diff --git a/Cargo.lock b/Cargo.lock
index 0d717e1be..e55e8acf0 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -353,9 +353,9 @@ dependencies = [
 
 [[package]]
 name = "astral-tokio-tar"
-version = "0.6.1"
+version = "0.6.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4ce73b17c62717c4b6a9af10b43e87c578b0cac27e00666d48304d3b7d2c0693"
+checksum = "3c23f3af104b40a3430ccb90ed5f7bd877a8dc5c26fc92fde51a22b40890dcf9"
 dependencies = [
  "filetime",
  "futures-core",
@@ -1194,7 +1194,7 @@ version = "3.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "fde0e0ec90c9dfb3b4b1a0891a7dcd0e2bffde2f7efed5fe7c9bb00e5bfb915e"
 dependencies = [
- "windows-sys 0.48.0",
+ "windows-sys 0.59.0",
 ]
 
 [[package]]
@@ -1297,6 +1297,16 @@ dependencies = [
  "serde_json",
 ]
 
+[[package]]
+name = "crate-git-revision"
+version = "0.0.6"
+source = "git+https://github.com/stellar/crate-git-revision?branch=dirty-untracked-files#43cb856d8f136c1cb5b9ab232e441b9fd776e849"
+dependencies = [
+ "serde",
+ "serde_derive",
+ "serde_json",
+]
+
 [[package]]
 name = "crc32fast"
 version = "1.5.0"
@@ -1978,7 +1988,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "778e2ac28f6c47af28e4907f13ffd1e1ddbd400980a9abd7c8df189bf578a5ad"
 dependencies = [
  "libc",
- "windows-sys 0.52.0",
+ "windows-sys 0.60.2",
 ]
 
 [[package]]
@@ -2752,7 +2762,7 @@ dependencies = [
  "libc",
  "percent-encoding",
  "pin-project-lite",
- "socket2 0.5.10",
+ "socket2 0.6.0",
  "system-configuration",
  "tokio",
  "tower-service",
@@ -4286,7 +4296,7 @@ dependencies = [
  "quinn-udp",
  "rustc-hash 2.1.1",
  "rustls",
- "socket2 0.5.10",
+ "socket2 0.6.0",
  "thiserror 2.0.18",
  "tokio",
  "tracing",
@@ -4323,9 +4333,9 @@ dependencies = [
  "cfg_aliases",
  "libc",
  "once_cell",
- "socket2 0.5.10",
+ "socket2 0.6.0",
  "tracing",
- "windows-sys 0.52.0",
+ "windows-sys 0.60.2",
 ]
 
 [[package]]
@@ -4686,7 +4696,7 @@ dependencies = [
  "errno",
  "libc",
  "linux-raw-sys 0.4.15",
- "windows-sys 0.52.0",
+ "windows-sys 0.59.0",
 ]
 
 [[package]]
@@ -4699,7 +4709,7 @@ dependencies = [
  "errno",
  "libc",
  "linux-raw-sys 0.9.4",
- "windows-sys 0.52.0",
+ "windows-sys 0.60.2",
 ]
 
 [[package]]
@@ -4757,7 +4767,7 @@ dependencies = [
  "security-framework 3.4.0",
  "security-framework-sys",
  "webpki-root-certs 0.26.11",
- "windows-sys 0.52.0",
+ "windows-sys 0.59.0",
 ]
 
 [[package]]
@@ -5382,7 +5392,7 @@ dependencies = [
  "chrono",
  "clap",
  "clap_complete",
- "crate-git-revision",
+ "crate-git-revision 0.0.6 (git+https://github.com/stellar/crate-git-revision?branch=dirty-untracked-files)",
  "csv",
  "directories",
  "dotenvy",
@@ -5400,6 +5410,7 @@ dependencies = [
  "indexmap 2.11.0",
  "itertools 0.10.5",
  "keyring",
+ "libc",
  "mockito",
  "num-bigint",
  "open",
@@ -5465,7 +5476,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "08582c2c21bd3f7b737bcb76db9d4ca473f8349d65f8952a50eeed8823f44aef"
 dependencies = [
  "arbitrary",
- "crate-git-revision",
+ "crate-git-revision 0.0.6 (registry+https://github.com/rust-lang/crates.io-index)",
  "ethnum",
  "num-derive",
  "num-traits",
@@ -5565,7 +5576,7 @@ checksum = "bdc156a0183eb584e57d45f63f3bd7023165980131d6eecc939fe5cda2490c63"
 dependencies = [
  "arbitrary",
  "bytes-lit",
- "crate-git-revision",
+ "crate-git-revision 0.0.6 (registry+https://github.com/rust-lang/crates.io-index)",
  "ctor",
  "derive_arbitrary",
  "ed25519-dalek",
@@ -5859,7 +5870,7 @@ version = "0.0.13"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "ee1832fb50c651ad10f734aaf5d31ca5acdfb197a6ecda64d93fcdb8885af913"
 dependencies = [
- "crate-git-revision",
+ "crate-git-revision 0.0.6 (registry+https://github.com/rust-lang/crates.io-index)",
  "data-encoding",
 ]
 
@@ -5870,7 +5881,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "97e1a364048067bfcd24e6f1a93bba43eeb79c16b854596c841c3e8bab0bfa0c"
 dependencies = [
  "clap",
- "crate-git-revision",
+ "crate-git-revision 0.0.6 (registry+https://github.com/rust-lang/crates.io-index)",
  "data-encoding",
  "serde",
  "serde_json",
@@ -5884,7 +5895,7 @@ version = "0.0.16"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "084afcb0d458c3d5d5baa2d294b18f881e62cc258ef539d8fdf68be7dbe45520"
 dependencies = [
- "crate-git-revision",
+ "crate-git-revision 0.0.6 (registry+https://github.com/rust-lang/crates.io-index)",
  "data-encoding",
  "heapless",
 ]
@@ -5899,7 +5910,7 @@ dependencies = [
  "base64 0.22.1",
  "cfg_eval",
  "clap",
- "crate-git-revision",
+ "crate-git-revision 0.0.6 (registry+https://github.com/rust-lang/crates.io-index)",
  "escape-bytes",
  "ethnum",
  "hex",
@@ -6101,7 +6112,7 @@ dependencies = [
  "getrandom 0.3.3",
  "once_cell",
  "rustix 1.0.8",
- "windows-sys 0.52.0",
+ "windows-sys 0.60.2",
 ]
 
 [[package]]
diff --git a/cmd/crates/soroban-test/tests/it/build.rs b/cmd/crates/soroban-test/tests/it/build.rs
index 1863af976..aaa749e15 100644
--- a/cmd/crates/soroban-test/tests/it/build.rs
+++ b/cmd/crates/soroban-test/tests/it/build.rs
@@ -594,12 +594,24 @@ fn get_entries(fixture_path: &Path, outdir: &Path) -> Vec<ScMetaEntry> {
         Limits::none(),
     ))
     .filter(|entry| match entry {
-        // Ignore the meta entries that the SDK embeds that capture the SDK and
-        // Rust version, since these will change often and are not really
-        // relevant to this test.
+        // Ignore SDK-embedded keys (rsver, rssdkver) and stellar-cli-embedded
+        // build-record keys (bldbkd, bldimg, bldopt_*, source_*) — these
+        // change often and aren't what these tests are asserting on.
         Ok(ScMetaEntry::ScMetaV0(ScMetaV0 { key, .. })) => {
             let key = key.to_string();
-            !matches!(key.as_str(), "rsver" | "rssdkver")
+            !matches!(
+                key.as_str(),
+                "rsver"
+                    | "rssdkver"
+                    | "bldbkd"
+                    | "bldimg"
+                    | "bldopt_manifest_path"
+                    | "bldopt_package"
+                    | "bldopt_profile"
+                    | "bldopt_optimize"
+                    | "source_repo"
+                    | "source_rev"
+            )
         }
         _ => true,
     })
diff --git a/cmd/soroban-cli/Cargo.toml b/cmd/soroban-cli/Cargo.toml
index f44337204..0dd6933e1 100644
--- a/cmd/soroban-cli/Cargo.toml
+++ b/cmd/soroban-cli/Cargo.toml
@@ -127,8 +127,11 @@ whoami = "1.5.2"
 serde_with = "3.11.0"
 rustc_version = "0.4.1"
 
+[target.'cfg(unix)'.dependencies]
+libc = "0.2"
+
 [build-dependencies]
-crate-git-revision = "0.0.6"
+crate-git-revision = { git = "https://github.com/stellar/crate-git-revision", branch = "dirty-untracked-files" }
 serde.workspace = true
 thiserror.workspace = true
 
diff --git a/cmd/soroban-cli/src/commands/container/mod.rs b/cmd/soroban-cli/src/commands/container/mod.rs
index 08203095d..6d025cac4 100644
--- a/cmd/soroban-cli/src/commands/container/mod.rs
+++ b/cmd/soroban-cli/src/commands/container/mod.rs
@@ -1,7 +1,7 @@
 use crate::commands::global;
 
 pub(crate) mod logs;
-mod shared;
+pub(crate) mod shared;
 pub(crate) mod start;
 pub(crate) mod stop;
 
diff --git a/cmd/soroban-cli/src/commands/contract/build.rs b/cmd/soroban-cli/src/commands/contract/build.rs
index ad0012e8a..ddfe5fcf5 100644
--- a/cmd/soroban-cli/src/commands/contract/build.rs
+++ b/cmd/soroban-cli/src/commands/contract/build.rs
@@ -19,7 +19,7 @@ use stellar_xdr::curr::{Limited, Limits, ScMetaEntry, ScMetaV0, StringM, WriteXd
 #[cfg(feature = "additional-libs")]
 use crate::commands::contract::optimize;
 use crate::{
-    commands::{global, version},
+    commands::{container::shared::Args as ContainerArgs, contract::build_docker, global, version},
     print::Print,
     wasm,
 };
@@ -95,8 +95,102 @@ pub struct Cmd {
     #[arg(long, conflicts_with = "out_dir", help_heading = "Other")]
     pub print_commands_only: bool,
 
