codebyplan 1.13.43 → 1.13.45

package/templates/skills/cbp-build-cc-mode/SKILL.md

@@ -39,11 +39,12 @@ A skill that carries a `model:` line is a **gap** — remove it unless a deliber
 
 ### Agents — `model:` + `effort:`
 
-Default `model: sonnet` + `effort: xhigh`. Fifteen of the 16 authoring agents take the default (`cbp-cc-executor`, `cbp-database-agent`, `cbp-improve-claude`, `cbp-improve-round`, `cbp-research`, `cbp-round-executor`, `cbp-security-agent`, `cbp-task-check`, `cbp-task-planner`, `cbp-testing-qa-agent`, `cbp-e2e-playwright`, `cbp-e2e-maestro`, `cbp-e2e-tauri`, `cbp-e2e-vscode`, `cbp-e2e-xcuitest`). The 16th is the one exception:
+Default `model: sonnet` + `effort: xhigh`. Fifteen of the 17 authoring agents take the default (`cbp-cc-executor`, `cbp-database-agent`, `cbp-improve-claude`, `cbp-improve-round`, `cbp-research`, `cbp-round-executor`, `cbp-security-agent`, `cbp-task-check`, `cbp-task-planner`, `cbp-testing-qa-agent`, `cbp-e2e-playwright`, `cbp-e2e-maestro`, `cbp-e2e-tauri`, `cbp-e2e-vscode`, `cbp-e2e-xcuitest`). The other two are exceptions:
 
-| agent                | model | effort | reason                                                                              |
-| -------------------- | ----- | ------ | ----------------------------------------------------------------------------------- |
-| cbp-mechanical-edits | haiku | low    | Mechanical rename/substitution/frontmatter-edit subagent; no judgment, pure dispatch |
+| agent                | model  | effort | reason                                                                              |
+| -------------------- | ------ | ------ | ----------------------------------------------------------------------------------- |
+| cbp-mechanical-edits | haiku  | low    | Mechanical rename/substitution/frontmatter-edit subagent; no judgment, pure dispatch |
+| cbp-map-architecture | sonnet | high   | Read-only module analyzer; bounded structured-map generation, lighter than xhigh     |
 
 `model: inherit` is NOT permitted for agents — pin an explicit alias (`sonnet` / `haiku`) or a full ID.
 
@@ -53,18 +54,13 @@ A skill's `effort:` applies to the inline-running turn (the orchestrator turn th
 
 ## Audit Mode
 
-Invoked with no arguments. Procedure:
-
-1. Glob `packages/codebyplan-package/templates/agents/*.md` and `packages/codebyplan-package/templates/skills/*/SKILL.md`.
-2. For each file, read the frontmatter and parse `model:` + `effort:`.
-3. Apply the convention by surface:
-   - **Skill**: `model:` MUST be ABSENT; `effort:` MUST be present and one of `low`/`medium`/`high`/`xhigh`/`max` (default `xhigh`).
-   - **Agent**: `model:` MUST be present (per the agent table; default `sonnet`); `effort:` present (default `xhigh`).
-4. Emit one pipe-delimited line per file: `path | current_model/current_effort | expected | status`.
-5. Status values:
-   - `ok` — matches the convention.
-   - `gap` — a skill that carries a `model:` line, a skill missing `effort:`, an agent missing/incorrect `model:`, or any missing/invalid `effort:`.
-6. Print a summary: total audited, count `ok`, count `gap`.
+Run `codebyplan claude audit-mode` — it scans `packages/codebyplan-package/templates/agents/*.md` and `packages/codebyplan-package/templates/skills/*/SKILL.md`, applies the convention from the matrix above, and emits a pipe-delimited table:
+
+```
+path | surface | model/effort | expected | status
+```
+
+Plus a summary line: `N audited, N ok, N gaps`. Exits 0 when all files comply; exits 1 on any gap. Pass `--json` for a machine-readable entries array.
 
 The audit is read-only.
 

package/templates/skills/cbp-build-cc-rule/SKILL.md

@@ -153,7 +153,17 @@ ln -s ~/company-standards/security.md .claude/rules/security.md
 
 Claude Code resolves symlinks normally. Circular symlinks are detected.
 
-### Step 8 — Verify loading
+### Step 8 — Validate
+
+Run the validator:
+
+```bash
+bash "${CLAUDE_SKILL_DIR}/scripts/validate-rule.sh" "{scope-path}/{name}.md"
+```
+
+It checks: YAML frontmatter present, `scope:` field present and valid enum value, H1 heading present and its kebab-case form matches the filename, `paths:` field (warns if absent — unconditional rules burn context on every session), line count (warns at 100, errors at 200).
+
+### Step 9 — Verify loading
 
 Run `/memory` in a fresh Claude Code session to confirm the rule is listed. If path-scoped, open a file matching the glob to confirm it triggers.
 

