codebyplan 1.11.2 → 1.13.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "codebyplan",
-  "version": "1.11.2",
+  "version": "1.13.0",
   "description": "CLI for CodeByPlan — AI-powered development planning and tracking",
   "type": "module",
   "bin": {

package/templates/hooks/README.md

@@ -228,18 +228,6 @@ Denies any `git stash` command (including `git -C <dir> stash` and `git stash po
 
 ---
 
-### `cbp-mcp-worktree-inject.sh` — PreToolUse, matcher `mcp__codebyplan__(update_task|complete_task|complete_round|update_checkpoint)`
-
-Auto-injects `caller_worktree_id` into CodeByPlan MCP mutation calls when it's missing, resolving it via `npx codebyplan resolve-worktree` (with `--fallback-from-branch`). Closes the manual worktree-pinning workaround so MCP writes pass the server-side worktree pre-guard without hand-editing every call.
-
-**Blocks vs warns**: neither — emits an `updatedInput` to add the field when resolvable, otherwise passes the call through unchanged (graceful passthrough preserves backwards-compat).
-
-**Skips when**: the call already carries `caller_worktree_id`, or no worktree can be resolved (both → clean passthrough). A no-op in repos that don't use the CodeByPlan MCP.
-
-**Opt out**: settings.json override removing this entry, or plugin disable.
-
----
-
 ### `cbp-mcp-round-sync.sh` — PostToolUse, matcher `mcp__codebyplan__complete_round`
 
 After a `complete_round` MCP call succeeds, reconciles the round's `files_changed[]` against `git status`: new files in the diff are added (unapproved), and approval records no longer in the diff are flagged `removed_from_diff` (never deleted — lifecycle preserved).
@@ -258,7 +246,7 @@ After a `complete_round` MCP call succeeds, reconciles the round's `files_change
 
 Test suite for the plugin's 10 registered hooks. Runs two passes:
 
-1. **Header check** — every registered hook (`lint-format-on-edit`, `test-coverage-gate`, `pre-commit-quality-gate`, `maestro-yaml-validate`, `notify`, `auto-test-hooks`, `mcp-migration-guard`, `validate-git-stash-deny`, `cbp-mcp-worktree-inject`, `cbp-mcp-round-sync`) carries the required `# Hook:` and `# Purpose:` header comments. `statusline` uses its own `# Claude Code Status Line` marker.
+1. **Header check** — every registered hook (`lint-format-on-edit`, `test-coverage-gate`, `pre-commit-quality-gate`, `maestro-yaml-validate`, `notify`, `auto-test-hooks`, `mcp-migration-guard`, `validate-git-stash-deny`, `cbp-mcp-round-sync`) carries the required `# Hook:` and `# Purpose:` header comments. `statusline` uses its own `# Claude Code Status Line` marker.
 2. **Functional smoke tests** — each hook is invoked with synthetic stdin matching its fast-path / graceful-degrade input; all must exit 0.
 
 Not in `hooks.json` — invoked indirectly via `auto-test-hooks.sh` on hook edits, or directly via `bash ${CLAUDE_PLUGIN_ROOT}/hooks/test-hooks.sh`.

package/templates/hooks/cbp-statusline.mjs

@@ -118,6 +118,7 @@ function main() {
     rate_limits: true,
     repo_pr: true,
     worktree: true,
+    infra_drift: true,
     no_color: false,
   };
   try {
@@ -136,6 +137,7 @@ function main() {
           "rate_limits",
           "repo_pr",
           "worktree",
+          "infra_drift",
         ]) {
           if (typeof parsed.lines[k] === "boolean") cfg[k] = parsed.lines[k];
         }
@@ -374,6 +376,48 @@ function main() {
     }
   }
 
+  // ============================================================
+  // LINE 7 — Infra drift (monorepo feat branches behind main)
+  // ============================================================
+  // Only the codebyplan monorepo (templates/ present) on a feat branch can carry
+  // stale .claude/ infra. No fetch — counts against the cached origin/main only.
+  if (shouldShow("INFRA_DRIFT", cfg.infra_drift)) {
+    if (
+      BRANCH.startsWith("feat/") &&
+      fs.existsSync(
+        path.join(root, "packages", "codebyplan-package", "templates")
+      )
+    ) {
+      let behind = 0;
+      try {
+        behind = parseInt(
+          execFileSync(
+            "git",
+            [
+              "-C",
+              root,
+              "rev-list",
+              "--count",
+              "HEAD..origin/main",
+              "--",
+              ".claude",
+              "packages/codebyplan-package/templates",
+            ],
+            { encoding: "utf8", stdio: ["ignore", "pipe", "ignore"] }
+          ).trim(),
+          10
+        );
+      } catch {
+        behind = 0;
+      }
+      if (Number.isFinite(behind) && behind > 0) {
+        out.push(
+          `${C.YELLOW}⚠ infra ${behind} behind${C.RST} ${C.DIM}→ /cbp-refresh-infra${C.RST}`
+        );
+      }
+    }
+  }
+
   process.stdout.write(out.length ? out.join("\n") + "\n" : "");
 }
 

