id: claim-ledger-security title: Claim-Ledger Security Triage category: engineering primitive: /goal use_when: A scanner dumped a pile of findings and you want only the ones backed by a runnable repro. verify: Every accepted finding has a PoC that fails before the patch and passes after; an independent verifier re-ran each. tags: [security, maker-checker, executable-evidence] example: ../../../examples/3-claim-ledger-security/artifacts.md
Claim-Ledger Security Triage
Prove-or-dismiss each scanner finding with executable evidence; no finding ships without a runnable repro. Primitive:
/goal· Category:engineering
Defensive / teaching use only. Run PoCs in a local sandbox; never against systems you do not own.
Use when
A scanner reports many "criticals" and you suspect most are false positives. You want a ledger that separates reproduced issues from noise, with evidence for each.
Prompt
Goal: Prove or dismiss every scanner finding on <target> with executable evidence.
Context: The scanner output; a local sandbox of <target>; the patch branch.
Constraints: Defensive only, local sandbox. No finding is "real" without a runnable PoC.
Done-when: Every finding is reproduced (PoC red->green on patch), dismissed, or escalated.
Evidence: A findings ledger + a repro/ folder; an independent verifier re-ran each PoC.
If-blocked: If a PoC cannot be made reliably red, mark the finding dismissed with a reason.
Verify
An independent verifier (not the agent that wrote the PoC) re-runs each repro against the patch: reproduced findings go red-before / green-after; dismissed findings carry a falsifiable reason.
Steps
- Triage each finding into the ledger.
- For candidates, build a sandbox PoC that reliably reproduces the issue.
- Patch, re-run via an independent verifier, and record the verdict.
Notes
In the worked example, 23 raw findings resolved to 9 reproduced / 11 dismissed / 3 escalated — the loop proved 11 were false positives. See claim-ledger security fix.