codebyplan 1.13.61 → 1.13.63

package/templates/skills/cbp-standalone-task-complete/SKILL.md

@@ -3,6 +3,7 @@ scope: repo-only:codebyplan
 name: cbp-standalone-task-complete
 description: Complete a standalone task — ship feat branch to production via PR and mark done
 argument-hint: [task]  # e.g. `45` (standalone TASK-45)
+model: inherit
 effort: xhigh
 ---
 
@@ -10,7 +11,7 @@ effort: xhigh
 
 Complete a standalone task. Auto-triggered by `/cbp-standalone-task-testing` when all tests pass. Can also be run manually.
 
-This skill is gated by an `ask`-tier `Skill(cbp-standalone-task-complete)` permission rule in `settings.json` (shipped templates). **The permission prompt IS the user confirmation** — there is NO completion-confirmation AskUserQuestion inside this skill (the Step 7.5 `caller_worktree_id` guard is a separate environmental safety prompt, not a flow-control confirmation). A declined permission is a clean no-op (nothing committed, merged, pushed, or completed).
+This skill is gated by an `ask`-tier `Skill(cbp-standalone-task-complete)` permission rule in `settings.json` (shipped templates). **The permission prompt IS the user confirmation** — there is NO completion-confirmation AskUserQuestion inside this skill. A declined permission is a clean no-op (nothing committed, merged, pushed, or completed).
 
 ## Instructions
 
@@ -226,9 +227,7 @@ Complete via the CLI (wraps the `complete_standalone_task` MCP tool):
 codebyplan standalone-task complete --id <standalone_task.id>
 ```
 
-The CLI auto-resolves `caller_worktree_id` (override → worktree cache → resolver). `caller_worktree_id` is REQUIRED — the MCP server's pre-guard rejects mutations from non-matching worktrees, and the CLI hard-fails (exit 1) with registration guidance rather than sending an undefined id. The server auto-clears `assigned_worktree_id` on the task on success.
-
-If the CLI exits 1 with a "could not resolve caller_worktree_id" message, run `npx codebyplan setup` (or `codebyplan resolve-worktree --cache`) from this worktree, then re-run the command.
+The server keys on the JWT user (`ctx.userId`) — no worktree param is needed. The server auto-clears `assigned_user_id` on the task on success.
 
 ### Step 8: Run Cleanup + Migration (inline)
 
@@ -265,7 +264,6 @@ Do NOT use AskUserQuestion for routing. Do NOT use the Skill tool to auto-trigge
 
 ## Key Rules
 
-- **`caller_worktree_id` is REQUIRED** for `complete_standalone_task`
 - **Branch shipping lives here** (not in checkpoint-end) — standalone tasks self-ship to production via `codebyplan ship`
 - **Single-directive routing** — no menus, no auto-triggers via Skill tool
 - **No checkpoint** — never check `checkpoint_id`, always treat task as standalone

package/templates/skills/cbp-standalone-task-create/SKILL.md

@@ -2,7 +2,8 @@
 scope: repo-only:codebyplan
 name: cbp-standalone-task-create
 description: Creates a standalone task (not checkpoint-bound) via create_standalone_task MCP tool
-effort: xhigh
+model: inherit
+effort: high
 ---
 
 # Standalone Task Create Command
@@ -87,28 +88,20 @@ To create the best task definition, I need to clarify:
 
 Skip if requirements are already clear from Step 1.
 
-### Step 6: Resolve Worktree Assignment
+### Step 6: Create Standalone Task
 
-Resolve worktree_id via `npx codebyplan resolve-worktree 2>/dev/null`.
-
-- If non-empty: pass as `assigned_worktree_id` in Step 7. This engages the hard-lock from creation.
-- If empty: warn the user that the task will be unassigned and offer to run `npx codebyplan setup` from the current directory first. After setup, re-resolve and proceed. If the user declines, create without `assigned_worktree_id`.
-
-### Step 7: Create Standalone Task
-
-Create via the CLI (wraps the `create_standalone_task` MCP tool; auto-resolves `caller_worktree_id`):
+Create via the CLI (wraps the `create_standalone_task` MCP tool):
 
 ```bash
 codebyplan standalone-task create \
   --title "<concise task title>" \
   --number <next number from Step 3> \
   --requirements "<numbered requirements list>" \
-  --context '<JSON: decisions from Q&A + source findings>' \
-  --assigned-worktree-id <from Step 6, if resolved>
+  --context '<JSON: decisions from Q&A + source findings>'
 ```
 
 - `--repo-id` is optional — the CLI reads it from `.codebyplan/repo.json`.
-- Omit `--assigned-worktree-id` when Step 6 did not resolve a worktree.
+- Task assignment is user-based — the server stamps `assigned_user_id` from the JWT on creation; no worktree param is needed.
 - On success the CLI prints the created row JSON (including `.id`) to stdout.
 
