Transparency log
An append-only Merkle transparency log of every attestation. You can audit Vega without trusting it.
Verify in one command
The vega CLI does every check below for you. It verifies the signature against a key you already trust (from your trusted-public-keys, never one fetched from the cache), validates the signed tree head and the build's inclusion proof, and re-derives the NAR hash:
nix run github:Ad-Astra-Computing/vega-agent#vega -- verify /nix/store/<hash>-name
It reports the signature scope (shared, scoped, or an upstream mirror) and exits non-zero if any check fails. The endpoints below are the same proofs, for auditing by hand.
Verify from an AI coding agent (MCP)
AI coding agents pull in dependencies; vega mcp lets an agent prove a build before it installs or runs it. It starts a local, read-only Model Context Protocol server over stdio. Its verification tools do the same independent checks as vega verify — signature against a key you trust (your trusted-public-keys, or --public-key), the signed tree head and inclusion proof, and re-deriving the NAR hash from the fetched bytes — while the reproduction tool reports the cache's recorded reproduction status. It is read-only and never holds a credential; a hostile cache is bounded by response-size, timeout, and scan caps.
It exposes four tools. Three take a single target (a /nix/store path, a store-path hash, or <hash>.narinfo); the fourth assesses a whole change:
vega_verify— independently verifies the target and returns the checked facts (signature scope, transparency-log inclusion, re-derived NAR hash).vega_risk— an allow / warn / deny gate an agent or CI can act on, with proof-backed reason codes (for exampleNO_TRANSPARENCY_RECORD,STH_SIGNATURE_INVALID,INCLUSION_PROOF_FAILED) and suggested next actions (build_locally,request_reproduction).vega_reproduce— a read-only query of whether Vega has independently reproduced the target (reproducible,uncorroborated,mirrored,diverged, orunknown), with the count of agreeing builders. It never rebuilds: it suggestsvega difffor a local check rather than spending compute.vega_assess_change— takes the set of storepathsa change adds (already resolved, e.g. theaddedarray fromvega gate --json) and rolls each path's proof-backed verdict up into one allow / warn / deny for the whole change, with a per-path breakdown. Read-only: it resolves and builds nothing, and is bounded per call so it cannot monopolize the server. The matching CLI isvega assess.
Wire it into an MCP client (Claude Code, Cursor, and others) by pointing the client at the command over stdio:
{
"mcpServers": {
"vega": { "command": "vega", "args": ["mcp"] }
}
}
If vega is not on the agent's PATH, use nix run github:Ad-Astra-Computing/vega-agent#vega -- mcp as the command. Verification runs on your machine against a key you trust, not on Vega's say-so.
Example output
Each tool returns a compact JSON object of checked facts, never a prose judgement. vega_risk wraps the same proofs in an actionable gate. A fully reproduced shared-tier build allows:
{
"verdict": "allow",
"tier": "shared",
"reasonCodes": ["SHARED_REPRODUCED", "TRANSPARENCY_LOG_INCLUDED"],
"proofs": {
"storePath": "/nix/store/h1p9v…-hello-2.12.1",
"narHash": "sha256:1q1n…",
"signature": { "ok": true, "keyName": "vega-cache-1", "scope": "shared" },
"transparency": {
"found": true, "index": 1142, "sthVerified": true,
"leafHashOk": true, "inclusionOk": true, "bindingOk": true, "scanned": 1143
},
"narHashVerified": true,
"verified": true
},
"nextActions": []
}
A build that is correctly signed but not yet in the transparency log denies, naming the reason and the next steps an agent can take (the proofs object carries the same fields, with verified: false):
{
"verdict": "deny",
"tier": "shared",
"reasonCodes": ["NO_TRANSPARENCY_RECORD"],
"proofs": { "signature": { "ok": true, "scope": "shared" }, "transparency": { "found": false }, "narHashVerified": true, "verified": false },
"nextActions": ["request_reproduction", "build_locally"]
}
Endpoints
Fetch the signed tree head, then verify inclusion and consistency proofs:
curl https://vega-cache.dev/log/sth
curl https://vega-cache.dev/log/proof/inclusion/<i>
curl "https://vega-cache.dev/log/proof/consistency?first=<m>&second=<n>"
A human view lives at vega-cache.dev/log.
What the proofs guarantee
- Signed tree head: the log's size and Merkle root, signed by the published Vega key.
- Inclusion proof: that a specific narinfo Vega served is actually in the log.
- Consistency proof: that the log only ever grew, never rewrote history.
The hashing follows the Certificate Transparency Merkle tree: leaf SHA-256(0x00 || data), node SHA-256(0x01 || left || right).
Build status and badges
Every output has a status page at /status/<hash> (the 32-character store-path hash) summarizing where it stands:
- reproducible: promoted to the globally-trusted shared cache, independently reproduced and agreed.
- diverged: independent builds disagreed on the output, so it is not promoted (see Reproducibility).
- uncorroborated: attested, but not yet independently reproduced or agreed.
- mirrored: served from the upstream cache (
cache.nixos.org), not Vega-attested. - unknown: no record in Vega.
An embeddable, color-coded status badge lives at /badge/<hash>.svg. When the Vega GitHub App is installed on a repository, each attested commit also gets a check that links to the output's status page.