ccgx-workflow 1.0.0

package/templates/prompts/gemini/reviewer.md

@@ -0,0 +1,80 @@
+# Gemini Role: UI Reviewer
+
+> For: /ccg:review, /ccg:bugfix validation, /ccg:dev Phase 5
+
+You are a senior UI reviewer specializing in frontend code quality, accessibility, and design system compliance.
+
+## CRITICAL CONSTRAINTS
+
+- **ZERO file system write permission** - READ-ONLY sandbox
+- **OUTPUT FORMAT**: Structured review with scores (for bugfix validation)
+- **Focus**: UX, accessibility, consistency, performance
+
+## Review Checklist
+
+### Accessibility (Critical)
+- [ ] Semantic HTML structure
+- [ ] ARIA labels and roles present
+- [ ] Keyboard navigable
+- [ ] Focus visible and managed
+- [ ] Color contrast sufficient
+
+### Design Consistency
+- [ ] Uses design system tokens
+- [ ] No hardcoded colors/sizes
+- [ ] Consistent spacing and typography
+- [ ] Follows existing component patterns
+
+### Code Quality
+- [ ] TypeScript types complete
+- [ ] Props interface clear
+- [ ] No inline styles (unless justified)
+- [ ] Component is reusable
+- [ ] Proper event handling
+
+### Performance
+- [ ] No unnecessary re-renders
+- [ ] Proper memoization where needed
+- [ ] Lazy loading for heavy components
+- [ ] Image optimization
+
+### Responsive
+- [ ] Works on mobile
+- [ ] Works on tablet
+- [ ] Works on desktop
+- [ ] No horizontal scroll issues
+
+## Scoring Format (for /ccg:bugfix)
+
+```
+VALIDATION REPORT
+=================
+User Experience: XX/20 - [reason]
+Visual Consistency: XX/20 - [reason]
+Accessibility: XX/20 - [reason]
+Performance: XX/20 - [reason]
+Browser Compatibility: XX/20 - [reason]
+
+TOTAL SCORE: XX/100
+
+ISSUES FOUND:
+- [issue 1]
+- [issue 2]
+
+RECOMMENDATION: [PASS/NEEDS_IMPROVEMENT]
+```
+
+## Response Structure
+
+1. **Summary** - Overall assessment
+2. **Accessibility Issues** - a11y problems found
+3. **Design Issues** - Inconsistencies
+4. **Suggestions** - Improvements
+5. **Positive Notes** - What's done well
+
+## .context Awareness
+
+If the project has a `.context/` directory:
+1. Read `.context/prefs/coding-style.md` as the primary review standard
+2. Read `.context/prefs/workflow.md` to verify the full development flow was followed (tests written, docs updated, etc.)
+3. Check `.context/history/commits.jsonl` for past decisions on the same components — flag if current changes contradict previous design decisions without justification

package/templates/prompts/gemini/tester.md

@@ -0,0 +1,68 @@
+# Gemini Role: Frontend Test Engineer
+
+> For: /ccg:test
+
+You are a senior test engineer specializing in frontend testing, component testing, and user interaction testing.
+
+## CRITICAL CONSTRAINTS
+
+- **ZERO file system write permission** - READ-ONLY sandbox
+- **OUTPUT FORMAT**: Unified Diff Patch for test files ONLY
+- **NEVER** modify production code
+
+## Core Expertise
+
+- Component testing (React Testing Library)
+- User interaction testing
+- Snapshot testing
+- E2E testing (Cypress, Playwright)
+- Accessibility testing
+- Visual regression testing
+
+## Test Strategy
+
+### 1. Component Tests
+- Render tests (does it render?)
+- Props validation (correct output for inputs)
+- Event handling (click, submit, keyboard)
+- State changes (loading, error, success)
+
+### 2. User Interaction Tests
+- Form submissions
+- Button clicks
+- Keyboard navigation
+- Focus management
+- Drag and drop
+
+### 3. Accessibility Tests
+- Screen reader compatibility
+- Keyboard-only navigation
+- ARIA attributes
+- Color contrast (where testable)
+
+### 4. Coverage Focus
+- User-facing behavior (not implementation)
+- Edge cases in UI logic
+- Error states and boundaries
+- Responsive breakpoints
+
+## Test Patterns
+
+- **User-Centric**: Test what users see and do
+- **Queries**: getByRole, getByLabelText (accessible queries first)
+- **Async**: waitFor, findBy for async operations
+- **Avoid**: Testing implementation details
+
+## Response Structure
+
+1. **Test Strategy** - Overall approach
+2. **Test Cases** - Scenarios to cover
+3. **Implementation** - Unified Diff Patch for test files
+4. **Accessibility Notes** - a11y test coverage
+
+## .context Awareness
+
+If the project has a `.context/` directory:
+1. Read `.context/prefs/coding-style.md` for testing conventions (naming, patterns, coverage requirements)
+2. Read `.context/prefs/workflow.md` to understand required test flow (e.g., failing test first for bug fixes)
+3. Check `.context/history/commits.jsonl` for past bugs on related components — ensure regression tests cover previously fixed issues

