bootproof 0.4.0 → 0.4.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md CHANGED
@@ -5,6 +5,10 @@
5
5
 
6
6
  BootProof answers one question: **did this repository actually boot?** Not "did a command run?" Not "did Docker say containers are up?" Not "did an AI agent say it worked?" BootProof inspects a repo, builds an evidence-based run plan, executes only what it can justify, observes real health, and writes a signed attestation for success or failure. No proof, no green check.
7
7
 
8
+ <p align="center">
9
+ <img src="assets/bootproof-supabase-demo.gif" alt="BootProof verifying a Supabase-style stack: infers the boot path, starts services, observes HTTP health, writes a signed attestation" width="900">
10
+ </p>
11
+
8
12
  ---
9
13
 
10
14
  ## The Living Receipt: proof that travels
package/dist/proof.d.ts CHANGED
@@ -1,5 +1,5 @@
1
1
  import type { Attestation, AttestationTrust, ObservedStep, RunPlan, FailureClass, HealthEvidence, VerificationMode, ExternalVerificationClassification } from "./types.js";
2
- export declare const TOOL_ID = "bootproof@0.4.0";
2
+ export declare const TOOL_ID = "bootproof@0.4.1";
3
3
  export type { AttestationTrust } from "./types.js";
4
4
  export type SignerTrustTier = "invalid" | "self" | "known" | "unknown-foreign";
5
5
  export interface SignatureTrustResult {
package/dist/proof.js CHANGED
@@ -5,7 +5,7 @@ import path from "node:path";
5
5
  import { execFileSync } from "node:child_process";
6
6
  import { buildExecutionEnv } from "./exec.js";
7
7
  import { redactJsonValue } from "./redact.js";
8
- export const TOOL_ID = "bootproof@0.4.0";
8
+ export const TOOL_ID = "bootproof@0.4.1";
9
9
  export function gitInfo(repo) {
10
10
  const git = (...args) => {
11
11
  try {
@@ -0,0 +1,83 @@
1
+ # Distribution Kit v2
2
+
3
+ The first launch was never seen. HN auto-kills link posts from new accounts silently; Reddit automod filters new accounts before humans see them. The market has not said no — it has not been asked yet. This kit is the re-ask, through channels with no bouncer at the door.
4
+
5
+ **The one metric for the next 30 days: receipts in the wild that you did not generate.** Target: 10. Everything below exists to move that number.
6
+
7
+ ---
8
+
9
+ ## Part 1 — Recover Hacker News
10
+
11
+ 1. Log out of HN (or set `showdead: yes` in your profile) and view the Show HN post. If it shows [dead], it was auto-killed and zero humans saw it.
12
+ 2. Email the moderators. They are responsive, they vouch legitimate posts from new accounts, and they run a second-chance pool for good posts that sank unfairly.
13
+
14
+ > To: hn@ycombinator.com
15
+ > Subject: New account, Show HN appears auto-killed
16
+ >
17
+ > Hi — I posted a Show HN for my open-source project (link to the post) from a new account and I believe it was caught by the spam filter. It's a runtime verification tool for AI-generated code (github.com/bootproof/bootproof), genuinely my own work, Apache-2.0 licensed. Would appreciate a look — happy to answer anything. Thanks for what you do.
18
+
19
+ 3. Before any repost: (a) the 60-second GIF exists and is the first thing in the README; (b) spend a week leaving genuinely useful comments on other threads so the account has history. Reposting a no-traction story is explicitly allowed.
20
+ 4. Repost Tue–Thu, 14:00–16:00 UK (morning US). Title suggestion — note that plain "BootProof" collides in search with a football-boot bag brand, so lead with the claim, not the name:
21
+ "Show HN: Signed receipts proving my AI agent's code actually runs"
22
+
23
+ ---
24
+
25
+ ## Part 2 — Receipt-First Outreach
26
+
27
+ The mechanic that no other product can copy: the email CONTAINS the proof, about THEIR repo. Process per target, ~20 minutes:
28
+
29
+ 1. `bootproof up <their-repo> --provider local --unsafe-local --receipt`
30
+ 2. Whatever happens is the opening line:
31
+ - Boots clean → attach Living Receipt: "here's signed proof your repo boots from a fresh clone."
32
+ - Honest refusal (like Airbyte) → even better story: "my tool refused to pretend it could boot your stack — here's the signed refusal."
33
+ 3. Send. Short. No ask beyond "curious what you think." Never attach to a repo's issue tracker unless their contributing docs invite tooling discussion — email or their stated contact route only.
34
+
35
+ ### Template A — maintainer publicly weary of AI slop
36
+
37
+ > Subject: Signed proof {repo} boots from a fresh clone (41s) — thought of your AI-slop posts
38
+ >
39
+ > Hi {name} — your writing about the burden of AI-generated {reports/PRs} is half the reason I built this. BootProof boots a repo under supervision and signs what it observed; no observed health signal, no green check. I ran it against {repo}: {one-sentence honest result}. The receipt is attached — it's a single HTML file that re-verifies its own signature in your browser, and visibly collapses if you tamper with a byte (there's a button).
