Verifiable Compliance Attestation (VCA) MVP

This is a holding page + minimal implementation of a vendor-neutral, machine-verifiable attestation identifier. It exists to preserve the strategy and provide working endpoints.

What the authority would mandate

A standardized format for an attestation identifier
A standardized verification method (keys + signature verification)
A fail-closed intake rule: missing/unverifiable/expired/revoked → incomplete

The authority does not endorse a vendor. Any issuer can comply with the format + verification method.

Well-known verification endpoints

GET  /.well-known/vca/keys.json
GET  /.well-known/vca/status/{vca_id}.json
HEAD /.well-known/vca/status/{vca_id}.json

These endpoints are the only public surface area this MVP commits to.

Dev-only issuance

POST /v1/issue
POST /v1/verify

Issuance exists only to demonstrate a complete loop locally.

Repo README contains the full rationale and next-step gate.