ccgx-workflow 1.0.2 → 1.0.4

package/dist/cli.mjs

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 import cac from 'cac';
 import ansis from 'ansis';
-import { d as diagnoseMcpConfig, i as isWindows, r as readClaudeCodeConfig, f as fixWindowsMcpConfig, w as writeClaudeCodeConfig, a as readCcgConfig, b as initI18n, c as i18n, s as showMainMenu, e as init, g as configMcp, v as version } from './shared/ccgx-workflow.Bq9vAaEw.mjs';
+import { d as diagnoseMcpConfig, i as isWindows, r as readClaudeCodeConfig, f as fixWindowsMcpConfig, w as writeClaudeCodeConfig, a as readCcgConfig, b as initI18n, c as i18n, s as showMainMenu, e as init, g as configMcp, v as version } from './shared/ccgx-workflow.Bl0vlpC_.mjs';
 import 'inquirer';
 import 'ora';
 import 'node:child_process';
@@ -11,6 +11,8 @@ import 'node:url';
 import 'pathe';
 import 'fs-extra';
 import 'smol-toml';
+import 'node:fs';
+import 'node:path';
 import 'i18next';
 
 async function diagnoseMcp() {

package/dist/index.mjs

@@ -1,5 +1,5 @@
-import { h as collectSkills } from './shared/ccgx-workflow.Bq9vAaEw.mjs';
-export { j as changeLanguage, F as checkForUpdates, H as collectInvocableSkills, G as compareVersions, l as createDefaultConfig, m as createDefaultRouting, I as generateCommandContent, n as getCcgDir, o as getConfigPath, D as getCurrentVersion, E as getLatestVersion, q as getWorkflowById, p as getWorkflowConfigs, c as i18n, e as init, b as initI18n, x as installAceTool, y as installAceToolRs, J as installSkillCommands, t as installWorkflows, B as migrateToV1_4_0, C as needsMigration, K as parseFrontmatter, a as readCcgConfig, s as showMainMenu, A as uninstallAceTool, z as uninstallWorkflows, u as update, k as writeCcgConfig } from './shared/ccgx-workflow.Bq9vAaEw.mjs';
+import { h as collectSkills } from './shared/ccgx-workflow.Bl0vlpC_.mjs';
+export { j as changeLanguage, F as checkForUpdates, H as collectInvocableSkills, G as compareVersions, l as createDefaultConfig, m as createDefaultRouting, I as generateCommandContent, n as getCcgDir, o as getConfigPath, D as getCurrentVersion, E as getLatestVersion, q as getWorkflowById, p as getWorkflowConfigs, c as i18n, e as init, b as initI18n, x as installAceTool, y as installAceToolRs, J as installSkillCommands, t as installWorkflows, B as migrateToV1_4_0, C as needsMigration, K as parseFrontmatter, a as readCcgConfig, s as showMainMenu, A as uninstallAceTool, z as uninstallWorkflows, u as update, k as writeCcgConfig } from './shared/ccgx-workflow.Bl0vlpC_.mjs';
 import { existsSync, readFileSync, mkdirSync, writeFileSync, statSync, readdirSync } from 'node:fs';
 import { join, dirname } from 'node:path';
 import { homedir } from 'node:os';
@@ -986,9 +986,9 @@ function resolveQualityTier(input) {
   return { tier: "triple", source: "default" };
 }
 const PHASE_RUNNER_BUDGET_USD = {
-  fast: 1,
-  triple: 2,
-  debate: 5
+  fast: 50,
+  triple: 100,
+  debate: 250
 };
 function shellSingleQuote(s) {
   return `'${s.replace(/'/g, `'\\''`)}'`;

package/dist/shared/{ccgx-workflow.Bq9vAaEw.mjs → ccgx-workflow.Bl0vlpC_.mjs}

@@ -8,9 +8,11 @@ import { fileURLToPath } from 'node:url';
 import { join, dirname, relative, sep, basename } from 'pathe';
 import fs from 'fs-extra';
 import { parse, stringify } from 'smol-toml';
+import { existsSync, readFileSync } from 'node:fs';
+import { join as join$1 } from 'node:path';
 import i18next from 'i18next';
 
