Skip to content

Sovereign Bazaar

Signed, reproducible, content-addressed packages. Inspect the recipe. Rebuild the binary.

Philosophy

The Bazaar is not an app store. It is a catalog of verifiable artifacts. Every package carries:

  • Variant-CID — content-addressed identifier
  • Build proof — source, build, artifact, and compiler hashes
  • Trust badges — signed, reproducible, audited, no-heap, no-network
  • Publisher identity — DID/VC-backed or explicitly self-published

Installing Packages

Native Install

bash
nip install <package>

Resolves dependencies, verifies signatures, extracts to /Programs/Nippels/.

Grafting from Foreign Ecosystems

bash
nexus graft pacman:<pkg>
nexus graft nix:<pkg>
nexus graft apt:<pkg>
nexus graft nix hello

Fetches from foreign package managers, converts to NPK, installs via CAS. The two-argument form nexus graft <source> <package> delegates to nip graft <source>:<package>.

Trust Badges

Badges are not free-form marketing labels. The Bazaar registry declares a trust_badges policy, and every package that claims a badge must attach a matching trust evidence object.

BadgeRequired evidence
signedsigner, key id, signature, artifact digest, attestation time
reproducibleartifact digest, recipe digest, rebuild count, builders, attestation time
auditedauditor, report, scope, completion time
no-heapanalysis tool, report, scope, attestation time
no-networkpledge or syscall policy, scope, attestation time
air-gap-readyoffline bundle, dependency closure, attestation time

Validate the seed registry:

bash
nexus bazaar validate
nexus bazaar verify-cids

The validator checks registry shape, allowed badge names, per-package evidence, publisher identity metadata, and digest consistency. Artifact cryptographic verification still happens through nip verify or nexus verify.

verify-cids recomputes the current seed registry CIDs from explicit variant_inputs. Seed entries use input_class="seed-registry-metadata" until the local Forge path emits artifact-backed build inputs.

Registry API

Run the local package registry backend:

bash
nexus bazaar serve --host=127.0.0.1 --port=8787

Then query it:

bash
curl http://127.0.0.1:8787/api/v1/packages
curl 'http://127.0.0.1:8787/api/v1/packages?category=Drivers&tag=Micro&badge=signed'
curl http://127.0.0.1:8787/api/v1/packages/drivers%2Fvirtio-net
curl 'http://127.0.0.1:8787/api/v1/search?q=virtio&limit=5'

The API serves validated registry metadata from packages.json by default. Use --registry <file> for an explicit JSON DB, or --local for the local Forge package registry. The MVP is read-only: publication still goes through Forge/import flows and registry validation.

Regression proof:

bash
nexus bazaar selftest

Publishing

To publish to the Bazaar:

  1. Build reproducibly
  2. Sign with Ed25519 key
  3. Submit build proof and manifest
  4. Pass validation checklist

See Publishing Guide for details.