 ```
@@ -126,7 +119,7 @@ codebyplan standalone-task create \
 - Files likely touched: [relevant paths]
 ```
 
-### Step 8: Route
+### Step 7: Route
 
 ```
 Standalone TASK-[N] created successfully.

package/templates/skills/cbp-standalone-task-start/SKILL.md

@@ -3,7 +3,8 @@ scope: repo-only:codebyplan
 name: cbp-standalone-task-start
 description: Start a standalone task, load context from DB
 argument-hint: [task]  # e.g. `45` (standalone TASK-45)
-effort: xhigh
+model: inherit
+effort: high
 ---
 
 # Standalone Task Start Command
@@ -105,20 +106,20 @@ If `current` is still in `branch_config.protected`, block with a hard error citi
 1. Run `git status --short` to check for uncommitted files.
 2. If uncommitted files exist → commit them with `chore: clean slate for task start`. Prefer `git add -A && git commit -m "..."`.
 
-### Step 3.5: Worktree-Match Verification
+### Step 3.5: User-Match Verification
 
-Before activating, verify the caller's worktree matches the assigned worktree.
+Before activating, verify the current user is allowed to claim/edit the standalone task row.
 
-1. `CALLER_WT=$(npx codebyplan resolve-worktree 2>/dev/null)`. If empty, omit `caller_worktree_id` from MCP calls.
-2. `TARGET_WT = task.assigned_worktree_id`.
-3. If `TARGET_WT IS NOT NULL AND TARGET_WT != CALLER_WT`, surface error and abort:
+1. Resolve the current user: `CURRENT_USER=$(npx codebyplan whoami --json 2>/dev/null)` → parse `user_id` and `email` from the JSON. If the command fails or returns null/empty, `CURRENT_USER_ID` is null (anonymous session).
+2. `TARGET_USER = task.assigned_user_id`.
+3. If `TARGET_USER IS NOT NULL AND TARGET_USER != CURRENT_USER_ID`, surface error and abort:
 
    ```
-   Standalone TASK-N is assigned to worktree {TARGET_WT_NAME} ({TARGET_WT}); current worktree is {CALLER_WT_NAME} ({CALLER_WT}).
-   Use the release_assignment MCP tool (requires maintainer role) if {TARGET_WT_NAME} is dead, then re-run /cbp-standalone-task-start.
+   Standalone TASK-N is assigned to user {TARGET_EMAIL} ({TARGET_USER}); you are logged in as {CURRENT_EMAIL} ({CURRENT_USER_ID}).
+   Use the release_assignment MCP tool (requires maintainer role) if that user is no longer active, then re-run /cbp-standalone-task-start.
    ```
 
-4. If `TARGET_WT IS NULL` or matches, proceed.
+4. If `TARGET_USER IS NULL` or matches `CURRENT_USER_ID`, proceed.
 
 ### Step 3.6: Main-Drift Check (optional)
 
@@ -149,13 +150,13 @@ Load context from DB:
 
 ### Step 5: Set Task Status
 
-Set status via the CLI (wraps `update_standalone_task`; auto-resolves `caller_worktree_id`):
+Set status via the CLI (wraps `update_standalone_task`):
 
 ```bash
 codebyplan standalone-task update --id <task.id> --status in_progress
 ```
 
-`--id` is the standalone task UUID resolved in Step 2. The CLI resolves `caller_worktree_id` itself (override → worktree cache → resolver), so `CALLER_WT` does not need to be passed.
+`--id` is the standalone task UUID resolved in Step 2. The server keys on the JWT user for authz — no worktree or caller params are needed or accepted; all worktree-identity flags are deprecated and silently ignored server-side.
 
 ### Step 6: Auto-trigger Round Start
 

package/templates/skills/cbp-standalone-task-testing/SKILL.md

@@ -4,7 +4,8 @@ name: cbp-standalone-task-testing
 description: Run comprehensive task-level testing after /cbp-standalone-task-check passes
 argument-hint: [task]  # e.g. `45` (standalone TASK-45)
 triggers: [cbp-standalone-task-complete]
-effort: xhigh
+model: inherit
+effort: high
 ---
 
 # Standalone Task Testing Command

package/templates/skills/cbp-stripe/SKILL.md

@@ -2,7 +2,8 @@
 scope: org-shared
 name: cbp-stripe
 description: "Stripe integration guidance — load when implementing or reviewing payments, Checkout, subscriptions/billing, webhooks, Connect, Tax, or Treasury. Encodes the API-selection routing table, the no-payment_method_types rule, restricted-key security, and Stripe SDK conventions."
-effort: xhigh
+model: inherit
+effort: high
 ---
 
 # Stripe Integration (CBP)

package/templates/skills/cbp-supabase-branch-check/SKILL.md

@@ -3,7 +3,8 @@ name: cbp-supabase-branch-check
 description: Gate skill called by /cbp-ship-main (pre-merge) to verify the Supabase preview branch health check is green before allowing a PR to be merged; skips when no DB-path changes are detected.
 argument-hint: "[--mode pre_pr_create|pre_merge] [--target integration|production]"
 allowed-tools: Bash(git *), Bash(gh *), Bash(jq *), Bash(supabase *), Bash(sleep *), Bash(echo *), Read, mcp__supabase__list_branches, mcp__supabase__get_logs
-effort: xhigh
+model: inherit
+effort: high
 ---
 
