Wire the new SOP Phase 4 self-review skill into dev-department defaults
so every dev workspace (Dev Lead, Core Platform, Controlplane, App-Docs,
Infra, SDK + floaters + Triage Operator) picks it up automatically.
The plugin (v1.0.0,
git.moleculesai.app/molecule-ai/molecule-ai-plugin-molecule-skill-five-axis-review)
implements the structured Five-Axis self-review that replaces the
unstructured 'list 3 weakest spots' Phase 4 (canonical SOP doc:
internal/runbooks/dev-sop.md, opened in internal#84).
Per the org-template plugin resolution contract (PR #71, issue #68),
this UNIONs with per-workspace plugins lists. Workspaces can opt out
on a case-by-case basis with the standard '!molecule-skill-five-axis-review'
or '-molecule-skill-five-axis-review' prefix in their own plugins: list.
WHY
Five-Axis self-review on the !external resolver work (internal#77,
PRs #105+#106 of molecule-core) caught three Required-severity issues
that the same author's unstructured 3-weakest pass on the same code
missed: cache validity gap, token persistence in .git/config, misleading
function name post-refactor. The structured pass on PR #107 caught all
three on first read.
Setting the skill as a default rather than per-workspace because every
agent doing substantive change benefits from the structured pass — it's
the default mode of operation, not an opt-in.
REFS
internal#84 — canonical SOP doc with new Phase 4 wording
molecule-core PR #107 — hardening pass driven by the five-axis review
Plugin tag v1.0.0 sha 4835359
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Follow-up to molecule-ai-org-template-molecule-dev PR #6 (PR-D in the
internal#77 phasing) which removed the dev-lead symlink from the parent
template. Without this update, running the setup script errored out
because it required a symlink that the parent no longer ships.
Changes:
- Default mode: clone parent template only. No sibling clone, no
  symlink. The canonical local-e2e test (TestLocalE2E_ExternalDevDepartment)
  uses the !external resolver to fetch the dev tree at test runtime —
  no filesystem fixture needed.
- --with-symlink flag: keeps the legacy sibling-clone + symlink layout
  for the symlink-based regression tests
  (TestLocalE2E_DevDepartmentExtraction + TestLocalE2E_FilesDirConsumption).
  Script INJECTS the symlink (since parent no longer ships it post-PR #6).
- Updated 'Run tests' guidance: !external test is the canonical e2e;
  symlink tests are opt-in regression coverage for the path the resolver
  still supports but no production template uses.
VERIFIED LOCALLY 2026-05-08:
- Default mode: clone parent only, layout correct.
- --with-symlink mode: parent + dev-department + injected symlink, layout correct.
- Full TestLocalE2E_* test suite passes against --with-symlink fixture (1.7s).
Refs:
internal#77 — extraction RFC
molecule-ai/molecule-ai-org-template-molecule-dev#6 — PR-D (symlink removal)
task #235 follow-up — finishes the cleanup the PR-D description mentioned
Two follow-ups discovered while pre-flighting local platform spin-up
(internal#77 dev-department extraction):
VALIDATOR (closes task #231)
Previous validate-tree.py used Path.resolve() everywhere — Python's
realpath equivalent that follows symlinks. Caused false positives on
parent template's cross-repo symlink (dev-lead → sibling repo):
validator reported 'resolves outside repo root' even though the
platform's resolveYAMLIncludes (workspace-server/internal/handlers/
org_include.go) accepts the path because filepath.Abs/Rel operate on
path STRINGS, not on the realpath.
Fix: introduce _abs_no_symlink_resolve() helper using os.path.abspath
(string-only) and _is_inside_root() that mirrors Go's filepath.Rel +
HasPrefix idiom. All places where the validator emulates the platform
security check now use these helpers; Path.resolve() is reserved for
cases that need realpath semantics (none currently).
Verified: validator now passes on parent template's dev-lead symlink
(was previously a hard error), still rejects truly-out-of-root
references (e.g. ../../../etc/passwd-style escapes).
LOCAL E2E SETUP SCRIPT (DX win)
New .molecule-ci/scripts/local-e2e-setup.sh — bootstraps the
/tmp/local-e2e-deploy/ sibling-clone fixture used by
workspace-server's TestLocalE2E_* tests. Idempotent (pulls latest)
with --fresh to wipe and re-clone. Exits non-zero with diagnostics
if the parent template's dev-lead symlink is missing or broken
(catches stale parent-template clones from before PR #5).
Refs:
internal#77 — extraction RFC
task #231 — validator-vs-platform symlink semantics
Hongming GO 2026-05-08 ('go' on the 3 pre-spin-up optimizations)
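
The difference between the two containment checks described in the validator commit above, as an added example that is not the project's validate-tree.py: the helper bodies are a sketch written from the commit's description, and the fixture directories are constructed.

```python
import os
import tempfile
from pathlib import Path


def abs_no_symlink_resolve(path: str) -> str:
    """String-only absolutisation: collapses '.' and '..', never reads symlinks."""
    return os.path.abspath(path)


def is_inside_root(root: str, candidate: str) -> bool:
    """Lexical containment, comparable to Go's filepath.Rel + prefix check."""
    rel = os.path.relpath(abs_no_symlink_resolve(candidate),
                          abs_no_symlink_resolve(root))
    return rel != os.pardir and not rel.startswith(os.pardir + os.sep)


def is_inside_root_realpath(root: str, candidate: str) -> bool:
    """Realpath containment: follows symlinks before comparing."""
    root_real = Path(root).resolve()
    cand_real = Path(candidate).resolve()
    return cand_real == root_real or root_real in cand_real.parents


def compare_checks() -> dict:
    """Run both checks over a constructed fixture; returns (lexical, realpath)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "parent-template")      # constructed repo root
        sibling = os.path.join(tmp, "dev-department")    # constructed sibling repo
        os.makedirs(root)
        os.makedirs(os.path.join(sibling, "core-lead"))
        # Cross-repo symlink inside the root pointing at the sibling clone.
        os.symlink(sibling, os.path.join(root, "dev-lead"))
        cases = {
            "symlinked": os.path.join(root, "dev-lead", "core-lead"),
            "escape": os.path.join(root, "..", "..", "..", "etc", "passwd"),
            "plain": os.path.join(root, "teams", "dev.yaml"),
        }
        return {name: (is_inside_root(root, p), is_inside_root_realpath(root, p))
                for name, p in cases.items()}


if __name__ == "__main__":
    for name, (lexical, real) in compare_checks().items():
        print(f"{name:10s} lexical={lexical} realpath={real}")
```

The lexical check accepts the symlinked path and still rejects the `..` escape, but it places no constraint on where a symlink inside the root points, so the contents of the root have to be trusted separately.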
Phase 3c-2 of internal#77 (dev-department extraction).
What this commit lands:
- 27 dev-tree workspace folders + teams/{core-platform,controlplane,
  app-docs,infra,sdk,documentation-specialist,triage-operator,dev}.yaml
  composition layer (extracted via git filter-repo).
- 6 commits of git history preserved for the dev paths (subset of
  parent's 11 — only commits that touched dev paths kept).
- 17 orphaned folders from parent template DROPPED at extract time
  (backend-engineer{,-2,-3}, frontend-engineer{,-2,-3}, qa-engineer{,-2,-3},
  security-auditor{,-2}, platform-engineer, devops-engineer, sre-engineer,
  offensive-security-engineer, devrel-engineer, triage-operator-2,
  uiux-designer). These were not reachable from any teams/*.yaml
  !include chain in the parent.
- dev-department.yaml roots populated to point at teams/dev.yaml.
- teams/dev.yaml gains triage-operator as a direct child (Q2). Q1
  doc-spec is already transitively under dev-lead via app-docs sub-team
  (teams/app-docs.yaml children include documentation-specialist.yaml),
  so no additional include needed there.
- Validator improvements (Phase 3b refinements):
  * Registers files_dir-declared workspace folders from !include'd
    team yamls (was missing — *-lead workspaces previously orphaned).
  * Deduplicates inline files_dir registration after !include path
    has already registered the same folder.
  * Filesystem scan now treats system-prompt.md / initial-prompt.md
    as workspace markers (workspace.yaml is optional in transitional
    shape).
  * --strict flag (or MOLECULE_VALIDATE_TREE_STRICT=1) makes
    cross-tree '..' refs hard-fail instead of warn. Phase 3c-3 will
    flip the CI gate to --strict once atomization removes them.
Validator state on this commit (default mode):
  filesystem workspace folders : 28
  reachable from manifest      : 28
  orphans                      : 0
  cross-tree '..' refs         : 20 [WARN]
  duplicate-parent claims      : 0
  OK — tree is clean
The 20 cross-tree '..' refs are the transitional teams/<sub-team>.yaml
shape pre-atomization (Phase 3c-3 lifts each *-lead workspace into a
folder containing its sub-team children, dissolving teams/ entirely).
Refs:
internal#77 — extraction RFC
Hongming GO 2026-05-08 + 'approved keep going' 2026-05-08
SOP Phase 3c-2 — task #228
Combines:
- HEAD (this branch): dev tree extracted from molecule-ai-org-template-molecule-dev
  via git filter-repo, preserving 6 of 11 parent commits that touched dev paths.
- dev-dept main (a21212d): initial scaffold — validator, dev-department.yaml,
  CI gate, README explaining subtree contract.
Phase 3c-2 of internal#77 (dev-department extraction).
Approved by Hongming 2026-05-08.
# Conflicts:
# .gitattributes
Initial scaffold for the dev-department subtree repo. No workspace
content yet — that lands in Phase 3c-2 (extract dev tree with git
history from molecule-ai-org-template-molecule-dev).
Files:
- dev-department.yaml
    manifest with defaults + category_routing, empty roots: [] (gets
    populated by extract).
- .molecule-ci/scripts/validate-tree.py
    orphan / reachability lint. Walks manifest → roots → recursive
    children + !include, compares against filesystem, reports orphans +
    cross-tree '..' refs + duplicate parents + missing workspace.yaml.
    Exits non-zero on any violation. Stdlib only + PyYAML.
- .github/workflows/validate.yml
    CI gate runs the validator on every PR + push to main/staging.
    Pinned action SHAs per saved memory feedback_pin_third_party_actions.
- README.md
    explains subtree contract: parent template must symlink the
    dev-department under a short name (e.g. `dev`), workspace files_dir
    paths inside this repo use the symlink prefix, this repo is NOT
    directly importable as a standalone org template.
- .gitignore
    ignore .env (per-workspace secrets are populated by platform import,
    never committed).
- .gitattributes
    force LF on shell/Python/YAML.
Verified locally:
- empty tree → "OK — tree is clean", exit 0.
- cross-tree `..` fixture → exit 1, FAIL with reported violation.
- orphan fixture → exit 1, FAIL with reported orphan folder.
Refs:
- internal#77 (extraction RFC, Phase 1+2 done as comment 1886)
- molecule-core#102 (symlink-resolution contract pinned by tests)
- Hongming GO 2026-05-08 ("you own this feature and repos, start")
- SOP Phase 3b — task #223
Every persona's initial-prompt.md starts with `git clone https://github.com/Molecule-AI/<repo>.git`
which now hard-fails because the GitHub org was suspended on 2026-05-06. This
blocks every fresh agent at boot.
Changes:
- All 49 persona initial-prompt.md files: rewrite clone URLs to
  https://git.moleculesai.app/molecule-ai/<repo>.git, and switch the
  in-URL token from ${GITHUB_TOKEN} to ${GITEA_TOKEN} (matches the
  env-var contract documented in SHARED_RULES.md after the gh→tea migration).
- 4 schedule files (landingpage-check, landingpage-seo-check,
  daily-changelog) — same rewrite.
- org.yaml defaults block (3 refs + the 'if [ -n "$GITHUB_TOKEN" ]'
  guard renamed to GITEA_TOKEN to match the new var).
- SHARED_RULES.md DOCUMENTATION_POLICY full-policy URL.
- documentation-specialist/system-prompt.md: reframed the org-profile
  table row (was 'renders on github.com/Molecule-AI', now noted as
  the now-suspended org page kept for reference).
Scope per Task #168: non-Go-module URL refs only. No go.mod / go.sum
in this repo, so this PR is complete coverage for this repo.
After this lands every persona will boot with a working clone again.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Mass-sed across all 58 persona dirs in molecule-ai-org-template-molecule-dev.
Total: 158 files / 396 substitutions
- 389 gh → tea mappings (gh pr/issue/repo/run/auth → tea pr/issue/repo/action/login)
- 7 gh api → curl-via-API mappings
- All Molecule-AI/<repo> → molecule-ai/<repo> in --repo flags (Gitea slug case-sensitive)
Plus SHARED_RULES.md migration callout block + tea install snippet:
- Tea v0.9.2 install via wget (Q2 = B per orchestrator: per-job, not pre-baked into runner image)
- Authenticate using GITEA_TOKEN env var (gating on internal#44 workspace-bootstrap injection)
- Two known limitations called out:
  1. GITEA_TOKEN required for tea/curl auth (internal#44 pending)
  2. tea is per-job-installed; pre-bake parked for image-v2 work
- Cross-link to internal#45 for additions
Two manual edge cases:
- gh search code (no tea equivalent) → curl + tea repo clone + grep recipe
- URL with mixed-case Molecule-AI → lowercase molecule-ai (Gitea case-sensitive)
3 narrative GH_TOKEN references in SHARED_RULES.md intentionally preserved
(describe an env var name, not commands).
Q1=A (mega-PR) per orchestrator dispatch 2026-05-07T09:50:08.
Refs: molecule-ai/internal#45, molecule-ai/internal#44 (GITEA_TOKEN dep)