core-lead/molecule-core
1
0
Fork 0
forked from molecule-ai/molecule-core
Code Pull Requests Activity
4ab578bcd6
molecule-core/org-templates
History
rabbitblood 4ab578bcd6 chore(template): audit crons require PM-routing and GH-issue filing; add UIUX schedule 
Addresses the gap surfaced by CEO 2026-04-13: audit agents (Security
Auditor, QA Engineer, UIUX Designer) were running their crons successfully
but findings stayed in agent memory and didn't consistently flow to
GitHub issues or to developers with build ability. BE noticed Security
findings once via a manual escalation; subsequent hourly audits
accumulated 13 criticals (including an unauthenticated-plugin-install
RCE) with no durable tracking.

Changes:
1. Security Auditor schedule: replace 12h (7 6,18 * * *) with hourly
   (17 * * * *) to match what's actually running in the platform DB.
   Rewrite the prompt with the full body of the runtime cron — git diff
   scoping, gosec/bandit, manual checklist, live API DAST, secrets scan,
   open-PR review.
2. QA Engineer schedule: keep 12h cadence, tighten post-audit routing.
3. UIUX Designer: add a schedule (was previously runtime-only — see #24).
   Uses hourly cadence to match runtime. Accepts Playwright may be
   unavailable (see #23) and falls back to HTML analysis with the
   limitation noted in the deliverable.

All three audit crons now end with an identical FINAL STEP — DELIVERABLE
ROUTING block that makes the post-audit flow MANDATORY:

  a. File a GitHub issue for each CRITICAL / HIGH finding (dedupe first)
  b. delegate_task to PM with a structured summary listing issue numbers;
     PM decides which dev agent picks up which issue
  c. Even on clean cycles, send PM a one-line "clean on SHA X" so audits
     are observable
  d. Memory write becomes a secondary record, not the primary deliverable

Rationale: findings need to flow into the issue tracker (durable, visible
to CEO, part of the PR/issue review feedback loop already in place) and
through PM (who owns cross-team orchestration). Memory-only output is
invisible to everyone except the auditor itself.

Related:
- #23 — UIUX Designer container missing libglib/X11 for Playwright.
  This PR accepts the current limitation; #23 tracks the image fix.
- #24 — template-vs-runtime schedule drift. This PR backfills the template;
  #24 tracks the platform-layer fix for preventing future drift.
- 13 open criticals in Security Auditor memory are out of scope for this
  PR (that's team work once the routing is in place).
2026-04-13 21:25:40 -07:00
..
free-beats-all initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
medo-smoke initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
molecule-dev chore(template): audit crons require PM-routing and GH-issue filing; add UIUX schedule 2026-04-13 21:25:40 -07:00
molecule-worker-gemini initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
reno-stars initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00