Skip to content

Foundry Trust Badges

The Foundry emits artifacts and metadata that can qualify for Sovereign Bazaar trust badges. Badge claims are schema-backed and validated before publication.

Build Output

A Foundry build can contribute evidence for these badge families:

OutputBadgeRequired evidence
Detached signaturesignedsigner, key_id, signature, artifact_digest, attested_at
Rebuild transcript and recipe digestreproducibleartifact_digest, recipe_digest, rebuild_count, builders, attested_at
Static allocation reportno-heapanalysis_tool, report, scope, attested_at
Pledge or syscall policyno-networkpolicy, scope, attested_at
Offline dependency closureair-gap-readyoffline_bundle, dependency_closure, attested_at
Security review reportauditedauditor, report, scope, completed_at

The Bazaar badge truth table defines the claim, proof artifact, validation command, and display status for every badge. Foundry should emit those fields with the registry policy instead of relying on page copy.

Registry Handoff

Publication writes badge metadata into the Bazaar registry:

json
{
  "publisher": {
    "id": "publisher-id",
    "name": "Publisher Name",
    "identity": {
      "mode": "self-published",
      "status": "self-published",
      "key_ids": ["ed25519-key-id"],
      "attested_at": "2026-06-06T00:00:00Z"
    }
  },
  "badges": ["signed", "reproducible"],
  "trust": {
    "signed": {
      "status": "verified",
      "signer": "publisher",
      "key_id": "ed25519-key-id",
      "signature": "ed25519:...",
      "artifact_digest": "cid:v1:blake3:...",
      "attested_at": "2026-06-06T00:00:00Z"
    }
  }
}

The registry validator rejects a package when a claimed badge lacks the evidence keys required by the policy. It also rejects packages without publisher identity: either DID/VC-backed identity or an explicit self-published declaration.

Local Check

Run:

bash
nexus bazaar validate

Then verify the artifact itself:

bash
nexus verify ./artifact.img

For local NPK and Micro image proof paths, nexus verify validates the artifact digest, canonical .bkdl.json evidence, Ed25519 signature, and artifact-backed Variant-CID. Local Bazaar validation then checks the NPK trust badge metadata with:

bash
nexus bazaar validate --local
nexus bazaar verify-cids --local

Micro image bundles are validated with nexus forge validate-bundle and imported with nexus forge import-bundle. Both commands now apply the local bundle trust policy: bundle provenance is required, publisher identity must match the provenance block, the signer key must match the declared publisher keys, a local trust root must authorize the bundle, and local revocation lists can reject publisher IDs, key IDs, Variant-CIDs, or bundle archive hashes. Remote image registry trust remains future Forge work.