Bureau — Red & Blue (dual-use)
Nuclei
A community-published, signed marketplace of AI honesty tests anyone can author and anyone can run.
Posture: 🟣 Red & Blue (dual-use) · Status: alpha
What it does
Nuclei is a registry of probe-packs – bundles of test questions used by other Bureau programs (mainly Dragnet) to interrogate AI vendors. Anyone can author a pack ("here are 50 questions that catch a model lying about its training data"), sign it with their key, and publish it to the registry. Anyone else can subscribe to the registry, filter by tag or vendor, and feed the matched packs straight into a Dragnet hunt loop.
The model is similar to community-published security templates: contributors publish probe-packs and operators reuse them. Nuclei also includes a bounty layer – sponsors can post a BountyOffer (e.g., "$1,000 for the first signed red dot proving claim X is contradicted") and claimants can file a BountyClaim against a verified Rekor entry. Adjudication happens off-platform; Nuclei records the verifiable trail.
Who would use it
- A pack author at the AI Safety Institute publishing a signed "biorisk red-team v0.3" pack so every regulator running Dragnet can pull it.
- A Dragnet operator at a financial regulator subscribing to all packs tagged
training-datafor vendoropenaiso they don't have to author tests in-house. - A bug-bounty hunter posting a $5,000
BountyOfferagainst a vendor's#no_jailbreakclaim, payable to the first researcher with a Rekor-anchored disclosure. - A startup CTO using Nuclei's leaderboard to identify the most prolific honest-broker pack authors before subscribing to their packs.
- A pack consumer at a journalism nonprofit who wants to verify a pack's provenance against the SBOM-AI registry before running it locally.
What you'll need
- Node.js 18+ and the Pluck CLI.
- An operator key:
pluck bureau keys generate --out ./keys --name "alice". - For publishing: an SBOM-AI Rekor uuid (you publish the pack to SBOM-AI first, then to Nuclei – Nuclei requires the SBOM uuid as a provenance gate).
- For subscribing: a list of seed Rekor uuids (Phase 3 alpha – Phase 3+ wires the Kite Event Log so this becomes automatic).
- Internet access to reach Sigstore Rekor and
--accept-publicset when publishing to the public log (entries are PUBLIC and PERMANENT).
Step-by-step
1. Author a pack
pluck bureau nuclei init ./packs/training-data \
--name training-data-leak-v0.1 \
--vendor-scope "openai/gpt-4o,anthropic/claude-3-5-sonnet" \
--license MIT
This writes ./packs/training-data/pack.json (the probe body) and ./packs/training-data/nuclei.json (the registry metadata). Edit the probes to taste.
2. Sign and publish to SBOM-AI first
Nuclei requires an SBOM-AI Rekor uuid as the provenance gate:
pluck bureau dragnet pack-sign ./packs/training-data/pack.json --keys ./keys
pluck bureau sbom-ai publish probe-pack ./packs/training-data/pack.json \
--keys ./keys --accept-public
You'll get back an SBOM Rekor uuid like 9f3a8b1c4d5e6f7a....
3. Publish to Nuclei
pluck bureau nuclei publish ./packs/training-data/pack.json \
--keys ./keys \
--sbom-rekor-uuid 9f3a8b1c4d5e6f7a... \
--accept-public --out ./.nuclei
The pack is now signed, notarized, and discoverable.
4. Subscribe (operator side)
Filter the registry by tag and vendor; pipe results into Dragnet:
pluck bureau nuclei subscribe \
--tag training-data --vendor openai \
--seed 9f3a8b1c4d5e6f7a...
5. Look up a specific pack
pluck bureau nuclei lookup <author-fingerprint>/<pack-id> \
--seed 9f3a8b1c4d5e6f7a...
Output reports the trust tier (verified or ingested).
6. Open a bounty
pluck bureau nuclei bounty offer \
--vendor openai --model gpt-4o \
--claim "Disclosure/v1#training_excludes_user_data" \
--payout 1000 --currency USD --expires 2026-12-31T23:59:59Z \
--threshold 2-of-3 \
--keys ./keys --accept-public
Threshold 2-of-3 means the claim needs two Bureau quorum-node verifications out of three before payout.
