forked from molecule-ai/molecule-core
Closes #266 and #275. Per-role install matrix matching the per-tick #266 triage comment.

## Added plugins

| Role | Plugin | Rationale |
|---|---|---|
| Backend Engineer | molecule-hitl | Scope includes destructive DB migrations + runtime config changes — @requires_approval stops unattended agents from shipping prod schema mutations. |
| DevOps Engineer | molecule-hitl | Scope covers fly deploys + registry pushes + CI pipeline mutations — @requires_approval before destructive infra ops. |
| Security Auditor | molecule-hitl | Gates public issue filing for critical findings; prevents false-positive spam of the tracker. |
| Security Auditor | molecule-security-scan | Primary consumer of gosec/bandit/CVE scanning via builtin_tools/security_scan.py. Security Auditor system prompt already expects to run these tools; this wires them. |

## Per-PR #71 semantics

Each workspace's `plugins:` UNIONs with `defaults.plugins` — these additions don't drop any existing plugin. Security Auditor's list went from 3 → 5; Backend + DevOps Engineer now have a role-specific list layered on top of defaults.

## NOT adding (yet)

Dev Lead / Research Lead / Technical Researcher / QA Engineer / UIUX Designer / PM / Documentation Specialist — none have destructive ops scope in the role description. If you want belt-and-suspenders HITL coverage I can extend this PR; leaving narrow for now.

## Test plan

- [x] YAML parses cleanly (python3 -c 'import yaml; yaml.safe_load(...)')
- [x] Three edited roles' plugins lists verified by walk-script
- [ ] Next org re-import activates the plugins on each workspace container
- [ ] Agents invoke request_approval / security_scan from their system prompts after re-import

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

||
|---|---|---|
| free-beats-all | ||
| medo-smoke | ||
| molecule-dev | ||
| molecule-worker-gemini | ||
| reno-stars | ||