package/templates/hooks/cbp-statusline.py

@@ -80,7 +80,8 @@ def main():
     # ---- Config: line toggles + no_color -------------------------------------
     cfg = {
         "identity": True, "context": True, "cost": True,
-        "rate_limits": True, "repo_pr": True, "worktree": True, "no_color": False,
+        "rate_limits": True, "repo_pr": True, "worktree": True,
+        "infra_drift": True, "no_color": False,
     }
     try:
         with open(os.path.join(root, ".codebyplan", "statusline.json"), "r", encoding="utf-8") as fh:
@@ -90,7 +91,7 @@ def main():
                 cfg["no_color"] = parsed["no_color"]
             lines = parsed.get("lines")
             if isinstance(lines, dict):
-                for k in ["identity", "context", "cost", "rate_limits", "repo_pr", "worktree"]:
+                for k in ["identity", "context", "cost", "rate_limits", "repo_pr", "worktree", "infra_drift"]:
                     if isinstance(lines.get(k), bool):
                         cfg[k] = lines[k]
     except Exception:
@@ -321,6 +322,27 @@ def main():
             l6 += " %s%s%s" % (DIM, wt_path_disp, RST)
             out.append(l6)
 
+    # ===== LINE 7 — Infra drift (monorepo feat branches behind main) =====
+    # Only the codebyplan monorepo (templates/ present) on a feat branch can carry
+    # stale .claude/ infra. No fetch — counts against the cached origin/main only.
+    if should_show("INFRA_DRIFT", cfg["infra_drift"]):
+        if branch.startswith("feat/") and os.path.isdir(
+            os.path.join(root, "packages", "codebyplan-package", "templates")
+        ):
+            behind = 0
+            try:
+                res = subprocess.run(
+                    ["git", "-C", root, "rev-list", "--count", "HEAD..origin/main",
+                     "--", ".claude", "packages/codebyplan-package/templates"],
+                    stdout=subprocess.PIPE, stderr=subprocess.DEVNULL, text=True,
+                )
+                if res.returncode == 0:
+                    behind = int(res.stdout.strip() or "0")
+            except Exception:
+                behind = 0
+            if behind > 0:
+                out.append("%s⚠ infra %d behind%s %s→ /cbp-refresh-infra%s" % (YELLOW, behind, RST, DIM, RST))
+
     sys.stdout.write(("\n".join(out) + "\n") if out else "")
 
 

package/templates/hooks/cbp-statusline.sh

@@ -15,7 +15,7 @@
 #
 # DISPLAY OPTIONS (team-shared, committed)
 #   .codebyplan/statusline.json -> { "lines": {identity,context,cost,rate_limits,
-#                                    repo_pr,worktree}, "no_color": bool }
+#                                    repo_pr,worktree,infra_drift}, "no_color": bool }
 #
 # ENV-VAR OVERRIDES (env > config > default)
 #   CBP_STATUSLINE_HIDE_IDENTITY=1     suppress line 1 (folder, branch, model, effort, …)
@@ -24,6 +24,7 @@
 #   CBP_STATUSLINE_HIDE_RATE_LIMITS=1  suppress line 4 (5h / 7d rate limits)
 #   CBP_STATUSLINE_HIDE_REPO_PR=1      suppress line 5 (repo host/owner/name, PR)
 #   CBP_STATUSLINE_HIDE_WORKTREE=1     suppress line 6 (worktree name/branch/path)
+#   CBP_STATUSLINE_HIDE_INFRA_DRIFT=1  suppress line 7 (.claude infra commits behind main)
 #   CBP_STATUSLINE_NO_COLOR=1          strip all ANSI colour codes (also honoured by $NO_COLOR)
 #
 # TEST SEAMS (no effect in normal use)
@@ -104,7 +105,7 @@ eval "$(echo "$INPUT" | jq -r '
 