-const version = "1.0.2";
+const version = "1.0.4";
 
 function cmd(id, order, category, name, nameEn, description, descriptionEn, cmdOverride) {
   return {
@@ -291,6 +293,61 @@ function getMcpCommand(command) {
   return [command];
 }
 
+const VENDOR_MARKETPLACE_KEYS = {
+  codex: "codex@openai-codex",
+  gemini: "gemini@google-gemini"
+};
+function discoverCompanion(vendor, homeDir = homedir()) {
+  const ssotPath = join$1(homeDir, ".claude", "plugins", "installed_plugins.json");
+  if (!existsSync(ssotPath)) return null;
+  let raw;
+  try {
+    raw = JSON.parse(readFileSync(ssotPath, "utf-8"));
+  } catch {
+    return null;
+  }
+  const key = VENDOR_MARKETPLACE_KEYS[vendor];
+  const instances = raw?.plugins?.[key];
+  if (!Array.isArray(instances) || instances.length === 0) return null;
+  const inst = instances[0];
+  const installPath = inst?.installPath;
+  if (typeof installPath !== "string" || !installPath) return null;
+  const companionPath = join$1(installPath, "scripts", `${vendor}-companion.mjs`);
+  if (!existsSync(companionPath)) return null;
+  const version = typeof inst?.version === "string" ? inst.version : "unknown";
+  return { vendor, installPath, companionPath, version };
+}
+function shellQuotePosix(s) {
+  return `'${s.replace(/'/g, "'\\''")}'`;
+}
+function buildBashCommand(loc, options = {}) {
+  const jsonOutput = options.jsonOutput ?? true;
+  const promptPlaceholder = options.promptPlaceholder ?? "%PROMPT%";
+  const heredocDelimiter = options.heredocDelimiter ?? "CCG_PROMPT_EOF";
+  const quotedPath = shellQuotePosix(loc.companionPath);
+  const flags = jsonOutput ? "--json" : "";
+  return [
+    `node ${quotedPath} task ${flags}-p "$(cat <<'${heredocDelimiter}'`,
+    promptPlaceholder,
+    heredocDelimiter,
+    `)"`
+  ].join("\n").replace(/ -p/, " -p").replace(/  +/g, " ").trimEnd();
+}
+function buildPluginMissingFallback(vendor) {
+  const key = VENDOR_MARKETPLACE_KEYS[vendor];
+  return [
+    `# CCG: ${vendor} plugin (${key}) not installed at CCG install time.`,
+    `# Install with: claude plugin install ${key}`,
+    `# Then re-run: npx ccgx-workflow init --skip-prompt --skip-mcp`,
+    `echo 'CCG: ${vendor} plugin not available' >&2 && exit 1`
+  ].join("\n");
+}
+function resolvePluginBashCommand(vendor, options = {}, homeDir) {
+  const loc = discoverCompanion(vendor, homeDir);
+  if (!loc) return buildPluginMissingFallback(vendor);
+  return buildBashCommand(loc, options);
+}
+
 const __filename$2 = fileURLToPath(import.meta.url);
 const __dirname$2 = dirname(__filename$2);
 function findPackageRoot$1(startDir) {
@@ -356,6 +413,18 @@ function injectConfigVariables(content, config) {
   }
   const liteModeFlag = config.liteMode ? "--lite " : "";
   processed = processed.replace(/\{\{LITE_MODE_FLAG\}\}/g, liteModeFlag);
+  if (processed.includes("{{CODEX_BASH_TASK}}")) {
+    processed = processed.replace(/\{\{CODEX_BASH_TASK\}\}/g, resolvePluginBashCommand("codex"));
+  }
+  if (processed.includes("{{CODEX_BASH_TASK_TEXT}}")) {
+    processed = processed.replace(/\{\{CODEX_BASH_TASK_TEXT\}\}/g, resolvePluginBashCommand("codex", { jsonOutput: false }));
+  }
+  if (processed.includes("{{GEMINI_BASH_TASK}}")) {
+    processed = processed.replace(/\{\{GEMINI_BASH_TASK\}\}/g, resolvePluginBashCommand("gemini"));
+  }
+  if (processed.includes("{{GEMINI_BASH_TASK_TEXT}}")) {
+    processed = processed.replace(/\{\{GEMINI_BASH_TASK_TEXT\}\}/g, resolvePluginBashCommand("gemini", { jsonOutput: false }));
+  }
   const mcpProvider = config.mcpProvider || "ace-tool";
   if (mcpProvider === "skip") {
     processed = processed.replace(/,\s*\{\{MCP_SEARCH_TOOL\}\}/g, "");