package/templates/skills/cbp-build-cc-rule/scripts/validate-rule.sh

@@ -0,0 +1,69 @@
+#!/bin/bash
+# @scope: org-shared
+# Validate a Claude Code rule file at .claude/rules/{name}.md.
+# Usage: validate-rule.sh <path-to-rule-file>
+# Exit 0 = valid, exit 1 = invalid (errors printed to stderr).
+
+set -euo pipefail
+
+FILE="${1:?Usage: validate-rule.sh <path-to-rule-file>}"
+
+if [ ! -f "$FILE" ]; then
+  echo "ERROR: file not found: $FILE" >&2
+  exit 1
+fi
+
+errors=0
+err() { echo "  - $1" >&2; errors=$((errors + 1)); }
+
+# Frontmatter must be present
+if ! head -1 "$FILE" | grep -qE '^---[[:space:]]*$'; then
+  err "missing YAML frontmatter opener '---'"
+fi
+
+# Extract frontmatter block
+fm=$(awk '/^---[[:space:]]*$/{n++; next} n==1{print} n==2{exit}' "$FILE")
+
+# scope: field required + must match enum
+if ! grep -qE '^scope:[[:space:]]*' <<< "$fm"; then
+  err "missing CBP required field: scope (org-shared|project-shared|repo-only:<repo-name>)"
+else
+  scope_val=$(grep -E '^scope:' <<< "$fm" | head -1 | sed -E 's/^scope:[[:space:]]*//; s/[[:space:]]*$//')
+  if ! [[ "$scope_val" =~ ^(org-shared|project-shared|repo-only:[a-z0-9]([a-z0-9-]*[a-z0-9])?)$ ]]; then
+    err "scope value '$scope_val' is not a valid enum value (org-shared|project-shared|repo-only:<slug>)"
+  fi
+fi
+
+# H1 heading must be present and its kebab-case form must match the filename (sans .md)
+h1=$(grep -m1 '^# ' "$FILE" | sed 's/^# //' || true)
+if [ -z "$h1" ]; then
+  err "missing H1 heading"
+else
+  # Convert H1 to kebab-case: lowercase, spaces→hyphens, strip non-alnum chars (except hyphens)
+  h1_kebab=$(echo "$h1" | tr '[:upper:]' '[:lower:]' | sed 's/ /-/g; s/_/-/g; s/[^a-z0-9-]//g')
+  fname=$(basename "$FILE" .md)
+  if [ "$h1_kebab" != "$fname" ]; then
+    err "H1 '$h1' (kebab: '$h1_kebab') does not match filename '$(basename "$FILE")'"
+  fi
+fi
+
+# paths: warning only — unconditional rules load at every session start (use sparingly)
+if ! grep -qE '^paths:[[:space:]]*' <<< "$fm"; then
+  echo "  WARN: no paths: field — rule loads unconditionally at session start; use sparingly" >&2
+fi
+
+# Line count thresholds (matches cbp-build-cc-rule hook: warn ≥ 100, error ≥ 200)
+lines=$(wc -l < "$FILE")
+if [ "$lines" -ge 200 ]; then
+  err "rule file is $lines lines (hard limit 200; split on topic)"
+elif [ "$lines" -ge 100 ]; then
+  echo "  WARN: rule file is $lines lines (recommended max 100; consider splitting)" >&2
+fi
+
+if [ "$errors" -gt 0 ]; then
+  echo "validation FAILED ($errors issue(s)) for $FILE" >&2
+  exit 1
+fi
+
+echo "validation OK: $FILE"
+exit 0

