/bluespec.prove

🧪 Turn each detected finding into runnable, defense-only evidence for responsible disclosure.

For every finding the detect map carries, it writes a self-contained advisory and a test that asserts the safe path, so the test fails while the issue is live and passes once the code is fixed.

tip

Blue Spec tests live isolated under .bluespec/, apart from your own suite.

Builds on detect

Prove reads the detect map from /bluespec.detect, so run detect first.

Run it

/bluespec.prove

How it works

It reads the source each finding points at and writes one directory per proven finding under .bluespec/proofs/, holding exactly two files:

File | What it is
report.test.mjs (or .cjs) | The test. It runs on Poku when your project already uses it, otherwise on the native Node.js runner, so it needs nothing installed.
report.md | A self-contained advisory: severity, impact, how it reproduces, and the run command, readable on its own.

The proofs are always JavaScript, so they stay portable whatever language your project is written in. A README.md index links every proof and gives a single command to run them all.

tip
  • It is optional and autonomous: not one of the five phases, and not part of the tracking chain.
  • It writes only into .bluespec/proofs/ and never touches the phase artifacts or your code, which it only reads.
  • A finding whose test does not reproduce the issue gets no proof, and it tells you to run /bluespec.detect on that spot to reconcile.
  • Running it again reconciles the proofs: a finding that is gone or no longer reproduces has its directory removed.

Defense only, and authorized

Before generating anything, it confirms you are authorized to test the target, and it refuses any request for a working exploit, an attack payload, or detection evasion. A proof demonstrates the safe behavior; it never emits an attack input.

From proof to disclosure

To report the vulnerability, put each proven finding's two files together in a private GitHub Gist. They are evidence of a live, undisclosed issue, so keep them out of commits and share them only through that Gist until the maintainers have resolved it.

Closing a finding in the Blue Spec chain is still the job of /bluespec.harden and /bluespec.verify: prove produces evidence; it does not close anything.