.schema.json
new file mode 100644
index 0000000..f93228d
--- /dev/null
+++ b/public/schemas/trust-verification/sign/sign.mcp.tool.schema.json
@@ -0,0 +1,18 @@
+{
+  "name": "clas_trust_sign",
+  "title": "CLAS Trust Sign",
+  "description": "Apply cryptographic authorship, approval, or intent to a payload. Successful execution returns a CLAS sign receipt.",
+  "inputSchema": {
+    "$ref": "./sign.request.schema.json"
+  },
+  "outputSchema": {
+    "$ref": "./sign.receipt.schema.json",
+    "description": "CLAS sign receipt returned when sign execution succeeds."
+  },
+  "annotations": {
+    "readOnlyHint": false,
+    "destructiveHint": false,
+    "idempotentHint": false,
+    "openWorldHint": false
+  }
+}
diff --git a/public/schemas/trust-verification/sign/sign.openapi.yaml b/public/schemas/trust-verification/sign/sign.openapi.yaml
new file mode 100644
index 0000000..089269e
--- /dev/null
+++ b/public/schemas/trust-verification/sign/sign.openapi.yaml
@@ -0,0 +1,28 @@
+openapi: 3.1.0
+info:
+  title: CLAS Trust Verification Sign API
+  version: 1.0.0
+paths:
+  /v1/trust-verification/sign:
+    post:
+      operationId: signTrustVerificationAction
+      description: Apply cryptographic authorship, approval, or intent to a payload.
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              $ref: ./sign.request.schema.json
+      responses:
+        '200':
+          description: Sign receipt.
+          content:
+            application/json:
+              schema:
+                $ref: ./sign.receipt.schema.json
+        '400':
+          description: Invalid CLAS request.
+        '401':
+          description: Unauthorized signer or caller.
+        '422':
+          description: Semantic validation failure.
diff --git a/public/schemas/trust-verification/sign/sign.receipt.schema.json b/public/schemas/trust-verification/sign/sign.receipt.schema.json
new file mode 100644
index 0000000..22301de
--- /dev/null
+++ b/public/schemas/trust-verification/sign/sign.receipt.schema.json
@@ -0,0 +1,93 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://schemas.commandlayer.org/schemas/v1.0.0/trust/sign/sign.receipt.schema.json",
+  "title": "CLAS Trust Sign Receipt",
+  "description": "A signed receipt proving that a signing action was performed.",
+  "type": "object",
+  "additionalProperties": false,
+  "required": [
+    "version",
+    "family",
+    "verb",
+    "receipt_id",
+    "request",
+    "signature_result",
+    "ts",
+    "metadata"
+  ],
+  "properties": {
+    "version": {
+      "const": "1.0.0"
+    },
+    "family": {
+      "const": "trust"
+    },
+    "verb": {
+      "const": "sign"
+    },
+    "receipt_id": {
+      "type": "string",
+      "minLength": 1
+    },
+    "request": {
+      "$ref": "./sign.request.schema.json"
+    },
+    "signature_result": {
+      "type": "object",
+      "additionalProperties": false,
+      "required": [
+        "status",
+        "signature_alg",
+        "signature",
+        "key_id"
+      ],
+      "properties": {
+        "status": {
+          "type": "string",
+          "enum": [
+            "signed",
+            "refused",
+            "failed"
+          ]
+        },
+        "signature_alg": {
+          "const": "ed25519"
+        },
+        "signature": {
+          "type": "string",
+          "minLength": 16
+        },
+        "key_id": {
+          "type": "string",
+          "minLength": 1
+        },
+        "content_hash": {
+          "type": "string",
+          "pattern": "^sha256:[a-fA-F0-9]{64}$"
+        },
+        "reason": {
+          "type": "string"
+        }
+      }
+    },
