Werner Kasselman

Software engineer and technical author focused on AI agent infrastructure, semantic code search, source verification, and secure systems.

Public entity profile generated from evidence nodes marked public only.

Public Software

• ksmbd mainline fix - smb_grant_oplock() UAF + NULL deref: Use-after-free and NULL dereference in smb_grant_oplock() fixed; merged to mainline (v7.0+, Cc:stable). Surfaced by sqry call-graph analysis (per author); the tool is not named in this commit message, though it is named in the smb2_lock commit.
• ksmbd mainline fix - smb2_lock() leaks + NULL deref: Memory leaks and NULL dereference in smb2_lock() fixed; merged to mainline (v7.0+, Cc:stable). Found via call-graph analysis with sqry.
• homebrew-sqry - Homebrew tap for sqry: Single-formula Homebrew tap (Formula/sqry.rb) installing the four sqry binaries (sqry, sqry-mcp, sqry-lsp, sqryd) on macOS and Linux x86_64/arm64; auto-published from sqry's own release pipeline on every release, kept level with upstream tags.
• sqry-skills - per-agent skills for sqry: MIT-licensed, content-only repo of per-agent skill packages (Claude, Codex, Gemini, Grok, plus a core semantic-search skill) that teach coding agents to drive sqry; uses a resource-delegation design where version-specific tool reference is served live by the sqry-mcp binary as MCP resources rather than baked into the skills.
• sqry - AST-aware semantic code search: Rust semantic code-search engine over tree-sitter ASTs; 36+ language plugins, boolean query language, cross-file relation queries, persistent index, native MCP server; 8,300+ tests; SLSA release attestations; public. (Verified against repo 2026-06-23: 37 sqry-lang-* crates, 9,799 test fns at v5.0.1; the prior '8 plugins / 587 tests' figures were stale.)
• llm-cli-gateway - multi-LLM MCP orchestrator: Production MCP server orchestrating Claude, Codex, Gemini, Grok, Mistral CLIs; node:sqlite, fuzzed parsers, supply-chain hardening; 66 releases; public (v2.5.0).
• agent-assurance-papers - manuscripts + executable proof bundles: Publication-side companion to agent-assurance, holding LaTeX manuscripts and executable proof bundles (chardet-relicense, hello-world, code-derivation-assay) plus the arXiv packaging DAG-TOML workflow; proofs are validated by the sibling spec repo's implementation-DAG, traceability, and review-readiness validators and include multi-LLM review records.
• agent-assurance - DAG-TOML governance spec: Open Apache-2.0 specification for machine-checkable agent planning: dependency DAGs, traceability, review-readiness proofs.
• NVIDIA SkillSpector - two merged wernerkasselman-au security/correctness contributions: Authored two merged PRs into NVIDIA's open-source AI-skill security scanner under the wernerkasselman-au GitHub identity: PR #6 made MCP tool-poisoning checks reachable and bounded build_context reads; PR #133 made LLM finding schemas portable by dropping ge/le bounds and enforcing runtime clamps. Open follow-on PR at verification time: #19 bounded build_context reads and fail-closed oversized-input handling.
• NVIDIA SkillSpector - structured-output schema portability fix (merged): Authored fix merged into NVIDIA/SkillSpector main (PR #133, commit c184c2a, merged 2026-06-22): the LLMFinding and MetaAnalyzerFinding pydantic models emitted JSON-schema minimum/maximum bounds (ge/le) on confidence and start_line, which some structured-output LLM endpoints reject, causing a whole batch to fail. Dropped the bounds and added field_validator clamps (confidence to [0,1], start_line to >=1) so the contract is enforced at runtime while the emitted schema stays portable, with tests asserting the schema is bound-free and the clamps hold. Closes issue #132; approved by maintainer rng1995.
• Cisco AI Defense skill-scanner - API hardening (PR-stage): Authored API scan-boundary hardening for Cisco AI Defense's open-source AI Agent Skills scanner: archive/filesystem resource limits (zip-bomb/DoS defence), hardened API router, loader, scanner, and content extractor, with extensive tests (24 files, +1,186/-210). On contributor fork branch; PR-stage, not yet confirmed merged upstream.
• Upstream Crossplane core - reconciler nil-deref bug report (#7479): Authored crossplane/crossplane issue #7479: root-caused a nil-dereference panic in the package runtime reconciler (internal/controller/pkg/runtime/reconciler.go) when a stale SetImagePullSecret applied ImageConfig ref points at an ImageConfig whose optional registry.authentication.pullSecretRef is gone. Includes self-heal analysis and scope assessment. A Crossplane maintainer (MEMBER) acknowledged it and requested a PR; a nil-safe fix (RuntimeUnhealthy condition + warning event, with regression tests) is self-reported as a PR in the thread.