package/templates/skills/cbp-build-cc-settings/SKILL.md

@@ -183,8 +183,8 @@ Applied to every session. Full env-var catalogue: the official Claude Code env-v
 ### Step 9 — Validate and verify
 
 ```bash
-# Pretty-print and validate JSON
-jq . .claude/settings.json
+# Validate structure, $schema, and permission-rule syntax
+bash "${CLAUDE_SKILL_DIR}/scripts/validate-settings.sh" "{scope-path}/settings.json"
 
 # Ask Claude Code itself
 # (inside a session)

package/templates/skills/cbp-build-cc-settings/scripts/validate-settings.sh

@@ -0,0 +1,67 @@
+#!/bin/bash
+# @scope: org-shared
+# Validate a Claude Code settings*.json file.
+# Usage: validate-settings.sh <path-to-settings-file>
+# Exit 0 = valid, exit 1 = invalid (errors printed to stderr).
+
+set -euo pipefail
+
+FILE="${1:?Usage: validate-settings.sh <path-to-settings-file>}"
+
+if [ ! -f "$FILE" ]; then
+  echo "ERROR: file not found: $FILE" >&2
+  exit 1
+fi
+
+errors=0
+err() { echo "  - $1" >&2; errors=$((errors + 1)); }
+
+# Requires jq
+if ! command -v jq &>/dev/null; then
+  echo "ERROR: jq is required but not found in PATH" >&2
+  exit 1
+fi
+
+# Must be valid JSON
+if ! jq -e . "$FILE" > /dev/null 2>&1; then
+  echo "validation FAILED (invalid JSON) for $FILE" >&2
+  exit 1
+fi
+
+# $schema key recommended
+if ! jq -e '."$schema"' "$FILE" > /dev/null 2>&1; then
+  echo "  WARN: no \$schema key — add \"https://json.schemastore.org/claude-code-settings.json\" for editor validation" >&2
+fi
+
+# Permission entry syntax: Tool or Tool(specifier) — e.g. Bash(git diff *), Read, mcp__foo__bar
+PERM_PATTERN='^[A-Za-z_][A-Za-z0-9_]*(\(.*\))?$'
+
+for tier in allow ask deny; do
+  while IFS= read -r entry; do
+    [ -z "$entry" ] && continue
+    if ! [[ "$entry" =~ $PERM_PATTERN ]]; then
+      err "permissions.$tier entry '$entry' does not match 'Tool' or 'Tool(specifier)' syntax"
+    fi
+  done < <(jq -r --arg tier "$tier" '.permissions[$tier][]? // empty' "$FILE" 2>/dev/null || true)
+done
+
+# No entry may appear in BOTH allow and ask (allow wins; having it in both is misleading)
+allow_list=$(jq -r '.permissions.allow[]? // empty' "$FILE" 2>/dev/null || true)
+ask_list=$(jq -r '.permissions.ask[]? // empty' "$FILE" 2>/dev/null || true)
+
+if [ -n "$allow_list" ] && [ -n "$ask_list" ]; then
+  while IFS= read -r entry; do
+    [ -z "$entry" ] && continue
+    if printf '%s\n' "$ask_list" | grep -qxF "$entry"; then
+      err "permission '$entry' appears in both allow and ask (allow wins; remove from ask)"
+    fi
+  done <<< "$allow_list"
+fi
+
+if [ "$errors" -gt 0 ]; then
+  echo "validation FAILED ($errors issue(s)) for $FILE" >&2
+  exit 1
+fi
+
+echo "validation OK: $FILE"
+exit 0

package/templates/skills/cbp-checkpoint-create/SKILL.md

@@ -88,14 +88,22 @@ This is the first identity-stamping point — when claiming, passing `worktree_i
 
 Read `.codebyplan/git.json` `branch_config.production` (default `"main"`) as `BASE`. codebyplan repos are main-only — never create or branch from a `development`/integration branch.
 
+Compute the slug deterministically:
+
+```bash
+SLUG=$(codebyplan slug "{checkpoint title}")
+```
+
+Then create and push the branch:
+
 ```bash
 git fetch origin "$BASE" 2>/dev/null || true
-git checkout -b "feat/CHK-{NNN}-{slug}" "origin/$BASE" 2>/dev/null \
-  || git checkout -b "feat/CHK-{NNN}-{slug}" "$BASE"
-git push -u origin "feat/CHK-{NNN}-{slug}"
+git checkout -b "feat/CHK-{NNN}-$SLUG" "origin/$BASE" 2>/dev/null \
+  || git checkout -b "feat/CHK-{NNN}-$SLUG" "$BASE"
+git push -u origin "feat/CHK-{NNN}-$SLUG"
 ```
 
-Slug: lowercase, dash-joined, punctuation dropped, ≤40 chars. Persist the branch via `codebyplan checkpoint update --id <checkpoint-id> --branch-name "feat/CHK-{NNN}-{slug}"` (CLI write-through; break-glass: MCP `update_checkpoint`). (The dedicated `/cbp-git-branch-feat-create` skill is the canonical config-driven helper if you prefer to delegate.)
+Persist the branch via `codebyplan checkpoint update --id <checkpoint-id> --branch-name "feat/CHK-{NNN}-$SLUG"` (CLI write-through; break-glass: MCP `update_checkpoint`). (The dedicated `/cbp-git-branch-feat-create` skill is the canonical config-driven helper if you prefer to delegate.)
 
 **Note — Supabase preview branch**: no Supabase branch is created here. Creation is lazy — it happens on the first DB change when `/cbp-supabase-migrate` runs on this feat branch, which provisions a Supabase branch named identically to the git branch. See `cbp-supabase-migrate` Step 2.3 for the creation protocol.
 

package/templates/skills/cbp-checkpoint-end/SKILL.md

@@ -166,12 +166,19 @@ Only after both the local and remote git delete above succeed, run a conditional
 
 > Lifecycle contract: see [[supabase-branch-lifecycle]].
 
-- Call `mcp__supabase__list_branches` with `project_id: rrvtrumtkhrsbhcyrwvf`.
-- Scan the returned list for an entry whose `name` exactly equals `$BRANCH`.
-- If found: call `mcp__supabase__delete_branch` with its `branch_id`. Record the branch name in `SUPABASE_BRANCHES_DELETED[]`.
