Ultrasafe
Several AI helpers find weak spots before release, fix-and-retry at least three rounds until clean.
Pre-release simulated penetration testing discipline. 8-agent fan-out + ≥3 iteration AND-gate + 3-layer synthesis. Advisory-only v0.1 → blocking v0.2.
Pre-release security attestation discipline distilled from 17-axis cross-domain synthesis. 3-backbone architecture + Hyperbrief routing + Greatpractice promotion + Schneier asymmetry normative grounding.
The problem Ultrasafe solves
What Ultrasafe is
Overview
Outside users finding security problems first is the worst case. AI helpers acting as different kinds of attackers in parallel change the math.
8-agent parallel fan-out + Synthesizer with BFT quorum + 3-layer report + ≥3 iteration AND-gate + advisory→blocking transition.
Pre-release security attestation discipline distilled from 17-axis cross-domain synthesis. 3-backbone (parallel fan-out + retire-barrier synthesis + AND-gate iteration) architecture. Tier A critic patches absorbed. Advisory→blocking transition. Schneier asymmetry normative grounding.
The core idea
Central thesis
Don't hope no one finds the weak spots. Have several AI helpers actively look, fix, repeat until two rounds in a row find nothing new.
Attestation by simulated attack. Schneier asymmetry → finite parallelizable workload. 8 agents × axis × ≥3 iterations.
Representational substitution from single-path verification to multi-path attestation. Schneier asymmetry tractability via finite parallel fan-out. AND-gate falsifiability anchor. 17-axis research minimizes single-domain dependency.
What's in the v0.1.0 cut
v0.1.0 first cut scope
v0.1.0 release artefacts
First release ships the design and the plan, not the working machinery yet. The working parts come in version 0.2, once the false-alarm rate has been measured.
v0.1.0 scope: full spec (2544 lines) + plugin manifest. v0.2+ deferred: runtime/schemas/skills/hooks/mcp. Advisory-only by design until FP baseline measured.
v0.1.0 = full spec + plugin manifest. Runtime deferred to v0.2+ per Tier A patch #5 (strict-mode reconciliation requires FP baseline). §13 adoption threshold defines spec-only adoption gate.
When Ultrasafe helps you
How to invoke Ultrasafe
Invocation surfaces + tier mapping
Four common moments when Ultrasafe helps. AI helpers do the looking for you.
Activates via PreToolUse hook on release events or manual /ultrasafe skill. 4 scenarios covering tier × scope matrix.
§10 trigger taxonomy: PreToolUse hook matchers (7 release surfaces) + /ultrasafe explicit invocation. 4 scenarios = representative cross-section of tier × scope matrix.
Quick safety check for a small fix
Tier 1 patch release safety check
Tier 1 patch-scope attestation (lightweight fan-out)
When
You're about to put out a small fix. Only a little bit of the code changed, and the previous version was already safe.
Right before a patch release (semver Z bump, hotfix, or quick critical patch). Narrow diff, tight schedule, stable prior release, small change footprint.
Tier 1 patch-scope: minimal blast radius, no public surface change. FP-baseline-establishment tier under v0.1.x advisory per §13.5.
What happens
How to activate
Activation + execution profile
- When you say 'release this version', Ultrasafe starts on its own.
- 3 or 4 AI helpers look at the new code at the same time, checking it from different angles.
- They repeat 3 to 5 rounds. In each round they cover at least half of the changed code.
- If two rounds in a row find nothing new and everything is improving, the release is OK to go out.
- A short report is saved for you to look at if you want.
- Tag your patch branch: git tag v2.5.41-patch1 && git push --tags.
- The PreToolUse hook auto-fires on git push --tags, or invoke explicitly: /ultrasafe --tier=1.
- Tier 1 dispatches 3-4 agents in parallel, weighted toward static analysis (SAST + linting + dep-advisory scan).
- Iteration loop: min 3, max 5. Per-iteration coverage ≥50% over the diff scope; skipped equivalence classes recorded in untested_classes[].
- Clean-signal AND gate: regression-free + monotonic + coverage + 2 consecutive clean iterations. Pass → release proceeds (v0.1 advisory).
- Output: OSCAL Assessment Result + Hyperbrief IR card written to reports/ultrasafe-iterations/v2.5.41-patch1/iter-N/.
- Trigger: git tag / git push --tags matcher (§10.2 row 1) with semver Z-bump detection, OR explicit /ultrasafe --tier=1.
- Fan-out: n=3-4 of the 8-agent roster per §3 Tier 1 row. Skipped axes recorded in untested_axes[].
- §6.2 AND-gate Tier 1 thresholds: regression_check ∧ EWMA monotone ∧ coverage ≥ 0.5 ∧ consec ≥ 2. Min 3, max 5; budget exhausted → Hyperbrief offers release_with_risk vs defer.
- v0.1.x advisory: stderr + IR write, no non-zero exit on gate fail, so the push still goes through. v0.2.x blocking gated on the §13.5 FP baseline.
- Artefacts: reports/ultrasafe-iterations/<tag>/iter-{1..N}/ containing OSCAL + Hyperbrief IR + optional §9 Greatpractice micro-rule.
Takes about 5 to 10 minutes. The AI usage cost is very small (about a dollar or two).
Expected wall-clock: 5-10 min. Token cost: ~$1-2 per run.
Wall-clock: p50 5-10 min / p95 15 min. Token cost ~$1-2/cycle (Sonnet-class + IR+OSCAL overhead).
Full check for a big new version
Tier 3 major release full fan-out
Tier 3 major-release full-axis attestation + signed evidence chain
When
You're about to release a big new version to a lot of users. The change list is long, or you need to give your users a written safety promise.
Right before a major release. Breaks backward compat, new public API, long changelog, Tier 3, compliance attestation needed, or RC round.
Tier 3: semver X / breaking / API expansion / compliance attestation / RC cycle. Max blast radius, strictest §6.2 thresholds, full 8-agent fan-out, signed evidence chain mandatory.
What happens
How to activate
Activation + execution profile
- When you say 'release this big version', Ultrasafe starts on its own.
- All 8 AI helpers look at the new version at the same time. Each one is a different kind of attacker.
- They repeat at least 5 rounds (up to 10). They have to cover 90% or more of the code, and at least half of the findings have to be confirmed by a second helper working from a different angle.
- If two rounds in a row find nothing new, the release gets a sealed safety certificate that you can share with your users.
- Ultrasafe also writes down what it learned, so you can turn the lessons into permanent rules later.
- Explicit: /ultrasafe --tier=3. Or the PreToolUse hook on gh release create vX.Y.Z with a semver X-bump.
- Full 8-agent fan-out (AI/LLM + Web/API + Supply + Crypto + Social + Method/Comp + TM/Lifecycle + Synthesizer). §4 Finding contract + Synthesizer cross-axis correlation + BFT 2f+1 quorum.
- Tier 3: min 5, max 10 iterations. Coverage ≥90%. Cross-axis confirmation ≥0.5. Agent diversity ≥50% on 3 dimensions.
- Strict AND gate: regression-free (3-component) + EWMA monotone + coverage met + 2 consecutive clean iterations with ≥50% diversity.
- Pass → OSCAL signed (cosign + Rekor inclusion proof + Sigstore TSA). Attestation: e.g. 'coverage 90% under OWASP LLM Top 10 v2025.11 + MITRE ATT&CK v15 as of 2026-06-06'.
- 3-level Greatpractice tree (macro/mezzo/micro) auto-drafted for human curation.
- Trigger: §10.2 rows 2-5 matchers (gh release / npm publish X-bump / helm push / docker push :latest) auto-dispatch Tier 3; or explicit /ultrasafe --tier=3. Optional --compliance-profile pre-loads a control mapping.
- Full §3 Tier 3 roster mandatory: all 8 agents (AI/LLM + Web/API + Supply + Crypto + Social + Method/Comp + TM/Lifecycle + Synthesizer) + GTA + DSP cross-cutting on the Synthesizer.
- §6.2 strict AND gate: regression_check (3-component) ∧ EWMA monotone ∧ coverage ≥ 0.9 ∧ consec ≥ 2 ∧ diversity ≥ 0.5 on 3 dims. Min 5, max 10; exhausted → Hyperbrief escalate-forced.
- Pass: OSCAL signed via Sigstore keyless OIDC (cosign attest), Rekor v2 inclusion proof, RFC 3161 TSA timestamp. Concrete: coverage=0.92, axes={...}, iter=7, diversity=0.62. MUST enumerate untested_classes[] + untested_axes[].
- §9 Greatpractice 3-level candidate (macro/mezzo/micro) with promotion-readiness scoring. macro requires a human; micro is auto-merge eligible per the §9.4 sniff-test.
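The clean-signal AND gate described for the Tier 1 patch check above and for the Tier 3 release here, as an added worked example in Python. This is not Ultrasafe's own code: the Iteration field names, the EWMA smoothing factor, evaluating the per-iteration conditions over the last two iterations only, and the verdict strings are assumptions made for illustration; the thresholds (coverage 0.5 vs 0.9, diversity 0.5, min/max iterations, the exhaust options) are the ones the page states.

```python
# Added example, not Ultrasafe's own code: the §6.2 clean-signal AND gate as the
# page describes it for Tier 1 and Tier 3. Field names on Iteration, the EWMA
# smoothing factor, and evaluating the per-iteration conditions over the last
# `consec` iterations are assumptions made here for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Tier:
    name: str
    min_iter: int
    max_iter: int
    min_coverage: float    # per-iteration coverage over the scope (diff, or full surface)
    min_diversity: float   # agent diversity required on the clean iterations; 0 = not checked
    exhaust_option: str    # Hyperbrief option when the budget runs out without a clean signal
    consec: int = 2        # consecutive clean iterations required


TIER1 = Tier("tier1", 3, 5, 0.5, 0.0, "release_with_risk_vs_defer")
TIER3 = Tier("tier3", 5, 10, 0.9, 0.5, "escalate_forced")


@dataclass(frozen=True)
class Iteration:
    new_findings: int        # findings first seen in this iteration
    coverage: float          # fraction of in-scope equivalence classes exercised
    regression_ok: bool      # §6.2(a) 3-component regression check passed
    diversity: float = 1.0   # assumed metric: fraction of roster differing from the prior iteration


def ewma(values, alpha=0.5):
    """Exponentially weighted moving average series (alpha is an assumption)."""
    out, s = [], None
    for v in values:
        s = v if s is None else alpha * v + (1 - alpha) * s
        out.append(s)
    return out


def evaluate_gate(tier, iters):
    """Evaluate the AND gate over the iterations so far.

    Returns (verdict, failed_conditions) where verdict is "pass", "continue"
    or "budget_exhausted:<hyperbrief option>".
    """
    n = len(iters)
    if n > tier.max_iter:
        raise ValueError(f"{tier.name}: {n} iterations exceeds max {tier.max_iter}")
    failed = []
    tail = iters[-tier.consec:]
    if not all(it.regression_ok for it in tail):
        failed.append("regression_check")
    series = ewma([it.new_findings for it in iters])
    if any(later > earlier + 1e-9 for earlier, later in zip(series, series[1:])):
        failed.append("ewma_monotone")       # new findings trending up: fixes are opening holes
    if any(it.coverage < tier.min_coverage for it in tail):
        failed.append("coverage")
    if n < tier.consec or any(it.new_findings != 0 for it in tail):
        failed.append("consec")              # need `consec` clean iterations in a row
    if tier.min_diversity and any(it.diversity < tier.min_diversity for it in tail):
        failed.append("diversity")           # the same agents agreeing twice is not a clean signal
    if n < tier.min_iter:
        failed.append("min_iter")
    if not failed:
        return "pass", []
    if n >= tier.max_iter:
        return f"budget_exhausted:{tier.exhaust_option}", failed
    return "continue", failed


def run_loop(tier, iters):
    """Feed iterations one at a time, as the loop would, stopping at the first non-continue verdict."""
    verdict, failed = "continue", []
    for n in range(1, len(iters) + 1):
        verdict, failed = evaluate_gate(tier, iters[:n])
        if verdict != "continue":
            return verdict, failed, n
    return verdict, failed, len(iters)


# Constructed runs for illustration.
RUN_A = [Iteration(4, 0.60, True), Iteration(1, 0.55, True),
         Iteration(0, 0.70, True), Iteration(0, 0.65, True)]             # Tier 1: clean at iteration 4
RUN_B = [Iteration(2, 0.6, True), Iteration(0, 0.6, True), Iteration(1, 0.6, True),
         Iteration(0, 0.6, True), Iteration(1, 0.6, True)]              # oscillates, exhausts the Tier 1 budget
RUN_C = [Iteration(f, 0.92, True, 0.62) for f in (3, 2, 1, 1, 1, 0, 0)]  # Tier 3: clean at iteration 7

if __name__ == "__main__":
    for tier, run in ((TIER1, RUN_A), (TIER1, RUN_B), (TIER3, RUN_C), (TIER3, RUN_A)):
        print(tier.name, run_loop(tier, run))
```

RUN_B is the case the EWMA term exists for: findings bounce 2, 0, 1, 0, 1, so there is never a two-iteration clean window and the smoothed count turns upward at iteration 5, which is exactly the "fixes are opening new holes" signal that should end up in a Hyperbrief card rather than in a release. RUN_A passes Tier 1 but not Tier 3, because 70% coverage is below the 0.9 bar and four iterations is below the Tier 3 minimum.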
Takes 45 to 90 minutes. AI usage cost is bigger here (about $40-60) — all 8 helpers run for several rounds.
Expected wall-clock: 45-90 min. Token cost: ~$40-60 per run (8 agents × 5-10 iters).
Wall-clock: p50 45-90 min / p95 2-3 hr. Token ~$40-60/cycle ($60-90 if the Synthesizer runs on an Opus-class model). OIDC + Rekor + TSA signing adds ~30-60 s. Budget assumes an escalation rate <0.1.
Safety check for an outside-part change
Supply-chain axis focused scan
Supply-chain axis targeted scan (SBOM delta + maintainer + reproducibility)
When
You're about to use a new outside part in your project, or change to a different version of one you already use. You want to make sure it's real and safe before bringing it in.
Bumping a transitive-critical dep or adding a new one. SBOM delta, typosquatting risk, maintainer anomaly, reproducible-build verify, Sigstore attestation check needed.
Single-axis targeted scan on SBOM delta. Scope: dep graph delta + transitive closure k-hop (default 3). Distinct from full-tier release scan.
What happens
How to activate
Activation + execution profile
- You change your project to use the new outside part.
- An AI helper specialized in outside parts checks five things at once, such as 'is this the real build?' and 'is the maker acting strangely?'
- Two other helpers (encryption + web) double-check the answers.
- Clearly fake or tampered (bad signature, no build provenance, or a known exact-match vulnerability) → blocked right away if you opted into strict mode, otherwise a warning. Maker just looks a little odd → a human reviews. The system never blocks a maker by itself.
- A small lesson is saved, like 'always check the part-name spelling before installing'.
- Update your dep manifest (package.json / go.mod / Cargo.toml / requirements.txt / Gemfile) to the new pin.
- Targeted invocation: /ultrasafe --axis=supply-chain. Or the PreToolUse hook fires on a dep-manifest push.
- SCS runs 5 parallel checks: build tampering · maintainer compromise · typosquatting · transitive path · reproducibility. Emits PURL + attestation chain + maintainer_anomaly_flag.
- Cross-axis: Crypto verifies the Sigstore signature; Web/API queries OSV/GHSA. Maintainer anomaly → human (§2.1.3); the system never autonomously blocks a maintainer.
- Auto-block on cosign mismatch / SLSA L0 / OSV CVE exact match IFF signature-based + FP<1% + fully reversible. Else → Hyperbrief.
- Iterations: 3 fixed (scan / SBOM rebuild / supply-chain regression). Coverage ≥75% of the 5 SCS classes; skips with reason in untested_classes[].
- Output: Greatpractice micro-rule candidate. Artefacts at reports/ultrasafe-iterations/pkg:npm/foo@v2-upgrade-2026-06-06/iter-{1..3}/.
- Trigger: Stop hook on dep-manifest write (7 manifest types) OR /ultrasafe --axis=supply-chain [--depth=k]. §10.3 modify-surface trigger (distinct from the §10.2 release surface).
- SCS primary + Crypto + Web/API auxiliary (n=3). SCS internal 5 sub-checks in parallel: SLSA verify · OSSF + GH event anomaly · Levenshtein + visual-confusable match against the top-100 · k-hop BFS with malicious-path scoring · deterministic-rebuild diff.
- SCS per-pkg schema: {purl, attestation_chain[], maintainer_anomaly_flag, slsa_level, sigstore_inclusion_proof, transitive_path_score, reproducibility_delta}. §5.2 retire-barrier cross-axis matrix.
- Auto-block (§7.3 v0.1.x supply-chain opt-in strict): {cosign_mismatch ∨ SLSA L0 ∨ OSV CVE exact} ∧ signature-derived ∧ FP<0.01 ∧ reversible. Maintainer anomaly excluded per the §2.1.3 invariant.
- 3 iterations fixed (scan + delta / SBOM rebuild with hermetic build / regression against the §6.5 oscillation registry). Coverage ≥0.75. untested_classes[] MUST cite the §6.3 reason taxonomy.
- Artefacts: §9 micro-rule (pre-install spell-check / hermetic-build invariant / k-hop transitive audit). Path: reports/ultrasafe-iterations/pkg:npm/.../iter-{1..3}/ with OSCAL + IR.
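Two of the pieces above, as an added worked example in Python rather than code from the Ultrasafe spec: the typosquatting sub-check (edit distance plus visual-confusable folding against a popular-name list) and the §7.3 auto-block decision over an SCS per-package record. The record fields are the ones in the schema quoted above; the two extra inputs cosign_verified and osv_exact_matches, the per-signal false-positive table, the transposition-aware edit distance, the popular-name list and the confusable map are all assumptions made here.

```python
# Added example, not Ultrasafe's own code: the supply-chain axis' typosquatting
# sub-check and the §7.3 auto-block decision over an SCS per-package record.
# The record fields follow the schema quoted on the page; `cosign_verified` and
# `osv_exact_matches` as inputs, the per-signal FP table, the popular-name list
# and the confusable map are constructed assumptions.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ScsRecord:
    purl: str
    attestation_chain: list = field(default_factory=list)
    maintainer_anomaly_flag: bool = False
    slsa_level: int = 0
    sigstore_inclusion_proof: Optional[str] = None
    transitive_path_score: float = 0.0
    reproducibility_delta: Optional[int] = None
    cosign_verified: bool = True                           # assumed: Crypto axis result
    osv_exact_matches: list = field(default_factory=list)  # assumed: Web/API axis exact PURL+version hits


# Assumed measured false-positive rate per blockable signal; the page only fixes
# the FP<0.01 bar, so the numbers here are illustrative.
SIGNAL_FP = {"cosign_mismatch": 0.0, "slsa_l0": 0.0, "osv_cve_exact": 0.005}


def auto_block_decision(rec, strict_opt_in=True, reversible=True):
    """Return ("block", signals) or ("hyperbrief", signals) for one package record."""
    signals = []
    if not rec.cosign_verified:
        signals.append("cosign_mismatch")
    if rec.slsa_level == 0:
        signals.append("slsa_l0")
    if rec.osv_exact_matches:
        signals.append("osv_cve_exact")
    if rec.maintainer_anomaly_flag:
        signals.append("maintainer_anomaly")   # §2.1.3: always a human decision, never a block reason
    blockable = [s for s in signals if s in SIGNAL_FP and SIGNAL_FP[s] < 0.01]
    if strict_opt_in and reversible and blockable:
        return "block", blockable
    return "hyperbrief", signals


def osa_distance(a, b):
    """Levenshtein distance with an adjacent transposition counted once (optimal string alignment)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def skeleton(name):
    """Fold visually confusable glyphs so 'l0dash' and 'rnocha' compare equal to their targets."""
    s = name.lower().replace("rn", "m").replace("vv", "w")
    return s.translate(str.maketrans("01|", "oll"))


POPULAR = ["lodash", "express", "react", "axios", "chalk", "request", "mocha"]  # constructed stand-in for the top-100


def typosquat_candidates(name, popular=POPULAR, max_dist=1):
    """Popular names the candidate could be squatting on, each with its edit distance."""
    hits = []
    for p in popular:
        if p == name:
            continue
        dist = osa_distance(name, p)
        if dist <= max_dist or skeleton(name) == skeleton(p):
            hits.append((p, dist))
    return hits


if __name__ == "__main__":
    print(typosquat_candidates("axois"), typosquat_candidates("rnocha"))
    print(auto_block_decision(ScsRecord("pkg:npm/foo@2.0.0", slsa_level=3, cosign_verified=False)))
    print(auto_block_decision(ScsRecord("pkg:npm/bar@1.0.0", slsa_level=3, maintainer_anomaly_flag=True)))
```

The design point is the separation in auto_block_decision: a maintainer anomaly is always emitted as a signal so it reaches the Hyperbrief card and a human, but it is never in SIGNAL_FP and so can never become a block reason, which is how the §2.1.3 invariant is enforced structurally rather than by convention. With strict_opt_in=False every signal, including a cosign mismatch, degrades to the advisory path.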
Takes 10 to 15 minutes. AI usage cost is small (about $3-5).
Expected wall-clock: 10-15 min. Token cost: ~$3-5 per run (n=3 agents, 3 iters).
Wall-clock: p50 10-15 / p95 30 min. Token ~$3-5/cycle. The SBOM rebuild dominates at >500 transitive deps. If no hermetic build is available, the reproducibility check downgrades to advisory and records itself in untested_classes[] with reason infra-unavailable.
Make sure a fix really worked
Post-fix regression verification round
Post-fix regression verification (3-component check + oscillation registry)
When
Right after you fix a problem Ultrasafe found earlier. 3 things to confirm: (1) original problem really gone, (2) same problem not lurking next door, (3) fix didn't break something else.
Post-fix verification after prior Ultrasafe finding. Verify: (1) PoC no longer triggers, (2) no neighbor exposes same vuln class, (3) no unrelated-invariant regression.
Post-fix regression iter on tracked finding's commit-ref. Scope: repair-locus + k-hop neighborhood + widening invariants. §6.5 oscillation registry tracks repair→regress cycles ≥2 to detect meta-defects requiring structural redesign.
What happens
How to activate
Activation + execution profile
- The next round starts on its own as soon as the fix is in.
- A fresh AI helper tries the original attack one more time. This time it should fail.
- Another helper looks at the nearby code to check for the same kind of weak spot sneaking in from a different direction.
- A third helper checks that the fix didn't accidentally break some other rule that was already protecting you.
- All 3 checks pass → fix confirmed. Any failure → human review requested (a problem that keeps coming back usually needs a deeper change, not another quick fix).
- Iteration N+1 auto-fires when the fix commit lands. Baseline pinned to iteration N's commit SHA + catalog versions.
- §6.2(a) 3-component: (a) PoC retest MUST fail; (b) neighborhood scan via call-graph 1-2 hop; (c) invariant widening via mutation testing.
- All 3 pass → regression_check.all_pass = true ✓. Strict: no new HIGH severity introduced by the fix.
- Any fail → §6.5 meta-defect oscillation. Hyperbrief IR auto-strips defer and forces escalate.
- Example: SQL injection → parameterized-query fix; iteration 2 PoC blocked + neighbor sites covered + input-validation invariant held; iteration 3 no new XSS surface. Clean ✓.
- Output: Greatpractice micro-rule (e.g. 'parameterized-query acceptance test for new endpoints'). Path: reports/ultrasafe-iterations/<tag>/iter-{N..N+3}/.
- Trigger: Stop hook on repair-branch commit (Fixes: trailer or repair_locus file overlap), auto-dispatches iteration N+1 with baseline pinned to iteration N SHA + catalog manifest. Explicit: /ultrasafe --regression-of=ULTRASAFE-<id>.
- §6.2(a) 3-component + falsifiability: (a) PoC retest by a fresh agent (diversity invariant), MUST fail. (b) k-hop call-graph BFS + CWE-grouped signature match for alternative paths to the same equivalence class. (c) Mutation testing on the fix delta vs the held-invariant set; mutations that pass indicate over-tightness or a side effect.
- Pass: regression_check.all_pass iff all 3 clean ∧ no new HIGH that was absent in iteration N. Strict, no severity-lifting compensation (a NEW HIGH ≠ a CLOSED HIGH even at parity).
- Fail: any component fail → §6.5 oscillation_registry + cycle counter++. cycle ≥2 → meta-defect class, IR options forcibly reduced to {apply_redesign, escalate}. cycle ≥3 → structural-redesign A2A intent dispatch.
- Canonical: CWE-89 at /api/users?q= → parameterized query + canonicalization. Iteration 2: PoC blocked at the prepared statement ✓; 5 adjacent query sites use the new helper ✓; 12 mutations on the sanitize fn, 0 pass the WAF invariants ✓. Iteration 3: Synthesizer cross-checks stored XSS, contextually safe ✓.
- Artefacts: §9 micro-rule, CWE-keyed (e.g. CWE-89 → param-query gate). Path: reports/ultrasafe-iterations/<tag>/iter-{N..N+3}/ + OSCAL delta + IR + oscillation_registry update if applicable.
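The three-component verdict and the oscillation registry above, as an added worked example in Python that is not part of the Ultrasafe spec. Component (a) is run for real against the canonical CWE-89 case: the query as it was in iteration N (parameter spliced into the SQL text) and as repaired (bound parameter), against a constructed in-memory SQLite table. Components (b) and (c) are passed in as results, since a call-graph scan and a mutation run do not fit in an example; the Hyperbrief option names, the finding id ULTRASAFE-example and the users table are assumptions.

```python
# Added example, not Ultrasafe's own code: the §6.2(a) three-component post-fix
# regression check and the §6.5 oscillation registry, with component (a) run for
# real against the page's canonical CWE-89 case (string-built query before the fix,
# parameterized query after). Components (b) and (c) are passed in as results;
# the Hyperbrief option names and the in-memory users table are constructed.
import sqlite3
from dataclasses import dataclass


def _db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users(name TEXT)")
    con.executemany("INSERT INTO users VALUES (?)", [("alice",), ("bob",)])
    return con


def query_users_before(con, q):
    # Iteration N code: CWE-89, the parameter is spliced into the SQL text.
    return con.execute("SELECT name FROM users WHERE name = '" + q + "'").fetchall()


def query_users_after(con, q):
    # Repair locus: the value travels as a bound parameter, never as SQL.
    return con.execute("SELECT name FROM users WHERE name = ?", (q,)).fetchall()


POC = "' OR '1'='1"   # the original finding's proof of concept (constructed)


def poc_retest(handler):
    """Component (a): the PoC MUST fail. Blocked means no row comes back, or the query is rejected."""
    con = _db()
    try:
        rows = handler(con, POC)
    except sqlite3.Error:
        return True
    return len(rows) == 0


@dataclass(frozen=True)
class RegressionResult:
    poc_blocked: bool        # (a)
    neighbors_clean: bool    # (b) k-hop call-graph scan found no alternate path to the same class
    invariants_held: bool    # (c) mutation testing: no mutation of the fix delta passed the held invariants
    new_high: int = 0        # HIGH findings in iteration N+1 that were absent from iteration N
    closed_high: int = 0     # HIGH findings closed by the fix; deliberately does NOT offset new_high

    @property
    def all_pass(self):
        # Strict: a closed HIGH never compensates for a new one.
        return (self.poc_blocked and self.neighbors_clean
                and self.invariants_held and self.new_high == 0)


class OscillationRegistry:
    """§6.5: counts repair->regress cycles per finding and narrows the IR options."""

    def __init__(self):
        self.cycles = {}

    def record(self, finding_id, result):
        """Return the Hyperbrief options left after this iteration (option names are assumed)."""
        if result.all_pass:
            return ["close"]
        self.cycles[finding_id] = self.cycles.get(finding_id, 0) + 1
        c = self.cycles[finding_id]
        if c >= 3:
            return ["structural_redesign_a2a"]      # A2A intent dispatch
        if c >= 2:
            return ["apply_redesign", "escalate"]   # meta-defect class
        return ["apply_fix", "escalate"]            # first failure: defer stripped, escalate forced in


if __name__ == "__main__":
    reg = OscillationRegistry()
    before = RegressionResult(poc_retest(query_users_before), True, True, closed_high=1)
    after = RegressionResult(poc_retest(query_users_after), True, True)
    print("before fix:", before.all_pass, reg.record("ULTRASAFE-example", before))
    print("after fix: ", after.all_pass, reg.record("ULTRASAFE-example", after))
```

Against the string-built query the PoC widens WHERE name = '' OR '1'='1' to every row, so poc_retest returns False and the registry's first record strips defer; against the parameterized query the same input is compared as a literal, matches nothing, and the check passes. The closed_high field exists only to show that all_pass ignores it, which is the "NEW HIGH ≠ CLOSED HIGH" rule in code.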
Takes 15-20 min per round. Cost already counted in the calling release-tier budget.
Expected wall-clock: 15-20 min per round. Token cost rolls into calling tier's budget.
Wall-clock per iter: p50 15-20 / p95 30 min (mutation-test dominates w/ large invariant set; k-hop BFS dominates dense call-graph). Token amortizes into caller tier. §6.5 promotion → structural-redesign A2A → extra ~$2-3 IR-emission cycle outside tier envelope.
Where to read more if you want the details
Read the full spec
Read the specification
The full design is on the public code-sharing website GitHub. It is 13 chapters plus 3 short add-on sections (appendices), and it covers everything: how the 8 AI helpers divide up the work, what each helper's report looks like, when 3 or more rounds of checking is actually enough, and what Ultrasafe does NOT cover yet. The 17 research areas that fed into the design are published too — about 14,000 lines of text across 17 research notes, 17 pattern-summary files, and 3 overall summary files.
Ultrasafe.md = v0.1.0 spec (2544 lines). reports/2026-06-05-ultrasafe-research/ = research backing (~14000 lines).
Ultrasafe.md = v0.1.0 spec. reports/2026-06-05-ultrasafe-research/ = 17-axis research backing (~14000 lines). §13 adoption + §12 roadmap + appendix C 4 PARTIAL gaps.