codebyplan 1.13.42 → 1.13.44

package/dist/cli.js

@@ -39,7 +39,7 @@ var VERSION, PACKAGE_NAME;
 var init_version = __esm({
   "src/lib/version.ts"() {
     "use strict";
-    VERSION = "1.13.42";
+    VERSION = "1.13.44";
     PACKAGE_NAME = "codebyplan";
   }
 });
@@ -29596,6 +29596,35 @@ function patchBump(version3) {
   const patch = parseInt(coreMatch[3], 10);
   return `${hasV ? "v" : ""}${major}.${minor}.${patch + 1}`;
 }
+function prereleaseBump(version3, id) {
+  const hasV = version3.startsWith("v");
+  const stripped = hasV ? version3.slice(1) : version3;
+  const coreMatch = stripped.match(/^(\d+)\.(\d+)\.(\d+)/);
+  if (!coreMatch) {
+    return version3;
+  }
+  const major = parseInt(coreMatch[1], 10);
+  const minor = parseInt(coreMatch[2], 10);
+  const patchSeg = coreMatch[3];
+  const prefix = hasV ? "v" : "";
+  const preMatch = stripped.match(/^\d+\.\d+\.\d+-(.+)$/);
+  if (preMatch) {
+    const preSuffix = preMatch[1];
+    const idDotPrefix = id + ".";
+    if (preSuffix.startsWith(idDotPrefix)) {
+      const nStr = preSuffix.slice(idDotPrefix.length);
+      const n = parseInt(nStr, 10);
+      if (!isNaN(n) && /^\d+$/.test(nStr)) {
+        return `${prefix}${coreMatch[1]}.${coreMatch[2]}.${patchSeg}-${id}.${n + 1}`;
+      }
+    }
+    if (preSuffix === id) {
+      return `${prefix}${coreMatch[1]}.${coreMatch[2]}.${patchSeg}-${id}.1`;
+    }
+    return `${prefix}${major}.${minor + 1}.0-${id}.1`;
+  }
+  return `${prefix}${major}.${minor + 1}.0-${id}.1`;
+}
 function compareSemver(a, b) {
   const parseCore = (v) => {
     const stripped = v.startsWith("v") ? v.slice(1) : v;
@@ -29676,6 +29705,7 @@ async function runBump(opts) {
   const cwd = resolve3(opts?.cwd ?? process.cwd());
   const dryRun = opts?.dryRun ?? false;
   const now = opts?.now ?? (/* @__PURE__ */ new Date()).toISOString().slice(0, 10);
+  const prereleaseId = opts?.prereleaseId;
   const baseBranch = await readBaseBranch(cwd);
   const baseRef = resolveBaseRef(cwd, baseBranch);
   const diffResult = spawnSync5(
@@ -29749,7 +29779,7 @@ async function runBump(opts) {
     }
     const pkgJsonRelPath = relative5(cwd, pkgJsonPath).replace(/\\/g, "/");
     const baseRaw = gitShowFile(cwd, baseRef, pkgJsonRelPath);
-    if (baseRaw !== null) {
+    if (baseRaw !== null && !prereleaseId) {
       const baseVersion = extractVersion(baseRaw, pkgJsonPath);
       if (baseVersion !== null && compareSemver(currentVersion, baseVersion) > 0) {
         entries.push({
@@ -29765,7 +29795,7 @@ async function runBump(opts) {
         continue;
       }
     }
-    const nextVersion = patchBump(currentVersion);
+    const nextVersion = prereleaseId ? prereleaseBump(currentVersion, prereleaseId) : patchBump(currentVersion);
     const updatedVersionFiles = [];
     const skippedVersionFiles = [];
     for (const { abs, rel } of versionFileCandidates) {
@@ -29842,7 +29872,7 @@ function parseFlagsFromArgs6(args) {
 }
 function printBumpHelp() {
   process.stdout.write(
-    "\n  codebyplan bump\n\n  Detect changed workspace packages and patch-bump their versions.\n  Does NOT commit or push \u2014 pure version-file + changelog edits.\n\n  Flags:\n    --dry-run   Preview planned bumps without writing any files\n    --json      Write structured JSON output to stdout\n\n"
+    "\n  codebyplan bump [--prerelease <id>]\n\n  Detect changed workspace packages and patch-bump their versions.\n  Does NOT commit or push \u2014 pure version-file + changelog edits.\n\n  Flags:\n    --dry-run          Preview planned bumps without writing any files\n    --json             Write structured JSON output to stdout\n    --prerelease <id>  Cut/iterate a prerelease (X.Y.Z \u2192 X.(Y+1).0-id.1; id.N \u2192 id.N+1). Default id: beta\n\n"
   );
 }
 function printHumanResult(result) {
@@ -29883,12 +29913,18 @@ async function runBumpCommand(args) {
     printBumpHelp();
     process.exit(0);
   }
-  const { booleans } = parseFlagsFromArgs6(args);
+  const { flags, booleans } = parseFlagsFromArgs6(args);
   const dryRun = booleans.has("dry-run");
   const jsonOutput = booleans.has("json");
+  let prereleaseId;
+  if (flags["prerelease"] !== void 0) {
+    prereleaseId = flags["prerelease"] || "beta";
+  } else if (booleans.has("prerelease")) {
+    prereleaseId = "beta";
+  }
   let result;
   try {
-    result = await runBump({ dryRun });
+    result = await runBump({ dryRun, prereleaseId });
   } catch (err) {
     process.stderr.write(
       `bump: ${err instanceof Error ? err.message : String(err)}
@@ -35518,7 +35554,7 @@ void (async () => {
     codebyplan watch status           Show daemon status (--json for machine-readable)
     codebyplan watch run              Run daemon in foreground (used internally by start)
     codebyplan round sync-approvals   Sync git diff and approvals with round/task state
-    codebyplan bump                   Detect changed packages and patch-bump versions
+    codebyplan bump [--prerelease <id>]  Detect changed packages and patch-bump versions
     codebyplan ship                  Ship current feat branch to production via PR
     codebyplan upload-e2e-images     Upload new/changed committed e2e PNGs for a checkpoint
     codebyplan scaffold-publish-workflow   Write the publish-on-main GitHub workflow into ./.github/workflows/

