Platform capabilities
What's live on Graunt.
Every capability on this page is operational on the marketplace today. If it isn't listed here, Graunt doesn't offer it.
Live capabilities
-
Access decision service
Single primary access gate for entitled access.
-
Receipts audit grade
14-kind append-only audit-grade receipt chain.
-
Deliveries first class
First-class delivery artifact per entitled access event.
-
Output rights snapshot
Per-listing declarative output-rights with frozen-at-checkout snapshot.
-
Publication trust pipeline v0
Deterministic publication trust pipeline runs automatically when a listing enters review and produces a public_status plus seller_next_action. Eligible candidates publish through the canonical publication gate; listings with missing or fixable items receive a seller fix list; listings the pipeline could not verify are reviewed manually before publication.
-
Publication auto approve low risk
Auto-publication is live for eligible listings: deterministic publication checks run automatically on submission and eligible candidates publish through the canonical publication gate. Manual review is retained for escalations.
-
Query licensing v0
Query Licensing v0 with STUB_VERIFIER and bounded answer hashing.
-
Live verifier LLM
Live LLM-backed query-license verifier. POST /v1/query/ask dispatches to the live verifier when the operator flag is enabled; the stub verifier remains a runtime fallback. Receipts carry the required verification sentence verbatim; the verifier does not certify semantic truth.
-
Splice row
ROW_SPLICE — row-level rights-aware sub-product carve-out.
-
Splice jurisdiction
JURISDICTION_SPLICE — geo-scoped sub-product carve-out.
-
Splice answer context
ANSWER_CONTEXT_SPLICE — answer-context derived sub-product.
-
MCP transport live
Live MCP server transport for agent integrations. GET /v1/mcp/server-info and POST /v1/mcp/messages (JSON-RPC 2.0). Authenticated agents using a buyer-organization credential or a scoped grnt_agent_* credential can discover listings, read agent commerce manifests, inspect capability state, and run preflight quotes. Stateless v0; mutating commerce operations route through the canonical /v1/agents/* HTTP path.
-
Proof hash only
HASH_ONLY proof kind for receipts.
-
Starter supply marketplace
Starter AI/workflow packet categories, collection pages, Studio helper copy, and agent-readable listing filters are available for reviewed listings. Publication remains review-gated; empty collections may appear until supply is approved.
-
Verified provider tier
Graunt-reviewed provider tiers, provider profiles, listing badges, and provider-term visibility are available for marketplace listings. Provider tiers reflect Graunt review state and do not imply external identity verification unless separately stated with evidence.
-
Marketplace discovery canonical
Canonical marketplace routes (/explore, /sell, /api-agents, /trust), preserved compatibility 301 redirects from legacy routes (/catalog, /sellers, /agents, /trust-and-safety), aligned agent-readable discovery metadata (OpenAPI route examples + /llms.txt + JSON-LD canonical URL fields), and refreshed nav/footer canonical links. Older public URLs continue to resolve via tested compatibility redirects.
-
Refinery validator v0
Deterministic refinery packet validator v0 is callable at POST /v1/refinery/validate. Validates packet manifests against the universal-packet-contract envelope (Presence + Validation + Coherence). No LLM, no external network. Emits DRAFT, PUBLISH_BLOCKED, PASSED_WITH_NOTES, or PASSED.
-
Refinery candidate intake
Authenticated seller-or-both organizations can submit private refinery candidates via POST /v1/refinery/candidates and import validator-passing packets via POST /v1/refinery/import (bypassing the refinery-imposed price floor via the typed refinery_imports record). Candidates are stored under a restricted S3 prefix and NEVER appear in /v1/listings, search, /llms.txt, OpenAPI, or any agent surface. Cross-org GET returns 404.
