codebyplan 1.13.39 → 1.13.41

package/templates/skills/cbp-task-check/SKILL.md

@@ -40,7 +40,7 @@ Parse the argument using the canonical chk-task-round notation (see `cbp-round-s
 | Shape | Regex | Resolves to |
 |-------|-------|-------------|
 | `{chk}-{task}` (e.g. `108-1`) | `^[0-9]+-[0-9]+$` | Checkpoint-bound: CHK-{chk} TASK-{task} |
-| _(empty)_ | — | Use MCP `get_current_task` to find the active in-progress task |
+| _(empty)_ | — | Resolve from local state per Step 1.5/2 (MCP `get_current_task` break-glass) — the active in-progress task |
 | `{task}` (bare number) | — | **Error**: "Use /cbp-standalone-task-check {N} instead — bare numbers no longer route to standalone tasks." |
 
 Anything else is malformed — surface this error and stop:
@@ -70,14 +70,14 @@ Given the parse from Step 1:
 
 | Parse | Resolution path |
 |-------|-----------------|
-| `{chk}-{task}` | MCP `get_checkpoints(repo_id)` → filter `number === {chk}`. MCP `get_tasks(checkpoint_id)` → filter `number === {task}`. |
-| _(empty)_ | MCP `get_current_task(repo_id)` — finds the active in-progress task. |
+| `{chk}-{task}` | Read `.codebyplan/state/checkpoints/*.json` → filter `number === {chk}`. Read `.codebyplan/state/checkpoints/<id>/tasks/*.json` → filter `number === {task}`. If missing/stale, run `npx codebyplan sync` once and re-read. Break-glass fallback: MCP `get_checkpoints`/`get_tasks` when state dir absent and sync fails. |
+| _(empty)_ | Read `.codebyplan/state/todos.json` → find the active in-progress task. If missing/stale, run `npx codebyplan sync` once and re-read. Break-glass fallback: MCP `get_current_task(repo_id)` when state dir absent and sync fails. |
 
 If no in-progress task, show error and stop.
 
 ### Step 2: Quick Gate — Verify All Rounds Complete
 
-Use MCP `get_rounds` for the task. Verify all rounds are `completed`.
+Read `.codebyplan/state/checkpoints/<checkpointId>/tasks/<taskId>/rounds/*.json` (local-first). If missing/stale, run `npx codebyplan sync` once and re-read. Break-glass fallback: MCP `get_rounds` when state dir absent and sync fails. Verify all rounds are `completed`.
 
 If any rounds still in_progress:
 
@@ -92,9 +92,9 @@ Stop here.
 
 ### Step 3: Load All Context
 
-1. Get checkpoint details (id, title, goal, context)
-2. Get task details (id, title, requirements, context, files_changed, qa)
-3. Get all rounds via MCP `get_rounds` (number, requirements, context, qa, files_changed)
+1. Checkpoint details — from `.codebyplan/state/checkpoints/<checkpointId>.json` (already read in Step 1.5)
+2. Task details — from `.codebyplan/state/checkpoints/<checkpointId>/tasks/<taskId>.json` (already read in Step 1.5)
+3. All rounds — from `.codebyplan/state/checkpoints/<checkpointId>/tasks/<taskId>/rounds/*.json` (already read in Step 2)
 
 ### Step 4: Spawn Task Check Agent
 
@@ -113,7 +113,7 @@ Wait for agent to complete. Agent handles all 10 phases including user satisfact
 
 ### Step 5: Save Agent Output
 
-Save agent output to task context via MCP `update_task`:
+Save agent output to task context: `codebyplan task update --id <taskId> --checkpoint-id <checkpointId> --context '{"check_verdict": ...}'` (CLI write-through: local state file + REST). Break-glass fallback: MCP `update_task` when CLI is unavailable.
 
 - `task.context.check_verdict` = agent output (verdict, requirements_check, etc.)
 
@@ -160,7 +160,7 @@ Suggest: Approve files, then re-run `/cbp-task-check`. **STOP HERE** — wait fo
 
 ## Integration
 
-- **Reads**: MCP `get_current_task`, `get_rounds`, all changed files (via agent)
-- **Writes**: MCP `update_task` (context.check_verdict)
+- **Reads**: `.codebyplan/state/checkpoints/*.json`, `checkpoints/<id>/tasks/*.json`, `checkpoints/<id>/tasks/<id>/rounds/*.json`, `todos.json` (local-first; `npx codebyplan sync` on miss; MCP `get_current_task`/`get_rounds` break-glass), plus all changed files (via agent)
+- **Writes**: `codebyplan task update` (CLI write-through; MCP `update_task` break-glass)
 - **Triggers**: emits directive `Next: /clear, then /cbp-task-testing {chk-task}` on READY + satisfied (cross-context — testing is heavyweight, fresh context helps)
 - **Triggered by**: `/cbp-round-complete` (auto, when all files approved)

package/templates/skills/cbp-task-complete/SKILL.md

@@ -21,7 +21,7 @@ Parse the argument using the canonical chk-task-round notation (see `cbp-round-s
 | Shape | Regex | Resolves to |
 |-------|-------|-------------|
 | `{chk}-{task}` (e.g. `108-1`) | `^[0-9]+-[0-9]+$` | Checkpoint-bound: CHK-{chk} TASK-{task} |
-| _(empty)_ | — | Use MCP `get_current_task` to find the active in-progress task |
+| _(empty)_ | — | Resolve from local state per Step 1.5/2 (MCP `get_current_task` break-glass) — the active in-progress task |
 | `{task}` (bare number) | — | **Error**: "Use /cbp-standalone-task-complete {N} instead — bare numbers no longer route to standalone tasks." |
 
