Bureau — Overview
Pluck Bureau
Pluck Bureau is a public cryptographic ledger of attested observations – 51 programs that capture signals from the real world, sign them, and publish them to a tamper-evident log.
How Bureau is organized
Programs are categorized by who runs them:
- 🔴 Red Team (offensive) – 7 programs that actively probe, expose, or extract. Used by journalists, bug-bounty hunters, civil-society researchers, and AI vendor compliance teams testing their own models.
- 🔵 Blue Team (defensive) – 32 programs that monitor, detect, and respond. Used by election-integrity volunteers, datacenter operators, hospital IT, court systems, and anyone defending a real-world signal from being lied about.
- 🟣 Red & Blue (dual-use) – 9 programs that flip depending on who runs them (recover keystrokes from thermal selfies if you're red team; sign your SCIF's thermal baseline if you're blue team).
Pick a category in the sidebar to browse just that side, or skip down to "Browse the programs" for the full per-domain directory.
The problem
Many real-world claims are difficult to verify after the fact. An AI vendor may change a model without disclosing it. A cell tower at a protest may capture IMSI identifiers and then disappear before it can be characterized. A drug company may quietly remove a patient record from a clinical trial. A cloud provider may sell "EU-sovereign" compute that runs in Virginia. A warehouse robot may injure a worker, and the manufacturer's account of events comes from logs the manufacturer controls.
The common thread is asymmetric evidence: one party makes a claim, and the other party has no independent record to dispute it. Pluck Bureau provides a shared toolset for capturing those records – a public cryptographic log of attested observations across the signals a phone, sensor, or RF radio can capture.
What it is
Pluck Bureau is 51 programs that share the same shape: an operator captures observations from the real world, signs them cryptographically with their own key, and publishes the signed bundle to Sigstore Rekor – the same public log used to sign open-source software. Once published, the entry is append-only and cannot be retracted. Anyone can verify a Bureau cassette offline with cosign verify-blob.
Bureau began as a set of programs for AI-vendor accountability (Dragnet, Mole, Oath). It now covers cell towers (Stingray), WiFi (Karma), GPS (Celeste), satellites (Cosmos), drones (Icarus), automotive systems (Ignition), industrial control systems (Turbine), smart grids (Meridian), robotaxis (Embodied-Ledger), pharmaceutical supply chains (Counterfeit-Kill), clinical trials (Trial-Seal), election precincts (Election-Day-Watch), and 30 more. The shared design principle is that any claim worth disputing should leave a cryptographic record.
Who uses Pluck Bureau
Bureau is built for operators who need independent, verifiable evidence.
- A journalist at ProPublica gathering observations for a story about an AI vendor swapping models mid-quarter without disclosing the change.
- An election-integrity volunteer walking a contested precinct on the morning of November 3, 2026, capturing a signed dossier of every machine, RF anomaly, and chain-of-custody handoff.
- A small utility in Iowa filing NERC-CIP compliance with cryptographic SCADA observations alongside the standard PDF.
- A used-car buyer in Atlanta scanning the VIN of a 2019 Honda Civic to verify the odometer has not been rolled back and the airbag ECU has not been swapped.
- An attendee at a public event running a passive Stingray witness on their phone so any rogue tower is captured with a co-signed proof.
- A pharmacist verifying that an Ozempic pen received from a wholesaler matches the manufacturer's signed lot record.
- An EU AI Act regulator running automated compliance audits – vendors demonstrate conformance via zero-knowledge proofs and Dragnet performs continuous drift checks.
Bureau is intended for situations where one institution owns the primary logs and an independent record is needed.
How it's organized
The 51 programs split into seven domain groups plus a composite-dossier track:
- AI Vendor Honesty (14 programs) – Dragnet, Tripwire, Oath, Fingerprint, Nuclei, SBOM-AI, Rotate, Mole, Whistle, Bounty, Custody, Refuse, AVAP, Acoustic-Scribe.
- RF Substrate (5) – Raven and four programs that ride it: Stingray (IMSI catchers), Karma (WiFi evil twins), Celeste (GPS spoofing), Cosmos (satellite ghost ships and ghost flights).
- Cyberphysical (8) – Knob (Bluetooth), Icarus (drones), Ignition (cars), Turbine (industrial control), Meridian (smart grid), Embodied-Ledger (robots and AVs), Sigil (RFID/NFC), Hive (IoT pairings).
- Side-channel and Physical Model Identity (5) – Power-Ledger, Tempest-Witness, Ember, Thermal-Afterglow, Magneto-Air.
- Social, Cognitive, and Civic (6) – Press-Pipe, Coordinated, Evidence-Locker, Counterfeit-Kill, Market-Honest, Trial-Seal.
- Distributed Trust (3) – Citizen-Ledger, Gossip, Policy-Auction.
- Moonshots, research-grade (6) – QKD-Witness, LiDAR-Whisper, Neuro-Consent, Cosmic-Drift, Graviton-Ghost, Cherenkov-Witness.
- Composite Dossiers (1) – Election-Day-Watch (the first meta-dossier – composes 7 programs into a single court-admissible cassette per precinct per election day).
Full directory with one-line descriptions and links is at the bottom of this page.
Getting started
```bash
# Install
npm install -g @sizls/pluck-cli

# Generate an operator key (atomic write, 0700 dir, 0600 private key)
pluck bureau keys generate --out ~/.pluck/keys

# Try a program – no hardware needed for in-memory demos
pluck bureau dragnet --help
pluck bureau stingray demo
pluck bureau election-day-watch demo

# List all 51 programs
pluck bureau --help
```
After the demo runs, look at the output JSON – that's the cassette format every other Bureau program produces. Verify it offline with no Pluck server, no API key, no account:
```bash
pluck bureau verify <bundle-dir>
```
That's the whole loop: capture, sign, verify. Every program in the Bureau is some variation on those three steps.
What makes Bureau different
- Cryptographic, not server-trusted. Every observation is verifiable offline by anyone with cosign. No Pluck server is in the trust path. If pluck.run disappears tomorrow, every signed cassette ever published still verifies.
- Composes existing programs. New dossiers are built by combining existing programs rather than introducing new envelope formats. Election-Day-Watch composes seven other programs into a single per-precinct dossier.
- Sigstore-compatible. Every signature is PureEdDSA over the canonical-JSON digest – the wire shape cosign, sigstore-go, and sigstore-python already expect. No vendor lock-in, no bespoke tooling.
- Honest about limits. Every program documents what it can't do as prominently as what it can. The threat model is published. The kill-switch is published. The failure modes are published.
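The "PureEdDSA over the canonical-JSON digest" step, sketched as an added example that is not Pluck's own code or cassette format. The observation fields, the SHA-256 digest and the simplified sorted-key canonicalization are assumptions made for illustration; it shows why key order does not affect verification while any post-signing change does.

```javascript
// Added example, not Pluck's code. Field names, SHA-256 and the sorted-key
// canonicalization below are assumptions for illustration.
const { createHash, generateKeyPairSync, sign, verify } = require("node:crypto");

// Deterministic JSON: object keys sorted recursively, no whitespace.
// Simplified: a full canonicalizer (e.g. RFC 8785 JCS) also pins number formatting.
function canonicalize(value) {
  if (Array.isArray(value)) return "[" + value.map(canonicalize).join(",") + "]";
  if (value !== null && typeof value === "object") {
    return "{" + Object.keys(value).sort()
      .map((k) => JSON.stringify(k) + ":" + canonicalize(value[k]))
      .join(",") + "}";
  }
  return JSON.stringify(value);
}

function digestOf(observation) {
  return createHash("sha256").update(canonicalize(observation), "utf8").digest();
}

// PureEdDSA: Ed25519 signs the digest bytes directly (algorithm argument is null).
function signObservation(observation, privateKey) {
  const signature = sign(null, digestOf(observation), privateKey).toString("base64");
  return { observation, signature };
}

// Offline check: needs only the bundle and the operator's public key.
function verifyBundle(bundle, publicKey) {
  const sig = Buffer.from(bundle.signature, "base64");
  return verify(null, digestOf(bundle.observation), publicKey, sig);
}

// Constructed sample observation and a throwaway operator key.
const { publicKey, privateKey } = generateKeyPairSync("ed25519");
const bundle = signObservation(
  { program: "example", observedAt: "2026-01-01T00:00:00Z", reading: { cellId: 4242, rssi: -71 } },
  privateKey
);

// Same content, different key order: the canonical form is unchanged.
const reordered = { ...bundle, observation: {
  reading: { rssi: -71, cellId: 4242 }, observedAt: "2026-01-01T00:00:00Z", program: "example" } };
// One field altered after signing: verification must fail.
const tampered = { ...bundle, observation: {
  ...bundle.observation, reading: { cellId: 4243, rssi: -71 } } };

console.log(verifyBundle(bundle, publicKey), verifyBundle(reordered, publicKey),
  verifyBundle(tampered, publicKey));
```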
Browse the programs
AI Vendor Honesty
The 14 programs that started the Bureau. Each turns a vendor commitment, a model release, or a developer-side observation into a Rekor-anchored predicate.
- Dragnet – Scheduled probe-pack execution against a target AI vendor. Each contradiction is published to Rekor.
- Tripwire – JS-layer interceptor that attests every outbound LLM request locally.
- Oath – Vendor-hosted commitment endpoint at /.well-known/pluck-oath.json. Other programs verify claims against it.
- Fingerprint – Active model-swap detection with signed before-and-after cassettes.
- Nuclei – Signed probe-pack registry; community-authored templates for AI compliance testing.
- SBOM-AI – Sigstore-anchored AI supply-chain registry for model cards, MCP servers, and probe-packs.
- Rotate – Signing-key compromise response with re-witness ledger.
- Mole – Adversarial training-data extraction probes for detecting memorization of copyrighted content.
- Whistle – Anonymous AI-whistleblower intake routed to ProPublica, Bellingcat, 404Media, and EFF Press.
- Bounty – Automated HackerOne/Bugcrowd filer. Converts Dragnet observations into signed report packets.
- Custody – Browser-extension chain-of-custody for AI conversations with WebAuthn-bound captures.
- Refuse – Personal do-not-train attestation. Sign a canary; prove training-set inclusion when it leaks.
- AVAP – AI Vulnerability Auction Protocol. Vendors stake to delay disclosure; civil society stakes to release.
- Acoustic-Scribe – Keystroke and coil-whine workload recovery with attested capture.
RF Substrate
The wireless transparency layer. Raven is the substrate every other RF program rides on.
- Raven – Passive RF spectrum chain-of-custody. The substrate underlying every Bureau RF program.
- Stingray – IMSI-catcher and rogue-base-station detector. Real towers remain consistent across observers; Stingrays equivocate.
- Karma – WiFi beacon attestation and evil-twin contradiction observatory.
- Celeste – GPS/GNSS spoof and time-source tamper attestor.
- Cosmos – Satellite ACARS/AIS/Iridium/Inmarsat physical-fingerprint vs. identity ledger.
Cyberphysical
Anchors commands, calibrations, and physical-layer fingerprints across the systems that move atoms.
- Knob – Bluetooth pairing-integrity attestor (BLE plus Classic).
- Icarus – Drone command-and-control authentication ledger.
- Ignition – Automotive CAN/UDS/ECU integrity Bureau.
- Turbine – SCADA/Modbus/OPC-UA/DNP3/BACnet command attestor for utilities, water, pharma.
- Meridian – Smart-meter, smart-grid, and PMU integrity Bureau.
- Embodied-Ledger – Robot, AV, and drone motor-command and sensor-frame attestation.
- Sigil – RFID/NFC tag-cloning and EMV replay observatory.
- Hive – LoRaWAN/Zigbee/Z-Wave/Thread/Matter pairing forensics.
Side-channel and Physical Model Identity
These programs fingerprint a running workload from outside the host using physical side-channels independent of the API layer.
- Power-Ledger – DPA-style power side-channel attestation.
- Tempest-Witness – EM-emanation AI workload fingerprinting from RTL-SDR/HackRF captures.
- Ember – Multi-modal EM, power, thermal, and acoustic side-channel attestor for AI inference.
- Thermal-Afterglow – IR-camera attestation of recently-pressed keys and server-room thermal anomalies.
- Magneto-Air – Air-gap covert-channel detection from GMR sensors and smartphone magnetometers.
Social, Cognitive, and Civic
Bureau-grade chain-of-custody for journalism, elections, courts, supply chains, markets, and clinical trials.
- Press-Pipe – Auto-press-kit and ProPublica/Bellingcat handoff with signed citation graph.
- Coordinated – Cross-platform coordinated-inauthentic-behavior observatory.
- Evidence-Locker – Court-admissible deepfake detection and expert-witness AI disclosure.
- Counterfeit-Kill – Physical-object Fingerprint for pharma, luxury goods, and conflict minerals.
- Market-Honest – Algorithmic-trade attestation and market-maker Dragnet.
- Trial-Seal – Clinical-trial data integrity and FDA submission custody.
Distributed Trust
Extends Pluck from a single-operator tool into a peer-to-peer mesh. The mesh removes any reliance on Pluck Inc. as a trust anchor.
- Citizen-Ledger – Self-sovereign personal record chain where the individual is the cryptographic root and institutions countersign.
- Gossip – Operator-to-operator signed observation peering with Sybil-resistant co-signing.
- Policy-Auction – Zero-knowledge policy-compliance markets for regulators and vendors.
Moonshots, research-grade
Six programs that depend on specialized hardware, novel physical models, or research-grade tooling.
- QKD-Witness – BB84 QKD attestation and post-quantum migration ledger.
- LiDAR-Whisper – Remote keystroke and speech recovery from window vibrations via consumer LIDAR.
- Neuro-Consent – BCI command and visual-stimulus prompt-injection attestation.
- Cosmic-Drift – Cosmic-ray bitflip detection as supply-chain attestation.
- Cherenkov-Witness – Datacenter neutron flux as tamper-evident location fingerprint.
- Graviton-Ghost – Gravitational-wave detector co-incidence as cosmic timestamp ground truth.
Composite Dossiers
The first meta-dossier track – programs that compose other programs into a single court-admissible bundle.
- Election-Day-Watch – Composes 7 programs (Stingray, Karma, Celeste, Custody, Coordinated, Evidence-Locker, Press-Pipe) into a single signed cassette per precinct per election day.
See also
- Bureau Foundations – the dossier shape, the Merkle math, the predicate URI registry.
- Threat Model – what attacks Bureau catches, what it doesn't, and the kill-switch.
- Operator Duties – what you signed up for as an operator. Read before you generate a key.
- Verify – the journalist sixty-second pluck bureau verify walkthrough for every bundle kind.
- Concepts – the underlying Pluck verb modules every Bureau program composes.