# SCITT Bridge (export-only)

This directory provides a **bridge/export view** of MVG’s evidence artifacts into the **SCITT “Signed Statement” mental model**.

**Important:** this is **export-only**:
- MVG artifacts (PGP + DSSE pointers + chain) remain the **authoritative** evidence format.
- This bridge does **not** submit anything to any external service.
- The export is **not a COSE encoding**. It’s a deterministic JSON mapping that SCITT tooling teams can convert/wrap if they choose.

## Files

- `MVG_SCITT_EXPORT_PROD.json` — export bundle derived from PROD pointers  
- `MVG_SCITT_EXPORT_DEMO.json` — export bundle derived from DEMO pointers  

Each export bundle is generated from:
- `/.well-known/mvg-procurement-inputs.*.dsse.json` (one-input pointer)
- `/.well-known/mvg-status.*.dsse.json` (status aggregator pointer)

## 1:1 mapping table (MVG → SCITT concepts)

| SCITT concept (consumer view) | MVG source (authoritative) | Field / rule |
|---|---|---|
| **Issuer** | Signature on the pointer / record | In MVG today: PGP `.asc` / `.sig/*` is primary. DSSE signatures are optional. Issuer identity = verified signing key fingerprint(s). |
| **Time** | DSSE payload | `issued_utc` (and optionally `expires_utc`) |
| **Subject name** | DSSE payload | `subject[0].name` (URL/path of the canonical MVG record) |
| **Subject digest** | DSSE payload | `subject[0].digest.sha256` |
| **Policy / statement type** | DSSE payload | `predicateType` (stable identifier of what is being asserted) |
| **Artifact digest** | DSSE payload | `predicate.sha256` (digest of the canonical record) |
| **References** | Canonical MVG record (`subject[0].name`) | Export enumerates URL-like values under the record (inputs, pointers, receipts, indexes) |
| **Receipt / transparency** (optional) | DSSE payload `predicate.*` | MVG models optional signals under `predicate.witness` and `predicate.anchoring`. These map cleanly to “receipt-like attachments” in the SCITT mental model. |
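
A consumer-side sketch of the mapping table, added here as an example and not the generator that produces the `MVG_SCITT_EXPORT_*.json` bundles. The output key names, the sample values, the timestamp format, the lowercase-hex digest format and the placement of `issued_utc` / `expires_utc` at the top level of the payload are assumptions; the issuer is passed in from a separate signature verification step.

```python
import base64, hashlib, json, re
from datetime import datetime, timezone

SHA256_HEX = re.compile(r"[0-9a-f]{64}")  # assumed: lowercase hex digests

def export_statement(envelope, verified_fingerprints, now=None):
    """Map one DSSE pointer to a SCITT-style view (output key names are hypothetical)."""
    if not verified_fingerprints:
        # Issuer = verified signing key fingerprint(s); never a payload-claimed identity.
        raise ValueError("no verified signing key fingerprint supplied")
    payload = json.loads(base64.b64decode(envelope["payload"]))
    subject, predicate = payload["subject"][0], payload["predicate"]
    digests = {"subject": subject["digest"]["sha256"], "artifact": predicate["sha256"]}
    for label, value in digests.items():
        if not SHA256_HEX.fullmatch(value):
            raise ValueError(f"{label} digest is not a hex SHA-256 value")
    expires = payload.get("expires_utc")  # optional per the table
    now = now or datetime.now(timezone.utc)
    # Assumed timestamp format: ISO 8601 UTC with a trailing "Z".
    if expires and datetime.fromisoformat(expires.replace("Z", "+00:00")) <= now:
        raise ValueError("pointer has expired")
    view = {
        "issuer": sorted(verified_fingerprints),
        "issued_utc": payload["issued_utc"],
        "expires_utc": expires,
        "subject_name": subject["name"],
        "subject_digest_sha256": digests["subject"],
        "statement_type": payload["predicateType"],
        "artifact_digest_sha256": digests["artifact"],
        # Optional receipt-like attachments.
        "receipts": {k: predicate[k] for k in ("witness", "anchoring") if k in predicate},
    }
    # Sorted keys and fixed separators give byte-identical output for identical input.
    return json.dumps(view, sort_keys=True, separators=(",", ":"))

def sample_envelope():
    """Constructed sample pointer; every value here is illustrative."""
    digest = hashlib.sha256(b"constructed canonical record").hexdigest()
    payload = {
        "issued_utc": "2024-01-01T00:00:00Z",
        "expires_utc": "2024-07-01T00:00:00Z",
        "subject": [{"name": "https://example.invalid/records/record.json",
                     "digest": {"sha256": digest}}],
        "predicateType": "https://example.invalid/mvg/pointer/v1",
        "predicate": {"sha256": digest, "witness": {"status": "constructed"}},
    }
    body = base64.b64encode(json.dumps(payload).encode()).decode()
    return {"payload": body, "signatures": []}  # DSSE signatures are optional in MVG
```
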

## Receipt “export slot” (optional)

SCITT defines a **Receipt** as a transparency proof that a Signed Statement was registered.

MVG supports two compatible directions:

- **A) MVG-native receipt-like attachments**  
  Witness countersign / head-chain / opslog pointers can be exported as receipt-like attachments.

- **B) External transparency service (later, optional)**  
  If an org chooses, the same MVG statement digest can be registered in a SCITT ledger / timestamp service and the resulting receipt can be attached.  
  (This repo intentionally stays *offline-first*; this is a future optional add-on.)

## Consumer guidance (Big Tech pipeline)

If you already consume MVG via the **one-input contract** (`/.well-known/mvg-procurement-inputs.json`), this bridge export is purely additive: it helps SCITT/COSE tooling teams read MVG statements as “Signed Statements” without requiring MVG to migrate schemas or add online dependencies.