 Anything else is malformed — surface this error and stop:
@@ -51,14 +51,14 @@ Given the parse from Step 1:
 
 | Parse | Resolution path |
 |-------|-----------------|
-| `{chk}-{task}` | MCP `get_checkpoints(repo_id)` → filter `number === {chk}`. MCP `get_tasks(checkpoint_id)` → filter `number === {task}`. |
-| _(empty)_ | MCP `get_current_task(repo_id)` — finds the active in-progress task. |
+| `{chk}-{task}` | Read `.codebyplan/state/checkpoints/*.json` → filter `number === {chk}`. Read `.codebyplan/state/checkpoints/<id>/tasks/*.json` → filter `number === {task}`. If missing/stale, run `npx codebyplan sync` once and re-read. Break-glass fallback: MCP `get_checkpoints`/`get_tasks` when state dir absent and sync fails. |
+| _(empty)_ | Read `.codebyplan/state/todos.json` → find the active in-progress task. If missing/stale, run `npx codebyplan sync` once and re-read. Break-glass fallback: MCP `get_current_task(repo_id)` when state dir absent and sync fails. |
 
 If no in-progress task, show error and stop.
 
 ### Step 2: Verify Rounds Complete and Validated
 
-Use MCP `get_rounds` for the task. Verify all rounds are `completed`.
+Read `.codebyplan/state/checkpoints/<checkpointId>/tasks/<taskId>/rounds/*.json` (local-first). If missing/stale, run `npx codebyplan sync` once and re-read. Break-glass fallback: MCP `get_rounds` when state dir absent and sync fails. Verify all rounds are `completed`.
 
 If any round is `in_progress`:
 
@@ -132,11 +132,11 @@ Skip the push only when nothing was committed in Step 5 AND `/cbp-merge-main` re
 
 ### Step 6: Update Task Files
 
-`update_task(task_id, files_changed: aggregated_files)`.
+`codebyplan task update --id <taskId> --checkpoint-id <checkpointId> --files-changed '<json>'` (CLI write-through: local state file + REST). Break-glass fallback: MCP `update_task(task_id, files_changed: aggregated_files)` when CLI is unavailable.
 
 ### Step 7: Complete Task
 
-Call `complete_task(task_id)`. `caller_worktree_id` (CHK-140 TASK-7) identifies the calling worktree and is auto-injected by the `cbp-mcp-caller-worktree-inject.sh` PreToolUse hook (CHK-198 TASK-2); the server falls back to the repo `main` worktree only when it is absent, then enforces the mutate-lock. The server auto-clears `assigned_user_id` + `assigned_worktree_id` on the task; if this was the last sibling task, it also clears the parent checkpoint's assignment. (Per CHK-104 hard-lock.)
+MCP `complete_task(task_id)` — kept on MCP because the CLI `codebyplan task complete` sends an empty POST body and cannot forward `caller_worktree_id`, which the server uses to enforce the mutate-lock. `caller_worktree_id` is auto-injected by the `cbp-mcp-caller-worktree-inject.sh` PreToolUse hook (CHK-198 TASK-2); the server falls back to the repo `main` worktree only when it is absent, then enforces the mutate-lock. The server auto-clears `assigned_user_id` + `assigned_worktree_id` on the task; if this was the last sibling task, it also clears the parent checkpoint's assignment. (Per CHK-104 hard-lock.)
 
 ### Step 8: Run Cleanup + Migration (inline)
 
@@ -164,7 +164,9 @@ Then route. Same-context transitions (next task in this checkpoint) auto-trigger
 checkpoint_id := current_task.checkpoint_id
 if checkpoint_id is null  → error (should never happen — standalone tasks use /cbp-standalone-task-complete)
 else
-  siblings := get_tasks(checkpoint_id) minus current_task
+  // Read sibling tasks from local state (already synced by Step 1.5)
+  siblings := .codebyplan/state/checkpoints/<checkpointId>/tasks/*.json minus current_task
+  // Break-glass: MCP get_tasks(checkpoint_id) when state dir absent and sync fails
   all_done := every sibling has status === 'completed'
   if all_done                → CHECKPOINT-DONE; go to 9c
   else                       → MORE-TASKS-IN-CHECKPOINT; go to 9b
@@ -193,8 +195,8 @@ Do NOT use AskUserQuestion here — this is a directive, not a menu. The user ru
 
 - **Triggered by**: `/cbp-task-testing` (auto, when ALL PASS) — NOT directly from `/cbp-task-check`
 - **Chain**: `/cbp-task-check` → `/cbp-task-testing` → `/cbp-task-complete`
-- **Reads**: MCP `get_current_task`, `get_rounds`, `get_tasks`
-- **Writes**: MCP `update_task`, `complete_task`
+- **Reads**: `.codebyplan/state/checkpoints/*.json`, `checkpoints/<id>/tasks/*.json`, `checkpoints/<id>/tasks/<id>/rounds/*.json`, `todos.json` (local-first; `npx codebyplan sync` on miss; MCP `get_current_task`/`get_rounds`/`get_tasks` break-glass)
+- **Writes**: `codebyplan task update` for `files_changed` (CLI write-through; MCP `update_task` break-glass); MCP `complete_task` for task completion (kept MCP — CLI cannot forward `caller_worktree_id`)
 - **Uses skills (inline, no sub-agent)**: `cleanup` (if deletions), `migration` (if exports renamed)
 - **Triggers**: Same-context transitions auto-trigger via the Skill tool (next task in checkpoint → `/cbp-task-start {N}`). Cross-context transitions emit a directive `Next: /clear, then /cbp-X` for the user to invoke.
 - **Checkpoint-bound only** — for standalone tasks use `/cbp-standalone-task-complete`

package/templates/skills/cbp-task-create/SKILL.md

@@ -32,7 +32,7 @@ Stop and redirect to `/cbp-standalone-task-create`.
 
