SoliEstre
User
Run Claude, Cursor, Copilot, and Gemini on the same codebase without rule-file chaos. Bilingual (EN/KO) AGENTS.md-first seed prompts for bootstrap, migration, and multi-agent coordination.
Indexed Skills (12)
hyperbrief-trigger-check
ALWAYS run BEFORE composing any message that asks the user for a decision, approval, or choice. Cheap escalation rubric (4-score + 5 MUST-trigger conditions) that returns one of {AUTONOMOUS_DECIDE, FULL_HYPERBRIEF, MINIMAL_BRIEF, BLOCK_FRAMING}. Triggered by message-intent patterns ('괜찮을까요','할까요','should we','which option','approve','confirm','choose between','OK to') OR by Superscalar opening a write/deploy/send lane OR by inbound Constellation DECISION_REQUEST. Also routes audience-profile commands (tone L<n>.<n>.<n> + term_pairing L<n>.{E|I|N}.{C|D|B|R|A}[!|?]) to the hyperbrief skill for AudienceProfileFallback population. Invokes the full hyperbrief skill ONLY when outcome != AUTONOMOUS_DECIDE. Skip for pure read-only fan-outs.
ultrasafe-crypto-reviewer
Pre-release simulated penetration testing from the cryptography attacker perspective — key management / random source / TLS misuse / signature scheme / constant-time violation / PQC readiness / cryptographic agility envelope. Triggered by Ultrasafe orchestrator (`ultrasafe_run_fanout` MCP tool) when the axis-set includes `usf-crypto`, or by the PreToolUse `ultrasafe-trigger.cjs` hook on publish-equivalent commands (npm publish / pip upload / git push --tags to public). Emits findings via the `ULTRASAFE_FINDING` A2A intent (Constellation §13.16.9), conforming to `schemas/finding.schema.json` with the `perspective.primary = "crypto-reviewer"` variant. Advisory mode in v0.2.x (report-only, no publish block); blocking mode deferred to v0.3+.
ultrasafe-supply-chain-auditor
Pre-release simulated penetration testing from the dependency / SBOM / typosquatting / signing-chain perspective. Invoke as Agent 3 of the Ultrasafe 8-agent fan-out (Ultrasafe.md §15.3) whenever the iteration axis-set includes `usf-supply-chain`, or whenever a release candidate touches dependency manifests (package.json / pyproject.toml / Cargo.toml / go.mod / requirements*.txt / lockfiles / SBOM artifacts / signed-attestation chains). Emits `ULTRASAFE_FINDING` A2A intents (Constellation §13.16, §18.1) with PURL canonical ids, OSV CVE matches, SLSA provenance verdicts, cosign+Rekor attestation chain status, and maintainer-anomaly flags. v0.2.x = advisory mode (report-only, never auto-blocks publish); v0.3+ = blocking gate for deterministic signals only. Maintainer-anomaly findings are always human-gated (Ultrasafe §2.1.3 CT1) regardless of mode.
ultrasafe-synthesizer
Pre-release security testing — retire-barrier fan-out sink. Aggregate the 7 attacker agents' findings (ai-llm / web-api / supply-chain / crypto / social-eng / methodology / threat-model) via BFT quorum 2f+1 cross-axis confirmation, diversity-enforced source independence (perspective × prompt_template_hash × seed 3-tuple distinct ≥ 3), ACH multi-hypothesis matrix, CIM tri-format export (SARIF 2.1.0 + STIX 2.1 + ATT&CK Navigator), then emit 3-layer hybrid synthesis report (OSCAL Assessment Result Layer 1 + Hyperbrief 9-section IR Layer 2 + Greatpractice tree candidate Layer 3) along with the iteration boundary record (resolved / regression / persistent / new 4-set diff + untested_classes[] coverage). Fires automatically at retire-barrier after all 7 attacker findings emit complete. v0.2.x advisory mode — report-only, no publish blocking.
ultrasafe-web-api-attacker
Pre-release simulated penetration testing from the OWASP Top 10 / API contract / auth-bypass / SQLi / XSS / SSRF / CSRF / open-redirect / IDOR attacker perspective. Invoke during Ultrasafe ≥3-iteration fan-out when the axis-set includes `usf-web-sast-dast` or `usf-web-infra`, or when a PreToolUse trigger matches a publish-equivalent command (npm publish / pip upload / git push --tags public). Emits `ULTRASAFE_FINDING` A2A intent per finding (Constellation §13.16) with OSCAL-aligned payload + attack-path-graph flat-list candidate. v0.2.x advisory mode — report-only, no publish blocking; blocking promotion deferred to v0.3+.