+    /// Build backend.
+    ///
+    /// - `local` (default): build using the host's rust toolchain.
+    /// - `docker`: build inside `docker.io/stellar/stellar-cli:latest`
+    ///   (linux/amd64) using the local docker daemon. The entire build
+    ///   pipeline runs inside the container; the host orchestrates only.
+    ///   The resolved image digest is recorded in contract metadata.
+    /// - `docker=<image>`: build inside the specified image (must have
+    ///   `stellar` as its entrypoint). Pin via
+    ///   `--backend docker=<name>@sha256:...` for fully-reproducible builds.
+    ///
+    /// Aborted docker builds may leave a stopped container; clean with `docker container prune`.
+    #[arg(
+        long,
+        value_name = "BACKEND",
+        default_value = "local",
+        value_parser = parse_backend,
+        help_heading = "Build Backends",
+    )]
+    pub backend: Backend,
+
+    #[command(flatten)]
+    pub container_args: ContainerArgs,
+
+    /// Run cargo via `cargo +<toolchain>` to pin the rust toolchain. Set by
+    /// `verify` from the wasm's `rsver` meta entry; not user-facing.
+    #[arg(skip)]
+    pub rustup_toolchain: Option<String>,
+
     #[command(flatten)]
     pub build_args: BuildArgs,
+
+    #[command(subcommand)]
+    pub action: Option<Action>,
+}
+
+/// Subcommands of `stellar contract build`.
+#[derive(clap::Subcommand, Debug, Clone)]
+pub enum Action {
+    /// Verify a wasm by rebuilding it inside the Docker image recorded in its metadata.
+    Verify(super::verify::Cmd),
+}
+
+/// Build backend selector for `--backend`.
+#[derive(Clone, Debug, Default)]
+pub enum Backend {
+    /// Build with the host's rust toolchain.
+    #[default]
+    Local,
+    /// Build inside a Docker container whose entrypoint is `stellar`.
+    Docker { image: String },
+}
+
+impl Backend {
+    /// Returns the docker image if the backend uses one, else `None`.
+    pub fn docker_image(&self) -> Option<&str> {
+        match self {
+            Self::Docker { image } => Some(image),
+            Self::Local => None,
+        }
+    }
+}
+
+// Pinned by digest rather than `:latest` so that:
+// - the digest is recorded in `bldimg` immediately (no post-pull resolution
+//   that can fail on Apple Silicon docker, where `RepoDigests` is often left
+//   empty after a cross-platform pull),
+// - builds with the default backend are reproducible day-one without the
+//   user having to specify `--backend docker=...@sha256:...` themselves.
+//
+// To bump: `docker pull --platform linux/amd64 stellar/stellar-cli:<tag>`,
+// then read the `Digest:` line.
+const DEFAULT_DOCKER_IMAGE: &str =
+    "docker.io/stellar/stellar-cli@sha256:cb2fc3116a6ace37a77ca6bb88afb4bee57fc746cd556a4373f2c3ee95d4e917";
+
+pub fn parse_backend(s: &str) -> Result<Backend, String> {
+    match s {
+        "local" => Ok(Backend::Local),
+        "docker" => Ok(Backend::Docker {
+            image: DEFAULT_DOCKER_IMAGE.to_string(),
+        }),
+        _ => {
+            if let Some(image) = s.strip_prefix("docker=") {
+                if image.is_empty() {
+                    return Err("docker image cannot be empty; use `--backend docker` for the default image".to_string());
+                }
+                Ok(Backend::Docker {
+                    image: image.to_string(),
+                })
+            } else {
+                Err(format!(
+                    "unknown backend {s:?}; expected `local`, `docker`, or `docker=<image>`"
+                ))
+            }
+        }
+    }
 }
 
 /// Shared build options for meta and optimization, reused by deploy and upload.
@@ -190,6 +284,13 @@ pub enum Error {
 
     #[error("wasm parsing error: {0}")]
     WasmParsing(String),
+
+    #[error(transparent)]
+    Container(#[from] build_docker::Error),
+
+    // Boxed to break the cycle between verify::Error::Build and build::Error::Verify.
+    #[error(transparent)]
+    Verify(Box<super::verify::Error>),
 }
 
 const WASM_TARGET: &str = "wasm32v1-none";
@@ -208,7 +309,11 @@ impl Default for Cmd {
             out_dir: None,
             locked: false,
             print_commands_only: false,
+            backend: Backend::Local,
+            container_args: ContainerArgs { docker_host: None },
+            rustup_toolchain: None,
             build_args: BuildArgs::default(),
+            action: None,
         }
     }
 }
@@ -216,16 +321,25 @@ impl Default for Cmd {
 impl Cmd {
     /// Builds the project and returns the built WASM artifacts.
     #[allow(clippy::too_many_lines)]
-    pub fn run(&self, global_args: &global::Args) -> Result<Vec<BuiltContract>, Error> {
+    pub async fn run(&self, global_args: &global::Args) -> Result<Vec<BuiltContract>, Error> {
+        if let Some(Action::Verify(verify)) = &self.action {
+            // Box::pin breaks the recursion: verify.run() calls build::Cmd::run()
+            // for the rebuild, so the future would otherwise have infinite size.
+            Box::pin(verify.run(global_args))
+                .await
+                .map_err(|e| Error::Verify(Box::new(e)))?;
+            return Ok(Vec::new());
+        }
         let print = Print::new(global_args.quiet);
         let working_dir = env::current_dir().map_err(Error::GettingCurrentDir)?;
         let metadata = self.metadata()?;
         let packages = self.packages(&metadata)?;
         let target_dir = &metadata.target_directory;
+        let workspace_root = metadata.workspace_root.as_std_path();
 
         // Run build configuration checks (only when actually building)
         if !self.print_commands_only {
-            run_checks(metadata.workspace_root.as_std_path(), &self.profile)?;
+            run_checks(workspace_root, &self.profile)?;
         }
 
         if let Some(package) = &self.package {
@@ -239,9 +353,58 @@ impl Cmd {
         let wasm_target = get_wasm_target()?;
         let mut built_contracts = Vec::new();
 
-        for p in packages {
+        // Detect git state once for the build. Embed source_repo/source_rev
+        // (and per-package source_path) when the workspace is a clean git
+        // checkout with an origin remote; warn (but proceed) otherwise so
+        // users know the wasm won't be reproducible against a public source.
+        let (source_repo, source_rev, git_root) = match detect_git_state(workspace_root) {
+            GitState::Clean { repo, rev, root } => (Some(repo), Some(rev), Some(root)),
+            GitState::Dirty => {
+                print.warnln(
+                    "git working tree has uncommitted changes; source_repo/source_rev/bldopt_* not embedded in contract metadata. Commit changes for a reproducible build.",
+                );
+                (None, None, None)
+            }
+            GitState::NotARepo => (None, None, None),
+        };
+        // Mount the git repo root when available (so cross-workspace path
+        // dependencies and shared repo files are visible inside the
+        // container). Fall back to the cargo workspace root otherwise.
+        let mount_root = git_root.as_deref().unwrap_or(workspace_root);
+
+        // `--backend docker` runs the entire build pipeline (cargo + meta
+        // injection + spec filtering + optional wasm-opt) inside a container
+        // whose entrypoint is `stellar`. The host orchestrates only.
+        if let Backend::Docker { image } = &self.backend {
+            return self
+                .run_docker(
+                    image,
+                    &print,
+                    &packages,
+                    target_dir.as_std_path(),
+                    workspace_root,
+                    mount_root,
+                    git_root.as_deref(),
+                    source_repo.as_deref(),
+                    source_rev.as_deref(),
+                    &wasm_target,
+                )
+                .await;
+        }
+
+        for (i, p) in packages.iter().enumerate() {
+            if i > 0 {
+                // Blank line separating successive contract builds in a workspace.
+                eprintln!();
+            }
             let mut cmd = Command::new("cargo");
             cmd.stdout(Stdio::piped());
+            // `+<toolchain>` is rustup's explicit toolchain selector and overrides
+            // any `rust-toolchain.toml` in the workspace. Set by `verify` from
+            // the wasm's `rsver` meta entry.
+            if let Some(toolchain) = &self.rustup_toolchain {
+                cmd.arg(format!("+{toolchain}"));
+            }
             cmd.arg("rustc");
             if self.locked {
                 cmd.arg("--locked");
@@ -300,7 +463,22 @@ impl Cmd {
                     .join(&self.profile)
                     .join(&file);
 
-                self.inject_meta(&target_file_path)?;
+                let bldopt_manifest_path = git_root.as_deref().and_then(|gr| {
+                    pathdiff::diff_paths(&p.manifest_path, gr)
+                        .map(|p| p.to_string_lossy().into_owned())
+                });
+                self.inject_meta(
+                    &target_file_path,
+                    &ExtraMeta {
+                        bldimg: None,
+                        source_repo: source_repo.clone(),
+                        source_rev: source_rev.clone(),
+                        bldopt_manifest_path,
+                        bldopt_package: Some(p.name.clone()),
+                        bldopt_profile: Some(self.profile.clone()),
+                        bldopt_optimize: self.build_args.optimize,
+                    },
+                )?;
                 Self::filter_spec(&target_file_path)?;
 
                 let final_path = if let Some(out_dir) = &self.out_dir {
@@ -350,6 +528,129 @@ impl Cmd {
         Ok(built_contracts)
     }
 
+    /// Orchestrate a `--backend docker` build: pull the requested
+    /// stellar-cli image and run `stellar contract build` inside it
+    /// against the bind-mounted source. The in-container cli does cargo +
+    /// meta injection + spec filtering + optional wasm-opt itself; the
+    /// host only orchestrates and copies outputs to `--out-dir` if
+    /// requested.
+    #[allow(clippy::too_many_arguments)]
+    async fn run_docker(
+        &self,
+        image: &str,
+        print: &Print,
+        packages: &[Package],
+        target_dir: &Path,
+        workspace_root: &Path,
+        mount_root: &Path,
+        git_root: Option<&Path>,
+        source_repo: Option<&str>,
+        source_rev: Option<&str>,
+        wasm_target: &str,
+    ) -> Result<Vec<BuiltContract>, Error> {
+        // The user's --manifest-path (if any) is a host path; translate to
+        // the in-container `/source/...` form. If absent, fall back to the
+        // workspace root's Cargo.toml.
+        let host_manifest = self
+            .manifest_path
+            .clone()
+            .unwrap_or_else(|| workspace_root.join("Cargo.toml"));
+        let rel = pathdiff::diff_paths(&host_manifest, mount_root)
+            .unwrap_or_else(|| host_manifest.clone());
+        let in_container_manifest = Path::new(build_docker::SOURCE_DIR)
+            .join(rel)
+            .to_string_lossy()
+            .into_owned();
+
+        // TODO(transitional): forward host-detected `source_*` and
+        // `bldopt_*` reproducibility meta as `--meta` entries to the
+        // in-container cli. Released `stellar/stellar-cli` images today
+        // don't auto-inject these on build, so without this pass-through
+        // the resulting wasm would be missing them.
+        //
+        // Once a `stellar/stellar-cli` image carrying this PR's auto-
+        // injection logic is published and adopted as the default, the
+        // in-container cli will set these itself (and its values, being
+        // first in the meta section, take precedence over the user-meta
+        // entries we add here per `find_meta`'s first-match semantics).
+        // At that point, remove this block and let the in-container cli
+        // be the source of truth.
+        let mut meta = self.build_args.meta.clone();
+        if let Some(s) = source_repo {
+            meta.push(("source_repo".to_string(), s.to_string()));
+        }
+        if let Some(s) = source_rev {
+            meta.push(("source_rev".to_string(), s.to_string()));
+        }
+        meta.push(("bldopt_profile".to_string(), self.profile.clone()));
+        if self.build_args.optimize {
+            meta.push(("bldopt_optimize".to_string(), "true".to_string()));
+        }
+        // Per-package fields are only safe to forward when exactly one
+        // package will be built — passing a single value to a multi-package
+        // workspace build would attach the same `bldopt_package` /
+        // `bldopt_manifest_path` to every wasm. For multi-package builds we
+        // skip them and let the in-container cli supply them per-package
+        // (newer images will; older won't).
+        if packages.len() == 1 {
+            let p = &packages[0];
+            meta.push(("bldopt_package".to_string(), p.name.clone()));
+            if let Some(rel) = git_root.and_then(|gr| {
+                pathdiff::diff_paths(&p.manifest_path, gr)
+                    .map(|p| p.to_string_lossy().into_owned())
+            }) {
+                meta.push(("bldopt_manifest_path".to_string(), rel));
+            }
+        }
+
+        let inner = build_docker::InnerBuildArgs {
+            manifest_path: in_container_manifest,
+            package: self.package.as_deref(),
+            profile: &self.profile,
+            features: self.features.as_deref(),
+            all_features: self.all_features,
+            no_default_features: self.no_default_features,
+            optimize: self.build_args.optimize,
+            meta,
+        };
+
+        build_docker::run_in_docker(
+            image,
+            None,
+            self.rustup_toolchain.as_deref(),
+            mount_root,
+            &inner,
+            &self.container_args,
+            print,
+        )
+        .await?;
+
+        // The in-container build wrote its outputs to the bind-mounted
+        // target dir; copy to --out-dir if requested.
+        let mut built = Vec::with_capacity(packages.len());
+        for p in packages {
+            let wasm_name = p.name.replace('-', "_");
+            let file = format!("{wasm_name}.wasm");
+            let target_file_path = target_dir.join(wasm_target).join(&self.profile).join(&file);
+
+            let final_path = if let Some(out_dir) = &self.out_dir {
+                fs::create_dir_all(out_dir).map_err(Error::CreatingOutDir)?;
+                let out_file_path = out_dir.join(&file);
+                fs::copy(&target_file_path, &out_file_path)
+                    .map_err(Error::CopyingWasmFile)?;
+                out_file_path
+            } else {
+                target_file_path
+            };
+
+            built.push(BuiltContract {
+                name: p.name.clone(),
+                path: final_path,
+            });
+        }
+        Ok(built)
+    }
+
     fn features(&self) -> Option<Vec<String>> {
         self.features
             .as_ref()
@@ -417,9 +718,9 @@ impl Cmd {
         cmd.exec()
     }
 