 # Supabase Branch Check

package/templates/skills/cbp-supabase-migrate/SKILL.md

@@ -3,6 +3,7 @@ name: cbp-supabase-migrate
 description: Scaffold or adopt a Supabase migration for the current PR branch, apply to the branch's preview DB, run advisor checks, regenerate TypeScript types. Includes a fresh-branch dry-run pre-flight that uses one persistent dry-run ephemeral branch per feature branch.
 argument-hint: "[--new <name> | <path-to-sql>]"
 allowed-tools: Read, Edit, Write, Bash(codebyplan supabase *), Bash(npx codebyplan supabase *), Bash(npx codebyplan checkpoint update *), Bash(npx codebyplan task update *), Bash(git *), Bash(supabase *), Bash(jq *), Bash(date *), Bash(which *), Bash(cp *), Bash(mv *), Bash(test *), Bash(ls *), mcp__supabase__apply_migration, mcp__supabase__list_migrations, mcp__supabase__get_advisors, mcp__supabase__generate_typescript_types, mcp__supabase__reset_branch, mcp__supabase__list_branches, mcp__supabase__create_branch, mcp__supabase__get_cost, mcp__supabase__confirm_cost, mcp__codebyplan__update_checkpoint, mcp__codebyplan__update_task
+model: inherit
 effort: xhigh
 ---
 

package/templates/skills/cbp-supabase-setup/SKILL.md

@@ -3,7 +3,8 @@ name: cbp-supabase-setup
 description: Enable Supabase GitHub branching integration — GitHub app authorization, required-status-check enforcement on main + integration branch, persistent branch creation, and idempotency marker in .codebyplan/shipment.json.
 argument-hint: "[--force]"
 allowed-tools: Read, Edit, Bash(supabase *), Bash(jq *), Bash(mv *), Bash(date *), Bash(test *), Bash(which *)
-effort: xhigh
+model: inherit
+effort: high
 ---
 
 # Supabase Branching Setup

package/templates/skills/cbp-task-create/SKILL.md

@@ -1,7 +1,8 @@
 ---
 name: cbp-task-create
 description: Create a new task within the active checkpoint
-effort: xhigh
+model: inherit
+effort: high
 ---
 
 # Task Create Command
@@ -145,7 +146,7 @@ Use `codebyplan task create --checkpoint-id <id> ...` (CLI write-through) to cre
 - **requirements**: Numbered requirements list
 - **context**: Include decisions from Q&A, dependencies, source findings
 