 # ---- Config: line toggles + no_color from .codebyplan/statusline.json --------
 CFG_IDENTITY=true; CFG_CONTEXT=true; CFG_COST=true
-CFG_RATE_LIMITS=true; CFG_REPO_PR=true; CFG_WORKTREE=true; CFG_NO_COLOR=false
+CFG_RATE_LIMITS=true; CFG_REPO_PR=true; CFG_WORKTREE=true; CFG_INFRA_DRIFT=true; CFG_NO_COLOR=false
 CBP_CFG="$CBP_ROOT/.codebyplan/statusline.json"
 if [ -f "$CBP_CFG" ] && command -v jq >/dev/null 2>&1; then
   # Use `!= false` / `== true` (NOT jq `//`): the `//` operator treats an explicit
@@ -117,6 +118,7 @@ if [ -f "$CBP_CFG" ] && command -v jq >/dev/null 2>&1; then
     "CFG_RATE_LIMITS=\(.lines.rate_limits != false)",
     "CFG_REPO_PR=\(.lines.repo_pr != false)",
     "CFG_WORKTREE=\(.lines.worktree != false)",
+    "CFG_INFRA_DRIFT=\(.lines.infra_drift != false)",
     "CFG_NO_COLOR=\(.no_color == true)"
   ' "$CBP_CFG" 2>/dev/null)"
 fi
@@ -401,3 +403,21 @@ if should_show WORKTREE "$CFG_WORKTREE"; then
     printf "%b\n" "$L6"
   fi
 fi
+
+# ============================================================
+# LINE 7 — Infra drift (monorepo feat branches behind main)
+# ============================================================
+# Only the codebyplan monorepo (templates/ present) on a feat branch can carry
+# stale .claude/ infra. No fetch — counts against the cached origin/main only.
+if should_show INFRA_DRIFT "$CFG_INFRA_DRIFT"; then
+  case "$BRANCH" in
+    feat/*)
+      if [ -d "$CBP_ROOT/packages/codebyplan-package/templates" ]; then
+        BEHIND="$(git -C "$CBP_ROOT" rev-list --count HEAD..origin/main -- .claude packages/codebyplan-package/templates 2>/dev/null)"
+        if [ -n "$BEHIND" ] && [ "$BEHIND" -gt 0 ] 2>/dev/null; then
+          printf "%b\n" "${YELLOW}⚠ infra ${BEHIND} behind${RST} ${DIM}→ /cbp-refresh-infra${RST}"
+        fi
+      fi
+      ;;
+  esac
+fi

package/templates/hooks/cbp-test-coverage-gate.sh

@@ -64,6 +64,14 @@ while IFS= read -r FILE; do
     continue
   fi
 
+  # Skip files under a __tests__/ directory — fixtures, helpers, setup, and
+  # other test infrastructure are imported by the test files that exercise
+  # them; requiring a dedicated .test.ts for a fixture is nonsensical.
+  if echo "$FILE" | grep -qE '/__tests__/'; then
+    SKIPPED=$((SKIPPED + 1))
+    continue
+  fi
+
   # Skip infrastructure / generated / config files (generic skips — harmless if user doesn't have these dirs)
   if echo "$FILE" | grep -qE '^\.claude/|^docs/|^supabase/|\.config\.|\.json$|\.md$|\.ya?ml$|\.sh$|\.scss$|\.css$'; then
     continue

package/templates/hooks/cbp-test-hooks.sh

@@ -207,48 +207,6 @@ else
   fi
 fi
 
-# --- cbp-mcp-worktree-inject.sh ---
-
-if [ ! -f "$HOOKS_DIR/cbp-mcp-worktree-inject.sh" ]; then
-  test_result "cbp-mcp-worktree-inject.sh present" "passed" "missing"
-else
-  test_result "cbp-mcp-worktree-inject.sh present" "passed" "passed"
-
-  FIRST_LINE=$(head -1 "$HOOKS_DIR/cbp-mcp-worktree-inject.sh")
-  if echo "$FIRST_LINE" | grep -q '^#!/'; then
-    test_result "cbp-mcp-worktree-inject.sh has shebang" "passed" "passed"
-  else
-    test_result "cbp-mcp-worktree-inject.sh has shebang" "passed" "missing"
-  fi
-
-  if grep -q '@scope: org-shared' "$HOOKS_DIR/cbp-mcp-worktree-inject.sh"; then
-    test_result "cbp-mcp-worktree-inject.sh has @scope: org-shared" "passed" "passed"
-  else
-    test_result "cbp-mcp-worktree-inject.sh has @scope: org-shared" "passed" "missing"
-  fi
-
-  FIXTURES_DIR="$HOOKS_DIR/__test-fixtures__/cbp-mcp-worktree-inject"
-  if [ -d "$FIXTURES_DIR" ]; then
-    # already-has-id.json — expect exit 0 (passthrough)
-    ACTUAL_EXIT=$(bash "$HOOKS_DIR/cbp-mcp-worktree-inject.sh" < "$FIXTURES_DIR/already-has-id.json" >/dev/null 2>&1; echo $?)
-    if [ "$ACTUAL_EXIT" = "0" ]; then
-      test_result "cbp-mcp-worktree-inject.sh already-has-id exits 0" "passed" "passed"
-    else
-      test_result "cbp-mcp-worktree-inject.sh already-has-id exits 0" "passed" "failed (exit $ACTUAL_EXIT)"
-    fi
-
-    # missing-id-both-empty.json — resolvers return empty (in test env), expect exit 0
-    ACTUAL_EXIT=$(bash "$HOOKS_DIR/cbp-mcp-worktree-inject.sh" < "$FIXTURES_DIR/missing-id-both-empty.json" >/dev/null 2>&1; echo $?)
-    if [ "$ACTUAL_EXIT" = "0" ]; then
-      test_result "cbp-mcp-worktree-inject.sh missing-id passthrough exits 0" "passed" "passed"
-    else
-      test_result "cbp-mcp-worktree-inject.sh missing-id passthrough exits 0" "passed" "failed (exit $ACTUAL_EXIT)"
-    fi
-  else
-    test_result "cbp-mcp-worktree-inject.sh fixtures dir present" "passed" "missing"
-  fi
-fi
-
 # --- cbp-mcp-round-sync.sh ---
 
