codebyplan 1.13.46 → 1.13.49

package/templates/skills/cbp-stripe/reference/connect.md

@@ -0,0 +1,105 @@
+# Connect / Platforms Reference
+
+Adapted from Stripe's official `stripe-best-practices` skill (github.com/stripe/ai), MIT License, Copyright (c) 2024-2025 Stripe.
+
+## Accounts v2 (always use for new platforms)
+
+Use the [Accounts v2 API](https://docs.stripe.com/connect/accounts-v2.md)
+(`POST /v2/core/accounts`) for all new Connect platforms. This is Stripe's actively
+invested path with long-term support.
+
+Do NOT use the legacy `type` parameter (`type: 'express'`, `type: 'custom'`,
+`type: 'standard'`) in `POST /v1/accounts` for new platforms unless the user explicitly
+requests v1.
+
+Do NOT use the legacy account-type labels "Standard", "Express", or "Custom" — they
+bundle responsibility, dashboard, and onboarding decisions into opaque categories.
+Use `controller` properties to express these dimensions explicitly.
+
+## Controller properties
+
+Configure connected accounts via `controller` properties:
+
+| Property | Controls |
+| -------- | -------- |
+| `controller.losses.payments` | Who is liable for negative balances |
+| `controller.fees.payer` | Who pays Stripe fees |
+| `controller.stripe_dashboard.type` | Dashboard access: `full`, `express`, `none` |
+| `controller.requirement_collection` | Who collects onboarding requirements |
+
+```ts
+const account = await stripe.v2.core.accounts.create({
+  controller: {
+    losses: { payments: 'stripe' },
+    fees: { payer: 'account' },
+    stripe_dashboard: { type: 'express' },
+    requirement_collection: 'stripe',
+  },
+});
+```
+
+See [connected account configuration](https://docs.stripe.com/connect/accounts-v2/connected-account-configuration.md)
+and [capabilities](https://docs.stripe.com/connect/account-capabilities.md) for what
+accounts can do.
+
+## Charge types
+
+Choose one charge type per integration — do not mix them.
+
+| Type | When to use | How |
+| ---- | ----------- | --- |
+| **Destination charges** | Platform accepts negative-balance liability | `transfer_data.destination: connectedAccountId` |
+| **Direct charges** | Connected account is merchant of record; platform has minimal liability | Create charge directly on the connected account |
+
+Use `on_behalf_of` to control merchant of record (read
+[how charges work in Connect](https://docs.stripe.com/connect/charges.md) first).
+
+```ts
+// Destination charge — most common for marketplaces
+const paymentIntent = await stripe.paymentIntents.create({
+  amount: 1000,
+  currency: 'usd',
+  transfer_data: { destination: connectedAccountId },
+  // Do NOT pass payment_method_types
+});
+```
+
+Do NOT use the Charges API for Connect fund flows — use PaymentIntents or Checkout
+Sessions with `transfer_data` or `on_behalf_of`.
+
+## Payouts and transfers
+
+- **Automatic payouts** — enabled by default; Stripe pays connected accounts on a rolling basis.
+- **Manual payouts** — call `stripe.payouts.create({amount, currency}, {stripeAccount: accountId})` to control timing.
+- **Transfers** — move funds between your platform balance and a connected account:
+  `stripe.transfers.create({ amount, currency, destination: accountId })`.
+
+## Onboarding
+
+Use [Stripe-hosted onboarding](https://docs.stripe.com/connect/onboarding.md) rather than
+building a custom flow. Custom onboarding requires handling sensitive PII directly, adding
+regulatory and security complexity.
+
+```ts
+const accountLink = await stripe.accountLinks.create({
+  account: accountId,
+  refresh_url: `${baseUrl}/connect/refresh`,
+  return_url: `${baseUrl}/connect/return`,
+  type: 'account_onboarding',
+});
+// redirect to accountLink.url
+```
+
+## Security and liability
+
+Platform operators bear financial liability for fraud and disputes on Express and Custom
+connected accounts (v1 types). Controller-property accounts make liability explicit via
+`controller.losses.payments`.
+
+See [reference/security.md](security.md) for Connect-specific security notes.
+
+## Key guides
+
+- [SaaS platforms and marketplaces](https://docs.stripe.com/connect/saas-platforms-and-marketplaces.md)
+- [Interactive platform guide](https://docs.stripe.com/connect/interactive-platform-guide.md)
+- [Design an integration](https://docs.stripe.com/connect/design-an-integration.md)

