Trust Badges

The Sovereign Bazaar uses schema-backed trust badges. A package may only claim a badge if the registry entry includes a matching evidence object under trust.

Registry Policy

The canonical policy lives in:

text

nexus-forge/registry/packages.json
nexus-forge/registry/trust-badges.schema.json

The registry policy defines:

Allowed badge identifiers
Human-readable labels and descriptions
Required evidence keys for each badge
Publisher identity mode: did-vc or explicit self-published
Package-level validation rules

Badge Truth Table

Badge	Claim	Required evidence	Proof artifact	Validation command	Display status
`signed`	Artifact origin and digest are bound to a signer key.	`signer`, `key_id`, `signature`, `artifact_digest`, `attested_at`	Detached signature plus artifact digest.	`nexus bazaar validate && nexus verify <artifact>`	`seed-attested`
`reproducible`	Independent rebuilds converge on the same Variant-CID.	`artifact_digest`, `recipe_digest`, `rebuild_count`, `builders`, `attested_at`	Recipe digest, rebuild transcript, builder identities, and artifact digest.	`nexus bazaar verify-cids`	`seed-attested`
`audited`	A named audit reviewed the declared source and manifest scope.	`auditor`, `report`, `scope`, `completed_at`	Audit report reference and declared scope.	`nexus bazaar validate`	`seed-attested`
`no-heap`	The declared runtime scope does not allocate from the heap.	`analysis_tool`, `report`, `scope`, `attested_at`	Static allocation analysis report.	`nexus bazaar validate`	`seed-attested`
`no-network`	The declared runtime scope cannot initiate network access.	`policy`, `scope`, `attested_at`	Pledge, capability, or syscall policy reference.	`nexus bazaar validate`	`seed-attested`
`air-gap-ready`	The package can be verified and installed without network access.	`offline_bundle`, `dependency_closure`, `attested_at`	Offline bundle manifest and dependency closure.	`nexus bazaar validate`	`seed-attested`

The same fields are machine-readable in trust_badges.badges. nexus bazaar validate rejects a badge definition that omits its claim, proof artifact, validation command, or display status.

Publisher Identity

Every package must declare a publisher object. The publisher identity is either DID/VC-backed or explicitly marked self-published.

The seed registry uses self-published publisher identity for its development attestations. That is intentionally weaker than DID/VC verification, but it is honest and machine-checkable.

Validation

Run the local registry validator:

bash

nexus bazaar validate

The validator checks that every claimed badge has evidence and that badge evidence contains the keys required by the registry policy. For signed and reproducible, the evidence artifact digest must match the package variant_cid. It also rejects packages that lack publisher identity metadata.

Verification Boundary

Registry validation proves the catalog metadata is internally consistent. It does not replace artifact verification. Consumers should still run:

bash

nexus verify <artifact>

or use the underlying nip verify flow during package installation.

Trust Badges ​

Registry Policy ​

Badge Truth Table ​

Publisher Identity ​