diff --git a/scripts/check-plain-coverage.mjs b/scripts/check-plain-coverage.mjs
index d6e7a6e..eb260d2 100644
--- a/scripts/check-plain-coverage.mjs
+++ b/scripts/check-plain-coverage.mjs
@@ -36,6 +36,8 @@ const MAIN_PAIRS = [
   { human: 'src/pages/for/mcp.astro',        plain: 'src/pages/plain/mcp.astro' },
   { human: 'src/pages/plans.astro',          plain: 'src/pages/plain/plans.astro' },
   { human: 'src/pages/for/skills.astro',     plain: 'src/pages/plain/skills/index.astro' },
+  { human: 'src/pages/app-store.astro',      plain: 'src/pages/plain/app-store.astro' },
+  { human: 'src/pages/publish.astro',        plain: 'src/pages/plain/publish.astro' },
 ];
 
 // Directory pair checked for strict 1:1 slug correspondence.
diff --git a/src/pages/app-store.astro b/src/pages/app-store.astro
index 568717d..b3e4fcc 100644
--- a/src/pages/app-store.astro
+++ b/src/pages/app-store.astro
@@ -164,44 +164,57 @@ try {
   <div class="wrap">
     <div class="section-head">
       <div class="eyebrow">For builders</div>
-      <h2>Ship an agent app.<br/><em>It's just a manifest.</em></h2>
+      <h2>Ship an agent app.<br/><em>By PR or in your browser.</em></h2>
     </div>
+    <p class="lede" style="max-width:62ch;margin-top:-40px;margin-bottom:32px;">
+      Bring an app you already have. Pilot wraps your existing HTTP API in a thin,
+      signed adapter — the agent-facing interface — and publishes it to the
+      catalogue. Pick the path that fits how you work.
+    </p>
     <div class="feat-grid cols-2">
       <div class="feat">
-        <div class="feat-ix">Manifest</div>
-        <div class="feat-t">Declare your app</div>
+        <div class="feat-ix">No code</div>
+        <div class="feat-t">Publish in your browser</div>
         <div class="feat-d">
-          An agent app is defined by a <code>manifest.json</code>: id,
-          version, the methods it exposes, a sha256-pinned binary, and the
-          grants it requests. No Docker, no Kubernetes — the protocol handles
-          distribution.
+          Describe your app once in the <a href="/publish">publish wizard</a> — id,
+          methods, backend URL, and any auth headers. We generate, sign, and verify
+          the adapter for you, then our team reviews it onto the store. No Go to
+          write, no git, no manifest by hand.
         </div>
+        <a class="btn primary" href="/publish" style="margin-top:18px"
+           data-track="cta_click" data-track-target="publish" data-track-location="builders">Publish your app <span class="arr">→</span></a>
       </div>
       <div class="feat">
-        <div class="feat-ix">Submit</div>
-        <div class="feat-t">One PR to publish</div>
+        <div class="feat-ix">From the CLI</div>
+        <div class="feat-t">Publish by PR</div>
         <div class="feat-d">
-          Sign the manifest, attach the bundle to a GitHub release, and add
-          one entry to <code>catalogue.json</code> by PR. Once merged,
-          <code>pilotctl appstore install &lt;id&gt;</code> works everywhere.
-          See the <a href="/docs/app-store">App Store docs</a>.
+          Prefer git? The <code>pilot-app</code> toolkit turns a
+          <code>pilot.app.yaml</code> into a complete, signed adapter bundle. Open
+          one PR to <code>pilot-protocol/app-template</code>; CI verifies the bundle,
+          a maintainer reviews, and automation releases it and adds the catalogue
+          entry.
         </div>
+        <a class="btn" href="https://github.com/pilot-protocol/app-template" target="_blank" rel="noopener" style="margin-top:18px"
+           data-track="cta_click" data-track-target="toolkit" data-track-location="builders">Get the toolkit <span class="arr">→</span></a>
       </div>
+    </div>
+    <div class="feat-grid cols-2" style="margin-top:24px">
       <div class="feat">
-        <div class="feat-ix">Permissions</div>
-        <div class="feat-t">Agent-granular scope</div>
+        <div class="feat-ix">Verified</div>
+        <div class="feat-t">Signed, checked on every spawn</div>
         <div class="feat-d">
-          Apps declare what they need — network access, file I/O, specific
-          protocols. The agent grants or denies at install time. No ambient
-          authority.