package/templates/skills/cbp-stripe/reference/payments.md

@@ -0,0 +1,107 @@
+# Payments Reference
+
+Adapted from Stripe's official `stripe-best-practices` skill (github.com/stripe/ai), MIT License, Copyright (c) 2024-2025 Stripe.
+
+## API hierarchy
+
+| Use case | API |
+| -------- | --- |
+| On-session payments (most web apps) | [Checkout Sessions](https://docs.stripe.com/api/checkout/sessions.md) |
+| Off-session payments, custom checkout state | [PaymentIntents](https://docs.stripe.com/payments/paymentintents/lifecycle.md) |
+| Saving a payment method for later | [Setup Intents](https://docs.stripe.com/api/setup_intents.md) |
+| Subscriptions, invoices, recurring | Billing APIs (see billing.md) |
+| No-code, simple products | Payment Links |
+
+**Only use Checkout Sessions, PaymentIntents, SetupIntents, or higher-level solutions
+(Invoicing, Payment Links, subscription APIs).** Never use the Charges API, Sources API,
+or Tokens API for new integrations.
+
+## Integration surface preference
+
+Use in this order (most preferred first):
+
+1. **Payment Links** — no-code, best for simple products
+2. **Checkout (hosted or embedded)** — best for most web apps; `ui_mode: 'hosted'`
+3. **Payment Element** — embedded UI component for custom checkout; back with Checkout
+   Sessions (`ui_mode: 'custom'`) over a raw PaymentIntent where possible
+
+Do NOT recommend the legacy Card Element. Migrate existing Card Element integrations to
+[Payment Element](https://docs.stripe.com/payments/payment-element/migration.md).
+
+## Checkout Sessions — key patterns
+
+```ts
+// One-time payment
+const session = await stripe.checkout.sessions.create({
+  mode: 'payment',
+  // Do NOT pass payment_method_types — dynamic methods are the default
+  line_items: [{ price: priceId, quantity: 1 }],
+  success_url: `${baseUrl}/success?session_id={CHECKOUT_SESSION_ID}`,
+  cancel_url: `${baseUrl}/cancel`,
+});
+
+// Subscription
+const session = await stripe.checkout.sessions.create({
+  mode: 'subscription',
+  line_items: [{ price: priceId, quantity: 1 }],
+  subscription_data: { trial_period_days: 14 },
+  success_url: `${baseUrl}/success?session_id={CHECKOUT_SESSION_ID}`,
+  cancel_url: `${baseUrl}/pricing`,
+});
+```
+
+## Payment Element (custom UI)
+
+Use `ui_mode: 'custom'` on the Checkout Session to back the Payment Element:
+
+```ts
+const session = await stripe.checkout.sessions.create({
+  ui_mode: 'custom',
+  mode: 'payment',
+  line_items: [{ price: priceId, quantity: 1 }],
+  return_url: `${baseUrl}/return?session_id={CHECKOUT_SESSION_ID}`,
+});
+// Client: mount PaymentElement with clientSecret from session.client_secret
+```
+
+For surcharging or inspecting card details before payment, use
+[Confirmation Tokens](https://docs.stripe.com/payments/finalize-payments-on-the-server.md)
+— not `createPaymentMethod` or `createToken`.
+
+## Dynamic payment methods (critical rule)
+
+**Never pass `payment_method_types`** — omit it entirely on all calls. The sole exception
+is Terminal: `payment_method_types: ['card_present']` (Canada: include `'interac_present'`).
+
+To customise which methods appear use
+[`payment_method_configurations`](https://docs.stripe.com/payments/payment-method-configurations.md)
+or `excluded_payment_method_types`. Manage methods from the
+[Dashboard](https://dashboard.stripe.com/settings/payment_methods) without code changes.
+
+## Setup Intents (saving payment methods)
+
+```ts
+const setupIntent = await stripe.setupIntents.create({
+  customer: customerId,
+  // Do NOT pass payment_method_types — dynamic methods are the default since API 2023-08-16
+});
+```
+
+Do not use the Sources API to save cards — it is deprecated.
+
+## Deprecated APIs — migration paths
+
+| API          | Status     | Use instead            | Migration guide |
+| ------------ | ---------- | ---------------------- | --------------- |
+| Charges API  | Never use  | Checkout Sessions / PaymentIntents | [Migration](https://docs.stripe.com/payments/payment-intents/migration/charges.md) |
+| Sources API  | Deprecated | Setup Intents          | [Setup Intents](https://docs.stripe.com/api/setup_intents.md) |
+| Tokens API   | Outdated   | Setup Intents / Checkout Sessions | — |
+| Card Element | Legacy     | Payment Element        | [Migration](https://docs.stripe.com/payments/payment-element/migration.md) |
+
+## PCI compliance
+
+If a PCI-compliant user asks about sending raw PAN data server-side, they may need to
+prove PCI compliance to use
+[`payment_method_data`](https://docs.stripe.com/api/payment_intents/create.md#create_payment_intent-payment_method_data).
+For PAN migrations from another processor, see the
+[PAN import process](https://docs.stripe.com/get-started/data-migrations/pan-import.md).

