feat: ArcheFlow — multi-agent orchestration plugin for Claude Code
Zero-dependency Claude Code plugin using Jungian archetypes as behavioral protocols for multi-agent orchestration. - 7 archetypes (Explorer, Creator, Maker, Guardian, Skeptic, Trickster, Sage) - ArcheHelix: rising PDCA quality spiral with feedback loops - Shadow detection: automatic dysfunction recognition and correction - 3 built-in workflows (fast, standard, thorough) - Autonomous mode: unattended overnight sessions with full visibility - Custom archetypes and workflows via markdown/YAML - SessionStart hook for automatic bootstrap - Examples for feature implementation and security review
This commit is contained in:
58
examples/security-review.md
Normal file
58
examples/security-review.md
Normal file
@@ -0,0 +1,58 @@
|
||||
# Example: Security Review (Thorough ArcheHelix)
|
||||
|
||||
## Task
|
||||
"Review the new file upload endpoint for security issues"
|
||||
|
||||
## Workflow: thorough (3 cycles max, all reviewers)
|
||||
|
||||
### Cycle 1
|
||||
|
||||
**Plan Phase:**
|
||||
1. Explorer maps the upload flow: multipart parsing → temp storage → virus scan → permanent storage → DB record
|
||||
2. Creator identifies review focus areas: file type validation, path traversal, size limits, content-type sniffing
|
||||
|
||||
**Do Phase:**
|
||||
3. Maker writes security test suite covering all identified vectors
|
||||
|
||||
**Check Phase (all 4 reviewers, parallel):**
|
||||
4. Guardian: REJECTED
|
||||
- CRITICAL: No file extension allowlist — user can upload .php, .sh, .exe
|
||||
- CRITICAL: Temp directory uses predictable naming (race condition for symlink attack)
|
||||
- WARNING: Missing Content-Disposition header on download (XSS via HTML files)
|
||||
5. Skeptic: REJECTED
|
||||
- CRITICAL: "What if the virus scanner is down?" — no circuit breaker, uploads just pass through
|
||||
6. Sage: APPROVED with warnings
|
||||
- WARNING: Upload handler is 200 lines — should be split into validation, storage, and recording
|
||||
7. Trickster: REJECTED
|
||||
- CRITICAL: Uploaded a 0-byte file with `.jpg` extension → 500 error (null pointer in image processor)
|
||||
- CRITICAL: Uploaded file named `../../etc/passwd` → path traversal confirmed
|
||||
|
||||
**Act:** 4 CRITICAL findings. Cycle again.
|
||||
|
||||
### Cycle 2
|
||||
|
||||
After Creator revises and Maker fixes all findings...
|
||||
|
||||
4. Guardian: APPROVED — allowlist active, temp dir uses crypto random, Content-Disposition set
|
||||
5. Skeptic: APPROVED — circuit breaker added, uploads rejected when scanner is down
|
||||
6. Sage: APPROVED — handler refactored into 3 modules
|
||||
7. Trickster: REJECTED
|
||||
- WARNING: Unicode filename normalization issue — `file\u202e.jpg` displays as `gpj.elif` in some UIs
|
||||
|
||||
**Act:** No CRITICAL. One WARNING from Trickster. Cycle once more.
|
||||
|
||||
### Cycle 3
|
||||
|
||||
8. Maker adds Unicode normalization for filenames
|
||||
9. All reviewers: APPROVED
|
||||
|
||||
**Act:** Merge. Upload endpoint is secure.
|
||||
|
||||
## Result
|
||||
- Path traversal fixed
|
||||
- File type allowlist added
|
||||
- Virus scanner circuit breaker added
|
||||
- Zero-byte file handling added
|
||||
- Unicode filename normalization added
|
||||
- 3 ArcheHelix cycles, thorough workflow
|
||||
- 5 CRITICAL findings caught before production
|
||||
Reference in New Issue
Block a user