docs: restore NFT as valid policy anchoring mechanism

NFT on XRPL is still supported for policy document anchoring
(minting NFToken with policy hash URI). Only grant liveness via
NFT (mint-on-issue / burn-on-revoke) was replaced by XLS-70
credentials. All 9 doc files now clearly distinguish:
- NFT = policy document anchoring (supported)
- XLS-70 credentials = grant liveness/revocation (new)

Made-with: Cursor

Author: NAOR YUVAL

README.md

@@ -118,7 +118,7 @@ Import from `mpcp-service/sdk`.
 ```
 mpcp-reference
  ├── src
- │   ├── anchor/          # On-chain adapters: did:xrpl, HCS; grant liveness via XLS-70 credentials
+ │   ├── anchor/          # On-chain adapters: did:xrpl, HCS, XRPL NFT policy anchoring, XLS-70 credential revocation
  │   ├── hash/            # Canonical JSON serialization and SHA-256 hashing
  │   ├── policy-core/     # Policy evaluation engine and types
  │   ├── protocol/        # Artifact types, schemas, SBA/PolicyGrant signing, Trust Bundles

docs/animation/MPCP_ANIMATION_PACK.md

@@ -65,7 +65,7 @@ Narration:
 
 ## Scene 5 — Policy Anchoring
 Visual:
-Policy document hash flowing into a public ledger (Hedera HCS).
+Policy document hash flowing into a public ledger (Hedera HCS or XRPL NFT).
 
 Narration:
 "An optional anchorRef on the PolicyGrant links it to a public ledger record — providing tamper-evident policy history for audit and dispute resolution."
@@ -113,7 +113,7 @@ Autonomous parking example
 Vehicle enters → policy → budget → Trust Gateway → XRPL settlement
 
 Scene 5
-Policy document anchored to ledger (Hedera HCS)
+Policy document anchored to ledger (Hedera HCS or XRPL NFT)
 
 Scene 6
 Verification replay animation

docs/implementation/dispute-verification.md

@@ -18,7 +18,7 @@ const result = verifyDisputedSettlement({
   context: settlementVerificationContext,
   // Optional: ledger anchor result from policy document anchoring
   ledgerAnchor: {
-    anchorRef: grant.anchorRef,  // "hcs:0.0.12345:42"
+    anchorRef: grant.anchorRef,  // e.g. "hcs:0.0.12345:42" or "xrpl:nft:ABC123..."
     rail: "hedera-hcs",
     sequenceNumber: "42",
     topicId: "0.0.12345",

docs/implementation/intent-anchoring.md

@@ -2,11 +2,9 @@
 
 Optional support for publishing MPCP policy documents to distributed ledgers. Provides public auditability, dispute protection, and tamper-evident policy history.
 
-**Hedera HCS** adapter is implemented (publish policy document to a topic). It returns an `anchorRef` that is stored on the PolicyGrant for **policy document** auditability and dispute resolution.
+**Hedera HCS** and **XRPL NFT** adapters support **policy document** anchoring: HCS publishes to a topic; the XRPL path encrypts (optional), stores ciphertext on IPFS, and records the policy via an NFToken whose URI points at that content (`anchorRef` = `xrpl:nft:{tokenId}` with the policy hash in the anchoring flow). Store the returned reference on the PolicyGrant for auditability and dispute resolution.
 
-> **Grant liveness** (revoking or invalidating a grant) is a **separate** mechanism: XRPL **XLS-70** credentials (`CredentialCreate` / `CredentialDelete`), not policy `anchorRef` on HCS.
-
-> **Historical note:** An earlier **XRPL NFT** policy-anchor path (`xrpl:nft:{tokenId}`) existed in reference discussions; it is **removed / superseded** for anchoring. Use HCS for policy documents; use XLS-70 for grant state.
+> **Grant liveness** (revoking or invalidating a grant) is a **separate** mechanism: XRPL **XLS-70** credentials (`CredentialCreate` / `CredentialDelete`). That replaces the older **NFT mint-on-issue / burn-on-revoke** pattern for **grants**. Do not conflate XLS-70 grant credentials with **policy** `anchorRef` on HCS or XRPL NFT.
 
 ## Purpose
 
@@ -21,33 +19,46 @@ The `anchorRef` field on a PolicyGrant identifies the on-chain location of the a
 | Format | Rail | Example |
 |--------|------|---------|
 | `hcs:{topicId}:{seq}` | Hedera HCS | `hcs:0.0.12345:42` |
+| `xrpl:nft:{tokenId}` | XRPL NFT (policy document URI) | `xrpl:nft:00080000...` |
 
 ## Usage
 
 ```typescript
-import { hederaHcsAnchorPolicyDocument } from "mpcp-service/anchor";
+import {
+  hederaHcsAnchorPolicyDocument,
+  xrplEncryptAndStorePolicyDocument,
+  checkXrplNftRevocation,
+} from "mpcp-service/anchor";
 
 const policyDoc = { version: "1.0", policyHash: "a1b2c3...", issuedAt: "2026-01-01T00:00:00Z" };
 
