# MVG Receipt Ticket Binding Spec (Public-safe) — v1.0.0

This spec defines how to **bind a verification approval to an internal ticket** (JIRA / ServiceNow / etc.)
so the ticket ID becomes part of the signed countersignature payload.

## Where it lives
Ticket binding is embedded in the **countersign payload**:
- `payload.ticket.system` (string)
- `payload.ticket.id` (string)
- `payload.ticket.url` (string, optional)
- `payload.ticket_binding_sha256` (string, optional convenience)

Because the ticket object is inside the **signed payload**, it is cryptographically bound to:
- the base receipt (`base_receipt_sha256`), and
- the approver’s signature.

## Normalization rules
Verifiers should treat `(system, id)` as the canonical binding tuple.
- `system` examples: `JIRA`, `ServiceNow`, `Other`
- `id` examples: `SEC-1234`, `RISK-7781`
- `url` is optional and informational.

## Consistency checks (for threshold policies)
If an org policy requires ticket binding:
- every counted signer must include a non-empty `ticket.id`
- all counted signers must bind the **same** `(system, id)` tuple
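
The two checks above, as an added Python example (not part of the spec or of any MVG verifier code). It assumes the caller passes only the payloads of signers whose signatures already verified and who count toward the threshold; the function names, the error class, and the handling of a missing `system`, a whitespace-only `id`, and an empty signer set are assumptions made here.

```python
from typing import Any, Dict, Optional, Sequence, Tuple

class TicketBindingError(ValueError):
    """Counted countersign payloads violate a ticket-binding policy."""

def binding_tuple(payload: Dict[str, Any]) -> Optional[Tuple[str, str]]:
    """Return the canonical (system, id) tuple, or None if the payload is unbound."""
    ticket = payload.get("ticket")
    if not isinstance(ticket, dict):
        return None
    system, ticket_id = ticket.get("system"), ticket.get("id")
    # Assumption: a missing or non-string system, or a whitespace-only id, counts as unbound.
    if not isinstance(system, str) or not system:
        return None
    if not isinstance(ticket_id, str) or not ticket_id.strip():
        return None
    # Compared exactly as signed: the spec defines no case folding or trimming.
    # ticket.url is informational, so it is neither compared nor dereferenced.
    return (system, ticket_id)

def check_ticket_binding(counted: Sequence[Dict[str, Any]]) -> Tuple[str, str]:
    """Apply the policy to the payloads of signers counted toward the threshold.

    Returns the single shared (system, id) tuple or raises TicketBindingError.
    """
    if not counted:  # Assumption: an empty signer set cannot satisfy the policy.
        raise TicketBindingError("no counted signers")
    seen = set()
    for index, payload in enumerate(counted):
        bound = binding_tuple(payload)
        if bound is None:
            raise TicketBindingError(f"signer {index}: missing or empty ticket binding")
        seen.add(bound)
    if len(seen) > 1:
        raise TicketBindingError(f"signers bind different tickets: {sorted(seen)}")
    return seen.pop()

# Constructed sample payloads (not from the spec); only the ticket object is shown.
SAME_A = {"ticket": {"system": "JIRA", "id": "SEC-1234", "url": "https://jira.example/SEC-1234"}}
SAME_B = {"ticket": {"system": "JIRA", "id": "SEC-1234"}}
OTHER = {"ticket": {"system": "ServiceNow", "id": "RISK-7781"}}
EMPTY_ID = {"ticket": {"system": "JIRA", "id": ""}}
```

`SAME_A` and `SAME_B` pass together even though only one carries a `url`; pairing either with `OTHER` or `EMPTY_ID` raises `TicketBindingError`.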

## Notes
- The verifier does **not** call any ticketing APIs.
- Ticket URLs are not dereferenced; the verifier remains fully offline.