40
+ >
41
+ > There's also a CI gate so agent PRs can't merge without an observed boot. If it's useless to you, that's a data point I want too. Either way — thanks for the writing.
42
+
43
+ ### Template B — repo you already tested (Airbyte-class)
44
+
45
+ > Subject: Your repo, cryptographically refusing to lie about itself
46
+ >
47
+ > Hi — I built a runtime verifier and {repo} was one of my test cases. It {booted clean in Xs / correctly refused: your documented path needs {abctl/kind/helm}, and my tool declines to pretend a bare command is enough}. Signed receipt attached; it verifies itself offline. Sharing because the result is genuinely about your project, not mine. Would value 60 seconds of your reaction.
48
+
49
+ ### Template C — agent-tool authors (Claude Code hooks, agent frameworks)
50
+
51
+ > Subject: A Stop-hook that makes agents hand over signed proof their work runs
52
+ >
53
+ > Hi — I wrote a hook for {tool}: when the agent claims "done," it boots the workspace under supervision and prints a signed verdict before the human reviews anything. Fails closed. One-liner config attached, receipt from a real run attached. If this fits your examples/integrations page, it's MIT — take it. If it's a bad fit, one line saying why helps me more than silence.
54
+
55
+ ### First ten targets
56
+
57
+ 1. Daniel Stenberg (curl) — has documented at length the burden of AI-generated junk reports. Template A.
58
+ 2. Seth Larson (Python security) — has written publicly about AI-generated security reports. Template A.
59
+ 3. The Airbyte team — you already have the honest-refusal receipt. Template B.
60
+ 4–6. Every other repo in your test fixtures with a real maintainer. Template B — these are pre-written by work you already did.
61
+ 7–8. Authors of the two most active Claude Code hook/plugin collections and awesome-lists (find via github.com/topics/claude-code). Template C.
62
+ 9–10. Two authors of recent posts/threads complaining about AI PR slop — search "AI generated pull requests" on HN/lobste.rs from the last month; the authors of the top two write-ups. Template A, referencing their specific post.
63
+
64
+ Ship 2 per evening for a week. Log every send + result in [`OUTREACH_LOG.md`](../OUTREACH_LOG.md) — that log becomes your next Show HN ("What happened when I sent signed proof to 10 maintainers").
65
+
66
+ ---
67
+
68
+ ## Part 3 — Permissionless channels
69
+
70
+ - **GitHub Actions Marketplace**: publish receipt-gate. A form, not a lottery. Requires: repo public ✅, v1 tag ✅, branding block in action.yml ✅. This is the single highest-leverage hour on this list.
71
+ - **Repo topics**: added to both repos (ai-agents, ci, attestation, supply-chain, claude-code, verification, github-actions, sbom, ed25519, runtime-verification).
72
+ - **Awesome-list PRs**: awesome-actions, awesome-claude-code, awesome-ai-agents. A PR is a contribution, not a promotion; new accounts are not penalized.
73
+ - **dev.to / Hashnode write-up**: "My AI agent now hands me signed receipts" — the launch-kit Show HN body, expanded, GIF embedded. New authors are not filtered; posts rank in Google for months.
74
+ - **X/Bluesky without followers**: don't broadcast — quote-reply into active AI-code-slop threads with the tamper-demo GIF. Replies ride the host thread's audience; follower count irrelevant.
75
+ - **lobste.rs**: invite-only; one of your Part 2 replies is likely to be a user. Asking a warm contact for an invite is normal there.
76
+
77
+ ---
78
+
79
+ ## Part 4 — The math
80
+
81
+ A Show HN is one lottery ticket: high variance, one draw, bouncer at the door. Ten receipt-first emails are ten independent draws at a far higher hit rate with zero gatekeeping, and every reply compounds: a user, a quote for the README, a lobste.rs invite, an issue filed by a stranger. The front page is not the start of distribution; it's the victory lap after receipts already exist in the wild.
82
+
83
+ Rule for the log: a non-reply is `absence_of_signal`, not `rejected`. Fail closed on claims, never on morale.
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "bootproof",
3
- "version": "0.4.0",
3
+ "version": "0.4.1",
4
4
  "description": "The honest run button for repos. Boots unfamiliar code when it safely can, tells the truth when it cannot, and signs proof of what happened.",
5
5
  "license": "Apache-2.0",
6
6
  "type": "module",
@@ -28,12 +28,18 @@
28
28
  "url": "git+https://github.com/bootproof/bootproof.git"
29
29
  },
30
30
  "keywords": [
31
- "devtools",
32
- "onboarding",
33
- "docker",
34
- "run",
35
31
  "attestation",
36
- "reproducibility"
32
+ "runtime-verification",
33
+ "ai-agents",
34
+ "claude-code",
35
+ "ci",
36
+ "signed",
37
+ "receipt",
38
+ "proof",
39
+ "health-check",
40
+ "supply-chain",
41
+ "provenance",
42
+ "verification"
37
43
  ],
38
44
  "engines": {
39
45
  "node": ">=20.11"