+          Every adapter is sha256-pinned and signed by its publisher. The daemon
+          re-verifies the signature and binary hash each time it spawns the app, so a
+          tampered bundle never runs.
         </div>
       </div>
       <div class="feat">
-        <div class="feat-ix">Distribution</div>
-        <div class="feat-t">Protocol-native</div>
+        <div class="feat-ix">Scoped</div>
+        <div class="feat-t">Agent-granular permissions</div>
         <div class="feat-d">
-          Apps are distributed through the Pilot Protocol itself. No app store
-          servers, no CDN — the network is the distribution layer.
+          Apps declare exactly what they need — network access, file I/O, specific
+          protocols — and the agent grants or denies at install time. No ambient
+          authority.
         </div>
       </div>
     </div>
diff --git a/src/pages/plain/app-store.astro b/src/pages/plain/app-store.astro
new file mode 100644
index 0000000..5a2c175
--- /dev/null
+++ b/src/pages/plain/app-store.astro
@@ -0,0 +1,55 @@
+---
+import PlainLayout from '../../layouts/PlainLayout.astro';
+---
+<PlainLayout title="App Store — Pilot Protocol" description="Agent-native apps on the Pilot Protocol network. Install with one command; publish your own from your browser or by PR." canonical="https://pilotprotocol.network/plain/app-store/">
+
+<h1>The Pilot App Store.</h1>
+
+<p>The App Store is where agents find tools built specifically for them, and where builders publish their own. Every app is an agent-native interface — JSON in, JSON out — discoverable by the agents on the Pilot Protocol network. Install with one command, manage from one namespace, and submit your own apps anytime.</p>
+
+<h2>Install and use an app</h2>
+<ul>
+  <li>Browse the catalogue: <code>pilotctl appstore catalogue</code></li>
+  <li>Inspect before installing: <code>pilotctl appstore view &lt;id&gt;</code></li>
+  <li>Install (the daemon spawns it locally): <code>pilotctl appstore install &lt;id&gt;</code></li>
+  <li>Discover its methods: <code>pilotctl appstore call &lt;id&gt; &lt;ns&gt;.help '&#123;&#125;'</code></li>
+  <li>Call a method: <code>pilotctl appstore call &lt;id&gt; &lt;method&gt; '&lt;json&gt;'</code></li>
+</ul>
+
+<h2>What an app is</h2>
+<ul>
+  <li>A thin, stateless adapter plus a signed manifest.</li>
+  <li>The daemon fetches the bundle, re-verifies its signature and binary sha256 on every spawn, and brokers JSON-in/JSON-out calls over a unix socket.</li>
+  <li>The heavy backend (your API) lives wherever it already runs; the adapter forwards each method to it.</li>
+  <li>Apps declare the permissions they need (network, file I/O, protocols); the agent grants or denies at install. No ambient authority.</li>
+</ul>
+
+<h2>Publish your own app</h2>
+<p>Two flows, same result: a reviewed, signed, catalogued app any agent can install.</p>
+
+<p>Browser (no code):</p>
+<ul>
+  <li>Go to https://pilotprotocol.network/publish</li>
+  <li>Describe your HTTP API: id (io.pilot.&lt;name&gt;), version, methods, backend URL, and any auth headers.</li>
+  <li>The server generates, signs, and verifies the adapter. A reviewer approves it onto the store.</li>
+  <li>No Go, no git, no manifest to write.</li>
+</ul>
+
+<p>PR (from the terminal):</p>
+<ul>
+  <li>Install the toolkit: <code>go install github.com/pilot-protocol/app-template/cmd/pilot-app@latest</code></li>
+  <li>Generate a spec: <code>pilot-app example &gt; pilot.app.yaml</code>, then edit it to point at your API and list your methods.</li>
+  <li>Scaffold and package: <code>pilot-app init -o ./my-app</code>, then <code>make package</code> in the project.</li>
+  <li>Submit: <code>pilot-app submit -C . --prepare /path/to/app-template-fork</code>, then open a PR to pilot-protocol/app-template.</li>
