From f3b0b9e5725c11a9eb1f7b38e0377321fa4741ac Mon Sep 17 00:00:00 2001 
From: rabbitblood Date: Tue, 14 Apr 2026 13:07:05 -0700 Subject: [PATCH] chore(template): wire 9 new guardrail/skill plugins into defaults; PM + Security Auditor get role extras MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit PR #63 just merged 12 new modular plugins (split from a single guardrails bundle) and the audit pipeline (Security/UIUX/QA crons) is now producing PRs continuously. Time to wire the new plugins into the molecule-dev template so every workspace + every cron tick benefits. ## Defaults — universal additions (was 3, now 9) - molecule-careful-bash — refuse rm -rf, push --force main, DROP TABLE - molecule-prompt-watchdog — warn on destructive user prompts - molecule-audit-trail — append every Edit/Write to .claude/audit.jsonl - molecule-session-context — auto-load cron learnings + PR/issue counts on SessionStart - molecule-skill-cron-learnings — per-tick learning JSONL format (pairs with session-context) - molecule-skill-update-docs — keep architecture/README/edit-history aligned Kept: ecc, molecule-dev, superpowers. ## Per-role overrides - PM: defaults + molecule-workflow-triage + molecule-workflow-retro (the /triage and /retro slash commands match PM's coordination role) - Security Auditor: defaults + molecule-skill-code-review + molecule-skill-cross-vendor-review + molecule-skill-llm-judge (security PRs benefit from multi-criteria review, adversarial cross-vendor second opinion, and an LLM-judge gate that catches "agent shipped the wrong thing") - Research Lead + 3 researchers + UIUX Designer: defaults + browser-automation (existing override; just synced to the new default set) Other 5 dev roles (Dev Lead, BE, FE, DevOps, QA) inherit defaults — the new universal set is rich enough for them; code-review skill is a runtime opt-in if Dev Lead decides per-PR. ## REPLACE-semantics verbosity `platform/internal/handlers/org.go:~345` treats per-workspace plugins as REPLACE not UNION. 
Every override has to re-list the 9 defaults to add 1 extra. Tracked as #68 with a union-proposal; once that lands the per-role lists shrink to just the additions. ## Test plan - [x] YAML valid (`python -c "import yaml; yaml.safe_load(...)"`) - [x] defaults.plugins count = 9 - [ ] After merge + re-import: every workspace's /configs/plugins/ contains the full set; PM has /triage and /retro commands; Security Auditor can invoke cross-vendor-review on its findings.
---
 org-templates/molecule-dev/org.yaml | 48 +++++++++++++++++++++++------
 1 file changed, 39 insertions(+), 9 deletions(-)
diff --git a/org-templates/molecule-dev/org.yaml b/org-templates/molecule-dev/org.yaml
index 82b278b4..849f8b99 100644
--- a/org-templates/molecule-dev/org.yaml
+++ b/org-templates/molecule-dev/org.yaml
@@ -11,15 +11,34 @@ defaults:
   # specifies its own `plugins:` list (which REPLACES defaults — not a union;
   # see platform/internal/handlers/org.go ~L345). So any workspace that
   # needs extras must re-list the defaults plus its additions.
+  # Platform union-semantics tracked in #68; until that lands, we list fully.
   #
-  # - ecc: "Everything Claude Code" guardrails + coding skills
-  # (api-design, coding-standards, deep-research, security-review, tdd-workflow)
-  # - molecule-dev: Molecule AI codebase conventions, past bugs, review-loop
-  # - superpowers: systematic-debugging, TDD, planning, verification-before-completion
+  # Coding / guardrail essentials:
+  # - ecc: "Everything Claude Code" guardrails + coding skills
+  # - molecule-dev: Molecule AI codebase conventions, past bugs, review-loop
+  # - superpowers: systematic-debugging, TDD, planning, verification-before-completion
+  #
+  # Safety hooks (PreToolUse/PostToolUse/UserPromptSubmit) — universal:
+  # - molecule-careful-bash: refuse destructive shell (rm -rf, push --force main, DROP TABLE)
+  # - molecule-prompt-watchdog: inject warnings on destructive user prompts
+  # - molecule-audit-trail: append every Edit/Write to .claude/audit.jsonl
+  #
+  # Operational memory — keeps agents consistent across sessions/cron ticks:
+  # - molecule-session-context: auto-load cron learnings + PR/issue counts on SessionStart
+  # - molecule-skill-cron-learnings: per-tick learning JSONL format (pairs with session-context)
+  #
+  # Docs hygiene:
+  # - molecule-skill-update-docs: keep architecture / README / edit-history aligned with code
   plugins:
     - ecc
     - molecule-dev
     - superpowers
+    - molecule-careful-bash
+    - molecule-prompt-watchdog
+    - molecule-audit-trail
+    - molecule-session-context
+    - molecule-skill-cron-learnings
+    - molecule-skill-update-docs
   # workspace_dir: not set by default — each agent gets an isolated Docker volume
   # Set per-workspace to bind-mount a host directory as /workspace
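Review bot: The `molecule-audit-trail` comment describes the hook as an audit mechanism, but its target `.claude/audit.jsonl` sits inside the same workspace tree the audited agent edits and writes, so the record is a local trace rather than a tamper-evident log; the comment should say so, otherwise readers will treat it as the accountability control for the cron-driven PR pipeline. Suggested wording: `#   (local trace in the agent-writable workspace — not tamper-evident; ship off-host if it must be trusted)`. I cannot see the plugin itself, so if it already forwards entries elsewhere, document that here instead. Relatedly, the `molecule-careful-bash` line lists three refused invocations; state whether the hook is a denylist of exactly those patterns or a broader policy, so it is not mistaken for a shell sandbox. The `defaults:` mapping begins above this hunk.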
@@ -54,6 +73,10 @@ workspaces:
     files_dir: pm
     workspace_dir: ${WORKSPACE_DIR}
     canvas: { x: 400, y: 50 }
+    # PM needs workflow-triage (/triage command for PR triage) and workflow-retro
+    # (/retro for weekly retrospectives) on top of defaults. Re-list full set
+    # (REPLACE semantics today — see #68 for the union-proposal).
+    plugins: [ecc, molecule-dev, superpowers, molecule-careful-bash, molecule-prompt-watchdog, molecule-audit-trail, molecule-session-context, molecule-skill-cron-learnings, molecule-skill-update-docs, molecule-workflow-triage, molecule-workflow-retro]
     # Auto-link Telegram so the user can talk to PM directly from Telegram.
     # Bot token + chat ID come from pm/.env (TELEGRAM_BOT_TOKEN, TELEGRAM_CHAT_ID).
     channels:
@@ -84,7 +107,7 @@ workspaces:
     # Research roles extend defaults with browser-automation so they can
     # scrape the live web (product pages, GitHub trending, docs).
     # Per-workspace plugins REPLACE defaults, so re-list the full set.
-    plugins: [ecc, molecule-dev, superpowers, browser-automation]
+    plugins: [ecc, molecule-dev, superpowers, molecule-careful-bash, molecule-prompt-watchdog, molecule-audit-trail, molecule-session-context, molecule-skill-cron-learnings, molecule-skill-update-docs, browser-automation]
     initial_prompt: |
       You just started as Research Lead. Set up silently — do NOT contact other agents.
       1. Clone the repo: git clone https://github.com/${GITHUB_REPO}.git /workspace/repo 2>/dev/null || (cd /workspace/repo && git pull)
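Review bot: The nine-item default set is now copied verbatim into the PM `plugins:` line here and into the Research Lead hunk that follows, the three researcher hunks, and the Security Auditor and UIUX Designer hunks, and nothing checks that those copies stay a superset of `defaults.plugins` — the test plan only counts the defaults, so the next guardrail hook added to defaults will silently not reach any overridden role under REPLACE semantics. Until #68 lands, a block-style list with a marker comment keeps the copies greppable and makes a missing default visible as a one-line diff, and a validation step asserting every override contains `defaults.plugins` would catch drift at import time. The PM workspace entry (`- name:`) begins above this hunk.
```yaml
    # defaults — keep in sync with defaults.plugins until #68 lands (REPLACE semantics)
    plugins:
      - ecc
      - molecule-dev
      - superpowers
      - molecule-careful-bash
      - molecule-prompt-watchdog
      - molecule-audit-trail
      - molecule-session-context
      - molecule-skill-cron-learnings
      - molecule-skill-update-docs
      # PM-only additions
      - molecule-workflow-triage
      - molecule-workflow-retro
    # … unchanged: Telegram channel comments and channels: …
```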
@@ -97,15 +120,15 @@ workspaces:
   - name: Market Analyst
     role: Market sizing, trends, user research
     files_dir: market-analyst
-    plugins: [ecc, molecule-dev, superpowers, browser-automation]
+    plugins: [ecc, molecule-dev, superpowers, molecule-careful-bash, molecule-prompt-watchdog, molecule-audit-trail, molecule-session-context, molecule-skill-cron-learnings, molecule-skill-update-docs, browser-automation]
   - name: Technical Researcher
     role: AI frameworks and protocol evaluation
     files_dir: technical-researcher
-    plugins: [ecc, molecule-dev, superpowers, browser-automation]
+    plugins: [ecc, molecule-dev, superpowers, molecule-careful-bash, molecule-prompt-watchdog, molecule-audit-trail, molecule-session-context, molecule-skill-cron-learnings, molecule-skill-update-docs, browser-automation]
   - name: Competitive Intelligence
     role: Competitor tracking and feature comparison
     files_dir: competitive-intelligence
-    plugins: [ecc, molecule-dev, superpowers, browser-automation]
+    plugins: [ecc, molecule-dev, superpowers, molecule-careful-bash, molecule-prompt-watchdog, molecule-audit-trail, molecule-session-context, molecule-skill-cron-learnings, molecule-skill-update-docs, browser-automation]
   - name: Dev Lead
     role: Engineering planning and team coordination
@@ -213,6 +236,13 @@ workspaces:
     tier: 3
     model: opus
     files_dir: security-auditor
+    # Security Auditor adds three security-critical skills on top of defaults:
+    # - molecule-skill-code-review: multi-criteria review for security-relevant PRs
+    # - molecule-skill-cross-vendor-review: adversarial second opinion via non-Claude model
+    # (use ONLY for noteworthy PRs — auth, billing, data)
+    # - molecule-skill-llm-judge: cheap gate that catches "wrong thing shipped"
+    # REPLACE semantics — re-list the full default set. (See #68 for union proposal.)
+    plugins: [ecc, molecule-dev, superpowers, molecule-careful-bash, molecule-prompt-watchdog, molecule-audit-trail, molecule-session-context, molecule-skill-cron-learnings, molecule-skill-update-docs, molecule-skill-code-review, molecule-skill-cross-vendor-review, molecule-skill-llm-judge]
     initial_prompt: |
       You just started as Security Auditor. Set up silently — do NOT contact other agents.
       1. Clone the repo: git clone https://github.com/${GITHUB_REPO}.git /workspace/repo 2>/dev/null || (cd /workspace/repo && git pull)
@@ -376,7 +406,7 @@ workspaces:
     # Add browser-automation for live canvas screenshots via Puppeteer
     # (Chrome CDP path, works around the Playwright / libglib gap tracked in #23).
     # Per-workspace plugins REPLACE defaults — re-list the full set.
-    plugins: [ecc, molecule-dev, superpowers, browser-automation]
+    plugins: [ecc, molecule-dev, superpowers, molecule-careful-bash, molecule-prompt-watchdog, molecule-audit-trail, molecule-session-context, molecule-skill-cron-learnings, molecule-skill-update-docs, browser-automation]
     initial_prompt: |
       You just started as UIUX Designer. Set up silently — do NOT contact other agents.
       1. Clone the repo: git clone https://github.com/${GITHUB_REPO}.git /workspace/repo 2>/dev/null || (cd /workspace/repo && git pull)
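Review bot: The `molecule-skill-cross-vendor-review` comment says when to use the skill ("ONLY for noteworthy PRs — auth, billing, data") but not what that use implies for this role: the Security Auditor's input is repository diffs plus its own not-yet-fixed findings, and the skill by its own description sends them to a non-Claude model, so the most sensitive material this org produces is exactly what crosses to a second vendor. The comment should record that data-handling decision and where the vendor credential comes from, e.g. `#   (diff + findings leave the Claude boundary to a third-party model — confirm retention/no-train terms; credential source: <TODO confirm>)`. I cannot see the skill or its config from this hunk, so if it already redacts findings or routes through an approved endpoint, state that here instead. The Security Auditor workspace entry (`- name:`) begins above this hunk.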