-**For checkpoint-bound tasks**, an empty `worktree_id` is fine — no caller-worktree stamping is needed because the parent checkpoint's `worktree_id` governs.
+**For checkpoint-bound tasks**, assignment is user-based — the task's `assigned_user_id` is stamped server-side from the JWT; no caller-worktree param is needed.
 
 ```
 ## Task Created

package/templates/skills/cbp-task-start/SKILL.md

@@ -3,6 +3,7 @@ name: cbp-task-start
 description: Start a task, load context from DB
 triggers: [cbp-round-plan]
 argument-hint: [chk-task]  # e.g. `108-1` (CHK-108 TASK-1)
+model: inherit
 effort: xhigh
 ---
 
@@ -156,21 +157,21 @@ Skip this step if the task title and requirements contain no CVE ID (`CVE-YYYY-N
 
 See `dependency-vulnerability-fixes.md` "Audit Sweep at Task Start" for the source rule.
 
-### Step 3.5: Worktree-Match Verification
+### Step 3.5: User-Match Verification
 
-Before activating the task, verify the caller's worktree matches the assigned worktree on the target row. (Per CHK-104 — DB-level hard-lock prevents cross-worktree mutations.)
+Before activating the task, verify the current user is allowed to claim/edit the checkpoint row.
 
-1. Read caller worktree: `CALLER_WT=$(npx codebyplan resolve-worktree 2>/dev/null)`.
-2. Determine target worktree:
-   - **Checkpoint-bound tasks**: `TARGET_WT = checkpoint.worktree_id` (read from the local checkpoint file already loaded in Step 2). Note: checkpoint-bound tasks may have a NULL `task.assigned_worktree_id` because the lock lives on the parent checkpoint — fall through to `checkpoint.worktree_id`.
-3. If `TARGET_WT IS NOT NULL AND TARGET_WT != CALLER_WT`, surface this error and abort:
+1. Resolve the current user: `CURRENT_USER=$(npx codebyplan whoami --json 2>/dev/null)` → parse `user_id` and `email` from the JSON. If the command fails or returns null/empty, `CURRENT_USER_ID` is null (anonymous session).
+2. Determine the target owner:
+   - **Checkpoint-bound tasks**: `TARGET_USER = checkpoint.assigned_user_id` (read from the local checkpoint file already loaded in Step 2). Note: checkpoint-bound tasks may have a null `task.assigned_user_id`; the lock lives on the parent checkpoint — fall through to `checkpoint.assigned_user_id`.
+3. If `TARGET_USER IS NOT NULL AND TARGET_USER != CURRENT_USER_ID`, surface this error and abort:
 
    ```
-   TASK-N is assigned to worktree {TARGET_WT_NAME} ({TARGET_WT}); current worktree is {CALLER_WT_NAME} ({CALLER_WT}).
-   Use the release_assignment MCP tool (requires maintainer role) if {TARGET_WT_NAME} is dead, then re-run /cbp-task-start.
+   TASK-N is assigned to user {TARGET_EMAIL} ({TARGET_USER}); you are logged in as {CURRENT_EMAIL} ({CURRENT_USER_ID}).
+   Use the release_assignment MCP tool (requires maintainer role) if that user is no longer active, then re-run /cbp-task-start.
    ```
 
-4. If `TARGET_WT IS NULL` or matches, proceed.
+4. If `TARGET_USER IS NULL` or matches `CURRENT_USER_ID`, proceed.
 
 ### Step 3.6: Main-Drift Check (optional)
 
@@ -217,7 +218,7 @@ Display context summary:
 
 ### Step 5: Set Task Status
 
-`codebyplan task update --id <taskId> --checkpoint-id <checkpointId> --status in_progress` (CLI write-through: local state file + REST). If a worktree_id is present, also pass `--claim-worktree-id <worktreeId>` to auto-claim the checkpoint (the CLI passes all flags as snake-case PATCH fields). Break-glass fallback: MCP `update_task(task_id, status: "in_progress", claim_worktree_id: ..., caller_worktree_id: ...)` when the CLI is unavailable — note `caller_worktree_id` is auto-injected by the `cbp-mcp-caller-worktree-inject.sh` PreToolUse hook only on the MCP path.
+`codebyplan task update --id <taskId> --checkpoint-id <checkpointId> --status in_progress` (CLI write-through: local state file + REST). The server keys on the JWT user for authz — no worktree or claim params are needed or accepted. Break-glass fallback: MCP `update_task(task_id, status: "in_progress")` when the CLI is unavailable — all worktree-identity params are deprecated and silently ignored server-side; omit them.
 
 ### Step 6: Auto-trigger Round Start
 

package/templates/skills/cbp-todo/SKILL.md

@@ -1,32 +1,19 @@
 ---
 name: cbp-todo
 description: Entry point - what to work on next
-effort: low
+model: inherit
+effort: medium
 ---
 
 # Todo Command
 
-Single entry point after `/clear`: read the pure-read todo queue, gate on worktree ownership + checkpoint planning, load context, then trigger the next command. It ensures Claude always has full context — and never auto-routes into work locked to another worktree — before any command runs.
+Single entry point after `/clear`: read the pure-read todo queue, gate on user ownership + checkpoint planning, load context, then trigger the next command. It ensures Claude always has full context — and never auto-routes into work locked to another user — before any command runs.
 
 ## Instructions
 
-### Step 0: Resolve Caller Identity (worktree + user)
+### Step 0: Resolve Caller Identity (user)
 
-Before any MCP call, resolve who and where the caller is.
-
-**Worktree** — derive the caller `worktree_id` and any distress signal in one structured read:
-
-```bash
-npx codebyplan resolve-worktree --json   # → {"worktree_id":"<uuid>|null","error_kind":null|"<kind>"}
-```
-
-- `error_kind` is `null` or `"tuple_miss"` → healthy. `WORKTREE_ID` = `worktree_id` (may be `null`: a legitimate main-repo or unregistered-worktree case — proceed to read the queue, but downstream hard-locks reject mutations on assigned rows).
-- `error_kind` is `local_config_read_failed`, `local_config_write_failed`, `legacy_file_blocks_dir`, `api_failed`, `git_failed`, or `unhandled` → **broken local state**. Surface the distress line and STOP (skip Steps 1–4) — routing is unreliable when the resolver cannot read local state:
-
-```
-⚠ resolve-worktree: <error_kind> — local state is broken; routing is unreliable.
-Run `npx codebyplan setup` from this directory to register/repair, then re-run /cbp-todo.
-```
+Before any MCP call, resolve who the caller is.
 
 **User** — `get_todos` (Step 1) requires a `user_id`:
 
@@ -35,45 +22,44 @@ npx codebyplan whoami --json   # → {"user_id":"<uuid>","email":"…"} or null
 ```
 
 - A `user_id` is returned → use it in Step 1.
-- `null` (CLI keychain empty — common in OAuth-MCP-only environments) → the queue cannot be scoped by user; skip Step 1 and use the Step 3 fallback. The Step 1.5 ownership gate still applies.
+- `null` or empty `user_id` (CLI keychain empty — common in OAuth-MCP-only environments) → the queue cannot be scoped by user; skip Step 1 and use the Step 3 fallback. The Step 1.5 ownership gate still applies.
 
 ### Step 1: Read the Todo Queue (pure-read)
 
-With `USER_ID` resolved, read `.codebyplan/state/todos.json` (local-first). If missing or stale (`_cursor.json` absent or `sync_status !== "synced"`), run `npx codebyplan sync` once and re-read. Break-glass fallback: MCP `get_todos({ repo_id, user_id, worktree_id })` when the state dir is absent and sync fails. Filter by `user_id` and `worktree_id` (omit `worktree_id` when `WORKTREE_ID` is `null` or unresolved). Take **`rows[0]`** as the queue head (ordered by `sort_order`).
+With `USER_ID` resolved, read `.codebyplan/state/todos.json` (local-first). If missing or stale (`_cursor.json` absent or `sync_status !== "synced"`), run `npx codebyplan sync` once and re-read. Break-glass fallback: MCP `get_todos({ repo_id, user_id })` when the state dir is absent and sync fails. Filter by `user_id`. Take **`rows[0]`** as the queue head (ordered by `sort_order`).
 
