molecule-ai/molecule-core
39
0
Fork 2
Code Issues 38 Pull Requests 25 Actions 5 Packages Projects Releases Wiki Activity
e502003c74
molecule-core/org-templates/molecule-dev/cp-security/schedules/security-scan.md
rabbitblood 4e61ac88c3 feat(template): restructure molecule-dev org template to 39-agent hierarchy 
Comprehensive rewrite of the Molecule AI dev team org template:

- Rename agents to {team}-{role} convention (e.g., core-be, cp-lead, app-qa)
- Add 5 new team leads: Core Platform Lead, Controlplane Lead, App & Docs Lead, Infra Lead, SDK Lead
- Add new roles: Release Manager, Integration Tester, Technical Writer, Infra-SRE, Infra-Runtime-BE, SDK-Dev, Plugin-Dev
- Delete triage-operator and triage-operator-2 (leads own triage now)
- Set default model to MiniMax-M2.7, tier 3, idle_interval_seconds 900
- Update org.yaml category_routing to new agent names
- Add orchestrator-pulse schedules for all leads (*/5 cron)
- Add pick-up-work schedules for engineers (*/15 cron)
- Add qa-review schedules for QA agents (*/15 cron)
- Add security-scan schedules for security agents (*/30 cron)
- Add release-cycle and e2e-test schedules for Release Manager and Integration Tester
- Update marketing agents with web search MCP and media generation capabilities
- All schedule prompts reference Molecule-AI/internal for PLAN.md and known-issues.md
- Un-ignore org-templates/molecule-dev/ in .gitignore for version tracking

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-20 00:43:15 -07:00

871 B
Raw Blame History

IMPORTANT: Check Molecule-AI/internal repo for roadmap (PLAN.md), known issues (known-issues.md), runbooks before starting work.

Recurring security audit. Be thorough and incremental.

  1. SETUP: Pull latest. Track last audit SHA.
  2. STATIC ANALYSIS: gosec (Go), bandit (Python) on changed files.
  3. MANUAL REVIEW: SQL injection, path traversal, missing auth, secret leakage, command injection, XSS, timing-safe comparisons.
  4. LIVE API CHECKS: CanCommunicate bypass, CORS, rate limits. DAST teardown after.
  5. SECRETS SCAN: last 20 commits for token patterns.
  6. OPEN-PR REVIEW: Check diffs for injection/exec/unsafe patterns.
  7. RECORD commit SHA.

DELIVERABLE ROUTING (MANDATORY): a. File GitHub issues for CRITICAL/HIGH findings. b. delegate_task to team lead with summary. c. If clean: report "clean, audited <SHA_RANGE>". d. Save to memory "security-audit-latest".