-- If not found: no-op silently — the GitHub integration may have already removed it on PR close; not-found is success, NOT an error.
-- If the `list_branches` call itself fails (network, auth, or a non-success response — distinct from a successful lookup that returns no match): emit a non-blocking warning that the Supabase preview branch for `$BRANCH` may still exist and should be verified in the dashboard. Do not treat an API failure as a not-found success.
-- Never delete the parent project `rrvtrumtkhrsbhcyrwvf` itself or any persistent/production branch.
+- Resolve the parent project ref and apply the lifecycle guard in one deterministic call:
+
+  ```bash
+  codebyplan supabase teardown-preview "$BRANCH"
+  ```
+
+  Parse its JSON `{ status, parent_ref, project_ref, reason }`. The command never deletes anything — it reads the parent ref from `.codebyplan/shipment.json` (`.shipment.surfaces.supabase.project_ref`) and applies the protected / production / parent-ref guard from [[supabase-branch-lifecycle]].
+- If `status === "rejected"`: STOP the teardown for this branch and surface `reason` — never delete a production / protected / integration branch or one whose preview ref equals the parent.
+- Otherwise (`allowed` or `not_found`), use `parent_ref` for the live existence check — `mcp__supabase__list_branches` with `project_id: <parent_ref>`, then scan for an entry whose `name` exactly equals `$BRANCH`:
+  - If found: call `mcp__supabase__delete_branch` with its `branch_id`. Record the branch name in `SUPABASE_BRANCHES_DELETED[]`.
+  - If not found: no-op silently — the GitHub integration may have already removed it on PR close; not-found is success, NOT an error.
+  - If the `list_branches` call itself fails (network, auth, or a non-success response — distinct from a successful lookup that returns no match): emit a non-blocking warning that the Supabase preview branch for `$BRANCH` may still exist and should be verified in the dashboard. Do not treat an API failure as a not-found success.
+- Never delete the parent project (`parent_ref` from `codebyplan supabase teardown-preview`) itself or any persistent/production branch — the `teardown-preview` guard enforces this.
 
 Accumulate all Supabase branch names removed across the loop in `SUPABASE_BRANCHES_DELETED`.
 
@@ -198,11 +205,12 @@ git push origin --delete "$FEAT_BRANCH"
 
 After the feat branch git delete, run the same conditional Supabase teardown for `$FEAT_BRANCH`:
 
-- Call `mcp__supabase__list_branches` with `project_id: rrvtrumtkhrsbhcyrwvf`.
-- Scan for an entry whose `name` exactly equals `$FEAT_BRANCH`.
-- If found: call `mcp__supabase__delete_branch` with its `branch_id`. Add `$FEAT_BRANCH` to `SUPABASE_BRANCHES_DELETED[]`.
-- If not found: no-op silently — idempotent, not-found is success.
-- If the `list_branches` call itself fails (network, auth, or a non-success response — distinct from a successful lookup that returns no match): emit a non-blocking warning that the Supabase preview branch for `$FEAT_BRANCH` may still exist and should be verified in the dashboard. Do not treat an API failure as a not-found success.
+- Run `codebyplan supabase teardown-preview "$FEAT_BRANCH"` and parse its JSON `{ status, parent_ref, project_ref, reason }` (reads the parent ref from `.codebyplan/shipment.json`, applies the lifecycle guard, never deletes).
+- If `status === "rejected"`: STOP the teardown and surface `reason` — never delete a production / protected / integration branch or one whose preview ref equals the parent.
+- Otherwise (`allowed` or `not_found`), use `parent_ref` for the live existence check — `mcp__supabase__list_branches` with `project_id: <parent_ref>`, then scan for an entry whose `name` exactly equals `$FEAT_BRANCH`:
+  - If found: call `mcp__supabase__delete_branch` with its `branch_id`. Add `$FEAT_BRANCH` to `SUPABASE_BRANCHES_DELETED[]`.
+  - If not found: no-op silently — idempotent, not-found is success.
+  - If the `list_branches` call itself fails (network, auth, or a non-success response — distinct from a successful lookup that returns no match): emit a non-blocking warning that the Supabase preview branch for `$FEAT_BRANCH` may still exist and should be verified in the dashboard. Do not treat an API failure as a not-found success.
 
 ### Step 10: Save Shipment Results and Summary
 

package/templates/skills/cbp-git-commit/SKILL.md

@@ -108,21 +108,19 @@ REPO_PATH="$(git rev-parse --show-toplevel)"
 
 **If `--files` provided:** Use the manual file list.
 
-**If `--scope-task`:** Resolve via local state + intersection.
+**If `--scope-task`:** Resolve via the deterministic CLI.
+
+First, read `task.files_changed[].path` (local-first from `.codebyplan/state/checkpoints/*/tasks/*.json`; on miss run `npx codebyplan sync` once, then re-read; MCP `get_current_task` as documented break-glass when the state dir is absent and sync fails) and format as a CSV string. Then compute the intersection:
 