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ccgx-workflow",
-  "version": "1.0.2",
+  "version": "1.0.4",
   "description": "Multi-model orchestration for Claude Code. Codex + Gemini parallel collaboration with fresh-context subagent protocols, OS-level process isolation, and Plan-Critic-Verify quality tiers. Successor to ccg-workflow.",
   "type": "module",
   "packageManager": "pnpm@10.17.1",

package/templates/commands/agents/interface-auditor.md

@@ -99,7 +99,32 @@ phase_files: [<本 phase 修改/新增的相对路径>]
 [{severity: info, category: commit-diff-drift, message: "subject says 'add foo' but git stat 无新建 foo 路径文件 (best-effort 检测，可能误报)"}]
 ```
 
-### 5. Mock 与 ground truth schema 偏差（info/major）
+### 5. Inline plugin Bash 命令拼接（critical，1.0.4 新增）
+
+**目的**：检测模板里有没有手写 inline `node "$(ls .../codex-companion.mjs | head -1)" task -p ...` 命令——绕过 1.0.4 install-time codegen 占位符（`{{CODEX_BASH_TASK}}` / `{{GEMINI_BASH_TASK}}` / `{{CODEX_BASH_TASK_TEXT}}` / `{{GEMINI_BASH_TASK_TEXT}}`），重新引入 v4.4.1 同型的"flag 漂移 + 路径 glob hack"风险。
+
+**为什么这是 critical**：
+
+- inline 拼接给 LLM 自由发挥空间——LLM 看到示例后会**编造**未在示例中出现的 flag（与 v4.4.1 编造 `codex:rescue` 单前缀同型）
+- `ls .../*-companion.mjs | head -1` 在 plugin 多版本 cache 下行为不可预测（installed_plugins.json 才是 SSoT）
+- 跳过 install-time codegen 意味着 plugin 未装时模板**静默坏掉**而不是给出清晰错误
+
+**怎么做**：
+1. 本 phase commit 影响的 `.md` 文件中（仅扫 `templates/commands/**.md`）grep：
+   - `node\s+["'`].*?-companion\.mjs.*?\btask\b.*?-p\b` — inline 命令模式
+   - `\$\(ls\s+.*-companion\.mjs.*head\s+-1\)` — glob hack 模式
+   - `buildPluginBashCommand\s*\(` — TS-helper 伪代码模式（codex 审计提到的"helper opts 漂移"风险）
+2. 命中即 critical，除非该出现位置是：
+   - 1.0.4+ CHANGELOG / migration doc 的"反例对照"段落
+   - `agents/interface-auditor.md` 自身（本 rule 说明）
+   - 测试 fixture（`__tests__/`、`fixtures/`、`*.test.*`）
+
+**critical 例子**：
+```
+[{severity: critical, category: inline-plugin-bash, message: "review.md:58 inline `node ... codex-companion.mjs ... task -p` — 应改用 {{CODEX_BASH_TASK}} install-time codegen 占位符（1.0.4 起）"}]
+```
+
+### 6. Mock 与 ground truth schema 偏差（info/major）
 
 **目的**：测试 mock 数据跟真实 schema 不一致（与 P28 fixtures 协作；本 agent 仅做轻量提示）。
 
@@ -123,14 +148,15 @@ phase_files: [<本 phase 修改/新增的相对路径>]
 2. `git show <commit_hash> --name-only` → phase_files 验证；若 prompt 给的列表跟 git 不一致以 git 为准
 3. 过滤掉非 `.ts` / `.md` / `package.json` 的文件（图片、bin 等不审）
 
-### Step 2: 五项检查并行思考
-对每个 phase 修改文件分别跑 5 项检查的 grep。每条命中产出一个 Finding 候选。
+### Step 2: 六项检查并行思考
+对每个 phase 修改文件分别跑 6 项检查的 grep。每条命中产出一个 Finding 候选。
 
 ### Step 3: 假阳性过滤
 - SSoT 违反：排除测试文件、type union 同名、re-export
 - 半成品：排除 default export、type-only re-export 到 index.ts
 - magic string：排除 CCG 自家 agent 名（白名单）
 - commit drift：用模糊匹配，命中率不高时降级 info
+- inline-plugin-bash：排除 CHANGELOG/migration 反例段、interface-auditor.md 自身说明、测试 fixture
 - mock drift：纯 best-effort，全部标 info severity
 
 ### Step 4: 输出 ≤200 token 摘要
@@ -139,7 +165,7 @@ phase_files: [<本 phase 修改/新增的相对路径>]
 