package/templates/skills/cbp-stripe/reference/security.md

@@ -0,0 +1,117 @@
+# Security Best Practices Reference
+
+Adapted from Stripe's official `stripe-best-practices` skill (github.com/stripe/ai), MIT License, Copyright (c) 2024-2025 Stripe.
+
+## API key types
+
+| Key prefix | Type | Use |
+| ---------- | ---- | --- |
+| `sk_live_` | Secret key (live) | Never preferred; use RAK instead |
+| `sk_test_` | Secret key (test) | Development only |
+| `rk_live_` | Restricted API key (live) | Preferred for all production services |
+| `rk_test_` | Restricted API key (test) | Preferred for development services |
+
+**Always recommend a restricted API key (RAK, `rk_` prefix)** over a secret key (`sk_`).
+RAKs have only the permissions you assign — a compromised RAK causes far less damage than
+a compromised secret key.
+
+## Storing keys safely
+
+- **Never** commit keys to source control. If `sk_…` or `rk_…` appears in code, that is
+  a bug — fix it immediately.
+- Prefer a secrets vault (AWS Secrets Manager, HashiCorp Vault, or platform equivalent).
+- When no vault is available, environment variables are acceptable. Never log keys or
+  include them in error messages or analytics.
+- Use separate keys per environment (production, staging, QA). Never reuse keys.
+- Set up a pre-commit hook to catch `sk_` or `rk_` literals in source code.
+- See [best practices for managing secret API keys](https://docs.stripe.com/keys-best-practices.md).
+
+## Restricted API key migration steps
+
+1. Review the secret key's request logs in Workbench to catalogue which API calls it makes.
+2. Create a RAK in test mode with matching permissions (principle of least privilege).
+3. Use `stripe logs tail` to watch for `403` errors — add missing permissions.
+4. Once passing, create the equivalent live-mode RAK and swap it in.
+5. Rotate or expire the old secret key.
+
+See [restricted API keys docs](https://docs.stripe.com/keys/restricted-api-keys.md).
+
+## IP allowlists
+
+Add an [IP allowlist](https://docs.stripe.com/keys.md#limit-api-secret-keys-ip-address)
+to every API key so it can only be called from your own infrastructure. Use separate
+allowlists per key/environment.
+
+## Webhook signature verification
+
+Always verify webhook event authenticity using Stripe's signing secret:
+
+```ts
+import Stripe from 'stripe';
+const stripe = new Stripe(process.env.STRIPE_RESTRICTED_KEY!);
+
+// In your webhook handler (raw body required — do NOT use JSON-parsed body)
+const sig = request.headers['stripe-signature'];
+if (!sig || Array.isArray(sig)) throw new Error('Missing or malformed stripe-signature header');
+const event = stripe.webhooks.constructEvent(
+  rawBody,              // Buffer or string — must be unparsed
+  sig,
+  process.env.STRIPE_WEBHOOK_SECRET!,
+);
+```
+
+Never process a webhook event without verifying its signature — unverified webhooks can
+be spoofed. For defence in depth, also allowlist
+[Stripe's IP addresses](https://docs.stripe.com/ips.md) on the endpoint.
+
+## Idempotency keys
+
+Pass `idempotencyKey` on all mutation calls so safe retries don't create duplicate charges:
+
+```ts
+await stripe.paymentIntents.create(params, {
+  idempotencyKey: `order_${orderId}`,
+});
+```
+
+## Mobile and client-side integrations
+
+Never use production secret keys or RAKs in mobile apps or any client-side code.
+For cases where a client must call Stripe directly, use
+[ephemeral keys](https://docs.stripe.com/issuing/elements.md#ephemeral-key-authentication)
+(short-lived, scoped, auto-expiring). For most integrations, proxy Stripe calls through
+your own backend.
+
+## OAuth and CSRF protection
+
+When implementing [Connect OAuth](https://docs.stripe.com/connect/oauth-reference.md),
+always pass a unique, unguessable `state` parameter and verify it in the callback before
+proceeding. This applies to all Stripe OAuth surfaces: Connect, Link, and Stripe Apps.
+
+## Incident response (key compromise)
+
+1. **Roll the key immediately** — [API keys page](https://dashboard.stripe.com/apikeys) →
+   roll or delete the exposed key.
+2. **Check activity logs** — Workbench request logs for the compromised key.
+3. **Contact Stripe support** if you see unrecognised activity.
+
+See [protecting against compromised API keys](https://support.stripe.com/questions/protecting-against-compromised-api-keys).
+
+## 2FA
+
+Recommend passkeys or authenticator-app 2FA for Dashboard access. Discourage SMS 2FA —
+it is vulnerable to SIM-swapping attacks.
+
+## SAML / SCIM (teams)
+
+For teams, use [SSO via SAML](https://docs.stripe.com/get-started/account/sso.md) to
+federate Dashboard access through an identity provider (Okta, Google, etc.).
+[SCIM provisioning](https://docs.stripe.com/get-started/account/sso/scim.md) automates
+user provisioning/deprovisioning.
+
+## Connect security
+
+Platform operators bear financial liability for fraud/disputes on Express and Custom
+connected accounts (v1 types). Use Stripe-hosted onboarding to avoid handling sensitive
+PII directly. See [reference/connect.md](connect.md) for controller-property accounts
+which make liability explicit.