 ### Step 1: Get Current Checkpoint
 
-Use MCP `get_current_task` with repo_id to find the active checkpoint.
+Read local state `.codebyplan/state/checkpoints/<id>.json` to find the active checkpoint; on miss run `npx codebyplan sync` once and re-read. Use MCP `get_current_task` as documented break-glass when the state dir is absent and sync fails (daemon-dead + CLI-unavailable).
 
 If no active checkpoint, show error and stop.
 
@@ -56,7 +56,7 @@ Please describe:
 
 ### Step 3: Load Existing Tasks
 
-Use MCP `get_tasks` for the checkpoint. Review:
+Read local state `.codebyplan/state/checkpoints/<id>/tasks/*.json` to load existing tasks for the checkpoint; on miss run `npx codebyplan sync` once and re-read. Use MCP `get_tasks` as documented break-glass when the state dir is absent and sync fails. Review:
 - Existing task titles and requirements
 - Task statuses (completed, in_progress, pending)
 - Dependencies between tasks
@@ -90,6 +90,8 @@ Before calling `create_task` for a finding, run a two-step dedup + bundle check:
 mcp__codebyplan__get_tasks(repo_id, standalone=true, status="pending")
 ```
 
+> **Note**: this `get_tasks(standalone=true)` call stays MCP — there is no local-state equivalent for cross-checkpoint standalone task listing.
+
 Compare the proposed task to each pending standalone task on these match dimensions:
 
 | Match dimension | Action if matched |
@@ -140,7 +142,7 @@ Find logical position in task order:
 
 ### Step 7: Create Task
 
-Use MCP `create_task` with:
+Use `codebyplan task create --checkpoint-id <id> ...` (CLI write-through) to create the task. Use MCP `create_task` as documented break-glass when the CLI is unavailable. Provide:
 - **title**: Concise task title
 - **requirements**: Numbered requirements list
 - **context**: Include decisions from Q&A, dependencies, source findings
@@ -190,7 +192,7 @@ Waiting for user to decide next step.
 
 ## Integration
 
-- **Reads**: MCP `get_current_task`, `get_tasks`
-- **Writes**: MCP `create_task`
+- **Reads**: Local state `.codebyplan/state/checkpoints/<id>.json` + `.../tasks/<id>.json`; on miss `npx codebyplan sync` once; MCP `get_current_task` / `get_tasks` as documented break-glass when the state dir is absent and sync fails. Step 3.5 dedup `get_tasks(standalone=true)` stays MCP — no local-state equivalent for standalone listing.
+- **Writes**: `codebyplan task create --checkpoint-id <id> ...` (CLI write-through); MCP `create_task` break-glass.
 - **Triggered by**: `/cbp-task-check` (suggested), `/cbp-task-testing` (suggested), user manual
 - **Does NOT auto-trigger** next command — user decides

package/templates/skills/cbp-task-start/SKILL.md

@@ -20,7 +20,7 @@ Parse the argument using the canonical chk-task-round notation (see `cbp-round-s
 | Shape | Regex | Resolves to |
 |-------|-------|-------------|
 | `{chk}-{task}` (e.g. `108-1`) | `^[0-9]+-[0-9]+$` | Checkpoint-bound: CHK-{chk} TASK-{task} |
-| _(empty)_ | — | Use MCP `get_current_task` to find the next pending task |
+| _(empty)_ | — | Resolve from local state per Step 1.5/2 (MCP `get_current_task` break-glass) — the next pending task |
 | `{task}` (bare number) | — | **Error**: "Use /cbp-standalone-task-start {N} instead — bare numbers no longer route to standalone tasks." |
 
 Anything else is malformed — surface this error and stop:
@@ -51,8 +51,8 @@ Given the parse from Step 1:
 
 | Parse | Resolution path |
 |-------|-----------------|
-| `{chk}-{task}` | MCP `get_checkpoints(repo_id)` → filter `number === {chk}` (must exist). MCP `get_tasks(checkpoint_id)` → filter `number === {task}` (must exist). |
-| _(empty)_ | MCP `get_current_task(repo_id)` — output gives both checkpoint (if any) and task. When multiple checkpoints are active and the result is ambiguous, surface the disambiguation prompt and stop. |
+| `{chk}-{task}` | Read `.codebyplan/state/checkpoints/*.json` (local-first) → filter `number === {chk}`. Read `.codebyplan/state/checkpoints/<id>/tasks/*.json` → filter `number === {task}`. If the state dir is missing or stale, run `npx codebyplan sync` once and re-read. Break-glass fallback: MCP `get_checkpoints`/`get_tasks` when the state dir is absent and sync fails (daemon-dead + CLI-unavailable). |
+| _(empty)_ | Read `.codebyplan/state/todos.json` (local-first) → find the next pending task. If missing/stale, run `npx codebyplan sync` once and re-read. Break-glass fallback: MCP `get_current_task(repo_id)` when the state dir is absent and sync fails. When multiple checkpoints are active and the result is ambiguous, surface the disambiguation prompt and stop. |
 
 If any required row is missing, surface this and stop:
 
@@ -135,7 +135,7 @@ After successful switch:
 
 1. Re-run `git branch --show-current` to confirm `current == TARGET`. If not, fail loudly — something raced.
 2. **Persist for next time**:
-   - Checkpoint with `branch_name: null` → `update_checkpoint(checkpoint_id, branch_name: TARGET)`
+   - Checkpoint with `branch_name: null` → `codebyplan checkpoint update --id <checkpoint-id> --branch-name TARGET` (CLI write-through; break-glass: MCP `update_checkpoint`)
    - Checkpoint with existing `branch_name` → no write (already canonical)
 3. One-line confirmation in output: `Branch: [TARGET] (switched from [previous])`. No prompt, no waiting.
 
@@ -157,8 +157,8 @@ Skip this step if the task title and requirements contain no CVE ID (`CVE-YYYY-N
 
 1. Run `pnpm audit --json` from the monorepo root. If it fails (network, registry), surface the error and stop — do NOT start a CVE task without a clean snapshot.
 2. Parse the advisory list from the JSON output.
-3. Call MCP `get_tasks(repo_id)`; for each advisory, match by ID in task title/requirements.
-4. For every advisory with no matching open task, call MCP `create_task` per `cbp-task-create` Step 3.5 "Immediate Issue Capture Contract".
+3. Read `.codebyplan/state/checkpoints/<checkpointId>/tasks/*.json` (local-first; if missing/stale run `npx codebyplan sync` once; break-glass: MCP `get_tasks`); for each advisory, match by ID in task title/requirements.
+4. For every advisory with no matching open task, run `codebyplan task create --checkpoint-id <id> ...` (CLI write-through; break-glass: MCP `create_task`) per `cbp-task-create` Step 3.5 "Immediate Issue Capture Contract".