-    fn inject_meta(&self, target_file_path: &PathBuf) -> Result<(), Error> {
+    fn inject_meta(&self, target_file_path: &PathBuf, extra: &ExtraMeta) -> Result<(), Error> {
         let mut wasm_bytes = fs::read(target_file_path).map_err(Error::ReadingWasmFile)?;
-        let xdr = self.encoded_new_meta()?;
+        let xdr = self.encoded_new_meta(extra)?;
         wasm_gen::write_custom_section(&mut wasm_bytes, META_CUSTOM_SECTION_NAME, &xdr);
 
         // Deleting .wasm file effectively unlinking it from /release/deps/.wasm preventing from overwrite
@@ -468,7 +769,7 @@ impl Cmd {
         fs::write(target_file_path, new_wasm).map_err(Error::WritingWasmFile)
     }
 
-    fn encoded_new_meta(&self) -> Result<Vec<u8>, Error> {
+    fn encoded_new_meta(&self, extra: &ExtraMeta) -> Result<Vec<u8>, Error> {
         let mut new_meta: Vec<ScMetaEntry> = Vec::new();
 
         // Always inject CLI version
@@ -478,6 +779,42 @@ impl Cmd {
         });
         new_meta.push(cli_meta_entry);
 
+        // Reproducible-build meta. `rsver` (rustc version) is recorded by
+        // soroban-sdk itself; here we add `bldimg` when --backend docker
+        // was used, and source_repo/source_rev when the workspace was a
+        // clean git checkout.
+        let kvs = [
+            ("bldimg", extra.bldimg.as_deref()),
+            ("source_repo", extra.source_repo.as_deref()),
+            ("source_rev", extra.source_rev.as_deref()),
+            (
+                "bldopt_manifest_path",
+                extra.bldopt_manifest_path.as_deref(),
+            ),
+            ("bldopt_package", extra.bldopt_package.as_deref()),
+            ("bldopt_profile", extra.bldopt_profile.as_deref()),
+            (
+                "bldopt_optimize",
+                if extra.bldopt_optimize {
+                    Some("true")
+                } else {
+                    None
+                },
+            ),
+        ];
+        for (k, v) in kvs {
+            let Some(v) = v else { continue };
+            let key: StringM = k
+                .to_string()
+                .try_into()
+                .map_err(|e| Error::MetaArg(format!("{k} is an invalid metadata key: {e}")))?;
+            let val: StringM = v
+                .to_string()
+                .try_into()
+                .map_err(|e| Error::MetaArg(format!("{v} is an invalid metadata value: {e}")))?;
+            new_meta.push(ScMetaEntry::ScMetaV0(ScMetaV0 { key, val }));
+        }
+
         // Add args provided meta
         for (k, v) in self.build_args.meta.clone() {
             let key: StringM = k
@@ -570,8 +907,120 @@ impl Cmd {
             }
         }
 
-        print.checkln("Build Complete\n");
+        print.checkln("Build Complete");
+    }
+}
+
+/// Extra meta entries to embed in the wasm's `contractmetav0` custom section.
+/// `cliver` is always embedded (separately). `rsver` is embedded by soroban-sdk.
+#[derive(Default, Debug, Clone)]
+struct ExtraMeta {
+    /// `bldimg`: fully-qualified container image used to build (e.g.
+    /// `docker.io/stellar/stellar-cli@sha256:...`). Set when `--backend
+    /// docker`; injected by the in-container cli via `--meta bldimg=...`,
+    /// not by this struct (which is only used on the local code path).
+    bldimg: Option<String>,
+    /// `source_repo`: HTTPS URL of the workspace's git origin remote.
+    /// Set only when the workspace is a clean git checkout.
+    source_repo: Option<String>,
+    /// `source_rev`: full SHA of the workspace's git HEAD commit.
+    /// Set only when the workspace is a clean git checkout.
+    source_rev: Option<String>,
+    /// `bldopt_manifest_path`: package's `Cargo.toml` path relative to the
+    /// git repo root. Set only when the workspace is a clean git checkout.
+    bldopt_manifest_path: Option<String>,
+    /// `bldopt_package`: cargo package name being built.
+    bldopt_package: Option<String>,
+    /// `bldopt_profile`: cargo profile (e.g. `release`).
+    bldopt_profile: Option<String>,
+    /// `bldopt_optimize`: present (with value `true`) iff `--optimize` was used.
+    bldopt_optimize: bool,
+}
+
+enum GitState {
+    NotARepo,
+    Dirty,
+    Clean {
+        repo: String,
+        rev: String,
+        root: PathBuf,
+    },
+}
+
+fn detect_git_state(workspace_root: &Path) -> GitState {
+    let in_repo = Command::new("git")
+        .arg("-C")
+        .arg(workspace_root)
+        .args(["rev-parse", "--git-dir"])
+        .output()
+        .map(|o| o.status.success())
+        .unwrap_or(false);
+    if !in_repo {
+        return GitState::NotARepo;
+    }
+    let dirty = Command::new("git")
+        .arg("-C")
+        .arg(workspace_root)
+        .args(["status", "--porcelain"])
+        .output()
+        .map(|o| !o.stdout.is_empty())
+        .unwrap_or(true);
+    if dirty {
+        return GitState::Dirty;
     }
+    let Some(repo) = git_output(workspace_root, &["remote", "get-url", "origin"])
+        .as_deref()
+        .and_then(remote_to_https)
+    else {
+        return GitState::Dirty;
+    };
+    let Some(rev) = git_output(workspace_root, &["rev-parse", "HEAD"]) else {
+        return GitState::Dirty;
+    };
+    let Some(root) =
+        git_output(workspace_root, &["rev-parse", "--show-toplevel"]).map(PathBuf::from)
+    else {
+        return GitState::Dirty;
+    };
+    GitState::Clean { repo, rev, root }
+}
+
+fn git_output(workspace_root: &Path, args: &[&str]) -> Option<String> {
+    let out = Command::new("git")
+        .arg("-C")
+        .arg(workspace_root)
+        .args(args)
+        .output()
+        .ok()?;
+    out.status
+        .success()
+        .then(|| String::from_utf8_lossy(&out.stdout).trim().to_string())
+        .filter(|s| !s.is_empty())
+}
+
+/// Convert a git remote URL to a canonical `https://...` form.
+fn remote_to_https(url: &str) -> Option<String> {
+    let url = url.trim();
+    let canonical = if url.starts_with("https://") || url.starts_with("http://") {
+        url.to_string()
+    } else if let Some(rest) = url.strip_prefix("git@") {
+        let (host, path) = rest.split_once(':')?;
+        format!("https://{host}/{path}")
+    } else if let Some(rest) = url.strip_prefix("ssh://git@") {
+        format!("https://{rest}")
+    } else if let Some(rest) = url.strip_prefix("ssh://") {
+        format!("https://{rest}")
+    } else if let Some(rest) = url.strip_prefix("git://") {
+        format!("https://{rest}")
+    } else {
+        return None;
+    };
+    Some(
+        canonical
+            .strip_suffix(".git")
+            .unwrap_or(&canonical)
+            .to_string(),
+    )
 }
 
