Merge pull request #70 from Molecule-AI/chore/template-plugin-enrichment

chore(template): wire 9 new guardrail/skill plugins into defaults; PM + Security Auditor get role extras
2026-04-14 13:18:46 -07:00 · 2026-04-14 13:18:46 -07:00 · ea2a872018
commit ea2a872018
parent 4ef0250e75 f3b0b9e572
1 changed files with 39 additions and 9 deletions
--- a/org-templates/molecule-dev/org.yaml
+++ b/org-templates/molecule-dev/org.yaml
@ -11,15 +11,34 @@ defaults:
  # specifies its own `plugins:` list (which REPLACES defaults — not a union;
  # see platform/internal/handlers/org.go ~L345). So any workspace that
  # needs extras must re-list the defaults plus its additions.
+  # Platform union-semantics tracked in #68; until that lands, we list fully.
  #
-  # - ecc:           "Everything Claude Code" guardrails + coding skills
-  #                  (api-design, coding-standards, deep-research, security-review, tdd-workflow)
-  # - molecule-dev:  Molecule AI codebase conventions, past bugs, review-loop
-  # - superpowers:   systematic-debugging, TDD, planning, verification-before-completion
+  # Coding / guardrail essentials:
+  # - ecc:                            "Everything Claude Code" guardrails + coding skills
+  # - molecule-dev:                   Molecule AI codebase conventions, past bugs, review-loop
+  # - superpowers:                    systematic-debugging, TDD, planning, verification-before-completion
+  #
+  # Safety hooks (PreToolUse/PostToolUse/UserPromptSubmit) — universal:
+  # - molecule-careful-bash:          refuse destructive shell (rm -rf, push --force main, DROP TABLE)
+  # - molecule-prompt-watchdog:       inject warnings on destructive user prompts
+  # - molecule-audit-trail:           append every Edit/Write to .claude/audit.jsonl
+  #
+  # Operational memory — keeps agents consistent across sessions/cron ticks:
+  # - molecule-session-context:       auto-load cron learnings + PR/issue counts on SessionStart
+  # - molecule-skill-cron-learnings:  per-tick learning JSONL format (pairs with session-context)
+  #
+  # Docs hygiene:
+  # - molecule-skill-update-docs:     keep architecture / README / edit-history aligned with code
  plugins:
    - ecc
    - molecule-dev
    - superpowers
+    - molecule-careful-bash
+    - molecule-prompt-watchdog
+    - molecule-audit-trail
+    - molecule-session-context
+    - molecule-skill-cron-learnings
+    - molecule-skill-update-docs
  # workspace_dir: not set by default — each agent gets an isolated Docker volume
  # Set per-workspace to bind-mount a host directory as /workspace

