/bluespec.plan

🛡️ Turn what detect found into a defense plan: for each finding, the fix to apply.

Depends on detect

Plan works only from what /bluespec.detect already mapped, so run detect first.

Run it

/bluespec.plan

How it works

This phase continues from detect. Detect already found what your system does and the risk each thing carries, so the plan does not repeat the risk assessment; it decides what to do about it. Plan never reads the code, which forces every fix to point at something detect actually detected. Each planned fix carries a priority and the charter principle it upholds. For example:

  • File uploads (Priority: Critical)
    • Upholds: III. All input is untrusted until validated.
    • Fix: check the file's real type and size, rename it on save, and store uploads where they cannot be run as code.

From there, you have a prioritized list of fixes, each tied to a finding and ready for the next phase to apply.

Tip
  • It builds entirely on detect. If a file or worry was never mapped, it tells you to run /bluespec.detect on it first.
  • Running it again updates the plan: done fixes drop off, new ones come in.
  • The defense plan lives in .bluespec/memory/plan.md.
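The two rules above (every fix must point at something detect mapped; a re-run drops done fixes and adds new ones) can be modelled as a small reconciliation step. The following is an added, constructed example and not bluespec's own code or plan file format: the `Finding`/`Fix` classes, the finding ids, the priority scale and the charter principles other than III are assumptions chosen for illustration.

```python
"""Toy model of the detect -> plan hand-off (constructed example, not bluespec's code).

Rules modelled:
  1. A fix that refers to a finding detect never mapped is rejected with a
     pointer back to /bluespec.detect.
  2. Re-running the plan drops fixes marked done, keeps open ones, and adds
     proposed fixes for findings that are not planned yet.
  3. Entries render in the bullet layout the page shows, sorted by priority.
"""
from dataclasses import dataclass

# Assumed priority scale; the page only shows "Critical".
PRIORITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}


@dataclass(frozen=True)
class Finding:
    id: str    # hypothetical id detect attaches to a mapped behaviour
    what: str  # what the system does, e.g. "File uploads"


@dataclass(frozen=True)
class Fix:
    finding_id: str  # must reference a Finding.id from detect
    priority: str
    upholds: str     # charter principle the fix upholds
    fix: str
    done: bool = False


class UnmappedFinding(ValueError):
    """Raised when a fix points at something detect never mapped."""


def reconcile(findings, current_plan, proposed):
    """Return the updated plan: open fixes kept, done fixes dropped, new ones added."""
    mapped = {f.id for f in findings}
    for fix in list(current_plan) + list(proposed):
        if fix.finding_id not in mapped:
            raise UnmappedFinding(
                f"{fix.finding_id!r} is not in detect output; run /bluespec.detect on it first"
            )
    kept = [f for f in current_plan if not f.done]          # done fixes drop off
    already_planned = {f.finding_id for f in kept}
    added = [f for f in proposed if f.finding_id not in already_planned]  # new ones come in
    plan = kept + added
    plan.sort(key=lambda f: (PRIORITY_RANK[f.priority], f.finding_id))
    return plan


def render(plan, findings):
    """Render plan entries in the page's bullet layout."""
    what = {f.id: f.what for f in findings}
    lines = []
    for fix in plan:
        lines.append(f"  • {what[fix.finding_id]} (Priority: {fix.priority})")
        lines.append(f"    • Upholds: {fix.upholds}")
        lines.append(f"    • Fix: {fix.fix}")
    return "\n".join(lines)


# Constructed sample data. Only principle III and the upload fix come from the page;
# the other findings, ids and principles are placeholders.
FINDINGS = [
    Finding("F1", "File uploads"),
    Finding("F2", "Login form"),
    Finding("F3", "Admin export"),
]
CURRENT_PLAN = [
    Fix("F2", "High", "II. (constructed principle)", "Rate-limit failed logins.", done=True),
    Fix("F1", "Critical", "III. All input is untrusted until validated.",
        "check the file's real type and size, rename it on save, and store uploads "
        "where they cannot be run as code."),
]
PROPOSED = [
    Fix("F3", "Medium", "IV. (constructed principle)",
        "Restrict export to the admin role and log each export."),
    # Duplicate proposal for an already-planned finding; reconcile() ignores it.
    Fix("F1", "Critical", "III. All input is untrusted until validated.", "duplicate proposal"),
]

if __name__ == "__main__":
    print(render(reconcile(FINDINGS, CURRENT_PLAN, PROPOSED), FINDINGS))
```

Running the module prints the upload entry first (Critical) followed by the new export entry; the done login fix is gone and the duplicate upload proposal is not added twice.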

Next

Apply the plan: /bluespec.harden.