Codex Layer Annotation
AI governance you can trust. Every decision cryptographically verified, every agent monitored, every action auditable.
Privacy and ethics are not features -- they are the foundation. Every capability is designed with human oversight at its core.
Zero-trust, PQC-secured, AI-governed operations pipeline. Synchronizes Figma design agents, DelusionGuard meltdown scoring, Agentic RAG retrieval, Golden Signals monitoring, K8s PQC-sealed secrets, and burn-rate SLO alerting into one cohesive TypeScript 6.0 system.
KEDA ScaledObject v2 Deployed: 0-to-20 replicas with fallback
pnpm ignoredBuiltDependencies: Sharp/esbuild/turbo excluded
Vitest E2E Harnesses: 90% coverage KEDA + DelusionGuard
8 Active Agents Deployed: Figma + IaC + RAG + Governance
TypeScript 6.0 beta: Strict mode + noUncheckedIndexedAccess
Zero mocks: Real OpenAI, ChromaDB, OTel
Immutable types: Readonly modifiers prevent mutations
ES2025 features: RegExp.escape, Promise.try, Temporal
Golden Signals converted: Python -> TypeScript
OTel distributed tracing: GCP + OTLP adapters
ML-DSA-65 PQC: Signature verification in CI
Binary Authorization: GKE admission control
Vitest hermetic tests: 90% coverage gate
TS7 Go readiness: stableTypeOrdering alignment
Terraform IaC Agent: Multi-cloud drift 0.4/day
247 IaC Resources: Cryptographically verified
Drift Detection Automated: 30-minute scan interval
State Locking PQC-Sealed: GCS backend ML-KEM
Production-grade controls mapped to the NewBegin AI NEOops architecture (TypeScript 6.0)
Reads the selected Figma node, builds a full CodexLayer JSON payload with schema v2.0, and persists it via setPluginData. Tracks node geometry, export settings, component IDs, and visibility state.
Computes a real-time meltdown_score analyzing action disempowerment patterns, reality distortion signals, and conversation turn counts. Scores above 0.15 auto-block writes and route to human review.
Scans all text children for PII (email, phone, SSN patterns), leaked API keys, hardcoded secrets, and XSS vectors before persisting annotations. Blocks or redacts detected violations.
Creates color-coded FRAME+TEXT badges positioned above annotated nodes. Supports Pending, Reviewed, Approved, Flagged, and Meltdown states with severity labels (INFO through CRIT).
Every annotation records whether it originated from a human, AI agent, or hybrid source. Tracks agent ID, conversation turns, task type, and links to the DevGPT A10 observability layer.
Exports all annotated layers as structured JSON with summary statistics. Supports POST to arbitrary endpoints for integration with NewBegin AI webhook listeners with HMAC-SHA256 verification.
3-phase operational pipeline: Edge Ingress (Clerk + PQC mTLS), Core Execution (DelusionGuard + parallel governance), and Cryptographic HITL (ML-DSA signed). SRE burn-rate analytics and error budget contracts.
All Kubernetes secrets encrypted at rest using ML-KEM (Kyber) post-quantum key encapsulation. Zero plaintext secrets policy enforced via admission controller with 100% seal ratio monitoring.
NEOops-synchronized: Figma API capabilities mapped to zero-trust agent controls. All 7 agents Active.
| Agent | Figma Endpoint | Zero-Trust Control | OTel Span | Status |
|---|---|---|---|---|
| DesignRetrievalAgent | GET /v1/files/:key | Read-only PAT, team-scoped | figma.api.files.get | active |
| DesignFeedbackAgent | POST /v1/files/:key/comments | HITL approval + ML-DSA signed | figma.api.comments.post | active |
| DesignEventListener | Webhooks (FILE_UPDATE) | HMAC-SHA256 verification | figma.webhook.received | active |
| DesignTokenAgent | Variables API | Drift detection every 30m | figma.tokens.sync | active |
| DelusionGuardAgent | Internal pipeline | meltdown_score < 0.15 gate | gen_ai.meltdown.* | active |
| DesignObservabilityAgent | Usage/analytics | Read-only, Grafana feed | figma.analytics.* | active |
| NEOopsOrchestrator | Internal pipeline | PQC mTLS + K8s sealed secrets | neoops.orchestrate.* | active |
3-phase pipeline: Edge Ingress, Core Execution, Cryptographic HITL
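The HMAC-SHA256 verification named for the export webhook listeners and for DesignEventListener, sketched as an added example (not the plugin's or NewBegin AI's own code). The `sha256=<hex>` header format, the function names and the sample secret and body are assumptions made for illustration.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

const PREFIX = "sha256="; // hypothetical header format: "sha256=<hex digest>"

// Sender (plugin export): sign the exact string that goes on the wire.
function signBody(rawBody: string, secret: string): string {
  return PREFIX + createHmac("sha256", secret).update(rawBody, "utf8").digest("hex");
}

// Listener: verify over the raw body as received, before JSON.parse.
function verifyBody(rawBody: string, header: string | undefined, secret: string): boolean {
  if (header === undefined || !header.startsWith(PREFIX)) return false;
  const hex = header.slice(PREFIX.length);
  // Strict format check: Buffer.from(..., "hex") silently drops trailing garbage.
  if (!/^[0-9a-f]{64}$/.test(hex)) return false;
  const given = Buffer.from(hex, "hex");
  const expected = createHmac("sha256", secret).update(rawBody, "utf8").digest();
  // Both buffers are 32 bytes here, which timingSafeEqual requires.
  return timingSafeEqual(given, expected);
}

// Constructed sample values, not real credentials or real traffic.
const SECRET = "constructed-demo-secret";
const RAW_BODY = '{"nodeId": "42:108", "status": "approved"}';
const HEADER = signBody(RAW_BODY, SECRET);

// Re-serializing changes the bytes (whitespace here), so the tag no longer matches.
const RESERIALIZED = JSON.stringify(JSON.parse(RAW_BODY));
```

A listener that parses the JSON first and verifies a re-serialized copy will reject valid requests, as `RESERIALIZED` shows; keep the raw request body for the check.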
Drop these into your Figma plugin folder, compile main.ts, and run
```json
{
  "name": "NewBegin AI Codex Annotator",
  "id": "newbegin-ai-codex-annotator-001",
  "api": "1.0.0",
  "main": "main.js",
  "ui": "ui.html",
  "editorType": ["figma"],
  "networkAccess": {
    "allowedDomains": ["*"],
    "reasoning": "POST codex-layer JSON to NewBegin AI webhook endpoints, AIOps telemetry"
  },
  "capabilities": [],
  "permissions": [],
  "documentAccess": "dynamic-page",
  "relaunchButtons": [
    {
      "command": "annotate",
      "name": "NewBegin Annotate",
      "multipleSelection": false
    }
  ]
}
```

Toggle status to see how the NewBegin AI CodexLayer v2.0 JSON output changes. Includes agent context, OWASP flags, NEOops phase telemetry, K8s PQC-sealed status, and meltdown scoring.
```json
{
  "schemaVersion": "2.0.0",
  "nodeId": "42:108",
  "nodeName": "Hero/CTA Button",
  "nodeType": "INSTANCE",
  "status": "approved",
  "severity": "info",
  "annotations": [
    {
      "text": "Needs contrast check on dark theme",
      "author": "human",
      "createdAt": "2026-02-19T10:00:00.000Z",
      "agentGenerated": false
    },
    {
      "text": "Accessibility audit passed",
      "author": "newbegin-agent",
      "createdAt": "2026-02-19T10:15:00.000Z",
      "agentGenerated": true
    }
  ],
  "metadata": {
    "width": 240,
    "height": 48,
    "x": 320,
    "y": 580,
    "exportSettings": [
      "PNG",
      "SVG"
    ],
    "componentId": "12:34",
    "childCount": 3,
    "visible": true,
    "locked": false,
    "blendMode": "PASS_THROUGH"
  },
  "agentContext": {
    "source": "hybrid",
    "agentId": "newbegin-design-agent-v1",
    "conversationTurns": 4,
    "taskType": "review",
    "meltdownScore": 0.02,
    "delusionGuardPassed": true,
    "hitlRequired": false
  },
  "owasp": {
    "piiDetected": false,
    "secretsDetected": false,
    "injectionRisk": false,
    "xssVectors": []
  },
  "neoops": {
    "phase": 2,
    "pqcMtlsVerified": true,
    "k8sSecretsPqcSealed": true,
    "burnRateStatus": "nominal",
    "circuitBreakerState": "closed"
  },
  "timestamp": "2026-02-19T14:30:00.000Z",
  "signature": null
}
```

Canonical request path through the NEOops zero-trust control plane (TypeScript 6.0 / es2025)
```text
PHASE 1: EDGE INGRESS & AUTHENTICATION
  User --> Clerk Identity Edge (zero-trust verify)
       --> PQC mTLS Termination (Envoy + ML-KEM / Kyber)
       --> Lua Rate-Limiter (Redis token bucket, anti-DoW)
       --> K8s Secrets (PQC-sealed) [ACTIVE]

PHASE 2: CORE EXECUTION & GOVERNANCE GATES
  Payload --> Orchestrator (Vercel/GCP API Gateway)
          --> DelusionGuardAgent (meltdown_score)
          --> Parallel: Hallucination | Sycophancy | Quantum Anomaly
  FAST PATH: meltdown_score <= 0.15 AND no OWASP flags --> FULFILL
  TIER 3:    meltdown_score > 0.15 --> Circuit Breaker trips
             --> Shadow LLM (Self-Check GPT) --> GuardrailAgent

PHASE 3: CRYPTOGRAPHIC HUMAN-IN-THE-LOOP
  Vercel --> 202 PENDING_HUMAN_REVIEW (async webhook, prevents 504)
  SHA-256 --> signDecision(traceId + status + timestamp + payloadHash)
  Operator --> ML-DSA (Dilithium) digital signature
           --> Immutable, non-repudiable audit trail (SHA-256 verified)

OBSERVABILITY
  OTel spans (gen_ai.meltdown.*, figma.analytics.*) --> Prometheus
    --> SLI Recording Rules (5m, 1h, 30m, 6h)
    --> Burn-Rate Alerts: 14.4x PAGE | 3x TICKET
    --> Alertmanager --> PagerDuty / ServiceNow
```
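The Phase 2 fast-path rule combined with the pre-persist OWASP text scan described earlier, as an added example (not the plugin's own code). The regex patterns, function names, sample strings and the treatment of an XSS hit as `injectionRisk` are assumptions; the flag names, the 0.15 limit and the two outcomes come from the page.

```typescript
// Mirrors the "owasp" block of the CodexLayer v2.0 payload shown on this page.
interface OwaspFlags {
  piiDetected: boolean;
  secretsDetected: boolean;
  injectionRisk: boolean;
  xssVectors: string[];
}
type Route = "FULFILL" | "PENDING_HUMAN_REVIEW";

// Illustrative patterns only (assumptions, not the plugin's actual rule set).
const PII: RegExp[] = [
  /[\w.+-]+@[\w-]+(?:\.[\w-]+)+/,  // email address
  /\b\d{3}-\d{2}-\d{4}\b/,         // US SSN
  /\b\d{3}[ .-]\d{3}[ .-]\d{4}\b/, // US phone number
];
const SECRETS: RegExp[] = [
  /\b(?:api[_-]?key|secret|token)\s*[:=]\s*["']?[\w-]{16,}/i, // hardcoded key = value
];
const XSS: RegExp[] = [/<script\b/i, /\bon\w+\s*=/i, /javascript:/i];
const MELTDOWN_LIMIT = 0.15; // fast-path limit from the pipeline description

// Constructed sample text children (not taken from a real file).
const SAMPLE_CLEAN = ["Get started", "Hero/CTA Button"];
const SAMPLE_DIRTY = ["Contact jane.doe@example.com",
  "api_key = constructed_0000000000000000", "<img src=x onerror=alert(1)>"];

// Scan every text child of a node before the annotation is persisted.
function scanTexts(texts: readonly string[]): OwaspFlags {
  const matches = (rules: RegExp[]): boolean =>
    texts.some((t) => rules.some((re) => re.test(t)));
  const xssVectors: string[] = [];
  for (const t of texts) {
    for (const re of XSS) {
      const m = re.exec(t);
      if (m !== null) xssVectors.push(m[0]); // record the matched fragment
    }
  }
  // Assumption: any XSS hit is also reported as injection risk.
  return { piiDetected: matches(PII), secretsDetected: matches(SECRETS),
    injectionRisk: xssVectors.length > 0, xssVectors };
}

// FULFILL only when the score is within the limit AND no flag is raised.
function route(meltdownScore: number, f: OwaspFlags): Route {
  const clean = !f.piiDetected && !f.secretsDetected && !f.injectionRisk;
  // Fails closed: NaN or a negative score makes this comparison false.
  const scoreOk = meltdownScore >= 0 && meltdownScore <= MELTDOWN_LIMIT;
  return clean && scoreOk ? "FULFILL" : "PENDING_HUMAN_REVIEW";
}
```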
SLO/SLI definitions synchronized with burn-rate analytics and PQC controls
```promql
histogram_quantile(0.95, rate(envoy_pqc_mtls_duration_seconds_bucket[5m]))
histogram_quantile(0.99, rate(gen_ai_meltdown_score[5m]))
job:gen_ai_evaluations:error_rate1h > (14.4 * 0.001)
job:gen_ai_evaluations:error_rate6h > (3 * 0.001)
1 - (sum(rate(gen_ai_evaluations_total{outcome='meltdown_rejected'}[30d])) / sum(rate(gen_ai_evaluations_total[30d])))
sum(rate(hitl_mldsa_sign_total{result='approved'}[5m])) / sum(rate(hitl_mldsa_sign_total[5m]))
k8s_secrets_pqc_sealed_ratio{namespace='newbegin-ai'}
rate(figma_webhook_hmac_pass_total[5m]) / rate(figma_webhook_total[5m])
```

Execute an agent request through the NewBegin AI NEOops control plane
5-phase Clerk + OTel + DelusionGuard pipeline adapted for Vercel serverless. NEOops-synchronized: PQC mTLS, K8s PQC-sealed secrets, burn-rate SLO-gated.
NEOops Grafana feed | figma.analytics.* | neoops.orchestrate.* | Auto-refresh 15s