 if [ ! -f "$HOOKS_DIR/cbp-mcp-round-sync.sh" ]; then

package/templates/hooks/hooks.json

@@ -35,15 +35,6 @@
             "command": "bash ${CLAUDE_PLUGIN_ROOT}/hooks/cbp-mcp-migration-guard.sh"
           }
         ]
-      },
-      {
-        "matcher": "mcp__codebyplan__(update_task|complete_task|complete_round|update_checkpoint)",
-        "hooks": [
-          {
-            "type": "command",
-            "command": "bash ${CLAUDE_PLUGIN_ROOT}/hooks/cbp-mcp-worktree-inject.sh"
-          }
-        ]
       }
     ],
     "PostToolUse": [

package/templates/rules/README.md

@@ -34,7 +34,14 @@ The `install`/`update`/`uninstall` flow handles these files identically to how i
 
 ## Current status
 
-Zero rules are shipped today. The wiring is in place so future PRs can land curated rules through the same install/update/uninstall flow as other templates.
+Four rules are shipped:
+
+| Rule file | Summary |
+|---|---|
+| `scope-vocabulary.md` | Canonical scope-marker enum (`org-shared` / `project-shared` / `repo-only:<name>`) enforced by three validators |
+| `context-file-loading.md` | Context-file load contract — who loads what, when, and how missing files are handled |
+| `todo-backend.md` | Todos queue contract, six DB-layer workflow invariants, and writer obligations for MCP mutators |
+| `supabase-branch-lifecycle.md` | Supabase preview-branch lifecycle mirrors the git feat-branch lifecycle — lazy create on first DB change, delete wherever the git branch is removed |
 
 ## Contributing a rule
 

package/templates/rules/supabase-branch-lifecycle.md

@@ -0,0 +1,99 @@
+---
+scope: org-shared
+description: Supabase preview-branch lifecycle mirrors the git feat-branch lifecycle
+paths:
+  - "supabase/migrations/**"
+  - ".codebyplan/shipment.json"
+  - ".codebyplan/git.json"
+  - ".claude/skills/cbp-supabase-migrate/**"
+  - ".claude/skills/cbp-supabase-branch-check/**"
+  - ".claude/skills/cbp-checkpoint-end/**"
+  - ".claude/skills/cbp-git-worktree-remove/**"
+  - ".claude/skills/cbp-ship-main/**"
+---
+
+# Supabase Branch Lifecycle
+
+When a checkpoint or standalone task does DB work on its own feat branch, that branch gets
+a Supabase preview branch whose lifecycle mirrors the git branch — created on first DB
+change, deleted when the git branch is removed.
+
+## Contract
+
+Each feat branch that touches the database owns exactly one Supabase preview branch, named
+identically to the git branch. The git branch is the source of truth; the Supabase branch
+follows it.
+
+## Create (lazy)
+
+The Supabase branch is created by `cbp-supabase-migrate` (Step 2.3) on the **first DB
+change** for the branch — never eagerly at git-branch creation time. Creation is guarded
+by the skill's db_paths detection so the step fires only when the invocation actually
+touches the database.
+
+The branch is named **verbatim** after the git branch, slashes included (e.g.
+`feat/CHK-144-supabase-branch-lifecycle`). This identical naming is the linchpin: the
+GitHub branching integration reconciles to the same branch on PR open rather than creating
+a duplicate.
+
+After creation, the branch name and resulting `project_ref` are recorded on the parent
+checkpoint or standalone task context (via `mcp__codebyplan__update_checkpoint` /
+`mcp__codebyplan__update_task`) and may also be noted in `.codebyplan/shipment.json` so
+cleanup skills can discover and remove it without querying the API.
+
+## Delete
+
+The Supabase branch is removed wherever the git branch is deleted:
+
+| Skill | Trigger |
+|---|---|
+| `cbp-checkpoint-end` | stale-branch cleanup + current feat-branch delete on ship |
+| `cbp-git-worktree-remove` | worktree teardown removes the coupled Supabase branch |
+| `cbp-ship-main` | `branch_deleted` event after PR merge |
+
+Deletion is **existence-checked and idempotent** — a not-found response is treated as
+success. This tolerates the GitHub integration auto-deleting the preview branch on PR
+close before the skill runs.
+
+These skills use `delete_branch` (MCP tool), never `merge_branch`. Production migrations
+reach main via the existing merge path (GitHub rebuild / `last_shipped_migration_version`);
+there is no separate Supabase branch merge step.
+
+## Exclusions
+
+This lifecycle applies **only to feat branches**. It MUST NOT fire for:
+
+- The main/production branch (`branch_config.production`, default `"main"`)
+- Any branch listed in `branch_config.protected[]`
+- A standalone task running directly on the production branch
+- The integration branch (`branch_config.integration`) when non-null — it gets a persistent branch via `cbp-supabase-setup`, not a lazy ephemeral one.
+
+`cbp-supabase-migrate` Step 2.3 Guard 1 enforces this by reading `.codebyplan/git.json`
+and skipping provisioning when the current branch matches `$PRODUCTION`, `$PROTECTED`, or
+a non-null `$INTEGRATION`.
+
+## Guards
+
+Skills that delete Supabase branches MUST:
+
+1. Verify the branch name matches the feat branch being removed (never delete by
+   `project_ref` alone).
+2. Never delete the parent/production project (`rrvtrumtkhrsbhcyrwvf`) itself.
+3. Never delete a persistent/long-lived branch that does not correspond to the git branch
+   being torn down.
+
+## PR Gate (retained)
+
+`cbp-supabase-branch-check` runs as a required PR gate, independent of the create/delete
+coupling. By-name resolution works whether the branch was created by `cbp-supabase-migrate`
+or auto-created by the GitHub integration — both paths use the same branch name.
+
+## Skill Map
+
+| Role | Skill |
+|---|---|
+| Create (lazy) | `cbp-supabase-migrate` (Step 2.3) |
+| Delete | `cbp-checkpoint-end`, `cbp-git-worktree-remove`, `cbp-ship-main` |
+| PR gate | `cbp-supabase-branch-check` |
+
+Each skill in the Skill Map above carries an inline back-reference to this rule at its create or teardown step.

