codebyplan 1.13.17 → 1.13.20

package/dist/cli.js

@@ -14,7 +14,7 @@ var VERSION, PACKAGE_NAME;
 var init_version = __esm({
   "src/lib/version.ts"() {
     "use strict";
-    VERSION = "1.13.17";
+    VERSION = "1.13.20";
     PACKAGE_NAME = "codebyplan";
   }
 });
@@ -1616,6 +1616,7 @@ var init_settings_merge = __esm({
       "disableSkillShellExecution",
       "skipWebFetchPreflight",
       "fastModePerSessionOptIn",
+      "autoMemoryEnabled",
       "effortLevel",
       "showClearContextOnPlanAccept",
       "syntaxHighlightingDisabled",
@@ -2373,6 +2374,22 @@ var whoami_exports = {};
 __export(whoami_exports, {
   runWhoami: () => runWhoami
 });
+async function fetchMe(accessToken) {
+  try {
+    const res = await fetch(meEndpoint(), {
+      headers: { Authorization: `Bearer ${accessToken}` },
+      signal: AbortSignal.timeout(1e4)
+    });
+    if (!res.ok) return null;
+    const body = await res.json();
+    return {
+      email: body.email ?? null,
+      username: body.username ?? null
+    };
+  } catch {
+    return null;
+  }
+}
 async function runWhoami(opts = {}) {
   const tokens = await loadTokens();
   if (opts.json) {
@@ -2381,8 +2398,13 @@ async function runWhoami(opts = {}) {
       process.exitCode = 1;
       return;
     }
+    const me2 = await fetchMe(tokens.access_token);
     console.log(
-      JSON.stringify({ user_id: tokens.user_id, email: tokens.email })
+      JSON.stringify({
+        user_id: tokens.user_id,
+        email: me2?.email ?? tokens.email,
+        username: me2?.username ?? null
+      })
     );
     return;
   }
@@ -2391,15 +2413,26 @@ async function runWhoami(opts = {}) {
     process.exitCode = 1;
     return;
   }
+  const me = await fetchMe(tokens.access_token);
+  const degraded = me === null;
+  const email = me?.email ?? tokens.email;
+  const username = me?.username ?? null;
   console.log(`
-  user_id: ${tokens.user_id}`);
-  console.log(`  email:   ${tokens.email ?? "(unknown)"}
+  user_id:  ${tokens.user_id}`);
+  console.log(`  email:    ${email ?? "(unknown)"}`);
+  console.log(`  username: ${username ?? "(not set)"}`);
+  if (degraded) {
+    console.log(`  (profile fetch failed \u2014 showing stored credentials)
 `);
+  } else {
+    console.log();
+  }
 }
 var init_whoami = __esm({
   "src/cli/whoami.ts"() {
     "use strict";
     init_keychain();
+    init_urls();
   }
 });
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "codebyplan",
-  "version": "1.13.17",
+  "version": "1.13.20",
   "description": "CLI for CodeByPlan — AI-powered development planning and tracking",
   "type": "module",
   "bin": {

package/templates/hooks/cbp-test-coverage-gate.sh

@@ -64,10 +64,10 @@ while IFS= read -r FILE; do
     continue
   fi
 
-  # Skip files under a __tests__/ directory — fixtures, helpers, setup, and
-  # other test infrastructure are imported by the test files that exercise
-  # them; requiring a dedicated .test.ts for a fixture is nonsensical.
-  if echo "$FILE" | grep -qE '/__tests__/'; then
+  # Skip files under a __tests__/ or __mocks__/ directory — fixtures, helpers,
+  # setup, manual mocks, and other test infrastructure are imported by the test
+  # files that exercise them; requiring a dedicated .test.ts is nonsensical.
+  if echo "$FILE" | grep -qE '/__tests__/|/__mocks__/'; then
     SKIPPED=$((SKIPPED + 1))
     continue
   fi