 ```
 STATUS: complete | error
-FINDINGS: [{severity: critical|major|info, category: ssot-violation|leftover|magic-string-mismatch|commit-diff-drift|mock-drift, message: "<具体证据 + 文件路径 + 行号>"}, ...]
+FINDINGS: [{severity: critical|major|info, category: ssot-violation|leftover|magic-string-mismatch|commit-diff-drift|inline-plugin-bash|mock-drift, message: "<具体证据 + 文件路径 + 行号>"}, ...]
 NOTES: <≤80 字一行总结>
 ```
 

package/templates/commands/review.md

@@ -51,25 +51,44 @@ argument-hint: "[代码或描述] [--adversarial] [--fix [--all] [--auto]] [--ro
 
 **调用语法**（v4.4.2 起 review/verify 路径默认走 Bash 直调）：
 
-**通道 A — Bash 直调 plugin script（v4.4.2 默认，绕开 sonnet wrapper）**：
+**通道 A — Bash 直调 plugin script（默认，绕开 sonnet wrapper）**：
+
+> 1.0.4 起 Bash 命令字符串由 install 时直接渲染（基于 `~/.claude/plugins/installed_plugins.json`
+> 真值源），LLM 只需 copy 整段 + 替换 `%PROMPT%` 即可。**禁止凭印象拼 `node "$(ls ...) | head -1"
+> task -p ...` inline 命令** —— glob hack 在 plugin 多版本 cache 下行为不可预测，且参数漂移
+> 与 v4.4.1 的 195 处错名 bug 同型。
 
 ```
+# 后端审查（codex 视角）
 Bash({
-  command: `node "$(ls ~/.claude/plugins/cache/openai-codex/codex/*/scripts/codex-companion.mjs | head -1)" task -p "<整段 prompt 含 ROLE_FILE + TASK + OUTPUT 要求>" --json`,
+  command: `{{CODEX_BASH_TASK}}`,   ← install 时已渲染为完整命令，含 heredoc 安全 prompt 注入
   description: "Review: backend (codex direct)",
   run_in_background: true,
   timeout: 3600000
 })
 