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "codebyplan",
-  "version": "1.13.42",
+  "version": "1.13.44",
   "description": "CLI for CodeByPlan — AI-powered development planning and tracking",
   "type": "module",
   "bin": {

package/templates/agents/cbp-round-executor.md

@@ -212,6 +212,16 @@ If modifying managed files (`.claude/*`, `.claude/docs/architecture/*`, etc.):
 
 **Why:** Routing commands do this automatically. If you bypass routing, you MUST do source consultation manually. Skills contain coding patterns and conventions that must be followed.
 
+### Step 2.4: Architecture Map Consultation
+
+For ANY module you are about to edit (app code or managed files), check for a pre-computed architecture map:
+
+1. For each path in `files_to_modify`, derive its module and Glob `.claude/architecture/<module-slug>.md`.
+2. If a map exists, read it BEFORE Step 3 — it surfaces the module's boundaries, internal structure, dependencies, and where-things-live landmarks, reducing broad file-system scans.
+3. If `.claude/architecture/` is absent or the module has no map, proceed without it (not a blocker).
+
+See `.claude/context/architecture-map.md` for the full consultation contract. Unlike Step 2 (managed files only), this step fires for every round regardless of file type.
+
 ### Step 2.5: Search Before Creating
 
 For each file with action `create` in `files_to_modify`:

package/templates/agents/cbp-task-planner.md

@@ -376,6 +376,11 @@ delegation_hint:
 
 Read `.claude/rules/*.md` and relevant architecture docs.
 
+If `.claude/architecture/` contains map file(s) for the target module(s), read them before
+finalizing scope — they provide pre-computed structural context (boundaries, dependencies,
+landmarks) that reduces the need for broad file-system scans. See
+`.claude/context/architecture-map.md` for the consultation contract.
+
 ### Phase 4: Clarify Requirements (Context-First)
 
 Before any AskUserQuestion call, check (1) `checkpoint.context`, (2) `task.context`, (3) codebase via Grep/Glob/Read. Only ask if all three fail. When asking, prefix with `Checked: [sources]. Not found. Asking: [question]`. If a question IS answered in context, use that answer directly — do not re-ask.