 5. Report the sweep result:
    ```
    ## CVE/GHSA Audit Sweep
@@ -175,7 +175,7 @@ Before activating the task, verify the caller's worktree matches the assigned wo
 
 1. Read caller worktree: `CALLER_WT=$(npx codebyplan resolve-worktree 2>/dev/null)`.
 2. Determine target worktree:
-   - **Checkpoint-bound tasks**: `TARGET_WT = checkpoint.worktree_id` (read from MCP `get_checkpoints`). Note: checkpoint-bound tasks may have a NULL `task.assigned_worktree_id` because the lock lives on the parent checkpoint — fall through to `checkpoint.worktree_id`.
+   - **Checkpoint-bound tasks**: `TARGET_WT = checkpoint.worktree_id` (read from the local checkpoint file already loaded in Step 2). Note: checkpoint-bound tasks may have a NULL `task.assigned_worktree_id` because the lock lives on the parent checkpoint — fall through to `checkpoint.worktree_id`.
 3. If `TARGET_WT IS NOT NULL AND TARGET_WT != CALLER_WT`, surface this error and abort:
 
    ```
@@ -206,12 +206,12 @@ Before loading context, check if the feat branch has drifted from the production
 
 ### Step 4: Load Context
 
-Load context from DB:
+Load context from local state files:
 
-1. **Checkpoint context**: decisions, discoveries, dependencies, constraints
-2. **Task context**: task-specific decisions and requirements
-3. **Task research**: if any research was done
-4. **Previous rounds**: check for completed rounds via MCP `get_rounds`
+1. **Checkpoint context**: decisions, discoveries, dependencies, constraints — from `.codebyplan/state/checkpoints/<checkpointId>.json`
+2. **Task context**: task-specific decisions and requirements — from `.codebyplan/state/checkpoints/<checkpointId>/tasks/<taskId>.json`
+3. **Task research**: if any research was done — from the task file's `context` field
+4. **Previous rounds**: check for completed rounds — read `.codebyplan/state/checkpoints/<checkpointId>/tasks/<taskId>/rounds/*.json`. If missing/stale, run `npx codebyplan sync` once and re-read. Break-glass fallback: MCP `get_rounds` when state dir absent and sync fails.
 
 Display context summary:
 
@@ -230,9 +230,7 @@ Display context summary:
 
 ### Step 5: Set Task Status
 
-Use MCP `update_task(task_id, status: "in_progress")`.
-
-If worktree_id present, include `claim_worktree_id` to auto-claim the checkpoint. `caller_worktree_id` (CHK-140 TASK-7) identifies the calling worktree and is auto-injected by the `cbp-mcp-caller-worktree-inject.sh` PreToolUse hook (CHK-198 TASK-2); the server falls back to the repo `main` worktree only when it is absent.
+`codebyplan task update --id <taskId> --checkpoint-id <checkpointId> --status in_progress` (CLI write-through: local state file + REST). If a worktree_id is present, also pass `--claim-worktree-id <worktreeId>` to auto-claim the checkpoint (the CLI passes all flags as snake-case PATCH fields). Break-glass fallback: MCP `update_task(task_id, status: "in_progress", claim_worktree_id: ..., caller_worktree_id: ...)` when the CLI is unavailable — note `caller_worktree_id` is auto-injected by the `cbp-mcp-caller-worktree-inject.sh` PreToolUse hook only on the MCP path.
 
 ### Step 6: Auto-trigger Round Start
 
@@ -247,6 +245,6 @@ Trigger `/cbp-round-start` with **no argument**. Do NOT pass the task identifier
 ## Integration
 
 - **Gates**: Step 2.5 permission gate — asks the user to confirm before any side effect; **Cancel** aborts cleanly with no writes. Fires on every invocation (manual, auto-trigger, auto-loop).
-- **Reads**: MCP `get_current_task`, `get_tasks`, `get_rounds`
-- **Writes**: MCP `update_task`
+- **Reads**: `.codebyplan/state/checkpoints/*.json`, `checkpoints/<id>/tasks/*.json`, `checkpoints/<id>/tasks/<id>/rounds/*.json`, `todos.json` (local-first; `npx codebyplan sync` on miss; MCP `get_current_task`/`get_tasks`/`get_rounds` break-glass)
+- **Writes**: `codebyplan task update` (CLI write-through; MCP `update_task` break-glass)
 - **Triggers**: `/cbp-round-start` (auto, round 1, no argument)

package/templates/skills/cbp-task-testing/SKILL.md

@@ -30,7 +30,7 @@ Parse the argument using the canonical chk-task-round notation (see `cbp-round-s
 | Shape | Regex | Resolves to |
 |-------|-------|-------------|
 | `{chk}-{task}` (e.g. `108-1`) | `^[0-9]+-[0-9]+$` | Checkpoint-bound: CHK-{chk} TASK-{task} |
-| _(empty)_ | — | Use MCP `get_current_task` to find the active in-progress task |
+| _(empty)_ | — | Resolve from local state per Step 1.5/2 (MCP `get_current_task` break-glass) — the active in-progress task |
 | `{task}` (bare number) | — | **Error**: "Use /cbp-standalone-task-testing {N} instead — bare numbers no longer route to standalone tasks." |
 
 Anything else is malformed — surface this error and stop:
@@ -60,14 +60,14 @@ Given the parse from Step 1:
 
 | Parse | Resolution path |
 |-------|-----------------|
-| `{chk}-{task}` | MCP `get_checkpoints(repo_id)` → filter `number === {chk}`. MCP `get_tasks(checkpoint_id)` → filter `number === {task}`. |
-| _(empty)_ | MCP `get_current_task(repo_id)` — finds the active in-progress task. |
+| `{chk}-{task}` | Read `.codebyplan/state/checkpoints/*.json` → filter `number === {chk}`. Read `.codebyplan/state/checkpoints/<id>/tasks/*.json` → filter `number === {task}`. If missing/stale, run `npx codebyplan sync` once and re-read. Break-glass fallback: MCP `get_checkpoints`/`get_tasks` when state dir absent and sync fails. |
+| _(empty)_ | Read `.codebyplan/state/todos.json` → find the active in-progress task. If missing/stale, run `npx codebyplan sync` once and re-read. Break-glass fallback: MCP `get_current_task(repo_id)` when state dir absent and sync fails. |
 
 If no in-progress task, show error and stop.
 
 ### Step 2: Verify All Rounds Complete
 
-Use MCP `get_rounds(task_id)`. Verify all rounds are `completed`. If any still `in_progress`:
+Read `.codebyplan/state/checkpoints/<checkpointId>/tasks/<taskId>/rounds/*.json` (local-first). If missing/stale, run `npx codebyplan sync` once and re-read. Break-glass fallback: MCP `get_rounds(task_id)` when state dir absent and sync fails. Verify all rounds are `completed`. If any still `in_progress`:
 