-
Refinery compiler foundation
Sellers can register private source artifacts (POST /v1/refinery/artifacts), run private deterministic compiler jobs over them (POST /v1/refinery/jobs) with a recorded step trace, and read the public source-type support matrix (GET /v1/refinery/policies/public-support-matrix). Artifacts and jobs are organization-scoped and never appear in /v1/listings, search, /llms.txt, OpenAPI public discovery, or any agent surface; cross-org GET returns 404. The job trace demonstrates a two-role pipeline (a maker step that generates and a checker step that reviews and corrects), and every provider step records which provider and model performed it for display. A provider matrix registers deterministic + fake providers ENABLED, with the external model providers (OpenAI, Anthropic, xAI) registered for the maker, checker, and listing-suggestion roles but CONFIGURED_NOT_ACTIVE: each carries only an SSM credential-store reference and no stored value, and an admin-editable per-provider prompt template (no value at v0). The compiler runs a deterministic path; external model calls are governed by a separate activation gate.
-
Refinery live model calls
Triple-gated runner for live LLM provider calls (an operator env flag + enabled DB provider status + a resolvable credential + a per-call kill switch + a per-call cost cap). Wired into deterministic job step persistence so every refinery model call flows through the triple gate. Refinery Budget isolation preserved.
-
Agent meta requirement groups
Public read-only discovery of the composable packet requirement groups (SAFE-only projection) at GET /v1/meta/requirement-groups. Registry-derived; no DB; PROTECTED/internal requirement fields are never exposed.
-
Agent meta content profiles
Public read-only discovery of registered content profiles (the validator-passable packet kinds, families, and required requirement groups) at GET /v1/meta/content-profiles. Registry/canon-derived; no DB.
-
Agent meta constitution
Public read-only discovery of the ratified Packet Constitution version (constitution_version) at GET /v1/meta/constitution. Canon-derived; no DB.
-
Agent meta refinery policy
Public read-only disclosure of the Refinery access posture (launch free seed, micro-free threshold, content-integrity profiles, model-assist posture, and the reserved/not-active charging state) at GET /v1/meta/refinery-policy. Config-driven (single active policy row); SAFE projection only — no abuse thresholds, provider internals, or per-account usage. Live paid Refinery processing is not active.
-
Agent meta refinery support matrix
Public read-only thin re-export of the canonical Refinery support matrix at GET /v1/meta/refinery-support-matrix. Same body as GET /v1/refinery/policies/public-support-matrix; surfaced under /v1/meta/ so agents discover the matrix alongside the other agent-readable meta endpoints. Registry-derived; deterministic; no DB.
-
Agent commerce manifest
Public per-listing strict-Zod machine-readable view of an ACTIVE listing's commerce surface at GET /v1/listings/{id}/agent-commerce-manifest. Returns rights snapshot, eligible SKUs, payment channels with truthful capability_status (STRIPE_PAYMENT_INTENT LIVE; BASE_X402_USDC RESERVED for the x402 corridor), agent capability endpoints with per-credential rate limits, discovery_signals, publication metadata summary, freshness, refund policy summary (final-except-fraud), and terms/manifest/constitution versions. No internal/PROTECTED fields, no Stripe ids, no presigned URLs. cache-control: public, max-age=60. 404 on cross-org / non-ACTIVE / non-existent listing.
-
Tiered discovery v1
Deterministic four-stage tier-filter classifier (Stage 1 hard rights / Stage 2 capability match / Stage 3 source quality / Stage 4 textual relevance). Stage 1-3 are hard WHERE-predicate filters; only Stage 4 ranks (existing ts_rank_cd * title_coef). Surfaced via three new hard filters on GET /v1/listings (rights_compatible_with, agent_capability_match, source_quality_min) and per-result discovery_signals block. GET /v1/meta/search-contract returns schema_version 3 with tier_filter_groups (each is_multiplier: false) + agent_commerce_manifest_endpoint + discovery_signals_schema_version '-v1'.
-
Refinery budget refunds v0
Refinery Budget refund / dispute automation v0. The metadata.charge_kind="refinery_budget" branch of the existing refund.* + charge.dispute.* webhook handlers updates refinery_budget_charges only. Marketplace purchase rows, payout_splits, commercial_terms, transfer_data, and application_fee_amount are NEVER mutated by this path.
