docs: receive policy in D6, Key Documents, new diagram

README.md

@@ -114,7 +114,7 @@ The complete runtime container view — services, databases, queues, and their c
 
 ![Container Runtime — C4 Level 2](docs/diagrams/platform/02-container-runtime-c4.svg)
 
-*Gateway, auth service, registry, scheduler, connector runtime, and policy engine run as independent services. Each has a dedicated store; the durable scheduler owns the retry/wakeup loop.*
+*Gateway (public REST API), agent-core (workflow engine), auth service, MCP platform (48 JSON-RPC tools), and tool registry run as Cloud Run services sharing a PostgreSQL instance. The scheduler runs on the gateway via internal tick endpoints.*
 
 ---
 
@@ -141,12 +141,24 @@ pytest
 | Document | Description |
 |---|---|
 | [`integration-quickstart.md`](docs/integration-quickstart.md) | End-to-end onboarding path for new integrators |
-| [`examples-cloud-vs-protocol.md`](docs/examples-cloud-vs-protocol.md) | What works with AXME Cloud vs AXP-only mode |
 | [`public-api-auth.md`](docs/public-api-auth.md) | Authentication: platform API keys, actor tokens, JWT validation |
-| [`security-overview.md`](docs/security-overview.md) | Public security architecture, controls, and enterprise review baseline |
-| [`public-api-families-d1-intents-inbox-approvals.md`](docs/public-api-families-d1-intents-inbox-approvals.md) | Full API family reference for intents, inbox, and approvals |
+| [`security-overview.md`](docs/security-overview.md) | Security architecture, controls, and enterprise review baseline |
 | [`supported-limits-and-error-model.md`](docs/supported-limits-and-error-model.md) | Rate limits, quotas, error codes, retriability table |
 | [`migration-and-deprecation-policy.md`](docs/migration-and-deprecation-policy.md) | API versioning, deprecation timelines, migration guides |
+| [`mcp-api-reference.md`](docs/mcp-api-reference.md) | MCP Server — all 48 tools, auth model, response format |
+| [`cross-org-receive-policy.md`](docs/cross-org-receive-policy.md) | Cross-org intent delivery: org policy + agent overrides |
+| [`agent-addressing.md`](docs/agent-addressing.md) | Agent address registry, agent:// URI scheme |
+
+### API Family References
+
+| Document | Scope |
+|---|---|
+| [`D1 — Intents, Inbox, Approvals`](docs/public-api-families-d1-intents-inbox-approvals.md) | Intent CRUD, SSE, lifecycle events, human tasks |
+| [`D2 — Webhooks, Capabilities`](docs/public-api-families-d2-webhooks-capabilities.md) | Webhook subscriptions, deliveries, event types |
+| [`D3 — Users`](docs/public-api-families-d3-users.md) | User profiles, nicks, contacts |
+| [`D4 — Invites, Media`](docs/public-api-families-d4-invites-media.md) | Invite links, media upload/download |
+| [`D5 — Schemas`](docs/public-api-families-d5-schemas.md) | Schema governance, payload validation |
+| [`D6 — Enterprise Governance`](docs/public-api-families-d6-enterprise-governance.md) | Orgs, workspaces, members, agents, policies, quotas |
 
 ---
 

docs/diagrams/axme-complete-architecture.mmd

@@ -105,7 +105,7 @@ flowchart TB
             SCHED["Scheduler\nTick loop\nDeadline enforcement\nRetries"]:::service
             TOOLREG["Tool Registry\nAction catalog\nWorkflow compilation"]:::service
             POLICY["Policy Engine\nAccess decisions\nConsent checks\nRisk evaluation"]:::service
-            MCP["MCP Server\nTool access\nData access"]:::service
+            MCP["MCP Platform\n48 JSON-RPC tools\nMirrors CLI"]:::service
         end
     end
 
