Plugin

signum

Name: signum
Author: heurema

Run an evidence-driven dev pipeline: turn tasks into verifiable contracts via codebase scans, implement changes with lint/test/repair loops, audit diffs using 3 independent AI models, then bundle self-contained proof packages for CI verification.

npx claudepluginhub heurema/signum

Component Overview

Commands

Agents

Component Details

Commands (13)

init

/init

Bootstrap project context (project.intent.md and project.glossary.json) from an existing codebase using deterministic scan + LLM synthesis + interactive editing. Use --harness to scaffold additional repo-level harness docs.

Init Command Redirect

/10-init-command-redirect

If the user's task is using Signum init command syntax instead of a feature request - for example:

Phase 4: PACK

/100-phase-pack

**Goal:** Bundle all artifacts into a self-contained, verifiable proof package (schema v4.8) with embedded artifact contents.

Display to the user:

If the user's task is exactly `explain` (case-insensitive), do NOT run the pipeline. Instead, output this JSON and stop:

Setup

/60-setup

Use the Bash tool to prepare the workspace (in PROJECT_ROOT):

Phase 1: CONTRACT

/70-phase-contract

**Goal:** Transform the user's request into a verifiable contract.

Phase 2: EXECUTE

/80-phase-execute

**Goal:** Implement code changes according to the contract.

signum

/00-header

Evidence-driven development pipeline with multi-model code review. Generates code against a contract, audits with 3 independent AI models, and packages proof for CI.

Error Handling

/120-error-handling

- If any phase fails catastrophically (agent error, required file missing after agent run), **STOP** immediately and report: what phase failed, what file is missing, and what the user should do next.

Archive Mode

/30-archive-mode

If the user's task starts with `archive` (case-insensitive), do NOT run the pipeline. Instead, archive a completed contract.

Close Mode

/40-close-mode

If the user's task starts with `close` (case-insensitive), do NOT run the pipeline. Instead, mark a contract as closed (abandoned, no proofpack).

Project Resolution

/50-project-resolution

Before setup, determine the correct project directory. The pipeline MUST run in the target project's root, not an unrelated session CWD.

Agents (5)

contractor

/contractor

Parses a user feature request into a structured contract.json. Scans codebase for scope signals and risk assessment. Read-only -- never writes code files, only generates contract.json.

engineer

/engineer

Implements code changes according to a contract.json specification. The ONLY agent in Signum that writes code. Includes a repair loop: generate -> check -> fix -> check (max 3 attempts).

init-synthesizer

/init-synthesizer

Synthesizes project.intent.md and project.glossary.json from deterministic scan signals. Uses ranked source hierarchy and explicit-only Non-Goals extraction. Emits per-section evidence comments and confidence annotations. Read-only — never writes files directly (presents draft for user confirmation).

reviewer-claude

/reviewer-claude

Semantic code reviewer using Claude Opus. Part of the multi-model audit panel. Analyzes diff against contract for bugs, security issues, and logic errors. Read-only -- never modifies code.

synthesizer

/synthesizer

Combines multi-model review results into a consensus verdict. Reads review outputs from Claude, Codex, and Gemini, plus mechanic report. Applies deterministic synthesis rules to produce final audit decision. Read-only -- never modifies code.

README

Signum — deterministic proof gate for agentic development

Signum

A deterministic proof gate for agentic software development.

Signum helps teams use AI coding agents more safely by turning every change into a contract-driven, auditable workflow.

Instead of trusting that an agent “probably did the right thing”, Signum asks for evidence:

What was the contract?
What changed?
Which checks passed?
What risks were found?
What artifacts prove the result?
Is this safe enough to merge?

At the end, Signum produces a proofpack: a structured evidence bundle that CI and humans can inspect.

Why Signum?

AI agents can move fast, but fast changes need reliable boundaries.

Signum adds a release-style verification layer around agentic work:

Contract-first execution — define intent, scope, and acceptance criteria before implementation.
Deterministic checks — validate what can be checked without relying on model judgment.
Policy scanning — catch risky code patterns, dependency changes, secrets, and incomplete work.
Proofpack output — package evidence into a structured artifact.
GitHub-ready CI gate — make merge decisions easier to review.

Signum is not a replacement for engineering judgment. It is a guardrail system that makes agentic changes easier to inspect, reproduce, and trust.

