Foundry Trust Badges
The Foundry emits artifacts and metadata that can qualify for Sovereign Bazaar trust badges. Badge claims are schema-backed and validated before publication.
Build Output
A Foundry build can contribute evidence for these badge families:
| Output | Badge | Required evidence |
|---|---|---|
| Detached signature | signed | signer, key_id, signature, artifact_digest, attested_at |
| Rebuild transcript and recipe digest | reproducible | artifact_digest, recipe_digest, rebuild_count, builders, attested_at |
| Static allocation report | no-heap | analysis_tool, report, scope, attested_at |
| Pledge or syscall policy | no-network | policy, scope, attested_at |
| Offline dependency closure | air-gap-ready | offline_bundle, dependency_closure, attested_at |
| Security review report | audited | auditor, report, scope, completed_at |
The Bazaar badge truth table defines the claim, proof artifact, validation command, and display status for every badge. Foundry should emit those fields with the registry policy instead of relying on page copy.
Registry Handoff
Publication writes badge metadata into the Bazaar registry:
{
"publisher": {
"id": "publisher-id",
"name": "Publisher Name",
"identity": {
"mode": "self-published",
"status": "self-published",
"key_ids": ["ed25519-key-id"],
"attested_at": "2026-06-06T00:00:00Z"
}
},
"badges": ["signed", "reproducible"],
"trust": {
"signed": {
"status": "verified",
"signer": "publisher",
"key_id": "ed25519-key-id",
"signature": "ed25519:...",
"artifact_digest": "cid:v1:blake3:...",
"attested_at": "2026-06-06T00:00:00Z"
}
}
}The registry validator rejects a package when a claimed badge lacks the evidence keys required by the policy. It also rejects packages without publisher identity: either DID/VC-backed identity or an explicit self-published declaration.
Local Check
Run:
nexus bazaar validateThen verify the artifact itself:
nexus verify ./artifact.imgFor the current Micro development local-proof path, nexus verify validates SHA256 digests embedded in the .sig and .proof sidecars and checks the BOM shape. Production Ed25519 artifact signing remains a Forge follow-up.