package/templates/settings.project.base.json

@@ -39,8 +39,7 @@
       "Bash(git push --force:*)",
       "Bash(git push -f:*)",
       "Bash(git checkout -- :*)",
-      "Bash(git add .:*)",
-      "Bash(git add -A:*)",
+      "Bash(git add:*)",
       "Bash(rm -rf:*)",
       "Bash(pnpm add:*)",
       "Bash(pnpm install:*)",

package/templates/skills/cbp-build-cc-settings/reference/cbp-conventions.md

@@ -47,8 +47,7 @@ These values are part of the CBP baseline and should not be weakened:
       "Bash(git push --force:*)",
       "Bash(git push -f:*)",
       "Bash(git checkout -- :*)",
-      "Bash(git add .:*)",
-      "Bash(git add -A:*)",
+      "Bash(git add:*)",
       "Bash(rm -rf:*)",
       "Bash(pnpm add:*)",
       "Bash(pnpm install:*)",

package/templates/skills/cbp-checkpoint-create/SKILL.md

@@ -95,6 +95,8 @@ git push -u origin "feat/CHK-{NNN}-{slug}"
 
 Slug: lowercase, dash-joined, punctuation dropped, ≤40 chars. Persist the branch via MCP `update_checkpoint(checkpoint_id, branch_name: "feat/CHK-{NNN}-{slug}")`. (The dedicated `/cbp-git-branch-feat-create` skill is the canonical config-driven helper if you prefer to delegate.)
 
+**Note — Supabase preview branch**: no Supabase branch is created here. Creation is lazy — it happens on the first DB change when `/cbp-supabase-migrate` runs on this feat branch, which provisions a Supabase branch named identically to the git branch. See `cbp-supabase-migrate` Step 2.3 for the creation protocol.
+
 ### Step 10: Show Result + Auto-Trigger Plan
 
 ```

package/templates/skills/cbp-checkpoint-end/SKILL.md

@@ -141,13 +141,25 @@ C) Keep all
 
 Only delete with explicit user confirmation. Delete both local and remote:
 ```bash
-git branch -d "$BRANCH" 2>/dev/null
-git push origin --delete "$BRANCH"
+git branch -d "$BRANCH" && git push origin --delete "$BRANCH"
 ```
 
+Only after both the local and remote git delete above succeed, run a conditional Supabase preview-branch teardown for that branch name (do not suppress the delete output — a failed local delete must stay visible):
+
+> Lifecycle contract: see [[supabase-branch-lifecycle]].
+
+- Call `mcp__supabase__list_branches` with `project_id: rrvtrumtkhrsbhcyrwvf`.
+- Scan the returned list for an entry whose `name` exactly equals `$BRANCH`.
+- If found: call `mcp__supabase__delete_branch` with its `branch_id`. Record the branch name in `SUPABASE_BRANCHES_DELETED[]`.
+- If not found: no-op silently — the GitHub integration may have already removed it on PR close; not-found is success, NOT an error.
+- If the `list_branches` call itself fails (network, auth, or a non-success response — distinct from a successful lookup that returns no match): emit a non-blocking warning that the Supabase preview branch for `$BRANCH` may still exist and should be verified in the dashboard. Do not treat an API failure as a not-found success.
+- Never delete the parent project `rrvtrumtkhrsbhcyrwvf` itself or any persistent/production branch.
+
+Accumulate all Supabase branch names removed across the loop in `SUPABASE_BRANCHES_DELETED`.
+
 ### Step 9: Current Feat Branch Cleanup
 
-Present comprehensive summary first (Step 10), then ask about current feat branch via AskUserQuestion:
+Before asking about the current feat branch, present a partial summary of what has shipped so far — runtime surfaces (from `/cbp-ship` Step 7), stale branches cleaned (Step 8), and the `SUPABASE_BRANCHES_DELETED` accumulated so far — then ask about the current feat branch via AskUserQuestion (the complete shipment record is finalised in Step 10):
 
