what a badge is allowed to say

Tiers, stated exactly.

A badge never overstates. T1–T3 mean a verifier of a different kind re-executed the checkable claims. T0 is not a verification and is rendered in neutral grey, never a verified shape or colour: it says only that a signed artifact existed at a time. The bright line runs between T0 and everything above it.

T3 · proof-carryingverified

A certificate the open kernel checks. Your method never leaves your machine. The strongest and most private tier.

T2 · receipt-verifiedverified

Claims and pinned inputs public; the method is a sealed container re-executed under a verification-only license. Protection is legal + sandbox, not cryptographic secrecy from the operator.

T1 · fully openverified

Everything public, re-executable by anyone end to end.

T0 · attested onlyattested

Signed but NOT re-executed. Identity and timestamp only. Never badged as verified.

The full trust analysis per tier is on the threat-model page.