-- The head carries `command`, `instructions`, `state`, `metadata`, `worktree_id`, `checkpoint_id`, `task_id`.
+- The head carries `command`, `instructions`, `state`, `metadata`, `checkpoint_id`, `task_id`.
 - The routing context (checkpoint/task) lives in **`rows[0].metadata`**.
 - `get_todos` is **pure-read** — `apps/todo-worker` is the sole regen authority. NEVER call `get_next_action` or `regenerate_todos_for_repo`.
 - Empty array, or `USER_ID` unavailable → go to Step 3 (empty-queue fallback).
 
 Queue `command` values may use the `/codebyplan:<name>` plugin-namespace form (e.g. `/codebyplan:round-start`); treat each as the matching `/cbp-<name>` skill for the Step 2 matrix.
 
-### Step 1.5: Resolve Target + Worktree-Ownership Gate
+### Step 1.5: Resolve Target + User-Ownership Gate
 
-Resolve the routing target's checkpoint and gate on ownership BEFORE any auto-trigger — including the Step 1.6 planning hand-offs. Refuse to route into, plan, or start work locked to a different worktree.
+Resolve the routing target's checkpoint and gate on ownership BEFORE any auto-trigger — including the Step 1.6 planning hand-offs. Refuse to route into, plan, or start work locked to a different user.
 
-Resolve the checkpoint from `rows[0].metadata` (or read `.codebyplan/state/session/current.json` for the active task, falling back to MCP `get_current_task`), then load its `worktree_id` + `plan` + `status` from `.codebyplan/state/checkpoints/<id>.json` (falling back to MCP `get_checkpoints`) and its task count from `.codebyplan/state/checkpoints/<id>/tasks/` files (falling back to MCP `get_tasks(checkpoint_id)`). This single load is reused by the Step 1.6 planning gate. Skip this gate when the routing target has no checkpoint (idle — see Step 3) or the command is `/cbp-session-start`.
+Resolve the checkpoint from `rows[0].metadata` (or read `.codebyplan/state/session/current.json` for the active task, falling back to MCP `get_current_task`), then load its `assigned_user_id` + `plan` + `status` from `.codebyplan/state/checkpoints/<id>.json` (falling back to MCP `get_checkpoints`) and its task count from `.codebyplan/state/checkpoints/<id>/tasks/` files (falling back to MCP `get_tasks(checkpoint_id)`). This single load is reused by the Step 1.6 planning gate. Skip this gate when the routing target has no checkpoint (idle — see Step 3) or the command is `/cbp-session-start`.
 
 Two ownership signals:
 
-1. **Server-detected conflict** — `rows[0].state === "worktree_conflict"` (command `/codebyplan:release-or-switch`): the todo-worker already detected the lock conflict. The owner is in `rows[0].metadata.conflicting_worktree_name` / `.conflicting_worktree_id`. Surface the mismatch message below and **STOP**. Do NOT auto-trigger the release-or-switch command and do NOT call `release_assignment` — switch worktrees rather than reassigning a lock to the caller.
-2. **Checkpoint-ownership check** — take the target checkpoint's `worktree_id` (loaded above, keyed by `rows[0].checkpoint_id` / `metadata.checkpoint.id`) and compare with caller `WORKTREE_ID`:
-   - target `worktree_id` is `null` → **allow** (unassigned — any worktree may pick it up; covers the both-null main-repo case).
-   - target `worktree_id` === caller `WORKTREE_ID` → **allow**.
-   - target `worktree_id` non-null **AND** caller `WORKTREE_ID` is `null`/unresolved → **block** (deliberate safety: identity cannot be confirmed. This does not contradict Step 0 — reading the queue is fine, auto-triggering INTO assigned work is not. Run `npx codebyplan setup` to register this worktree).
-   - target `worktree_id` non-null and differs from a non-null caller → **block**.
+1. **Server-detected conflict** — `rows[0].state === "worktree_conflict"` (command `/codebyplan:release-or-switch`): the todo-worker already detected the lock conflict. (`worktree_conflict` is the worker's current state-value name — it now reflects a user-level lock conflict and is renamed alongside the web-UI/schema work in a later task.) Surface the mismatch message below and **STOP**. Do NOT auto-trigger the release-or-switch command and do NOT call `release_assignment` — the user who owns the lock must release it or a maintainer must use `release_assignment`.
+2. **Checkpoint-ownership check** — take the target checkpoint's `assigned_user_id` (loaded above) and compare with caller `USER_ID`:
+   - target `assigned_user_id` is `null` → **allow** (unassigned — any user may pick it up).
+   - target `assigned_user_id` === caller `USER_ID` → **allow**.
+   - target `assigned_user_id` non-null AND differs from caller `USER_ID` → **block**.
 