 ```
 ## Cannot Run Task Testing
@@ -202,20 +202,20 @@ Collect failures from automated tests (Step 6), cross-round code review (Step 6.
 
 ### Step 10: Save Results
 
+`codebyplan task update --id <taskId> --checkpoint-id <checkpointId> --context '<json>'` (CLI write-through: local state file + REST), merging `task_testing_output` into the existing context object. Break-glass fallback: MCP `update_task` when CLI is unavailable.
+
 ```ts
-update_task(task_id, {
-  context: {
-    ...existing,
-    task_testing_output: {
-      claude_tests: [...],
-      cross_round_code_findings: [...],   // from Step 6.5
-      user_tests: [...],
-      problems_found: [...],
-      all_passed: boolean,
-      summary: { total, passed, failed, pending }
-    }
+// context payload to merge:
+{
+  task_testing_output: {
+    claude_tests: [...],
+    cross_round_code_findings: [...],   // from Step 6.5
+    user_tests: [...],
+    problems_found: [...],
+    all_passed: boolean,
+    summary: { total, passed, failed, pending }
   }
-})
+}
 ```
 
 ### Step 11: Route Based on Results
@@ -269,7 +269,7 @@ Waiting for user to run `/cbp-task-create`.
 
 ## Integration
 
-- **Reads**: MCP `get_current_task`, `get_rounds`, all aggregated files
-- **Writes**: MCP `update_task` (context.task_testing_output)
+- **Reads**: `.codebyplan/state/checkpoints/*.json`, `checkpoints/<id>/tasks/*.json`, `checkpoints/<id>/tasks/<id>/rounds/*.json`, `todos.json` (local-first; `npx codebyplan sync` on miss; MCP `get_current_task`/`get_rounds` break-glass), plus all aggregated files
+- **Writes**: `codebyplan task update` (CLI write-through; MCP `update_task` break-glass)
 - **Triggers**: `/cbp-task-complete` (auto, when ALL PASS)
 - **Triggered by**: user runs `/cbp-task-testing {chk-task}` per directive from `/cbp-task-check` on READY verdict (after `/cbp-round-execute`-driven validation completed all rounds)

package/templates/skills/cbp-todo/SKILL.md

@@ -40,7 +40,7 @@ npx codebyplan whoami --json   # → {"user_id":"<uuid>","email":"…"} or null
 
 ### Step 1: Read the Todo Queue (pure-read)
 
-With `USER_ID` resolved, call MCP `get_todos({ repo_id, user_id, worktree_id })` (omit `worktree_id` when `WORKTREE_ID` is `null` or unresolved — that returns only unscoped rows). Take **`rows[0]`** as the queue head (ordered by `sort_order`).
+With `USER_ID` resolved, read `.codebyplan/state/todos.json` (local-first). If missing or stale (`_cursor.json` absent or `sync_status !== "synced"`), run `npx codebyplan sync` once and re-read. Break-glass fallback: MCP `get_todos({ repo_id, user_id, worktree_id })` when the state dir is absent and sync fails. Filter by `user_id` and `worktree_id` (omit `worktree_id` when `WORKTREE_ID` is `null` or unresolved). Take **`rows[0]`** as the queue head (ordered by `sort_order`).
 
