fix: align TrustLevel enum with RFC-002 v1.4

README.md

@@ -36,7 +36,7 @@ MCP Guard solves this with:
 | **@guard decorator** | Protect tools with trust-level requirements |
 | **Evidence logging** | Cryptographic audit trail for every invocation |
 | **Server identity** | Verify MCP servers before connecting |
-| **Trust levels** | 0 (self-signed) → 4 (continuous validation) |
+| **Trust levels** | 0 (self-signed) → 4 (extended validation) |
 
 ## Quickstart 1: Server-Side (Tool Guarding)
 
@@ -164,13 +164,15 @@ export CAPISCIO_CORE_ADDR="localhost:50051"
 
 ## Trust Levels
 
-| Level | Name | Description |
-|-------|------|-------------|
-| 0 | Self-Signed | `did:key` issuer, cryptographic identity only |
-| 1 | Domain Validated (DV) | Domain ownership verified |
-| 2 | Organization Validated (OV) | Organization identity verified |
-| 3 | Extended Validation (EV) | Legal entity verification |
-| 4 | Continuous Validation (CV) | Runtime attestation |
+Per RFC-002 v1.4:
+
+| Level | Name | Validation | Use Case |
+|-------|------|------------|----------|
+| 0 | Self-Signed (SS) | None, `did:key` issuer | Local dev, testing, demos |
+| 1 | Registered (REG) | Account registration | Development, internal agents |
+| 2 | Domain Validated (DV) | DNS/HTTP challenge | Production, B2B agents |
+| 3 | Organization Validated (OV) | DUNS/legal entity | High-trust production |
+| 4 | Extended Validated (EV) | Manual review + legal | Regulated industries |
 
 ## Evidence Logging
 

capiscio_mcp/types.py

@@ -71,19 +71,21 @@ class DenyReason(str, Enum):
 
 class TrustLevel(IntEnum):
     """
-    Trust levels per RFC-002.
-
-    - LEVEL_0: Self-signed (did:key issuer)
-    - LEVEL_1: Domain Validated (DV)
-    - LEVEL_2: Organization Validated (OV)
-    - LEVEL_3: Extended Validation (EV)
-    - LEVEL_4: Continuous Validation (CV)
-    """
-    LEVEL_0 = 0  # Self-signed
-    LEVEL_1 = 1  # DV
-    LEVEL_2 = 2  # OV
-    LEVEL_3 = 3  # EV
-    LEVEL_4 = 4  # CV
+    Trust levels per RFC-002 v1.4.
+
+    - LEVEL_0: Self-Signed (SS) - did:key issuer, no external validation
+    - LEVEL_1: Registered (REG) - Account registration with CapiscIO Registry
+    - LEVEL_2: Domain Validated (DV) - DNS/HTTP challenge proving domain control
+    - LEVEL_3: Organization Validated (OV) - DUNS/legal entity verification
+    - LEVEL_4: Extended Validated (EV) - Manual review + legal agreement
+
+    See: https://docs.capisc.io/rfcs/002-trust-badge/#5-trust-levels
+    """
+    LEVEL_0 = 0  # Self-Signed (SS)
+    LEVEL_1 = 1  # Registered (REG)
+    LEVEL_2 = 2  # Domain Validated (DV)
+    LEVEL_3 = 3  # Organization Validated (OV)
+    LEVEL_4 = 4  # Extended Validated (EV)
 
 
 # =============================================================================

docs/getting-started/quickstart.md

@@ -76,13 +76,15 @@ elif result.state == ServerState.UNVERIFIED_ORIGIN:
 
 ## Trust Levels
 
-| Level | Name | Who Issues | Use Case |
+Per RFC-002 v1.4:
+
+| Level | Name | Validation | Use Case |
 |-------|------|------------|----------|
-| 0 | Self-Signed | Agent itself (`did:key`) | Development, testing |
-| 1 | Domain Validated (DV) | CapiscIO Registry | Production agents |
-| 2 | Organization Validated (OV) | CapiscIO Registry | Business agents |
-| 3 | Extended Validation (EV) | CapiscIO Registry | Financial, healthcare |
-| 4 | Continuous Validation (CV) | CapiscIO Registry | Critical infrastructure |
+| 0 | Self-Signed (SS) | None, `did:key` issuer | Local dev, testing, demos |
+| 1 | Registered (REG) | Account registration | Development, internal agents |
+| 2 | Domain Validated (DV) | DNS/HTTP challenge | Production, B2B agents |
+| 3 | Organization Validated (OV) | DUNS/legal entity | High-trust production |
+| 4 | Extended Validated (EV) | Manual review + legal | Regulated industries |
 
 ## Next Steps
 

docs/guides/server-side.md

@@ -97,12 +97,12 @@ async def read_file(path: str) -> str:
 
 @guard(min_trust_level=3)
 async def write_file(path: str, content: str) -> None:
-    """High-risk: Write files (EV required)."""
+    """High-risk: Write files (OV required)."""
     pass
 
 @guard(min_trust_level=4)
 async def execute_command(cmd: str) -> str:
-    """Critical: Execute shell commands (CV required)."""
+    """Critical: Execute shell commands (EV required)."""
     pass
 ```
 

docs/index.md

@@ -22,7 +22,7 @@ MCP Guard solves this with:
 | **@guard decorator** | Protect tools with trust-level requirements |
 | **Evidence logging** | Cryptographic audit trail for every invocation |
 | **Server identity** | Verify MCP servers before connecting |
-| **Trust levels** | 0 (self-signed) → 4 (continuous validation) |
+| **Trust levels** | 0 (self-signed) → 4 (extended validation) |
 
 ## Quick Example
 
@@ -54,13 +54,15 @@ if result.state == ServerState.VERIFIED_PRINCIPAL:
 
 ## Trust Levels
 
-| Level | Name | Description |
-|-------|------|-------------|
-| 0 | Self-Signed | `did:key` issuer, cryptographic identity only |
-| 1 | Domain Validated (DV) | Domain ownership verified |
-| 2 | Organization Validated (OV) | Organization identity verified |
-| 3 | Extended Validation (EV) | Legal entity verification |
-| 4 | Continuous Validation (CV) | Runtime attestation |
+Per RFC-002 v1.4:
+
+| Level | Name | Validation | Use Case |
+|-------|------|------------|----------|
+| 0 | Self-Signed (SS) | None, `did:key` issuer | Local dev, testing, demos |
+| 1 | Registered (REG) | Account registration | Development, internal agents |
+| 2 | Domain Validated (DV) | DNS/HTTP challenge | Production, B2B agents |
+| 3 | Organization Validated (OV) | DUNS/legal entity | High-trust production |
+| 4 | Extended Validated (EV) | Manual review + legal | Regulated industries |
 
 ## Next Steps