molecule-core

History

Hongming Wang 45e4eb0be3 feat(plugin): split compliance-posture into 3 plugins (#256 ) Closes #256. Per CEO direction, shipping three separate opt-in plugins instead of one bundled "compliance-posture" — keeps installs granular so a workspace that only wants CVE scanning doesn't carry OWASP policy or append-only audit retention. - plugins/molecule-compliance/ — wraps compliance.py (OWASP OA-01 prompt injection + OA-03 excessive agency). Skill: owasp-agentic. - plugins/molecule-audit/ — wraps audit.py (EU AI Act Art. 12/13/17 append-only JSONL log, SIEM-friendly). Skill: ai-act-audit-log. - plugins/molecule-security-scan/ — wraps security_scan.py (Snyk or pip-audit CVE gate on skill requirements.txt). Skill: skill-cve-gate. Each plugin ships a manifest + one SKILL.md with: - When to install / when to skip - Configuration shape (config.yaml blocks) - Anti-patterns to avoid - Cross-references to the other two plugins so an operator can reason about the full compliance surface All three wrap code that already exists in workspace-template/builtin_tools/ — no Python changes. Install per workspace via POST /workspaces/:id/plugins {"source":"builtin://molecule-<name>"}. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-15 14:15:25 -07:00
..
skills/owasp-agentic	feat(plugin): split compliance-posture into 3 plugins (#256 )	2026-04-15 14:15:25 -07:00
plugin.yaml	feat(plugin): split compliance-posture into 3 plugins (#256 )	2026-04-15 14:15:25 -07:00

Hongming Wang 45e4eb0be3 feat(plugin): split compliance-posture into 3 plugins (#256 )

Closes #256. Per CEO direction, shipping three separate opt-in plugins
instead of one bundled "compliance-posture" — keeps installs granular
so a workspace that only wants CVE scanning doesn't carry OWASP policy
or append-only audit retention.

- plugins/molecule-compliance/        — wraps compliance.py (OWASP OA-01
  prompt injection + OA-03 excessive agency). Skill: owasp-agentic.
- plugins/molecule-audit/              — wraps audit.py (EU AI Act Art.
  12/13/17 append-only JSONL log, SIEM-friendly). Skill: ai-act-audit-log.
- plugins/molecule-security-scan/      — wraps security_scan.py (Snyk or
  pip-audit CVE gate on skill requirements.txt). Skill: skill-cve-gate.

Each plugin ships a manifest + one SKILL.md with:
- When to install / when to skip
- Configuration shape (config.yaml blocks)
- Anti-patterns to avoid
- Cross-references to the other two plugins so an operator can reason
  about the full compliance surface

All three wrap code that already exists in workspace-template/builtin_tools/
— no Python changes. Install per workspace via
POST /workspaces/:id/plugins {"source":"builtin://molecule-<name>"}.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-04-15 14:15:25 -07:00

skills/owasp-agentic

feat(plugin): split compliance-posture into 3 plugins (#256 )

2026-04-15 14:15:25 -07:00

plugin.yaml

feat(plugin): split compliance-posture into 3 plugins (#256 )

2026-04-15 14:15:25 -07:00