From 3fefad453462839b563bdc41758a563e93f5ad7e Mon Sep 17 00:00:00 2001
From: Hongming Wang
Date: Wed, 15 Apr 2026 19:21:11 -0700
Subject: [PATCH] feat(template): add molecule-security-scan to Backend Engineer (#303)

Closes #303. Surfaces CVE/secret scanning at dev time instead of waiting for the Security Auditor's 12h cron. Backend Engineer's plugin list: [molecule-hitl, molecule-skill-code-review, molecule-security-scan].

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 org-templates/molecule-dev/org.yaml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/org-templates/molecule-dev/org.yaml b/org-templates/molecule-dev/org.yaml
index e3c79d2a..b94b883f 100644
--- a/org-templates/molecule-dev/org.yaml
+++ b/org-templates/molecule-dev/org.yaml
@@ -512,7 +512,10 @@ workspaces:
 # schema mutation without a human click. UNION with defaults.
 # #280: molecule-skill-code-review — self-review rubric before
 # raising a PR (same rubric Dev Lead applies in review).
- plugins: [molecule-hitl, molecule-skill-code-review]
+ # #303: molecule-security-scan — CVE gate at dev time, not
+ # just at Security Auditor's 12h cron. Catches supply-chain
+ # deps + secret patterns before they reach PR review.
+ plugins: [molecule-hitl, molecule-skill-code-review, molecule-security-scan]
 initial_prompt: |
 You just started as Backend Engineer. Set up silently — do NOT contact other agents.
 1. Clone the repo: git clone https://github.com/${GITHUB_REPO}.git /workspace/repo 2>/dev/null || (cd /workspace/repo && git pull)
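Review bot: The added comment above the `plugins:` line calls molecule-security-scan a "CVE gate", but the hunk only appends the plugin to the list; nothing visible in this change makes a CVE or secret finding block the task or the PR, so the comment promises an enforcement point that the template itself does not establish. The "UNION with defaults" note in the context lines also means the effective plugin set is wider than what is written here, so a reader cannot tell from this line alone what scanning the Backend Engineer actually runs or whether a finding is advisory. I would word the comment to match what is known: `# #303: molecule-security-scan — dependency-CVE and secret-pattern scan at dev time, complementing the Security Auditor's 12h cron; whether a finding blocks the PR is decided by the plugin's own config, not by this list.` Separately, the new flow-style list now runs past 80 columns once its indentation is counted; a block sequence with one `- molecule-...` entry per line stays within limits and diffs per plugin on future additions. The workspace entry that owns these keys starts before the hunk.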