# MVG Attachment Naming Convention Spec (Public)

**Version:** v1.0.0  
**Status:** Public‑safe, informational. **Non‑binding unless incorporated into a fully executed agreement.**

## Purpose
Provide a deterministic, low‑friction naming convention for attachments generated by MVG offline verifiers so Security, Legal, Procurement, and Audit can reconcile artifacts without ambiguity (including when artifacts are printed to PDF).

This convention is intentionally simple:
- Human‑legible
- Ticket‑system friendly
- Deterministic (keyed by a single verifier‑computed identifier)

## Definitions
- **Approval ID:** A deterministic identifier computed by an MVG offline verifier from verified inputs. It is printed in the audit summary and included in JSON receipts.
- **ApprovalShort:** A short code derived from the Approval ID for easy filename matching. It is printed alongside the Approval ID.

## Canonical filenames
Use the same **`<ApprovalShort>`** across attachments that belong to the same verification run:

1. `MVG_AuditSummary_<ApprovalShort>.pdf`  
   One‑page print summary from the verifier (PASS/FAIL/HOLD + identifiers + boundary language).

2. `MVG_CountersignedApproval_<ApprovalShort>.json`  
   A countersigned internal approval receipt (ticket‑bound, threshold‑evaluated) when applicable.

3. `MVG_KitSupplyChainReceipt_<ApprovalShort>.json`  
   Air‑gapped kit supply‑chain verification receipt (includes kit SHA‑256 + keyring snapshot hash + commitments/headchain verdicts).

## Rules
- ASCII filenames only.
- Use underscores (`_`) and hyphens (`-`) only; **avoid spaces**.
- Do **not** modify or “pretty‑format” `<ApprovalShort>`.
- If your internal process requires adding a ticket reference, keep `<ApprovalShort>` intact. Example (optional internal convention):
  - `MVG_AuditSummary_<ApprovalShort>__JIRA-12345.pdf`

## Reconciliation checklist (offline)
- The PDF print summary contains **Approval ID** and **ApprovalShort**.
- JSON receipts contain the same **Approval ID** and usually embed the same **ApprovalShort** in the suggested attachment names.
- Auditors can replay verification offline by re‑running the verifier with the same artifacts and comparing the Approval ID and hashes.

## Boundary language
- Outputs are informational and **non‑binding unless signed**.
- Public materials do not grant any patent license (**no license by publication**).
- Verifiers are not compliance certifications and do not constitute legal advice.