@@ -129,7 +129,11 @@ flowchart TB
         ADDR_SCHEME["agent://org_slug/workspace_slug/sa_name"]:::agent
         ADDR_REGISTRY["Agent Registry"]:::agent
         ADDR_ROUTING["Routing Engine"]:::agent
+        ADDR_SEND_POLICY["Send Policy\nallowlist / denylist"]:::agent
+        ADDR_RECEIVE_POLICY["Receive Policy\norg: open / allowlist / closed\nagent override: allow / block"]:::agent
         ADDR_SCHEME --> ADDR_REGISTRY --> ADDR_ROUTING
+        ADDR_REGISTRY --> ADDR_SEND_POLICY
+        ADDR_REGISTRY --> ADDR_RECEIVE_POLICY
     end
 
     %% ═══════════════════════════════════════════════
@@ -167,6 +171,9 @@ flowchart TB
                 T_QUOTA[("quota_counters")]:::datastore
                 T_TENANT[("tenant_placements")]:::datastore
                 T_AUDIT[("enterprise_admin_audit_events")]:::datastore
+                T_ADDR_REG[("agent_address_registry")]:::datastore
+                T_ORG_RCV[("org_receive_policies")]:::datastore
+                T_AGT_RCV[("agent_receive_overrides")]:::datastore
             end
 
             subgraph PG_WEBHOOK["Webhooks"]
@@ -228,7 +235,8 @@ flowchart TB
     GW --> SCHED
     GW --> TOOLREG
     GW --> POLICY
-    AC --> MCP
+    CLIENTS --> MCP
+    MCP --> GW
     AC --> TOOLREG
     AC --> POLICY
 

docs/diagrams/platform/02-container-runtime-c4.mmd

@@ -1,12 +1,18 @@
 sequenceDiagram
     autonumber
     participant C as Client/SDK
+    participant M as MCP Server<br/>(AI Assistants)
     participant G as Gateway API
-    participant W as Workflow Runtime
+    participant W as Workflow Runtime<br/>(Agent-Core)
     participant J as Job Scheduler
     participant D as Data Stores
     participant R as Recipient Agent
 
+    Note over M,G: MCP path (AI assistants via JSON-RPC)
+    M->>G: proxy tool call → REST API
+    G-->>M: JSON response → MCP result
+
+    Note over C,G: Direct API path (SDK/CLI)
     C->>G: API request
     G->>D: write request/audit envelope
     G->>W: start or continue workflow

docs/public-api-families-d6-enterprise-governance.md

@@ -78,10 +78,22 @@ Enterprise operation groups currently published on `gateway.v1.json`:
 - agents (agent registry and send policy):
   - `GET /v1/agents`
   - `GET /v1/agents/{address}`
+  - `DELETE /v1/service-accounts/{service_account_id}`
+  - `PATCH /v1/service-accounts/{service_account_id}/delivery`
   - `GET /v1/agents/{address}/policy`
   - `PUT /v1/agents/{address}/policy`
   - `POST /v1/agents/{address}/policy/entries`
   - `DELETE /v1/agents/{address}/policy/entries/{entry_id}`
+- agents (receive override — per-agent cross-org exceptions):
+  - `GET /v1/agents/{address}/receive-override`
+  - `PUT /v1/agents/{address}/receive-override`
+  - `POST /v1/agents/{address}/receive-override/entries`
+  - `DELETE /v1/agents/{address}/receive-override/entries/{entry_id}`
+- organizations (receive policy — cross-org intent delivery control):
+  - `GET /v1/organizations/{org_id}/receive-policy`
+  - `PUT /v1/organizations/{org_id}/receive-policy`
+  - `POST /v1/organizations/{org_id}/receive-policy/entries`
+  - `DELETE /v1/organizations/{org_id}/receive-policy/entries/{entry_id}`
 - naming/routing/transports/deliveries:
   - `POST /v1/principals`
   - `GET /v1/principals/{principal_id}`