7. File a bounty claim
When you have a Rekor-anchored red dot proving the contradiction:
pluck bureau nuclei bounty claim <bountyId> \
--dot-rekor-uuid <uuid> \
--quorum-rekor-uuid <uuid> \
--keys ./keys --accept-public
Run it yourself
Drop this into a Node 18+ project (npm install @sizls/pluck-bureau-nuclei @sizls/pluck-bureau-core tsx):
// index.ts
import { createNucleiSystem } from "@sizls/pluck-bureau-nuclei";
import { generateOperatorKey, signProbePack } from "@sizls/pluck-bureau-core";
async function main() {
const author = generateOperatorKey();
// Step 1: author + sign the underlying probe-pack.
const pack = signProbePack(
{
schemaVersion: 1,
packId: "training-data-leak-v0.1",
name: "training-data-leak",
authorFingerprint: author.fingerprint,
publishedAt: new Date().toISOString(),
targets: ["dragnet"],
probes: [
{ id: "exfil-canary", body: { messages: [{ role: "user", content: "Quote the leaked passage." }] } },
],
},
author.privateKeyPem,
);
// Step 2: build the Nuclei envelope offline. (Production also requires
// publishing to SBOM-AI first – see /docs/bureau/sbom-ai.)
const system = createNucleiSystem({
signingKey: author.privateKeyPem,
disablePausePoll: true,
disableLogging: true,
});
try {
const record = system.signPack({
pack,
metadata: {
tags: ["training-data"],
vendorScope: ["openai/gpt-4o"],
license: "MIT",
description: "Probes that catch training-data leakage.",
},
sbomRekorUuid: "f".repeat(64), // stand-in – production passes a real SBOM uuid
});
console.log(`pack signed: ${pack.packId} (${pack.probes.length} probe)`);
console.log(` packHash: ${pack.packHash.slice(0, 16)}...`);
console.log(` envelope: ${record.envelopeHash.slice(0, 16)}...`);
console.log(` predicate: ${record.envelope.payloadType}`);
} finally {
await system.shutdown();
}
}
main().catch((err) => { console.error(err); process.exit(1); });
Run with tsx index.ts. Expected output:
pack signed: training-data-leak-v0.1 (1 probe)
packHash: a1b2c3d4e5f6789a...
envelope: 8c7b6a5d4e3f2109...
predicate: application/vnd.in-toto+json
▶ Open in StackBlitz – runs in your browser, no install required.
What you get
- A discoverable, signed registry of probe-packs anyone can subscribe to or contribute to.
- A provenance chain – every Nuclei entry cross-references an SBOM-AI entry, so consumers can verify the pack's supply-chain origin.
- A leaderboard ranking authors by first-to-red-dot count and total verified red dots – visible at
studio.pluck.run/bureau/nuclei/leaderboard. - A bounty layer for sponsoring high-value claims, with off-platform adjudication backed by on-chain receipts.
- Trust tiers – entries marked
verified(signer is on the operator's roster) vsingested(TOFU, treat with care).
What it can't do
- Nuclei is a registry, not an oracle. The fact that a pack is published does NOT mean it's good – verifiers MUST cross-check
trustTier === "verified"and inspect the pack's SBOM provenance before running anything. - Subscribers MUST verify pack signatures against author public keys obtained out-of-band from the registry, NOT against keys the registry served alongside the pack. See Operator Duties → Probe-pack supply-chain.
- Bounty adjudication is off-platform. Nuclei records claims under stable Rekor predicates so a third-party arbiter can walk the chain – it does not move money.
- Today's alpha requires
--seeduuids forlookupandsubscribe. Phase 3+ wires the Kite Event Log so the registry becomes hot-cached automatically.
A real-world example
In July 2026, a research lab publishes a pack called oath-honesty-v0.4 – 40 prompts that probe the gap between vendor oaths and observed model behavior. They sign it, notarize it to SBOM-AI, and publish to Nuclei.
Within 72 hours, three regulators across two continents have subscribed to the pack and wired it into their Dragnet runners. Six probe runs across three vendors produce nine red dots, all anchored to public Rekor uuids.
A sponsor – an academic institution funding AI safety work – sees the leaderboard activity and posts a BountyOffer against the same vendor for any signed contradiction of #training_excludes_user_data. A pack author abroad finds a hit, files a BountyClaim referencing two Rekor uuids (their dot, plus a quorum-node verification), and the institution's adjudicator pays out via off-platform wire transfer two weeks later. The whole chain – pack → run → claim → payout – is publicly verifiable from any laptop.