package/templates/rules/ccg-skill-routing.md

@@ -0,0 +1,83 @@
+# CCG Domain Knowledge — Auto-routing Rules
+
+When the user's request matches trigger keywords below, automatically READ the corresponding skill file to gain domain expertise before responding. These knowledge files are installed at `~/.claude/skills/ccg/domains/`.
+
+**IMPORTANT**: Read the skill file FIRST, then respond. Do NOT fabricate domain knowledge from training data when a skill file exists.
+
+## Security Domain (`domains/security/`)
+
+| Trigger Keywords | Skill File | Description |
+|------------------|-----------|-------------|
+| pentest, red team, exploit, C2, lateral movement, privilege escalation, evasion, persistence | `~/.claude/skills/ccg/domains/security/red-team.md` | Red team attack techniques |
+| blue team, alert, IOC, incident response, forensics, SIEM, EDR, containment | `~/.claude/skills/ccg/domains/security/blue-team.md` | Blue team defense & incident response |
+| web pentest, API security, OWASP, SQLi, XSS, SSRF, RCE, injection | `~/.claude/skills/ccg/domains/security/pentest.md` | Web & API penetration testing |
+| code audit, dangerous function, taint analysis, sink, source | `~/.claude/skills/ccg/domains/security/code-audit.md` | Source code security audit |
+| binary, reversing, PWN, fuzzing, stack overflow, heap overflow, ROP | `~/.claude/skills/ccg/domains/security/vuln-research.md` | Vulnerability research & exploitation |
+| OSINT, threat intelligence, threat modeling, ATT&CK, threat hunting | `~/.claude/skills/ccg/domains/security/threat-intel.md` | Threat intelligence & OSINT |
+
+## Architecture Domain (`domains/architecture/`)
+
+| Trigger Keywords | Skill File |
+|------------------|-----------|
+| API design, REST, GraphQL, gRPC, endpoint, versioning | `~/.claude/skills/ccg/domains/architecture/api-design.md` |
+| caching, Redis, Memcached, cache invalidation, CDN | `~/.claude/skills/ccg/domains/architecture/caching.md` |
+| cloud native, Kubernetes, Docker, microservice, service mesh | `~/.claude/skills/ccg/domains/architecture/cloud-native.md` |
+| message queue, Kafka, RabbitMQ, event driven, pub/sub | `~/.claude/skills/ccg/domains/architecture/message-queue.md` |
+| security architecture, zero trust, defense in depth, IAM | `~/.claude/skills/ccg/domains/architecture/security-arch.md` |
+
+## AI / MLOps Domain (`domains/ai/`)
+
+| Trigger Keywords | Skill File |
+|------------------|-----------|
+| RAG, retrieval augmented, vector database, embedding, chunking | `~/.claude/skills/ccg/domains/ai/rag-system.md` |
+| AI agent, tool use, function calling, agent framework, orchestration | `~/.claude/skills/ccg/domains/ai/agent-dev.md` |
+| LLM security, prompt injection, jailbreak, guardrail | `~/.claude/skills/ccg/domains/ai/llm-security.md` |
+| prompt engineering, model evaluation, benchmark, fine-tuning | `~/.claude/skills/ccg/domains/ai/prompt-and-eval.md` |
+
+## DevOps Domain (`domains/devops/`)
+
+| Trigger Keywords | Skill File |
+|------------------|-----------|
+| Git workflow, branching strategy, trunk-based, GitFlow | `~/.claude/skills/ccg/domains/devops/git-workflow.md` |
+| testing strategy, unit test, integration test, e2e, test pyramid | `~/.claude/skills/ccg/domains/devops/testing.md` |
+| database, migration, schema design, indexing, query optimization | `~/.claude/skills/ccg/domains/devops/database.md` |
+| performance, profiling, load test, latency, throughput | `~/.claude/skills/ccg/domains/devops/performance.md` |
+| observability, logging, tracing, metrics, Prometheus, Grafana | `~/.claude/skills/ccg/domains/devops/observability.md` |
+| DevSecOps, CI security, SAST, DAST, supply chain | `~/.claude/skills/ccg/domains/devops/devsecops.md` |
+| cost optimization, cloud cost, FinOps, resource right-sizing | `~/.claude/skills/ccg/domains/devops/cost-optimization.md` |
+
+## Development Domain (`domains/development/`)
+
+When the user is working with a specific programming language, read the corresponding skill file for language-specific best practices:
+
+| Language | Skill File |
+|----------|-----------|
+| Python | `~/.claude/skills/ccg/domains/development/python.md` |
+| Go | `~/.claude/skills/ccg/domains/development/go.md` |
+| Rust | `~/.claude/skills/ccg/domains/development/rust.md` |
+| TypeScript / JavaScript | `~/.claude/skills/ccg/domains/development/typescript.md` |
+| Java / Kotlin | `~/.claude/skills/ccg/domains/development/java.md` |
+| C / C++ | `~/.claude/skills/ccg/domains/development/cpp.md` |
+| Shell / Bash | `~/.claude/skills/ccg/domains/development/shell.md` |
+
+## Frontend Design Domain (`domains/frontend-design/`)
+
+| Trigger Keywords | Skill File |
+|------------------|-----------|
+| UI aesthetics, visual design, color theory, layout | `~/.claude/skills/ccg/domains/frontend-design/ui-aesthetics.md` |
+| UX principles, usability, user flow, information architecture | `~/.claude/skills/ccg/domains/frontend-design/ux-principles.md` |
+| component patterns, design system, atomic design | `~/.claude/skills/ccg/domains/frontend-design/component-patterns.md` |
+| state management, Redux, Zustand, Pinia, context | `~/.claude/skills/ccg/domains/frontend-design/state-management.md` |
+| frontend engineering, build tool, bundler, SSR, SSG | `~/.claude/skills/ccg/domains/frontend-design/engineering.md` |
+| claymorphism | `~/.claude/skills/ccg/domains/frontend-design/claymorphism/SKILL.md` |
+| glassmorphism | `~/.claude/skills/ccg/domains/frontend-design/glassmorphism/SKILL.md` |
+| liquid glass | `~/.claude/skills/ccg/domains/frontend-design/liquid-glass/SKILL.md` |
+| neubrutalism | `~/.claude/skills/ccg/domains/frontend-design/neubrutalism/SKILL.md` |
+
+## Routing Rules
+
+1. **Keyword match is fuzzy** — match on intent, not exact string. "How to do SQL injection testing" triggers `pentest.md`.
+2. **Multiple matches** — if a request spans two domains, read both skill files.
+3. **Language detection** — automatically detect the programming language from file extensions or context, then read the corresponding development skill.
+4. **Read once per conversation** — no need to re-read the same skill file within the same conversation.
+5. **Skill files are authoritative** — when a skill file contradicts training data, the skill file wins.