 fn serialize_command(cmd: &Command) -> String {
@@ -845,4 +1294,43 @@ mod tests {
             "shlex round-trip failed: {raw_arg:?} not found as a single token in {tokens:?}"
         );
     }
+
+    #[test]
+    fn remote_to_https_normalizes_common_forms() {
+        let cases = [
+            ("https://github.com/x/y", "https://github.com/x/y"),
+            ("https://github.com/x/y.git", "https://github.com/x/y"),
+            ("http://example.com/x/y.git", "http://example.com/x/y"),
+            ("git@github.com:x/y.git", "https://github.com/x/y"),
+            ("ssh://git@github.com/x/y.git", "https://github.com/x/y"),
+            ("ssh://git.example.com/x/y", "https://git.example.com/x/y"),
+            ("git://github.com/x/y.git", "https://github.com/x/y"),
+        ];
+        for (input, want) in cases {
+            assert_eq!(
+                remote_to_https(input).as_deref(),
+                Some(want),
+                "input: {input}"
+            );
+        }
+        assert_eq!(remote_to_https("notaurl"), None);
+    }
+
+    #[test]
+    fn parse_backend_cases() {
+        assert!(matches!(parse_backend("local"), Ok(Backend::Local)));
+        let parsed = parse_backend("docker").unwrap();
+        match parsed {
+            Backend::Docker { image } => assert_eq!(image, DEFAULT_DOCKER_IMAGE),
+            other @ Backend::Local => panic!("expected Docker, got {other:?}"),
+        }
+        let parsed = parse_backend("docker=quay.io/foo/bar:tag").unwrap();
+        match parsed {
+            Backend::Docker { image } => assert_eq!(image, "quay.io/foo/bar:tag"),
+            other @ Backend::Local => panic!("expected Docker, got {other:?}"),
+        }
+        assert!(parse_backend("docker=").is_err());
+        assert!(parse_backend("docker-all").is_err());
+        assert!(parse_backend("nonsense").is_err());
+    }
 }
diff --git a/cmd/soroban-cli/src/commands/contract/build_docker.rs b/cmd/soroban-cli/src/commands/contract/build_docker.rs
new file mode 100644
index 000000000..9b03a9b00
--- /dev/null
+++ b/cmd/soroban-cli/src/commands/contract/build_docker.rs
@@ -0,0 +1,500 @@
+//! `--backend docker` build backend.
+//!
+//! Runs the entire `stellar contract build` pipeline inside a container
+//! whose entrypoint is `stellar` (the official `stellar/stellar-cli`
+//! image, or any user-supplied image with the same shape). The host
+//! orchestrates only — pull, set up bind mounts, run, stream logs.
+//!
+//! The host CLI's version is irrelevant: whatever cli is in the image is
+//! what builds the wasm and what records `cliver` / `rsver` / source meta
+//! into the wasm. The host injects `bldimg` (the pulled image's resolved
+//! digest) via the inner cli's `--meta` mechanism — no new flags.
+//!
+//! For `verify`, the recorded `bldimg` is pulled (so the same cli runs)
+//! and `RUSTUP_TOOLCHAIN` is set from the wasm's `rsver` so the rust
+//! toolchain matches whatever the original build used.
+//!
+//! User-supplied images must:
+//! - Have `stellar` as their entrypoint
+//! - Have `rustup` available with the `wasm32v1-none` target installed
+//!   (preflight-checked before the build runs)
+
+use std::path::Path;
+
+use bollard::{
+    models::ContainerCreateBody,
+    query_parameters::{
+        CreateContainerOptions, CreateImageOptions, LogsOptions, RemoveContainerOptions,
+        StartContainerOptions, WaitContainerOptions,
+    },
+    service::HostConfig,
+    Docker,
+};
+use futures_util::{StreamExt, TryStreamExt};
+
+use crate::{
+    commands::container::shared::{Args as ContainerArgs, Error as ContainerError},
+    print::Print,
+};
+
+const PLATFORM: &str = "linux/amd64";
+/// Where the workspace gets bind-mounted inside the container. Matches the
+/// official `stellar/stellar-cli` image's `WORKDIR`. Cargo writes its
+/// target directory under this path, so the host reads the wasm via the
+/// same bind mount — no separate `/target` mount needed.
+pub const SOURCE_DIR: &str = "/source";
+const REGISTRY_DIR: &str = "/usr/local/cargo/registry";
+
+#[derive(thiserror::Error, Debug)]
+pub enum Error {
+    #[error("cannot connect to docker daemon; is it running? ({0})")]
+    RuntimeNotRunning(ContainerError),
+
+    #[error("pulling docker image {image}: {source}")]
+    ImagePull {
+        image: String,
+        source: bollard::errors::Error,
+    },
+
+    #[error("inspecting docker image {image}: {source}")]
+    ImageInspect {
+        image: String,
+        source: bollard::errors::Error,
+    },
+
+    #[error("docker image {image} has no repository digest. Either pin via --backend docker=<registry>/<image>@sha256:..., or remove any locally-built image at this tag (`docker rmi {image}`) and let the default re-pull")]
+    NoDigest { image: String },
+
+    #[error("pulling docker image {image}: daemon reported error: {message}")]
+    PullDaemonError { image: String, message: String },
+
+    #[error("build failed inside docker container (exit {0})")]
+    BuildExit(i64),
+
+    #[error("docker run: {0}")]
+    Runtime(#[from] bollard::errors::Error),
+
+    #[error("resolving CARGO_HOME: {0}")]
+    CargoHome(std::io::Error),
+}
+
+/// Forwarded host build args used to construct the inner
+/// `stellar contract build` invocation. `manifest_path` is expected to
+/// already be in container-relative form (`/source/...`). `meta` holds both
+/// the user's `--meta` entries and any host-detected entries (e.g.
+/// `source_repo`, `source_rev`, `bldopt_*`) that are forwarded as
+/// transitional pass-throughs while the published cli image catches up.
+pub struct InnerBuildArgs<'a> {
+    pub manifest_path: String,
+    pub package: Option<&'a str>,
+    pub profile: &'a str,
+    pub features: Option<&'a str>,
+    pub all_features: bool,
+    pub no_default_features: bool,
+    pub optimize: bool,
+    pub meta: Vec<(String, String)>,
+}
+
+/// Pull the image (if needed), then run the in-container
+/// `stellar contract build --backend local --meta bldimg=<digest>` against
+/// the bind-mounted source. Returns the resolved image digest for the host
+/// to record.
+///
+/// `rsver` is `None` for fresh builds and `Some(<wasm's rsver>)` for verify;
+/// when set, `RUSTUP_TOOLCHAIN` inside the container is pinned to that
+/// toolchain so rustup-managed cargo uses the matching rust version.
+#[allow(clippy::too_many_arguments)]
+pub async fn run_in_docker(
+    image: &str,
+    pre_resolved: Option<&str>,
+    rsver: Option<&str>,
+    mount_root: &Path,
+    inner: &InnerBuildArgs<'_>,
+    container_args: &ContainerArgs,
+    print: &Print,
+) -> Result<String, Error> {
+    let docker: Docker = container_args
+        .connect_to_docker(print)
+        .await
+        .map_err(Error::RuntimeNotRunning)?;
+
+    let resolved = if let Some(r) = pre_resolved {
+        r.to_string()
+    } else {
+        // Skip the pull when the image is already local. For digest-pinned
+        // references the digest is immutable, so a present image is the
+        // image. This also sidesteps a bollard quirk where pulling an
+        // already-present digest-pinned image surfaces the daemon's
+        // "cannot overwrite digest" event as a stream error.
+        if docker.inspect_image(image).await.is_err() {
+            pull_image(&docker, image, print).await?;
+        }
+        resolve_image_digest(&docker, image).await?
+    };
+
+    print.infoln(format_inner_cmd(inner, &resolved));
+    run_inner_build(&docker, &resolved, inner, rsver, mount_root).await?;
+
+    Ok(resolved)
+}
+
+async fn run_inner_build(
+    docker: &Docker,
+    image: &str,
+    inner: &InnerBuildArgs<'_>,
+    rsver: Option<&str>,
+    mount_root: &Path,
+) -> Result<(), Error> {
+    let cargo_home = home::cargo_home().map_err(Error::CargoHome)?;
+    let binds = vec![
+        format!("{}:{}", mount_root.display(), SOURCE_DIR),
+        format!("{}:{}", cargo_home.join("registry").display(), REGISTRY_DIR),
+    ];
+
+    let mut env = vec![
+        format!("SOURCE_DATE_EPOCH={}", source_date_epoch(mount_root)),
+        "CARGO_TERM_COLOR=always".to_string(),
+    ];
+    if let Some(t) = rsver {
+        env.push(format!("RUSTUP_TOOLCHAIN={t}"));
+    }
+
+    // Override the image's entrypoint with a small shim that ensures the
+    // wasm target is installed for the active rust toolchain, then exec's
+    // `stellar`. Two reasons:
+    //
+    // - When `RUSTUP_TOOLCHAIN=<rsver>` selects a toolchain other than the
+    //   image's default (typical at verify time), the image's pre-installed
+    //   `wasm32v1-none` target is associated with the *other* toolchain,
+    //   not the selected one — `cargo build --target=wasm32v1-none` would
+    //   fail. `rustup target add` is idempotent (and quick, when the target
+    //   is already present) so always running it is safe.
+    // - The official `stellar/stellar-cli` image's stock entrypoint is a
+    //   wrapper script that launches dbus + gnome-keyring before exec-ing
+    //   `stellar`; that setup is irrelevant for `contract build` and dbus
+    //   refuses to start when the container runs as a host UID with no
+    //   `/etc/passwd` entry. Skipping it keeps the host UID mapping intact.
+    //
+    // TODO: remove this entrypoint override once
+    // https://github.com/stellar/stellar-cli/issues/2545 is implemented and
+    // the published image's entrypoint installs the wasm target itself
+    // (and doesn't drag dbus/gnome-keyring into the contract-build path).
+    let entrypoint = vec![
+        "sh".to_string(),
+        "-c".to_string(),
+        "rustup --quiet target add wasm32v1-none && exec stellar \"$@\"".to_string(),
+    ];
+    let argv = build_inner_argv(inner, image);
+
+    let config = ContainerCreateBody {
+        image: Some(image.to_string()),
+        entrypoint: Some(entrypoint),
+        cmd: Some(argv),
+        env: Some(env),
+        working_dir: Some(SOURCE_DIR.to_string()),
+        user: current_uid_gid(),
+        attach_stdout: Some(true),
+        attach_stderr: Some(true),
+        host_config: Some(HostConfig {
+            binds: Some(binds),
+            auto_remove: Some(false),
+            ..Default::default()
+        }),
+        ..Default::default()
+    };
+
+    let container_id = docker
+        .create_container(None::<CreateContainerOptions>, config)
+        .await?
+        .id;
+
+    let result = stream_and_wait(docker, &container_id).await;
+
+    let _ = docker
+        .remove_container(
+            &container_id,
+            Some(RemoveContainerOptions {
+                force: true,
+                ..Default::default()
+            }),
+        )
+        .await;
+
+    result
+}
+
+async fn stream_and_wait(docker: &Docker, container_id: &str) -> Result<(), Error> {
+    docker
+        .start_container(container_id, None::<StartContainerOptions>)
+        .await?;
+
+    let mut log_stream = docker.logs(
+        container_id,
+        Some(LogsOptions {
+            follow: true,
+            stdout: true,
+            stderr: true,
+            ..Default::default()
+        }),
+    );
+    while let Some(item) = log_stream.next().await {
+        let s = item?.to_string();
+        let s = s.trim_end_matches('\n');
+        if !s.is_empty() {
+            eprintln!("{s}");
+        }
+    }
+
+    let mut wait_stream = docker.wait_container(container_id, None::<WaitContainerOptions>);
+    let mut exit_code: i64 = 0;
+    while let Some(res) = wait_stream.next().await {
+        match res {
+            Ok(r) => exit_code = r.status_code,
+            Err(bollard::errors::Error::DockerContainerWaitError { code, .. }) => exit_code = code,
+            Err(e) => return Err(Error::Runtime(e)),
+        }
+    }
+    if exit_code != 0 {
+        return Err(Error::BuildExit(exit_code));
+    }
+    Ok(())
+}
+
+/// Build the argv passed via `cmd`. The image's entrypoint is overridden
+/// to `sh -c '<script>' "$@"`, so the first element is the `$0` placeholder
+/// for sh; the rest become `stellar`'s actual args (since `<script>` ends
+/// in `exec stellar "$@"`).
+///
+/// We deliberately do not pass `--backend local` here: the in-container cli
+/// may be a release that predates this PR and doesn't know about `--backend`.
+/// Its default behavior (build locally) is what we want anyway. `bldimg` is
+/// forwarded as a `--meta` entry (an existing flag) so the in-container
+/// build records it in the wasm meta — without depending on any new flags
+/// from this PR. The presence of `bldimg` itself signals a docker build;
+/// no separate `bldbkd` field is needed.
+fn build_inner_argv(inner: &InnerBuildArgs<'_>, image: &str) -> Vec<String> {
+    let mut argv: Vec<String> = vec![
+        "sh".to_string(), // $0 placeholder for the entrypoint's `sh -c`
+        "contract".to_string(),
+        "build".to_string(),
+        "--manifest-path".to_string(),
+        inner.manifest_path.clone(),
+        "--profile".to_string(),
+        inner.profile.to_string(),
+        "--locked".to_string(),
+        "--meta".to_string(),
+        format!("bldimg={image}"),
+    ];
+    if let Some(p) = inner.package {
+        argv.push("--package".to_string());
+        argv.push(p.to_string());
+    }
+    if let Some(f) = inner.features {
+        argv.push("--features".to_string());
+        argv.push(f.to_string());
+    }
+    if inner.all_features {
+        argv.push("--all-features".to_string());
+    }
+    if inner.no_default_features {
+        argv.push("--no-default-features".to_string());
+    }
+    if inner.optimize {
+        argv.push("--optimize".to_string());
+    }
+    for (k, v) in &inner.meta {
+        argv.push("--meta".to_string());
+        argv.push(format!("{k}={v}"));
+    }
+    argv
+}
+
+fn format_inner_cmd(inner: &InnerBuildArgs<'_>, image: &str) -> String {
+    // Skip the `$0` placeholder when displaying.
+    build_inner_argv(inner, image)
+        .into_iter()
+        .skip(1)
+        .collect::<Vec<_>>()
+        .join(" ")
+}
+
+/// Pull `image` (by tag or by digest) on `linux/amd64`. Daemon-reported
+/// errors in the pull event stream are surfaced as `PullDaemonError`.
+pub(super) async fn pull_image(
+    docker: &Docker,
+    image: &str,
+    print: &Print,
+) -> Result<(), Error> {
+    let mut stream = docker.create_image(
+        Some(CreateImageOptions {
+            from_image: Some(image.to_string()),
+            platform: PLATFORM.to_string(),
+            ..Default::default()
+        }),
+        None,
+        None,
+    );
+    let mut first = true;
+    while let Some(item) = stream.try_next().await.map_err(|e| Error::ImagePull {
+        image: image.to_string(),
+        source: e,
+    })? {
+        if let Some(detail) = item.error_detail {
+            return Err(Error::PullDaemonError {
+                image: image.to_string(),
+                message: detail.message.unwrap_or_else(|| "unknown".to_string()),
+            });
+        }
+        if let Some(status) = item.status {
+            if status.contains("Pulling from")
+                || status.contains("Digest")
+                || status.contains("Status")
+            {
+                if first {
+                    print.infoln(status);
+                    first = false;
+                } else {
+                    print.blankln(status);
+                }
+            }
+        }
+    }
+    Ok(())
+}
+
+/// Returns a fully-qualified `<registry>/<path>@sha256:<digest>` reference
+/// for embedding in `bldimg`. If `image` already contains an `@sha256:...`
+/// reference, it's used directly. Otherwise we fall back to inspecting the
+/// local image's `RepoDigests` after pull. (For the default image we ship
+/// a digest-pinned reference, so this fallback is rare.)
+pub(super) async fn resolve_image_digest(
+    docker: &Docker,
+    image: &str,
+) -> Result<String, Error> {
+    let canonical = fully_qualify(strip_tag(image));
+    let digest = if let Some(d) = sha256_digest(image) {
+        d.to_string()
+    } else {
+        docker
+            .inspect_image(image)
+            .await
+            .map_err(|e| Error::ImageInspect {
+                image: image.to_string(),
+                source: e,
+            })?
+            .repo_digests
+            .unwrap_or_default()
+            .into_iter()
+            .find_map(|d| sha256_digest(&d).map(str::to_string))
+            .ok_or_else(|| Error::NoDigest {
+                image: image.to_string(),
+            })?
+    };
+    Ok(format!("{canonical}@{digest}"))
+}
+
+fn sha256_digest(image: &str) -> Option<&str> {
+    let (_, after) = image.rsplit_once('@')?;
+    after.starts_with("sha256:").then_some(after)
+}
+
+fn strip_tag(image: &str) -> &str {
+    let no_digest = image.split_once('@').map_or(image, |(name, _)| name);
+    match no_digest.rfind('/') {
+        Some(slash) => match no_digest[slash + 1..].rfind(':') {
+            Some(colon) => &no_digest[..slash + 1 + colon],
+            None => no_digest,
+        },
+        None => match no_digest.rfind(':') {
+            Some(colon) => &no_digest[..colon],
+            None => no_digest,
+        },
+    }
+}
+
+fn fully_qualify(name: &str) -> String {
+    let has_registry = name
+        .split_once('/')
+        .is_some_and(|(host, _)| host.contains('.') || host.contains(':') || host == "localhost");
+    if has_registry {
+        name.to_string()
+    } else if name.contains('/') {
+        format!("docker.io/{name}")
+    } else {
+        format!("docker.io/library/{name}")
+    }
+}
+
+#[allow(clippy::unnecessary_wraps)]
+#[cfg(unix)]
+fn current_uid_gid() -> Option<String> {
+    Some(format!("{}:{}", unsafe { libc::getuid() }, unsafe {
+        libc::getgid()
+    }))
+}
+
+#[cfg(not(unix))]
+fn current_uid_gid() -> Option<String> {
+    None
+}
+
+/// Best-effort SOURCE_DATE_EPOCH from the workspace's HEAD commit time;
+/// falls back to `"0"` when not in a git repo.
+fn source_date_epoch(mount_root: &Path) -> String {
+    std::process::Command::new("git")
+        .arg("-C")
+        .arg(mount_root)
+        .args(["log", "-1", "--format=%ct"])
+        .output()
+        .ok()
+        .filter(|o| o.status.success())
+        .map(|o| String::from_utf8_lossy(&o.stdout).trim().to_string())
+        .filter(|s| !s.is_empty())
+        .unwrap_or_else(|| "0".to_string())
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn sha256_digest_cases() {
+        assert_eq!(sha256_digest("name"), None);
+        assert_eq!(sha256_digest("name:tag"), None);
+        assert_eq!(sha256_digest("name@md5:abc"), None);
+        assert_eq!(sha256_digest("name@sha256:abc"), Some("sha256:abc"));
+        assert_eq!(
+            sha256_digest("host:5000/name:tag@sha256:abc"),
+            Some("sha256:abc")
+        );
+    }
+
+    #[test]
+    fn strip_tag_cases() {
+        assert_eq!(strip_tag("rust"), "rust");
+        assert_eq!(strip_tag("rust:latest"), "rust");
+        assert_eq!(strip_tag("rust@sha256:abc"), "rust");
+        assert_eq!(strip_tag("rust:latest@sha256:abc"), "rust");
+        assert_eq!(
+            strip_tag("docker.io/library/rust:latest"),
+            "docker.io/library/rust"
+        );
+        assert_eq!(strip_tag("host:5000/myimage:v1"), "host:5000/myimage");
+    }
+
+    #[test]
+    fn fully_qualify_cases() {
+        assert_eq!(fully_qualify("rust"), "docker.io/library/rust");
+        assert_eq!(fully_qualify("myorg/myimage"), "docker.io/myorg/myimage");
+        assert_eq!(
+            fully_qualify("docker.io/library/rust"),
+            "docker.io/library/rust"
+        );
+        assert_eq!(
+            fully_qualify("quay.io/myorg/myimage"),
+            "quay.io/myorg/myimage"
+        );
+        assert_eq!(fully_qualify("host:5000/myimage"), "host:5000/myimage");
+        assert_eq!(fully_qualify("localhost/myimage"), "localhost/myimage");
+    }
+}
diff --git a/cmd/soroban-cli/src/commands/contract/deploy/wasm.rs b/cmd/soroban-cli/src/commands/contract/deploy/wasm.rs
index 6a51b3a07..ea1164a7d 100644
--- a/cmd/soroban-cli/src/commands/contract/deploy/wasm.rs
+++ b/cmd/soroban-cli/src/commands/contract/deploy/wasm.rs
@@ -74,6 +74,18 @@ pub struct Cmd {
     /// Package to build when auto-building without --wasm
     #[arg(long, help_heading = "Build Options", conflicts_with = "wasm_src")]
     pub package: Option<String>,
+    /// Build backend; see `stellar contract build --help` for values.
+    #[arg(
+        long,
+        value_name = "BACKEND",
+        default_value = "local",
+        value_parser = build::parse_backend,
+        help_heading = "Build Options",
+        conflicts_with = "wasm_src",
+    )]
+    pub backend: build::Backend,
+    #[command(flatten)]
+    pub container_args: crate::commands::container::shared::Args,
     #[command(flatten)]
     pub build_args: build::BuildArgs,
 }
@@ -182,7 +194,7 @@ impl Cmd {
             return Err(Error::BuildOnlyNotSupported);
         }
 