package/templates/github-workflows/publish.yml

@@ -2,14 +2,16 @@
 #
 # This workflow publishes the codebyplan npm package on every merge to main
 # where the committed package.json version exceeds the version currently on npm.
-# No release PR, no conventional-commit parsing — the version committed in the
-# feat branch is the version that ships.
+# It also auto-publishes prerelease versions (e.g. 1.14.0-beta.1) from feat/**
+# branches to a scoped dist-tag (e.g. --tag beta) — see the beta channel docs
+# for the full workflow. No release PR, no conventional-commit parsing — the
+# version committed in the feat branch is the version that ships.
 #
 # Two values a consuming repo must adjust:
 #   1. paths: — set to the package directory whose package.json drives versioning
 #              (current value: 'packages/codebyplan-package/**')
 #   2. npm view <package-name> — replace `codebyplan` with the actual package name
-#              in the "Check version vs published" step
+#              in the "Check version vs published" and exact-version check steps
 #
 # Everything else (OIDC auth, pnpm 10.12.4, Node 20, build:npm → publish) is
 # intentionally generic and works as-is for any single-package npm publish.
@@ -20,6 +22,7 @@ on:
   push:
     branches:
       - main
+      - "feat/**"
     paths:
       - "packages/codebyplan-package/**"
   workflow_dispatch:
@@ -40,6 +43,7 @@ jobs:
     outputs:
       should_publish: ${{ steps.check.outputs.should_publish }}
       version: ${{ steps.check.outputs.version }}
+      dist_tag: ${{ steps.check.outputs.dist_tag }}
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -54,27 +58,80 @@ jobs:
           fi
           echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
 
-          # Pre-release versions (e.g. 1.2.3-beta.1) must never auto-publish to the
-          # 'latest' dist-tag — sort -V is not semver-aware for pre-release suffixes,
-          # and this workflow always publishes to latest. Publish pre-releases
-          # manually with `npm publish --tag <pre-id>`. The version core (X.Y.Z) has
-          # no hyphen, so any '-' marks a pre-release.
+          # Compute dist-tag from version:
+          #   prerelease (contains hyphen) → extract id between '-' and first '.'
+          #   e.g.  1.14.0-beta.1 → "beta";  1.14.0-rc.1 → "rc"
+          #   stable → "latest"
           case "$VERSION" in
             *-*)
-              echo "VERSION=${VERSION} is a pre-release — skipping auto-publish."
-              echo "should_publish=false" >> "$GITHUB_OUTPUT"
-              exit 0
+              PRE_ID="${VERSION#*-}"
+              DIST_TAG="${PRE_ID%%.*}"
+              ;;
+            *)
+              DIST_TAG="latest"
               ;;
           esac
+          echo "dist_tag=${DIST_TAG}" >> "$GITHUB_OUTPUT"
 
-          # Manual dispatch: always publish (recovery / forced re-publish path).
+          # ── workflow_dispatch ──────────────────────────────────────────────
+          # Manual trigger: always publish (recovery / forced re-publish path).
+          # Uses the computed dist_tag so manual prerelease publishes are tagged
+          # correctly.
           if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
-            echo "Manual dispatch — skipping gt check, will publish."
+            echo "Manual dispatch — will publish (dist-tag: ${DIST_TAG})."
             echo "should_publish=true" >> "$GITHUB_OUTPUT"
             exit 0
           fi
 
