core-lead/molecule-core
1
0
Fork 0
forked from molecule-ai/molecule-core
Code Pull Requests Activity

chore(org): wire molecule-compliance + molecule-audit + molecule-freeze-scope (closes #322)

Browse Source 
Config-only YAML. CI green on all 6 checks (E2E cancel = run-supersession pattern). Adds missing plugin wiring: Security Auditor→compliance+audit, Backend→compliance, QA→compliance, DevOps→freeze-scope. Closes #322.
This commit is contained in:
Hongming Wang 2026-04-15 21:13:26 -07:00 committed by GitHub
parent bf7614750a
commit 2eec33a279
1 changed files with 21 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
org-templates/molecule-dev/org.yaml
View File

@ -567,7 +567,11 @@ workspaces:
# just at Security Auditor's 12h cron. Catches supply-chain
# deps + secret patterns before they reach PR review.
# #310: molecule-skill-llm-judge — self-gate before PR review.
plugins: [molecule-hitl, molecule-skill-code-review, molecule-security-scan, molecule-skill-llm-judge]
# #322: molecule-compliance — OA-03 excessive-agency cap; Backend
# Engineer is the highest tool-call-volume role (platform PRs,
# migrations, API changes) so a hard cap is a concrete guard
# against runaway loops during large refactors.
plugins: [molecule-hitl, molecule-skill-code-review, molecule-security-scan, molecule-skill-llm-judge, molecule-compliance]
initial_prompt: |
You just started as Backend Engineer. Set up silently — do NOT contact other agents.
1. Clone the repo: git clone https://github.com/${GITHUB_REPO}.git /workspace/repo 2>/dev/null || (cd /workspace/repo && git pull)
@ -599,7 +603,11 @@ workspaces:
# destructive infra ops is the point.
# #280: molecule-skill-code-review — self-review rubric for
# Dockerfiles, CI workflows, infra scripts before PR.
plugins: [molecule-hitl, molecule-skill-code-review]
# #322: molecule-freeze-scope — lock edits to infra/** during
# risky operations (CI migrations, fly secret rotations, image
# rebuilds). Plugin was an orphan for 3 weekly audits; DevOps
# is the natural home.
plugins: [molecule-hitl, molecule-skill-code-review, molecule-freeze-scope]
# #247: notify on build-break — DevOps routes CI failures + infra
# alerts via Telegram so they're not invisible until morning review.
channels:
@ -676,12 +684,18 @@ workspaces:
# builtin_tools/security_scan.py — gosec/bandit/etc
# - molecule-hitl (#266): @requires_approval before filing critical issues
# so false-positives don't spam the tracker
# - molecule-compliance (#322): OWASP Top 10 for Agentic Applications — active
# enforcement on Security Auditor's own tool calls
# - molecule-audit (#322): immutable JSON-Lines audit log (EU AI Act Art 12/13/17)
# — Security Auditor owns the report generation path
plugins:
- molecule-skill-code-review
- molecule-skill-cross-vendor-review
- molecule-skill-llm-judge
- molecule-security-scan
- molecule-hitl
- molecule-compliance
- molecule-audit
# #246: notify on critical findings — Security Auditor pushes HIGH+
# severity alerts via Telegram so they're not invisible until next
# manual memory check.
@ -796,7 +810,11 @@ workspaces:
files_dir: qa-engineer
# QA reviews test coverage + runs llm-judge on whether test
# deliverables actually match acceptance criteria. Issue #133.
plugins: [molecule-skill-code-review, molecule-skill-llm-judge]
# #322: molecule-compliance — OA-01 prompt-injection detection
# (in detect mode, not block) catches adversarial test payloads
# before they slip into production. OA-03 excessive-agency caps
# prevent runaway test loops.
plugins: [molecule-skill-code-review, molecule-skill-llm-judge, molecule-compliance]
initial_prompt: |
You just started as QA Engineer. Set up silently — do NOT contact other agents.
1. Clone the repo: git clone https://github.com/${GITHUB_REPO}.git /workspace/repo 2>/dev/null || (cd /workspace/repo && git pull)