 ```bash
-# 1. Read task.files_changed[] from local state (glob for active task file)
-#    On miss: npx codebyplan sync once, then re-read.
-#    MCP get_current_task as documented break-glass when state dir absent + sync fails.
-task_paths=$(cat .codebyplan/state/checkpoints/*/tasks/*.json 2>/dev/null \
-  | jq -r 'select(.status=="in_progress") | .files_changed[].path' | head -n 200)
-# 2. Read staged paths
-staged_paths=$(git diff --cached --name-only)
-# 3. Compute intersection
-intersect=$(comm -12 <(echo "$task_paths" | sort) <(echo "$staged_paths" | sort))
+TASK_FILES_CSV="path1,path2,path3"  # CSV string of task.files_changed[].path (local-first)
+SCOPE_RESULT=$(codebyplan commit --scope-task --task-files "$TASK_FILES_CSV")
+# Parse JSON: { files: string[], count: number }
+FILES=$(echo "$SCOPE_RESULT" | jq -r '.files[]')
+COUNT=$(echo "$SCOPE_RESULT" | jq -r '.count')
 ```
 
-If `intersect` is empty: emit error and STOP.
+If `COUNT === 0` (empty `files[]`): emit error and STOP.
 
 ```
 ## Error: No Task Files Staged
@@ -135,7 +133,7 @@ Options:
 - Or use --all to commit the foreign-staged files instead.
 ```
 
-If non-empty: use `intersect` as the file list for Step 5.
+If `COUNT > 0`: use `FILES` as the file list for Step 5.
 
 **If `--task`, `--all`, or no scope:** No filtering — all staged files committed.
 

package/templates/skills/cbp-git-worktree-create/SKILL.md

@@ -159,59 +159,18 @@ If the main repo has no `.codebyplan/e2e.env` yet, provision it after setup by r
 cd "$WORKTREE_PATH" && git push -u origin "$BRANCH_NAME"
 ```
 
-### Step 9: Register Worktree in CodeByPlan
+### Step 9: Register Worktree and Write `.codebyplan/` Config
 
-Get the repo ID from CLAUDE.md (`Repo ID` in Key References table).
+Run `codebyplan worktree create "$BRANCH_NAME" --path "$WORKTREE_PATH"` and parse the JSON output (`{ worktree_files_written: boolean, mcp_registered: boolean, worktree_id?, warn? }`):
 
-Use MCP `create_worktree` to register the worktree in the CodeByPlan database:
+- If `warn` is present: surface it as a non-blocking warning.
+- Save the returned `worktree_id` for reference (if present).
 
-```
-MCP create_worktree:
-  repo_id: [repo-id from CLAUDE.md]
-  name: $BRANCH_NAME
-  path: $WORKTREE_PATH
-  status: "active"
-```
-
-Save the returned `worktree_id` for reference.
-
-### Step 10: Write `.codebyplan/` directory
-
-Create the `.codebyplan/` directory in the worktree root and write per-concern config stubs:
-
-```bash
-mkdir -p "$WORKTREE_PATH/.codebyplan"
-```
-
-Write `.codebyplan/repo.json` with the correct `repo_id`:
-
-```json
-{
-  "repo_id": "[repo-id from CLAUDE.md]"
-}
-```
-
-Write stubs for the other per-concern files (populated by `npx codebyplan sync` on first run):
-
-```bash
-# .codebyplan/server.json — server port and type config
-echo '{}' > "$WORKTREE_PATH/.codebyplan/server.json"
-
-# .codebyplan/git.json — branch config
-echo '{}' > "$WORKTREE_PATH/.codebyplan/git.json"
-
-# .codebyplan/shipment.json — surface shipment config
-echo '{}' > "$WORKTREE_PATH/.codebyplan/shipment.json"
-
-# .codebyplan/vendor.json — vendor docs path
-echo '{}' > "$WORKTREE_PATH/.codebyplan/vendor.json"
-```
-
-The `.codebyplan/device.local.json` file is created by `npx codebyplan setup` on the device (gitignored). The `worktree_id` is never COMMITTED; it may be cached per-device in the gitignored `.codebyplan/worktree.local.json` (branch-keyed, re-derivable via `codebyplan resolve-worktree --cache`), otherwise resolved at runtime from the `(device_id, repo path, branch)` tuple via `npx codebyplan resolve-worktree`.
+The CLI atomically writes the `.codebyplan/` directory with per-concern config stubs and registers the worktree in the CodeByPlan database. The `.codebyplan/device.local.json` file is created by `npx codebyplan setup` on the device (gitignored). The `worktree_id` is never COMMITTED; it may be cached per-device in the gitignored `.codebyplan/worktree.local.json` (branch-keyed, re-derivable via `codebyplan resolve-worktree --cache`), otherwise resolved at runtime from the `(device_id, repo path, branch)` tuple via `npx codebyplan resolve-worktree`.
 
 No need to mark as `skip-worktree` — the committed files are merge-safe per CHK-108 and CHK-120.
 