package/templates/settings.project.base.json

@@ -17,6 +17,7 @@
     "baseRef": "fresh"
   },
   "autoScrollEnabled": true,
+  "autoMemoryEnabled": false,
   "cleanupPeriodDays": 30,
   "includeGitInstructions": true,
   "showThinkingSummaries": true,
@@ -53,6 +54,16 @@
       "Skill(cbp-checkpoint-end)",
       "Skill(cbp-ship)",
       "Skill(cbp-ship-main)",
+      "Skill(cbp-checkpoint-start)",
+      "Skill(cbp-checkpoint-create)",
+      "Skill(cbp-checkpoint-check)",
+      "Skill(cbp-checkpoint-complete)",
+      "Skill(cbp-round-update)",
+      "Skill(cbp-session-end)",
+      "Skill(cbp-task-complete)",
+      "Skill(cbp-standalone-task-create)",
+      "Skill(cbp-standalone-task-start)",
+      "Skill(cbp-standalone-task-complete)",
       "mcp__codebyplan__accept_invite",
       "mcp__codebyplan__change_role",
       "mcp__codebyplan__create_launch",
@@ -100,11 +111,7 @@
       "Skill(cbp-build-cc-rule)",
       "Skill(cbp-build-cc-settings)",
       "Skill(cbp-build-cc-skill)",
-      "Skill(cbp-checkpoint-check)",
-      "Skill(cbp-checkpoint-complete)",
-      "Skill(cbp-checkpoint-create)",
       "Skill(cbp-checkpoint-plan)",
-      "Skill(cbp-checkpoint-start)",
       "Skill(cbp-checkpoint-update)",
       "Skill(cbp-frontend-a11y)",
       "Skill(cbp-frontend-design)",
@@ -121,28 +128,17 @@
       "Skill(cbp-round-execute)",
       "Skill(cbp-round-input)",
       "Skill(cbp-round-start)",
-      "Skill(cbp-round-update)",
-      "Skill(cbp-session-end)",
       "Skill(cbp-session-start)",
       "Skill(cbp-setup-cmux)",
       "Skill(cbp-setup-e2e)",
       "Skill(cbp-setup-eslint)",
       "Skill(cbp-ship-configure)",
       "Skill(cbp-standalone-task-check)",
-      "Skill(cbp-standalone-task-complete)",
-      "Skill(cbp-standalone-task-create)",
-      "Skill(cbp-standalone-task-start)",
       "Skill(cbp-standalone-task-testing)",
       "Skill(cbp-supabase-branch-check)",
       "Skill(cbp-supabase-migrate)",
       "Skill(cbp-supabase-setup)",
-      "Skill(cbp-standalone-task-check)",
-      "Skill(cbp-standalone-task-complete)",
-      "Skill(cbp-standalone-task-create)",
-      "Skill(cbp-standalone-task-start)",
-      "Skill(cbp-standalone-task-testing)",
       "Skill(cbp-task-check)",
-      "Skill(cbp-task-complete)",
       "Skill(cbp-task-create)",
       "Skill(cbp-task-start)",
       "Skill(cbp-task-testing)",

package/templates/skills/cbp-build-cc-settings/reference/cbp-permission-policy.md

@@ -22,7 +22,7 @@ Precedence is `deny > ask > allow`; arrays union across scopes (managed/user/pro
 
 ### `allow` — the autonomous workflow surface
 
-- **All `/cbp-*` skills** except the production-shipment trio below. Invoking a skill is the intended mode of operation; the gated side effects happen inside via the Bash/MCP tools the skill calls, which carry their own tiering.
+- **Non-lifecycle, non-shipment `/cbp-*` skills** — authoring (`cbp-build-cc-*`), frontend (`cbp-frontend-*`), git (`cbp-git-*`, `cbp-merge-main`, `cbp-refresh-infra`), round work (`cbp-round-check`/`-end`/`-execute`/`-input`/`-start`), setup/configure (`cbp-setup-*`, `cbp-ship-configure`, `cbp-supabase-*`), task prep (`cbp-task-check`/`-create`/`-start`/`-testing`, `cbp-standalone-task-check`/`-testing`), planning (`cbp-checkpoint-plan`/`-update`), plus `cbp-session-start` and `cbp-todo`. Invoking a skill is the intended mode of operation; the gated side effects happen inside via the Bash/MCP tools the skill calls, which carry their own tiering. The lifecycle/state-transition skills are the exception — they live in `ask` (next section).
 - **All `mcp__codebyplan__*` reads** (`get_*`, `list_*`, `search_*`, `health_check`, `lookup_symbol`, `resolve_library_id`, `get_chunk`).
 - **Routine workflow-write MCP tools** the pipeline calls many times per task: create/update/complete checkpoint, task, and round; session log + session-state writes; `create_worktree`, `add_library`, `flag_stale_chunk`, `update_server_config`, `update_eslint_repo_config`, `update_task_template`. Gating these with `ask` would make the autonomous workflow unusable.
 - **Read/safe CLI commands** (both `codebyplan X` and `npx codebyplan X`): `whoami`, `resolve-worktree`, `statusline`, `ports`, `tech-stack`, `eslint`, `round`, `help`, `--version`.
@@ -30,6 +30,7 @@ Precedence is `deny > ask > allow`; arrays union across scopes (managed/user/pro
 ### `ask` — the deliberate confirm-gate
 
 - **Production-shipment skills**: `cbp-ship`, `cbp-ship-main`, `cbp-checkpoint-end` — these promote/deploy to production, so they prompt even in an otherwise auto-allowed setup.
+- **Lifecycle / state-transition skills**: `cbp-checkpoint-start`, `cbp-checkpoint-create`, `cbp-checkpoint-check`, `cbp-checkpoint-complete`, `cbp-round-update`, `cbp-session-end`, `cbp-task-complete`, `cbp-standalone-task-create`, `cbp-standalone-task-start`, `cbp-standalone-task-complete` — these open or close checkpoints, tasks, rounds, and sessions (advancing workflow state in the database), so they stop for explicit confirmation rather than running autonomously.
 - **Destructive / admin / external MCP tools**: `delete_session_log`, `delete_worktree`, `delete_launch`, `create_repo`, `create_launch`, `update_launch`, `release_assignment`, and the membership tools `invite_member`, `remove_member`, `change_role`, `accept_invite`, `revoke_invite`.
 - **Mutating / external / clobber-risk CLI commands** (both prefixes): `setup`, `login`, `logout`, `upgrade-auth`, `config` (can overwrite committed `.codebyplan/` files), `branch` (rewrites branch config), `ship`, `claude` (`install`/`update`/`uninstall` overwrite `.claude/`).