Search everything...

Stats

Actions

Available In

forgeproof

Name: forgeproof
Author: ryanjmichie-git

By ryanjmichie-git

Converts GitHub issues into working code with cryptographically signed provenance bundles. Every file edit, design decision, and test result is recorded in a tamper-evident Ed25519 hash chain. The .rpack bundle lets reviewers verify AI-generated code was not altered after creation — no external services, no API keys, pure local cryptography.

npx claudepluginhub ryanjmichie-git/forgeproof-plugin --plugin forgeproof

Popularity

Stars

Above avg

Med: 0·Avg: 285

Installs

Med: 0·Avg: 1

What's Inside

Skills4

forgeproof-push

/forgeproof-push

Push a ForgeProof branch and open a pull request with provenance metadata embedded in the PR description. Use after running /forgeproof to create a PR from the generated code. Triggers on "push forgeproof", "create PR from forgeproof", or "open pull request with provenance".

forgeproof-reset

/forgeproof-reset

Clean up ForgeProof local state for an issue or all issues. Deletes provenance chains, bundles, ephemeral keys, and optionally branches. Use when you need to re-run ForgeProof on an issue or clean up after testing. Triggers on "reset forgeproof", "clean up forgeproof", or "forgeproof reset".

forgeproof-verify

/forgeproof-verify

Verify a ForgeProof provenance bundle (.rpack file). Use when the user asks to "verify a bundle", "check provenance", "validate an rpack", "verify forgeproof", or wants to confirm that AI-generated code has not been tampered with since signing. Supports verifying bundles from other repositories or PRs.

forgeproof

/forgeproof

Create provenance-tracked code from a GitHub issue with a cryptographically signed audit trail. Use when the user asks to "forgeproof an issue", "create a provenance bundle", "generate auditable code from an issue", or wants cryptographically signed proof of AI-generated work. Supports Python, TypeScript/JavaScript, and Go projects. Invoke with an issue number or without one to browse assigned issues.

Hooks1

Event Hooks

Bash

File writes

2 hooks across 2 events

Stats

Version1.0.1

ReleasedMay 12, 2026

LanguagePython

Stars1

MaintenanceExcellent

LicenseMIT

Last CommitMay 12, 2026

AddedApr 23, 2026

Actions

View on GitHub View README Plugin Marketplace JSON

Own this plugin?

Verify ownership to unlock analytics, metadata editing, and a verified badge. GitHub access is read-only (username + org membership).

Available In

forgeproof-plugin1

Safety Signals

Caution

Executes bash commands

Hook triggers when Bash tool is used

Modifies files

Hook triggers on file write and edit operations

README

ForgeProof

Turn GitHub issues into working code with cryptographically signed provenance bundles.

When you invoke ForgeProof, Claude reads a GitHub issue, extracts requirements, plans an implementation, writes code and tests, then packages everything into a tamper-evident .rpack bundle. The bundle proves what was done, why, and that nothing was altered after signing.

Install

In Claude Code:

/plugin marketplace add anthropics/claude-plugins-community
/plugin install forgeproof@claude-community
/reload-plugins

Or browse interactively: run /plugin, go to the Discover tab, search for forgeproof, press Enter, and choose your install scope.

Prefer the CLI? Same commands without the leading slash:

claude plugin marketplace add anthropics/claude-plugins-community
claude plugin install forgeproof@claude-community

Requirements

Python 3.11+ (stdlib only — no pip dependencies)
OpenSSH 8.0+ (provides ssh-keygen for Ed25519 signing)
GitHub CLI (gh) authenticated to your account — install

Verify your setup:

/forgeproof preflight

Supported Languages

ForgeProof auto-detects your project's language and toolchain:

Language	Config file	Test runner	Linter
Python	`pyproject.toml`, `setup.cfg`	pytest	ruff, flake8
TypeScript/JavaScript	`package.json`	jest, vitest, mocha	eslint
Go	`go.mod`	go test	golangci-lint

Usage

Generate code from an issue

/forgeproof 42

Runs the full pipeline: fetch issue → extract requirements → plan → generate code → run tests → sign .rpack bundle. You'll be asked to approve the plan before code generation begins.

Browse your assigned issues instead:

/forgeproof

Push to a PR

/forgeproof-push

Creates a git branch and opens a pull request with the provenance summary embedded in the PR description.

Verify a bundle

/forgeproof-verify .forgeproof/issue-42.rpack

Checks the Ed25519 signature, hash chain integrity, and artifact hashes. Reports whether the bundle has been tampered with.

Clean up state

/forgeproof-reset 42

Removes provenance chains, bundles, ephemeral keys, and branches for a specific issue. Use --all to clean everything.

Re-running on the same issue

ForgeProof handles re-runs gracefully. Running /forgeproof 42 again will:

Clean up the previous chain and bundle (via --force)
Delete and recreate the local branch
Push with --force-with-lease if the remote branch exists
Update the existing PR instead of creating a duplicate

How It Works

ForgeProof operates in four phases:

Parse & Plan — Fetches the GitHub issue, extracts structured requirements (REQ-1, REQ-2, ...), scans the repo, and proposes a plan. Waits for your approval.
Generate — Writes implementation and tests. Every file edit and decision is logged to a SHA-256 hash chain with Ed25519 signatures.
Evaluate — Runs your project's test suite and linter. Maps results back to requirements. Attempts one auto-fix if something fails.
Package — Builds the .rpack provenance bundle: manifest, artifact hashes, requirement coverage, decision log, and a root Ed25519 signature. The ephemeral private key is deleted after signing.

The .rpack Bundle

The .rpack file is a JSON document containing:

Issue metadata — number, title, URL
Requirements — extracted from the issue, with coverage status
Artifacts — every file created or modified, with SHA-256 hashes
Decisions — why Claude chose each approach
Evaluation — test results, lint results, coverage percentage
Signature — Ed25519 signature over a root digest of all the above

The evaluation status is one of:

pass — all requirements covered, all tests pass
partial — some requirements uncovered or tests failing (details included)
fail — critical failures

Bundles are always produced regardless of status. The status tells reviewers whether to trust the bundle at a glance.

Security Model

Ephemeral keys — a new Ed25519 keypair is generated per bundle. The private key is deleted after signing. The public key is embedded in the .rpack for self-contained verification.
Tamper evidence — modifying any field in the bundle, any block in the chain, or any artifact file causes verification to fail.
No external data transmission — all data stays local. ForgeProof only calls gh CLI (which uses your existing GitHub auth) and ssh-keygen.

Privacy

ForgeProof stores provenance data locally in the .forgeproof/ directory at your project root. No data is sent to external servers beyond what gh CLI sends to GitHub (issue reads, PR creation). No telemetry, no analytics, no third-party services.

Troubleshooting

"No chain found for issue N" — Run /forgeproof N first to initialize the chain.

View full README on GitHub

forgeproof

Popularity

What's Inside

Confidence

README

ForgeProof

Install

Requirements

Supported Languages

Usage

Generate code from an issue

Push to a PR

Verify a bundle

Clean up state

Re-running on the same issue

How It Works

The .rpack Bundle

Security Model

Privacy

Troubleshooting

Similar Plugins

fullstack-dev-skills

ecc

godot-skills

nature-skills

octo

claude-buddy

ForgeProof

Install

Requirements

Supported Languages

Usage

Generate code from an issue

Push to a PR

Verify a bundle

Clean up state

Re-running on the same issue

How It Works

The .rpack Bundle

Security Model

Privacy

Troubleshooting

Popularity

Health & Quality

Similar Plugins

fullstack-dev-skills

ecc

godot-skills

nature-skills

octo

claude-buddy