-On block, resolve the owning worktree's `name` + `path` via MCP `get_worktrees({ repo_id })` (display-only ownership-block path — no CLI verb exists for worktrees; stays MCP), then emit and STOP:
+On block, emit and STOP (show the owner email if resolvable from the whoami context, otherwise the `assigned_user_id` UUID):
 
 ```
-⚠ Work mismatch: CHK-<NNN> TASK-<N> is assigned to worktree <name> (<short-uuid>), not this one (<this-name> / <this-short-uuid>).
+⚠ Work mismatch: CHK-<NNN> TASK-<N> is assigned to user <email-or-uuid>, not you.
 Options:
-  A) Switch to <owning-worktree-path> and resume there
-  B) Work on something else here — run /cbp-checkpoint-create or /cbp-task-create
+  A) Work on something else — run /cbp-checkpoint-create or /cbp-task-create
+  B) Ask the owner to release the assignment, or a maintainer can use release_assignment, then re-run /cbp-todo
   C) /cbp-session-end
 ```
 
-`<short-uuid>` = first 8 chars of the worktree UUID. Caller unresolved → render "this one" as `(unresolved / —)`. Name lookup miss → show the UUID alone. Wait for the user. NEVER propose reassigning the checkpoint to the caller worktree.
+Wait for the user. NEVER propose reassigning the checkpoint to the caller.
 
 ### Step 1.55: Stale-Entity Guard
 
@@ -169,8 +155,8 @@ Display a brief context summary:
 
 Reached when `get_todos` returns `[]` or `USER_ID` was unavailable.
 