+# 前端审查（gemini 视角）
 Bash({
-  command: `node "$(ls ~/.claude/plugins/cache/google-gemini/gemini/*/scripts/gemini-companion.mjs | head -1)" task -p "<整段 prompt>" --json`,
+  command: `{{GEMINI_BASH_TASK}}`,
   description: "Review: frontend (gemini direct)",
   run_in_background: true,
   timeout: 3600000
 })
 ```
 
-⛔ **不要**用 `Agent(subagent_type="codex:codex-rescue"|"gemini:gemini-rescue")` —— plugin spawn 走 sonnet wrapper，broker 故障/CLI 空答时 wrapper 可能 silent fallback 自答冒充 cross-vendor 视角（v4.4.2 hotfix 决策，详见 `src/utils/verify-orchestrator.ts:planVerifyWave` `useDirectBashInvocation` 选项）。
+LLM 消费协议：把上面命令字符串里的 `%PROMPT%` 替换为完整 prompt 文本（含 ROLE_FILE 引用 +
+TASK 描述 + OUTPUT 要求），**不要在外面加任何 escape**——heredoc `<<'CCG_PROMPT_EOF'`
+的单引号 delimiter 已保证 `$` / `'` / `"` / `\` 全部按字面量处理。
+
+⛔ **不要**用 `Agent(subagent_type="codex:codex-rescue"|"gemini:gemini-rescue")`：
+
+review/verify 路径输出**直接落地**决策（PR merge / advance / revise / escalate），无下游兜底。
+plugin 经由 `Agent(...)` spawn 时引擎启动 sonnet wrapper 扮演 codex/gemini 客户端，broker 故障 /
+CLI 空答 / auth 过期时 wrapper 受 instruction-tuning 驱动**自答 fabricated cross-vendor 视角**
+（silent fallback），主线无法察觉。Bash 直调消除 wrapper 层，stdout 即真实 plugin 输出。
+
+详见 `src/utils/verify-orchestrator.ts:planVerifyWave` 的 `useDirectBashInvocation` 选项 +
+`src/utils/plugin-bash-codegen.ts`（1.0.4 install-time codegen）。
 
 主线接 stdout JSON（5-50KB），按 plugin --json schema 解析 `result.text` 字段，失败信号：
 - exit code ≠ 0 → loud fail，触发 v1.7.87 标准 2-retry / 5s / 3-attempts 规则
@@ -165,11 +184,21 @@ EOF",
 
 **仅当 `$ARGUMENTS` 含 `--adversarial` 字面量时启动**。否则跳过本阶段。
 
-调用方式（v4.4.2 起 Bash 直调，绕开 sonnet wrapper）：
+调用方式（Bash 直调，绕开 sonnet wrapper）：
 
 ```
 Bash({
-  command: `node "$(ls ~/.claude/plugins/cache/openai-codex/codex/*/scripts/codex-companion.mjs | head -1)" task -p "--adversarial-review
+  command: `{{CODEX_BASH_TASK}}`,   ← 同上，install 时渲染为完整命令
+  description: "Adversarial review (codex direct)",
+  run_in_background: true,
+  timeout: 3600000
+})
+```
+
+把命令里的 `%PROMPT%` 替换为以下完整 prompt 文本（heredoc 已保证字面量传递，不需要 escape）：
+
+```
+--adversarial-review
 