How it works

Signum follows a simple flow:

Contract → Execute → Audit → Pack → CI Gate

1. Contract

A change starts with a contract: the requested outcome, boundaries, risks, and acceptance criteria.

2. Execute

The implementation runs against the contract. Signum keeps the work tied to the original intent.

3. Audit

Signum runs deterministic checks and policy scans. Optional reviewer tools can add additional review signals.

4. Pack

Signum creates a proofpack: a structured evidence bundle containing the contract, diff, checks, audit summary, and decision metadata.

5. CI Gate

GitHub Actions can validate the proofpack and expose the result as a merge gate.

What Signum produces

The .signum/ directory is a structured registry/state/archive namespace; normal runs do not create root artifact files or root runtime dirs directly in the root .signum/ folder.

Normal runs do not create root runtime dirs like .signum/reviews/.
resume checks use the registry first, with root .signum/contract.json only as a legacy import signal.

A Signum run writes canonical artifacts under:

.signum/contracts/<contractId>/

Typical artifacts include:

contract.json
contract-engineer.json
contract-policy.json
combined.patch
execute_log.json
mechanic_report.json
policy_scan.json
holdout_report.json
audit_summary.json
proofpack.json

The most important output is:

proofpack.json

This is the evidence bundle used by CI and reviewers.

Quick start

Requirements

Signum expects a minimal local toolchain (>= v4.18.0):

bash
git
jq
python3

Initialize a project

Use the canonical init command:

/signum:init --harness

For Claude Code usage, install the Claude Code CLI according to your environment.

Optional reviewer tools may be used when available, but Signum keeps deterministic checks separate from model-based review.

Run local deterministic checks

bash scripts/run-deterministic-tests.sh

Run clean-room smoke

bash scripts/run-cleanroom-smoke.sh

For a deeper pre-publish check:

SIGNUM_CLEANROOM_FULL=1 bash scripts/run-cleanroom-smoke.sh

Validate a proofpack

python3 scripts/validate_proofpack.py \
  .signum/contracts/<contractId>/proofpack.json \
  --repo-root .

GitHub CI gate

Signum includes a GitHub Actions template for validating proofpacks in CI.

The CI path is intentionally deterministic:

no hidden background work;
no required external AI reviewer;
no secrets needed for deterministic tests;
pinned GitHub Actions refs;
fixed Ubuntu runner label;
clean-room smoke coverage.

The high-risk PR intake gate is intentionally strict. PRs touching sensitive paths such as workflows, scripts, command orchestration, or policy logic may require maintainer review or override.

Safety model

Signum separates three kinds of evidence.

Deterministic evidence

Checks that can run without model judgment:

proofpack validation;
policy scanner;
DSL runner validation;
artifact path guards;
command renderer parity;
clean-room smoke tests.

Model-assisted review

Optional reviewer outputs can be included when available, but they are treated as review signals, not as the only source of truth.

Human review

Large or high-risk changes still require human judgment. Signum makes that review easier by packaging the relevant evidence.

Policy scanner

View full README on GitHub

Similar Plugins

sdlc-wizard

SDLC enforcement for AI agents — TDD, planning, self-review, CI shepherd

Stats

Version4.21.0

Stars16

Forks2

MaintenanceExcellent

LicenseMIT

AddedMar 28, 2026

Actions

View on GitHub View README Plugin Marketplace JSON

Safety Signals

Caution

Uses power tools

Uses Bash, Write, or Edit tools

Help us improve

Share bugs, ideas, or general feedback.

Back to Plugins

Signum — deterministic proof gate for agentic development

Signum

A deterministic proof gate for agentic software development.

Signum helps teams use AI coding agents more safely by turning every change into a contract-driven, auditable workflow.

Instead of trusting that an agent “probably did the right thing”, Signum asks for evidence:

What was the contract?
What changed?
Which checks passed?
What risks were found?
What artifacts prove the result?
Is this safe enough to merge?

At the end, Signum produces a proofpack: a structured evidence bundle that CI and humans can inspect.

Why Signum?

AI agents can move fast, but fast changes need reliable boundaries.

Signum adds a release-style verification layer around agentic work:

Contract-first execution — define intent, scope, and acceptance criteria before implementation.
Deterministic checks — validate what can be checked without relying on model judgment.
Policy scanning — catch risky code patterns, dependency changes, secrets, and incomplete work.
Proofpack output — package evidence into a structured artifact.
GitHub-ready CI gate — make merge decisions easier to review.

