Why I Built an Adversarial Co-Generation Engine A developer built GAUNTLEX, an adversarial co-generation engine that tests software specifications before code is written, addressing a security gap in legacy modernization at scale. The tool uses two agents—a Builder and a Breaker—running simultaneously on the same spec, with an Arbiter scoring attacks to produce an Adversarial Resilience Score that can block merges if below a threshold. GAUNTLEX is MIT-licensed and integrates with existing model providers, mapping findings to compliance controls like NIST SSDF and OWASP SAMM. I spent a chunk of last year around legacy modernization work — the kind of project where a bank or an insurer is taking twenty years of accumulated code and rebuilding it as modern services, one system at a time. Every one of those systems starts the same way: a PRD or a requirements document says what the business needs, that gets translated into a spec precise enough for an AI to implement, and eventually someone tests what came out. What struck me, watching this happen at scale, wasn't that the code was bad. It was that nobody was testing the thing that actually determined whether the code would be bad: the spec itself — the technical description handed to the model, not the PRD that motivated it. Every security tool I looked at — SAST scanners, DAST tools, even the AI coding assistants themselves — waited until an implementation existed before doing anything adversarial. Attack the code, once it's there. That's the whole industry's model, and it's worked fine for forty years because the volume was always survivable. A team ships a handful of PRs a week, a human reviews them, and eventually a pentest catches whatever slipped through. That math falls apart at modernization scale. When you're regenerating a few million lines of code, you're also generating a few thousand specs, faster than any review process was ever built to absorb. Testing after the fact doesn't just get slower under that load — it quietly stops happening, spec by spec, until the aggregate exposure is enormous and nobody can point to when it happened. So I built GAUNTLEX to test the thing that happens before the code does: the spec. This is also where I want to be precise about a word that gets overloaded. "Spec-driven development" — the broader industry shift toward writing structured, agent-facing specs instead of prompting an AI free-form — is exactly the world GAUNTLEX lives in. But a spec what to build, precise enough for a model to implement and a PRD or requirements doc why it's needed aren't the same artifact, even though people often use "spec" loosely to mean both. GAUNTLEX treats them as two separate inputs on purpose: build intent from the spec itself, business intent pulled in separately from wherever your team actually tracks the why — Jira, Confluence, Aha — via what the product calls the Intent Adapter. The attack surface gets reasoned from both, not just one. Two agents run on the same specification, at the same time. A Builder implements it. A Breaker attacks it, reading only the spec, with no visibility into what the Builder wrote. Neither one waits on the other. By the time the Builder has working code, the Breaker already has a full adversarial test suite derived from the same intent. A third agent, the Arbiter, scores every attack against whatever the Builder actually produced — mitigated, partially mitigated, or missed entirely — and that produces a single number, the Adversarial Resilience Score. Fall below the threshold your team sets 0.80 by default and the merge is blocked automatically, the same way a failing test suite blocks one today. It isn't a new discipline. It's the same discipline, pointed at a gap nobody was covering. gauntlex run --issue SPEC.md --intent PROJ-123 --mode standard Every finding is tied to a real CWE, but more importantly, to the compliance controls an auditor is actually going to ask about — NIST SSDF, OWASP SAMM, SOC 2, ISO 27001. A CWE number is useful to an engineer. It isn't what satisfies a compliance review, and I wanted the report to be useful to both people in that conversation, not just one. Five regulated-industry playbooks — HIPAA, FINRA, PCI DSS, SOC 2, OWASP Top 10 — ship today, each mapped to the actual regulation it's checking against, not a generic scan wearing an industry label. gauntlex setup gauntlex run --issue examples/demo issue.md --mode quick --pretty It's free, MIT licensed, and works with whichever model provider you already use, including fully local through Ollama if you can't send code to an external API at all. I'd genuinely like to hear what it catches in your own repos That's what the GitHub Discussions https://github.com/sanjoy1234/gauntlex/discussions are for.