Werner Kasselman
Software engineer and technical author focused on AI agent infrastructure, semantic code search, source verification, and secure systems.
Public Software
- ksmbd mainline fix - smb_grant_oplock() UAF + NULL deref: Use-after-free and NULL dereference in smb_grant_oplock() fixed; merged to mainline (v7.0+, Cc:stable). Surfaced by sqry call-graph analysis (per author); the tool is not named in this commit message, though it is named in the smb2_lock commit.
- ksmbd mainline fix - smb2_lock() leaks + NULL deref: Memory leaks and NULL dereference in smb2_lock() fixed; merged to mainline (v7.0+, Cc:stable). Found via call-graph analysis with sqry.
- homebrew-sqry - Homebrew tap for sqry: Single-formula Homebrew tap (Formula/sqry.rb) installing the four sqry binaries (sqry, sqry-mcp, sqry-lsp, sqryd) on macOS and Linux x86_64/arm64; auto-published from sqry's own release pipeline on every release, kept level with upstream tags.
- sqry-skills - per-agent skills for sqry: MIT-licensed, content-only repo of per-agent skill packages (Claude, Codex, Gemini, Grok, plus a core semantic-search skill) that teach coding agents to drive sqry; uses a resource-delegation design where version-specific tool reference is served live by the sqry-mcp binary as MCP resources rather than baked into the skills.
- sqry - AST-aware semantic code search: Rust semantic code-search engine over tree-sitter ASTs; 36+ language plugins, boolean query language, cross-file relation queries, persistent index, native MCP server; 8,300+ tests; SLSA release attestations; public. (Verified against repo 2026-06-23: 37 sqry-lang-* crates, 9,799 test fns at v5.0.1; the prior '8 plugins / 587 tests' figures were stale.)
- llm-cli-gateway - multi-LLM MCP orchestrator: Production MCP server orchestrating Claude, Codex, Gemini, Grok, Mistral CLIs; node:sqlite, fuzzed parsers, supply-chain hardening; 66 releases; public (v2.5.0).
- agent-assurance-papers - manuscripts + executable proof bundles: Publication-side companion to agent-assurance, holding LaTeX manuscripts and executable proof bundles (chardet-relicense, hello-world, code-derivation-assay) plus the arXiv packaging DAG-TOML workflow; proofs are validated by the sibling spec repo's implementation-DAG, traceability, and review-readiness validators and include multi-LLM review records.
- agent-assurance - DAG-TOML governance spec: Open Apache-2.0 specification for machine-checkable agent planning: dependency DAGs, traceability, review-readiness proofs.
- NVIDIA SkillSpector - two merged wernerkasselman-au security/correctness contributions: Authored two merged PRs into NVIDIA's open-source AI-skill security scanner under the wernerkasselman-au GitHub identity: PR #6 made MCP tool-poisoning checks reachable and bounded build_context reads; PR #133 made LLM finding schemas portable by dropping ge/le bounds and enforcing runtime clamps. Open follow-on PR at verification time: #19 bounded build_context reads and fail-closed oversized-input handling.
- NVIDIA SkillSpector - structured-output schema portability fix (merged): Authored fix merged into NVIDIA/SkillSpector main (PR #133, commit c184c2a, merged 2026-06-22): the LLMFinding and MetaAnalyzerFinding pydantic models emitted JSON-schema minimum/maximum bounds (ge/le) on confidence and start_line, which some structured-output LLM endpoints reject, causing a whole batch to fail. Dropped the bounds and added field_validator clamps (confidence to [0,1], start_line to >=1) so the contract is enforced at runtime while the emitted schema stays portable, with tests asserting the schema is bound-free and the clamps hold. Closes issue #132; approved by maintainer rng1995.
- Cisco AI Defense skill-scanner - API hardening (PR-stage): Authored API scan-boundary hardening for Cisco AI Defense's open-source AI Agent Skills scanner: archive/filesystem resource limits (zip-bomb/DoS defence), hardened API router, loader, scanner, and content extractor, with extensive tests (24 files, +1,186/-210). On contributor fork branch; PR-stage, not yet confirmed merged upstream.
- Upstream Crossplane core - reconciler nil-deref bug report (#7479): Authored crossplane/crossplane issue #7479: root-caused a nil-dereference panic in the package runtime reconciler (internal/controller/pkg/runtime/reconciler.go) when a stale SetImagePullSecret applied ImageConfig ref points at an ImageConfig whose optional registry.authentication.pullSecretRef is gone. Includes self-heal analysis and scope assessment. A Crossplane maintainer (MEMBER) acknowledged it and requested a PR; a nil-safe fix (RuntimeUnhealthy condition + warning event, with regression tests) is self-reported as a PR in the thread.
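The Cisco skill-scanner entry above mentions archive resource limits as a zip-bomb and DoS defence. The block below is an added example of that technique, written for this page; it is not the Cisco scanner's code, every function and class name in it is hypothetical, and the sample archives are constructed inline. It treats every zip-header size as attacker-controlled: the header values gate cheaply, but the real decompressed byte count is measured while streaming and the per-entry and whole-archive budgets are re-checked after every chunk, so any violation fails closed before more data is inflated. It also rejects member paths that could escape the extraction root.

```python
"""Added example, not the Cisco scanner's code: a bounded zip extractor of the
kind an archive resource-limit (zip-bomb / DoS) defence needs. Every name here
is hypothetical; the sample archives are constructed inline."""
import io
import zipfile
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class ArchiveLimits:
    max_entries: int = 200
    max_entry_bytes: int = 2 * 1024 * 1024   # decompressed size of one member
    max_total_bytes: int = 8 * 1024 * 1024   # decompressed size of the whole archive
    max_ratio: float = 100.0                 # decompressed / compressed, per member


class ArchiveRejected(Exception):
    """Raised on any limit or path violation; callers treat this as fail-closed."""


def _safe_member_path(name: str) -> bool:
    # Reject absolute paths, drive letters and any '..' component, so a member
    # can never be written outside the extraction root.
    parts = name.replace("\\", "/").split("/")
    if name.startswith(("/", "\\")) or ":" in parts[0]:
        return False
    return ".." not in parts


def extract_bounded(data: bytes, limits: ArchiveLimits = ArchiveLimits()) -> Dict[str, bytes]:
    """Decompress every member of an in-memory zip, enforcing limits.
    Header sizes are attacker-controlled, so the header checks are only a first
    gate; the byte count is measured while streaming and the budget is re-checked
    after every chunk, before anything more is decompressed."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        raise ArchiveRejected(f"not a zip archive: {exc}") from exc
    infos = zf.infolist()
    if len(infos) > limits.max_entries:
        raise ArchiveRejected(f"{len(infos)} members exceed limit {limits.max_entries}")
    total = 0
    out: Dict[str, bytes] = {}
    for info in infos:
        if not _safe_member_path(info.filename):
            raise ArchiveRejected(f"unsafe member path: {info.filename!r}")
        if info.is_dir():
            continue
        if info.file_size > limits.max_entry_bytes:
            raise ArchiveRejected(f"{info.filename}: declared size {info.file_size} exceeds per-entry limit")
        if info.compress_size and info.file_size / info.compress_size > limits.max_ratio:
            raise ArchiveRejected(f"{info.filename}: compression ratio exceeds {limits.max_ratio}")
        buf = bytearray()
        with zf.open(info) as fh:
            while True:
                chunk = fh.read(64 * 1024)
                if not chunk:
                    break
                buf.extend(chunk)
                total += len(chunk)
                if len(buf) > limits.max_entry_bytes:
                    raise ArchiveRejected(f"{info.filename}: measured size exceeds per-entry limit")
                if total > limits.max_total_bytes:
                    raise ArchiveRejected(f"{info.filename}: total decompressed bytes exceed {limits.max_total_bytes}")
        out[info.filename] = bytes(buf)
    return out


def check_archive(data: bytes, limits: ArchiveLimits = ArchiveLimits()) -> Tuple[bool, str]:
    """Scanner-facing verdict: (accepted, reason). Rejections carry the reason."""
    try:
        members = extract_bounded(data, limits)
    except ArchiveRejected as exc:
        return False, str(exc)
    return True, f"{len(members)} member(s) extracted"


def make_zip(members: Dict[str, bytes]) -> bytes:
    """Build a deflated zip in memory (used only to construct the samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a plausible skill package, a zip bomb (8 MiB of zeros
# that deflates to a few KiB) and a path-traversal member.
BENIGN = make_zip({"SKILL.md": b"# demo skill\n", "scripts/run.sh": b"echo hi\n"})
BOMB = make_zip({"SKILL.md": b"# x\n", "pad.bin": b"\0" * (8 * 1024 * 1024)})
TRAVERSAL = make_zip({"../../etc/cron.d/evil": b"* * * * * root id\n"})

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("bomb", BOMB), ("traversal", TRAVERSAL)):
        print(label, check_archive(blob))
```

The measured check matters even though CPython's zipfile caps a member's output at its declared size: a different decompressor, or a format whose headers are not trusted, needs the streaming budget, and the whole-archive total is not expressed in any single header at all.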
Security And Systems Contributions
- Two security fixes merged to the mainline Linux kernel: Two ksmbd fixes (a use-after-free plus NULL dereference in smb_grant_oplock(), and memory leaks plus a NULL dereference in smb2_lock()) authored and merged to mainline (v7.0+, Cc:stable); both are attributed by the author to sqry call-graph analysis, though only the smb2_lock commit message names the tool.
- Merged two wernerkasselman-au contributions into NVIDIA's open-source AI-skill security scanner: Authored two merged NVIDIA/SkillSpector PRs under the wernerkasselman-au GitHub identity: PR #6 made MCP tool-poisoning checks reachable and bounded build_context reads; PR #133 fixed structured-output schema portability with runtime clamps.
- Reported NVIDIA SkillSpector Stage 2 LLM resilience issues later fixed upstream: Reported two NVIDIA/SkillSpector Stage 2 LLM resilience defects under the wernerkasselman-au GitHub identity: issue #9 showed that one failed LLM batch could abort the whole meta-analyzer pass and silently fall back to static results, and issue #11 showed that apply_filter could drop findings the LLM never analysed. Both issues were later fixed upstream in PR #32 by nyxst4ck, merged on 2026-06-24; this is issue-discovery credit, not authorship of the fixing commit.
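The SkillSpector PR #133 entries above describe why schema-level ge/le bounds broke structured output and how runtime clamps replaced them. The block below is an added example of that pattern, written for this page; it is not SkillSpector's code, the model, field and function names are hypothetical, and the sample batch is constructed inline. It shows both shapes side by side: the bounded model whose emitted JSON schema carries minimum/maximum keywords, and the portable model whose schema is bound-free while field_validator clamps still enforce confidence in [0,1] and start_line >= 1, so one out-of-range number from the LLM no longer loses the whole batch.

```python
"""Added example, not SkillSpector's code: how `ge`/`le` bounds on a pydantic
finding model surface as minimum/maximum in the emitted JSON schema, and how
runtime clamps keep the same contract with a bound-free schema. Model and
field names are hypothetical; the sample batch is constructed inline."""
from typing import Dict, List, Optional, Type

from pydantic import BaseModel, Field, ValidationError, field_validator


class BoundedFinding(BaseModel):
    """'Before': bounds live in the schema, so model_json_schema() emits
    minimum/maximum keywords that some structured-output endpoints reject."""
    confidence: float = Field(ge=0.0, le=1.0)
    start_line: int = Field(ge=1)
    title: str


class PortableFinding(BaseModel):
    """'After': no schema-level bounds; the invariant is enforced at runtime by
    validators that clamp out-of-range values instead of rejecting them."""
    confidence: float
    start_line: int
    title: str

    @field_validator("confidence", mode="after")
    @classmethod
    def clamp_confidence(cls, v: float) -> float:
        return min(1.0, max(0.0, v))

    @field_validator("start_line", mode="after")
    @classmethod
    def clamp_start_line(cls, v: int) -> int:
        return max(1, v)


RANGE_KEYWORDS = ("minimum", "maximum", "exclusiveMinimum", "exclusiveMaximum")


def schema_bound_keywords(model: Type[BaseModel]) -> Dict[str, List[str]]:
    """Range keywords present per property in the model's JSON schema.
    An empty dict means the schema is bound-free, i.e. portable."""
    found: Dict[str, List[str]] = {}
    for name, spec in model.model_json_schema()["properties"].items():
        keys = [k for k in RANGE_KEYWORDS if k in spec]
        if keys:
            found[name] = keys
    return found


def parse_batch(raws: List[dict], model: Type[BaseModel]) -> Optional[List[BaseModel]]:
    """Parse one LLM batch all-or-nothing, as a meta-analyzer pass would.
    Returns None when any finding fails validation, i.e. the batch is lost."""
    try:
        return [model.model_validate(r) for r in raws]
    except ValidationError:
        return None


# Constructed batch: one in-range finding and two with out-of-range numbers
# of the kind an LLM emits when it ignores the schema it was given.
SAMPLE_BATCH = [
    {"confidence": 0.92, "start_line": 14, "title": "install step pipes curl into sh"},
    {"confidence": 1.3, "start_line": 0, "title": "tool description overrides user instructions"},
    {"confidence": -0.1, "start_line": 7, "title": "reads env var outside declared scope"},
]

if __name__ == "__main__":
    print("bounded schema keywords:", schema_bound_keywords(BoundedFinding))
    print("portable schema keywords:", schema_bound_keywords(PortableFinding))
    print("strict batch:", parse_batch(SAMPLE_BATCH, BoundedFinding))
    for f in parse_batch(SAMPLE_BATCH, PortableFinding) or []:
        print(f.confidence, f.start_line, f.title)
```

The clamp deliberately uses mode="after", so pydantic has already coerced the value to the declared type before it is clamped; the portable schema still tells the endpoint the field types, and the validators own the range.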
Published Writing
- How We Used AI Agents to Security-Audit an Open Source Project: Walks through a two-round AI-agent security audit of Garry Tan's gstack using sqry and llm-cli-gateway, surfacing 30 findings including a HIGH shell injection and a sqry-only mutual-recursion bug; both rounds were cherry-picked upstream with co-author credit.
- What Bunnings' AI chatbot reveals about how retail AI actually works: Black-box probing of Bunnings' Buddy chatbot finds four stacked control layers that restrict intent rather than knowledge, yielding a repeatable context-rebinding workaround; argues it is a legal-compliance architecture, not a security one.
- Cache-Aware Spawning: What Changed in llm-cli-gateway, a Week On: Makes prompt caching first-class across five providers via a structured promptParts shape concatenated in canonical order, plus cache_state:// observability resources that store no conversation text; adds Mistral Vibe as the fifth provider.
- The City-State and the Federation: Two Governance Models for AI Coding Agents: Compares dgov's legal-metaphor agent governance against Werner's DAG-TOML scientific-audit stack, arguing their blind spots are complementary and file-claims/fail-closed gates are load-bearing for the field.
- Why CLI Wrapping Beats API Proxying for Multi-LLM Development: Argues wrapping the claude/codex/gemini CLI binaries as child processes gives multi-LLM development capabilities (real file access, test execution, native session continuity, inherited auth) that API proxies cannot reach, with an honest trade-off list.
- The Code Question grep Can't Answer: Introduces sqry, an AST-based code-search tool that parses code as a unified cross-language graph to answer who-calls-what; contrasts it with grep, embedding search, ast-grep, CodeQL and Sourcegraph, and argues AI assistants need structural data.
- The Codex Review Gate: How We Made AI Agents Review Each Other's Work: Describes the most-used Verivus Labs pattern: submit work to Codex/Gemini/Claude via llm-cli-gateway and iterate to unconditional approval, with fullAuto giving Codex workspace access to verify rather than guess, extended into consensus and red/blue-team cycles.
- DAG TOML: How I Turned Four Months of Code-Review Pain into a Machine-Checkable Planning Format (Medium): Medium cross-post of the dev.to DAG-TOML piece: a ~2,400-document review archive yields six failure categories, fixed by TOML DAG plans plus a validator that recomputes and refutes every derived claim.
- DAG TOML: How I Turned Four Months of Code-Review Pain into a Machine-Checkable Planning Format: Mines a ~2,400-document review archive into six failure categories and introduces DAG-TOML: plans as TOML DAGs with a validator that recomputes every derived claim; cross-posted to Medium.
- The Format I Make Agents Author In: A Working Guide to DAG-TOML: A working guide to the DAG-TOML draft spec (schema 0.1.0, Apache-2.0): the narrative/structure split, the seven document kinds, the IJB six-primitive substrate, the three review pillars, and the move from flat files to a SurrealDB runtime.
- Here's what stopped breaking, when you make LLM agents author in two formats: Argues each unit of agent work should produce narrative (Markdown), structure (TOML DAG with machine-checkable invariants), and evidence; defends TOML over YAML/JSON and traces the three review pillars to failure data.
- llm-cli-gateway 2.0.0: the quiet supply-chain release that matters: Frames the 2.0.0 release as hardening: drops the better-sqlite3 native-module install chain for Node's built-in node:sqlite behind one adapter, removing an install-time supply-chain risk class at the cost of requiring Node >=24.4.0.
Career And Awards
- Senior Staff Systems Architect, Cloud Infrastructure Systems Engineering - ServiceNow: Senior Staff Systems Architect in ServiceNow cloud infrastructure systems engineering since 2023; public resume source notes architecture work for one of the world's largest SaaS platforms and two ServiceNow UTG Llama Awards.
- Principal Enterprise Architect (Freelance) - QBCC & QLD Department of Education: Created the QBCC Digital Services Reference Architecture and EA repository (incorporating the QLD Digital Economy Strategy), and delivered a ServiceNow future-state analysis and roadmap for the QLD Department of Education.
- Citrix Business Development Manager (contract) - Fujitsu Oceania: Built the Fujitsu-Citrix partnership and the TTU @ Fujitsu sales motion, growing weighted first-year order-value pipeline from AU$484K (May) to AU$5.011M (November 2022).
- Enterprise Solutions Architect / Team Lead, Solution Architecture - City of Gold Coast: Led a team of 7 to 14 solution architects delivering citywide ICT programs on Azure and AWS for Australia's second-largest local government (3,200+ staff); delivered the City's first Virtual Council Meeting in two weeks at the onset of COVID.
- Principal Systems Administrator, Data Centre & Cloud - Public Safety Business Agency (Qld): Technical leadership for operations across Azure, AWS, VMware (vSphere and Horizon), enterprise servers and SAN supporting Queensland's police, fire and emergency services; technical lead for the data protection and recovery tender and HP OneView rollout.
- IT Infrastructure Team Lead - MidCoast Water: End-to-end infrastructure for a utility serving 40,000 households: vSphere 6.0 and Active Directory upgrades, ADFS, SharePoint build for EPM, and technical lead for the EMC Unity all-flash array implementation.
- UTG Llama Award Q1/2025 - ServiceNow: Awarded by Deeps Sidhu for resolving SPP AU regulated-market customer issues and taking ownership of Hyperscalers program work beyond direct responsibility.
- UTG Llama Award Q2/2024 - ServiceNow: Awarded by Bill Schuller for preparing and reviewing the Singapore GovTech engagement material that established the foundation for ServiceNow's Isolated Cloud Offerings stakeholder communication.
- Oceania Hub Award - Fujitsu: Awarded for the TTU @ Fujitsu mini-site supporting the Fujitsu-Citrix partnership sales motion.
- Delivering Results Australian Subsidiary Award - Microsoft: Microsoft Australia subsidiary recognition received during the Lead Technology Strategist (Account CTO) tenure.
- Master of Networking and Systems Administration - Charles Sturt University: Master of Networking and Systems Administration conferred by Charles Sturt University on 2008-04-10; qualification verified through the CSU alumni qualification-verification service.