-          # Push path: compare committed version against the npm registry.
+          # ── feat/** push ───────────────────────────────────────────────────
+          # C4 guard: three conditions must hold before publishing from feat/**:
+          #   (1) prerelease-required: stable versions on feat/** are skipped.
+          #   (2) exact-version check: if this exact version is already on npm, skip.
+          #   (3) path filter: already enforced by on.push.paths above.
+          case "${{ github.ref }}" in
+            refs/heads/feat/*)
+              case "$VERSION" in
+                *-*)
+                  # Prerelease — check if this exact version already exists on npm.
+                  EXACT_OUT=$(npm view "codebyplan@${VERSION}" version 2>&1)
+                  EXACT_EXIT=$?
+                  if [ "$EXACT_EXIT" -eq 0 ]; then
+                    echo "VERSION=${VERSION} already published — skipping (exact-version guard)."
+                    echo "should_publish=false" >> "$GITHUB_OUTPUT"
+                    exit 0
+                  fi
+                  if echo "$EXACT_OUT" | grep -q "E404"; then
+                    echo "VERSION=${VERSION} not yet published — will publish (dist-tag: ${DIST_TAG})."
+                    echo "should_publish=true" >> "$GITHUB_OUTPUT"
+                    exit 0
+                  fi
+                  # Non-E404 failure: transient registry error — abort to avoid
+                  # a duplicate publish in a degraded state.
+                  echo "ERROR: npm view codebyplan@${VERSION} failed (exit ${EXACT_EXIT}): ${EXACT_OUT}"
+                  exit 1
+                  ;;
+                *)
+                  # C4 prerelease-required gate: stable versions on feat/** skip.
+                  echo "VERSION=${VERSION} is not a prerelease — feat/** branches require a prerelease version (e.g. run 'codebyplan bump --prerelease beta'). Skipping."
+                  echo "should_publish=false" >> "$GITHUB_OUTPUT"
+                  exit 0
+                  ;;
+              esac
+              ;;
+          esac
+
+          # ── main push ──────────────────────────────────────────────────────
+          # Prerelease versions must never auto-publish to latest from main.
+          # The version core (X.Y.Z) has no hyphen, so any '-' marks a prerelease.
+          case "$VERSION" in
+            *-*)
+              echo "VERSION=${VERSION} is a pre-release — skipping auto-publish on main (use a feat/** branch or workflow_dispatch)."
+              echo "should_publish=false" >> "$GITHUB_OUTPUT"
+              exit 0
+              ;;
+          esac
+
+          # Stable on main: compare committed version against the npm registry.
           # Distinguish "never published" (E404 → first publish) from a transient
           # registry/network error (abort rather than blindly publish).
           NPM_OUT=$(npm view codebyplan version 2>&1)
@@ -88,7 +145,9 @@ jobs:
             echo "ERROR: npm view failed (exit ${NPM_EXIT}): ${NPM_OUT}"
             exit 1
           fi
-          PUBLISHED="$NPM_OUT"
+          # Extract the first semver-looking line so a registry deprecation/advisory
+          # notice in NPM_OUT cannot corrupt the sort -V comparison below.
+          PUBLISHED=$(printf '%s\n' "$NPM_OUT" | grep -E '^[0-9]+\.[0-9]+\.[0-9]+' | head -n1)
 
           # sort -V: version-aware sort. If VERSION sorts AFTER PUBLISHED, it is greater.
           GREATER=$(printf '%s\n%s\n' "$PUBLISHED" "$VERSION" | sort -V | tail -n1)
@@ -147,7 +206,7 @@ jobs:
         working-directory: packages/codebyplan-package
         run: |
           echo "dry_run=true — skipping actual publish."
-          echo "Would publish: codebyplan@${{ needs.check-version.outputs.version }}"
+          echo "Would publish: codebyplan@${{ needs.check-version.outputs.version }} (dist-tag: ${{ needs.check-version.outputs.dist_tag }})"
 
       # No NODE_AUTH_TOKEN: npm >= 11.5.1 exchanges the GitHub OIDC token for a
       # short-lived publish token. Requires a Trusted Publisher configured for
@@ -158,10 +217,14 @@ jobs:
       # source repository visibility: private" otherwise). This works for both
       # public and private repos. If your source repo is PUBLIC and you want
       # supply-chain attestation, add `--provenance` to the command below.
+      #
+      # --tag: routes stable publishes to "latest" and prerelease publishes to
+      # the prerelease id (e.g. "beta", "rc"). C1 guarantee: betas never land on
+      # "latest" because dist_tag is computed from the version string.
       - name: Publish to npm
         if: ${{ github.event_name != 'workflow_dispatch' || inputs.dry_run != true }}
         working-directory: packages/codebyplan-package
-        run: npm publish --access public
+        run: npm publish --access public --tag ${{ needs.check-version.outputs.dist_tag }}
 
   tag-and-release:
     name: Tag + GitHub release
@@ -199,9 +262,18 @@ jobs:
           if gh release view "${TAG}" > /dev/null 2>&1; then
             echo "GitHub release ${TAG} already exists — skipping."
           else
-            gh release create "${TAG}" \
-              --title "codebyplan v${VERSION}" \
-              --notes "codebyplan v${VERSION} — published to npm: https://www.npmjs.com/package/codebyplan/v/${VERSION} (install: npm install -g codebyplan@${VERSION})" \
-              --latest
+            # C1 guard: prerelease versions get --prerelease (NOT --latest);
+            # stable versions get --latest (existing behaviour preserved).
+            if echo "${VERSION}" | grep -q "-"; then
+              gh release create "${TAG}" \
+                --title "codebyplan v${VERSION}" \
+                --notes "codebyplan v${VERSION} — published to npm: https://www.npmjs.com/package/codebyplan/v/${VERSION} (install: npm install -g codebyplan@${VERSION})" \
+                --prerelease
+            else
+              gh release create "${TAG}" \
+                --title "codebyplan v${VERSION}" \
+                --notes "codebyplan v${VERSION} — published to npm: https://www.npmjs.com/package/codebyplan/v/${VERSION} (install: npm install -g codebyplan@${VERSION})" \
+                --latest
+            fi
             echo "Created GitHub release ${TAG}."
           fi