-### Step 11: Show Result
+### Step 10: Show Result
 
 ```
 ## Worktree Created
@@ -238,4 +197,4 @@ No need to mark as `skip-worktree` — the committed files are merge-safe per CH
 ## Integration
 
 - **Related**: `/cbp-git-worktree-remove` (cleanup and deregister)
-- **MCP tools**: `create_worktree`
+- **CLI**: `codebyplan worktree create <name> --path <abs>` (Step 9 — writes `.codebyplan/` config and registers worktree)

package/templates/skills/cbp-git-worktree-remove/SKILL.md

@@ -49,31 +49,17 @@ Set:
 - `WORKTREE_PATH` = resolved path
 - `BRANCH_NAME` = branch checked out in that worktree
 
-### Step 4: Look Up Worktree in CodeByPlan
+### Step 4: Look Up and Deregister Worktree in CodeByPlan
 
-Get the repo ID from CLAUDE.md (`Repo ID` in Key References table).
+Run `codebyplan worktree remove "$BRANCH_NAME"` and parse the JSON output (`{ mcp_deregistered: boolean, warn? }`):
 
-Use MCP `get_worktrees` to find the worktree record:
-
-```
-MCP get_worktrees:
-  repo_id: [repo-id from CLAUDE.md]
-  status: "active"
-```
-
-Match by `name` = `$BRANCH_NAME` or `path` = `$WORKTREE_PATH`.
-
-Set `WORKTREE_ID` = matched worktree's `id`.
-
-If not found in CodeByPlan, note it and continue with local removal.
+- If `warn` is present: surface it as a non-blocking warning. The worktree was not found in CodeByPlan or deregistration failed, but local removal will proceed.
+- If `mcp_deregistered === true`: worktree was successfully deregistered.
+- If `mcp_deregistered === false`: worktree was not registered or deregistration failed; continue with local removal.
 
 ### Step 5: Check for Assigned Checkpoints
 
-If `WORKTREE_ID` was found, warn if any checkpoints are assigned to this worktree:
-
-```
-⚠ This worktree has [N] checkpoint(s) assigned. They will become unassigned.
-```
+If the worktree was successfully deregistered in Step 4 (`mcp_deregistered === true`), any checkpoints that were assigned to it will become unassigned. This is expected behavior and requires no additional action.
 
 ### Step 6: Confirm with User
 
@@ -92,16 +78,7 @@ Ask:
 2. Remove worktree and delete branch
 3. Cancel
 
-### Step 7: Deregister from CodeByPlan
-
-If `WORKTREE_ID` was found, delete the worktree record:
-
-```
-MCP delete_worktree:
-  worktree_id: [worktree-id]
-```
-
-### Step 8: Remove Git Worktree
+### Step 7: Remove Git Worktree
 
 ```bash
 git worktree remove "$WORKTREE_PATH"
@@ -114,7 +91,7 @@ git worktree remove --force "$WORKTREE_PATH"
 
 Only use `--force` if the user confirms.
 
-### Step 9: Delete Branch (if requested)
+### Step 8: Delete Branch (if requested)
 
 **Protected branch check:** Read the protected set from `.codebyplan/git.json`:
 ```bash
@@ -135,15 +112,21 @@ After the git branch delete succeeds, run a conditional Supabase preview-branch
 
 > Lifecycle contract: see [[supabase-branch-lifecycle]].
 
-- Resolve the parent project ref: read `.codebyplan/shipment.json` `.shipment.surfaces.supabase.project_ref`; if absent or empty, read the first line of `supabase/.temp/project-ref`. Use that resolved ref as the `project_id`.
-- Call `mcp__supabase__list_branches` with the resolved `project_id`.
-- Scan the returned list for an entry whose `name` exactly equals `$BRANCH_NAME`.
-- If found: call `mcp__supabase__delete_branch` with its `branch_id`. Report "Supabase preview branch deleted: `$BRANCH_NAME`".
-- If not found: no-op silently — the GitHub integration may have already removed it on PR close; not-found is success, NOT an error.
-- If the `list_branches` call itself fails (network, auth, or a non-success response — distinct from a successful lookup that returns no match): emit a non-blocking warning that the Supabase preview branch for `$BRANCH_NAME` may still exist and should be verified in the dashboard. Do not treat an API failure as a not-found success.
-- Never delete the branch where `is_default` is true in the `list_branches` response (the production/parent project branch) or any other persistent/long-lived branch.
+- Resolve the parent project ref and apply the lifecycle guard in one deterministic call:
+
+  ```bash
+  codebyplan supabase teardown-preview "$BRANCH_NAME"
+  ```
+
+  Parse its JSON `{ status, parent_ref, project_ref, reason }`. The command never deletes anything — it reads the parent ref from `.codebyplan/shipment.json` (`.shipment.surfaces.supabase.project_ref`) and applies the protected / production / parent-ref guard from [[supabase-branch-lifecycle]].
+- If `status === "rejected"`: STOP the teardown and surface `reason` — never delete a production / protected / integration branch or one whose preview ref equals the parent.
+- Otherwise (`allowed` or `not_found`), use `parent_ref` for the live existence check — `mcp__supabase__list_branches` with `project_id: <parent_ref>`, then scan for an entry whose `name` exactly equals `$BRANCH_NAME`:
+  - If found: call `mcp__supabase__delete_branch` with its `branch_id`. Report "Supabase preview branch deleted: `$BRANCH_NAME`".
+  - If not found: no-op silently — the GitHub integration may have already removed it on PR close; not-found is success, NOT an error.
+  - If the `list_branches` call itself fails (network, auth, or a non-success response — distinct from a successful lookup that returns no match): emit a non-blocking warning that the Supabase preview branch for `$BRANCH_NAME` may still exist and should be verified in the dashboard. Do not treat an API failure as a not-found success.
+- Never delete the parent project (`parent_ref` from `codebyplan supabase teardown-preview`) itself or any persistent/production branch — the `teardown-preview` guard enforces this.
 
-### Step 10: Show Result
+### Step 9: Show Result
 
