Social trust
Trust specific builders directly, scoped and revocable, and get a personalized cache that serves only what your own trust graph resolves.
Beyond the globally-trusted shared tier, Vega lets you trust individual builders. It is opt-in and scoped: you decide whose builds you accept and for which packages, and Vega serves you a personalized view signed with a key only you trust.
Trust a builder
With the vega CLI (after vega login):
vega trust add alice # trust alice for all her builds
vega trust add bob --package hello # limit bob's blast radius to the 'hello' package
vega trust list
vega trust remove alice
The subject is a GitHub login (or numeric id). Trust edges are revocable and do not propagate: trusting alice does not trust whoever alice trusts. The --package scope is a blast-radius limit matched against the build's store-path name (which the builder chooses), not a hard package barrier.
Your personalized substituter
vega view prints a nix.conf snippet for your own view:
vega view --format nix-conf
extra-substituters = https://vega-cache.dev/u/<token>
extra-trusted-public-keys = <your-view-key> <shared-key>
The /u/<token> substituter serves the globally-trusted shared cache, plus any binding your trust graph resolves. For a path not in the shared tier, Vega checks the builders you trust; if a trusted builder (in scope) attested it, and the trusted builders for that path do not disagree among themselves, Vega re-signs that one binding with your own per-consumer view key. That key signs only your view, so a binding resolved for you is never trusted by anyone else, and a builder you do not trust can never reach you. The token is opaque; rotate it any time from the dashboard (rotation instantly revokes the old one).
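The resolution rule above, written out as a small model so the three outcomes (shared tier, re-signed for your view, nothing served) can be traced on sample data. This is an added example, not Vega's own code; the data shapes, the constructed hashes and the exact name-matching rule for --package are assumptions the page does not specify.

```python
# Added example (not Vega's own code): a model of the per-consumer view
# resolution described above. Data shapes, hashes and the scope-matching
# rule are assumptions; the page does not specify them.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class TrustEdge:
    builder: str             # GitHub login, as in `vega trust add`
    package: Optional[str]   # None = all of the builder's builds

@dataclass(frozen=True)
class Attestation:
    builder: str
    store_path: str          # /nix/store/<hash>-<name>, name chosen by builder
    output_hash: str         # what the builder claims the output is (constructed)

def path_name(store_path: str) -> str:
    """'/nix/store/abc...-hello-2.12' -> 'hello-2.12' (the builder-chosen name)."""
    base = store_path.rsplit("/", 1)[-1]
    return base.split("-", 1)[1] if "-" in base else base

def in_scope(edge: TrustEdge, att: Attestation) -> bool:
    """Does this trust edge cover this attestation? A --package scope is a
    name match only (assumed rule: exact name or '<package>-' prefix). A builder
    trusted for 'hello' who names a build 'hello-evil' is still in scope, which
    is why the page calls it a blast-radius limit rather than a barrier."""
    if edge.builder != att.builder:
        return False
    if edge.package is None:
        return True
    name = path_name(att.store_path)
    return name == edge.package or name.startswith(edge.package + "-")

def resolve(store_path: str, shared_tier: Dict[str, str],
            attestations: List[Attestation],
            trust_edges: List[TrustEdge]) -> Tuple[Optional[str], str]:
    """Return ('shared', hash), ('view', hash) or (None, reason).
    'view' means: re-sign this one binding with the consumer's view key."""
    if store_path in shared_tier:
        return ("shared", shared_tier[store_path])
    # Only attestations from trusted, in-scope builders count. Trust does
    # not propagate: whoever alice trusts is irrelevant here.
    claims = {a.output_hash for a in attestations
              if a.store_path == store_path
              and any(in_scope(e, a) for e in trust_edges)}
    if not claims:
        return (None, "no trusted builder attested this path")
    if len(claims) > 1:
        return (None, "trusted builders disagree; nothing is re-signed")
    return ("view", claims.pop())
```

Note that an out-of-scope claim is ignored rather than counted as a disagreement: bob's --package hello scope means his opinion on a git build neither helps nor blocks alice's binding.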
The dashboard
vega dashboard opens your private dashboard in the browser. It exchanges the credential you already hold from vega login for a 60-second login code, so the long-lived credential never enters the browser, and the browser redeems the code for a 1-hour session. The dashboard shows your standing (outputs attested, independently corroborated, diverged), your trust edges, and your view-token substituter, with a button to rotate the token. Pass --no-open to print the sign-in URL instead of opening a browser.