11 changes: 7 additions & 4 deletions profile/README.md
Expand Up @@ -18,6 +18,8 @@ The specifications, SDKs, and conformance tests are free and open. Begin in soft
[![AAIF](https://img.shields.io/badge/Targeting-AAIF_%2F_Linux_Foundation-6366f1)](https://agenticai.foundation)
[![CC Summit](https://img.shields.io/badge/Launching-CC_Summit_Jun_23_2026-7c3aed)](https://confidentialcomputingsummit.com)

> **The 2-minute version:** [technical one-pager](technical-one-pager.md).

## Projects

| Project | Description | License | Status |
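Review bot: the new `[technical one-pager](technical-one-pager.md)` link is relative, and this README lives in `profile/`, which GitHub also renders on the organization's profile page outside the repository tree; please confirm the link resolves from both render locations before merge, and consider linking the full path under the `.github` repository if it does not. Separately, the summit date now appears both in the badge above ("CC_Summit_Jun_23_2026") and in the one-pager's header; keep the two in sync if either changes.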
Expand Down Expand Up @@ -61,9 +63,9 @@ To get involved, open a [GitHub Discussion](https://github.com/orgs/agentrust-io

## Zero-Trust Framework Alignment

agentrust-io is our proposed **reference architecture for zero-trust agentic AI.** The Anthropic *Zero-Trust for AI Agents* eBook (May 2026) adapts NIST SP 800-207 to agentic systems, calling for continuous verification at six layers: agent identity and authentication, supply chain security, MCP and tool security, policy enforcement and governance, multi-agent coordination, and detection and response. This section maps each layer to the agentrust-io stack and names the gaps honestly.
agentrust-io is our proposed **reference architecture for zero-trust agentic AI.** The Anthropic *Zero-Trust for AI Agents* eBook (May 2026) adapts NIST SP 800-207 to agentic systems. We map our stack to six verification areas drawn from it — agent identity and authentication, supply chain security, MCP and tool security, policy enforcement and governance, multi-agent coordination, and detection and responseand name the gaps honestly.

The core argument in that document: traditional perimeter security fails for AI agents because a signed JWT proves *who called an API*, not *what agent made the call*, *which system prompt was active*, *which model version ran*, or *under which policy it was operating*. That is the problem this org was built to solve.
The eBook's core point on identity: agent identity must be cryptographically rooted, because a label is trivial to forge — perimeter authentication alone cannot secure an autonomous agent. The sharper framing, and the gap this org was built to close: a signed JWT proves *who called an API*, not *what agent made the call*, *which system prompt was active*, *which model version ran*, or *under which policy it was operating*.

### Agent Identity: closing the attestation gap

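Review bot: the rewritten "agentrust-io is our proposed **reference architecture**" paragraph has a missing separator, "detection and responseand name the gaps honestly", where the closing dash that pairs with the opening one before "agent identity" was dropped; it should read "detection and response — and name the gaps honestly". Note also that the wording moves from the eBook "calling for continuous verification at six layers" to "six verification areas drawn from it", which is a weaker attribution; if the six areas are the eBook's own taxonomy, say so, and if they are this project's grouping, the new wording is the right one.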
Expand Down Expand Up @@ -136,10 +138,11 @@ The eBook calls for policy at four layers (model, agent, tool, request) with fle
| EAR (draft-ietf-rats-ar4si) | Verifier appraisal output |
| MCP / A2A | Agent tool-call transcript surface |
| AIBOM (SPDX 3.0 / CycloneDX 1.7) | Model component inventory |
| CBOM (CycloneDX) | Cryptographic bill of materials — crypto libraries/algorithms in use (post-quantum readiness) |

**[TRACE Registry](https://github.com/agentrust-io/trace-registry)** is the public append-only Merkle registry of TRACE claim anchors. The GitHub mirror exists so any party can verify anchors independently. Git's immutable commit history is the tamper-evident proof.

**AGT (Agent Governance Toolkit)** ([microsoft/agent-governance-toolkit](https://github.com/microsoft/agent-governance-toolkit), created by Imran Siddique (Chief Platform Officer, OPAQUE) while at Microsoft and released under the MIT license) provides the runtime governance layer: trust score decay (a score at deployment is meaningless six months later), the VADP delegation protocol (scope-narrowing agent-to-agent delegation with verifiable credentials), and a fleet daemon for multi-agent orchestration.
**AGT (Agent Governance Toolkit)** ([microsoft/agent-governance-toolkit](https://github.com/microsoft/agent-governance-toolkit), created by Imran Siddique (Chief Platform Officer, OPAQUE) while at Microsoft and released under the MIT license — 4,250+ stars, 10/10 OWASP Agentic Top 10) provides the runtime governance layer: trust score decay (a score at deployment is meaningless six months later), scope-chain delegation (monotonic narrowing: agent-to-agent delegation with verifiable credentials), and a fleet daemon for multi-agent orchestration.

### Multi-Agent Coordination Governance

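Review bot: the added "4,250+ stars, 10/10 OWASP Agentic Top 10" in the AGT paragraph is a point-in-time figure that will go stale in a README, and the same number is repeated in the one-pager added in this PR, so two places now need updating; since the page already uses shields.io badges, a live star badge would avoid the drift, and the OWASP coverage claim should link to the mapping that backs it. The rename from "the VADP delegation protocol" to "scope-chain delegation (monotonic narrowing)" should be checked against any remaining "VADP" references outside this hunk.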
Expand All @@ -157,7 +160,7 @@ Multi-agent architecture compounds it: an orchestrator delegates to sub-agents,

This is the layer the **Anthropic *Zero-Trust for AI Agents*** framework calls for: authentication of agent-to-agent communication, RBAC for agent hierarchies, consensus for high-stakes decisions; and where the stack enforces it:

- **Agent Manifest artifact #8 (A2A delegation)** binds the full agent-to-agent trust chain into the signed manifest. A delegated scope can never exceed the orchestrator's own attested permissions; orchestrator spoofing and scope laundering are structurally prevented. AGT's VADP supplies the mechanism: scope-narrowing delegation with verifiable credentials.
- **Agent Manifest artifact #8 (A2A delegation)** binds the full agent-to-agent trust chain into the signed manifest. A delegated scope can never exceed the orchestrator's own attested permissions; orchestrator spoofing and scope laundering are structurally prevented. AGT supplies the mechanism: scope-chain delegation (monotonic narrowing) with verifiable credentials.
- **TRACE** records each agent's actions as a hashed, counted `tool_transcript`, so the full interaction graph of a multi-agent run can be reconstructed and proven after the fact.

Once every agent carries attested proof of *what it is* and emits verifiable evidence of *what it did*.
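Review bot: "scope-chain delegation (monotonic narrowing)" now appears here, in the AGT paragraph above, and twice in the one-pager, but the README never says what monotonic narrowing means; define it once (for example, "each delegated scope is a subset of the delegator's own scope, so permissions can only shrink along the chain") and drop the parenthetical elsewhere. Relatedly, "orchestrator spoofing and scope laundering are structurally prevented" describes what a verifier can reject when it checks the signed manifest; stating which component performs that subset check would make the claim concrete rather than absolute.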
42 changes: 42 additions & 0 deletions profile/technical-one-pager.md
@@ -0,0 +1,42 @@
# agentrust-io — Technical One-Pager

> **The open, verifiable trust layer for agentic AI.**
> Developer preview / open RFC · public launch at the **Confidential Computing Summit, June 23 2026** · [github.com/agentrust-io](https://github.com/agentrust-io)

## The attestation gap

Anthropic's [*Zero-Trust for AI Agents*](https://claude.com/blog/zero-trust-for-ai-agents) (May 2026) named the problem and pointed the direction: agent identity has to be **cryptographically rooted** — a label is trivial to forge — and perimeter tokens alone can't secure an autonomous agent. Here's the gap that leaves: a signed JWT proves *who* called an API, not *what* agent made the call, *which* system prompt was active, *which* model version ran, or *under which* policy. **agentrust-io is the open implementation built to close it.** It lets agents run on regulated, proprietary, and sovereign data with evidence the builder can verify directly — and any auditor, customer, or regulator can independently confirm, without trusting the operator. It replaces "guardrails that will *probably* catch it, and observability that will *probably* flag it after the fact" with independently verifiable proof.

## Built on proven foundations

agentrust-io stands on two things that already exist and work.

**1 · Policy — the Agent Governance Toolkit (AGT).** Created by Imran Siddique (now OPAQUE's Chief Platform Officer) at Microsoft and open-sourced under MIT: 4,250+ stars, 590+ forks since its April 2026 public launch; 10/10 OWASP Agentic Top 10 coverage; ships trust-score decay, scope-chain delegation (monotonic narrowing), and a multi-agent fleet daemon; now being considered by AAIF for standardization.

**2 · Enforcement — a confidential runtime, pluggable by design.** The policy bundle is sealed and measured inside a TEE on the confidential-computing silicon you already operate — Intel TDX, AMD SEV-SNP, NVIDIA CC, or TPM. The OPAQUE Confidential AI is the hardware-rooted, managed reference implementation; an operator can bring its own.

agentrust-io doesn't reinvent governance — it makes AGT's policy **provable** by binding it to a hardware-attested confidential runtime. A policy decision isn't just enforced; it's evidenced.

## How it works

Three components, composing standards you already trust (MCP, A2A, SPIFFE, SLSA, Cedar, RATS/EAT; aligned to NIST SP 800-207):

| Component | Role |
|---|---|
| **Agent Manifest** — deploy-time integrity | The agent's complete signed definition — far more than identity. Binds the 10 artifacts (system prompt, policy bundle, tool manifest, model identity, RAG corpus, memory baseline, decision trace, A2A delegation, supply-chain provenance, HITL approvals) into one hardware-attestable document, so a modified agent can't pass as the one you approved. |
| **cMCP** — Confidential MCP Runtime | Runs inside the confidential runtime. Every MCP tool call is evaluated against a Cedar policy bundle inside a TEE; the policy-bundle hash is measured into the hardware attestation report before any code runs. A swapped policy or a CVE in the evaluator is structurally detectable — not just prohibited. |
| **TRACE** — the portable record | The signed envelope that binds every other standard's evidence into one verifiable record (see below). |

The stack runs at one of four conformance levels (L0–L3): software-only → TEE-attested → full-stack / regulated (DORA, EU AI Act) → post-quantum (ML-DSA-65) for sovereign and classified deployments.

## TRACE — the envelope that ties it together

TRACE (Trust Runtime Attestation and Compliance Evidence) is the portable governance record at the center of the stack: a single attestation envelope (EAT/JWT, per the IETF RATS model) that **carries the other standards' evidence** — build provenance (SLSA), workload identity (SPIFFE SVID), model inventory (AIBOM), a cryptographic bill of materials (CBOM — the crypto libraries and algorithms in use), and the agent's tool-call transcript — cryptographically bound and anchored in an append-only transparency log. One verifiable record that proves **what an agent was** and **what it did**, reconstructable after the fact and confirmable by a party with no reason to trust the operator. Open spec; we intend to submit it to AAIF.

## About OPAQUE

OPAQUE is the Confidential AI company. Born from UC Berkeley's RISELab (now the Sky Compute Lab), OPAQUE lets organizations run AI models, agents, and workflows on their most sensitive data with hardware-rooted isolation and verifiable evidence that approved governance policies were enforced. Founded by Dr. Ion Stoica (co-founder of Databricks; co-director, UC Berkeley Sky Compute Lab), Dr. Raluca Ada Popa (ACM Grace Hopper Award winner; Senior Staff Research Scientist at Google DeepMind, where she leads AGI security research), and Rishabh Poddar (CTO). Aaron Fulkerson is Chief Executive Officer, and Imran Siddique, creator of the open-source Agent Governance Toolkit (AGT), is Chief Platform Officer. OPAQUE created the Confidential Computing Summit, now co-hosted with the Linux Foundation.

---

Questions or to get involved: [GitHub Discussions](https://github.com/orgs/agentrust-io/discussions) · back to the [org overview](README.md).
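Review bot: in "Enforcement — a confidential runtime", the sentence "The policy bundle is sealed and measured inside a TEE on ... Intel TDX, AMD SEV-SNP, NVIDIA CC, or TPM" lists a TPM alongside TEEs, but a TPM measures and attests a platform's boot and software state; it does not provide an isolated execution environment in which the Cedar evaluator runs, so "sealed and measured inside a TEE ... or TPM" conflates two different trust roots; suggest "inside a TEE (Intel TDX, AMD SEV-SNP, NVIDIA CC) or measured via TPM for non-TEE hosts", with the matching conformance level noted. In the cMCP row, "A swapped policy or a CVE in the evaluator is structurally detectable" holds for the policy only as written: the text says the policy-bundle hash is measured, while detecting a vulnerable evaluator requires the evaluator's own measurement to be in the report and compared against a known-good or known-vulnerable list by the verifier, so either state that the evaluator is measured too or narrow the claim. The "4,250+ stars, 590+ forks" figures duplicate the README and will date quickly.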