 - The head carries `command`, `instructions`, `state`, `metadata`, `worktree_id`, `checkpoint_id`, `task_id`.
 - The routing context (checkpoint/task) lives in **`rows[0].metadata`**.
@@ -53,7 +53,7 @@ Queue `command` values may use the `/codebyplan:<name>` plugin-namespace form (e
 
 Resolve the routing target's checkpoint and gate on ownership BEFORE any auto-trigger — including the Step 1.6 planning hand-offs. Refuse to route into, plan, or start work locked to a different worktree.
 
-Resolve the checkpoint from `rows[0].metadata` (or MCP `get_current_task`), then load its `worktree_id` + `plan` + `status` via MCP `get_checkpoints` and its task count via MCP `get_tasks(checkpoint_id)`. This single load is reused by the Step 1.6 planning gate. Skip this gate when the routing target has no checkpoint (idle — see Step 3) or the command is `/cbp-session-start`.
+Resolve the checkpoint from `rows[0].metadata` (or read `.codebyplan/state/session/current.json` for the active task, falling back to MCP `get_current_task`), then load its `worktree_id` + `plan` + `status` from `.codebyplan/state/checkpoints/<id>.json` (falling back to MCP `get_checkpoints`) and its task count from `.codebyplan/state/checkpoints/<id>/tasks/` files (falling back to MCP `get_tasks(checkpoint_id)`). This single load is reused by the Step 1.6 planning gate. Skip this gate when the routing target has no checkpoint (idle — see Step 3) or the command is `/cbp-session-start`.
 
 Two ownership signals:
 
@@ -64,7 +64,7 @@ Two ownership signals:
    - target `worktree_id` non-null **AND** caller `WORKTREE_ID` is `null`/unresolved → **block** (deliberate safety: identity cannot be confirmed. This does not contradict Step 0 — reading the queue is fine, auto-triggering INTO assigned work is not. Run `npx codebyplan setup` to register this worktree).
    - target `worktree_id` non-null and differs from a non-null caller → **block**.
 