 ```
 ## Worktree Removed
@@ -159,4 +142,4 @@ After the git branch delete succeeds, run a conditional Supabase preview-branch
 ## Integration
 
 - **Related**: `/cbp-git-worktree-create` (create and register)
-- **MCP tools**: `get_worktrees`, `delete_worktree`
+- **CLI**: `codebyplan worktree remove <name>` (Step 4 — deregister from CodeByPlan)

package/templates/skills/cbp-map-architecture/SKILL.md

@@ -1,6 +1,7 @@
 ---
 scope: org-shared
 name: cbp-map-architecture
+effort: xhigh
 description: Orchestrate architecture map generation for one or all modules. Spawns the cbp-map-architecture agent per module, writes per-module .md files to .claude/architecture/, regenerates INDEX.md and graph.md, and stamps each module via the CLI. Idempotent — safe to re-run.
 argument-hint: '[--module <path>] [--deep <path,...>]'
 allowed-tools: Read, Write, Edit, Glob, Grep, Bash, Task

package/templates/skills/cbp-merge-main/SKILL.md

@@ -69,36 +69,24 @@ Triggered by `/cbp-task-start` (Step 3.6, optional stale-check), `/cbp-task-comp
 
 Supabase migrations are version-keyed by their numeric filename prefix. Two files sharing a prefix break `supabase db push`: the schema_migrations table records ONE version per prefix, the second file at the same prefix becomes orphaned, and every subsequent migration stalls — surfacing as the Supabase Preview check failing with `MIGRATIONS_FAILED`. Catch this BEFORE committing the merge, while a clean rollback is one `git merge --abort` away.
 
-1. Probe both sides of the would-be merge. Use `git ls-files` for the HEAD side so any in-progress `git mv` staged in the index (e.g. a rename produced by step 5 of a prior pass through this section) is reflected — `git ls-tree HEAD` would still see the committed-only state and re-trigger the collision. Use `git ls-tree origin/{BASE}` for the main side since we want the committed remote state, not anything locally staged:
+1. Probe both sides of the would-be merge via the deterministic CLI:
 
    ```bash
-   git ls-files supabase/migrations/ 2>/dev/null \
-     | sed 's|.*/||' | sort > /tmp/cbp-merge-our-names.txt
-   git ls-tree -r --name-only origin/{BASE} supabase/migrations/ 2>/dev/null \
-     | sed 's|.*/||' | sort > /tmp/cbp-merge-their-names.txt
+   PROBE=$(codebyplan migration-collisions --base "$BASE" --json)
+   # Parse JSON: { base, collisions: [{ prefix, ours: string[], theirs: string[] }] }
+   COLLISIONS=$(echo "$PROBE" | jq '.collisions')
    ```
 
-2. A true collision is a numeric prefix that appears on BOTH sides with DIFFERENT filenames. A shared filename (same prefix, same basename — i.e. an already-merged migration) is NOT a collision. Compute the unique-to-each-side basenames first, then look for shared prefixes within that unique set:
+2. If `COLLISIONS` is empty (`[]`), proceed silently to Step 2.
 
-   ```bash
-   # Files unique to each side (same-named files are NOT collisions)
-   comm -23 /tmp/cbp-merge-our-names.txt /tmp/cbp-merge-their-names.txt > /tmp/cbp-merge-only-ours.txt
-   comm -13 /tmp/cbp-merge-our-names.txt /tmp/cbp-merge-their-names.txt > /tmp/cbp-merge-only-theirs.txt
-   # True collision: a prefix in only-ours also appears in only-theirs (same prefix, different basename)
-   COLLISIONS=$(cat /tmp/cbp-merge-only-ours.txt /tmp/cbp-merge-only-theirs.txt \
-     | sed 's|_.*||' | sort | uniq -d)
-   ```
-
-3. If `COLLISIONS` is empty, proceed silently to Step 2.
-
-4. If `COLLISIONS` is non-empty, for each colliding prefix list both file paths (one from `HEAD`, one from `origin/{BASE}`) and surface via AskUserQuestion:
+3. If `COLLISIONS` is non-empty, for each colliding prefix in the array (each element has `prefix`, `ours[]`, `theirs[]`) surface via AskUserQuestion:
 