 // Hedera HCS (requires MPCP_HCS_POLICY_TOPIC_ID, MPCP_HCS_OPERATOR_ID, MPCP_HCS_OPERATOR_KEY)
 const result = await hederaHcsAnchorPolicyDocument(policyDoc);
-// { anchorRef: "hcs:0.0.12345:42", rail: "hedera-hcs", anchoredAt: "..." }
+// { reference: "hcs:0.0.12345:42", rail: "hedera-hcs", anchoredAt: "..." }
+
+// XRPL NFT path: encrypt + IPFS → CID for NFToken URI (`ipfs://{cid}`); mint off-chain / policy authority, then anchorRef = `xrpl:nft:{tokenId}`
+// const prep = await xrplEncryptAndStorePolicyDocument(policyDoc, { encryption: {...}, ipfsStore: myStore });
 
-// Store the anchorRef on the PolicyGrant
+// Optional: verify the policy-anchor NFT still exists on XRPL (policy audit / tamper check).
+// This is not grant liveness — use XLS-70 credentials for that (see PolicyGrant).
+const nftStatus = await checkXrplNftRevocation("00080000ABCD...");
+// { revoked: false } if the anchor NFT still exists; { revoked: true } if burned
+
+// Store the anchor reference on the PolicyGrant (maps to anchorRef on the grant)
 const grant = createPolicyGrant({
   policyHash: "a1b2c3",
   allowedRails: ["xrpl"],
   allowedAssets: [...],
   expiresAt: "2030-12-31T23:59:59Z",
-  anchorRef: result.anchorRef,
+  anchorRef: result.reference,
 });
 ```
 
 ## PolicyAnchorResult
 
 ```typescript
 interface PolicyAnchorResult {
-  anchorRef: string;         // "hcs:{topicId}:{seq}"
+  anchorRef: string;         // "hcs:{topicId}:{seq}" | "xrpl:nft:{tokenId}" (SDK field: `reference`)
   rail: AnchorRail;
   txHash?: string;           // Optional ledger record id (implementation-specific)
   topicId?: string;          // Hedera HCS topic ID
@@ -75,6 +86,17 @@ The Hedera HCS adapter publishes policy documents to a Hedera Consensus Service
 - `MPCP_HCS_POLICY_TOPIC_ID` — HCS topic ID for policy anchoring
 - `HEDERA_NETWORK` (optional) — `testnet` or `mainnet`, default `testnet`
 
+## XRPL NFT Adapter (policy document anchoring)
+
+> **Scope:** This path is for **policy document anchoring** only (tamper-evident policy history on XRPL). **Grant liveness** (revocation) uses **XLS-70 Credentials** — see PolicyGrant and the XRPL profile; do not use NFToken burn as the grant revocation mechanism.
+
+The reference SDK provides `xrplEncryptAndStorePolicyDocument` (in `mpcp-service/anchor`): it encrypts the policy document, uploads the ciphertext via an injected IPFS client, and returns a **CID** intended as the NFToken URI (`ipfs://{cid}`). **NFTokenMint** (and setting `anchorRef` to `xrpl:nft:{tokenId}`) is typically performed by the policy authority service, not inside the lightweight SDK.
+
+**Requirements:**
+- Caller-supplied **IPFS store** (`PolicyDocumentIpfsStore`) — no bundled IPFS client
+- Encryption options when using encrypted submit mode (`PolicyAnchorEncryptionOptions`)
+- XRPL account with NFToken issuance rights for minting the policy anchor NFT
+
 ## XRPL Payment Memos
 
 Every XRPL payment submitted via the Trust Gateway includes an `mpcp/grant-id` memo field. This provides a lightweight on-chain audit trail linking each payment to its PolicyGrant — even without a full policy document anchor.

docs/implementation/l1-ecosystem-evaluation.md

@@ -39,7 +39,7 @@ Adding a second rail is a protocol-level decision. It requires:
 | Identity | `did:xrpl` | On-ledger DID method; XLS-70 Credentials for grant liveness |
 | Offline friendliness | Strong | Trust Bundle + signature verification; no chain client needed |
 | Tooling | Good | `xrpl.js`, testnet faucet, well-documented |
-| MPCP integration | Deep | Anchor adapters, DID resolver, XLS-70 credential revocation, stablecoin profile, golden vectors |
+| MPCP integration | Deep | Anchor adapters, DID resolver, NFT policy anchoring, XLS-70 credential revocation, stablecoin profile, golden vectors |
 
