Welcome to Vanilla Breeze
This bell pulls live notifications from /go/notify/messages — the same contract documented at /docs/concepts/service-contracts/. Static articles like this one are the no-JS / no-backend fallback.
data-trust
Verification tier indicator on page-info badges. Runtime-computed state showing whether page content matches its cryptographic signature.
Overview
The data-trust attribute represents the verification tier of a rendered page — whether the DOM content matches its cryptographic signature. It is set by the <page-info> component at runtime on the .page-info-badge element; authors do not set it directly.
For declaring how content was made (human, AI-assisted, AI-generated, etc.), use data-provenance. The two attributes answer different questions:
data-provenanceis a claim by the author about how the content was produced — unverifiable on its own.data-trustis a result computed at runtime — it changes based on whether the signature verifies.
Verification Tiers
| Token | Meaning | Badge color |
|---|---|---|
undeclared |
No provenance or signature metadata present | Neutral |
declared |
Provenance claimed in meta tags; no verification attempted | Warning (soft) |
domain-anchored |
Public key reachable at the author's domain (/.well-known/content-keys/…) |
Info |
verified |
DOM content matches the cryptographic signature | Success |
failed |
Signature present but content does not match — page may have been modified since signing | Error |
key-unavailable |
Signature present but the key URL is unreachable | Neutral |
What verification does and does not prove
Verification proves:
- The signable content has not been altered since the author signed it.
- The signature was made by whoever controls the key at the author-key URL.
- The key is hosted on the same domain as the page (domain anchoring).
Verification does not prove:
- That the content is accurate or factual.
- That the author is who they claim to be.
- That AI wasn't used (only
data-provenanceaddresses that, and it's self-reported). - That the signing key hasn't been compromised.
Reading the tier in JavaScript
Listen for the page-info:verified event to be notified when verification completes:
Verification event
document.addEventListener('page-info:verified', (e) => { console.log(e.detail.status); // 'verified' | 'failed' | 'key-unavailable' | 'declared' | 'undeclared' console.log(e.detail.tier); // 0 | 1 | 2 | 3});See also
data-provenance— how content was made (authorship)data-review— what review the content receiveddata-status— content publication state<page-info>— the component that computes and displays verification