Foundry Trust Badges
The Foundry emits artifacts and metadata that can qualify for Sovereign Bazaar trust badges. Badge claims are schema-backed and validated before publication.
Build Output
A Foundry build can contribute evidence for these badge families:
| Output | Badge | Required evidence |
|---|---|---|
| Detached signature | signed | signer, key_id, signature, artifact_digest, attested_at |
| Rebuild transcript and recipe digest | reproducible | artifact_digest, recipe_digest, rebuild_count, builders, attested_at |
| Static allocation report | no-heap | analysis_tool, report, scope, attested_at |
| Pledge or syscall policy | no-network | policy, scope, attested_at |
| Offline dependency closure | air-gap-ready | offline_bundle, dependency_closure, attested_at |
| Security review report | audited | auditor, report, scope, completed_at |
The Bazaar badge truth table defines the claim, proof artifact, validation command, and display status for every badge. Foundry should emit those fields with the registry policy instead of relying on page copy.
Registry Handoff
Publication writes badge metadata into the Bazaar registry:
{
"publisher": {
"id": "publisher-id",
"name": "Publisher Name",
"identity": {
"mode": "self-published",
"status": "self-published",
"key_ids": ["ed25519-key-id"],
"attested_at": "2026-06-06T00:00:00Z"
}
},
"badges": ["signed", "reproducible"],
"trust": {
"signed": {
"status": "verified",
"signer": "publisher",
"key_id": "ed25519-key-id",
"signature": "ed25519:...",
"artifact_digest": "cid:v1:blake3:...",
"attested_at": "2026-06-06T00:00:00Z"
}
}
}The registry validator rejects a package when a claimed badge lacks the evidence keys required by the policy. It also rejects packages without publisher identity: either DID/VC-backed identity or an explicit self-published declaration.
Local Check
Run:
nexus bazaar validateThen verify the artifact itself:
nexus verify ./artifact.imgFor local NPK and Micro image proof paths, nexus verify validates the artifact digest, canonical .bkdl.json evidence, Ed25519 signature, and artifact-backed Variant-CID. Local Bazaar validation then checks the NPK trust badge metadata with:
nexus bazaar validate --local
nexus bazaar verify-cids --localMicro image bundles are validated with nexus forge validate-bundle and imported with nexus forge import-bundle. Both commands now apply the local bundle trust policy: bundle provenance is required, publisher identity must match the provenance block, the signer key must match the declared publisher keys, a local trust root must authorize the bundle, and local revocation lists can reject publisher IDs, key IDs, Variant-CIDs, or bundle archive hashes. Remote image registry trust remains future Forge work.