-On block, resolve the owning worktree's `name` + `path` via MCP `get_worktrees({ repo_id })` (match by id), then emit and STOP:
+On block, resolve the owning worktree's `name` + `path` via MCP `get_worktrees({ repo_id })` (display-only ownership-block path — no CLI verb exists for worktrees; stays MCP), then emit and STOP:
 
 ```
 ⚠ Work mismatch: CHK-<NNN> TASK-<N> is assigned to worktree <name> (<short-uuid>), not this one (<this-name> / <this-short-uuid>).
@@ -83,7 +83,7 @@ Ownership passed (Step 1.5). Now guard against a lagging queue routing into alre
 Reject the auto-trigger when EITHER holds:
 
 - The target checkpoint's `status` is `completed` or `cancelled`.
-- Every task returned by `get_tasks(checkpoint_id)` (loaded in Step 1.5) has status `completed` or `cancelled` — no actionable task remains.
+- Every task from `.codebyplan/state/checkpoints/<id>/tasks/` (loaded in Step 1.5; fallback MCP `get_tasks(checkpoint_id)`) has status `completed` or `cancelled` — no actionable task remains.
 
 On reject, surface the mismatch — naming the head command and the stale entity — then **STOP** (do not auto-trigger the head command). Use the variant matching the trigger condition:
 
@@ -123,33 +123,33 @@ Skip this gate when the routing target has no checkpoint (idle — see Step 3) o
 
 Once the gates pass, load the context the head command needs. This ensures `/clear` + `/cbp-todo` reliably restores full working context.
 
-**Use the context loading matrix below.** Match the `command` (in its `/cbp-<name>` form) to determine what to load.
+**Use the context loading matrix below.** Match the `command` (in its `/cbp-<name>` form) to determine what to load. For all reads: use `.codebyplan/state/` local files first; run `npx codebyplan sync` and re-read if stale; MCP break-glass when state dir absent and sync fails.
 
 | Command Pattern | Context to Load |
 |----------------|-----------------|
 | `/cbp-session-start` | None — `/cbp-session-start` handles its own loading |
-| `/cbp-checkpoint-create` | If checkpoint exists in `rows[0].metadata`: load checkpoint via MCP `get_checkpoints` (filter by number). Display checkpoint title, goal, ideas summary |
-| `/cbp-checkpoint-plan` | Load checkpoint via MCP `get_checkpoints` (filter by number) + `get_tasks(checkpoint_id)`. Display checkpoint title, goal, ideas, existing task count |
-| `/cbp-checkpoint-start` | Load checkpoint via MCP `get_checkpoints` + `get_tasks(checkpoint_id)`. Display checkpoint title, status, claim state, first pending task |
-| `/cbp-task-start [N]` | Load via MCP `get_current_task`. Display checkpoint title + task title/requirements summary |
-| `/cbp-round-start` | Load via MCP `get_current_task` + `get_rounds(task_id)`. Display checkpoint + task + round count + last round summary |
-| `/cbp-round-update` | Load via MCP `get_current_task` + `get_rounds(task_id)`. Display checkpoint + task + files_changed triage summary (claude_approved, findings, hard_fail) |
+| `/cbp-checkpoint-create` | If checkpoint exists in `rows[0].metadata`: load checkpoint from `.codebyplan/state/checkpoints/<id>.json` (fallback MCP `get_checkpoints`). Display checkpoint title, goal, ideas summary |
+| `/cbp-checkpoint-plan` | Load checkpoint from `.codebyplan/state/checkpoints/<id>.json` + task files under `checkpoints/<id>/tasks/` (fallback MCP `get_checkpoints` + `get_tasks`). Display checkpoint title, goal, ideas, existing task count |
+| `/cbp-checkpoint-start` | Load checkpoint + task files from local state (fallback MCP `get_checkpoints` + `get_tasks`). Display checkpoint title, status, claim state, first pending task |
+| `/cbp-task-start [N]` | Load from `.codebyplan/state/session/current.json` (fallback MCP `get_current_task`). Display checkpoint title + task title/requirements summary |
+| `/cbp-round-start` | Load from local state session + round files (fallback MCP `get_current_task` + `get_rounds`). Display checkpoint + task + round count + last round summary |
+| `/cbp-round-update` | Load from local state session + round files (fallback MCP `get_current_task` + `get_rounds`). Display checkpoint + task + files_changed triage summary (claude_approved, findings, hard_fail) |
 | `/cbp-round-input` | **Full context load** (see Step 2b) |
-| `/cbp-task-check` | Load via MCP `get_current_task`. Display checkpoint + task + files summary |
-| `/cbp-task-testing` | Load via MCP `get_current_task` + `get_rounds(task_id)`. Display checkpoint + task + testing status summary |
-| `/cbp-task-create` | Load via MCP `get_current_task`. Display checkpoint + task list summary |
-| `/cbp-task-complete` | Load via MCP `get_current_task`. Display checkpoint + task summary |
-| `/cbp-checkpoint-complete` | Load via MCP `get_current_task`. Display checkpoint summary |
+| `/cbp-task-check` | Load from local state session (fallback MCP `get_current_task`). Display checkpoint + task + files summary |
+| `/cbp-task-testing` | Load from local state session + round files (fallback MCP `get_current_task` + `get_rounds`). Display checkpoint + task + testing status summary |
+| `/cbp-task-create` | Load from local state session (fallback MCP `get_current_task`). Display checkpoint + task list summary |
+| `/cbp-task-complete` | Load from local state session (fallback MCP `get_current_task`). Display checkpoint + task summary |
+| `/cbp-checkpoint-complete` | Load from local state session (fallback MCP `get_current_task`). Display checkpoint summary |
 | *(no command / idle)* | See Step 3 — suggest `/cbp-session-end` |
 
-**For any unrecognized command:** Load via MCP `get_current_task` as a safe default. Display whatever context is available.
+**For any unrecognized command:** Load from local state session (fallback MCP `get_current_task`) as a safe default. Display whatever context is available.
 
 ### Step 2b: Full Context Load (for `/cbp-round-input`)
 
 This is the most context-dependent command. Load everything:
 
-1. **MCP `get_current_task`** — checkpoint (title, goal, context with decisions/discoveries) + task (title, requirements, context, files_changed, QA)
-2. **MCP `get_rounds(task_id)`** — all rounds for the task (requirements, context with executor_output/testing_qa_output, QA)
+1. **Local state** `.codebyplan/state/session/current.json` → checkpoint + task (title, goal, context with decisions/discoveries, requirements, files_changed, QA). Fallback: MCP `get_current_task`.
+2. **Local round files** `.codebyplan/state/checkpoints/<id>/tasks/<id>/rounds/*.json` — all rounds for the task. Fallback: MCP `get_rounds(task_id)`.
 
 Display a brief context summary:
 
@@ -172,7 +172,7 @@ Display a brief context summary:
 
 Reached when `get_todos` returns `[]` or `USER_ID` was unavailable.
 
-1. **Fallback discovery** (worktree-scoped): MCP `get_current_task({ repo_id, worktree_id })` and `get_checkpoints({ repo_id, worktree_id, status: 'active' })` to discover whether actionable work exists for this caller.