@ -54,6 +73,10 @@ workspaces:
    files_dir: pm
    workspace_dir: ${WORKSPACE_DIR}
    canvas: { x: 400, y: 50 }
+    # PM needs workflow-triage (/triage command for PR triage) and workflow-retro
+    # (/retro for weekly retrospectives) on top of defaults. Re-list full set
+    # (REPLACE semantics today — see #68 for the union-proposal).
+    plugins: [ecc, molecule-dev, superpowers, molecule-careful-bash, molecule-prompt-watchdog, molecule-audit-trail, molecule-session-context, molecule-skill-cron-learnings, molecule-skill-update-docs, molecule-workflow-triage, molecule-workflow-retro]
    # Auto-link Telegram so the user can talk to PM directly from Telegram.
    # Bot token + chat ID come from pm/.env (TELEGRAM_BOT_TOKEN, TELEGRAM_CHAT_ID).
    channels:
@ -84,7 +107,7 @@ workspaces:
        # Research roles extend defaults with browser-automation so they can
        # scrape the live web (product pages, GitHub trending, docs).
        # Per-workspace plugins REPLACE defaults, so re-list the full set.
-        plugins: [ecc, molecule-dev, superpowers, browser-automation]
+        plugins: [ecc, molecule-dev, superpowers, molecule-careful-bash, molecule-prompt-watchdog, molecule-audit-trail, molecule-session-context, molecule-skill-cron-learnings, molecule-skill-update-docs, browser-automation]
        initial_prompt: |
          You just started as Research Lead. Set up silently — do NOT contact other agents.
          1. Clone the repo: git clone https://github.com/${GITHUB_REPO}.git /workspace/repo 2>/dev/null || (cd /workspace/repo && git pull)
@ -97,15 +120,15 @@ workspaces:
          - name: Market Analyst
            role: Market sizing, trends, user research
            files_dir: market-analyst
-            plugins: [ecc, molecule-dev, superpowers, browser-automation]
+            plugins: [ecc, molecule-dev, superpowers, molecule-careful-bash, molecule-prompt-watchdog, molecule-audit-trail, molecule-session-context, molecule-skill-cron-learnings, molecule-skill-update-docs, browser-automation]
          - name: Technical Researcher
            role: AI frameworks and protocol evaluation
            files_dir: technical-researcher
-            plugins: [ecc, molecule-dev, superpowers, browser-automation]
+            plugins: [ecc, molecule-dev, superpowers, molecule-careful-bash, molecule-prompt-watchdog, molecule-audit-trail, molecule-session-context, molecule-skill-cron-learnings, molecule-skill-update-docs, browser-automation]
          - name: Competitive Intelligence
            role: Competitor tracking and feature comparison
            files_dir: competitive-intelligence
-            plugins: [ecc, molecule-dev, superpowers, browser-automation]
+            plugins: [ecc, molecule-dev, superpowers, molecule-careful-bash, molecule-prompt-watchdog, molecule-audit-trail, molecule-session-context, molecule-skill-cron-learnings, molecule-skill-update-docs, browser-automation]

      - name: Dev Lead
        role: Engineering planning and team coordination
@ -213,6 +236,13 @@ workspaces:
            tier: 3
            model: opus
            files_dir: security-auditor
+            # Security Auditor adds three security-critical skills on top of defaults:
+            # - molecule-skill-code-review:          multi-criteria review for security-relevant PRs
+            # - molecule-skill-cross-vendor-review:  adversarial second opinion via non-Claude model
+            #                                        (use ONLY for noteworthy PRs — auth, billing, data)
+            # - molecule-skill-llm-judge:            cheap gate that catches "wrong thing shipped"
+            # REPLACE semantics — re-list the full default set. (See #68 for union proposal.)
+            plugins: [ecc, molecule-dev, superpowers, molecule-careful-bash, molecule-prompt-watchdog, molecule-audit-trail, molecule-session-context, molecule-skill-cron-learnings, molecule-skill-update-docs, molecule-skill-code-review, molecule-skill-cross-vendor-review, molecule-skill-llm-judge]
            initial_prompt: |
              You just started as Security Auditor. Set up silently — do NOT contact other agents.
              1. Clone the repo: git clone https://github.com/${GITHUB_REPO}.git /workspace/repo 2>/dev/null || (cd /workspace/repo && git pull)
@ -376,7 +406,7 @@ workspaces:
            # Add browser-automation for live canvas screenshots via Puppeteer
            # (Chrome CDP path, works around the Playwright / libglib gap tracked in #23).
            # Per-workspace plugins REPLACE defaults — re-list the full set.
-            plugins: [ecc, molecule-dev, superpowers, browser-automation]
+            plugins: [ecc, molecule-dev, superpowers, molecule-careful-bash, molecule-prompt-watchdog, molecule-audit-trail, molecule-session-context, molecule-skill-cron-learnings, molecule-skill-update-docs, browser-automation]
            initial_prompt: |
              You just started as UIUX Designer. Set up silently — do NOT contact other agents.
              1. Clone the repo: git clone https://github.com/${GITHUB_REPO}.git /workspace/repo 2>/dev/null || (cd /workspace/repo && git pull)