Zing Forum

End-to-End AI Development Workflow: A Multi-Agent Collaborative Code Review and Security Audit System

This article introduces a complete AI development workflow plugin based on Claude Code, which automates the entire process from ticket management to multi-agent code review, security audit, and automatic PR creation, demonstrating the practical application of long-running AI agents in software development.

Tags: AI development workflow, multi-agent, code review, security audit, Claude Code, automated PR, agent collaboration
Published 2026-05-18 17:18 | Recent activity 2026-05-19 17:23 | Estimated read 9 min

Section 01

Introduction: End-to-End AI Development Workflow—Multi-Agent Collaborative Code Review and Security Audit System

This article introduces the simple-workflow plugin based on Claude Code, which automates the entire process from ticket management to multi-agent code review, security audit, and automatic PR creation, demonstrating the practical application of long-running AI agents in software development. Built on the Harness framework, this system addresses the context loss issue of single-point AI tools and drives the transformation of AI-powered software development paradigms.


Section 02

Evolutionary Background of AI-Driven Software Development

The software development field is undergoing an AI-driven transformation, but most AI tools remain at the "single-point assistance" level. Developers have to switch tools frequently, which loses context and limits the efficiency gain. A true transformation requires systematic workflow reconstruction, enabling AI to coordinate multiple agents, manage the complete process, and maintain context continuity across sessions. The simple-workflow project is a practical realization of this vision.


Section 03

System Architecture and Overview of Core Modules

simple-workflow is a Claude Code plugin based on the Harness framework, which is designed specifically for long-running AI agents and provides strict context management and cross-session learning capabilities. The system includes four core modules:

  • Ticket Management Module: Receives, classifies, and prioritizes development tasks, integrates Jira/GitHub Issues to synchronize status;
  • Multi-Agent Code Review Module: Introduces multiple specialized review agents covering dimensions such as code style and architecture design;
  • Security Audit Module: Identifies code security vulnerabilities and risks, integrates static analysis tools and AI reasoning;
  • Automatic PR Creation Module: Packages the reviewed code into a PR, generates a description document, and assigns reviewers.

Section 04

Multi-Agent Collaboration Mechanism

The multi-agent architecture is the core design concept of the system, which decomposes complex tasks into specialized agents:

  • Coordination Agent: Responsible for task allocation and result aggregation; breaks large tasks down, hands the parts to specialized agents, and integrates their outputs;
  • Specialized Agents: Include code style, architecture, performance, security, and testing agents, each focusing on one review dimension.

Agents communicate via a structured message protocol, and the coordination agent ensures that information flows correctly, avoiding duplication or omission.

Section 05

Context Management and Cross-Session Learning

The Harness framework provides powerful context management capabilities:

  • Strict Context Management: Structurally stores intermediate results, decision history, and external dependencies to ensure agents get the required information and avoid context overflow;
  • Cross-Session Continuity: Supports state persistence, allowing workflows to progress across multiple interactions, and agents learn and improve from past sessions;
  • Knowledge Accumulation Mechanism: Automatically records problem patterns, best practices, and team preferences to form a knowledge base, improving review quality and team adaptability.

Section 06

Deep Integration of Security Audit

The security audit module practices the "shift-left security" concept, identifying and fixing security issues early in development, combining multiple technologies:

  • Static Application Security Testing (SAST): Integrates leading static analysis tools to scan for known vulnerabilities;
  • Dependency Vulnerability Scanning: Checks for vulnerabilities in third-party libraries and recommends upgrades or replacements;
  • AI Semantic Analysis: Identifies complex business logic vulnerabilities (e.g., permission bypass, race conditions);
  • Secret Detection: Scans for sensitive information leaks;
  • Compliance Check: Evaluates code compliance with standards such as the OWASP Top 10 and CWE.

The output includes a list of issues, a risk assessment, repair suggestions, and reference resources.

Section 07

Automated PR Workflow

After passing the review, the system automatically completes the PR creation process:

  • Generate PR Description: Based on code changes and review history, including change motivation, implementation details, and test results;
  • Select Reviewers: Recommend reviewers based on the code domain and team members' areas of expertise;
  • Link Tickets: Establish a connection between the PR and the original ticket, update status;
  • Run CI/CD: Trigger continuous integration to ensure no existing functions are broken;
  • Notify Relevant Personnel: Notify the team of the new PR via the messaging system.

This automation reduces developers' administrative burden, allowing them to focus on creative work.
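As an added illustration of the coordination step in Section 04, the audit output of Section 06 and the "after passing the review" gate of Section 07 (example code, not the simple-workflow plugin's own): a coordinator merges constructed findings from several specialized agents keyed by file, line and rule so one issue is never listed twice, flags agents that never reported, derives the overall risk assessment, and decides whether automatic PR creation may proceed. The agent names, the CWE mapping and the blocking threshold are assumptions.

```python
from collections import namedtuple

# Severity order used both when merging duplicates and for the overall risk rating.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
EXPECTED_AGENTS = ("sast", "deps", "semantic", "secrets")  # assumed agent names
# One agent message: location, CWE id, severity, repair suggestion, reference resource.
Finding = namedtuple("Finding", "file line rule severity fix reference")

# Constructed sample messages keyed by agent, standing in for the structured message
# protocol. SAST and semantic agents report the same SQL sink at app/db.py:42 with
# different severities; the dependency agent found nothing.
CWE89 = "https://cwe.mitre.org/data/definitions/89.html"
AGENT_MESSAGES = {
    "sast": [Finding("app/db.py", 42, "CWE-89", "high", "Use a parameterised query", CWE89)],
    "semantic": [Finding("app/db.py", 42, "CWE-89", "critical",
                         "Untrusted input reaches the query; parameterise it", CWE89)],
    "secrets": [Finding("config.py", 7, "CWE-798", "high", "Move the credential to a secret store",
                        "https://cwe.mitre.org/data/definitions/798.html")],
    "deps": [],
}

def aggregate(messages):
    """Coordinator step: merge findings keyed by (file, line, rule) so an issue seen by
    several agents appears once at its highest severity with every reporter recorded,
    and list agents that never reported so an omission is visible rather than silent."""
    merged = {}
    for agent, findings in messages.items():
        for f in findings:
            cur = merged.get((f.file, f.line, f.rule))
            if cur is None:
                cur = merged[(f.file, f.line, f.rule)] = {
                    "file": f.file, "line": f.line, "rule": f.rule, "severity": f.severity,
                    "fix": f.fix, "reference": f.reference, "reported_by": set()}
            elif SEVERITY_RANK[f.severity] > SEVERITY_RANK[cur["severity"]]:
                cur.update(severity=f.severity, fix=f.fix)  # keep the stronger verdict
            cur["reported_by"].add(agent)
    missing = [a for a in EXPECTED_AGENTS if a not in messages]
    return sorted(merged.values(), key=lambda i: -SEVERITY_RANK[i["severity"]]), missing

def risk_assessment(issues):
    """Overall risk is the highest severity present, or 'none' for a clean result."""
    return max((i["severity"] for i in issues), key=SEVERITY_RANK.get, default="none")

def pr_allowed(issues, missing, block_at="high"):
    """Automatic PR creation proceeds only when every agent reported and no issue
    reaches the blocking severity; anything else goes to a human reviewer first."""
    return not missing and all(SEVERITY_RANK[i["severity"]] < SEVERITY_RANK[block_at]
                               for i in issues)
```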

Section 08

Practical Recommendations and Future Outlook

Practical Recommendations:

  • Gradual Adoption: Start with a single module and expand gradually;
  • Customize Agents: Customize review agents according to the team's tech stack;
  • Human-AI Collaboration: Use AI as a supplement, retain human final decision-making power;
  • Continuous Optimization: Review results, collect team feedback to adjust standards;
  • Security Boundaries: Clarify AI permissions; sensitive operations require manual review.

Future Outlook:

As multi-agent collaboration and context management technologies mature, more intelligent task decomposition, more precise review suggestions, and seamless human-AI collaboration will be achieved, driving fundamental improvements in software development efficiency and quality.