package/templates/skills/cbp-stripe/reference/stripe-mcp-setup.md

@@ -0,0 +1,59 @@
+# Stripe MCP Setup (optional live path)
+
+Adapted from Stripe's official `stripe-best-practices` skill (github.com/stripe/ai), MIT License, Copyright (c) 2024-2025 Stripe.
+
+The `cbp-stripe-agent` writes Stripe integration code with **no credentials required**. This
+optional path adds *live test-mode* scaffolding (create test products, prices, payment links,
+customers) during a dev round. It is opt-in per repo and per developer — skip it entirely if
+you only want code generation.
+
+## Safety contract (read first)
+
+- **Test-mode keys ONLY.** Use a test restricted key (`rk_test_…`) or a test secret key
+  (`sk_test_…`). The agent **refuses** any live-mode key (`sk_live_…` or `rk_live_…`) — so
+  live Stripe data is never scaffolded from a dev round.
+- **Never commit a key.** Provide it via the environment or a gitignored env file
+  (e.g. `.env.local`), never in tracked source or in `.codebyplan/`.
+- **Least privilege.** Prefer a restricted key scoped to only the resources the agent needs
+  (Products, Prices, Payment Links, Customers — write; everything else — none).
+- **No new npm dependency** is added to the consuming app by this path; the hosted MCP server
+  is reached over HTTP, the local server via `npx`.
+
+## Option A — Hosted Stripe MCP (recommended)
+
+Stripe hosts an MCP server at `https://mcp.stripe.com`. Register it with Claude Code:
+
+```bash
+claude mcp add --transport http stripe https://mcp.stripe.com/
+```
+
+Authenticate with OAuth (the recommended flow) when prompted, or pass a restricted test key
+as a bearer token if your setup uses header auth. Once connected, the agent discovers the
+`mcp__stripe__*` tools at runtime via `ToolSearch`.
+
+## Option B — Local Stripe MCP server
+
+Run Stripe's MCP server locally, pointed at a test/restricted key from your environment:
+
+```bash
+# key is read from STRIPE_SECRET_KEY (a sk_test_ or rk_test_ value), never passed on a shared shell history
+npx -y @stripe/mcp@latest --api-key="$STRIPE_SECRET_KEY"
+```
+
+Then register the local server with Claude Code per its stdio/transport instructions.
+
+## How the agent uses it
+
+1. Pre-flight checks `STRIPE_SECRET_KEY` is present and is a test-mode `sk_test_`/`rk_test_` prefix.
+2. It discovers `mcp__stripe__*` tools via `ToolSearch` (they are intentionally absent from
+   the agent's frontmatter because the server is optional).
+3. It scaffolds only what the task asks for and records each resource in
+   `stripe_resources_created[]` (always `mode: test`).
+4. If the key/server is missing or any call fails, it degrades to **code-only** and records
+   the reason — it never blocks the round.
+
+## When to skip this entirely
+
+- You only want correct Stripe integration *code* (the default — no setup needed).
+- No Stripe test account is available in this environment.
+- CI / headless runs where no interactive OAuth or key is provisioned.