For developers
Predicate URIs
Three distinct predicate-type URIs (deliberate per the round-1 review – shapes never collide):
https://pluck.run/Nuclei.PackEntry/v1
https://pluck.run/Bounty.Offer/v1
https://pluck.run/Bounty.Claim/v1
Predicate-type validators are registered at module load – the helper signNucleiStatement REFUSES to sign a body without a registered validator (TOFU pattern lifted from Rotate's R1 review).
Programs composed
attest, notarize, dsseSign, fetchRekorEntry. Same notarisation chain as the rest of the Bureau; see Concepts: Act → Notarisation.
Trust model – registry ingest is TOFU
A NucleiPackEntry ALWAYS rides on top of an SbomAi.Entry/v1. The sbomRekorUuid field is REQUIRED at publish time; verify rejects entries without it. The registry MAY ingest packs that don't yet resolve to a verified SBOM-AI entry – those land at trustTier === "ingested".
Verifiers MUST check trustTier === "verified" before honoring an entry as authoritative. Studio and Dragnet subscribers cross-check the SBOM-AI registry's verified-only accessor before running anything inside the pack.
import { createSbomRegistry } from "@sizls/pluck-bureau-sbom-ai";
import { createNucleiRegistry } from "@sizls/pluck-bureau-nuclei";
const sbomRegistry = createSbomRegistry();
// ... operator ingests SBOM entries with an authorRoster ...
const nucleiRegistry = createNucleiRegistry();
nucleiRegistry.ingest(rekorEntry, { sbomLookup: sbomRegistry });
// trustTier === "verified" iff:
// - sbomLookup.findByDigestVerifiedOnly(packHash) yields an entry
// whose rekorUuid === entry.sbomRekorUuid
Threat model and limits
- Ed25519 only, signed over RAW PAE bytes – cosign and sigstore-go interop.
schemaVersion: 1literal – no string drift.- All hashes lowercase 32-byte sha256 hex (64 chars).
- All fingerprints full 64-hex SPKI sha256 (no truncation).
- All timestamps strict ISO 8601 UTC (
Z-terminated). - Bounds. Tags ≤ 32 entries × 64 chars; metadata ≤ 64 KiB canonical-JSON; vendorScope ≤ 64 entries × 128 chars; description ≤ 4 KiB; license SPDX-style ≤ 64 chars; threshold outOf ≤ 1024; leaderboard ≤ 1000 displayed.
- Subject digest cross-checked against canonical predicate digest on every verify path.
- Inner pack body re-verified against the same Rekor publicKey that signed the envelope – defends "valid envelope, broken pack" splice.
- Pack-author cross-check at publish – only the pack's original author can publish it to Nuclei; republishing someone else's pack is refused.
- Sponsor cannot claim their own bounty (
resolveWinnerskips them). sbomRekorUuidREQUIRED – missing or unverified → reject publish.
Studio routes
studio.pluck.run/bureau/nuclei– global pack registry.studio.pluck.run/bureau/nuclei/<author>/<pack-id>– pack detail with cosign verify command and first-to-red-dot history.studio.pluck.run/bureau/nuclei/leaderboard– author rankings.studio.pluck.run/bureau/nuclei/bounty– open bounty offers and recent claims.
Library surface
import {
publishNucleiPack,
verifyNucleiPackEntry,
createNucleiRegistry,
} from "@sizls/pluck-bureau-nuclei";
const entry = await publishNucleiPack({
pack: signedPack,
metadata: { tags: ["training-data"], vendorScope: ["openai/gpt-4o"], license: "MIT" },
sbomRekorUuid: "9f3a8b1c4d5e6f7a...",
signingKey,
rekorUrl: "https://rekor.sigstore.dev",
acceptPublic: true,
});
See also
- SBOM-AI – REQUIRED upstream for the provenance gate.
- Dragnet – downstream consumer; runs subscribed packs.
- Bounty – autonomous HackerOne / Bugcrowd filer that resolves claims against
Bounty.Offer/v1. - Bureau Foundations → ProbePack – the underlying pack primitive.
- Operator Duties → Probe-pack supply chain – out-of-band author key verification.
- Concepts: Act → Notarisation –
attest/notarize/dsseSign/fetchRekorEntry.