Addresses the gap surfaced by CEO 2026-04-13: audit agents (Security
Auditor, QA Engineer, UIUX Designer) were running their crons successfully
but findings stayed in agent memory and didn't consistently flow to
GitHub issues or to developers with build ability. BE noticed Security
findings once via a manual escalation; subsequent hourly audits
accumulated 13 criticals (including an unauthenticated-plugin-install
RCE) with no durable tracking.
Changes:
1. Security Auditor schedule: replace 12h (7 6,18 * * *) with hourly
(17 * * * *) to match what's actually running in the platform DB.
Rewrite the prompt with the full body of the runtime cron — git diff
scoping, gosec/bandit, manual checklist, live API DAST, secrets scan,
open-PR review.
2. QA Engineer schedule: keep 12h cadence, tighten post-audit routing.
3. UIUX Designer: add a schedule (was previously runtime-only — see #24).
Uses hourly cadence to match runtime. Accepts Playwright may be
unavailable (see #23) and falls back to HTML analysis with the
limitation noted in the deliverable.
All three audit crons now end with an identical FINAL STEP — DELIVERABLE
ROUTING block that makes the post-audit flow MANDATORY:
a. File a GitHub issue for each CRITICAL / HIGH finding (dedupe first)
b. delegate_task to PM with a structured summary listing issue numbers;
PM decides which dev agent picks up which issue
c. Even on clean cycles, send PM a one-line "clean on SHA X" so audits
are observable
d. Memory write becomes a secondary record, not the primary deliverable
Rationale: findings need to flow into the issue tracker (durable, visible
to CEO, part of the PR/issue review feedback loop already in place) and
through PM (who owns cross-team orchestration). Memory-only output is
invisible to everyone except the auditor itself.
Related:
- #23 — UIUX Designer container missing libglib/X11 for Playwright.
This PR accepts the current limitation; #23 tracks the image fix.
- #24 — template-vs-runtime schedule drift. This PR backfills the template;
#24 tracks the platform-layer fix for preventing future drift.
- 13 open criticals in Security Auditor memory are out of scope for this
PR (that's team work once the routing is in place).
4ab578bcd6