Build Pipeline
The Foundry pipeline turns a recipe into a signed image and publication metadata.
Current implementation status: the CLI has a Micro development local-proof path that emits an artifact and verifies sidecars. The full production pipeline described below remains planned until recipe resolution, dependency closure, production signing, CAS publish, and registry publication are wired together.
Stages
| Stage | Output |
|---|---|
| Resolve | Dependency tree and Variant-CIDs |
| Build | Image or package artifact |
| Sign | Detached Ed25519 signature |
| Attest | BOM, recipe digest, and ProvChain proof |
| Validate | Registry trust badge metadata |
Dry Run
Use a dry run to inspect the planned build without producing an artifact:
nexus build --edition=mech --arch=aarch64 --dry-run
Development Local Proof
Use the Micro local-proof path to produce one verifiable development artifact:
nexus build --edition=micro --arch=x86_64 --local-proof
nexus verify ~/.nexus/artifacts/nexus-micro-x86_64.img
This path uses the checked-in demo image builder and writes a bootable image plus .sig, .bom.json, and .proof sidecars. nexus verify checks that the development signature and proof digests match the artifact and that the BOM parses with the expected artifact metadata.
This is not the production Forge pipeline. It does not yet compute artifact-backed Variant-CIDs, resolve package dependencies, publish to CAS, or write package entries into the Bazaar registry.
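The three checks that nexus verify is described as performing, sketched in Go as an added example (not Foundry's own code). The sidecar encodings are assumptions: a raw detached Ed25519 signature over the image bytes, a hex SHA-256 digest in .proof, and a BOM with hypothetical artifact and sha256 fields. The image bytes and key are constructed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// bom is a hypothetical BOM shape; the page does not give the .bom.json schema.
type bom struct {
	Artifact string `json:"artifact"`
	SHA256   string `json:"sha256"`
}

// verifySidecars fails closed: the first failing check rejects the artifact.
func verifySidecars(pub ed25519.PublicKey, name string, img, sig, proof, bomJSON []byte) error {
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, img, sig) {
		return fmt.Errorf("signature does not match artifact")
	}
	want := fmt.Sprintf("%x", sha256.Sum256(img))
	if string(bytes.TrimSpace(proof)) != want {
		return fmt.Errorf("proof digest does not match artifact")
	}
	var b bom
	if err := json.Unmarshal(bomJSON, &b); err != nil {
		return fmt.Errorf("BOM does not parse: %w", err)
	}
	if b.Artifact != name || b.SHA256 != want {
		return fmt.Errorf("BOM metadata does not describe this artifact")
	}
	return nil
}

// makeSample builds a constructed image and sidecars signed with a throwaway key.
func makeSample() (ed25519.PublicKey, []byte, []byte, []byte, []byte) {
	pub, priv, _ := ed25519.GenerateKey(nil)
	img := []byte("constructed image bytes")
	digest := fmt.Sprintf("%x", sha256.Sum256(img))
	bomJSON, _ := json.Marshal(bom{"nexus-micro-x86_64.img", digest})
	return pub, img, ed25519.Sign(priv, img), []byte(digest + "\n"), bomJSON
}

func main() {
	pub, img, sig, proof, bomJSON := makeSample()
	fmt.Println("intact:", verifySidecars(pub, "nexus-micro-x86_64.img", img, sig, proof, bomJSON))
	img[0] ^= 1 // a single flipped bit in the image must be rejected
	fmt.Println("tampered:", verifySidecars(pub, "nexus-micro-x86_64.img", img, sig, proof, bomJSON))
}
```

The signature check comes first so that the digest and BOM, which anyone can recompute, are never the only evidence accepted.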
Trust Metadata
When an artifact is published to the Bazaar, the pipeline must write badge evidence into the package entry. Run:
nexus bazaar validate
before publishing the registry update.