-
Multi provider activation substrate
Multi-provider activation substrate is shipped. /v1/meta/refinery-policy reports per-provider activation status (CONFIGURED_NOT_ACTIVE / ENABLED) for anthropic, openai, xai. Per-provider LIVE flip (POST /v1/admin/refinery/providers/:id/enable) is an operator activation step requiring SSM credential population + an ECS env flip.
-
Reconcile authority production gate
Production entitlement reconciliation authority gate. In NODE_ENV=production, POST /v1/admin/purchases/:id/reconcile-entitlement with dry_run=false REQUIRES X-Reconcile-Authority (HMAC-signed) header. Local HMAC issuer at scripts/operator/issue-reconcile-token.mjs; raw token is NEVER logged; SHA-256 token hash IS recorded in the audit payload.
-
Stripe reconstruction candidates read
Admin read-only Stripe reconstruction-candidates discovery at GET /v1/admin/stripe/reconstruction-candidates. Surfaces Stripe objects (payment_intent / charge / refund / dispute) without a matching local row in purchases OR refinery_budget_charges. Read-only: NEVER calls completePurchase, NEVER mutates entitlements / receipts / payout_splits / accounting_events. Response carries only redacted Stripe id prefixes (pi_*** / ch_*** / re_*** / dp_***) + bounded presence booleans + closed-enum suggested_action.
-
Controlled splice bundles v0
Controlled splice bundles deliver only the source files required to support the selected result, plus the relevant markdown and JSON sidecars. Caller must hold an ACTIVE FULL entitlement bound to the listing's packet bundle revision. Preflight runs deterministically before the build is enqueued. Generated archives are TTL'd; manifest, sidecar manifest, and source originals remain canonical.
-
Subscription working sets v0
Bounded subscription working sets (32 files / 256 MiB / 7-day default TTL) pinned to an active entitlement and optionally to an organization_subscription. Revocation of the bound subscription revokes the working set. Source originals are untouched; only the working-set row + generated archive are affected.
-
Source context receipts v0
Source-context review and source-enrichment receipts are informational, append-only, and never a publish gate. Deterministic + Fake adapters only at v0; live LLM / web enrichment paths are gated by a separate decision and the refinery triple gate.
-
Access pass delegated
Scoped Access Passes are live. Buyers can create a read-only revocable pass (7-day, 30-day default, 90-day, or no-expiry with lazy revocation after 180 days unused) on /orders/:id or /library at one of three scopes — Single packet, Selected packets, or Whole library — and paste it into ChatGPT, Claude, Gemini, or Grok. The pass is rate-limited, audited, revocable (including bearer self-revoke), and exposes content-direct endpoints /v1/access-passes/resources/{id}/content (inline ≤ 1 MiB) and /records (rows). The packet bundle delivery route /v1/entitlements/{id}/packet-bundle remains the path for presigned full-asset downloads. Key access is the default usage path; the portable LLM-ready export pack (/v1/entitlements/{id}/llm-ready-pack) and the original source archive (/v1/entitlements/{id}/source-archive) are the secondary download paths. Submit access passes via Authorization: Bearer gap_live_* header or POST body, or use the read-only /p/ pass link for assistants that fetch URLs.
-
Refund dispute takedown workflow v0
Strict final-sale enforcement with narrow reversal review. Buyers may report a purchase issue under three qualifying grounds (rights failure, fraud, technical delivery failure); admin review records APPROVE / DENY / REOPEN; REVERSED receipts + companion payout-allocation receipt write on APPROVE; takedown intake + admin execution flips listing status to SUSPENDED. Stripe refund-execution remains operator-gated.
-
Agent discovery keys
Agent discovery keys are live: a visitor generates a key on the homepage or /prepare with no account, their agent sends it as Authorization: Bearer gdk_live_* on public discovery reads (listing search, listing detail, listing manifest, meta endpoints) for a tracked identity, and a registered organization can claim the key later. The key also authorizes the anonymous packet-draft surface (/v1/anonymous-drafts — create, upload, validate, attest, submit; drafts stay private to the key). It cannot purchase, cannot access entitled content, and is rejected outside the discovery and anonymous-draft routes. Claiming binds identity, not permissions — and drafts prepared with the key move to the claiming account.