{ "airgapped_kit": { "landing": "https://meridianverity.com/trust/airgap-verifier-kit/", "latest_receipt_dsse": "https://meridianverity.com/downloads2/MVG_Airgapped_Verifier_Kit_PUBLIC_v1.0.3.dsse.json", "latest_zip": "https://meridianverity.com/downloads2/MVG_Airgapped_Verifier_Kit_PUBLIC_v1.0.3.zip" }, "boundary": { "no_patent_license_by_publication": true, "non_binding_unless_incorporated": true, "not_a_certification": true, "not_legal_advice": true, "public_safe": true }, "contact_channels": { "dsse_url": "https://meridianverity.com/.well-known/mvg-contact.dsse.json", "json_url": "https://meridianverity.com/.well-known/mvg-contact.json", "landing": "https://meridianverity.com/trust/contact-channels/" }, "contacts": { "legal": "legal@meridianverity.com", "licensing": "licensing@meridianverity.com", "privacy": "privacy@meridianverity.com", "procurement": "procurement@meridianverity.com", "security": "security@meridianverity.com" }, "deployments": { "bucketize_opslog_pointer_dsse_signature_glob": "/.well-known/mvg-bucketize-opslog.prod.dsse.json.sig/*", "bucketize_opslog_pointer_dsse_url": "/.well-known/mvg-bucketize-opslog.prod.dsse.json", "bucketize_status_latest_url": "/trust/deployments/prod/MVG_BUCKETIZE_STATUS_LATEST.json", "bucketize_status_notes": "Bucket split/part creation evidence (signed status artifact).", "bucketize_status_role": "deploy_transaction", "latest_pointer_url": "https://meridianverity.com/trust/deployments/prod/MVG_DEPLOY_TXN_LATEST.json", "notes": [ "Public deployments evidence rail (PROD). Signed under deploy_transaction role.", "Bucketize opslog DSSE pointer is available for automation." ], "trust_mode": "PROD" }, "expires_utc": "2026-05-28T06:15:32Z", "issued_utc": "2026-02-27T06:15:32Z", "notes": [ "PROD is GO-only: policies are unchanged; required signature material is published.", "For pre-ceremony candidate/staging, use the READY_TO_SIGN channel (fail-closed if anything is missing).", "Receipts, not promises." ], "other_trust_descriptors": { "demo": "/.well-known/mvg-trust.demo.json", "note": "Prod/Demo are cryptographically and operationally separated to prevent trust-root contamination.", "prod": "/.well-known/mvg-trust.prod.json" }, "procurement_automation": { "notes": [ "Designed to plug into internal ticketing/procurement automation pipelines.", "Any missing/invalid signature MUST yield HOLD (fail-closed)." ], "one_input_pointer_dsse_url": "/.well-known/mvg-procurement-inputs.json", "status_pointer_dsse_url": "/.well-known/mvg-status.dsse.json", "ticket_pack_pointer_dsse_url": "/.well-known/mvg-procurement-ticket-pack.prod.dsse.json" }, "roles": { "deploy_transaction": { "keys": [ { "fpr": "AEEDDA89423655600605CEE2C71186016DA8C25F", "label": "MVG PROD OPS SIGNER", "status": "active" } ], "note": "Deploy transaction record role: signs public deploy txn records and pointers under /trust/deployments/prod/.", "threshold": 1 }, "procurement_inputs": { "keys": [ { "fpr": "AEEDDA89423655600605CEE2C71186016DA8C25F", "label": "MVG PROD OPS SIGNER", "status": "active" } ], "note": "Procurement inputs role: signs the procurement 'one-input' DSSE pointer.", "threshold": 1 }, "root_trust": { "keys": [ { "fpr": "4A275036B495085C8BE7B69D9587C80A512C776C", "label": "PROD ROOT 1", "status": "active" }, { "fpr": "EA068B8ED0A8486645830D08FD91897F01A3D7D9", "label": "PROD ROOT 2", "status": "active" }, { "fpr": "7C651C7A7C074C23691AB2197C52EA11A0D42307", "label": "PROD ROOT 3", "status": "active" } ], "note": "Root/Trust role: multi-sig threshold required to authenticate trust descriptor(s) and contact descriptor.", "threshold": 2 }, "site_release": { "keys": [ { "fpr": "70FE48225463D34063E024D9C9E4797A0678908B", "label": "PROD RELEASE ACTIVE", "status": "active" }, { "fpr": "1F7F1CD7A1AF6EA978949973C23DAAEDC798D319", "label": "PROD RELEASE