 ```
 The current feat branch [BRANCH] has been fully merged.
@@ -166,6 +178,14 @@ git branch -d "$FEAT_BRANCH"
 git push origin --delete "$FEAT_BRANCH"
 ```
 
+After the feat branch git delete, run the same conditional Supabase teardown for `$FEAT_BRANCH`:
+
+- Call `mcp__supabase__list_branches` with `project_id: rrvtrumtkhrsbhcyrwvf`.
+- Scan for an entry whose `name` exactly equals `$FEAT_BRANCH`.
+- If found: call `mcp__supabase__delete_branch` with its `branch_id`. Add `$FEAT_BRANCH` to `SUPABASE_BRANCHES_DELETED[]`.
+- If not found: no-op silently — idempotent, not-found is success.
+- If the `list_branches` call itself fails (network, auth, or a non-success response — distinct from a successful lookup that returns no match): emit a non-blocking warning that the Supabase preview branch for `$FEAT_BRANCH` may still exist and should be verified in the dashboard. Do not treat an API failure as a not-found success.
+
 ### Step 10: Save Shipment Results and Summary
 
 Update checkpoint context via MCP `update_checkpoint`. The `shipment` block contains both branch promotion AND runtime surface results (from `/cbp-ship` Step 7):
@@ -177,8 +197,9 @@ context.shipment: {
   feat_to_base: { pr_url, merged: true/false },
   surfaces: [...],          // populated by /cbp-ship — per-surface deploy results
   skipped: [...],           // populated by /cbp-ship — surfaces explicitly skipped
-  stale_branches_cleaned: [list of deleted branches],
-  feat_branch_deleted: true/false
+  stale_branches_cleaned: [list of deleted git branches],
+  feat_branch_deleted: true/false,
+  supabase_branches_deleted: [list of Supabase preview branch names removed in Steps 8–9]
 }
 ```
 
@@ -198,6 +219,7 @@ Present summary:
 ### Branch Operations
 - Stale branches deleted: [N] ([list])
 - Feat branch: [deleted/kept]
+- Supabase preview branches deleted: [N] ([list from supabase_branches_deleted], or "none")
 
 ### Before/After Branch State
 - Before: [list of feat/* branches]

package/templates/skills/cbp-checkpoint-start/SKILL.md

@@ -57,7 +57,7 @@ This mirrors the CHK-104 hard-lock model — never wrest a checkpoint from a liv
 
 If the checkpoint is already `active` AND `worktree_id` already equals `CALLER_WT` (the Step 3 no-op row), skip this step entirely and proceed to Step 5 — nothing to write.
 
-Otherwise set the checkpoint `active` via MCP `update_checkpoint(checkpoint_id, status: "active"`, plus `worktree_id: CALLER_WT` when claiming per Step 3, plus `caller_worktree_id: CALLER_WT` so the hard-lock pre-guard accepts the call (omit `caller_worktree_id` only when `CALLER_WT` is empty). If the checkpoint was already `active` but a claim is still needed, skip the status write and only write `worktree_id`.
+Otherwise set the checkpoint `active` via MCP `update_checkpoint(checkpoint_id, status: "active"`, plus `worktree_id: CALLER_WT` when claiming per Step 3. The server resolves the caller's worktree identity from the JWT/ctx (CHK-140 TASK-3 — `caller_worktree_id` input field removed). If the checkpoint was already `active` but a claim is still needed, skip the status write and only write `worktree_id`.
 
 ### Step 5: Route
 
@@ -78,7 +78,7 @@ Show a one-line confirmation before routing:
 ## Integration
 
 - **Reads**: MCP `get_checkpoints`, `get_tasks`; `npx codebyplan resolve-worktree`
-- **Writes**: MCP `update_checkpoint` (status + worktree_id, with caller_worktree_id pre-guard)
+- **Writes**: MCP `update_checkpoint` (status + worktree_id; server resolves caller worktree from JWT/ctx)
 - **Triggered by**: `/cbp-checkpoint-plan` (auto when claimed at create), `/cbp-todo` (planned-but-pending gate), or user directly
 - **Triggers**: `/cbp-task-start` (auto when claimed), or `/cbp-checkpoint-plan` (when the checkpoint is unplanned)
 - **Never**: plans or creates tasks — that is `/cbp-checkpoint-plan`

package/templates/skills/cbp-git-worktree-remove/SKILL.md

@@ -116,7 +116,12 @@ Only use `--force` if the user confirms.
 
