[feat] Support optional custom scan-only agent role (e.g. OpenClaude via OpenRouter)

[alefricard]

Problem

CCG Workflow currently focuses on Claude as orchestrator, Codex for backend, and Gemini for frontend. This works well for execution, but there is no optional specialist role for repo-wide tactical scanning or security-focused scanning before implementation/review.

Proposed Solution

Add support for an optional custom operational agent role that is scan-only / review-only, for example:

• tactical-scan agent
• security-scan agent

This agent should:

• not write directly to the repository
• return analysis, risks, checklists, and patch suggestions only
• be callable manually and optionally integrated into planning/review flows

Example use cases:

• codebase impact scan after /ccg:plan
• hidden dependency / regression risk scan
• auth/env/config/Docker/CI permission review
• secret exposure / unsafe configuration review

Why this helps

This would expand the current workflow without breaking the existing architecture:

• Claude remains the orchestrator and final reviewer
• Codex and Gemini remain implementation specialists
• the extra agent acts as an independent analysis layer

Suggested scope

Phase 1

Optional tactical scan role

Phase 2

Optional security scan role

Example commands

• /ccg:scan
• /ccg:security-scan
• optional hook after /ccg:plan

Notes

A good first implementation could allow a custom provider/CLI adapter, so tools like OpenClaude (for example via OpenRouter) could be used as an additional scan-only worker.