Security And Systems Contributions

• Cisco AI Defense skill-scanner - API hardening (PR-stage): Authored API scan-boundary hardening for Cisco AI Defense's open-source AI Agent Skills scanner: archive/filesystem resource limits (zip-bomb/DoS defence), hardened API router, loader, scanner, and content extractor, with extensive tests (24 files, +1,186/-210). On contributor fork branch; PR-stage, not yet confirmed merged upstream.
• Two security fixes merged to the mainline Linux kernel: Two ksmbd fixes (UAF, NULL deref, memory leaks) authored and merged to mainline (v7.0+, Cc:stable); one found via sqry.
• Merged two wernerkasselman-au contributions into NVIDIA's open-source AI-skill security scanner: Authored two merged NVIDIA/SkillSpector PRs under the wernerkasselman-au GitHub identity: PR #6 made MCP tool-poisoning checks reachable and bounded build_context reads; PR #133 fixed structured-output schema portability with runtime clamps.
• Reported NVIDIA SkillSpector Stage 2 LLM resilience issues later fixed upstream: Reported two NVIDIA/SkillSpector Stage 2 LLM resilience defects under the wernerkasselman-au GitHub identity: issue #9 showed that one failed LLM batch could abort the whole meta-analyzer pass and silently fall back to static results, and issue #11 showed that apply_filter could drop findings the LLM never analysed. Both issues were later fixed upstream in PR #32 by nyxst4ck, merged on 2026-06-24; this is issue-discovery credit, not authorship of the fixing commit.
• ksmbd mainline fix - smb_grant_oplock() UAF + NULL deref: Use-after-free and NULL dereference in smb_grant_oplock() fixed; merged to mainline (v7.0+, Cc:stable). Surfaced by sqry call-graph analysis (per author); the tool is not named in this commit message, though it is named in the smb2_lock commit.
• ksmbd mainline fix - smb2_lock() leaks + NULL deref: Memory leaks and NULL dereference in smb2_lock() fixed; merged to mainline (v7.0+, Cc:stable). Found via call-graph analysis with sqry.
• NVIDIA SkillSpector - two merged wernerkasselman-au security/correctness contributions: Authored two merged PRs into NVIDIA's open-source AI-skill security scanner under the wernerkasselman-au GitHub identity: PR #6 made MCP tool-poisoning checks reachable and bounded build_context reads; PR #133 made LLM finding schemas portable by dropping ge/le bounds and enforcing runtime clamps. Open follow-on PR at verification time: #19 bounded build_context reads and fail-closed oversized-input handling.
• NVIDIA SkillSpector - structured-output schema portability fix (merged): Authored fix merged into NVIDIA/SkillSpector main (PR #133, commit c184c2a, merged 2026-06-22): the LLMFinding and MetaAnalyzerFinding pydantic models emitted JSON-schema minimum/maximum bounds (ge/le) on confidence and start_line, which some structured-output LLM endpoints reject, causing a whole batch to fail. Dropped the bounds and added field_validator clamps (confidence to [0,1], start_line to >=1) so the contract is enforced at runtime while the emitted schema stays portable, with tests asserting the schema is bound-free and the clamps hold. Closes issue #132; approved by maintainer rng1995.