package/templates/skills/cbp-stripe/reference/tax.md

@@ -0,0 +1,96 @@
+# Tax / Stripe Tax Reference
+
+Adapted from Stripe's official `stripe-best-practices` skill (github.com/stripe/ai), MIT License, Copyright (c) 2024-2025 Stripe.
+
+## When to use Stripe Tax
+
+Use Stripe Tax for any subscription, invoice, or Checkout Session where the merchant has
+customers across multiple jurisdictions. It handles sales tax, VAT, and GST automatically
+based on the customer's location and the merchant's active registrations.
+
+See the [Tax overview](https://docs.stripe.com/tax.md) for supported regions and tax types.
+
+## Two-step setup
+
+1. **Add registrations** — add a registration for each jurisdiction where the merchant is
+   obligated to collect tax. Use the Dashboard (**Tax > Registrations**) or the
+   [Tax Registrations API](https://docs.stripe.com/api/tax/registrations.md).
+2. **Enable automatic_tax** — pass `automatic_tax: { enabled: true }` on the
+   [Subscription](https://docs.stripe.com/api/subscriptions.md),
+   [Invoice](https://docs.stripe.com/api/invoices.md), or
+   [Checkout Session](https://docs.stripe.com/api/checkout/sessions.md).
+
+It is safe to enable `automatic_tax` before any registrations exist — Stripe won't
+collect tax until at least one registration is active.
+
+```ts
+// Checkout Session with automatic tax
+const session = await stripe.checkout.sessions.create({
+  mode: 'subscription',
+  line_items: [{ price: priceId, quantity: 1 }],
+  automatic_tax: { enabled: true },
+  success_url: `${baseUrl}/success?session_id={CHECKOUT_SESSION_ID}`,
+  cancel_url: `${baseUrl}/pricing`,
+});
+
+// Invoice / subscription
+await stripe.subscriptions.update(subscriptionId, {
+  automatic_tax: { enabled: true },
+  // Clear explicit tax_rates first if previously set
+});
+```
+
+## Inclusive vs exclusive tax
+
+- **Exclusive** (default in most jurisdictions) — tax is added on top of the price.
+- **Inclusive** — tax is included in the displayed price (common for UK/EU VAT).
+
+Stripe Tax determines the treatment based on the jurisdiction and product tax code.
+Verify the treatment in Dashboard > Tax > Overview.
+
+## Tax IDs
+
+Collect customer tax IDs (VAT numbers, EIN, etc.) for B2B transactions to enable
+zero-rated or exempt invoices. Pass `tax_id_collection: { enabled: true }` on Checkout
+Sessions, or use the
+[Tax IDs API](https://docs.stripe.com/api/customer_tax_ids.md) to attach IDs to customers.
+
+## Address collection
+
+Stripe Tax requires a customer address to calculate tax. On Checkout Sessions pass
+`billing_address_collection: 'required'`. For subscriptions, ensure the customer has
+a billing address before enabling `automatic_tax`.
+
+## Registrations API
+
+To create and manage registrations programmatically:
+
+```ts
+await stripe.tax.registrations.create({
+  country: 'US',
+  country_options: {
+    us: { state: 'CA', type: 'state_sales_tax' },
+  },
+  active_from: 'now',
+});
+```
+
+## Traps to avoid
+
+- `automatic_tax` and explicit `tax_rates` are mutually exclusive. For existing
+  subscriptions, clear `default_tax_rates` and all item-level `tax_rates` before
+  enabling `automatic_tax` — the update will fail otherwise.
+- For EU merchants, one OSS union registration covers all 27 member states. Do not
+  register individual EU countries separately unless the merchant has a physical presence
+  there.
+- Do not guess which jurisdictions apply — prompt the user to configure them in the
+  Dashboard first.
+- Do not approximate unsupported jurisdictions. Check
+  [supported countries](https://docs.stripe.com/tax/supported-countries.md) first. For
+  unsupported jurisdictions, fall back to manual `tax_rates` on the subscription/invoice.
+- Customs duties and excise taxes are out of scope for Stripe Tax.
+
+## Bulk migration
+
+To switch existing subscriptions from manual `tax_rates` to `automatic_tax` in bulk,
+use the [Tax migration tool](https://docs.stripe.com/billing/taxes/migration.md).