    - **Rename HEAD-side (Recommended when a main migration is already applied to a shared remote)** — rename the local file to a fresh, sequential timestamp that respects existing apply-order dependencies (probe `supabase migration list --db-url <preview>` if a preview branch exists, or inspect FK references in surrounding migrations). The orchestrator runs `git mv <old> <new>` itself; the rename lands in the git index and is picked up by the re-probe at step 5.
    - **Rename main-side (manual, OUT-OF-SKILL)** — only when the main file definitely has not been applied anywhere yet AND the user has write access to `{BASE}`. This skill does NOT touch the main branch: it runs on a feat branch (Step 0 enforces this) and the Key Rules below forbid any push from this skill. The user must, in a separate terminal: `git checkout {BASE} && git mv <old> <new> && git commit -m "fix(migration): rename to resolve collision with feat/..." && git push origin {BASE}`. After that push is confirmed remote-side, re-invoke `/cbp-merge-main` — Step 1 will fetch the updated main tip and Step 1.5 will re-probe with the rename in place.
    - **Defer to a new task in the active checkpoint** — `git merge --abort` is unnecessary because Step 2 has not started. Create a CHK-bound task per `cbp-round-end` reference `findings-presentation.md` "Infra Issue Absorption Contract — Resolve-in-Current-Scope by Default" and STOP `/cbp-merge-main`. Resume after the task completes.
    - **Abort merge** — STOP the skill. User decides later.
 
-5. After any HEAD-side rename action, re-execute Step 1.5 (collisions may chain — fixing one can expose another). The HEAD-side probe at step 1 uses `git ls-files` rather than `git ls-tree HEAD`, so the freshly-staged `git mv` is visible without requiring a commit. Main-side renames require a fresh `/cbp-merge-main` invocation (the user manually fetched and re-ran per option 2 above), not an in-skill loop.
+4. After any HEAD-side rename action, re-execute Step 1.5 (collisions may chain — fixing one can expose another). The CLI probes the HEAD side via `git ls-files` (so staged renames are visible), matching the documented re-probe behavior. Main-side renames require a fresh `/cbp-merge-main` invocation (the user manually fetched and re-ran per option 2 above), not an in-skill loop.
 
 This check is intentionally placed BEFORE Step 2's `git merge`: catching collisions pre-merge means no merge commit to revert, no conflict-resolution work to throw away, no Supabase Preview poll to fail.
 
@@ -165,27 +153,34 @@ This check is intentionally placed BEFORE Step 2's `git merge`: catching collisi
 
 Run a scoped subset of the testing-qa check matrix INLINE (no agent spawn — this skill stays lightweight):
 
-1. `pnpm -w lint` — always. On non-zero exit, surface stdout/stderr and AskUserQuestion:
+1. From the repo root, run:
+
+   ```bash
+   codebyplan check --scope merged --json
+   ```
+
+   `--scope merged` runs `gate6`, `lint`, `typecheck`, and `tests` (no `audit` — that is `task` scope only). The runner is **whole-repo + baseline**: it runs `turbo run lint|typecheck|test` across every package and diffs against the committed `.check-baseline.json`, so only NEW per-package failures fail a check (`status: 'fail'` with a non-empty `new_failures`). `gate6` (sibling-identity parity) is ALWAYS hard-fail and never baselined. Capture the JSON result.
+
+2. For each result entry where `status === 'fail'`, surface its `stdout`/`stderr` and present an AskUserQuestion:
    - **Continue (commit-as-is)** — leave the merge committed; flag QA failure in output.
    - **Abort merge** — `git reset --hard HEAD~1` to revert just the merge commit. Stop the skill.
    - **Skip (mark warn)** — leave the merge committed; treat as warn, not fail.
 
-2. `pnpm exec tsc --noEmit` — only if any merged file matches `*.ts` or `*.tsx`. Same three-option prompt on failure.
-
-3. `pnpm test --run` — only if any merged file matches typical source globs (`src/**`, `apps/**/src/**`, `packages/**/src/**`). Same three-option prompt on failure.
-
-4. Build a `qa_summary` object:
+3. Build a `qa_summary` object from the runner's results array:
 
    ```
    {
+     "gate6": "pass" | "fail" | "warn" | "skipped",
      "lint": "pass" | "fail" | "warn" | "skipped",
-     "tsc": "pass" | "fail" | "warn" | "skipped",
+     "typecheck": "pass" | "fail" | "warn" | "skipped",
      "tests": "pass" | "fail" | "warn" | "skipped",
      "merged_files_count": N,
      "user_choice_on_failure": "continue" | "abort" | "skip" | null
    }
    ```
 
+   Map runner `status` values: `"pass"` → `"pass"`, `"skipped"` → `"skipped"`, `"fail"` → `"fail"` or `"warn"` per the user's choice above.
+
 Do NOT auto-revert without user consent. User-driven gating is the contract.
 
 ### Step 5: Output

package/templates/skills/cbp-refresh-arch-map/SKILL.md

@@ -1,6 +1,7 @@
 ---
 scope: org-shared
 name: cbp-refresh-arch-map
+effort: high
 description: Drift-scoped refresh of the .claude/architecture/ map — re-runs the cbp-map-architecture agent for ONLY the modules whose stamped git SHA has changed, regenerates INDEX.md + graph.md, and re-stamps. Idempotent; no-op when no module has drifted.
 argument-hint: '[--module <path>]'
 allowed-tools: Read, Write, Edit, Glob, Grep, Bash, Task