-        let built_contracts = self.resolve_contracts(global_args)?;
+        let built_contracts = self.resolve_contracts(global_args).await?;
 
         // When --wasm-hash is used, no built contracts are returned.
         // Deploy directly with the hash.
@@ -259,7 +271,7 @@ impl Cmd {
         Ok(())
     }
 
-    fn resolve_contracts(
+    async fn resolve_contracts(
         &self,
         global_args: &global::Args,
     ) -> Result<Vec<build::BuiltContract>, Error> {
@@ -279,10 +291,12 @@ impl Cmd {
         // Neither provided: auto-build
         let build_cmd = build::Cmd {
             package: self.package.clone(),
+            backend: self.backend.clone(),
+            container_args: self.container_args.clone(),
             build_args: self.build_args.clone(),
             ..build::Cmd::default()
         };
-        let contracts = build_cmd.run(global_args).map_err(|e| match e {
+        let contracts = build_cmd.run(global_args).await.map_err(|e| match e {
             build::Error::Metadata(_) => Error::NotInCargoProject,
             other => other.into(),
         })?;
@@ -316,6 +330,10 @@ impl Cmd {
                     ignore_checks: self.ignore_checks,
                     build_only: is_build,
                     package: None,
+                    backend: build::Backend::Local,
+                    container_args: crate::commands::container::shared::Args {
+                        docker_host: None,
+                    },
                     build_args: build::BuildArgs::default(),
                 }
                 .execute(config, quiet, no_cache)
@@ -370,6 +388,7 @@ impl Cmd {
             }
             get_remote_wasm_from_hash(&client, &wasm_hash).await?
         };
+        warn_if_mainnet_wasm_not_reproducible(&raw_wasm, &network.network_passphrase, &print);
         let entries = soroban_spec_tools::contract::Spec::new(&raw_wasm)?.spec;
         let res = soroban_spec_tools::Spec::new(entries.clone().as_slice());
         let constructor_params = if let Ok(func) = res.find_function(CONSTRUCTOR_FUNCTION_NAME) {
@@ -472,6 +491,53 @@ fn build_create_contract_tx(
     Ok(tx)
 }
 
