codebyplan 1.13.43 → 1.13.45

package/templates/skills/cbp-task-start/SKILL.md

@@ -93,9 +93,7 @@ Compute `TARGET`:
 | Task type | TARGET |
 |-----------|--------|
 | Checkpoint-bound, `checkpoint.branch_name` set | `checkpoint.branch_name` (e.g. `feat/CHK-095-pricing-page`) |
-| Checkpoint-bound, `branch_name` null (legacy) | `feat/CHK-{NNN}-{kebab-slug-from-checkpoint-title}` |
-
-Slug rules: lowercase, words joined by `-`, drop punctuation, truncate to 40 chars.
+| Checkpoint-bound, `branch_name` null (legacy) | `feat/CHK-{NNN}-{slug}` where slug is computed via `codebyplan slug "{checkpoint title}"` |
 
 #### 3.2 — Compare current branch
 
@@ -103,29 +101,19 @@ Run `git branch --show-current`. If `current == TARGET` → continue to Step 3b.
 
 #### 3.3 — Switch automatically (no AskUserQuestion, no blocking)
 
-Run the switch directly. Three sub-cases, in order:
+Run the branch checkout via the deterministic CLI:
 
 ```bash
-# (a) target exists locally
-if git rev-parse --verify "$TARGET" >/dev/null 2>&1; then
-  git checkout "$TARGET"
-
-# (b) target exists on origin (track it)
-elif git rev-parse --verify "origin/$TARGET" >/dev/null 2>&1; then
-  git checkout -t "origin/$TARGET"
-
-# (c) target doesn't exist — create from production branch (main)
-else
-  # First make sure production is up to date
-  git fetch origin "$PRODUCTION" 2>/dev/null || true
-  git checkout -b "$TARGET" "origin/$PRODUCTION" 2>/dev/null \
-    || git checkout -b "$TARGET" "$PRODUCTION"
-fi
+RESULT=$(codebyplan branch checkout --target "$TARGET" --production "$PRODUCTION")
+# Parse JSON: { action: "checked_out_local" | "checked_out_tracking" | "created_from_production" | "error", branch, previous?, error? }
+ACTION=$(echo "$RESULT" | jq -r '.action')
 ```
 
-**Carrying uncommitted work** — `git checkout` carries clean (non-conflicting) working-tree changes to the new branch automatically. This is intended: changes made on `main` while preparing the task move with the user to the new feat branch. No `git stash`, ever (per `git-safety.md`). No `git add`, ever (per `git-workflow.md`).
+**Interpreting the result:**
+- `action === "error"`: surface the raw `error` field verbatim, stop, do NOT attempt recovery. The user resolves git state and re-invokes. This is the only case where `/cbp-task-start` halts on branch state.
+- Otherwise (all success actions): branch is now `TARGET`. Continue to Step 3.4.
 
-**If `git checkout` exits non-zero** (typically "would clobber" because a tracked file has unstaged changes that conflict with target's version): surface the raw git error verbatim, stop, do NOT attempt recovery. The user resolves and re-invokes. This is the only case where `/cbp-task-start` halts on branch state.
+**Carrying uncommitted work** — the CLI respects git's automatic carrying of clean (non-conflicting) working-tree changes. Changes made while preparing the task move with the user to the new feat branch. No `git stash`, ever (per `git-safety.md`). No `git add`, ever (per `git-workflow.md`).
 
 **Note — Supabase preview branch**: no Supabase branch is created at this point. Creation is lazy — it happens on the first DB change when `/cbp-supabase-migrate` runs on the feat branch, which provisions a Supabase branch named identically to the git branch. See `cbp-supabase-migrate` Step 2.3 for the creation protocol.
 

package/templates/skills/cbp-task-testing/SKILL.md

@@ -9,7 +9,7 @@ effort: xhigh
 
 # Task Testing Command
 
-Comprehensive task-level testing — the **cross-round double-check** run once after all rounds complete. Per-round QA (per-app build/lint/types, the `console.log`/debug scan, the OWASP/secret grep, `pnpm audit`) is owned by each round's `testing-qa-agent`; this skill does NOT re-run it. Instead it tests the **entire delivered feature holistically** across the full task diff — catching cross-package and cross-round problems no single round can see. Runs inline — no sub-agent.
+Comprehensive task-level testing — runs all automated tests and walks the user through manual testing one-by-one. Distinct from round-level testing (`testing-qa-agent`): this tests the **entire delivered feature holistically** after all rounds are complete. Runs inline — no sub-agent.
 
 ## When Used
 
@@ -19,13 +19,13 @@ Comprehensive task-level testing — the **cross-round double-check** run once a
 
 ## Scope vs Round-Level Validation
 
-Per-wave `testing-qa-agent` runs inside `/cbp-round-execute` Step 5 and **owns per-round QA**: per-app build/lint/types, the `console.log`/debug scan, the OWASP/secret full-diff grep, and `pnpm audit`. This skill does NOT repeat them. It adds only the cross-round layer invisible within a single round: workspace-wide lint, workspace tsc, and the full test suite (which catch cross-package breakage), plus the cross-round code review (Step 6.5), the autonomous sim screenshot loop (Step 6.x), and the user manual walkthrough (Step 8).
+Per-wave `testing-qa-agent` runs inside `/cbp-round-execute` Step 5. This skill adds the cross-cutting layer that is only visible across the full task diff: whole-repo lint, whole-repo typecheck, full test suite, `pnpm audit` (via `codebyplan check --scope task --json`), and full-diff security scan — each run once here, not per-round.
 