-1. **Fallback discovery** (worktree-scoped): read `.codebyplan/state/session/current.json` and scan `.codebyplan/state/checkpoints/` for active checkpoints (fallback: MCP `get_current_task` + `get_checkpoints`) to discover whether actionable work exists for this caller.
-2. **Actionable work found** → treat the discovered checkpoint as the routing target and apply BOTH the Step 1.5 ownership gate and the Step 1.6 planning gate to it, using the `worktree_id` + `plan` + `status` returned by `get_checkpoints` (the fallback has no `rows[0]` — substitute the discovered checkpoint). If both gates pass, route via Step 2 → Step 4.
+1. **Fallback discovery**: read `.codebyplan/state/session/current.json` and scan `.codebyplan/state/checkpoints/` for active checkpoints (fallback: MCP `get_current_task` + `get_checkpoints`) to discover whether actionable work exists for this caller.
+2. **Actionable work found** → treat the discovered checkpoint as the routing target and apply BOTH the Step 1.5 ownership gate and the Step 1.6 planning gate to it, using the `assigned_user_id` + `plan` + `status` returned by `get_checkpoints` (the fallback has no `rows[0]` — substitute the discovered checkpoint). If both gates pass, route via Step 2 → Step 4.
 3. **Nothing actionable** → suggest ending the session:
 
 ```
@@ -189,6 +175,6 @@ Reached only when the Step 1.5 ownership gate allowed routing to continue, the S
 ## Integration
 
 - **Called by**: `/cbp-session-start`, `/cbp-finalize`, `/cbp-checkpoint-complete`, manual, after `/clear`
-- **Resolves**: `npx codebyplan resolve-worktree --json` (worktree id + distress signal), `npx codebyplan whoami --json` (user id)
-- **Reads**: `.codebyplan/state/todos.json`, `session/current.json`, `checkpoints/<id>.json`, `checkpoints/<id>/tasks/<id>.json`, `checkpoints/<id>/tasks/<id>/rounds/<id>.json`, `worktrees.json`. If missing/stale, run `npx codebyplan sync` once and re-read. Break-glass: MCP `get_todos`, `get_current_task`, `get_rounds`, `get_checkpoints`, `get_tasks` when state dir absent and sync fails. `get_worktrees` stays MCP (display-only ownership-block path; no CLI verb).
+- **Resolves**: `npx codebyplan whoami --json` (user id)
+- **Reads**: `.codebyplan/state/todos.json`, `session/current.json`, `checkpoints/<id>.json`, `checkpoints/<id>/tasks/<id>.json`, `checkpoints/<id>/tasks/<id>/rounds/<id>.json`. If missing/stale, run `npx codebyplan sync` once and re-read. Break-glass: MCP `get_todos`, `get_current_task`, `get_rounds`, `get_checkpoints`, `get_tasks` when state dir absent and sync fails.
 - **Triggers**: `rows[0].command` (auto, after the Step 1.5 ownership gate and Step 1.55 stale-entity guard pass, and the Step 1.6 planning gate falls through); Step 1.55 overrides to STOP (stale completed/cancelled entity); Step 1.6 overrides to `/cbp-checkpoint-plan` (unplanned) or `/cbp-checkpoint-start` (planned-but-pending)

package/templates/skills/cbp-todo/qa-regression.md

@@ -1,51 +1,45 @@
 ---
 name: cbp-todo-qa-regression
-description: Manual regression procedure for the cbp-todo worktree-ownership gate + get_todos switch (CHK-137 TASK-2)
+description: Manual regression procedure for the cbp-todo user-ownership gate + get_todos switch (CHK-225 TASK-5)
 ---
 
-# cbp-todo — Worktree-Ownership Regression
+# cbp-todo — User-Ownership Regression
 
-Manual procedure verifying that `/cbp-todo` reads the pure-read `get_todos` queue and refuses to auto-route into work locked to another worktree. No automated harness exists for markdown skills; run these by hand (or read the queue with the MCP tools) whenever Step 0/1/1.5 of `SKILL.md` changes.
+Manual procedure verifying that `/cbp-todo` reads the pure-read `get_todos` queue and refuses to auto-route into work locked to another user. No automated harness exists for markdown skills; run these by hand (or read the queue with the MCP tools) whenever Step 0/1/1.5 of `SKILL.md` changes.
 
 Repo under test: `2ff6d405-39c5-47b8-a6d1-59f998ac0537`. Resolve a real `user_id` with `npx codebyplan whoami --json`, or harvest a non-null `assigned_user_id` from `get_checkpoints`.
 
 ## Preconditions
 
 - `get_todos` is the only Step 1 read — confirm no `get_next_action` / `regenerate_todos_for_repo` call remains (`grep -n 'get_next_action\|regenerate_todos_for_repo' SKILL.md` → no hits).
-- Step 0 uses `resolve-worktree --json` and `whoami --json`.
+- Step 0 uses `whoami --json` only — no worktree-resolution CLI verb appears in SKILL.md (verify by grepping the banned token list against SKILL.md; zero hits expected).
 - Step 1.55 (Stale-Entity Guard) must NOT call `get_next_action` or `regenerate_todos_for_repo` when rejecting a stale head — it reuses the checkpoint `status` + task statuses already loaded in Step 1.5 (the same grep above covers it).
 
-## Scenario A — caller owns the work → auto-trigger
+## Scenario A — current user owns the work → auto-trigger
 
-1. From a worktree that owns the active checkpoint (caller `WORKTREE_ID` === target checkpoint `worktree_id`, or target `worktree_id` is `null`).
-2. `get_todos({ repo_id, user_id, worktree_id })` returns a head whose target checkpoint is owned by the caller (or unscoped).
+1. `npx codebyplan whoami --json` returns `user_id` matching the target checkpoint's `assigned_user_id` (or `assigned_user_id` is `null` — open queue).
+2. `get_todos({ repo_id, user_id })` returns a head whose target checkpoint is owned by the caller (or unassigned).
 3. **Expected**: Step 1.5 ownership gate allows, Step 1.6 planning gate falls through, Step 4 auto-triggers `rows[0].command` (mapped to its `/cbp-<name>` form).
 
-## Scenario B1 — server-generated conflict head → halt
+## Scenario B — checkpoint assigned to a DIFFERENT user → halt
 
-1. Caller `codebyplan-claude-2` (`38cd7dfa`). Active work assigned to `codebyplan-cli` (`016bd7f2`).
-2. `get_todos` head is the server conflict todo: `state === "worktree_conflict"`, `command "/codebyplan:release-or-switch"`, `metadata.conflicting_worktree_name === "codebyplan-cli"`.
-3. **MCP calls expected**: `get_todos`; `get_worktrees` (to resolve `016bd7f2` path for the message). NO `get_checkpoints` needed — the server already resolved the conflict.
-4. **Expected**: Step 1.5 server-conflict branch blocks and STOPS. The "Work mismatch" message names `codebyplan-cli (016bd7f2)` vs `codebyplan-claude-2 (38cd7dfa)`, offers Switch (`/Users/merilyviks/codebyplan-cli`) / other-work / session-end. NO auto-trigger; NO `release_assignment` call (never reassign the lock to the caller).
+1. `whoami` returns user A. Target checkpoint `assigned_user_id` is user B (non-null, different).
+2. `get_todos` head is a normal routing todo whose target checkpoint `assigned_user_id` is user B's UUID.