+1. **Fallback discovery** (worktree-scoped): read `.codebyplan/state/session/current.json` and scan `.codebyplan/state/checkpoints/` for active checkpoints (fallback: MCP `get_current_task` + `get_checkpoints`) to discover whether actionable work exists for this caller.
 2. **Actionable work found** → treat the discovered checkpoint as the routing target and apply BOTH the Step 1.5 ownership gate and the Step 1.6 planning gate to it, using the `worktree_id` + `plan` + `status` returned by `get_checkpoints` (the fallback has no `rows[0]` — substitute the discovered checkpoint). If both gates pass, route via Step 2 → Step 4.
 3. **Nothing actionable** → suggest ending the session:
 
@@ -193,5 +193,5 @@ Reached only when the Step 1.5 ownership gate allowed routing to continue, the S
 
 - **Called by**: `/cbp-session-start`, `/cbp-task-complete`, `/cbp-checkpoint-complete`, manual, after `/clear`
 - **Resolves**: `npx codebyplan resolve-worktree --json` (worktree id + distress signal), `npx codebyplan whoami --json` (user id)
-- **Reads**: MCP `get_todos`, `get_current_task`, `get_rounds`, `get_checkpoints`, `get_tasks`, `get_worktrees`
+- **Reads**: `.codebyplan/state/todos.json`, `session/current.json`, `checkpoints/<id>.json`, `checkpoints/<id>/tasks/<id>.json`, `checkpoints/<id>/tasks/<id>/rounds/<id>.json`, `worktrees.json`. If missing/stale, run `npx codebyplan sync` once and re-read. Break-glass: MCP `get_todos`, `get_current_task`, `get_rounds`, `get_checkpoints`, `get_tasks` when state dir absent and sync fails. `get_worktrees` stays MCP (display-only ownership-block path; no CLI verb).
 - **Triggers**: `rows[0].command` (auto, after the Step 1.5 ownership gate and Step 1.55 stale-entity guard pass, and the Step 1.6 planning gate falls through); Step 1.55 overrides to STOP (stale completed/cancelled entity); Step 1.6 overrides to `/cbp-checkpoint-plan` (unplanned) or `/cbp-checkpoint-start` (planned-but-pending)

package/templates/skills/supabase/CHANGELOG.md

@@ -0,0 +1,35 @@
+# Changelog
+
+## [0.1.4](https://github.com/supabase/agent-skills/compare/v0.1.3...v0.1.4) (2026-06-05)
+
+
+### Features
+
+* add instructions to check changelog ([#74](https://github.com/supabase/agent-skills/issues/74)) ([4bb13d8](https://github.com/supabase/agent-skills/commit/4bb13d858d19f1f848505a66f46fc9603fdcde95))
+* add npm supply-chain security guidance to supabase skill ([#94](https://github.com/supabase/agent-skills/issues/94)) ([82df90a](https://github.com/supabase/agent-skills/commit/82df90a5de1cd84386d8bc192746e50343b86dc0))
+* instructions on exposing tables to the data api ([#71](https://github.com/supabase/agent-skills/issues/71)) ([f15a5a4](https://github.com/supabase/agent-skills/commit/f15a5a40779072a530c9e53c3f14ec4131118ea6))
+* using Supabase agent skills ([#12](https://github.com/supabase/agent-skills/issues/12)) ([7c2e389](https://github.com/supabase/agent-skills/commit/7c2e3894fddfde8eb6c77d2a8921904543b9be7a))
+
+
+### Bug Fixes
+
+* bump supabase skill to v0.1.1 and fix Data API broken link ([#72](https://github.com/supabase/agent-skills/issues/72)) ([5a6542e](https://github.com/supabase/agent-skills/commit/5a6542e08fc026d90c9a6a0f5a67749e9ceb9946))
+* cover SECURITY DEFINER, auth.role() deprecation, and BOLA in security checklist ([#85](https://github.com/supabase/agent-skills/issues/85)) ([133f43e](https://github.com/supabase/agent-skills/commit/133f43e8c2ffc48823ff0630c692cabecea3e3a3))
+* update Data API doc link and bump supabase skill to v0.1.1 ([#73](https://github.com/supabase/agent-skills/issues/73)) ([e5f7a7c](https://github.com/supabase/agent-skills/commit/e5f7a7cfd697765848ffd6a4505f3c02e1ee17ee))
+
+## [0.1.3](https://github.com/supabase/agent-skills/compare/v0.1.2...v0.1.3) (2026-06-02)
+
+
+### Features
+
+* add instructions to check changelog ([#74](https://github.com/supabase/agent-skills/issues/74)) ([4bb13d8](https://github.com/supabase/agent-skills/commit/4bb13d858d19f1f848505a66f46fc9603fdcde95))
+* add npm supply-chain security guidance to supabase skill ([#94](https://github.com/supabase/agent-skills/issues/94)) ([82df90a](https://github.com/supabase/agent-skills/commit/82df90a5de1cd84386d8bc192746e50343b86dc0))
+* instructions on exposing tables to the data api ([#71](https://github.com/supabase/agent-skills/issues/71)) ([f15a5a4](https://github.com/supabase/agent-skills/commit/f15a5a40779072a530c9e53c3f14ec4131118ea6))
+* using Supabase agent skills ([#12](https://github.com/supabase/agent-skills/issues/12)) ([7c2e389](https://github.com/supabase/agent-skills/commit/7c2e3894fddfde8eb6c77d2a8921904543b9be7a))
+
+
+### Bug Fixes
+
+* bump supabase skill to v0.1.1 and fix Data API broken link ([#72](https://github.com/supabase/agent-skills/issues/72)) ([5a6542e](https://github.com/supabase/agent-skills/commit/5a6542e08fc026d90c9a6a0f5a67749e9ceb9946))
+* cover SECURITY DEFINER, auth.role() deprecation, and BOLA in security checklist ([#85](https://github.com/supabase/agent-skills/issues/85)) ([133f43e](https://github.com/supabase/agent-skills/commit/133f43e8c2ffc48823ff0630c692cabecea3e3a3))
+* update Data API doc link and bump supabase skill to v0.1.1 ([#73](https://github.com/supabase/agent-skills/issues/73)) ([e5f7a7c](https://github.com/supabase/agent-skills/commit/e5f7a7cfd697765848ffd6a4505f3c02e1ee17ee))

package/templates/skills/supabase/PROVENANCE.md

@@ -0,0 +1,50 @@
+# Provenance
+
+This skill is vendored from the official Supabase **agent-skills** project.
+
+| Field | Value |
+|-------|-------|
+| Upstream | https://github.com/supabase/agent-skills |
+| Upstream path | `skills/supabase/` |
+| Pinned commit | `1356046015476711a769601079262b5635929427` |
+| Vendored on | 2026-06-08 |
+| Skill version | `0.1.2` in `SKILL.md` frontmatter — but the vendored content is current to release **`0.1.4`** (2026-06-05) per `CHANGELOG.md`; upstream does not bump `metadata.version` per release, so trust the pinned commit + `CHANGELOG.md`, not the frontmatter field, when assessing drift |
+| License | MIT |
+
+The **only** CodeByPlan modification is the added `scope: org-shared` line in the
+`SKILL.md` frontmatter (required by the CBP `.claude/` scope-marker convention —
+`rules/scope-vocabulary.md`). Everything else — the `SKILL.md` body, `references/`,
+`assets/`, and `CHANGELOG.md` — is upstream-verbatim.
+
+## Refresh
+
+Re-vendor when upstream publishes a newer version (typically on a `codebyplan`
+package release):
+
+1. Re-fetch every file under the upstream path above, pinned to the latest commit.
+2. Re-inject the single `scope: org-shared` frontmatter line into `SKILL.md`.
+3. Copy the result into **both** `packages/codebyplan-package/templates/skills/supabase/`
+   and the byte-identical `.claude/skills/supabase/` twin (GATE 6 sibling-identity).
+4. Update the pinned commit + version in this file.
+
+## License (MIT)
+
+Copyright (c) 2026 Supabase
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.