+/// On mainnet, warn if the wasm is missing the meta entries that indicate
+/// a reproducible build (`bldimg`, `cliver`, `rsver`, `source_repo`,
+/// `source_rev`, `bldopt_*`). `bldimg` is the docker-build marker — its
+/// presence indicates the wasm was built inside a recorded image; its
+/// absence means a local build with no image to verify against. Skipped on
+/// other networks. Best-effort: parse failures are silently ignored.
+fn warn_if_mainnet_wasm_not_reproducible(
+    wasm_bytes: &[u8],
+    network_passphrase: &str,
+    print: &Print,
+) {
+    if network_passphrase != crate::config::network::passphrase::MAINNET {
+        return;
+    }
+    let Ok(spec) = soroban_spec_tools::contract::Spec::new(wasm_bytes) else {
+        return;
+    };
+    let required = [
+        "bldimg",
+        "cliver",
+        "rsver",
+        "source_repo",
+        "source_rev",
+        "bldopt_manifest_path",
+        "bldopt_package",
+        "bldopt_profile",
+    ];
+    let missing: Vec<&str> = required
+        .iter()
+        .filter(|k| {
+            !spec.meta.iter().any(|e| {
+                let crate::xdr::ScMetaEntry::ScMetaV0(crate::xdr::ScMetaV0 { key, .. }) = e;
+                key.to_string() == **k
+            })
+        })
+        .copied()
+        .collect();
+    if missing.is_empty() {
+        return;
+    }
+    print.warnln(format!(
+        "the wasm being deployed is missing reproducibility meta entries: {missing:?}. \
+         The deployed wasm may not be independently verifiable. To make it reproducible, \
+         build with `stellar contract build --backend docker` in a clean git repository."
+    ));
+}
+
 #[cfg(test)]
 mod tests {
     use super::*;
diff --git a/cmd/soroban-cli/src/commands/contract/info/shared.rs b/cmd/soroban-cli/src/commands/contract/info/shared.rs
index b06d6eb4d..183ce9dca 100644
--- a/cmd/soroban-cli/src/commands/contract/info/shared.rs
+++ b/cmd/soroban-cli/src/commands/contract/info/shared.rs
@@ -122,7 +122,7 @@ pub async fn fetch(args: &Args, print: &Print) -> Result<Fetched, Error> {
     // Check if a local WASM file path is provided
     if let Some(path) = &args.wasm {
         // Read the WASM file and return its contents
-        print.infoln("Loading contract spec from file...");
+        print.infoln("Loading contract from file...");
         let wasm_bytes = wasm::Args { wasm: path.clone() }.read()?;
         return Ok(Fetched {
             contract: Contract::Wasm { wasm_bytes },
@@ -148,9 +148,7 @@ pub async fn fetch(args: &Args, print: &Print) -> Result<Fetched, Error> {
             .verify_network_passphrase(Some(&network.network_passphrase))
             .await?;
 
-        print.globeln(format!(
-            "Downloading contract spec for wasm hash: {wasm_hash}"
-        ));
+        print.globeln(format!("Downloading contract for wasm hash: {wasm_hash}"));
         let wasm_bytes = get_remote_wasm_from_hash(&client, &hash).await?;
         Ok(Fetched {
             contract: Contract::Wasm { wasm_bytes },
@@ -164,7 +162,7 @@ pub async fn fetch(args: &Args, print: &Print) -> Result<Fetched, Error> {
             contract_id.resolve_contract_id(&args.locator, &network.network_passphrase)?;
         let derived_address =
             xdr::ScAddress::Contract(ContractId(xdr::Hash(contract_id.0))).to_string();
-        print.globeln(format!("Downloading contract spec: {derived_address}"));
+        print.globeln(format!("Downloading contract: {derived_address}"));
         let res = wasm::fetch_from_contract(&contract_id, network).await;
         if let Some(ContractIsStellarAsset) = res.as_ref().err() {
             return Ok(Fetched {
diff --git a/cmd/soroban-cli/src/commands/contract/mod.rs b/cmd/soroban-cli/src/commands/contract/mod.rs
index 294a6d1b0..602e10797 100644
--- a/cmd/soroban-cli/src/commands/contract/mod.rs
+++ b/cmd/soroban-cli/src/commands/contract/mod.rs
@@ -3,6 +3,7 @@ pub mod arg_parsing;
 pub mod asset;
 pub mod bindings;
 pub mod build;
+pub mod build_docker;
 pub mod deploy;
 pub mod extend;
 pub mod fetch;
@@ -16,6 +17,7 @@ pub mod read;
 pub mod restore;
 pub mod spec_verify;
 pub mod upload;
+pub mod verify;
 
 use crate::{commands::global, print::Print, utils::deprecate_message};
 
@@ -164,7 +166,7 @@ impl Cmd {
             Cmd::Asset(asset) => asset.run(global_args).await?,
             Cmd::Bindings(bindings) => bindings.run().await?,
             Cmd::Build(build) => {
-                build.run(global_args)?;
+                build.run(global_args).await?;
             }
             Cmd::Extend(extend) => extend.run(global_args).await?,
             Cmd::Alias(alias) => alias.run(global_args)?,
diff --git a/cmd/soroban-cli/src/commands/contract/upload.rs b/cmd/soroban-cli/src/commands/contract/upload.rs
index 203da3cc3..f1ecc7fd3 100644
--- a/cmd/soroban-cli/src/commands/contract/upload.rs
+++ b/cmd/soroban-cli/src/commands/contract/upload.rs
@@ -56,6 +56,18 @@ pub struct Cmd {
     /// Package to build when --wasm is not provided
     #[arg(long, help_heading = "Build Options", conflicts_with = "wasm")]
     pub package: Option<String>,
+    /// Build backend; see `stellar contract build --help` for values.
+    #[arg(
+        long,
+        value_name = "BACKEND",
+        default_value = "local",
+        value_parser = build::parse_backend,
+        help_heading = "Build Options",
+        conflicts_with = "wasm",
+    )]
+    pub backend: build::Backend,
+    #[command(flatten)]
+    pub container_args: crate::commands::container::shared::Args,
     #[command(flatten)]
     pub build_args: build::BuildArgs,
 }
@@ -135,7 +147,7 @@ impl Cmd {
             return Err(Error::BuildOnlyNotSupported);
         }
 
-        let wasm_paths = self.resolve_wasm_paths(global_args)?;
+        let wasm_paths = self.resolve_wasm_paths(global_args).await?;
 
         for wasm_path in &wasm_paths {
             let res = self
@@ -172,16 +184,18 @@ impl Cmd {
         self.upload_wasm(&wasm_path, config, quiet, no_cache).await
     }
 