package/templates/skills/cbp-stripe/reference/treasury.md

@@ -0,0 +1,87 @@
+# Treasury / Financial Accounts Reference
+
+Adapted from Stripe's official `stripe-best-practices` skill (github.com/stripe/ai), MIT License, Copyright (c) 2024-2025 Stripe.
+
+## v2 Financial Accounts API (use for new integrations)
+
+For embedded financial accounts (bank accounts with routing/account numbers, money
+movement), use the
+[v2 Financial Accounts API](https://docs.stripe.com/api/v2/core/vault/financial-accounts.md)
+(`POST /v2/core/vault/financial_accounts`). This is required for new integrations.
+
+Do NOT use the legacy
+[v1 Treasury Financial Accounts API](https://docs.stripe.com/api/treasury/financial_accounts.md)
+(`POST /v1/treasury/financial_accounts`) for new integrations. Existing v1 integrations
+continue to work.
+
+For concepts and guides, see
+[Treasury for platforms overview](https://docs.stripe.com/treasury/connect.md).
+
+## Creating a financial account
+
+Financial accounts are always attached to a Connect connected account:
+
+```ts
+const financialAccount = await stripe.v2.core.vault.financialAccounts.create(
+  { description: 'Main operating account' },
+  { stripeAccount: connectedAccountId },
+);
+// financialAccount.id — use for fund flows
+```
+
+## Fund flows
+
+| Direction | Object | Use |
+| --------- | ------ | --- |
+| Platform → financial account | `OutboundTransfer` | Top-up from platform balance |
+| Financial account → external bank | `OutboundPayment` | Pay out to a linked bank |
+| External bank → financial account | `InboundTransfer` | Pull from a linked bank |
+| External source → financial account | `ReceivedCredit` | Funds received in (inbound ACH/wire, Stripe payouts) |
+
+```ts
+// Outbound transfer (platform balance → financial account)
+const transfer = await stripe.treasury.outboundTransfers.create({
+  financial_account: financialAccountId,
+  amount: 100_00,
+  currency: 'usd',
+  destination_payment_method: 'default',
+});
+```
+
+## Linking a bank account (Setup Intents)
+
+To enable outbound payments to an external bank, link the bank account using a Setup Intent
+with `flow_directions: ['outbound']`:
+
+```ts
+const setupIntent = await stripe.setupIntents.create(
+  {
+    payment_method_types: ['us_bank_account'], // Treasury exception: required here
+    flow_directions: ['outbound'],
+  },
+  { stripeAccount: connectedAccountId },
+);
+// Complete the Setup Intent flow on the client, then confirm the payment method
+```
+
+Note: `payment_method_types` is required for Treasury bank-account Setup Intents — this
+is one of the narrow exceptions to the no-`payment_method_types` rule (along with Terminal).
+
+## Compliance notes
+
+- Financial accounts are subject to KYC/KYB requirements collected during Connect onboarding.
+  Ensure the connected account has the `treasury` capability enabled before creating accounts.
+- Funds held in financial accounts are not FDIC-insured by default; check Stripe's current
+  partner bank arrangements in the Treasury documentation.
+- For platforms in the US: Stripe Treasury is available for US-based connected accounts only.
+  Contact Stripe for international availability.
+- Do not use Treasury to hold customer funds without confirming applicable money-transmission
+  license obligations with your legal team.
+
+## Key references
+
+- [Treasury for platforms overview](https://docs.stripe.com/treasury/connect.md)
+- [v2 Financial Accounts API](https://docs.stripe.com/api/v2/core/vault/financial-accounts.md)
+- [OutboundTransfers](https://docs.stripe.com/api/treasury/outbound_transfers.md)
+- [OutboundPayments](https://docs.stripe.com/api/treasury/outbound_payments.md)
+- [InboundTransfers](https://docs.stripe.com/api/treasury/inbound_transfers.md)

