c/claude-archeflow-plugin
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
a6fa708f8be9da7a9bd54cbe1caba1ffbdd8fe6e
claude-archeflow-plugin/examples/security-review.md
Christian Nennemann a6fa708f8b feat: ArcheFlow — multi-agent orchestration plugin for Claude Code 
Zero-dependency Claude Code plugin using Jungian archetypes as
behavioral protocols for multi-agent orchestration.

- 7 archetypes (Explorer, Creator, Maker, Guardian, Skeptic, Trickster, Sage)
- ArcheHelix: rising PDCA quality spiral with feedback loops
- Shadow detection: automatic dysfunction recognition and correction
- 3 built-in workflows (fast, standard, thorough)
- Autonomous mode: unattended overnight sessions with full visibility
- Custom archetypes and workflows via markdown/YAML
- SessionStart hook for automatic bootstrap
- Examples for feature implementation and security review
2026-04-02 16:37:44 +00:00

59 lines
2.2 KiB
Markdown
Raw Blame History

# Example: Security Review (Thorough ArcheHelix)
## Task
"Review the new file upload endpoint for security issues"
## Workflow: thorough (3 cycles max, all reviewers)
### Cycle 1
**Plan Phase:**
1. Explorer maps the upload flow: multipart parsing → temp storage → virus scan → permanent storage → DB record
2. Creator identifies review focus areas: file type validation, path traversal, size limits, content-type sniffing
**Do Phase:**
3. Maker writes security test suite covering all identified vectors
**Check Phase (all 4 reviewers, parallel):**
4. Guardian: REJECTED
- CRITICAL: No file extension allowlist — user can upload .php, .sh, .exe
- CRITICAL: Temp directory uses predictable naming (race condition for symlink attack)
- WARNING: Missing Content-Disposition header on download (XSS via HTML files)
5. Skeptic: REJECTED
- CRITICAL: "What if the virus scanner is down?" — no circuit breaker, uploads just pass through
6. Sage: APPROVED with warnings
- WARNING: Upload handler is 200 lines — should be split into validation, storage, and recording
7. Trickster: REJECTED
- CRITICAL: Uploaded a 0-byte file with `.jpg` extension → 500 error (null pointer in image processor)
- CRITICAL: Uploaded file named `../../etc/passwd` → path traversal confirmed
**Act:** 4 CRITICAL findings. Cycle again.
### Cycle 2
After Creator revises and Maker fixes all findings...
4. Guardian: APPROVED — allowlist active, temp dir uses crypto random, Content-Disposition set
5. Skeptic: APPROVED — circuit breaker added, uploads rejected when scanner is down
6. Sage: APPROVED — handler refactored into 3 modules
7. Trickster: REJECTED
- WARNING: Unicode filename normalization issue — `file\u202e.jpg` displays as `gpj.elif` in some UIs
**Act:** No CRITICAL. One WARNING from Trickster. Cycle once more.
### Cycle 3
8. Maker adds Unicode normalization for filenames
9. All reviewers: APPROVED
**Act:** Merge. Upload endpoint is secure.
## Result
- Path traversal fixed
- File type allowlist added
- Virus scanner circuit breaker added
- Zero-byte file handling added
- Unicode filename normalization added
- 3 ArcheHelix cycles, thorough workflow
- 5 CRITICAL findings caught before production
Reference in New Issue View Git Blame Copy Permalink