package/templates/skills/cbp-session-start/SKILL.md

@@ -12,7 +12,7 @@ Activate the session, open a fresh session log, and surface the previous log's p
 
 ## Instructions
 
-Run Steps 0 through 5.8 silently (no intermediate output) — except Step 0 aborts the session on MCP failure, Step 1.4 may surface a one-line fast-forward note or warning, Step 1.5 may surface a one-line infra-drift nudge, Step 1.6 may run an install-and-halt path, Step 1.7 may surface a one-line LSP binary nudge, Step 4.5 may auto-resume a handoff and exit session-start entirely (no Step 6 output), and Step 5.7 may surface an approval gate. (Step numbers are organizational labels; execution order is 0 → 1 → 1.4 → 1.5 → 1.6 → 1.7 → 3 → 4 → 4.5 → 5 → 5.7 → 5.8 → 6 → 7.) Produce ONE output block at Step 6, then auto-trigger or stop per Step 7.
+Run Steps 0 through 5.8 silently (no intermediate output) — except Step 0 aborts the session on MCP failure, Step 1.4 may surface a one-line fast-forward note or warning, Step 1.5 may surface a one-line infra-drift nudge, Step 1.55 may surface a one-line architecture-map drift nudge, Step 1.6 may run an install-and-halt path, Step 1.7 may surface a one-line LSP binary nudge, Step 4.5 may auto-resume a handoff and exit session-start entirely (no Step 6 output), and Step 5.7 may surface an approval gate. (Step numbers are organizational labels; execution order is 0 → 1 → 1.4 → 1.5 → 1.55 → 1.6 → 1.7 → 3 → 4 → 4.5 → 5 → 5.7 → 5.8 → 6 → 7.) Produce ONE output block at Step 6, then auto-trigger or stop per Step 7.
 
 ### Step 0: MCP Health Gate
 
@@ -91,9 +91,37 @@ Surface — never block — when this worktree's source-monorepo `.claude/` infr
 
 Fully non-blocking; every failure path falls through with no output.
 
+### Step 1.55: Architecture-Map Drift Check
+
+Surface — never block — when this repo's generated `.claude/architecture/` maps have
+gone stale (a mapped module's source was committed past the SHA stamped in
+`.codebyplan/architecture.json`). Runs after the infra-drift check (Step 1.5) and may add
+one line to the Step 6 output. This is the freshness nudge for the architecture-map
+pipeline (mirrors the infra-drift pattern; the analog for first-party code maps):
+
+- **No manifest** — `.codebyplan/architecture.json` absent → skip silently (the repo has
+  no maps yet; nothing to drift-check).
+- **Manifest present** — run the drift probe best-effort and count drifted modules:
+
+  ```bash
+  npx codebyplan arch-map drift 2>/dev/null | grep -c '^[[:space:]]*DRIFTED' || true
+  ```
+
+  If the count is `> 0`, hold this single line for Step 6:
+
+  ```
+  ⚠ .claude/architecture is N module(s) stale — run /cbp-refresh-arch-map
+  ```
+
+  A count of `0` (all maps fresh, no stamped modules, or any probe failure) emits nothing.
+
+Fully non-blocking; every failure path falls through with no output. The `arch-map` CLI is
+itself hook-safe (exits 0 on any internal error), so a missing or too-old `codebyplan`
+binary simply yields a zero count and no line.
+
 ### Step 1.6: Package Freshness Gate
 