Signum is not a replacement for engineering judgment. It is a guardrail system that makes agentic changes easier to inspect, reproduce, and trust.

How it works

Signum follows a simple flow:

Contract → Execute → Audit → Pack → CI Gate

1. Contract

A change starts with a contract: the requested outcome, boundaries, risks, and acceptance criteria.

2. Execute

The implementation runs against the contract. Signum keeps the work tied to the original intent.

3. Audit

Signum runs deterministic checks and policy scans. Optional reviewer tools can add additional review signals.

4. Pack

Signum creates a proofpack: a structured evidence bundle containing the contract, diff, checks, audit summary, and decision metadata.

5. CI Gate

GitHub Actions can validate the proofpack and expose the result as a merge gate.

What Signum produces

The .signum/ directory is a structured registry/state/archive namespace; normal runs do not create root artifact files or root runtime dirs directly in the root .signum/ folder.

Normal runs do not create root runtime dirs like .signum/reviews/.
resume checks use the registry first, with root .signum/contract.json only as a legacy import signal.

A Signum run writes canonical artifacts under:

.signum/contracts/<contractId>/

Typical artifacts include:

contract.json
contract-engineer.json
contract-policy.json
combined.patch
execute_log.json
mechanic_report.json
policy_scan.json
holdout_report.json
audit_summary.json
proofpack.json

The most important output is:

proofpack.json

This is the evidence bundle used by CI and reviewers.

Quick start

Requirements

Signum expects a minimal local toolchain (>= v4.18.0):

bash
git
jq
python3

Initialize a project

Use the canonical init command:

/signum:init --harness

For Claude Code usage, install the Claude Code CLI according to your environment.

Optional reviewer tools may be used when available, but Signum keeps deterministic checks separate from model-based review.

Run local deterministic checks

bash scripts/run-deterministic-tests.sh

Run clean-room smoke

bash scripts/run-cleanroom-smoke.sh

For a deeper pre-publish check:

SIGNUM_CLEANROOM_FULL=1 bash scripts/run-cleanroom-smoke.sh

Validate a proofpack

python3 scripts/validate_proofpack.py \
  .signum/contracts/<contractId>/proofpack.json \
  --repo-root .

GitHub CI gate

Signum includes a GitHub Actions template for validating proofpacks in CI.

The CI path is intentionally deterministic:

no hidden background work;
no required external AI reviewer;
no secrets needed for deterministic tests;
pinned GitHub Actions refs;
fixed Ubuntu runner label;
clean-room smoke coverage.

The high-risk PR intake gate is intentionally strict. PRs touching sensitive paths such as workflows, scripts, command orchestration, or policy logic may require maintainer review or override.

Safety model

Signum separates three kinds of evidence.

Deterministic evidence

Checks that can run without model judgment:

proofpack validation;
policy scanner;
DSL runner validation;
artifact path guards;
command renderer parity;
clean-room smoke tests.

Model-assisted review

Optional reviewer outputs can be included when available, but they are treated as review signals, not as the only source of truth.

Human review

Large or high-risk changes still require human judgment. Signum makes that review easier by packaging the relevant evidence.

signum

Component Overview

Component Details

Commands (13)

Agents (5)

README

Signum

Why Signum?

How it works

1. Contract

2. Execute

3. Audit

4. Pack

5. CI Gate

What Signum produces

Quick start

Requirements

Initialize a project

Run local deterministic checks

Run clean-room smoke

Validate a proofpack

GitHub CI gate

Safety model

Deterministic evidence

Model-assisted review

Human review

Policy scanner

Similar Plugins

sdlc-wizard

Help us improve

Help us improve

signum

Component Overview

Component Details

Commands (13)

Agents (5)

README

Signum

Why Signum?

How it works

1. Contract

2. Execute

3. Audit

4. Pack

5. CI Gate

What Signum produces

Quick start

Requirements

Initialize a project

Run local deterministic checks

Run clean-room smoke

Validate a proofpack

GitHub CI gate

Safety model

Deterministic evidence

Model-assisted review

Human review

Policy scanner

Similar Plugins

sdlc-wizard

Help us improve

pact

claude-codex

customgpt-claude-quadruple-verification

ceo-quality-controller-agent

sdlc-core