+    "ts": {
+      "type": "string",
+      "format": "date-time"
+    },
+    "metadata": {
+      "type": "object",
+      "additionalProperties": false,
+      "required": [
+        "proof"
+      ],
+      "properties": {
+        "proof": {
+          "$ref": "../_shared/proof.schema.json"
+        },
+        "trace": {
+          "$ref": "../_shared/trace.schema.json"
+        }
+      }
+    }
+  }
+}
diff --git a/public/schemas/trust-verification/sign/sign.request.schema.json b/public/schemas/trust-verification/sign/sign.request.schema.json
new file mode 100644
index 0000000..576b3f8
--- /dev/null
+++ b/public/schemas/trust-verification/sign/sign.request.schema.json
@@ -0,0 +1,28 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://schemas.commandlayer.org/schemas/v1.0.0/trust/sign/sign.request.schema.json",
+  "title": "CLAS Trust Sign Request",
+  "description": "A request to cryptographically sign a payload, digest, artifact, or statement.",
+  "type": "object",
+  "additionalProperties": false,
+  "required": ["version", "family", "verb", "signer", "payload"],
+  "properties": {
+    "version": { "const": "1.0.0" },
+    "family": { "const": "trust" },
+    "verb": { "const": "sign" },
+    "signer": { "type": "string", "minLength": 1 },
+    "payload": {
+      "type": "object",
+      "additionalProperties": true,
+      "required": ["type"],
+      "properties": {
+        "type": { "type": "string", "enum": ["json", "text", "digest", "artifact", "receipt", "other"] },
+        "content": {},
+        "content_hash": { "type": "string", "pattern": "^sha256:[a-fA-F0-9]{64}$" },
+        "uri": { "type": "string" }
+      }
+    },
+    "purpose": { "type": "string" },
+    "context": { "type": "object", "additionalProperties": true }
+  }
+}
diff --git a/public/schemas/trust-verification/verify/examples/invalid.receipt.json b/public/schemas/trust-verification/verify/examples/invalid.receipt.json
new file mode 100644
index 0000000..78d4b3d
--- /dev/null
+++ b/public/schemas/trust-verification/verify/examples/invalid.receipt.json
@@ -0,0 +1,62 @@
+{
+  "version": "1.0.0",
+  "family": "trust",
+  "verb": "verify",
+  "receipt_id": "",
+  "request": {
+    "version": "1.0.0",
+    "family": "trust",
+    "verb": "verify",
+    "subject": {
+      "type": "execution_receipt",
+      "id": "exec-receipt-2026-05-10-001",
+      "uri": "cl://receipts/execution/exec-receipt-2026-05-10-001",
+      "content_hash": "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+    },
+    "verification_type": "signature",
+    "criteria": {
+      "required_signer": "runtime.commandlayer.eth",
+      "required_key_id": "cl-key-1",
+      "required_signature_alg": "ed25519"
+    },
+    "context": {
+      "environment": "prod-us-east-1",
+      "network": "base-mainnet",
+      "chain_id": 8453,
+      "tenant_id": "tenant-acme-prod",
+      "request_id": "req-verify-20260510-0001",
+      "correlation_id": "corr-trustflow-20260510-a1"
+    }
+  },
+  "result": {
+    "status": "verified",
+    "reason": "Signature, signer, and hash all matched policy.",
+    "checks": [
+      {
+        "name": "signature_valid",
+        "passed": true,
+        "detail": "ed25519 signature verified"
+      },
+      {
+        "name": "signer_allowed",
+        "passed": true,
+        "detail": "runtime.commandlayer.eth in trusted signer set"
+      }
+    ]
+  },
+  "ts": "2026-05-10T12:05:00Z",
+  "metadata": {
+    "proof": {
+      "canonicalization": "json.sorted_keys.v1",
+      "hash": {
+        "alg": "SHA-256",
+        "value": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+      },