Published Writing

• How We Used AI Agents to Security-Audit an Open Source Project: Walks through a two-round AI-agent security audit of Garry Tan's gstack using sqry and llm-cli-gateway, surfacing 30 findings including a HIGH shell injection and a sqry-only mutual-recursion bug; both rounds were cherry-picked upstream with co-author credit.
• What Bunnings' AI chatbot reveals about how retail AI actually works: Black-box probing of Bunnings' Buddy chatbot finds four stacked control layers that restrict intent rather than knowledge, yielding a repeatable context-rebinding workaround; argues it is a legal-compliance architecture, not a security one.
• Cache-Aware Spawning: What Changed in llm-cli-gateway, a Week On: Makes prompt caching first-class across five providers via a structured promptParts shape concatenated in canonical order, plus cache_state:// observability resources that store no conversation text; adds Mistral Vibe as the fifth provider.
• The City-State and the Federation: Two Governance Models for AI Coding Agents: Compares dgov's legal-metaphor agent governance against Werner's DAG-TOML scientific-audit stack, arguing their blind spots are complementary and file-claims/fail-closed gates are load-bearing for the field.
• Why CLI Wrapping Beats API Proxying for Multi-LLM Development: Argues wrapping the claude/codex/gemini CLI binaries as child processes gives multi-LLM development capabilities (real file access, test execution, native session continuity, inherited auth) that API proxies cannot reach, with an honest trade-off list.
• The Code Question grep Can't Answer: Introduces sqry, an AST-based code-search tool that parses code as a unified cross-language graph to answer who-calls-what; contrasts it with grep, embedding search, ast-grep, CodeQL and Sourcegraph, and argues AI assistants need structural data.
• The Codex Review Gate: How We Made AI Agents Review Each Other's Work: Describes the most-used Verivus Labs pattern: submit work to Codex/Gemini/Claude via llm-cli-gateway and iterate to unconditional approval, with fullAuto giving Codex workspace access to verify rather than guess, extended into consensus and red/blue-team cycles.
• DAG TOML: How I Turned Four Months of Code-Review Pain into a Machine-Checkable Planning Format (Medium): Medium cross-post of the dev.to DAG-TOML piece: a ~2,400-document review archive yields six failure categories, fixed by TOML DAG plans plus a validator that recomputes and refutes every derived claim.
• DAG TOML: How I Turned Four Months of Code-Review Pain into a Machine-Checkable Planning Format: Mines a ~2,400-document review archive into six failure categories and introduces DAG-TOML: plans as TOML DAGs with a validator that recomputes every derived claim; cross-posted to Medium.
• The Format I Make Agents Author In: A Working Guide to DAG-TOML: A working guide to the DAG-TOML draft spec (schema 0.1.0, Apache-2.0): the narrative/structure split, the seven document kinds, the IJB six-primitive substrate, the three review pillars, and the move from flat files to a SurrealDB runtime.
• Here's what stopped breaking, when you make LLM agents author in two formats: Argues each unit of agent work should produce narrative (Markdown), structure (TOML DAG with machine-checkable invariants), and evidence; defends TOML over YAML/JSON and traces the three review pillars to failure data.
• llm-cli-gateway 2.0.0: the quiet supply-chain release that matters: Frames the 2.0.0 release as hardening: drops the better-sqlite3 native-module install chain for Node's built-in node:sqlite behind one adapter, removing an install-time supply-chain risk class at the cost of requiring Node >=24.4.0.

Career And Awards

• Senior Staff Systems Architect, Cloud Infrastructure Systems Engineering - ServiceNow: Senior Staff Systems Architect in ServiceNow cloud infrastructure systems engineering since 2023; public resume source notes architecture work for one of the world's largest SaaS platforms and two ServiceNow UTG Llama Awards.
• Principal Enterprise Architect (Freelance) - QBCC & QLD Department of Education: Created the QBCC Digital Services Reference Architecture and EA repository (incorporating the QLD Digital Economy Strategy), and delivered a ServiceNow future-state analysis and roadmap for the QLD Department of Education.
• Citrix Business Development Manager (contract) - Fujitsu Oceania: Built the Fujitsu-Citrix partnership and the TTU @ Fujitsu sales motion, growing weighted first-year order-value pipeline from AU$484K (May) to AU$5.011M (November 2022).
• Enterprise Solutions Architect / Team Lead, Solution Architecture - City of Gold Coast: Led a team of 7 to 14 solution architects delivering citywide ICT programs on Azure and AWS for Australia's second-largest local government (3,200+ staff); delivered the City's first Virtual Council Meeting in two weeks at the onset of COVID.
• Principal Systems Administrator, Data Centre & Cloud - Public Safety Business Agency (Qld): Technical leadership for operations across Azure, AWS, VMware (vSphere and Horizon), enterprise servers and SAN supporting Queensland's police, fire and emergency services; technical lead for the data protection and recovery tender and HP OneView rollout.
• IT Infrastructure Team Lead - MidCoast Water: End-to-end infrastructure for a utility serving 40,000 households: vSphere 6.0 and Active Directory upgrades, ADFS, SharePoint build for EPM, and technical lead for the EMC Unity all-flash array implementation.
• UTG Llama Award Q1/2025 - ServiceNow: Awarded by Deeps Sidhu for resolving SPP AU regulated-market customer issues and taking ownership of Hyperscalers program work beyond direct responsibility.
• UTG Llama Award Q2/2024 - ServiceNow: Awarded by Bill Schuller for preparing and reviewing the Singapore GovTech engagement material that established the foundation for ServiceNow's Isolated Cloud Offerings stakeholder communication.
• Oceania Hub Award - Fujitsu: Awarded for the TTU @ Fujitsu mini-site supporting the Fujitsu-Citrix partnership sales motion.
• Delivering Results Australian Subsidiary Award - Microsoft: Microsoft Australia subsidiary recognition received during the Lead Technology Strategist (Account CTO) tenure.
• Master of Networking and Systems Administration - Charles Sturt University: Master of Networking and Systems Administration conferred by Charles Sturt University on 2008-04-10; qualification verified through the CSU alumni qualification-verification service.

Profile Links

• https://dev.to/wernerk_au
• https://github.com/wernerk
• https://kasselman.com.au/werner
• https://medium.com/@wernerk
• https://wernerkasselman.substack.com
• https://www.linkedin.com/in/wernerkasselman
• https://x.com/wernerk_au