# MVG Org Signing Service — DSSE/PAE Integration Spec (v23)

This bundle is intended for an **enterprise PoC**.

**Goal:** sign a `/verify` DSSE signing request using a **customer‑managed org signer** and return an **org‑anchored DSSE envelope** that `/verify` can validate.

- **No private key is shipped by MVG**: every signing key is customer‑managed
- **DSSE v1 envelopes with PAE** (pre‑authentication encoding: the signature covers the payload type and the payload bytes together, so a payload cannot be re‑labelled as a different type)
- Bring‑your‑own trust anchors (bootstrap key + trust‑anchor snapshot, with an optional witness co‑signature threshold)

## Pluggable signer backend slot

The mock server is built around a signer backend interface (`providers/`):
- `local`: in-memory Ed25519 keys (PoC)
- `aws-kms`: stub hook (bring your own org signing service / KMS bridge)
- `azure-keyvault`: stub hook

In production, keep private keys in a KMS/HSM and expose only public material (bootstrap key + trust‑anchor snapshot) and DSSE signatures; private key bytes never leave the signer backend.

## Files
- `MVG_OrgSigner_OpenAPI_v22.yaml` — OpenAPI schema
- `MVG_OrgSigner_curl_examples_v22.md` — copy/paste PoC commands
- `MVG_OrgSigner_MockServer_v22.zip` — local mock server (no deps)
- v21 assets remain available:
  - `MVG_OrgSigner_CLI_v21.zip` (no‑deps CLI)
  - `MVG_OrgSigner_Integration_Spec_v21.md` (full schema notes)

## Minimal flow (high level)
1) `/verify` exports a **DSSE signing request** (`mvg.dsse_signing_request@1`)
2) Your org signer:
   - exposes an org bootstrap public key (pinned by `/verify` out of band)
   - exposes a DSSE‑signed trust‑anchor snapshot listing the report signer public keys (bootstrap signature required, witness co‑signatures optional)
   - signs the DSSE PAE of the request payload and returns `signed_report.dsse.json`
3) `/verify` validates, in this order:
   - the snapshot DSSE using the pinned bootstrap key
   - the witness co‑signature threshold (if one is configured)
   - the report DSSE using a signer public key anchored in the snapshot; a report signed by any key the snapshot does not list is rejected
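
The three steps above, end to end, as an added example that is not code from the MVG bundle: a stand-in for the `local` backend generates in-memory Ed25519 keys, signs a snapshot and a report over DSSE v1 PAE, and a `/verify`-side function checks the snapshot under the pinned bootstrap key, enforces the witness threshold, and only then accepts the report under a snapshot-anchored signer. The key ids (`org-bootstrap`, `witness-1`, `org-signer-1`), the snapshot body shape (a JSON map of keyid to base64 public key), the snapshot payloadType and the report body are all assumptions made for this example, not values from the OpenAPI schema; only the envelope layout and the PAE rule are DSSE v1 as specified.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strconv"
)

// DSSE v1 envelope: payloadType, base64 payload, one or more signatures.
type Signature struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"`
}
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"`
	Signatures  []Signature `json:"signatures"`
}

// PAE is the DSSE v1 pre-authentication encoding that is actually signed:
// "DSSEv1" SP LEN(type) SP type SP LEN(body) SP body, LEN in decimal ASCII.
func PAE(payloadType string, body []byte) []byte {
	h := "DSSEv1 " + strconv.Itoa(len(payloadType)) + " " + payloadType + " " + strconv.Itoa(len(body)) + " "
	return append([]byte(h), body...)
}

func NewEnvelope(payloadType string, body []byte) Envelope {
	return Envelope{PayloadType: payloadType, Payload: base64.StdEncoding.EncodeToString(body)}
}

// Sign appends a signature over PAE(type, body); the same call produces the
// bootstrap signature, witness co-signatures and the report signature.
func Sign(env *Envelope, keyID string, priv ed25519.PrivateKey) {
	body, _ := base64.StdEncoding.DecodeString(env.Payload)
	sig := ed25519.Sign(priv, PAE(env.PayloadType, body))
	env.Signatures = append(env.Signatures, Signature{KeyID: keyID, Sig: base64.StdEncoding.EncodeToString(sig)})
}

// VerifyEnvelope recomputes the PAE from the decoded payload (never trusting
// "signed bytes" the sender supplies) and returns the body plus the keyids that
// verified. Unknown keyids and bad signatures are skipped; the caller applies
// its threshold policy to the returned set.
func VerifyEnvelope(env Envelope, keys map[string]ed25519.PublicKey) ([]byte, map[string]bool, error) {
	body, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return nil, nil, fmt.Errorf("payload: %w", err)
	}
	pae, valid := PAE(env.PayloadType, body), map[string]bool{}
	for _, s := range env.Signatures {
		sig, err := base64.StdEncoding.DecodeString(s.Sig)
		if pub, known := keys[s.KeyID]; known && err == nil && ed25519.Verify(pub, pae, sig) {
			valid[s.KeyID] = true
		}
	}
	if len(valid) == 0 {
		return nil, nil, fmt.Errorf("no valid signature from a trusted key")
	}
	return body, valid, nil
}

// VerifyReport is the /verify side. bootstrap (keyid "org-bootstrap") and the
// witness keys are pinned out of band; the snapshot body is assumed here to be
// a JSON map keyid -> base64 Ed25519 public key of the permitted report signers.
func VerifyReport(bootstrap ed25519.PublicKey, witnesses map[string]ed25519.PublicKey, threshold int,
	snapEnv, reportEnv Envelope) ([]byte, error) {
	trusted := map[string]ed25519.PublicKey{"org-bootstrap": bootstrap}
	for id, k := range witnesses {
		trusted[id] = k
	}
	snapBody, valid, err := VerifyEnvelope(snapEnv, trusted)
	if err != nil || !valid["org-bootstrap"] {
		return nil, fmt.Errorf("snapshot: not signed by the pinned bootstrap key (%v)", err)
	}
	// valid only ever holds trusted keyids, so everything besides bootstrap is a witness.
	if witnessed := len(valid) - 1; witnessed < threshold {
		return nil, fmt.Errorf("snapshot: %d witness co-signatures, threshold %d", witnessed, threshold)
	}
	var anchored map[string]string
	if err := json.Unmarshal(snapBody, &anchored); err != nil {
		return nil, fmt.Errorf("snapshot body: %w", err)
	}
	signers := map[string]ed25519.PublicKey{} // only keys the snapshot anchors may sign reports
	for id, b64 := range anchored {
		raw, err := base64.StdEncoding.DecodeString(b64)
		if err != nil || len(raw) != ed25519.PublicKeySize { // ed25519.Verify panics on a wrong-size key
			return nil, fmt.Errorf("snapshot: malformed signer key %q", id)
		}
		signers[id] = ed25519.PublicKey(raw)
	}
	body, _, err := VerifyEnvelope(reportEnv, signers)
	if err != nil {
		return nil, fmt.Errorf("report: %w", err)
	}
	return body, nil
}

// Fixture stands in for the org signer's "local" backend with fresh in-memory
// keys: bootstrap, one witness, one report signer. Key ids, the snapshot
// payloadType and the report body are constructed sample values.
func Fixture() (bootstrap ed25519.PublicKey, witnesses map[string]ed25519.PublicKey, snap, report Envelope) {
	bootPub, bootPriv, _ := ed25519.GenerateKey(rand.Reader)
	witPub, witPriv, _ := ed25519.GenerateKey(rand.Reader)
	sigPub, sigPriv, _ := ed25519.GenerateKey(rand.Reader)
	snapBody, _ := json.Marshal(map[string]string{"org-signer-1": base64.StdEncoding.EncodeToString(sigPub)})
	snap = NewEnvelope("application/vnd.mvg.trust-anchor-snapshot+json", snapBody)
	Sign(&snap, "org-bootstrap", bootPriv)
	Sign(&snap, "witness-1", witPriv)
	report = NewEnvelope("mvg.dsse_signing_request@1", []byte(`{"report_id":"poc-1","verdict":"pass"}`))
	Sign(&report, "org-signer-1", sigPriv)
	return bootPub, map[string]ed25519.PublicKey{"witness-1": witPub}, snap, report
}

func main() {
	boot, wit, snap, report := Fixture()
	body, err := VerifyReport(boot, wit, 1, snap, report)
	fmt.Printf("report body: %s, err: %v\n", body, err)
}
```

Two details matter for a real backend: the verifier must recompute the PAE from the decoded payload rather than accept any pre-encoded bytes in the request, and the set of keys allowed to sign reports must come only from the bootstrap-signed snapshot, never from the report envelope itself. Swapping `Fixture` for a KMS-backed signer changes only where `ed25519.Sign` runs; the envelope, PAE and verification logic stay the same.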

## Endpoint contract
See `MVG_OrgSigner_OpenAPI_v22.yaml`.

## Quick PoC
See `MVG_OrgSigner_curl_examples_v22.md`.