+      "signature": {
+        "alg": "Ed25519",
+        "value": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd",
+        "kid": "cl-key-1"
+      }
+    }
+  }
+}
diff --git a/public/schemas/trust-verification/verify/examples/tampered.receipt.json b/public/schemas/trust-verification/verify/examples/tampered.receipt.json
new file mode 100644
index 0000000..38f4477
--- /dev/null
+++ b/public/schemas/trust-verification/verify/examples/tampered.receipt.json
@@ -0,0 +1,62 @@
+{
+  "version": "1.0.0",
+  "family": "trust",
+  "verb": "verify",
+  "receipt_id": "rcpt-verify-20260510-0001",
+  "request": {
+    "version": "1.0.0",
+    "family": "trust",
+    "verb": "verify",
+    "subject": {
+      "type": "execution_receipt",
+      "id": "exec-receipt-2026-05-10-001",
+      "uri": "cl://receipts/execution/exec-receipt-2026-05-10-001",
+      "content_hash": "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+    },
+    "verification_type": "signature",
+    "criteria": {
+      "required_signer": "runtime.commandlayer.eth",
+      "required_key_id": "cl-key-1",
+      "required_signature_alg": "ed25519"
+    },
+    "context": {
+      "environment": "prod-us-east-1",
+      "network": "base-mainnet",
+      "chain_id": 8453,
+      "tenant_id": "tenant-acme-prod",
+      "request_id": "req-verify-20260510-0001",
+      "correlation_id": "corr-trustflow-20260510-a1"
+    }
+  },
+  "result": {
+    "status": "unverified",
+    "reason": "Signature, signer, and hash all matched policy.",
+    "checks": [
+      {
+        "name": "signature_valid",
+        "passed": true,
+        "detail": "ed25519 signature verified"
+      },
+      {
+        "name": "signer_allowed",
+        "passed": true,
+        "detail": "runtime.commandlayer.eth in trusted signer set"
+      }
+    ]
+  },
+  "ts": "2026-05-10T12:05:00Z",
+  "metadata": {
+    "proof": {
+      "canonicalization": "json.sorted_keys.v1",
+      "hash": {
+        "alg": "SHA-256",
+        "value": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+      },
+      "signature": {
+        "alg": "Ed25519",
+        "value": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd",
+        "kid": "cl-key-1"
+      }
+    }
+  }
+}
diff --git a/public/schemas/trust-verification/verify/examples/valid.receipt.json b/public/schemas/trust-verification/verify/examples/valid.receipt.json
new file mode 100644
index 0000000..927c5fd
--- /dev/null
+++ b/public/schemas/trust-verification/verify/examples/valid.receipt.json
@@ -0,0 +1,62 @@
+{
+  "version": "1.0.0",
+  "family": "trust",
+  "verb": "verify",
+  "receipt_id": "rcpt-verify-20260510-0001",
+  "request": {
+    "version": "1.0.0",
+    "family": "trust",
+    "verb": "verify",
+    "subject": {
+      "type": "execution_receipt",
+      "id": "exec-receipt-2026-05-10-001",
+      "uri": "cl://receipts/execution/exec-receipt-2026-05-10-001",
+      "content_hash": "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+    },
+    "verification_type": "signature",
+    "criteria": {
+      "required_signer": "runtime.commandlayer.eth",
+      "required_key_id": "cl-key-1",
+      "required_signature_alg": "ed25519"
+    },
+    "context": {
+      "environment": "prod-us-east-1",
+      "network": "base-mainnet",
+      "chain_id": 8453,
+      "tenant_id": "tenant-acme-prod",
+      "request_id": "req-verify-20260510-0001",
+      "correlation_id": "corr-trustflow-20260510-a1"
+    }
+  },
+  "result": {
+    "status": "verified",
+    "reason": "Signature, signer, and hash all matched policy.",
+    "checks": [
+      {
+        "name": "signature_valid",
+        "passed": true,