-    fn resolve_wasm_paths(&self, global_args: &global::Args) -> Result<Vec<PathBuf>, Error> {
+    async fn resolve_wasm_paths(&self, global_args: &global::Args) -> Result<Vec<PathBuf>, Error> {
         if let Some(wasm) = &self.wasm {
             Ok(vec![wasm.clone()])
         } else {
             let build_cmd = build::Cmd {
                 package: self.package.clone(),
+                backend: self.backend.clone(),
+                container_args: self.container_args.clone(),
                 build_args: self.build_args.clone(),
                 ..build::Cmd::default()
             };
-            let contracts = build_cmd.run(global_args).map_err(|e| match e {
+            let contracts = build_cmd.run(global_args).await.map_err(|e| match e {
                 build::Error::Metadata(_) => Error::NotInCargoProject,
                 other => other.into(),
             })?;
diff --git a/cmd/soroban-cli/src/commands/contract/verify.rs b/cmd/soroban-cli/src/commands/contract/verify.rs
new file mode 100644
index 000000000..aecd7dd4e
--- /dev/null
+++ b/cmd/soroban-cli/src/commands/contract/verify.rs
@@ -0,0 +1,221 @@
+use std::fs;
+use std::path::PathBuf;
+
+use clap::Parser;
+use sha2::{Digest, Sha256};
+use soroban_spec_tools::contract::{self, Spec};
+use stellar_xdr::curr::{ScMetaEntry, ScMetaV0};
+
+use super::build;
+use super::info::shared::{self, fetch, Contract, Fetched};
+use crate::commands::container::shared::Args as ContainerArgs;
+use crate::commands::global;
+use crate::print::Print;
+
+/// Verify a wasm by rebuilding it and comparing bytes.
+///
+/// All cdylib contracts in the workspace are rebuilt; verification succeeds
+/// if any rebuilt artifact is byte-identical to the input. The user is
+/// responsible for checking out the matching commit before running.
+///
+/// Backend selection from meta:
+/// - `bldimg` present: rebuild inside that image (with `RUSTUP_TOOLCHAIN`
+///   pinned to the wasm's `rsver` so the rust version matches whatever the
+///   original build used).
+/// - `bldimg` absent: rebuild locally with the host's rust toolchain pinned
+///   via `cargo +<rsver>`. Best-effort — local builds depend on environment
+///   factors (system libs, env vars) that aren't captured in meta.
+#[derive(Parser, Debug, Clone)]
+#[group(skip)]
+pub struct Cmd {
+    #[command(flatten)]
+    pub common: shared::Args,
+
+    #[command(flatten)]
+    pub container_args: ContainerArgs,
+}
+
+#[derive(thiserror::Error, Debug)]
+pub enum Error {
+    #[error(transparent)]
+    Shared(#[from] shared::Error),
+    #[error(transparent)]
+    Spec(#[from] contract::Error),
+    #[error(transparent)]
+    Build(#[from] build::Error),
+    #[error("stellar asset contract has no source to verify")]
+    StellarAssetContract,
+    #[error("required '{0}' meta entry not found in contract; rebuild the wasm with `stellar contract build --backend docker` to make it verifiable")]
+    MissingMeta(&'static str),
+    #[error("verification failed: none of the rebuilt artifacts ({}) match original ({expected})", produced.iter().map(|(n, h)| format!("{n}={h}")).collect::<Vec<_>>().join(", "))]
+    Mismatch {
+        expected: String,
+        produced: Vec<(String, String)>,
+    },
+    #[error("reading rebuilt wasm: {0}")]
+    ReadingRebuilt(std::io::Error),
+}
+
+impl Cmd {
+    #[allow(clippy::too_many_lines)]
+    pub async fn run(&self, global_args: &global::Args) -> Result<(), Error> {
+        let print = Print::new(global_args.quiet);
+
+        let Fetched { contract, .. } = fetch(&self.common, &print).await?;
+        let wasm_bytes = match contract {
+            Contract::Wasm { wasm_bytes } => wasm_bytes,
+            Contract::StellarAssetContract => return Err(Error::StellarAssetContract),
+        };
+        let original_hash = hex::encode(Sha256::digest(&wasm_bytes));
+        let spec = Spec::new(&wasm_bytes)?;
+        let cliver = find_meta(&spec.meta, "cliver").ok_or(Error::MissingMeta("cliver"))?;
+        let bldimg = find_meta(&spec.meta, "bldimg");
+        let rsver = find_meta(&spec.meta, "rsver").ok_or(Error::MissingMeta("rsver"))?;
+        let bldopt_manifest_path = find_meta(&spec.meta, "bldopt_manifest_path");
+        let bldopt_package = find_meta(&spec.meta, "bldopt_package");
+        let bldopt_profile = find_meta(&spec.meta, "bldopt_profile");
+        let bldopt_optimize = find_meta(&spec.meta, "bldopt_optimize").is_some();
+
+        // Bldopts are best-effort: warn about missing ones and fall back to
+        // the build command's defaults so verify still tries to rebuild.
+        let missing_bldopts: Vec<&str> = [
+            ("bldopt_manifest_path", bldopt_manifest_path.is_some()),
+            ("bldopt_package", bldopt_package.is_some()),
+            ("bldopt_profile", bldopt_profile.is_some()),
+        ]
+        .into_iter()
+        .filter_map(|(k, present)| (!present).then_some(k))
+        .collect();
+        if !missing_bldopts.is_empty() {
+            print.warnln(format!(
+                "wasm meta is missing build option entries: {missing_bldopts:?}. \
+                 The build may not be reproducible — defaults will be used for missing options."
+            ));
+        }
+
+        print.blankln(format!("Original wasm hash: {original_hash}"));
+        print.blankln(format!("stellar-cli version: {cliver}"));
+        print.blankln(format!("rust version: {rsver}"));
+        if let Some(b) = &bldimg {
+            print.blankln(format!("Docker image: {b}"));
+        }
+        if let Some(p) = &bldopt_manifest_path {
+            print.blankln(format!("Manifest path: {p}"));
+        }
+        if let Some(p) = &bldopt_package {
+            print.blankln(format!("Package: {p}"));
+        }
+        if let Some(p) = &bldopt_profile {
+            print.blankln(format!("Profile: {p}"));
+        }
+        if bldopt_optimize {
+            print.blankln("Optimize: true");
+        }
+
+        let backend = match bldimg {
+            Some(image) => build::Backend::Docker { image },
+            None => build::Backend::Local,
+        };
+
+        // Resolve the manifest path relative to the cwd's git top-level so
+        // verify works from anywhere inside the checkout.
+        let manifest_path = bldopt_manifest_path.map(|s| {
+            let p = PathBuf::from(&s);
+            if p.is_absolute() {
+                p
+            } else if let Some(root) = git_top_level() {
+                root.join(p)
+            } else {
+                p
+            }
+        });
+
+        let build_cmd = build::Cmd {
+            manifest_path,
+            package: bldopt_package,
+            profile: bldopt_profile.unwrap_or_else(|| build::Cmd::default().profile),
+            backend,
+            container_args: self.container_args.clone(),
+            rustup_toolchain: Some(rsver),
+            build_args: build::BuildArgs {
+                optimize: bldopt_optimize,
+                ..build::BuildArgs::default()
+            },
+            ..build::Cmd::default()
+        };
+        let built = build_cmd.run(global_args).await?;
+
+        // Hash every rebuilt artifact and find one that matches.
+        let mut produced = Vec::with_capacity(built.len());
+        let mut matched = None;
+        for c in &built {
+            let bytes = fs::read(&c.path).map_err(Error::ReadingRebuilt)?;
+            let hash = hex::encode(Sha256::digest(&bytes));
+            if matched.is_none() && hash == original_hash {
+                matched = Some(c.name.clone());
+            }
+            produced.push((c.name.clone(), hash));
+        }
+
+        // For multi-contract workspaces, separate the per-contract build
+        // output from the final verdict with a blank line.
+        if built.len() > 1 {
+            eprintln!();
+        }
+        if let Some(name) = matched {
+            print.checkln(format!(
+                "Verified: rebuilt {name} wasm matches {original_hash}"
+            ));
+            Ok(())
+        } else {
+            Err(Error::Mismatch {
+                expected: original_hash,
+                produced,
+            })
+        }
+    }
+}
+
+fn git_top_level() -> Option<PathBuf> {
+    let out = std::process::Command::new("git")
+        .args(["rev-parse", "--show-toplevel"])
+        .output()
+        .ok()?;
+    out.status
+        .success()
+        .then(|| PathBuf::from(String::from_utf8_lossy(&out.stdout).trim()))
+}
+
+fn find_meta(meta: &[ScMetaEntry], key: &str) -> Option<String> {
+    meta.iter().find_map(|entry| {
+        let ScMetaEntry::ScMetaV0(ScMetaV0 { key: k, val }) = entry;
+        (k.to_string() == key).then(|| val.to_string())
+    })
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    fn entry(key: &str, val: &str) -> ScMetaEntry {
+        ScMetaEntry::ScMetaV0(ScMetaV0 {
+            key: key.to_string().try_into().unwrap(),
+            val: val.to_string().try_into().unwrap(),
+        })
+    }
+
+    #[test]
+    fn find_meta_returns_value_for_exact_key() {
+        let meta = vec![
+            entry("bldimg2", "wrong"),
+            entry("cliver", "v1"),
+            entry("bldimg", "img@sha256:abc"),
+        ];
+        assert_eq!(find_meta(&meta, "cliver"), Some("v1".to_string()));
+        assert_eq!(
+            find_meta(&meta, "bldimg"),
+            Some("img@sha256:abc".to_string())
+        );
+        assert_eq!(find_meta(&meta, "missing"), None);
+    }
+}
diff --git a/draft-specification.md b/draft-specification.md
new file mode 100644
index 000000000..80a91ac86
--- /dev/null
+++ b/draft-specification.md
@@ -0,0 +1,213 @@
+## Preamble
+
+```
+SEP: 0000
+Title: Soroban Contract Build Reproducibility and Verification
+Author: Leigh McCulloch <@leighmcculloch>
+Status: Draft
+Created: 2026-05-01
+Updated: 2026-05-01
+Version: 0.1.0
+Discussion: TBD
+```
+
+## Simple Summary
+
+Standardize the metadata embedded in Soroban contract wasm artifacts so that any third party can reproducibly rebuild a contract from source and verify the on-chain artifact byte-for-byte against the claimed source.
+
+This SEP describes a *rebuild-based* verification path. It is complementary to [SEP-55](https://github.com/stellar/stellar-protocol/blob/master/ecosystem/sep-0055.md), which describes an *attestation-based* path (relying on signed evidence from a trusted CI environment instead of an independent rebuild). The two approaches address the same trust question with different operational and trust trade-offs; a single wasm can carry meta supporting either, both, or neither.
+
+## Dependencies
+
+- [SEP-46](https://github.com/stellar/stellar-protocol/blob/master/ecosystem/sep-0046.md) — Contract Meta. Defines the `contractmetav0` Wasm custom section that this SEP populates with reproducibility entries.
+- [SEP-55](https://github.com/stellar/stellar-protocol/blob/master/ecosystem/sep-0055.md) — Soroban Smart Contracts Build Verification (informative). Defines an attestation-based verification mechanism. SEP-55 also defines a `source_repo` meta key.
+
+## Motivation
+
+Today, when a contract is deployed to mainnet, the on-chain artifact is opaque bytes. A user wishing to evaluate the contract has no programmatic way to confirm that those bytes were built from a particular source tree. Anyone *can* rebuild a contract and compare hashes, but the build environment — host OS, container image, rust toolchain version, cargo features, profile, manifest path — is not recorded anywhere on-chain or in the wasm itself. Without a standard set of inputs to the rebuild, two well-intentioned verifiers can produce different bytes from the same source and reach different conclusions.
+
+This SEP closes that gap by:
+
+1. Defining a stable set of meta entries that build tooling embeds in every reproducible build — enough information that a verifier can stand up a matching build environment.
+2. Defining a deterministic verification algorithm — rebuild from the recorded environment, sha256, compare.
+
+[SEP-55](https://github.com/stellar/stellar-protocol/blob/master/ecosystem/sep-0055.md) addresses the same trust question via a different mechanism: the build CI signs an attestation, and verifiers check the attestation rather than rebuilding. Rebuild-based verification (this SEP) requires no trust in a particular CI but demands a deterministic build environment; attestation-based verification (SEP-55) accepts trust in the attesting CI but demands no rebuild. The two are not mutually exclusive — a builder can publish meta supporting both, and a verifier can pick whichever path best fits their threat model.
+
+## Abstract
+
+A reproducible Soroban contract build embeds a set of meta entries in the wasm's `contractmetav0` custom section — the toolchain version (`rsver`), the build cli's identity (`cliver`), the container image used (`bldimg`), the source repository and commit (`source_repo`, `source_rev`), and the per-package build options (`bldopt_*`). A verifier reads those entries, reconstructs the build environment, rebuilds, and compares the resulting wasm's sha256 to the original. This SEP defines the entries and the algorithm; it does not prescribe specific tooling.
+
+## Specification
+
+### 1. Build meta entries
+
+A reproducible build embeds the following entries in the wasm's `contractmetav0` custom section. Each entry is a `ScMetaEntry::ScMetaV0` with a UTF-8 `key` and UTF-8 `val`. Values that fail their format regex below are not considered conformant.
