Multi-agent security review running daily in production: architecture and findings

Architecture details

The security agent runs on a daily cron via launchd. It receives a diff of recent commits plus full codebase access. It checks against a structured vulnerability checklist that includes:

• IDOR
• Auth bypasses
• Injection vectors
• Secrets exposure
• Overly permissive routes

The agent files findings as P0/P1/P2 tasks in the work queue. A separate coding agent picks them up, fixes them, commits the changes, and deploys.

Coordination challenges and solutions

After 3 weeks running in production, the most interesting coordination challenge was conflict between the security agent and coding agent. Security flags something, coding fixes it, but then introduces a pattern in the next commit that security hasn't reviewed yet.

The solution implemented: daily-only runs (not per-commit) plus a "reviewed_through" marker so findings have commit context.

Performance observations

Claude was noted as unusually good at distinguishing "this looks vulnerable" from "this is definitely exploitable in this context." The false positive rate stayed manageable.

The system is part of a larger multi-agent setup at ultrathink.art that includes design, coding, marketing, ops, social, and the dedicated security agent.