hyperbrief
Use AFTER hyperbrief-trigger-check returns FULL_HYPERBRIEF or MINIMAL_BRIEF. Generates the 8-section decision-delegation brief (JSON IR + deterministic MD/HTML render) and emits a paired Constellation DECISION_REQUEST + HyperbriefCard envelope. MUST run when (a) escalation_sum >= 4, (b) any MUST-trigger fires (irreversibility>=2 / cross-module blast radius / external-party notification / resource threshold / supersedes prior decision), (c) Superscalar fan-out gate just opened a write/deploy/send lane, (d) Constellation A2A DECISION_REQUEST is inbound for response. SKIP when trigger-check returned AUTONOMOUS_DECIDE or BLOCK_FRAMING.
superscalar
Use BEFORE dispatching multiple sub-agents in parallel (Agent tool fan-outs, Workflow.parallel/pipeline, multi-lane Edit operations). Consult the issue_width formula to bound concurrency, apply the cost-benefit gate to decide spawn-vs-inline, honor the irreversibility barrier (write/deploy/send retire-gated), enforce in-order retire, and respect the v0.4 nested-repo worktree limitation. **v0.4.1 §3.1 Hyperbrief interlock** — for write/deploy/send lanes that pass the cost-benefit gate, also invoke `hyperbrief-trigger-check` (4-score escalation + 5 MUST-trigger); on FULL_HYPERBRIEF pause the lane and emit Constellation `DECISION_REQUEST + HyperbriefCard`, await `ack_tier='decided'`; read-only lanes are exempt by construction. Especially relevant when the work shape is "audit / cross-dimension consistency / handover-grade output" — where Entry 06's A/B measurement showed Arm B (discipline) catches the contradictions Arm A (naïve max-parallel) leaves silently unresolved.
ultrasafe-social-engineer
Pre-release security testing — simulated penetration from the social-engineering / human-factor attacker perspective. Use when the Ultrasafe orchestrator dispatches Agent 5 of the 8-agent fan-out at iteration N (when the `usf-social-eng` axis is included), or when a publish-equivalent command triggers the PreToolUse hook and the `social-engineer` role is in the active axis set. Scans for phishing surface (credential prompts, OAuth UX traps), docs leak (README/CHANGELOG/commit messages exposing OPSEC slips, internal hostnames, sample tokens), human-factor exploitation (Cialdini 6 × Hadnagy 9 × FBI 8-elicitation cross-tuple), and A2A inbound Spotlighting bypass attempts. Emits findings via `ULTRASAFE_FINDING` Constellation intent (§13.16) — advisory mode in v0.2.x (report-only, no publish blocking). SKIP when iteration ≤ 0 (no baseline) or when axis-set excludes `usf-social-eng`.
ultrasafe-threat-model-lifecycle
Pre-release simulated penetration testing from the threat modeling (STRIDE/PASTA) + incident lifecycle + disclosure timing attacker perspective. Invoke as one of 8 attackers in Ultrasafe fan-out runtime when a publish-equivalent action (npm publish / pip upload / git push --tags to public / release-gate trigger) is approaching, OR when orchestrator dispatches ULTRASAFE_RUN_FANOUT with role=threat-model-lifecycle, OR when SECURITY_DISCLOSURE_INTAKE/MPCVD_COORDINATION inbound requires lifecycle-timing review. Emits ULTRASAFE_FINDING via Constellation §13.16 (advisory mode in v0.2.x — report-only, no publish blocking). Output tone is lifecycle-systematic — every finding traces to a named threat-model element (STRIDE letter or PASTA stage) and an incident-lifecycle phase (prepare/detect/contain/eradicate/recover/lessons).
constellation-a2a-emit
Emit a targeted A2A message to a Constellation board agent through the MCP server. Use when you need to delegate a task, send a report, or relay a message to another agent on the live board. Honors the §13.16.10 pre-send probe (probe before emit), the §13.16.9 A2A-intent allowlist, and the §13.13 ack tier semantics. For one-shot sessions that need ack confirmation, pair with `a2a_wait_ack`.
constellation-board
Read the live Constellation board state — channels, agents, current/done/planned tracks, decisions, A2A history. Use when you need to know what other agents are doing, whether a key is registered, what the current operating modes are, or to inspect message history before composing an outbound. Calls the MCP server's `board_state_get` / `agent_list_get` / `board_history_tail` tools.
constellation-start
Start the Constellation live board — spawns the WebSocket server (constellation/reference/runtime/server.cjs) and the local bridge (local-bridge.cjs) on configured ports. Use when the user wants to bring the live board online for a new project, restart the board after a crash, or verify the board is reachable. NOT a model-invoked skill — invoke via `/constellation-start` user command.
Bio shown is the top-scored skill's repo description as a fallback — real GitHub bios land in a future update.