+
+| key | description | format regex |
+|---|---|---|
+| `cliver` | Build cli version + git rev. | `^\d+\.\d+\.\d+(-[A-Za-z0-9.+-]+)?#([0-9a-f]{40}(-dirty)?)?$` |
+| `rsver` | Resolved rustc version used for the build. | `^\d+\.\d+\.\d+(-[A-Za-z0-9.+-]+)?$` |
+| `bldimg` | Fully-qualified container image used for the build, pinned by digest. Required for builds claiming `docker`-class reproducibility; absent for host-local builds. | `^[^@\s]+@sha256:[0-9a-f]{64}$` |
+| `source_repo` | HTTPS URL of the source repository's origin. Recorded only when the working tree was clean at build time. | `^https?://\S+$` |
+| `source_rev` | Full 40-char SHA-1 of the source commit (`HEAD`). Recorded only when the working tree was clean at build time. | `^[0-9a-f]{40}$` |
+| `bldopt_manifest_path` | Path to the package's `Cargo.toml` relative to the repository root. | `^([^/\s]+/)*Cargo\.toml$` |
+| `bldopt_package` | Cargo package name being built. | `^[A-Za-z][A-Za-z0-9_-]*$` |
+| `bldopt_profile` | Cargo profile (e.g. `release`). | `^[A-Za-z][A-Za-z0-9_-]*$` |
+| `bldopt_optimize` | Present and equal to `true` iff post-build wasm optimization (`wasm-opt`) was applied. | `^true$` |
+
+Tooling may inject additional, application-specific entries; verifiers ignore unrecognized keys.
+
+### 2. Build classes
+
+A wasm's reproducibility class is determined by the meta entries present:
+
+- **Class A — container-pinned**: all of `cliver`, `rsver`, `bldimg`, `source_repo`, `source_rev`, `bldopt_manifest_path`, `bldopt_package`, `bldopt_profile` are present and conformant. The build is reproducible to the bytes of `bldimg`'s pulled image content; verification produces identical bytes on any host with a working docker daemon and access to the registry.
+- **Class B — host best-effort**: all of `cliver`, `rsver`, `source_repo`, `source_rev`, `bldopt_manifest_path`, `bldopt_package`, `bldopt_profile` are present and conformant; `bldimg` is absent. The build was performed on the host with a non-containerized toolchain. Verification is best-effort and may produce different bytes on different hosts due to environment differences not captured in meta.
+- **Class C — non-reproducible**: any required entry above is absent. Verification cannot be claimed.
+
+Tooling deploying to mainnet should warn when a wasm is Class B or C.
+
+### 3. Verification algorithm
+
+Given an on-chain or offline wasm `W`, a verifier produces a verification result as follows:
+
+1. Compute `sha256(W)` → `original_hash`.
+2. Parse `W`'s `contractmetav0` section. Extract the entries listed in §1.
+3. Determine the build class per §2. If Class C, verification fails: the wasm carries insufficient meta to be reproduced.
+4. Source acquisition is the verifier's responsibility. The verifier ensures a checkout of `source_repo` at commit `source_rev` is available before invoking the rebuild; this SEP does not mandate a clone strategy.
+5. Reconstruct the build environment:
+   - For Class A: pull `bldimg` (digest-pinned, so deterministic) and run the rebuild inside that container with the source checkout bind-mounted in. The rust toolchain inside the container MUST be the version recorded in `rsver` (e.g. via the `RUSTUP_TOOLCHAIN` environment variable when rustup is the in-image toolchain manager).
+   - For Class B: use the host rust toolchain pinned to `rsver` (e.g. via `cargo +<rsver>` when rustup is the host toolchain manager).
+6. In the reconstructed environment, perform a cargo build of the recorded package. The build MUST:
+   - target `wasm32v1-none`,
+   - use `--locked` (so `Cargo.lock` is honored verbatim),
+   - use the package's `Cargo.toml` at `bldopt_manifest_path`,
+   - target package `bldopt_package`,
+   - use cargo profile `bldopt_profile`,
+   - apply `wasm-opt` post-build optimization iff `bldopt_optimize` is present and equal to `true`,
+   - and otherwise use cargo defaults (no extra features, default dependency resolution, etc.).
+7. Locate the rebuilt wasm artifact for `bldopt_package` and compute its sha256 → `rebuilt_hash`.
+8. Verification succeeds iff `rebuilt_hash == original_hash`.
+
+In a workspace with multiple cdylib packages, a verifier MAY rebuild all packages and search for any rebuilt artifact whose hash matches `original_hash`; this accommodates cases where the recorded `bldopt_package` cannot be honored verbatim.
+
+## Limitations
+
+- This SEP makes the *build* reproducible. It does not make the *source* trustworthy. Verification proves the deployed bytes match a particular source tree; whether that source is correct, audited, or non-malicious is an orthogonal concern.
+- Class B (host best-effort) verification is environment-dependent. Two verifiers may legitimately disagree.
+- Verifiers depend on the integrity of the docker image registry hosting `bldimg` and on the integrity of the source host (`source_repo`). Compromise of either invalidates the verification.
+- The current `cliver` regex permits three legacy install-path renderings (clean sha, dirty sha, empty rev). A future revision of this SEP will narrow that regex once cli build tooling normalizes the rendering.
+
+## Design Rationale
+
+**Why digest-pin `bldimg`?** A registry tag is mutable; a content digest is not. A verifier pulling a digest is guaranteed to receive the same bytes the original builder used. Recording a tag would punt the reproducibility question to the registry's mutable state.
+
+**Why allow Class B at all?** Mandating containers would lock out builders without a working daemon (CI environments without privileged docker, restricted corporate networks, hobbyists on locked-down machines). A best-effort tier with explicit "may not match" semantics is more useful than no record at all, provided consumers understand the tier difference.
+
+**Why record `rsver`?** Cargo's wasm output is sensitive to rustc version. Without recording the toolchain, two verifiers on different default toolchains would legitimately produce different bytes from the same source. Recording `rsver` lets each verifier pin to the exact version the original build used (typically via `cargo +<rsver>` on hosts, or `RUSTUP_TOOLCHAIN` inside containers).
+
+**Why does this SEP not define a verification result format?** Verification is a continuous activity and verifiers vary in audience, storage, and tooling preferences. Mandating a schema would over-constrain implementations whose only obligation, from this SEP's point of view, is to follow §3 faithfully. Verifiers are free to publish however suits them; consumers that aggregate across verifiers can adapt to each verifier's format.
+
+**Why have both this SEP and SEP-55?** They answer overlapping but distinct questions. SEP-55 (attestation-based) answers "did a particular trusted CI compile this wasm from this source?" — useful when the verifier is willing to trust the CI provider's signing infrastructure and wants to skip the cost of rebuilding. This SEP (rebuild-based) answers "does this source, compiled with the recorded environment, produce these exact bytes?" — useful when the verifier wants no third-party trust assumption beyond the source host and the container image registry. A wasm that carries meta supporting both gives consumers maximum flexibility; a verifier picks the path matching their threat model.
+
+**Source-repo format alignment with SEP-55.** SEP-55 defines `source_repo` as `github:<user>/<repo>`. This SEP defines it as an HTTPS URL — the form already produced by existing build tooling. Both SEPs are draft and a future revision should converge on a single format (or define independent keys) to avoid ambiguity. Until then, tooling consuming `source_repo` should be tolerant of either form and able to derive a clone URL from each.
+
+**Why `bldopt_*` per-field rather than a single struct?** Meta entries are flat key-value strings. Encoding a struct (e.g. JSON) in a single value is opaque to consumers that just want one field; flat keys are inspectable with grep.
+
+## Security Concerns
+
+- **Source-host trust.** `source_repo` is a URL the verifier fetches from; a compromised host (or an attacker between verifier and host) can serve a different commit at the recorded `source_rev`. SHA-1 collisions in git are not considered practical at the time of writing but verifiers SHOULD prefer hosts that publish signed tags or commit signatures where available.
+- **Container-image trust.** A digest pin is integrity-protective only as long as the digest references a valid manifest at the registry. Registry compromise (or image deletion) breaks verification.
+- **Verifier compromise.** A verifier can publish false-positive attestations. Consumers SHOULD weigh attestations by verifier reputation and aggregate from multiple independent verifiers.
+- **Verifier non-determinism.** A verifier MUST itself be reproducible (pinned cli version, pinned base OS). A drifting verifier produces noise that consumers cannot distinguish from genuine build divergence.
+- **Meta tampering.** A malicious builder could publish a wasm with deceptive `source_repo`/`source_rev` claims that don't reproduce. Verification's value is precisely catching this case — a non-matching rebuild is a positive signal that the meta is wrong.
+- **What this does not protect against.** This SEP says nothing about the soundness of the source itself. Verified builds are necessary but not sufficient for trust.
+
+## Changelog
+
+* `v0.1.0` - Initial draft.
+
+## Appendix A: Example Implementations
+
+The following implementations demonstrate the spec in practice. They are illustrative, not normative — any tool that produces conformant meta and any verifier that follows §3 satisfies this SEP.
+
+### A.1. `stellar` CLI (build and verify)
+
+The Stellar Development Foundation's `stellar` command-line tool implements both meta-embedding (at build time) and the §3 verification algorithm (via a `verify` subcommand).
+
+**Producing a Class A wasm:**
+
+```
+$ stellar contract build --backend docker
+ℹ Pulling from stellar/stellar-cli
+   Digest: sha256:cb2fc3...
+ℹ contract build --manifest-path /source/contracts/foo/Cargo.toml --profile release --locked --meta bldimg=docker.io/stellar/stellar-cli@sha256:cb2fc3...
+   Compiling foo v…
+✅ Build Complete
+
+$ stellar contract info meta --wasm target/wasm32v1-none/release/foo.wasm
+cliver=26.0.0#abc1234567890abcdef1234567890abcdef12345
+rsver=1.83.0
+bldimg=docker.io/stellar/stellar-cli@sha256:cb2fc3...
+source_repo=https://github.com/user/my-contract
+source_rev=abc1234567890abcdef1234567890abcdef12345
+bldopt_manifest_path=contracts/foo/Cargo.toml
+bldopt_package=foo
+bldopt_profile=release
+```
+
+**Verifying a deployed contract:**
+
+```
+$ stellar contract build verify --contract-id CXXX… --network mainnet
+ℹ Loading contract from network...
+ℹ Loading meta from contract...
+   Original wasm hash: 9f86d081…
+   stellar-cli version: 26.0.0#abc1234…
+   rust version: 1.83.0
+   Docker image: docker.io/stellar/stellar-cli@sha256:cb2fc3...
+   Manifest path: contracts/foo/Cargo.toml
+   Package: foo
+   Profile: release
+ℹ contract build --manifest-path /source/contracts/foo/Cargo.toml --profile release --locked --meta bldimg=...
+   Compiling foo v…
+✅ Build Complete
+✅ Verified: rebuilt foo wasm matches 9f86d081…
+```
+
+In the docker case, the `verify` subcommand pulls `bldimg` and runs the build inside it, setting `RUSTUP_TOOLCHAIN=<rsver>` so the in-container rust matches the recorded version. In the local case, it invokes `cargo +<rsver>` against the host toolchain.
+
+### A.2. CI-driven verification at scale (`contract-verifications`)
+
+The `stellar-experimental/contract-verifications` repository ([link](https://github.com/stellar-experimental/contract-verifications)) is one example of running §3 in CI. It runs a daily GitHub Actions job that walks an upstream wasm corpus, performs §3 against each entry using `stellar contract build verify`, and publishes per-wasm JSON records under version control.
+
+A minimal sketch of the same pattern:
+
+```yaml
+name: verify
+on:
+  schedule: [{ cron: '0 6 * * *' }]
+jobs:
+  verify:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - run: curl -sSf https://soroban.stellar.org/install | sh
+      - run: |
+          for wasm in wasms/*.wasm; do
+            hash=$(sha256sum "$wasm" | cut -d' ' -f1)
+            test -f "results/$hash.json" && continue   # idempotency
+            stellar contract build verify --wasm "$wasm" \
+              | tee "results/$hash.json"
+          done
+      - run: git add results/ && git commit -m "verify run" && git push
+```
+
+A verifier following this pattern in production should:
+
+- pin their own verifier-tool version so their results are themselves reproducible, and disclose that version alongside each result;
+- record the original wasm sha256, the rebuilt sha256, and the verification outcome at a minimum;
+- avoid mutating published results — re-running a verification produces a new record rather than overwriting an existing one;
+- skip wasms already verified by the same verifier at the same tool version (idempotency).
+
+The choice of storage, scheduling, and record format is left to the verifier; conformance to §3 is the only thing that makes results comparable across verifiers.