boocode/apps/coder/src/conductor/flows/security-review.ts
indifferentketchup 1937af8df9 feat: in-app Orchestrator (Phase 2) — multi-agent conductor
Brings the deterministic Han-flow conductor into BooCode: launch any read-only
flow from BooChat or BooCoder, watch each agent stream live in a Paseo-style
run pane, get an evidence-disciplined report — on local Qwen, persisted and
resumable. Read-only enforced hard via qwen --approval-mode plan (orchestrator
tasks fail closed if qwen is unavailable; never fall to write-capable native).

Backend (apps/coder): re-homed conductor defs, flow_runs/flow_steps schema,
flow-runner + dispatcher onTaskTerminal hook, restart-resume, runs routes
(launch/list/get/cancel), user-channel WS. Contracts: two flow_run_* frames.
Web: orchestrator pane kind + OrchestratorPane, Workflow button + slash flows
(BooChat/BooCoder parity), FlowLauncherDialog, "New Orchestrator" in the + and
split menus, runs history + export. Plan: openspec/changes/orchestrator.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-03 15:22:48 +00:00

28 lines
1.4 KiB
TypeScript

import type { Spine, StepContext } from '../types.js';

// The caller's question, stringified and interpolated verbatim as the TARGET of each agent prompt.
const q = (ctx: StepContext) => String(ctx.input.question);
// Optional repo hint appended to the prompt; empty string when no repoPath was supplied.
const repoLine = (ctx: StepContext) => (ctx.input.repoPath ? ` Repo: ${String(ctx.input.repoPath)}.` : '');

/** Han security spine — adversarial security analysis with a proof standard. */
export const securityReview: Spine = {
  name: 'security-review',
  description: 'adversarial security analysis (exploit-path proof standard)',
  angles: [
    {
      id: 'security',
      agent: 'adversarial-security-analyst',
      label: 'Security analysis (adversarial-security-analyst)',
      // Evidence standard: findings without file:line and an exploit path or CVE are to be omitted.
      task: (ctx) =>
        `Find REAL, exploitable vulnerabilities in the target below — each finding needs file:line + a demonstrated exploit path ("attacker can do X because Y leads to Z") or a CVE reference. No theoretical risks; if the evidence standard can't be met, report nothing for that item.${repoLine(ctx)}\n\nTARGET: ${q(ctx)}`,
    },
    {
      id: 'oncall',
      agent: 'on-call-engineer',
      label: 'Resilience / 3am risks (on-call-engineer)',
      minBand: 'medium',
      task: (ctx) =>
        `Audit the target below for code-level resilience failures that wake someone at 3am — missing timeouts, retries without backoff, catch-and-swallow, unbounded results, blocking I/O in async paths. Cite file:line, name the failure mode.${repoLine(ctx)}\n\nTARGET: ${q(ctx)}`,
    },
  ],
};
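
The proof standard in the `security` angle's prompt (file:line plus an exploit path or a CVE reference, otherwise report nothing) can also be checked on the agent's output instead of being left to the prompt alone. The following is an added example, not BooCode's code: it assumes each finding arrives as one string, `checkFinding`, `filterReport` and the regexes are hypothetical, and the sample findings and CVE id are constructed placeholders.

```typescript
// Added example, not BooCode code: enforce the prompt's evidence standard on
// agent output. Assumes one finding per string; all names here are hypothetical.
type Verdict = { text: string; accepted: boolean; missing: string[] };

// path/to/file.ext:123
const FILE_LINE = /(?:^|[\s(`])[\w.\/-]+\.[A-Za-z]\w*:\d+\b/;
const CVE_ID = /\bCVE-\d{4}-\d{4,}\b/;
// "attacker can X because Y leads to Z": all three links, in that order.
const EXPLOIT_PATH = /\battacker can\b[\s\S]+?\bbecause\b[\s\S]+?\bleads? to\b/i;

function checkFinding(text: string): Verdict {
  const missing: string[] = [];
  if (!FILE_LINE.test(text)) missing.push('file:line');
  // This example reads the standard as: file:line AND (exploit path OR CVE).
  if (!EXPLOIT_PATH.test(text) && !CVE_ID.test(text)) missing.push('exploit path or CVE');
  return { text, accepted: missing.length === 0, missing };
}

function filterReport(findings: string[]): { kept: Verdict[]; dropped: Verdict[] } {
  const verdicts = findings.map(checkFinding);
  return {
    kept: verdicts.filter((v) => v.accepted),
    dropped: verdicts.filter((v) => !v.accepted),
  };
}

// Constructed sample findings; CVE-0000-0000 is a placeholder id.
const SAMPLE_FINDINGS: string[] = [
  'apps/api/src/login.ts:88 - attacker can log in as any user because the token signature is never checked, which leads to account takeover.',
  'The session handling could theoretically be weak.',
  'package.json:14 pins a dependency affected by CVE-0000-0000.',
  'attacker can read secrets because logging is verbose, which leads to leakage.',
];

const report = filterReport(SAMPLE_FINDINGS);
for (const d of report.dropped) {
  console.log(`dropped (missing ${d.missing.join(', ')}): ${d.text}`);
}
```

The regexes only confirm that the required evidence is present in the text; whether the cited line actually supports the claimed exploit path still needs a reviewer.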