Procurement kit

Procurement‑grade deliverables — verified offline.

Acceptance criteria and audit‑ready artifacts that yield deterministic PASS/FAIL/HOLD, replayable receipts, and fail‑closed gates.

STEP 1

Attach 1 URL (DSSE)

One canonical DSSE pointer for your internal ticket. Detached signatures are authoritative; if they are unpublished, the correct result is intentional HOLD (fail-closed).

STEP 2

Verify offline (2 min)

Unzip + run. Deterministic GO/HOLD. Any mismatch ⇒ HOLD/FAIL with tamper evidence.

STEP 3

Attach 3 items

Auditor attachments with deterministic naming + bundle manifest (SHA‑256). No uploads.

STEP 4

Map to controls

SOC 2 / ISO 27001 / NIST CSF + OWASP Agentic ↔ MVG. Jump to evidence pointers and offline verification hints.

STEP 5

Decide & escalate

GO only with verifiable evidence. HOLD on uncertainty. FAIL on mismatch — escalate before proceeding.

Enterprise signals: observed buyer asks

Enterprise asks we’re hearing

A compact translation of current agentic-AI diligence asks into evidence reviewers can score offline.

RFP ask: How do you quantify reliability for agentic workflows?
Evidence: Metrics, acceptance thresholds, and offline replay receipts.

RFP ask: Is evaluation part of the production pipeline, not just the lab?
Evidence: Run receipts, regression vectors, and drift signals.

RFP ask: Can our team verify without framework lock-in?
Evidence: Protocol-agnostic receipts and portable conformance packs.

RFP ask: How do you prevent permissions gaps from becoming agent leakage?
Evidence: Scoped permits per connector, deny-by-default gates, and exfil vectors.

Signals summarized from Snowflake AI + Data Predictions 2026.

Attach to ticket: 1 URL

Attach one canonical DSSE URL to your internal ticket. It resolves to the latest Ticket Pack + status + evidence pointers. Detached procurement signatures under *.sig/ are authoritative; if they are unpublished, HOLD is intentional and the signing ceremony runbook tells you exactly what is missing.

https://meridianverity.com/.well-known/mvg-procurement-inputs.json
https://meridianverity.com/.well-known/mvg-procurement-ticket-pack.dsse.json

Links: Open DSSE viewer (Packet + Proof) · Signing ceremony runbook · Download PROD bundle (canonical) · Download compatibility sample bundle · 2-minute verify

2-minute verify (no uploads): unzip the bundle you actually downloaded, then run the matching mode. Canonical public path: PROD.

# PROD bundle (canonical)
python3 verify_ticket_pack.py --trust-mode prod

# Optional compatibility sample bundle
python3 verify_ticket_pack.py --trust-mode demo

Current public truth: if detached signatures remain unpublished, the canonical public result stays HOLD. Publication-complete expected result: PROD bundle + --trust-mode prod ⇒ GO (exit 0); compatibility sample bundle + --trust-mode demo ⇒ GO. Mixed bundle/mode pairings or unpublished signatures ⇒ HOLD/FAIL (fail-closed). The bundled verifier does not accept ready_to_sign.
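To make the verdict rules above concrete, here is an added Python illustration of the fail-closed logic; it is not the kit's own verify_ticket_pack.py. It assumes a bundle is a dict of file bytes plus a SHA256SUMS manifest, a trust_mode label and an optional detached signature; the HMAC signer is a constructed stand-in for the real detached DSSE signature, and the exit codes for HOLD and FAIL are assumed.

```python
import hashlib
import hmac

GO, HOLD, FAIL = "GO", "HOLD", "FAIL"
EXIT_CODE = {GO: 0, HOLD: 2, FAIL: 1}   # GO=0 is stated on the page; 1 and 2 are assumed
STAND_IN_KEY = b"constructed-demo-key"  # placeholder: real bundles carry asymmetric DSSE signatures

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def canonical_sums(sums: dict) -> bytes:
    """SHA256SUMS text in sorted order, so the bytes that get signed are reproducible."""
    return "".join(f"{sums[n]}  {n}\n" for n in sorted(sums)).encode()

def stand_in_sign(payload: bytes) -> bytes:
    """HMAC stand-in for the detached signature (constructed for this example only)."""
    return hmac.new(STAND_IN_KEY, payload, "sha256").digest()

def stand_in_verify(payload: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(stand_in_sign(payload), sig)

def make_bundle(trust_mode: str, files: dict, sig):
    """Constructed sample bundle: file bytes, their manifest, and an optional detached sig."""
    sums = {name: sha256_hex(data) for name, data in files.items()}
    return {"trust_mode": trust_mode, "files": files, "SHA256SUMS": sums, "sig": sig}

def verify_ticket_pack(bundle: dict, requested_mode: str, verify_sig=None):
    """Return (verdict, reason_code); every unexpected state ends in HOLD or FAIL."""
    if requested_mode not in ("prod", "demo"):          # e.g. ready_to_sign is rejected
        return FAIL, "TRUST_MODE_UNSUPPORTED"
    files, sums = bundle.get("files", {}), bundle.get("SHA256SUMS", {})
    if set(files) != set(sums):                          # missing or extra files
        return FAIL, "MANIFEST_INCOMPLETE"
    for name, digest in sums.items():                    # per-file tamper evidence
        if sha256_hex(files[name]) != digest:
            return FAIL, "DIGEST_MISMATCH:" + name
    if bundle.get("trust_mode") != requested_mode:       # mixed bundle/mode pairing
        return HOLD, "BUNDLE_MODE_PAIRING"
    sig = bundle.get("sig")
    if sig is None:                                      # detached signature unpublished
        return HOLD, "SIGNATURE_UNPUBLISHED"
    if verify_sig is None:                               # degraded mode stays fail-closed
        return HOLD, "VERIFIER_UNAVAILABLE"
    if not verify_sig(canonical_sums(sums), sig):
        return FAIL, "SIGNATURE_INVALID"
    return GO, "OK"
```

Note that a missing verifier and a missing signature both land on HOLD rather than GO, which is the property the acceptance criteria call fail-closed.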

Policy one-pager: Rollback guard + cache keys + bootstrap governance. Ceremony: exact signing runbook.

Pilot‑in‑a‑Box (30 / 60 / 90 days)

A licensing‑friendly pilot package: timeline + deliverables + deterministic acceptance criteria (PASS/FAIL/HOLD). Designed so your procurement/security team can close on one ticket with replayable evidence.

30 days

Integrate + verify. Ship a replayable evidence pack fast.

  • Receipt Finder + DSSE viewer workflow
  • Signed sample / compatibility pack + offline verifier
  • Acceptance: canonical PROD bundle => GO on --trust-mode prod; optional compatibility sample bundle => GO on --trust-mode demo
60 days

Controls language. Map to SOC 2 / ISO / NIST + OWASP Agentic.

  • Controls mapping packs attached to ticket
  • Evidence pointers + expected outputs
  • Acceptance: deterministic PASS/FAIL/HOLD offline
90 days

Production posture. Offline keys + ceremony rail, fail‑closed gates.

  • Identity + AIMS + Safety‑IR receipts rails
  • Signed advisories log (append‑only)
  • Acceptance: prod gates = GO (or explicit HOLD reason)
https://meridianverity.com/downloads/MVG_HALTSEAL_Pilot_in_a_Box_v1.0.2_PUBLIC_SAFE.zip

Links: Download kit · Open Trust Center · Open Receipt Finder · Ticket pack pointers

Attach 3 items

Ticket‑ready attachments, matchable by a single Approval short code.

MVG_AuditSummary_.pdf
MVG_CountersignedApproval_.json
MVG_KitSupplyChainReceipt_.json

Naming rule: MVG_<Artifact>_<ApprovalShort>.<ext> — ApprovalShort is printed in the PDF and embedded in JSON receipts.

Print diligence summary · Print assurance summary · Print kit supply‑chain summary

Reviewer‑generated, offline‑verifiable artifacts.

Changed since last review (repeat-review operating surface)

Falsification Receipt is the standards name for the replay object behind local, witnessed, and challenged outcomes.

Front-door trust asset: independently witnessed HOLD. Public spec text remains subject to revision as witnessed replay matures.

Witness pack: frozen · Replay window: open · No corroboration yet

Minimum requirements + acceptances

What buyers can score. What sellers must prove.

Requirements (SHALL)
  • P1 Deliver artifacts: policy IDs, validator outputs, receipts, permits, conformance packs.
  • P2 Deterministic PASS/FAIL/HOLD with stable reason codes + declared scope.
  • P3 Receipts replayable under pinned versions + canonicalization.
  • P4 Fail‑closed gates at declared control points (block on HOLD/FAIL).
  • P5 Permits minted only after PASS; scope + TTL bounded.
  • P6 Retention + auditor replay support for the agreed window.
Acceptance (buyer‑run)
  • P1 Validate signatures + required fields.
  • P2 Run test vectors; reproduce expected outcomes incl. negatives.
  • P3 Replay a sample using only conformance pack + allowed evidence handles.
  • P4 Demonstrate deterministic blocking at each control point in scope.
  • P5 Audit sampling shows no in‑scope side effects without a valid permit.
  • P6 Replay succeeds within retention; degraded mode remains fail‑closed.
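
The permit and gate requirements (P4, P5) as an added Python illustration, not Meridian Verity's own code. It assumes a permit is canonical JSON carrying scope, audience (aud), iat and exp, protected by a constructed HMAC stand-in rather than a real DSSE signature; the reason codes are invented for the example.

```python
import hmac
import json

KEY = b"constructed-demo-key"   # placeholder; real permits would be DSSE-signed, not HMAC'd

def _payload(body: dict) -> bytes:
    """Canonical JSON so the minted and checked bytes are identical."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def mint_permit(verdict: str, scope: list, audience: str, ttl_s: int, now: int):
    """P5: mint only after PASS; scope, audience and TTL are bound into the permit."""
    if verdict != "PASS":
        return None                           # HOLD/FAIL never yields a permit
    body = {"scope": sorted(scope), "aud": audience, "iat": now, "exp": now + ttl_s}
    return {"body": body, "mac": hmac.new(KEY, _payload(body), "sha256").hexdigest()}

def gate(permit, action: str, audience: str, now: int):
    """P4: deny-by-default control point. Returns (allowed, reason_code)."""
    if permit is None:
        return False, "NO_PERMIT"
    body = permit["body"]
    expected = hmac.new(KEY, _payload(body), "sha256").hexdigest()
    if not hmac.compare_digest(expected, permit["mac"]):
        return False, "PERMIT_TAMPERED"
    if body["aud"] != audience:               # permit minted for another connector
        return False, "AUDIENCE_MISMATCH"
    if not (body["iat"] <= now < body["exp"]):   # TTL bound
        return False, "PERMIT_EXPIRED"
    if action not in body["scope"]:           # scope bound
        return False, "OUT_OF_SCOPE"
    return True, "OK"
```

Audit sampling under P5 then reduces to checking that every in-scope side effect is paired with a gate call that returned (True, "OK").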
Deep dive (30 min)

What we show

  • Pick one action surface: egress or dispatch.
  • Show fail‑closed behavior: missing/stale/unverifiable → HOLD + block.
  • Export receipts designed for Security review.
Under NDA · Clean

What you get

  • Evidence schema + reason code registry + test vectors.
  • Integration details for your enforcement chokepoint.
  • Pilot plan + acceptance criteria for production hardening.

SOC 2 / ISO 27001 mapping (illustrative)

Which artifacts can be submitted as audit evidence. (Not legal advice.)

Verify offline

Artifact | Evidence | SOC 2 | ISO 27001 | How to verify
Evidence Pack (manifest + SHA256SUMS) | Completeness + tamper‑evidence of the audit bundle | Security + Change Mgmt | Change Mgmt • Evidence integrity | /verify offline replay
Pinned registry snapshots | Policy/version pinning; drift‑resistant semantics | Change Mgmt | Configuration • Change Mgmt | /verify pins + snapshot IDs
Deterministic PASS/FAIL/HOLD | Control operation with fail‑closed behavior | System Ops | Monitoring • Operational controls | /verify verdict reproduction
Reason codes (stable) | Explainable enforcement decisions under pinned semantics | Monitoring + Incident response | Monitoring • Event analysis | /verify reason registry
IAL receipts (hash‑chained) | Append‑only accountability trail (who/what/why) | Logging + Monitoring | Logging • Monitoring | /verify receipts integrity
Permits (scope + TTL + audience) | Pre‑action authorization bounds | Logical access | Access control | Permit validation
Signed Conformance Report export | Machine‑ingestable evidence for GRC & auditors | Reporting | Audit evidence | Download JSON / signed DSSE
This mapping is illustrative. Your auditor defines scope and applicable control statements.