Governance

A procurement-friendly governance surface: what we do, how releases are stopped, how to escalate, and how incidents are handled. This page is intentionally high-level (public-safe). Signed descriptors are authoritative; pages are display-only.

What we do

We build fail‑closed safety infrastructure for high-risk automation: if evidence is missing or unverifiable, the correct output is HOLD (not GO). Review is designed to be offline, reproducible, and ticket-friendly.

Who can stop a release

Any single designated safety authority may stop a release. Default posture is conservative: uncertainty ⇒ HOLD. Production rails remain fail‑closed until required signatures and evidence are published.

Escalation path

Use published channels. If a message claims to represent MVG but is not from @meridianverity.com, treat it as HOLD and report.

Incident response posture

Coordinated disclosure and severity-based triage. We publish public-safe receipts where appropriate and keep exploit details and internal runbooks private.

Governance descriptor (receipt)

Machine-readable governance surface. Detached signature: /.well-known/mvg-governance.json.asc. Missing or placeholder ⇒ HOLD (fail‑closed by design). Pages are display-only.
Offline verify: gpg --verify .well-known/mvg-governance.json.asc .well-known/mvg-governance.json
Expected: Good signature (pinned fingerprint). Missing/invalid ⇒ HOLD.
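
The gpg exit status alone only shows that some key in the local keyring made the signature, so this added example (not MVG's own code) wraps the offline verify command above in a fail-closed gate that also compares the signer with the pinned fingerprint. The names mvg_gate and MVG_PINNED_FPR are hypothetical, the fingerprint is a placeholder because this page does not publish it, and treating a signature file without a PGP armor header as a placeholder is an assumption.

```bash
#!/usr/bin/env bash
# Added example: fail-closed gate around the page's offline verify command.
# MVG_PINNED_FPR and mvg_gate are hypothetical names; the real pinned
# fingerprint is not on this page and must come from a trusted channel.
PINNED_FPR="${MVG_PINNED_FPR:-REPLACE_WITH_PINNED_FINGERPRINT}"

# Print the verdict on stdout and the reason on stderr.
hold() { echo "HOLD"; echo "reason: $1" >&2; }

mvg_gate() {
  local root="${1:-.}"
  local doc="$root/.well-known/mvg-governance.json"
  local sig="$doc.asc"
  local pin status

  # Normalise the pin: drop spaces, upper-case, require 40 hex digits.
  pin=$(printf '%s' "$PINNED_FPR" | tr -d ' ' | tr 'a-f' 'A-F')
  case "$pin" in
    *[!0-9A-F]*|"") hold "no pinned fingerprint configured"; return 1 ;;
  esac
  [ "${#pin}" -eq 40 ] || { hold "pinned fingerprint is not 40 hex digits"; return 1; }

  # Missing or placeholder artefacts never reach gpg.
  [ -s "$doc" ] || { hold "descriptor missing or empty"; return 1; }
  [ -s "$sig" ] || { hold "detached signature missing or empty"; return 1; }
  grep -q -- '-----BEGIN PGP SIGNATURE-----' "$sig" \
    || { hold "signature file is a placeholder"; return 1; }
  command -v gpg >/dev/null 2>&1 || { hold "gpg not installed"; return 1; }

  # Exit status 0 only says that a key in the keyring signed the file.
  status=$(gpg --batch --status-fd 1 --verify "$sig" "$doc" 2>/dev/null) \
    || { hold "signature did not verify"; return 1; }

  # VALIDSIG carries the signing key fingerprint ($3) and, as its last
  # field, the primary key fingerprint; one of them must equal the pin.
  printf '%s\n' "$status" | awk -v p="$pin" \
    '$2 == "VALIDSIG" && ($3 == p || $NF == p) { ok = 1 } END { exit !ok }' \
    || { hold "good signature, but not from the pinned key"; return 1; }

  echo "GO"
}
# Usage: mvg_gate /path/to/site-root   (prints GO or HOLD; exit 0 only on GO)
```

With the placeholder pin left in place the gate returns HOLD for every input, which matches the page's rule that a missing or placeholder value is never a GO.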

Disclosure scope (public-safe)

Names, key-ceremony details, internal network topology, and incident runbooks are intentionally withheld. Procurement can request the KYB packet under NDA if required.