+        "detail": "ed25519 signature verified"
+      },
+      {
+        "name": "signer_allowed",
+        "passed": true,
+        "detail": "runtime.commandlayer.eth in trusted signer set"
+      }
+    ]
+  },
+  "ts": "2026-05-10T12:05:00Z",
+  "metadata": {
+    "proof": {
+      "canonicalization": "json.sorted_keys.v1",
+      "hash": {
+        "alg": "SHA-256",
+        "value": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+      },
+      "signature": {
+        "alg": "Ed25519",
+        "value": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd",
+        "kid": "cl-key-1"
+      }
+    }
+  }
+}
diff --git a/public/schemas/trust-verification/verify/examples/valid.request.json b/public/schemas/trust-verification/verify/examples/valid.request.json
new file mode 100644
index 0000000..40f9425
--- /dev/null
+++ b/public/schemas/trust-verification/verify/examples/valid.request.json
@@ -0,0 +1,25 @@
+{
+  "version": "1.0.0",
+  "family": "trust",
+  "verb": "verify",
+  "subject": {
+    "type": "execution_receipt",
+    "id": "exec-receipt-2026-05-10-001",
+    "uri": "cl://receipts/execution/exec-receipt-2026-05-10-001",
+    "content_hash": "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+  },
+  "verification_type": "signature",
+  "criteria": {
+    "required_signer": "runtime.commandlayer.eth",
+    "required_key_id": "cl-key-1",
+    "required_signature_alg": "ed25519"
+  },
+  "context": {
+    "environment": "prod-us-east-1",
+    "network": "base-mainnet",
+    "chain_id": 8453,
+    "tenant_id": "tenant-acme-prod",
+    "request_id": "req-verify-20260510-0001",
+    "correlation_id": "corr-trustflow-20260510-a1"
+  }
+}
diff --git a/public/schemas/trust-verification/verify/verify.mcp.tool.schema.json b/public/schemas/trust-verification/verify/verify.mcp.tool.schema.json
new file mode 100644
index 0000000..2b77957
--- /dev/null
+++ b/public/schemas/trust-verification/verify/verify.mcp.tool.schema.json
@@ -0,0 +1,18 @@
+{
+  "name": "clas_trust_verify",
+  "title": "CLAS Trust Verify",
+  "description": "Verify a claim, artifact, receipt, credential, identity, or action. Successful execution returns a CLAS verify receipt.",
+  "inputSchema": {
+    "$ref": "./verify.request.schema.json"
+  },
+  "outputSchema": {
+    "$ref": "./verify.receipt.schema.json",
+    "description": "CLAS verify receipt returned when verification execution succeeds."
+  },
+  "annotations": {
+    "readOnlyHint": true,
+    "destructiveHint": false,
+    "idempotentHint": true,
+    "openWorldHint": true
+  }
+}
diff --git a/public/schemas/trust-verification/verify/verify.openapi.yaml b/public/schemas/trust-verification/verify/verify.openapi.yaml
new file mode 100644
index 0000000..5ac144e
--- /dev/null
+++ b/public/schemas/trust-verification/verify/verify.openapi.yaml
@@ -0,0 +1,28 @@
+openapi: 3.1.0
+info:
+  title: CLAS Trust Verification Verify API
+  version: 1.0.0
+paths:
+  /v1/trust-verification/verify:
+    post:
+      operationId: verifyTrustVerificationAction
+      description: Verify a subject, proof, receipt, signature, artifact, claim, or workflow result.
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              $ref: ./verify.request.schema.json
+      responses:
+        '200':
+          description: Verification receipt.
+          content:
+            application/json:
+              schema:
+                $ref: ./verify.receipt.schema.json
+        '400':
+          description: Invalid CLAS request.
+        '401':
+          description: Unauthorized signer or caller.
+        '422':
+          description: Semantic validation failure.