STAGED", "status": "staged" } ], "note": "Site Release role: signs manifests/headchains/feeds/attestations under multi-sig directories.", "threshold": 1 }, "status_aggregate": { "keys": [ { "fpr": "AEEDDA89423655600605CEE2C71186016DA8C25F", "label": "MVG PROD OPS SIGNER", "status": "active" } ], "note": "Status aggregate role: signs MVG status aggregator artifacts and DSSE pointers.", "threshold": 1 } }, "schema": "mvg.trust_descriptor@2", "schema_version": "2.0.0", "self": { "dsse_signature_note": "DSSE is optional; PGP (.asc / .sig) is the primary signature surface.", "dsse_url": "/.well-known/mvg-trust.dsse.json", "json_signature_url": "/.well-known/mvg-trust.prod.json.asc", "json_url": "/.well-known/mvg-trust.prod.json", "note": "Signatures are detached ASCII armor files under .sig/.asc. Verifiers MUST enforce thresholds.", "sig_dir": "/.well-known/mvg-trust.prod.json.sig/" }, "site_release": { "evidence_bundle_url": "/trust/site-release/latest/releases/MVG_SiteRelease_Evidence_Bundle_MVG-SITE-PROD-20260227.3.zip", "feed_sig_dir": "/trust/site-release/latest/releases/MVG_SITE_RELEASE_FEED.json.sig/", "feed_signature_url": "/trust/site-release/latest/releases/MVG_SITE_RELEASE_FEED.json.asc", "feed_url": "/trust/site-release/latest/releases/MVG_SITE_RELEASE_FEED.json", "headchain_sig_dir": "/trust/site-release/latest/releases/MVG_SITE_RELEASE_HEADCHAIN_MVG-SITE-PROD-20260227.3.json.sig/", "headchain_signature_url": "/trust/site-release/latest/releases/MVG_SITE_RELEASE_HEADCHAIN_MVG-SITE-PROD-20260227.3.json.asc", "headchain_url": "/trust/site-release/latest/releases/MVG_SITE_RELEASE_HEADCHAIN_MVG-SITE-PROD-20260227.3.json", "integrity_policy": { "fail_closed": true, "note": "Unsigned/partial publication MUST be treated as HOLD. Missing required signatures MUST be HOLD." }, "key_lifecycle_policy_url": "/trust/site-release/latest/policy/MVG_KEY_LIFECYCLE_POLICY_v1.json", "latest_manifest_url": "/trust/site-release/latest/releases/MVG_SITE_RELEASE_MANIFEST_MVG-SITE-PROD-20260227.3.json", "latest_site_release_id": "MVG-SITE-PROD-20260227.3", "manifest_sig_dir": "/trust/site-release/latest/releases/MVG_SITE_RELEASE_MANIFEST_MVG-SITE-PROD-20260227.3.json.sig/", "manifest_url": "/trust/site-release/latest/releases/MVG_SITE_RELEASE_MANIFEST_MVG-SITE-PROD-20260227.3.json", "pinned_site_release_signing_fingerprint": "70FE48225463D34063E024D9C9E4797A0678908B", "pubkey_fingerprint": "DEC99F1CF78053D348005695B5F524661B9C66D0", "pubkey_url": "/trust/site-release/latest/pgp.asc", "publish_txn_record_url": "/trust/site-release/latest/releases/MVG_PUBLISH_TXN_RECORD_MVG-SITE-PROD-20260227.3_v1.json", "release_test_attestation_policy": "required", "release_test_attestation_sig_dir": "/trust/site-release/latest/releases/MVG_SITE_RELEASE_TEST_ATTESTATION_MVG-SITE-PROD-20260227.3_v1.json.sig/", "release_test_attestation_signature_url": "/trust/site-release/latest/releases/MVG_SITE_RELEASE_TEST_ATTESTATION_MVG-SITE-PROD-20260227.3_v1.json.asc", "release_test_attestation_url": "/trust/site-release/latest/releases/MVG_SITE_RELEASE_TEST_ATTESTATION_MVG-SITE-PROD-20260227.3_v1.json", "rollover_policy": { "headchain_dual_sign": { "enforced_by": "headchain.key_rollover_entry", "rule": "If HEADCHAIN.issued_utc <= key_rollover.dual_sign_required_until_utc then require OLD+NEW signatures for HEADCHAIN (bridge window). After that UTC, NEW-only is allowed (subject to key status)." }, "schema": "mvg.key_rollover_policy@1" }, "signature_url": "/trust/site-release/latest/releases/MVG_SITE_RELEASE_MANIFEST_MVG-SITE-PROD-20260227.3.json.asc", "site_release_root": "/trust/site-release/latest" }, "standards": { "canonical_surface": "https://meridianverity.com/standards/", "pinned_artifact_signing_fingerprint": "6075A8FD8EDBD3FC2B9108324933EB1FE08BCFF8", "zenodo_record": "https://zenodo.org/records/18623859" }, "trust_mode": "PROD" }