{
  "schema": "mvg.governance_descriptor@1",
  "issued_utc": "2026-02-21T00:00:00Z",
  "canonical_surface": "https://meridianverity.com/governance/",
  "boundary": {
    "public_safe": true,
    "non_binding_unless_incorporated": true,
    "not_a_certification": true,
    "no_warranties": true,
    "not_legal_advice": true
  },
  "governance": {
    "principle": "Receipts, not promises. Evidence before action.",
    "release_controls": {
      "default_posture": "fail_closed",
      "go_definition": "GO only when evidence is signed, reproducible, and offline-verifiable; otherwise HOLD.",
      "stop_authority": {
        "policy": "Any single designated safety authority may stop a release.",
        "effect": "Stop \u21d2 HOLD (no partial publish).",
        "public_notes": "Role-defined; names withheld (available under NDA for procurement if required)."
      },
      "required_receipts_public": [
        "Ticket Pack DSSE (1 URL) with pinned index/ZIP/verifier hashes",
        "Append-only transparency log + inclusion proof",
        "Security Review Packet (public, redacted)"
      ]
    },
    "escalation": {
      "channels": {
        "security": "mailto:security@meridianverity.com",
        "procurement": "mailto:procurement@meridianverity.com",
        "privacy": "mailto:privacy@meridianverity.com",
        "contact": "mailto:contact@meridianverity.com"
      },
      "pgp": {
        "openpgp4fpr": "94EC8CD8863A2D0CCAF92990B8BF65777FC5A47F",
        "public_key_url": "https://www.meridianverity.com/pgp.asc"
      },
      "routing_policy": "Use published channels. If a message claims to represent MVG but is not from @meridianverity.com, treat as HOLD and report to security@meridianverity.com."
    },
    "incident_response": {
      "policy_url": "https://www.meridianverity.com/legal/security-disclosure/",
      "posture_public": "Coordinated disclosure; severity-based triage. Exploit details and internal runbooks are withheld from public surfaces.",
      "public_receipts_policy": "Public-safe receipts may be published when appropriate (redacted) to support auditability."
    }
  },
  "discovery": {
    "company_descriptor": "https://meridianverity.com/.well-known/mvg-company.json",
    "contact_descriptor": "https://meridianverity.com/.well-known/mvg-contact.json",
    "trust_descriptor": "https://meridianverity.com/.well-known/mvg-trust.json",
    "security_txt": "https://meridianverity.com/.well-known/security.txt",
    "security_review_packet": "https://meridianverity.com/trust/security-review/",
    "site_release_integrity": "https://meridianverity.com/trust/site-release/"
  },
  "anti_phishing": {
    "official_domains": [
      "meridianverity.com",
      "www.meridianverity.com"
    ],
    "allowed_email_domain": "meridianverity.com",
    "fail_closed_policy": "If a message claims to represent MVG but is not from @meridianverity.com (or does not route through published channels), treat as HOLD and report to security@meridianverity.com."
  },
  "signing": {
    "payload_canonicalization_id": "jcs.v1",
    "primary_detached_signature": "/.well-known/mvg-governance.json.asc",
    "dsse_envelope_path": "/.well-known/mvg-governance.dsse.json",
    "authoritative_note": "Signed descriptors are authoritative; web pages are display-only."
  }
}