 请对以下代码变更进行敌对视角审查：
 
@@ -184,14 +213,11 @@ Bash({
 你的任务：
 1. 找出前两轮**未发现或低估**的安全/性能/正确性漏洞
 2. 假设代码作者刻意误导，挑刺
-3. 输出格式：[Critical-Adversarial] / [Major-Adversarial] 列表，每条标'为什么前两轮没发现'" --json`,
-  description: "Adversarial review (codex direct)",
-  run_in_background: true,
-  timeout: 3600000
-})
+3. 输出格式：[Critical-Adversarial] / [Major-Adversarial] 列表，每条标"为什么前两轮没发现"
 ```
 
-⛔ 不用 `Agent(subagent_type="codex:codex-rescue")` —— v4.4.2 决策：review/verify 路径绕开 sonnet wrapper，避免 silent fallback 冒充 adversarial 视角。
+⛔ 不用 `Agent(subagent_type="codex:codex-rescue")`：review/verify 路径输出直接落地，silent fallback
+风险（sonnet wrapper 受 instruction-tuning 自答冒充 adversarial 视角）不可接受。详见前文「通道 A」段。
 
 收到 stdout JSON 后解析 `result.text` 字段保留待阶段 3 综合。stdout 空或 exit≠0 → 走标准 2-retry 规则。
 

package/templates/scripts/ccg-phase-runner-launcher.mjs

@@ -152,7 +152,7 @@ Required:
 
 Optional:
   --tier <fast|triple|debate>   Quality tier; maps to --max-budget-usd
-                                (fast=1, triple=2, debate=5). Default: triple.
+                                (fast=50, triple=100, debate=250). Default: triple.
   --max-budget-usd <N>          Override per-call budget cap.
   --grace-ms <N>                SIGTERM->SIGKILL grace (default 5000).
 
@@ -193,7 +193,13 @@ function writeState(workdir, jobId, state) {
 // production phase-runner spawn).
 // ---------------------------------------------------------------------------
 
-const TIER_BUDGET = { fast: 1.0, triple: 2.0, debate: 5.0 }
+// v1.0.3: ×50 raise after user feedback. PoC D3 baseline (fast=$1 / triple=$2
+// / debate=$5) was tuned for "p90 + 50% margin" of *single phase* spawns, but
+// real autonomous runs hit the cap on edge cases ($1.034 over $1) — tight
+// enough to surface as failures rather than runaway loops. Raising to 50/100/
+// 250 keeps the runaway-loop guardrail intact (a stuck loop blows >$1000 fast)
+// while removing the false-positive failure mode for legitimately complex phases.
+const TIER_BUDGET = { fast: 50.0, triple: 100.0, debate: 250.0 }
 
 function buildClaudeArgs({ promptFile, workdir, tier, maxBudgetUsd }) {
   const budget = maxBudgetUsd ?? TIER_BUDGET[tier]

package/templates/scripts/repatch-gemini-plugin.mjs

@@ -132,6 +132,16 @@ const PATCHES = [
     match: /(spawnSync\(command,\s*\[name\],\s*\{\s*encoding:\s*"utf8",\s*stdio:\s*"pipe")(\s*\})/,
     replace: '$1, windowsHide: true$2',
   },
+  {
+    id: "P-9",
+    file: "lib/acp-client.mjs",
+    description: "JSON-RPC error swallowing (reject with bare {code,message} → caller sees '[object Object]')",
+    // Guard: any patched marker present
+    guard: /CCG P-9 patch/,
+    // Match: the bare reject(message.error) inside the response branch
+    match: /(if \(message\.error\) \{\s*\r?\n\s*)pending\.reject\(message\.error\);(\s*\r?\n\s*\} else \{)/,
+    replace: `$1// CCG P-9 patch: wrap JSON-RPC error object in Error instance.\n          // Without this, callers doing \`e instanceof Error ? e.message : String(e)\`\n          // get "[object Object]" — losing real error info (auth-expired, broker-dead,\n          // parse-error, etc). See .ccg-migration/PLUGIN-PATCHES.md P-9.\n          const _err = message.error;\n          const _wrapped = Object.assign(\n            new Error(typeof _err === "object" && _err !== null && _err.message\n              ? String(_err.message)\n              : String(_err)),\n            {\n              jsonrpcCode: typeof _err === "object" && _err !== null ? _err.code : undefined,\n              jsonrpcData: typeof _err === "object" && _err !== null ? _err.data : undefined,\n            },\n          );\n          pending.reject(_wrapped);$2`,
+  },
 ];
 
 let applied = 0;