Docs | SpectraStrike | Nexus | Nyxera Labs

Armory + Universal Runner Execution Fabric

Scope

This document captures Armory registry controls and standardized edge-runner execution behavior.

Armory Workflow

1. Ingest BYOT artifact (tool_name, image_ref, binary payload).
2. Compute immutable digest (sha256).
3. Generate SBOM metadata.
4. Run vulnerability summary pipeline.
5. Generate signing metadata.
6. Require explicit approval before digest becomes execution-authorized.

Standard Runner Workflow

Primary edge runner reference implementation:

• src/runner-go

Standard controls:

1. Verify compact JWS on edge side using Ed25519 (alg=EdDSA).
2. Resolve authorized tool digest from Armory.
3. Enforce exact digest match against manifest.
4. Execute via firecracker microVM contract (simulation in dev/CI, native in hardened runtime).
5. Map output to CloudEvents (stdout, stderr, exit_code, manifest_jws).

QA Controls

• Forged Ed25519 JWS signatures must fail.
• Tampered tool digests must fail.
• Execution output must map to standardized CloudEvents payload.

Current Standardization Status

• Go runner verification path is Ed25519-first.
• Firecracker microVM path is the standard runner backend.
• Wrapper SDK contract remains aligned to telemetry/fingerprint/attestation/signature requirements.

2026 SpectraStrike by Nyxera Labs. All rights reserved.

Docs | SpectraStrike | Nexus | Nyxera Labs