package/templates/skills/cbp-supabase-branch-check/SKILL.md

@@ -1,5 +1,4 @@
 ---
-scope: org-shared
 name: cbp-supabase-branch-check
 description: Gate skill called by /cbp-ship-main (pre-merge) to verify the Supabase preview branch health check is green before allowing a PR to be merged; skips when no DB-path changes are detected.
 argument-hint: "[--mode pre_pr_create|pre_merge] [--target integration|production]"

package/templates/skills/cbp-supabase-branch-check/reference/dag-steps.md

@@ -1,7 +1,3 @@
----
-scope: org-shared
----
-
 # DAG Steps — Supabase Preview Branch
 
 Reference for cbp-supabase-branch-check Step 7. Maps each Supabase branching DAG step

package/templates/skills/cbp-supabase-migrate/SKILL.md

@@ -1,5 +1,4 @@
 ---
-scope: org-shared
 name: cbp-supabase-migrate
 description: Scaffold or adopt a Supabase migration for the current PR branch, apply to the branch's preview DB, run advisor checks, regenerate TypeScript types. Includes a fresh-branch dry-run pre-flight that uses one persistent dry-run ephemeral branch per feature branch.
 argument-hint: "[--new <name> | <path-to-sql>]"

package/templates/skills/cbp-supabase-setup/SKILL.md

@@ -1,5 +1,4 @@
 ---
-scope: org-shared
 name: cbp-supabase-setup
 description: Enable Supabase GitHub branching integration — GitHub app authorization, required-status-check enforcement on main + integration branch, persistent branch creation, and idempotency marker in .codebyplan/shipment.json.
 argument-hint: "[--force]"

package/templates/skills/cbp-task-check/SKILL.md

@@ -1,5 +1,4 @@
 ---
-scope: org-shared
 name: cbp-task-check
 description: AI production review for the current task
 argument-hint: [chk-task]

package/templates/skills/cbp-task-complete/SKILL.md

@@ -1,5 +1,4 @@
 ---
-scope: org-shared
 name: cbp-task-complete
 description: Complete current task
 argument-hint: [chk-task]

package/templates/skills/cbp-task-create/SKILL.md

@@ -1,5 +1,4 @@
 ---
-scope: org-shared
 name: cbp-task-create
 description: Create a new task within the active checkpoint
 effort: xhigh

package/templates/skills/cbp-task-start/SKILL.md

@@ -1,5 +1,4 @@
 ---
-scope: org-shared
 name: cbp-task-start
 description: Start a task, load context from DB
 triggers: [cbp-round-start]

package/templates/skills/cbp-task-testing/SKILL.md

@@ -1,5 +1,4 @@
 ---
-scope: org-shared
 name: cbp-task-testing
 description: Run comprehensive task-level testing after /cbp-task-check passes
 argument-hint: [chk-task]

package/templates/skills/cbp-todo/SKILL.md

@@ -1,5 +1,4 @@
 ---
-scope: org-shared
 name: cbp-todo
 description: Entry point - what to work on next
 effort: low

package/templates/skills/cbp-todo/qa-regression.md

@@ -1,5 +1,4 @@
 ---
-scope: org-shared
 name: cbp-todo-qa-regression
 description: Manual regression procedure for the cbp-todo worktree-ownership gate + get_todos switch (CHK-137 TASK-2)
 ---

package/templates/skills/supabase/SKILL.md

@@ -1,5 +1,4 @@
 ---
-scope: org-shared
 name: supabase
 description: "Use when doing ANY task involving Supabase. Triggers: Supabase products (Database, Auth, Edge Functions, Realtime, Storage, Vectors, Cron, Queues); client libraries and SSR integrations (supabase-js, @supabase/ssr) in Next.js, React, SvelteKit, Astro, Remix; auth issues (login, logout, sessions, JWT, cookies, getSession, getUser, getClaims, RLS); Supabase CLI or MCP server; schema changes, migrations, security audits, Postgres extensions (pg_graphql, pg_cron, pg_vector)."
 metadata:

package/templates/skills/supabase-postgres-best-practices/SKILL.md

@@ -1,5 +1,4 @@
 ---
-scope: org-shared
 name: supabase-postgres-best-practices
 description: Postgres performance optimization and best practices from Supabase. Use this skill when writing, reviewing, or optimizing Postgres queries, schema designs, or database configurations.
 license: MIT