 **Assessment:** Production-ready for MPCP v1.0. No gaps.
 

docs/implementation/verifier.md

@@ -21,7 +21,7 @@ If any check fails, verification fails with a specific reason.
 | SBA | Signature valid; expiresAt not passed; sessionId, policyHash match |
 | SBA → decision | Budget not exceeded; rail, asset, destination in allowlists |
 | Settlement | Amount, rail, destination, asset match SBA constraints |
-| anchorRef | If present on PolicyGrant, format validated (`hcs:{topicId}:{seq}`) |
+| anchorRef | If present on PolicyGrant, format validated (`hcs:{topicId}:{seq}` or `xrpl:nft:{tokenId}`) |
 
 ## Usage
 
@@ -102,7 +102,7 @@ Settlement bundles for development and conformance testing may include `sbaPubli
 
 ## Dispute Verification
 
-When a settlement is disputed, `verifyDisputedSettlement` runs full chain verification plus optional policy anchor verification. If the PolicyGrant has an `anchorRef` (e.g., to Hedera HCS), the anchor can be checked to confirm the policy document was published before the settlement.
+When a settlement is disputed, `verifyDisputedSettlement` runs full chain verification plus optional policy anchor verification. If the PolicyGrant has an `anchorRef` (e.g., to Hedera HCS or XRPL NFT), the anchor can be checked to confirm the policy document was published before the settlement.
 
 See [Dispute Resolution](https://github.com/mpcp-protocol/mpcp-spec/blob/main/docs/guides/dispute-resolution.md) for the guide.
 

docs/implementation/xrpl-stablecoin-profile.md

@@ -26,7 +26,7 @@ Policies using this profile must include:
 - `allowedAssets`: Array of `{ kind: "IOU", currency: string, issuer: string }`
 - `destinationAllowlist` (in SBA): XRPL account addresses allowed as payment destinations
 - `maxAmountMinor`, `expiresAt` per standard MPCP
-- `anchorRef` (optional): on-chain policy document anchor (`hcs:{topicId}:{seq}`)
+- `anchorRef` (optional): on-chain policy document anchor (`hcs:{topicId}:{seq}` or `xrpl:nft:{tokenId}`)
 
 ## Wallet Expectations
 

docs/reference/sdk.md

@@ -36,7 +36,7 @@ const grant = createPolicyGrant({
   allowedAssets: [{ kind: "IOU", currency: "RLUSD", issuer: "rIssuer" }],
   expiresAt: "2030-12-31T23:59:59Z",
   // Optional: on-chain anchor reference for this policy document
-  // anchorRef: "hcs:0.0.12345:42"
+  // anchorRef: "hcs:0.0.12345:42" | "xrpl:nft:ABC123..."
 });
 
 // Signed (requires MPCP_POLICY_GRANT_SIGNING_PRIVATE_KEY_PEM — returns null if not set)

docs/reference/service-api.md

@@ -67,15 +67,19 @@ Publish a policy document to a ledger and return an `anchorRef` for use in Polic
 
 ```typescript
 // Hedera HCS (requires MPCP_HCS_POLICY_TOPIC_ID, MPCP_HCS_OPERATOR_ID, MPCP_HCS_OPERATOR_KEY)
-const result = await anchorPolicyDocument(policyDoc, { rail: "hedera-hcs" });
-// result.anchorRef: "hcs:{topicId}:{sequenceNumber}"
+const hcs = await anchorPolicyDocument(policyDoc, { rail: "hedera-hcs" });
+// hcs.anchorRef: "hcs:{topicId}:{sequenceNumber}"
+
+// XRPL NFT — policy document anchoring (encrypted doc → IPFS URI on NFToken; mint completed by policy authority)
+const nft = await anchorPolicyDocument(policyDoc, { rail: "xrpl-nft" /* + encryption / ipfs options */ });
+// nft.anchorRef: "xrpl:nft:{tokenId}"
 ```
 
-Supported rail: **`hedera-hcs`** (policy document anchoring).
+Supported rails for **policy document** anchoring: **`hedera-hcs`**, **`xrpl-nft`**.
 
-> **Removed / superseded:** The former `xrpl-nft` rail (NFTokenMint/Burn for policy anchors) is no longer supported. **Grant liveness** (whether a grant is still valid) is handled separately via **XLS-70** `CredentialCreate` / `CredentialDelete` on XRPL — not via policy `anchorRef`.
+> **Grant liveness** (whether a grant is still valid) is **not** defined by burning the policy anchor NFT. Use **XLS-70** `CredentialCreate` / `CredentialDelete` on XRPL for credential-based grant revocation. Policy `anchorRef` (HCS or XRPL NFT) remains the tamper-evident **policy document** anchor only.
 
-The returned `anchorRef` can be stored on the PolicyGrant (`grant.anchorRef`) to provide on-chain auditability of the **policy document** (HCS).
+The returned `anchorRef` can be stored on the PolicyGrant (`grant.anchorRef`) to provide on-chain auditability of the **policy document**.
 
 ---