v1 · open source · AGPL-3.0

Executable bugs, not bug reports.

Capture a failing command into a portable .bug artifact anyone can replay on their machine — same code, same env, same failure.

Star on GitHub npm install -g bugproof

~/projects/api — zsh

bugproof v1

Node.jsPythonRubyGoRustJavaC / C++.NETKotlinNode.jsPythonRubyGoRustJavaC / C++.NETKotlinNode.jsPythonRubyGoRustJavaC / C++.NETKotlin

// the problem

"Works on my machine" is not a bug report.

Filing a backend or CLI bug today is screenshots, copy-pasted stack traces, probably-relevant files, and a best-guess description of how the reporter ran the thing.

Then the maintainer spends hours reconstructing the failure — matching versions, replicating env, guessing at config. Most of that time is wasted.

// the fix

Capture the bug, not the description.

One command produces a single .bug file containing the source snapshot, exact command, env schema, failure fingerprint, and replay metadata.

Another developer runs bugproof replay bug.bug and reproduces the failure deterministically.

Think of it as Git for bugs.

// features

Everything in one portable artifact.

Content-addressable, signable, replayable. Built on native OS primitives so you don't need Docker, a daemon, or root.

One-command capture

Wrap any failing command with `bugproof capture --` and ship the result as a single portable file.

Deterministic replay

Source, env schema, command, and failure fingerprint travel together. Verdict is automatic.

No Docker. No daemon.

Native OS primitives — Linux namespaces, Windows Job Objects, macOS Seatbelt.

Cryptographic signatures

Ed25519 sign/verify built in. Tamper-evident artifacts via keygen, --sign, and verify.

Self-healing replay

--self-heal auto-installs missing npm/pip deps in the sandbox and retries until it can run.

Credential redaction

Pattern-matching + Shannon entropy catch API keys, tokens, and JWTs before the artifact ships.

Multi-language

Auto-detects Node, Python, Ruby, Go, Rust, Java, C/C++, .NET, and Kotlin build context.

Cross-platform

Win ↔ Linux ↔ macOS replay with command/env translation and arch-mismatch guardrails.

// workflow

From failure to fix in one command.

Capture

$ bugproof capture -- npm test

Wraps your command. Snapshots source. Captures env. Redacts secrets. Writes a signed .bug file.

$ bugproof share bug.bug

Send the artifact in a PR, an issue, a Slack DM, or a GitHub Gist. Single file, fully self-contained.

Replay

$ bugproof replay bug.bug

Anyone replays deterministically in an isolated sandbox. Same failure or automatic verdict.

// watch it work

See BugProof in action.

demo.mp4 — bugproof

vimeo

// get started

Install in 10 seconds.

Requires Node.js 18+ and Git. Language toolchains only when your command needs them.

install

$npm install -g bugproof
$bugproof doctor
# ✓ sandbox ready · ✓ git found · ✓ signing keys ok

capture & replay

$bugproof capture -- npm test
$bugproof replay bug_2025.bug --self-heal
$bugproof verify bug_2025.bug --pubkey alice.pub

GitHub Action

Auto-capture flaky CI failures. Download the .bug from the run, replay locally.

- uses: sidinsearch/BugProof/.github/actions/bugproof-action@main
  with:
    command: 'npm test -- --run flaky-suite'
    name: flaky-test-failure

MCP Server for AI agents

Built-in MCP server. Drop into Claude Code, Cursor, or Continue.dev.

{
  "mcpServers": {
    "bugproof": {
      "command": "npx",
      "args": ["-y", "bugproof", "mcp"]
    }
  }
}

Featured on Smol Launch

Recognized as a standout tool by the Smol Launch community.

// ship it

Stop describing bugs. Start shipping them.

Open source, AGPL-3.0. Works on Linux, macOS, and Windows. Built with native OS primitives — no containers, no daemons, no excuses.

github.com/sidinsearch/BugProof npmjs.com/package/bugproof

command to capture

languages detected

containers needed

Ed25519

signatures