Ralph Ultra — 1,000 Iterations (~4-8 hours)

Deep-dive security audit with thorough coverage across all attack vectors.

References

• Severity and triage guidance
• Expert persona descriptions

Instructions

Execution Engine

YOU MUST follow this loop for EVERY iteration:

1. STATE: Read current iteration (start: 1)
2. PHASE: Determine phase from iteration number
3. MIND: Activate appropriate expert persona for phase
4. ACTION: Perform ONE check from current phase
5. VERIFY: Before FAIL — read actual code, check libraries, check DB constraints, check environment. If inconclusive: NEEDS_REVIEW.
6. REPORT: Output iteration result
7. SAVE: Every 50 iterations, update .ralph-report.md
8. INCREMENT: iteration + 1
9. CONTINUE: IF iteration <= 1000 GOTO Step 1
10. FINAL: Generate comprehensive report

Critical rules:

• ONE check per iteration — deep, not wide
• ALWAYS show [ULTRA-X/1000]
• NEVER skip iterations
• CRITICAL findings: immediately flag
• Apply Red Team mindset to EVERY check

Per-Iteration Output

╔══════════════════════════════════════════════════════════════════╗
║ [ULTRA-{N}/1000] Phase {P}: {phase_name}                        ║
║ Mind: {active_expert_persona}                                    ║
╠══════════════════════════════════════════════════════════════════╣
║ Check: {specific_check}                                          ║
║ Target: {file:line / endpoint / system}                          ║
╠══════════════════════════════════════════════════════════════════╣
║ Result: {PASS|FAIL|WARN|N/A}                                     ║
║ Confidence: {VERIFIED|LIKELY|PATTERN_MATCH|NEEDS_REVIEW}         ║
║ Severity: {CRITICAL|HIGH|MEDIUM|LOW|INFO}                        ║
║ CVSS: {score}                                                    ║
╠══════════════════════════════════════════════════════════════════╣
║ Finding: {detailed description}                                  ║
║ Exploit: {proof of concept or "N/A"}                             ║
║ Fix: {specific remediation}                                      ║
╠══════════════════════════════════════════════════════════════════╣
║ Progress: [████████████░░░░░░░░] {N/10}%                         ║
║ Phase: {current}/{8} | ETA: ~{time} remaining                    ║
╚══════════════════════════════════════════════════════════════════╝

Expert Personas

Full persona descriptions in references/personas.md.

Phase Structure (1,000 Iterations)

Phase 1: Reconnaissance (1-100)

• 1-20: Platform sync — auto-detect stack, git sync, hash verification, environment drift
• 21-50: Attack surface — endpoint enumeration, auth mapping, rate limits, exposed ports, WebSocket/SSE
• 51-75: Hidden systems — undeclared services, cron jobs, orphan configs, Docker networks
• 76-100: Environment & docs — variable audit, .env drift, documentation accuracy, scoring

Phase 2: OWASP Top 10 (101-250)

Phase 3: Authentication & Secrets (251-400)

Pre-check: Determine library vs custom crypto before flagging.

• 251-300: Secret detection (API keys, passwords, git history)
• 301-340: JWT security (algorithm, claims, storage, revocation)
• 341-365: OAuth 2.0 (PKCE, redirect URI, state, token exchange)
• 366-385: Admin authentication (brute force, timing, lockout)
• 386-400: Rate limiting (coverage, bypass)

Phase 4: Infrastructure (401-550)

• 401-450: Container security (non-root, readonly, capabilities, limits)
• 451-490: Network security (ports, firewall, isolation, egress)
• 491-515: TLS/SSL (cert validity, ciphers, HSTS)
• 516-535: SSH security (key auth, config hardening)
• 536-550: Database security (SSL, permissions, backups)

Phase 5: Code Quality (551-700)

Pre-check: Check database constraints before flagging race conditions.

• 551-590: Race conditions (TOCTOU, concurrent access, locks)
• 591-630: Business logic (workflow bypass, state manipulation)
• 631-660: Error handling (safe messages, fail-safe defaults)
• 661-690: Resource management (connections, memory, DoS)
• 691-700: Complexity attacks (ReDoS, JSON bombs)

Phase 6: Supply Chain (701-850)

• 701-750: Dependency audit (CVEs, outdated, typosquatting)
• 751-790: Third-party API security (keys, webhooks, rate limits)
• 791-820: Container supply chain (base images, signatures)
• 821-850: CI/CD security (secrets, permissions, pinned actions)

Phase 7: Compliance (851-950)

• 851-885: Privacy compliance (GDPR, data retention, consent)
• 886-915: Security documentation (incident response, policies)
• 916-935: Operational security (access control, change mgmt)
• 936-950: Audit trail (logging completeness, retention)

Phase 8: Final Verification (951-1000)

• 951-970: Critical findings re-verification
• 971-985: Penetration test simulation
• 986-995: Security scorecard generation
• 996-1000: Final report and summary

Auto-Detect (Iteration 1)

1. git rev-parse --show-toplevel, git remote -v
2. Stack: package.json, pyproject.toml, requirements.txt, go.mod, Cargo.toml
3. Infra: Dockerfile, docker-compose.yml, k8s manifests, terraform
4. CI/CD: .github/workflows, .gitlab-ci.yml, .circleci

Report File

On start: rename existing report. Auto-save every 50 iterations.

Parameters

Context Limit Protocol

Checkpoint to .ralph-report.md, output resume command, wait for new session.

When to Use

• Before major release
• Compliance audit preparation
• Security incident investigation
• Deep dive after /ralph-security flags issues