name: DevOps Engineer
role: >-
  Owns the container build pipeline: Dockerfiles for all six runtime images
  (langgraph, claude-code, openclaw, crewai, autogen, deepagents),
  docker-compose.infra.yml for the local dev stack, and build-all.sh hygiene.
  Manages GitHub Actions CI (platform-build, canvas-build, python-lint,
  mcp-server-build), coverage thresholds, and secrets hygiene in the pipeline.
  Keeps infra/scripts/setup.sh and nuke.sh in sync whenever migrations or
  services change. Escalates to Backend Engineer for schema/runtime-config
  changes and to Frontend Engineer for canvas build failures. "Done" means:
  all CI jobs green, all images buildable from a clean checkout, no *.log or
  .env files leaked into image layers.
tier: 3
model: opus
files_dir: devops-engineer
# #266: HITL gate — DevOps Engineer's scope covers fly deploys,
# registry pushes, CI pipeline mutations. Any of these going
# wrong affects every tenant; @requires_approval before
# destructive infra ops is the point.
# #280: molecule-skill-code-review — self-review rubric for
# Dockerfiles, CI workflows, infra scripts before PR.
# #322: molecule-freeze-scope — lock edits to infra/** during
# risky operations (CI migrations, fly secret rotations, image
# rebuilds). Plugin was an orphan for 3 weekly audits; DevOps
# is the natural home.
plugins: [molecule-hitl, molecule-skill-code-review, molecule-freeze-scope]
# #247: notify on build-break — DevOps routes CI failures + infra
# alerts via Telegram so they're not invisible until morning review.
channels:
  - type: telegram
    config:
      bot_token: ${TELEGRAM_BOT_TOKEN}
      chat_id: ${TELEGRAM_CHAT_ID}
    enabled: true
idle_interval_seconds: 600
schedules:
  - name: Hourly channel expansion survey
    cron_expr: "47 * * * *"
    enabled: true
    prompt_file: schedules/hourly-channel-expansion-survey.md
  - name: Cloud-services watch (every 4h)
    cron_expr: "23 0,4,8,12,16,20 * * *"
    enabled: true
    prompt_file: schedules/cloud-services-watch-every-4h.md
initial_prompt_file: initial-prompt.md
idle_prompt_file: idle-prompt.md
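The last "Done" criterion in the role text (no *.log or .env files leaked into image layers) is the one that is easy to assert in CI but rarely is. The following is an added example, not the project's build-all.sh or any of its CI workflows: a POSIX shell check that unpacks a `docker save` tarball and lists every .env / .env.* / *.log entry found in any layer, returning non-zero if there is one. It handles both the legacy layout (`<id>/layer.tar`) and the OCI layout (`blobs/sha256/<digest>`) by simply trying `tar -t` on every regular file in the archive. The function names `scan_image_tar` and `make_sample_image_tar`, the `LEAK_PATTERN` regex, and the fixture image (a constructed two-layer tarball so the check runs without a Docker daemon) are all assumptions of this example.

```shell
#!/bin/sh
# check_image_layers.sh  (added example; not part of the project's scripts)
#
# scan_image_tar <image.tar>
#   Unpacks a `docker save` archive and reports any layer entry whose last
#   path component is ".env", ".env.<suffix>" or "*.log".
#   Output: one "layer=<blob> path=<entry>" line per hit.
#   Exit:   0 = clean, 1 = leaked files found, 2 = could not read archive.

# ERE for offending paths. Assumed policy: matches the role's "no *.log or
# .env files" rule, plus .env.local / .env.production style variants.
LEAK_PATTERN='(^|/)(\.env(\.[^/]*)?|[^/]*\.log)$'

scan_image_tar() {
  image_tar="$1"
  work=$(mktemp -d) || return 2
  tar -xf "$image_tar" -C "$work" 2>/dev/null || { rm -rf "$work"; return 2; }
  found=0
  # Every regular file in the archive is a candidate layer; manifest.json,
  # config JSON and index files are not tar archives, so `tar -t` fails on
  # them and they are skipped. Layer blobs are tars in both layouts.
  for blob in $(find "$work" -type f); do
    entries=$(tar -tf "$blob" 2>/dev/null) || continue
    matches=$(printf '%s\n' "$entries" | grep -E "$LEAK_PATTERN" || true)
    [ -n "$matches" ] || continue
    found=1
    layer=${blob#"$work"/}
    printf '%s\n' "$matches" | while read -r entry; do
      echo "layer=$layer path=$entry"
    done
  done
  rm -rf "$work"
  return $found
}

# make_sample_image_tar [clean]
#   Constructed fixture: a two-layer image in the legacy `docker save`
#   layout, built with plain tar so no Docker daemon is needed.
#   Layer aaa carries the app; layer bbb carries a .env and a build log
#   unless "clean" is passed. Prints the path of the resulting tarball.
make_sample_image_tar() {
  mode="${1:-leaky}"
  root=$(mktemp -d) || return 2
  mkdir -p "$root/rootfs1/app" "$root/rootfs2/app" "$root/img/aaa" "$root/img/bbb"
  echo 'print("hello")' > "$root/rootfs1/app/main.py"
  echo 'VERSION=1.0' > "$root/rootfs2/app/version.txt"
  if [ "$mode" != "clean" ]; then
    # Constructed sample secret; the kind of thing a missing .dockerignore lets in.
    echo 'DATABASE_URL=postgres://app:example-password@db/app' > "$root/rootfs2/app/.env"
    echo 'step 1 ok' > "$root/rootfs2/app/build.log"
  fi
  (cd "$root/rootfs1" && tar -cf "$root/img/aaa/layer.tar" app)
  (cd "$root/rootfs2" && tar -cf "$root/img/bbb/layer.tar" app)
  printf '[{"Config":"config.json","Layers":["aaa/layer.tar","bbb/layer.tar"]}]\n' \
    > "$root/img/manifest.json"
  echo '{}' > "$root/img/config.json"
  (cd "$root/img" && tar -cf "$root/image.tar" .)
  echo "$root/image.tar"
}

# CLI use: sh check_image_layers.sh image.tar
if [ "$#" -ge 1 ]; then
  scan_image_tar "$1"
fi
```

In a CI job this sits after the build step as `docker save "$IMAGE" -o image.tar && sh check_image_layers.sh image.tar`, failing the job on exit 1. It is the detective control; the preventive one is a `.dockerignore` that excludes `.env*` and `*.log` so the files never reach the build context in the first place. Note that a file deleted in a later layer still lives in the earlier layer's blob, which is exactly why the check looks at every layer rather than the merged filesystem.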