NORNR
Technical specification for one signed trust export.
Technical surface
This page documents the public NORNR Trust Manifest shape in cold terms: what it must contain, how it versions, what provenance it carries and how another party should validate it.
Required structure
It exists to carry trust posture outside NORNR without forcing another team to trust NORNR blindly.
Workspace, owner and export identity: the manifest must identify the governed workspace and the exported surface cleanly enough to be validated later.
The level should communicate what evidence exists, not invent confidence that the underlying artifacts do not support.
The manifest should point to the packet family around the governed lane, not replace it.
Versioning, schema identity and export timestamp should make replay and validation deterministic.
Verification rules
The trust manifest becomes meaningful only when another party can validate it against a public contract.
The manifest must conform to the published contract at export time.
Version and timestamp should survive every shared copy of the manifest.
The manifest is only as strong as the proof, review and finance artifacts it points toward.
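
The rules above can be checked mechanically by the receiving party. The following is an added example, not NORNR code and not the published contract. Every field name, the level names and their evidence mapping are assumptions made for illustration, and signature verification is left out because this page does not name a signature scheme.

```python
import hashlib
from datetime import datetime

# Hypothetical field names; the published contract defines the real ones.
REQUIRED = ("schema", "version", "exported_at", "workspace", "owner", "surface", "level", "artifacts")
# Assumed level names, each mapped to the artifact kinds that must back it.
LEVEL_EVIDENCE = {"declared": set(), "reviewed": {"proof", "review"},
                  "settled": {"proof", "review", "finance"}}

def validate_manifest(manifest, fetched, expected_schema):
    """Return a list of problems (empty = pass). fetched maps artifact kind -> bytes retrieved independently."""
    problems = [f"missing field: {k}" for k in REQUIRED if k not in manifest]
    if problems:
        return problems
    if manifest["schema"] != expected_schema:
        problems.append("schema identity does not match the contract being validated against")
    try:
        ts = datetime.fromisoformat(manifest["exported_at"])
        if ts.tzinfo is None:
            problems.append("exported_at has no timezone, so replay is ambiguous")
    except (ValueError, TypeError):
        problems.append("exported_at is not an ISO 8601 timestamp")
    level = manifest["level"]
    if level not in LEVEL_EVIDENCE:
        problems.append(f"unknown level: {level}")
    verified = set()
    for kind, ref in manifest["artifacts"].items():
        body = fetched.get(kind)
        if body is None:
            problems.append(f"{kind} artifact could not be retrieved")
        elif hashlib.sha256(body).hexdigest() != ref.get("sha256"):
            problems.append(f"{kind} artifact does not match its recorded digest")
        else:
            verified.add(kind)  # only evidence the verifier re-hashed itself counts
    missing = LEVEL_EVIDENCE.get(level, set()) - verified
    if missing:
        problems.append(f"level {level!r} is not backed by verified: {sorted(missing)}")
    return problems

# Constructed sample data, not a real NORNR export.
PROOF, REVIEW = b"constructed proof packet", b"constructed review packet"
SAMPLE = {"schema": "example/trust-manifest", "version": "1",
          "exported_at": "2025-01-01T00:00:00+00:00", "workspace": "ws-example",
          "owner": "owner-example", "surface": "example-lane", "level": "settled",
          "artifacts": {"proof": {"sha256": hashlib.sha256(PROOF).hexdigest()},
                        "review": {"sha256": hashlib.sha256(REVIEW).hexdigest()}}}
```

The sample claims a level that needs a finance artifact it never references, so validation reports the level as unsupported rather than accepting the stated confidence.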