c/claude-archeflow-plugin
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
a6fa708f8be9da7a9bd54cbe1caba1ffbdd8fe6e
claude-archeflow-plugin/examples/security-review.md
Christian Nennemann a6fa708f8b feat: ArcheFlow — multi-agent orchestration plugin for Claude Code 
Zero-dependency Claude Code plugin using Jungian archetypes as
behavioral protocols for multi-agent orchestration.

- 7 archetypes (Explorer, Creator, Maker, Guardian, Skeptic, Trickster, Sage)
- ArcheHelix: rising PDCA quality spiral with feedback loops
- Shadow detection: automatic dysfunction recognition and correction
- 3 built-in workflows (fast, standard, thorough)
- Autonomous mode: unattended overnight sessions with full visibility
- Custom archetypes and workflows via markdown/YAML
- SessionStart hook for automatic bootstrap
- Examples for feature implementation and security review
2026-04-02 16:37:44 +00:00

2.2 KiB
Raw Blame History

Example: Security Review (Thorough ArcheHelix)

Task

"Review the new file upload endpoint for security issues"

Workflow: thorough (3 cycles max, all reviewers)

Cycle 1

Plan Phase:

  1. Explorer maps the upload flow: multipart parsing → temp storage → virus scan → permanent storage → DB record
  2. Creator identifies review focus areas: file type validation, path traversal, size limits, content-type sniffing

Do Phase: 3. Maker writes security test suite covering all identified vectors

Check Phase (all 4 reviewers, parallel): 4. Guardian: REJECTED

  • CRITICAL: No file extension allowlist — user can upload .php, .sh, .exe
  • CRITICAL: Temp directory uses predictable naming (race condition for symlink attack)
  • WARNING: Missing Content-Disposition header on download (XSS via HTML files)
  1. Skeptic: REJECTED
    • CRITICAL: "What if the virus scanner is down?" — no circuit breaker, uploads just pass through
  2. Sage: APPROVED with warnings
    • WARNING: Upload handler is 200 lines — should be split into validation, storage, and recording
  3. Trickster: REJECTED
    • CRITICAL: Uploaded a 0-byte file with .jpg extension → 500 error (null pointer in image processor)
    • CRITICAL: Uploaded file named ../../etc/passwd → path traversal confirmed

Act: 4 CRITICAL findings. Cycle again.

Cycle 2

After Creator revises and Maker fixes all findings...

  1. Guardian: APPROVED — allowlist active, temp dir uses crypto random, Content-Disposition set
  2. Skeptic: APPROVED — circuit breaker added, uploads rejected when scanner is down
  3. Sage: APPROVED — handler refactored into 3 modules
  4. Trickster: REJECTED
    • WARNING: Unicode filename normalization issue — file\u202e.jpg displays as gpj.elif in some UIs

Act: No CRITICAL. One WARNING from Trickster. Cycle once more.

Cycle 3

  1. Maker adds Unicode normalization for filenames
  2. All reviewers: APPROVED

Act: Merge. Upload endpoint is secure.

Result

  • Path traversal fixed
  • File type allowlist added
  • Virus scanner circuit breaker added
  • Zero-byte file handling added
  • Unicode filename normalization added
  • 3 ArcheHelix cycles, thorough workflow
  • 5 CRITICAL findings caught before production
Reference in New Issue View Git Blame Copy Permalink