 ## Instructions
 
 ### Step 1: Parse `$ARGUMENTS`
 
-Parse the argument using the canonical chk-task-round notation (see `cbp-round-start` Step 0 "CHK / TASK / ROUND Identifier Notation Vocabulary"):
+Parse the argument using the canonical chk-task-round notation (see `.claude/rules/notation-consistency.md`):
 
 | Shape | Regex | Resolves to |
 |-------|-------|-------------|
@@ -104,14 +104,24 @@ Capture stdout and stderr for each check.
 
 **Hard-fail tests** (block completion):
 
+Run the unified check matrix:
+
+```bash
+codebyplan check --scope task --json
+```
+
+Capture the JSON result. The runner is **whole-repo + baseline**: it runs `turbo run lint|typecheck|test` across every package and diffs each per-package result against the committed `.check-baseline.json`, so only NEW per-package failures fail a check. Five checks run for `--scope task`: `gate6` (sibling-identity parity — ALWAYS hard-fail, never baselined), `lint`, `typecheck`, `tests`, and `audit` (`audit.new_failures` lists new GHSA advisory ids not in the allowlist). A baselined check's `status` is `pass` when its `new_failures` array is empty even if the underlying command exited non-zero. If `any_failed === true` (or `hard_fail_checks` is non-empty), this is a hard fail — surface each failing result's `stdout`/`stderr`/`new_failures` and stop.
+
+For each result entry, record: `category` (from `result.check`), `status` (from `result.status`), `details`, `stdout` (from `result.stdout`), `stderr` (from `result.stderr`), and `new_failures` (from `result.new_failures` — the newly-failing packages / new GHSA ids; the field is omitted/`undefined` for `gate6`, not `null`).
+
+Additional hard-fail checks (not part of the runner):
+
 | Category                | Command                         | Condition                        |
 | ----------------------- | ------------------------------- | -------------------------------- |
-| Full-repo lint          | `pnpm -w lint`                  | Always                           |
-| Full-repo types         | `pnpm exec tsc --noEmit`        | Source files changed             |
-| Full-repo unit tests    | `pnpm test --run`               | Source files in aggregated_files |
 | Per-package E2E         | `pnpm --filter <pkg> e2e:test`  | UI files in aggregated_files     |
+| Full-diff security scan | inline grep or `security-agent` | Always                           |
 
-These are the workspace-wide / cross-package checks only — per-app build/lint/types, the `console.log`/debug scan, the OWASP/secret grep, and `pnpm audit` already ran per-round inside `testing-qa-agent` and are NOT repeated here. Per-file lint + format are enforced by `lint-format-on-edit.sh` per edit. This step catches cross-package issues invisible to per-wave checks.
+Per-file lint + format are enforced by `lint-format-on-edit.sh` hook per edit. This step catches cross-package issues invisible to per-wave checks.
 
 **Soft tests** (report, don't block):
 
@@ -120,8 +130,6 @@ These are the workspace-wide / cross-package checks only — per-app build/lint/
 | Visual     | Screenshot compare via `e2e:visual-check` | UI work + dev server running |
 | API Health | `curl` health endpoint                    | API routes changed           |
 
-For each test, record: `category, status (pass|fail|skipped), details, stdout, stderr`.
-
 #### Step 6.x: Autonomous Sim Screenshot Validation (mobile / on-device)
 
 For mobile rounds (Maestro / XCUITest / Tauri-mobile) where unit tests passed but the round touched component-mount code paths (custom hooks, prop signatures, conditional renders, navigation tabs), unit-test green is NOT sufficient evidence that the screen mounts at runtime. Use the autonomous sim screenshot loop to catch runtime crashes invisible to mocked unit tests.
@@ -168,7 +176,7 @@ For each finding, record: `{category, file, description, severity: 'low'|'medium
 
 Findings with severity `medium` or `high` feed the Step 9 problem classification. `low` findings are recorded in `task_testing_output` for the record but do not block.
 
-If any finding points to a need that exceeds task scope (e.g. a utility worth extracting for the wider codebase, a convention the repo should adopt globally), route per `cbp-task-create` Step 3.5 "Immediate Issue Capture Contract — How to Capture" — default to a NEW TASK in the current checkpoint, not a standalone task. Standalone routing applies only when the finding is genuinely off-axis from every active checkpoint AND the user has confirmed standalone routing.
+If any finding points to a need that exceeds task scope (e.g. a utility worth extracting for the wider codebase, a convention the repo should adopt globally), route per `immediate-issue-capture.md` "How to Capture" — default to a NEW TASK in the current checkpoint, not a standalone task. Standalone routing applies only when the finding is genuinely off-axis from every active checkpoint AND the user has confirmed standalone routing.
 
 ### Step 7: Separate Claude-Testable vs User-Testable