 ### Step 9: Delete Branch (if requested)
 
-**Protected branch check:** If `$BRANCH_NAME` is `main`, `development`, or `preview` — refuse deletion and stop.
+**Protected branch check:** Read the protected set from `.codebyplan/git.json`:
+```bash
+PRODUCTION=$(jq -r '.branch_config.production // "main"' .codebyplan/git.json)
+PROTECTED=$(jq -r '.branch_config.protected[]? // empty' .codebyplan/git.json)
+```
+If `$BRANCH_NAME` equals `$PRODUCTION` or appears in `$PROTECTED` — refuse deletion and stop.
 
 **Checkpoint verification:** Before deleting a feat branch, verify that the associated checkpoint has completed via `/cbp-checkpoint-end`. If the checkpoint is still active, warn the user that unshipped work may be lost.
 
@@ -126,6 +131,17 @@ git branch -d "$BRANCH_NAME" && git push origin --delete "$BRANCH_NAME"
 
 Use `-d` (not `-D`) to prevent deleting unmerged work. If it fails because the branch is not fully merged, inform the user and ask if they want to force delete with `-D`.
 
+After the git branch delete succeeds, run a conditional Supabase preview-branch teardown for `$BRANCH_NAME`:
+
+> Lifecycle contract: see [[supabase-branch-lifecycle]].
+
+- Call `mcp__supabase__list_branches` with `project_id: rrvtrumtkhrsbhcyrwvf`.
+- Scan the returned list for an entry whose `name` exactly equals `$BRANCH_NAME`.
+- If found: call `mcp__supabase__delete_branch` with its `branch_id`. Report "Supabase preview branch deleted: `$BRANCH_NAME`".
+- If not found: no-op silently — the GitHub integration may have already removed it on PR close; not-found is success, NOT an error.
+- If the `list_branches` call itself fails (network, auth, or a non-success response — distinct from a successful lookup that returns no match): emit a non-blocking warning that the Supabase preview branch for `$BRANCH_NAME` may still exist and should be verified in the dashboard. Do not treat an API failure as a not-found success.
+- Never delete the parent project `rrvtrumtkhrsbhcyrwvf` itself or any persistent/production branch.
+
 ### Step 10: Show Result
 
 ```

package/templates/skills/cbp-session-start/SKILL.md

@@ -12,7 +12,7 @@ Activate the session, open a fresh session log, and surface the previous log's p
 
 ## Instructions
 
-Run Steps 0 through 5.8 silently (no intermediate output) — except Step 1.4 may surface a one-line fast-forward note or warning, and Step 5.7 may surface an approval gate. (Step numbers are organizational labels; execution order is 0 → 1 → 1.4 → 2 → 3 → 4 → 4.5 → 5 → 5.7 → 5.8 → 6 → 7.) Produce ONE output block at Step 6, then auto-trigger or stop per Step 7.
+Run Steps 0 through 5.8 silently (no intermediate output) — except Step 1.4 may surface a one-line fast-forward note or warning, Step 1.5 may surface a one-line infra-drift nudge, and Step 5.7 may surface an approval gate. (Step numbers are organizational labels; execution order is 0 → 1 → 1.4 → 1.5 → 2 → 3 → 4 → 4.5 → 5 → 5.7 → 5.8 → 6 → 7.) Produce ONE output block at Step 6, then auto-trigger or stop per Step 7.
 
 ### Step 0: MCP Health Check
 
@@ -49,7 +49,7 @@ RESOLVE_JSON=$(npx codebyplan resolve-worktree --json)
 
 Extract `worktree_id` and `error_kind` from the JSON output.
 
-- `error_kind` is `null` or `"tuple_miss"` → healthy. `WORKTREE_ID` = `worktree_id` (may be `null`: a legitimate main-repo or unregistered-worktree case — proceed normally; downstream hard-lock pre-guards may reject mutations on assigned rows).
+- `error_kind` is `null` or `"tuple_miss"` → healthy. `WORKTREE_ID` = `worktree_id` (may be `null`: a legitimate main-repo or unregistered-worktree case — proceed normally; the server resolves worktree identity from the JWT/ctx, falling back to the repo main-worktree when no specific worktree is matched).
 - `error_kind` is `local_config_read_failed`, `local_config_write_failed`, `legacy_file_blocks_dir`, `api_failed`, `git_failed`, or `unhandled` → **broken local state**. Hold the `error_kind` for Step 6 to display as a distress warning. Session continues (non-blocking — unlike `/cbp-todo`, session-start does NOT hard-stop on a non-tuple-miss distress).
 
 Pass `WORKTREE_ID` to MCP tools that support it. Null `WORKTREE_ID` means the (device, path, branch) tuple is unregistered — note this for Step 6.
