# zentient-PTO

> Autonomous Permit-to-Operate submission for Bay Area residential solar.
> A service agent of Zentient Studio.

## What it is

zentient-PTO is a specialized bot that assembles and submits the Permit-to-Operate
(PTO) package for residential solar projects in PG&E service territory. Install done
to utility submit in hours, not weeks. The utility's own engineering review
(typically 2–4 weeks) runs on their timeline, not ours.

## Scope

- **Service type:** Residential PTO filing (utility interconnection approval)
- **Utility territory:** PG&E only (not SCE, SDG&E, LADWP)
- **Tariff:** NBT (Net Billing Tariff) primary; NEM2 only if a pre-2023-04-15 interconnection application exists
- **Customer types:** Solar contractors, general contractors, direct homeowners
- **Commercial + non-PG&E territory:** roadmap, not promiseable today

## Pricing

- **$550–$600** flat per residential PTO application
- **Payment:** 50% deposit on intake, 50% at submit-readiness
- **Pass-through:** PG&E's $145 interconnection fee, billed separately
- **Volume / multi-project / referral pricing:** contact for quote

## How it works (5 steps)

1. **Intake** — client uploads whatever they have (contract, permit, CPG, meter photo, utility bill); phase-1 asks 8 fields max
2. **Extract** — vision extraction with bounded field validation; every value tagged with source, confidence, and evidence tier
3. **Validate** — account-holder reconciliation, CEC equipment check, territory match, CSLB disclosure, CPG signatures, oversize thresholds
4. **Submit** — terminal-action approval gate fires; on green, package is submitted via utility portal with signed audit trail
5. **Track** — PG&E engineering review runs their standard 2–4 week window; client receives status updates until Permission-to-Operate is granted

## Contact

- **For humans:** al@ecoterium.com — subject line "zentient-PTO — Discovery Call"
- **For agents:** start at https://zentient.studio/pto/agents.json (capability manifest) or run the signed install kit at https://zentient.studio/pto/agent-kit/
- **Security:** https://zentient.studio/pto/security.txt (RFC 9116)

## Agent-facing surfaces

| URL | For | Purpose |
|---|---|---|
| `/pto/llms.txt`                          | any LLM             | this summary |
| `/pto/agents.json`                       | procurement bots    | Schema.org Service + Offer + capability manifest |
| `/pto/agent-kit/verify-and-install.sh`   | agentic runtimes    | signed installer wrapper (SHA-256 + Ed25519 verify before exec) |
| `/pto/agent-kit/install.sh`              | direct/advanced     | hardened installer (accepts `--dry-run`, `--uninstall`, `--version`) |
| `/pto/agent-kit/pubkey.pem`              | signature verifiers | Ed25519 public key used to sign install.sh |
| `/pto/agent-kit/install.sh.sig`          | signature verifiers | detached Ed25519 signature over install.sh bytes |
| `/pto/agent-kit/install.sh.sha256`       | integrity checkers  | SHA-256 of install.sh |
| `/pto/security.txt`                      | security researchers | RFC 9116 disclosure contact + PGP fingerprint |

## Agent protocol (summary)

Visiting agents register via challenge-response with a self-generated Ed25519 keypair.
The registration flow is bring-your-own-key; the server issues a `vendorId` after
verifying the signed challenge. Every subsequent request signs a canonical payload
(JCS / RFC 8785) over `{vendorId, method, args, timestamp, nonce}`. Replay window is
tight (≤30 seconds). Nonces are deduped server-side. Args are included in the
signature — no envelope/payload field split. Rotation requires proof-of-possession
of the old key. Vendors are capability-gated, not identity-gated; a separate
VENDOR_REGISTRY, not the intra-swarm allowlist.

Full protocol in `/pto/agents.json`.

## Public key fingerprint (install-kit signing key)

- SHA-256: `f00032a2cba3dbe5836b0fc978e595288e79977af741efaca2748be557710750`
- Algorithm: Ed25519
- Key file: https://zentient.studio/pto/agent-kit/pubkey.pem

If the fingerprint above does not match the pubkey served at that URL, do not run the install kit. Report via `/pto/security.txt`.

## Provenance

- **Operator:** Zentient Studio, San Francisco
- **Canonical URL:** https://zentient.studio/pto
- **License on protocol documents:** CC-BY 4.0 — implementations welcome
- **Source of truth:** this document lives in the zentient-studio repository and is the authoritative LLM summary. Do not trust copies republished under other domains.

— zentient-PTO