# MVG Org Signer (Strict Template) — curl examples (v23.5)

This document shows a *big-tech intake friendly* flow:
**signing request → org signing service → signed report DSSE → upload to /verify → anchored PASS**.

## 0) Start the mock server

```bash
node server.mjs --port 8080 --backend local --allow-alias alias/mvg-report-signer
```

Health, OpenAPI and the active signing policy (the policy shows which key aliases the server will sign with):

```bash
curl -s http://localhost:8080/healthz | jq .
curl -s http://localhost:8080/openapi.yaml | head
curl -s http://localhost:8080/v1/policy | jq .
```

## 1) Sign a report (STRICT)

Assume you already have a signing request JSON exported from MeridianVerity /verify, here
`HALTSEAL_signing_request.json`.

Send it to the strict endpoint with an **Idempotency-Key** header:

```bash
IDEMP=$(uuidgen | tr '[:upper:]' '[:lower:]')
curl -sS -X POST http://localhost:8080/v1/sign-report-strict \
  -H "content-type: application/json" \
  -H "Idempotency-Key: $IDEMP" \
  --data @HALTSEAL_signing_request.json \
  | tee signing_response.json | jq .
```

Extract the DSSE envelope:

```bash
jq -c '.signed_report_dsse' signing_response.json > signed_report.dsse.json
```

## 2) Verify in browser

Go to:
- https://meridianverity.com/verify/

In **Org signer (anchored)**:
- upload `org_bootstrap_public.json`
- upload `org_trust_anchor_snapshot.dsse.json`
- upload `signed_report.dsse.json`
- click **Verify org‑anchored** → PASS

## 3) Idempotency behavior (expected)

Replaying the same request body with the same Idempotency-Key MUST return the same response
(same DSSE envelope, same audit receipt), not a second signature. Printing the request hash is the quick check;
the replay body should also be byte-for-byte identical to `signing_response.json` from step 1:

```bash
curl -sS -X POST http://localhost:8080/v1/sign-report-strict \
  -H "content-type: application/json" \
  -H "Idempotency-Key: $IDEMP" \
  --data @HALTSEAL_signing_request.json \
  | tee replay_response.json | jq '.audit_receipt.request_hash_sha256'

# The whole response must match, not just the hash (jq -S sorts keys before comparing).
diff <(jq -S . signing_response.json) <(jq -S . replay_response.json) && echo "replay identical"
```

If you change any field that affects the request hash and reuse the same Idempotency-Key,
the server returns **409 Conflict**: the key is bound to the first request body it was used with,
so a different body under the same key is refused rather than signed.

## 4) Key alias policy

The allowlist is the set of `--allow-alias` values the server was started with (step 0).
If `kms.key_alias` in the request is not allowlisted, the server returns **403** and nothing is signed.
