
Quickstart

AgentTrust in 60 seconds. Install the MCP server into Claude Desktop, create a policy, run a gate-decision simulation. No clone, no Anchor build.

Sixty seconds, three steps, one MCP server. By the end you have a real PolicyAccount PDA on devnet and a decoded gate_payment decision in your chat client. No clone, no Anchor build, no local validator.

1. Install the MCP server into Claude Desktop

Drop this block into ~/Library/Application Support/Claude/claude_desktop_config.json on macOS, or %APPDATA%\Claude\claude_desktop_config.json on Windows:

{
  "mcpServers": {
    "agenttrust": {
      "command": "npx",
      "args": ["-y", "@agenttrust-sdk/mcp"],
      "env": {
        "RPC_URL": "https://api.devnet.solana.com",
        "NETWORK": "solana-devnet"
      }
    }
  }
}

Restart Claude Desktop. Twenty-one tools are now wired in. Ten read-only tools work immediately on devnet with zero credentials. The eight write tools resolve a signer by trying, in order, KEYPAIR_B58, then KEYPAIR_PATH, then ~/.config/solana/id.json, then SOLANA_KEYPAIR_PATH, and use the first one that parses. If you already use solana-keygen, the default id.json is picked up automatically and no env var is needed.

2. Create a policy

Ask Claude Desktop, in plain English:

Use agenttrust_init_policy to create policy 1 for my agent. Enable Spending (bitmask 2) with a per-transaction max of 1 USDC.

agenttrust_init_policy is the single bootstrap call. On a fresh wallet — omit agent_asset and the tool generates a fresh identity for you — it self-heals three missing accounts in the same atomic transaction before initialising the policy:

  1. A fresh agent identity (MPL Core asset) is minted by Quantu and returned to you as agentAsset in the tool output. Your wallet pays for it and signs the bootstrap tx, but never ends up being the agent_asset itself — Quantu's agent_registry_8004 issues a brand-new asset Keypair internally, ephemeral, used exactly once to sign the register_with_options CPI and then discarded. The fresh agent_account plus atom_stats PDA are chained through TrustGate's register_agent_via_cpi, without your wallet ever learning Quantu's instruction names.
  2. The AgentTrust PolicyAuthority PDA, via init_authority (single member = your signer, threshold = 1).
  3. The AgentTrust KillSwitchState PDA, via init_killswitch. Without this prepend, a fresh agent's first simulate_payment would hit Anchor error 3012.

Then the policy itself plus a VelocityLedger. Four on-chain account creations and the new policy, one signed transaction. You never see Anchor error 3012 and you never run a bootstrap script. Spending caps also default sanely: when at least one cap is set, unspecified peer caps default to the max of the specified caps rather than zero, so v1 policies (immutable post-init) cannot accidentally hard-deny every payment.

Output:
  txSignature:        4n8…ZxR
  explorerTxUrl:      https://explorer.solana.com/tx/4n8…ZxR?cluster=devnet
  agentAsset:         8Hv…q2P
  agentAssetExplorer: https://explorer.solana.com/address/8Hv…q2P?cluster=devnet
  policyPda:          9aF…tNm
  policyExplorer:     https://explorer.solana.com/address/9aF…tNm?cluster=devnet
  velocityPda:        sTw…YZD
  velocityExplorer:   https://explorer.solana.com/address/sTw…YZD?cluster=devnet
  effectiveSpending:  { perTxMax: "1000000", dailyMax: "1000000", weeklyMax: "1000000" }
  selfHealed:         true
  healedSteps:        ["register_agent_via_cpi", "init_authority", "init_killswitch"]

Open the explorerTxUrl to see all four account creations and the policy init in one tx. A second run of the same tool on the same wallet returns healedSteps: []. The self-heal is idempotent because Quantu's register_with_options, the AgentTrust init_authority, and init_killswitch all fail at their init constraints once the PDAs exist, and the tool's pre-flight check skips the prepend.

3. Run a gate-decision simulation

Now ask:

Use agenttrust_simulate_payment to gate a 5-USDC payment from my agent to the tier-0 demo agent against policy 1. What does the gate decide?

agenttrust_simulate_payment is read-only. It calls the on-chain gate_payment instruction in simulate mode and decodes the GateDecision return value: Allow, Deny with a stable reason code (1 through 15), or RequireValidation with the 32-byte capability hash. This is the same call path the Express service's POST /verify route uses for the real x402 v2 challenge.

Claude resolves "my agent" against your signer wallet — the same pubkey that was bootstrapped in step 2. The tier-0 demo payee comes from agenttrust_demo_state, which exposes three pre-seeded counterparties (tier 0, 1, 3) the simulator can reach without any extra setup.

Output:
  kind:       "Deny"
  reasonCode: 5
  reasonName: "SpendingPerTxExceeded"

The gate denied the payment because 5 USDC exceeds the 1 USDC per-tx cap you set in step 2 on policy 1. Drop the amount to 0.5 USDC and ask again. The decision flips to Allow. You have just exercised the full PolicyVault decision path on devnet from a chat prompt — against the policy you created two prompts ago.

Two MCP surfaces

AgentTrust ships two MCP surfaces. They serve different purposes — pick the one that matches what you're doing:

Surface: Local install — npx -y @agenttrust-sdk/mcp@latest
  Tools:      21 (10 read + 8 write + 3 discovery)
  Signs with: Your keypair (layered chain: KEYPAIR_B58, then KEYPAIR_PATH, then ~/.config/solana/id.json)
  Use for:    Building with AgentTrust. Creating policies, attesting capabilities, emitting feedback. Your keypair stays on your machine; you own every PDA you create.

Surface: Hosted — mcp.agenttrust.tech
  Tools:      13 (10 read + 3 discovery)
  Signs with: Nothing — no shared signer by design
  Use for:    Discovery, inspection, reputation lookups, docs search, demo state browsing. Anything that doesn't require a transaction signature.

The hosted MCP is read-only by design, not by accident. A shared signer would mean every user's on-chain identity is owned by the operator — that's a security model, not a UX shortcut. If you want to call a write tool, install locally. The same Claude Code / Cursor config block works for both — just swap the transport.

Wallet-adapter relay for hosted writes (OAuth + per-session unsigned-tx return + wallet-UI signing) is on the v1.x roadmap, not 0.4.x.

Where to next

Sixty seconds is enough to feel the shape. The deeper paths:
