diff --git a/src/codeforerunner/release_surfaces.json b/src/codeforerunner/release_surfaces.json
index 0bd06ff..c32e2c3 100644
--- a/src/codeforerunner/release_surfaces.json
+++ b/src/codeforerunner/release_surfaces.json
@@ -46,6 +46,15 @@
       "version_source": { "file": "plugins/codex/marketplace.json", "kind": "json_path", "selector": ["marketplace", "version"] },
       "validations": ["check_versions", "validate_codex_marketplace", "tag_matches_version"]
     },
+    {
+      "name": "socket-badge",
+      "kind": "badge",
+      "registry": "README.md Socket badge (https://badge.socket.dev/npm/package/codeforerunner/{version}; Socket has no latest endpoint, so the URL is version-pinned and bumped by scripts/bump-version.sh)",
+      "auth_mode": "none",
+      "workflow": null,
+      "version_source": { "file": "README.md", "kind": "regex", "selector": "https://badge\\.socket\\.dev/npm/package/codeforerunner/([^)]+)" },
+      "validations": ["check_versions"]
+    },
     {
       "name": "installer-shim-sh",
       "kind": "installer_shim",
diff --git a/src/codeforerunner/release_surfaces.py b/src/codeforerunner/release_surfaces.py
index 49f98f0..cf9a9ee 100644
--- a/src/codeforerunner/release_surfaces.py
+++ b/src/codeforerunner/release_surfaces.py
@@ -20,7 +20,13 @@
 from pathlib import Path
 
 KINDS = frozenset(
-    {"package_registry", "container_registry", "plugin_marketplace", "installer_shim"}
+    {
+        "package_registry",
+        "container_registry",
+        "plugin_marketplace",
+        "installer_shim",
+        "badge",
+    }
 )
 AUTH_MODES = frozenset({"oidc", "github_token", "pat", "none"})
 VERSION_SOURCE_KINDS = frozenset({"toml_path", "json_path", "regex"})
diff --git a/tests/test_release_surfaces.py b/tests/test_release_surfaces.py
index 8f53ae6..d299391 100644
--- a/tests/test_release_surfaces.py
+++ b/tests/test_release_surfaces.py
@@ -59,6 +59,18 @@ def test_version_sources_resolve_and_agree_in_this_checkout():
     assert len(set(versions.values())) == 1, f"version drift across surfaces: {versions}"
 
 
+def test_socket_badge_surface_is_registered_and_reads_readme_version():
+    badge = rs.get("socket-badge")
+    assert badge.kind == "badge"
+    assert badge.version_source["file"] == "README.md"
+    # Reads the version segment of the Socket badge URL straight from README,
+    # so a stale badge pin diverging from the canonical version is caught by
+    # the version-parity check above.
+    assert rs.read_surface_version(badge, REPO_ROOT) == rs.read_surface_version(
+        rs.get("pypi"), REPO_ROOT
+    )
+
+
 def test_read_surface_version_detects_drift(tmp_path):
     # Build a fake checkout where pyproject and package.json disagree; the
     # manifest-driven reader must surface two distinct values.