-Check whether a newer `codebyplan` is published and safe to auto-install on this worktree's current branch. Runs AFTER the infra-drift check (Step 1.5) and BEFORE session activation (Step 3).
+Check whether a newer `codebyplan` is published and safe to auto-install on this worktree's current branch. Runs AFTER the architecture-map drift check (Step 1.55) and BEFORE session activation (Step 3).
 
 ```bash
 VERSION_JSON=$(npx codebyplan version-status 2>/dev/null)
@@ -231,6 +259,9 @@ Session active | Worktree: [worktree_id or "unregistered"]
 
 [⚠ resolve-worktree: <error_kind> — local state is broken; routing may be unreliable. Run `npx codebyplan setup` to repair. — only when error_kind is non-null and not tuple_miss]
 
+[⚠ .claude/ infra is N behind — run /cbp-refresh-infra — only when Step 1.5 found drift]
+[⚠ .claude/architecture is N module(s) stale — run /cbp-refresh-arch-map — only when Step 1.55 found drift]
+
 Previous session: [title or "none"]
   Pending: [pending items from previous log, or "—"]
 
@@ -257,7 +288,7 @@ Three-branch gate using `owned_count` and `total_count` from Step 5.8:
 
 - **Triggered by**: user invocation, `/clear` recovery
 - **Resolves**: `npx codebyplan resolve-worktree --json` (worktree id + distress signal; non-tuple-miss distress is non-blocking at session-start)
-- **Reads**: `.codebyplan/repo.json`, `.codebyplan/git.json` (`branch_config.production` for the Step 1.4 home-branch fast-forward), MCP `health_check` (Step 0 hard gate — stays MCP unconditionally); local-first reads (with `npx codebyplan sync` + MCP break-glass): `.codebyplan/state/session/current.json` (Step 4 previous log + Step 4.5 handoff probe), `.codebyplan/state/checkpoints/<id>.json` / `tasks/<id>.json` / `rounds/<id>.json` (Step 4.5 freshness probe), `.codebyplan/state/todos.json` (Step 5.7 active-task lookup); MCP `get_checkpoints({ repo_id, status: 'active' })` (Step 5.8 ownership partition — MCP only, no local mirror for active-filter query); `scripts/infra-drift.mjs` + a best-effort `git fetch` (Step 1.5 monorepo drift); `npx codebyplan version-status` (Step 1.6 package-freshness gate); `npx codebyplan lsp --check` (Step 1.7 LSP binary nudge — reads `.codebyplan/lsp.json`, non-blocking). Reads at Step 3 and later do NOT fire on a Step 0 MCP hard-fail or the Step 1.6 update-and-halt path
+- **Reads**: `.codebyplan/repo.json`, `.codebyplan/git.json` (`branch_config.production` for the Step 1.4 home-branch fast-forward), MCP `health_check` (Step 0 hard gate — stays MCP unconditionally); local-first reads (with `npx codebyplan sync` + MCP break-glass): `.codebyplan/state/session/current.json` (Step 4 previous log + Step 4.5 handoff probe), `.codebyplan/state/checkpoints/<id>.json` / `tasks/<id>.json` / `rounds/<id>.json` (Step 4.5 freshness probe), `.codebyplan/state/todos.json` (Step 5.7 active-task lookup); MCP `get_checkpoints({ repo_id, status: 'active' })` (Step 5.8 ownership partition — MCP only, no local mirror for active-filter query); `scripts/infra-drift.mjs` + a best-effort `git fetch` (Step 1.5 monorepo drift); `npx codebyplan arch-map drift` + `.codebyplan/architecture.json` presence (Step 1.55 architecture-map drift nudge, non-blocking); `npx codebyplan version-status` (Step 1.6 package-freshness gate); `npx codebyplan lsp --check` (Step 1.7 LSP binary nudge — reads `.codebyplan/lsp.json`, non-blocking). Reads at Step 3 and later do NOT fire on a Step 0 MCP hard-fail or the Step 1.6 update-and-halt path
 - **Writes**: `codebyplan session create-log` (Step 5 — CLI write-through; break-glass: MCP `create_session_log`), `codebyplan session update-state --action activate` (Step 3 — CLI write-through to `.codebyplan/state/session/state.json`; break-glass: MCP `update_session_state`) — both SKIPPED on a Step 0 MCP hard-fail and on the Step 1.6 update-and-halt path
 - **Spawns**: none
 - **Triggers**: `/cbp-git-commit` (conditional, on user approval at Step 5.7 or the Step 1.6 update path), `handoff.command` (on fresh handoff hit at Step 4.5), `/cbp-todo` (auto fall-through when owned_count >= 1 or total_count === 0; STOPS with no trigger when total_count >= 1 AND owned_count === 0; NOT triggered on a Step 0 hard-fail or the Step 1.6 update-and-halt path)