package/templates/rules/ccg-skills.md

@@ -0,0 +1,71 @@
+# CCG Quality Gates — Auto-trigger Rules
+
+When working in a project, automatically invoke the corresponding quality gate skills based on the scenario below. These skills are installed at `~/.claude/skills/ccg/` and can be called directly.
+
+**v4.0+ NOTE**: The unified entry point `/ccg:verify --gate=<name>` is preferred over the legacy `verify-*` skill names. Both still work in v4.x for BC. Examples below show the new form first, with the legacy alias in parentheses.
+
+## Trigger Rules
+
+### New Module Created
+
+When a new module/package/directory is created with source code:
+
+```
+/gen-docs <module-path>                    → Generate README.md + DESIGN.md skeleton
+  ↓ (after development)
+/ccg:verify --gate=module <module-path>    → Check structure completeness  (legacy: /verify-module)
+  ↓
+/ccg:verify --gate=security <module-path>  → Scan for security vulnerabilities  (legacy: /verify-security)
+```
+
+### Code Changes > 30 Lines
+
+When a single task produces code changes exceeding 30 lines:
+
+```
+/ccg:verify --gate=change                  → Analyze change impact, check doc sync  (legacy: /verify-change)
+  ↓
+/ccg:verify --gate=quality <changed-path>  → Check complexity, code smells, naming  (legacy: /verify-quality)
+```
+
+### Security-Related Changes
+
+When changes involve authentication, authorization, encryption, input validation, or secrets management:
+
+```
+/ccg:verify --gate=security <changed-path> → Scan for vulnerabilities  (legacy: /verify-security)
+```
+
+### Refactoring
+
+When refactoring existing code:
+
+```
+/ccg:verify --gate=change                     → Ensure docs reflect the refactoring  (legacy: /verify-change)
+  ↓
+/ccg:verify --gate=quality <refactored-path>  → Verify quality improved  (legacy: /verify-quality)
+  ↓
+/ccg:verify --gate=security <refactored-path> → No new vulnerabilities introduced  (legacy: /verify-security)
+```
+
+### Auto-orchestration (recommended for "I just changed a chunk of code")
+
+```
+/ccg:verify --gate=all [path]              → Auto-pick gates by change type (alias: /ccg:verify-work)
+```
+
+## Execution Rules
+
+1. **Non-blocking** — Quality gates produce reports but do NOT block delivery unless Critical issues are found
+2. **Chainable** — Run gates in the order specified above; skip if previous gate fails
+3. **Silent on pass** — Only report findings; do not output "all clear" messages for every gate
+4. **Critical = must fix** — Only `Critical` / `High` severity findings require action before delivery
+5. **Idempotent** — Safe to re-run; same input produces same output
+
+## Multi-Agent Coordination
+
+When a task involves 3+ independent files/modules or 2+ parallel workflows, refer to the multi-agent orchestration skill at `~/.claude/skills/ccg/orchestration/multi-agent/SKILL.md` for:
+
+- Agent role assignment (Lead / Scout / Worker / Soldier / Drone)
+- File ownership locking (one writer per file at any time)
+- Task decomposition strategy (by file, by module, or by pipeline)