diff --git a/public/schemas/trust-verification/verify/verify.receipt.schema.json b/public/schemas/trust-verification/verify/verify.receipt.schema.json
new file mode 100644
index 0000000..081cd95
--- /dev/null
+++ b/public/schemas/trust-verification/verify/verify.receipt.schema.json
@@ -0,0 +1,98 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://schemas.commandlayer.org/schemas/v1.0.0/trust/verify/verify.receipt.schema.json",
+  "title": "CLAS Trust Verify Receipt",
+  "description": "A signed receipt proving that a verification action was performed.",
+  "type": "object",
+  "additionalProperties": false,
+  "required": [
+    "version",
+    "family",
+    "verb",
+    "receipt_id",
+    "request",
+    "result",
+    "ts",
+    "metadata"
+  ],
+  "properties": {
+    "version": {
+      "const": "1.0.0"
+    },
+    "family": {
+      "const": "trust"
+    },
+    "verb": {
+      "const": "verify"
+    },
+    "receipt_id": {
+      "type": "string",
+      "minLength": 1
+    },
+    "request": {
+      "$ref": "./verify.request.schema.json"
+    },
+    "result": {
+      "type": "object",
+      "additionalProperties": false,
+      "required": [
+        "status"
+      ],
+      "properties": {
+        "status": {
+          "type": "string",
+          "enum": [
+            "verified",
+            "unverified",
+            "invalid",
+            "inconclusive"
+          ]
+        },
+        "reason": {
+          "type": "string"
+        },
+        "checks": {
+          "type": "array",
+          "items": {
+            "type": "object",
+            "additionalProperties": false,
+            "required": [
+              "name",
+              "passed"
+            ],
+            "properties": {
+              "name": {
+                "type": "string"
+              },
+              "passed": {
+                "type": "boolean"
+              },
+              "detail": {
+                "type": "string"
+              }
+            }
+          }
+        }
+      }
+    },
+    "ts": {
+      "type": "string",
+      "format": "date-time"
+    },
+    "metadata": {
+      "type": "object",
+      "additionalProperties": false,
+      "required": [
+        "proof"
+      ],
+      "properties": {
+        "proof": {
+          "$ref": "../_shared/proof.schema.json"
+        },
+        "trace": {
+          "$ref": "../_shared/trace.schema.json"
+        }
+      }
+    }
+  }
+}
diff --git a/public/schemas/trust-verification/verify/verify.request.schema.json b/public/schemas/trust-verification/verify/verify.request.schema.json
new file mode 100644
index 0000000..dda87a6
--- /dev/null
+++ b/public/schemas/trust-verification/verify/verify.request.schema.json
@@ -0,0 +1,39 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://schemas.commandlayer.org/schemas/v1.0.0/trust/verify/verify.request.schema.json",
+  "title": "CLAS Trust Verify Request",
+  "description": "A request to verify a claim, artifact, receipt, credential, identity, or action.",
+  "type": "object",
+  "additionalProperties": false,
+  "required": ["version", "family", "verb", "subject", "verification_type"],
+  "properties": {
+    "version": { "const": "1.0.0" },
+    "family": { "const": "trust" },
+    "verb": { "const": "verify" },
+    "subject": {
+      "type": "object",
+      "description": "The thing being verified.",
+      "additionalProperties": true,
+      "required": ["type", "id"],
+      "properties": {
+        "type": { "type": "string", "minLength": 1 },
+        "id": { "type": "string", "minLength": 1 },
+        "content_hash": { "type": "string", "pattern": "^sha256:[a-fA-F0-9]{64}$" },
+        "uri": { "type": "string" }
+      }
+    },
+    "verification_type": {
+      "type": "string",
+      "enum": ["signature", "identity", "receipt", "credential", "claim", "artifact", "policy", "other"]
+    },
+    "criteria": {
+      "type": "object",
+      "description": "Verification criteria or policy requirements.",
+      "additionalProperties": true
+    },
+    "context": {
+      "type": "object",
+      "additionalProperties": true
+    }
+  }
+}
diff --git a/scripts/sync-clas-schemas.sh b/scripts/sync-clas-schemas.sh
new file mode 100755
index 0000000..3eb3693
--- /dev/null
+++ b/scripts/sync-clas-schemas.sh
@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+SRC_ROOT="${1:-../clas/schemas/trust-verification}"
+DEST_ROOT="${2:-public/schemas/trust-verification}"
+
+if [[ ! -d "$SRC_ROOT" ]]; then
+  echo "Source directory not found: $SRC_ROOT" >&2
+  exit 1
+fi
+
+mkdir -p "$(dirname "$DEST_ROOT")"
+rm -rf "$DEST_ROOT"
+mkdir -p "$DEST_ROOT"
+
+cp -a "$SRC_ROOT"/. "$DEST_ROOT"/
+
+echo "Synced CLAS trust-verification schemas"
+echo "Source: $SRC_ROOT"
+echo "Destination: $DEST_ROOT"
+find "$DEST_ROOT" -type f | sort