# MVG Org Signing Service (Mock) — curl examples (v23)

These examples are designed for a **copy/paste internal PoC**.

## 0) Start the mock server (local)

```bash
node server.mjs --port 8080 --provider local
# or: --provider aws-kms | azure-keyvault (stubs)
```

## 1) Export a signing request from MVG `/verify`

On `https://meridianverity.com/verify/`:
- verify a sample pack (PASS)
- click **Download signing request**
- save it as `signing_request.json`

## 2) Fetch org anchors + sign the report via HTTP

```bash
mkdir -p out
BASE_URL="http://localhost:8080"

curl -s "$BASE_URL/v1/bootstrap-public" -o out/org_bootstrap_public.json
curl -s "$BASE_URL/v1/trust-anchor-snapshot" -o out/org_trust_anchor_snapshot.dsse.json

curl -s \
  -H "content-type: application/json" \
  --data @signing_request.json \
  "$BASE_URL/v1/sign-report" \
  -o out/signed_report.dsse.json
```

## 3) Verify anchored PASS in-browser

On `https://meridianverity.com/verify/` → **Org signer (anchored)**:
- upload `out/org_bootstrap_public.json`
- upload `out/org_trust_anchor_snapshot.dsse.json`
- upload `out/signed_report.dsse.json`
- click **Verify org‑anchored** → PASS

## 4) Single-call bundle (optional)

```bash
curl -s \
  -H "content-type: application/json" \
  --data @signing_request.json \
  "$BASE_URL/v1/demo/bundle" \
  -o out/bundle.json
```

This response contains `{bootstrap_public, trust_anchor_snapshot_dsse, signed_report_dsse}` for convenience.