feat(template): add molecule-security-scan to Backend Engineer (#303)

Closes #303. Surfaces CVE/secret scanning at dev time instead of waiting for the Security Auditor's 12h cron. Backend Engineer's plugin list: [molecule-hitl, molecule-skill-code-review, molecule-security-scan]. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-15 19:21:11 -07:00 · 2026-04-15 19:21:11 -07:00 · 3fefad4534
commit 3fefad4534
parent 84d5e395d4
1 changed files with 4 additions and 1 deletions
--- a/org-templates/molecule-dev/org.yaml
+++ b/org-templates/molecule-dev/org.yaml
@ -512,7 +512,10 @@ workspaces:
            # schema mutation without a human click. UNION with defaults.
            # #280: molecule-skill-code-review — self-review rubric before
            # raising a PR (same rubric Dev Lead applies in review).
-            plugins: [molecule-hitl, molecule-skill-code-review]
+            # #303: molecule-security-scan — CVE gate at dev time, not
+            # just at Security Auditor's 12h cron. Catches supply-chain
+            # deps + secret patterns before they reach PR review.
+            plugins: [molecule-hitl, molecule-skill-code-review, molecule-security-scan]
            initial_prompt: |
              You just started as Backend Engineer. Set up silently — do NOT contact other agents.
              1. Clone the repo: git clone https://github.com/${GITHUB_REPO}.git /workspace/repo 2>/dev/null || (cd /workspace/repo && git pull)