Reviewer index (canonical)
This page is the one canonical reviewer path. It is designed to prevent drift: follow signed receipts, not scattered HTML. Missing proof never yields silent PASS.
Current machine-readable production pointer phase: READY_TO_SIGN. Public reviewer status remains HOLD until detached signatures and publication proofs are complete.
Single-source reviewer navigation. If any page text conflicts with a signed receipt, treat it as HOLD and follow the receipt.
/.well-known/mvg-prod.json (+ .asc) is the single signed production pointer.
Determine state from signature validity (fail‑closed):
missing ⇒ HOLD; invalid ⇒ FAIL; valid signature ⇒ proceed to verify referenced receipts offline.
site_release_verification_keyring_url = /trust/site-release/latest/pgp.asc · security_contact_encryption_key_url = /pgp.asc · security.txt
1) Confirm the signed production pointer
Single signed entrypoint. Treat missing or unverifiable signatures as HOLD (fail‑closed).
Verify (example): gpg --verify mvg-prod.json.asc mvg-prod.json
2) Resolve key roles (no drift questions)
Separate “verification keys” from “encrypted security contact keys”. Roles are named and fixed.
site_release_verification_keyring_url = /trust/site-release/latest/pgp.asc
security_contact_encryption_key_url = /pgp.asc
3) Verify the site release (audit‑grade)
Canonical surface: /trust/site-release/latest/. Verifier output is deterministic (PASS/HOLD/FAIL).
If anything is missing or inconsistent, treat it as HOLD and follow the signed receipts under /.well-known.
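The fail-closed mapping for the production pointer (missing ⇒ HOLD; invalid ⇒ FAIL; valid ⇒ proceed), as an added shell example that is not this site's own verifier. It assumes the pointer, its detached signature and the site release verification keyring were already downloaded to local files. The function names and the PROCEED label are this example's own, and treating an unknown, expired or revoked key as HOLD is an assumption.

```shell
#!/bin/sh
# Added example: fail-closed state for the signed production pointer.
# Mapping from the page: missing => HOLD, invalid => FAIL, valid => proceed.

# Classify `gpg --status-fd` output read from stdin.
# Assumption: BADSIG is "invalid"; anything that is not a clean GOODSIG
# (no public key, expired or revoked key, empty output) is HOLD.
classify_status() {
    status=$(cat)
    if printf '%s\n' "$status" | grep -q '^\[GNUPG:\] BADSIG '; then
        echo FAIL
    elif printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG '; then
        echo PROCEED
    else
        echo HOLD
    fi
}

# pointer_state POINTER SIGNATURE KEYRING -> prints PROCEED, HOLD or FAIL
pointer_state() {
    pointer=$1; sig=$2; keyring=$3
    # Missing or empty inputs never yield a pass.
    for f in "$pointer" "$sig" "$keyring"; do
        [ -s "$f" ] || { echo HOLD; return 0; }
    done
    # No verifier available means no proof, so HOLD.
    command -v gpg >/dev/null 2>&1 || { echo HOLD; return 0; }
    # Throwaway homedir: only the release verification keyring counts,
    # never keys already present in the reviewer's personal keyring.
    home=$(mktemp -d) || { echo HOLD; return 0; }
    chmod 700 "$home"
    if gpg --homedir "$home" --batch --quiet --import "$keyring" >/dev/null 2>&1; then
        out=$(gpg --homedir "$home" --batch --status-fd 1 \
              --verify "$sig" "$pointer" 2>/dev/null) || true
        printf '%s\n' "$out" | classify_status
    else
        echo HOLD
    fi
    rm -rf "$home"
}

# Usage (file names as on this page, fetched beforehand):
#   pointer_state mvg-prod.json mvg-prod.json.asc pgp.asc
```

PROCEED only means the pointer signature checked out; the receipts it references still have to be verified offline before any PASS.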
Human pages are display‑only
The authoritative truth surface is the set of signed receipts (JSON + detached signatures) under /.well-known and /trust/site-release/latest/releases/.
This page improves reviewer coherence but does not replace receipts.