+  <li>CI verifies the bundle; a maintainer reviews; on merge, automation releases it and adds the catalogue entry.</li>
+</ul>
+
+<h2>Requirements to publish</h2>
+<ul>
+  <li>An existing HTTP API the adapter can forward to. CLI/binary apps are coming soon.</li>
+  <li>A valid email for submission and review notifications (browser flow).</li>
+  <li>Secrets are never collected; operators supply them at install time.</li>
+  <li>Every submission is reviewed before it appears in the store.</li>
+</ul>
+
+</PlainLayout>
diff --git a/src/pages/plain/publish.astro b/src/pages/plain/publish.astro
new file mode 100644
index 0000000..a7a41d7
--- /dev/null
+++ b/src/pages/plain/publish.astro
@@ -0,0 +1,52 @@
+---
+import PlainLayout from '../../layouts/PlainLayout.astro';
+---
+<PlainLayout title="Publish an app — Pilot Protocol" description="Publish your existing HTTP API on the Pilot Protocol app store. Describe it once; we generate, sign, and verify an agent-first adapter." canonical="https://pilotprotocol.network/plain/publish/">
+
+<h1>Publish an app.</h1>
+
+<p>Bring your existing HTTP API. Describe it once and Pilot generates, signs, and verifies an agent-first adapter for it, then a reviewer publishes it to the app store. You do not upload code, and your secrets stay yours.</p>
+
+<h2>Two ways to publish</h2>
+<ul>
+  <li>Browser wizard (no code): https://pilotprotocol.network/publish</li>
+  <li>By PR (from the terminal): the pilot-app toolkit plus one pull request to pilot-protocol/app-template.</li>
+</ul>
+
+<h2>Browser wizard steps</h2>
+<ul>
+  <li>Email: where we send your submission confirmation and the review decision.</li>
+  <li>Identity: app id (io.pilot.&lt;name&gt;), version (semver), and a one-line description.</li>
+  <li>Backend: the app type (HTTP API; CLI/binary is coming soon), the backend base URL, and any auth headers. Header values may use $&#123;TOKEN&#125; placeholders that the operator supplies at install — never stored in the app.</li>
+  <li>Methods: each method an agent can call — name (&lt;ns&gt;.&lt;verb&gt;), HTTP route, latency class (fast under 5s, medium up to 15s, slow up to 1 minute), description, and parameters.</li>
+  <li>Listing: display name, description, license, and categories for the store page.</li>
+  <li>Vendor: who you are, how autonomous agents should use the app, and the list of capabilities.</li>
+  <li>Review and submit: the server builds, signs, and verifies the adapter and stores it for review.</li>
+</ul>
+
+<h2>Publish by PR</h2>
+<ul>
+  <li>Install: <code>go install github.com/pilot-protocol/app-template/cmd/pilot-app@latest</code></li>
+  <li>Spec: <code>pilot-app example &gt; pilot.app.yaml</code>, then edit it.</li>
+  <li>Validate: <code>pilot-app validate</code></li>
+  <li>Scaffold: <code>pilot-app init -o ./my-app</code></li>
+  <li>Package (build, sha256-pin, sign, tar): <code>make package</code></li>
+  <li>Verify locally (optional): <code>pilot-app verify io.pilot.&lt;id&gt;-&lt;ver&gt;.tar.gz</code></li>
+  <li>Submit: <code>pilot-app submit -C . --prepare /path/to/app-template-fork</code>, commit submissions/&lt;id&gt;/, and open a PR to pilot-protocol/app-template.</li>
+</ul>
+
+<h2>What happens after you submit</h2>
+<ul>
+  <li>CI verifies the bundle on the PR. (Browser flow: the server already built and verified it.)</li>
+  <li>A maintainer reviews. On approval, automation releases the bundle on pilot-protocol/catalog and adds the catalogue entry.</li>
+  <li>Then any agent can install it: <code>pilotctl appstore install &lt;your.id&gt;</code></li>
+</ul>
+
+<h2>Requirements</h2>
+<ul>
+  <li>An existing HTTP API. CLI/binary apps are coming soon.</li>
+  <li>A valid email (browser flow) for the confirmation and the review decision.</li>
+  <li>You confirm you have the right to publish the app and agree to the Terms and Acceptable Use Policy.</li>
+</ul>
+
+</PlainLayout>