From 4ab578bcd6441c2c81a518c31e3ee0b94ea3d52c Mon Sep 17 00:00:00 2001 
From: rabbitblood
Date: Mon, 13 Apr 2026 21:25:40 -0700
Subject: [PATCH] chore(template): audit crons require PM-routing and GH-issue filing; add UIUX schedule
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Addresses the gap surfaced by CEO 2026-04-13: audit agents (Security Auditor, QA Engineer, UIUX Designer) were running their crons successfully but findings stayed in agent memory and didn't consistently flow to GitHub issues or to developers with build ability. BE noticed Security findings once via a manual escalation; subsequent hourly audits accumulated 13 criticals (including an unauthenticated-plugin-install RCE) with no durable tracking.

Changes:

1. Security Auditor schedule: replace 12h (7 6,18 * * *) with hourly (17 * * * *) to match what's actually running in the platform DB. Rewrite the prompt with the full body of the runtime cron — git diff scoping, gosec/bandit, manual checklist, live API DAST, secrets scan, open-PR review.
2. QA Engineer schedule: keep 12h cadence, tighten post-audit routing.
3. UIUX Designer: add a schedule (was previously runtime-only — see #24). Uses hourly cadence to match runtime. Accepts Playwright may be unavailable (see #23) and falls back to HTML analysis with the limitation noted in the deliverable.

All three audit crons now end with an identical FINAL STEP — DELIVERABLE ROUTING block that makes the post-audit flow MANDATORY:

a. File a GitHub issue for each CRITICAL / HIGH finding (dedupe first)
b. delegate_task to PM with a structured summary listing issue numbers; PM decides which dev agent picks up which issue
c. Even on clean cycles, send PM a one-line "clean on SHA X" so audits are observable
d. Memory write becomes a secondary record, not the primary deliverable

Rationale: findings need to flow into the issue tracker (durable, visible to CEO, part of the PR/issue review feedback loop already in place) and through PM (who owns cross-team orchestration). Memory-only output is invisible to everyone except the auditor itself.

Related:
- #23 — UIUX Designer container missing libglib/X11 for Playwright. This PR accepts the current limitation; #23 tracks the image fix.
- #24 — template-vs-runtime schedule drift. This PR backfills the template; #24 tracks the platform-layer fix for preventing future drift.
- 13 open criticals in Security Auditor memory are out of scope for this PR (that's team work once the routing is in place).
---
 org-templates/molecule-dev/org.yaml | 149 +++++++++++++++++++++++-----
 1 file changed, 124 insertions(+), 25 deletions(-)

diff --git a/org-templates/molecule-dev/org.yaml b/org-templates/molecule-dev/org.yaml
index 9e938ef3..a1a2d3fe 100644
--- a/org-templates/molecule-dev/org.yaml
+++ b/org-templates/molecule-dev/org.yaml
@@ -193,31 +193,66 @@ workspaces: 5. Use commit_memory to save security patterns and concerns 6. Wait for tasks from Dev Lead. schedules: - - name: Security audit (every 12h) - cron_expr: "7 6,18 * * *" + - name: Hourly security audit + cron_expr: "17 * * * *" prompt: | - Recurring security audit. Be thorough and incremental. + Recurring hourly security audit. Be thorough on recently changed code. - 1. Pull latest: cd /workspace/repo && git pull - 2. Check what you audited last time: use search_memory("security audit") to recall prior findings - 3. See what changed since last audit: git log --oneline --since="12 hours ago" - 4. For each changed file, do a full security review: - - SQL injection (parameterized queries, not fmt.Sprintf) - - Path traversal (any endpoint accepting file paths) - - Missing access control (every endpoint must check permissions) - - Secrets leaking into logs, errors, or responses - - Command injection (shell exec with user input) - - XSS (user content rendered in canvas) - 5. Check for open PRs: cd /workspace/repo && gh pr list --state open - Review each open PR for security issues - 6. Record your findings to memory: - Use commit_memory with key "security-audit-latest" and value containing: - - Date and commit hash audited up to - - Files reviewed - - Issues found (or "clean") - - Areas that need deeper review next time - 7. If you find issues, report to Dev Lead via delegate_task with file:line references - 8. If clean, still record what you checked so next audit covers new ground + 1. SETUP: + cd /workspace/repo && git pull 2>/dev/null || true + LAST_SHA=$(cat /tmp/last-security-audit-sha 2>/dev/null || git rev-parse HEAD~48 2>/dev/null || echo '') + CURRENT=$(git rev-parse HEAD) + CHANGED=$(git diff --name-only $LAST_SHA $CURRENT 2>/dev/null) + + 2. STATIC ANALYSIS on changed files: + - Go: gosec -quiet + - Python: bandit -ll + + 3. 
MANUAL REVIEW of every changed file: + - SQL injection (fmt.Sprintf in DB queries vs $1/$2 params) + - Path traversal (filepath.Join without validation) + - Missing auth on new HTTP handlers + - Secret leakage in logs/errors/responses + - Command injection (exec.Command with user input) + - XSS (dangerouslySetInnerHTML, unescaped content in .tsx) + + 4. LIVE API CHECKS against http://host.docker.internal:8080: + - CanCommunicate bypass: POST /workspaces//a2a + - CORS: verify Access-Control-Allow-Origin on a cross-origin request + - Rate limit headers on /health + + 5. SECRETS SCAN: last 20 commits grepped for token patterns + (sk-ant, sk-or, api_key= etc.) excluding test files. + + 6. OPEN-PR REVIEW: + gh pr list --repo Molecule-AI/molecule-monorepo --state open --json number + For each: gh pr diff | grep '^+' for injection / exec / unsafe patterns. + + 7. RECORD commit SHA: + echo $CURRENT > /tmp/last-security-audit-sha + + === FINAL STEP — DELIVERABLE ROUTING (MANDATORY every cycle) === + + a. For each CRITICAL or HIGH finding, FILE A GITHUB ISSUE: + - Dedupe first: gh issue list --repo Molecule-AI/molecule-monorepo --search "" --state open + - If not already open: gh issue create --repo Molecule-AI/molecule-monorepo + --title "security(): " + --body with severity, file:line, concrete repro (curl or code), proposed fix, related issues + - Capture the issue number for the PM summary below. + + b. delegate_task to PM (workspace id: see `list_peers` for "PM") with a summary: + - Audit timestamp + SHA range audited + - Counts by severity (critical / high / medium / low / clean) + - List of GH issue numbers filed this cycle + - Top recommendation + PM decides which dev agent picks up each issue. + + c. If NOTHING critical or high this cycle: STILL delegate_task to PM with a + one-line "clean, audited , no new findings" so the audit is observable. + Memory write is a secondary record, not the primary deliverable. + + d. 
Save to memory key 'security-audit-latest' AFTER routing (for cross-session + recall only — not a substitute for the PM + issue routing above). enabled: true - name: QA Engineer role: Testing, quality assurance, test automation @@ -261,8 +296,20 @@ workspaces: - Files with missing test coverage - Quality issues found - Areas to investigate deeper next time - 9. If you find issues, report to Dev Lead via delegate_task - 10. If all clean, still record what was checked so next audit covers new ground + === FINAL STEP — DELIVERABLE ROUTING (MANDATORY every cycle) === + + a. For each failing test, build break, or coverage regression: FILE A GITHUB ISSUE: + - Dedupe: gh issue list --repo Molecule-AI/molecule-monorepo --search "" --state open + - If new: gh issue create --title "qa: " --body with failure log, commit SHA, + reproducer command, suspected file:line, proposed approach + - Capture issue numbers for the PM summary. + + b. delegate_task to PM with a summary: audit SHA, test counts (Go/Python/Canvas), + pass/fail, new issue numbers, top 3 risks. PM routes to dev. + + c. If all clean: delegate_task to PM with "qa clean on SHA " so the audit is observable. + + d. Save to memory key 'qa-audit-latest' as a secondary record only. enabled: true - name: UIUX Designer role: User flow design, visual design review, interaction patterns, accessibility 
@@ -280,3 +327,55 @@ workspaces: - /workspace/repo/canvas/src/components/SidePanel.tsx 5. Use commit_memory to save: dark zinc theme (zinc-900/950 bg, zinc-300/400 text, blue-500/600 accents, border-zinc-700/800) 6. Wait for tasks from Dev Lead. + schedules: + - name: Hourly UI/UX audit with live screenshots + cron_expr: "11 * * * *" + prompt: | + Hourly UX audit of the live Molecule AI canvas. Prefer real screenshots; + if the container sandbox prevents Chromium (see #23), fall back to HTML + analysis and note the limitation in the deliverable. + + 1. SETUP PLAYWRIGHT (best-effort — continue on failure): + pip install -q playwright 2>/dev/null || true + playwright install chromium --with-deps 2>/dev/null || \ + playwright install chromium 2>/dev/null || true + + 2. ATTEMPT SCREENSHOTS: + Write a small playwright script to http://host.docker.internal:3000 + capturing: home / empty state, create-workspace modal, full canvas, + viewport at 1280px. If library deps are missing, skip to step 3 and + note "screenshots unavailable" in the PM report. + + 3. HTML / CSS ANALYSIS (always runs): + - curl http://host.docker.internal:3000 — verify build ID / HTML size + - Grep shipped JS chunks for 'window.alert|window.confirm|window.prompt' + (should be 0 — ConfirmDialog replaces them) + - cd /workspace/repo/canvas && grep-check: every .tsx using hooks has + 'use client' as its first line + - Inspect any recently-changed .css / .tsx for light-theme regressions + (hard zinc-900/950 bg mandate — no #fff, #f4f4f5 backgrounds) + + 4. USER-FLOW SANITY: + - Workspace creation modal fields + submit path + - Canvas node positioning and edges + - Side-panel chat input and send + - Toolbar tooltips + - Responsive layout at 1280px + + === FINAL STEP — DELIVERABLE ROUTING (MANDATORY every cycle) === + + a. 
For each CRITICAL (broken flow, inaccessible control, theme regression): + FILE A GITHUB ISSUE: + - Dedupe: gh issue list --repo Molecule-AI/molecule-monorepo --search "ui OR ux OR theme" --state open + - gh issue create --title "ui: " --body with file:line, screenshot link (if available), + expected vs actual, dark-theme rule cited. + + b. delegate_task to PM with summary: build ID audited, screenshots count, + violation counts by severity, new issue numbers, top 3 recommended + improvements. PM routes to Frontend Engineer. + + c. If clean: delegate_task to PM with "ui clean on build " so the audit + is observable. + + d. Save to memory key 'uiux-audit-latest' as a secondary record only. + enabled: true
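Review bot: in the first hunk (@@ -193, Security Auditor), the SETUP block in step 1 can silently shrink the audit to nothing and the cycle then reports "clean". If /tmp/last-security-audit-sha is absent (it lives in /tmp, so it will not survive a container restart) and `git rev-parse HEAD~48` fails because fewer than 48 commits are reachable, LAST_SHA is '' and the unquoted `git diff --name-only $LAST_SHA $CURRENT` becomes a diff of the working tree against HEAD, which is empty right after `git pull`; the same happens when the saved SHA no longer exists after a force-push, since `2>/dev/null` hides the error and CHANGED ends up empty. Suggest validating the baseline before diffing, e.g. `git cat-file -e "$LAST_SHA" 2>/dev/null || LAST_SHA=$(git rev-list --max-parents=0 HEAD | tail -1)`, and treating an empty CHANGED with a non-empty commit range as an audit failure to report to PM rather than as "clean". Separately, the dedupe call `gh issue list --repo Molecule-AI/molecule-monorepo --search "" --state open` and the title `"security(): "` read as empty placeholders in the committed YAML; if angle-bracket tokens were stripped, the search matches every open issue and filed issues get blank titles. Finally, step a asks for a "concrete repro (curl or code)" in the issue body for CRITICAL findings; given the commit message cites an unauthenticated RCE, check who can read that repo's issues and, if it is wider than the team, route criticals through a private security advisory or a restricted label and keep the repro out of the public body.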
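Review bot: in the second hunk (@@ -261, QA Engineer), `gh issue create --title "qa: " --body ...` in step a omits `--repo Molecule-AI/molecule-monorepo` while the dedupe call directly above it passes it; unless the agent's cwd is the checkout, the create will fail or go to whatever repo gh resolves, so the two calls should agree. The `--search ""` and `"qa: "` also read as stripped placeholders, same as in the Security Auditor hunk. Since the removed lines 9 and 10 were the only fallback ("report to Dev Lead"), consider stating what the agent does if the delegate_task to PM in step b fails, so a PM outage does not leave a filed issue with no owner and a memory entry that step d says is secondary only.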
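Review bot: in the third hunk (@@ -280, UIUX Designer), step 1 runs `pip install -q playwright` and `playwright install chromium --with-deps` from the cron prompt every hour, i.e. an unpinned package plus a browser download from the network inside the agent container on each cycle. Since #23 already tracks baking these into the image, at least pin the version (`pip install -q 'playwright==<version>'`, placeholder) and skip the install when `python -c 'import playwright'` already succeeds, so the hourly job is not a recurring supply-chain exposure and does not mask whether the image fix has landed. Also `gh issue create --title "ui: "` omits `--repo` while the dedupe call passes it (same mismatch as the QA hunk), and the hard-coded `--search "ui OR ux OR theme"` matches any open issue containing those words rather than the specific finding, so dedupe on the finding's title instead. Lastly, step a attaches a "screenshot link (if available)" of the live canvas at host.docker.internal:3000, which may contain workspace names or chat content; the prompt should say where screenshots are uploaded so they do not end up on a host outside the team.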