@@ -77,6 +77,31 @@ CURRENT="$(git rev-parse --abbrev-ref HEAD)"
 
 Never rebase, reset, force-push, or stash. A non-fast-forwardable home branch is a signal to reconcile manually, not to overwrite.
 
+### Step 1.5: Infra Drift Check
+
+Surface — never block — when this worktree's CBP tooling has fallen behind. Runs after Step 1.4 and may add one line to the Step 6 output. Two mutually-exclusive concepts, keyed on repo type (`$PRODUCTION` is the branch resolved in Step 1.4):
+
+- **Monorepo (concept A)** — both `packages/codebyplan-package/templates/` and `scripts/infra-drift.mjs` exist. Step 1.4 skips the fetch on a feat branch, so refresh `origin/$PRODUCTION` best-effort first, then run the reporter:
+
+  ```bash
+  git fetch origin "$PRODUCTION" 2>/dev/null || true
+  node scripts/infra-drift.mjs 2>/dev/null || true
+  ```
+
+  The script self-guards (feat branch + behind > 0) and emits at most one `⚠ .claude/ infra is N behind — run /cbp-refresh-infra` line. Hold any output for Step 6.
+
+- **Consumer (concept B)** — no `templates/`, but an install manifest exists (`.claude/.cbp.manifest.json`, falling back to `.cbp-claude.manifest.json` then `.codebyplan-claude.manifest.json`). Compare its `version` to the latest published `codebyplan`, offline-safe:
+
+  ```bash
+  LATEST="$(npm view codebyplan version 2>/dev/null)"
+  ```
+
+  When `$LATEST` is non-empty and newer than the manifest `version`, hold one line for Step 6: `⚠ codebyplan {installed} → {LATEST} — run npx codebyplan@latest claude update`. Any failure (offline, npm absent) → silent.
+
+- **Neither** → skip silently.
+
+Concept B never fires in the monorepo — the `templates/` guard routes the source repo to concept A only (its manifest `version` is intentionally stale). Fully non-blocking; every failure path falls through with no output.
+
 ### Step 2: Check Dev Server
 
 **Skip if `server_type` is `"none"`.**
@@ -198,7 +223,7 @@ Three-branch gate using `owned_count` and `total_count` from Step 5.8:
 
 - **Triggered by**: user invocation, `/clear` recovery
 - **Resolves**: `npx codebyplan resolve-worktree --json` (worktree id + distress signal; non-tuple-miss distress is non-blocking at session-start)
-- **Reads**: `.codebyplan/repo.json`, `.codebyplan/git.json` (`branch_config.production` for the Step 1.4 home-branch fast-forward), MCP `get_session_logs` (worktree-filtered, limit 1 — single call shared by Step 4 and Step 4.5), MCP `health_check`, MCP `get_current_task`, MCP `get_rounds`, MCP `get_checkpoints` (two calls: `{ repo_id, status: 'active' }` for the Step 5.8 ownership partition; `{ repo_id }` unfiltered for the Step 4.5 freshness probe, which may resolve a non-active checkpoint), MCP `get_tasks` / `get_rounds` for the Step 4.5 freshness probe
+- **Reads**: `.codebyplan/repo.json`, `.codebyplan/git.json` (`branch_config.production` for the Step 1.4 home-branch fast-forward), MCP `get_session_logs` (worktree-filtered, limit 1 — single call shared by Step 4 and Step 4.5), MCP `health_check`, MCP `get_current_task`, MCP `get_rounds`, MCP `get_checkpoints` (two calls: `{ repo_id, status: 'active' }` for the Step 5.8 ownership partition; `{ repo_id }` unfiltered for the Step 4.5 freshness probe, which may resolve a non-active checkpoint), MCP `get_tasks` / `get_rounds` for the Step 4.5 freshness probe; `scripts/infra-drift.mjs` + a best-effort `git fetch` (Step 1.5 monorepo drift) or the install manifest + `npm view codebyplan version` (Step 1.5 consumer drift)
 - **Writes**: MCP `create_session_log` (new, possibly empty), MCP `update_session_state` (activate)
 - **Spawns**: none
 - **Triggers**: `/cbp-git-commit` (conditional, on user approval), `handoff.command` (on fresh handoff hit at Step 4.5), `/cbp-todo` (auto fall-through when owned_count >= 1 or total_count === 0; STOPS with no trigger when total_count >= 1 AND owned_count === 0)

package/templates/skills/{cbp-e2e-setup → cbp-setup-e2e}/SKILL.md

@@ -1,6 +1,6 @@
 ---
 scope: org-shared
-name: cbp-e2e-setup
+name: cbp-setup-e2e
 description: Detect installed E2E frameworks, ask which to enable, record credentials source (gitignored env-file path + var names only, never secrets), and write/refresh .codebyplan/e2e.json. Interactive, idempotent.
 argument-hint: "[--force]"
 model: sonnet