+3. **MCP calls expected**: `get_todos`; `get_checkpoints` (Step 1.5 load, reads the target `assigned_user_id`). Owner is identified by `assigned_user_id` directly (email from whoami context if resolvable, else the UUID) — no worktree-lookup MCP call is needed.
+4. **Expected**: Step 1.5 checkpoint-ownership branch blocks and STOPS with the "Work mismatch" message naming the owner email-or-uuid. NO auto-trigger; the Step 1.6 planning gate never runs (ownership precedes it). NEVER propose reassigning the checkpoint to the caller.
 
-## Scenario B2 — normal head, mismatched checkpoint owner → halt
+## Scenario C — empty queue / anonymous caller → fallback
 
-1. Caller `codebyplan-claude-2` (`38cd7dfa`). `get_todos` head is a normal routing todo whose target checkpoint `worktree_id` is `016bd7f2`.
-2. **MCP calls expected**: `get_todos`; `get_checkpoints` (Step 1.5 load, reads the target `worktree_id`); `get_worktrees` (resolve `016bd7f2` name + path).
-3. **Expected**: Step 1.5 checkpoint-ownership branch blocks and STOPS with the same "Work mismatch" message. NO auto-trigger; the Step 1.6 planning gate never runs (ownership precedes it).
-
-## Scenario C — empty queue + cross-worktree current task → halt
-
-1. `get_todos` returns `[]` (or `whoami` returned `null`, so Step 1 was skipped).
-2. Step 3 fallback: `get_current_task({ repo_id, worktree_id })` / `get_checkpoints({ repo_id, worktree_id, status: 'active' })` surface a checkpoint whose `worktree_id` differs from the caller.
-3. **Expected**: the Step 1.5 ownership gate (applied to the fallback target) blocks the discovered work with the same "Work mismatch" message. NO auto-trigger. `regenerate_todos_for_repo` is never called.
+1. `get_todos` returns `[]` OR `whoami` returned `null`/empty `user_id`, so Step 1 was skipped.
+2. Step 3 fallback: `get_current_task` / `get_checkpoints` surface a checkpoint whose `assigned_user_id` differs from the caller (or caller is anonymous).
+3. **Expected**: the Step 1.5 ownership gate (applied to the fallback target) blocks the discovered work with the "Work mismatch" message when the user differs, or routes to the idle suggestion when the caller is anonymous and no open work is found. NO auto-trigger. `regenerate_todos_for_repo` is never called.
 
 ## Scenario D — stale queue head for a completed/cancelled entity → halt
 
-1. Caller owns the active checkpoint (Scenario A ownership holds), but the todo-worker queue is lagging — `health_check.todos_freshness_ok === false`. The `get_todos` head targets a checkpoint (or task) that has since been completed or cancelled.
-2. Step 1.5 loads the target checkpoint `status` + `get_tasks(checkpoint_id)` (already required for the ownership/planning gates — no extra reads).
-3. **Expected**: Step 1.55 rejects the auto-trigger — target checkpoint `status` is `completed`/`cancelled` (or every task is `completed`/`cancelled`) — surfaces the "Stale queue head" message naming the command + `CHK-NNN`[ `TASK-N`] + status, and STOPS. NO auto-trigger. NO `get_next_action` / `regenerate_todos_for_repo` call.
+1. Caller's `user_id` matches the target checkpoint's `assigned_user_id` (ownership passes), but the todo-worker queue is lagging — `health_check.todos_freshness_ok === false`. The `get_todos` head targets a checkpoint (or task) that has since been completed or cancelled.
+2. Step 1.5 loads the target checkpoint `status` + task statuses (already required for the ownership/planning gates — no extra reads).
+3. **Expected**: Step 1.55 rejects the auto-trigger — target checkpoint `status` is `completed`/`cancelled` (or every task is `completed`/`cancelled`) — surfaces the "Stale queue head" message naming the command + `CHK-NNN`[`TASK-N`] + status, and STOPS. NO auto-trigger. NO `get_next_action` / `regenerate_todos_for_repo` call.
 
-## Edge — both null
+## Edge — null assigned_user_id (open work)
 
-Caller `WORKTREE_ID` empty AND target checkpoint `worktree_id` `null` → legitimate main-repo / unassigned work → auto-trigger allowed.
+`assigned_user_id` is `null` on the target checkpoint AND caller has a valid `user_id` → open/unassigned work → auto-trigger allowed (proceeds to Step 1.6 planning gate).

package/templates/skills/cbp-verify/SKILL.md

@@ -3,6 +3,7 @@ name: cbp-verify
 description: Unified verify stage — deterministic gates, real-execution proof, and a fresh-context diff review at round or task scope. Auto-triggered by cbp-round-build; escalates to task scope on the last clean round.
 argument-hint: [chk-task[-round] | task[-round]]
 triggers: [cbp-round-plan, cbp-round-complete, cbp-finalize]
+model: inherit
 effort: xhigh
 ---
 
@@ -98,6 +99,10 @@ Triage the returned findings: in-scope mechanical fixes the orchestrator applies
 (`Edit`/`Write`); blocking out-of-scope findings → `/cbp-round-plan` fix round. A baseline
 regression is a **blocking user-accept gate** — never auto-accepted.
 
+#### Orchestration (optional)
+
+When a finding warrants adversarial confirmation, Phase 4's `cbp-verify-reviewer` spawn MAY be expressed as a `Workflow(...)` script — e.g. N independent multi-vote reviewers — instead of a single ad-hoc spawn. This is opt-in (ultracode session or explicit user request); the single-spawn flow above stays the DEFAULT and is unchanged. See `rules/workflow-orchestration.md`.
+
 ### PHASE 5 — VERDICT + ROUTE (single directive, never an A/B/C menu)
 
 Combine Phase 2 + 3 + 4. Route on one directive (`feedback-close-out-routing.md`):

package/templates/skills/cbp-verify/reference/round-scope.md

@@ -58,5 +58,4 @@ human confirmation — do not add an AskUserQuestion in cbp-verify at round scop
 
 `codebyplan round update --id <round_id> --task-id <uuid> --checkpoint-id <uuid> --context '<json>'`
 (merge `verify_manifest` into existing context; the REPLACE contract requires the full object).
-Break-glass: MCP `update_round` (checkpoint KIND) / `update_standalone_round` (standalone KIND) —
-pass `caller_worktree_id` on locked feat rows.
+Break-glass: MCP `update_round` (checkpoint KIND) / `update_standalone_round` (standalone KIND).

package/templates/skills/supabase/SKILL.md

@@ -1,6 +1,8 @@
 ---
 name: supabase
 description: "Use when doing ANY task involving Supabase. Triggers: Supabase products (Database, Auth, Edge Functions, Realtime, Storage, Vectors, Cron, Queues); client libraries and SSR integrations (supabase-js, @supabase/ssr) in Next.js, React, SvelteKit, Astro, Remix; auth issues (login, logout, sessions, JWT, cookies, getSession, getUser, getClaims, RLS); Supabase CLI or MCP server; schema changes, migrations, security audits, Postgres extensions (pg_graphql, pg_cron, pg_vector)."
+model: inherit
+effort: medium
 metadata:
   author: supabase
   version: "0.1.2"

package/templates/skills/supabase-postgres-best-practices/SKILL.md

@@ -2,6 +2,8 @@
 name: supabase-postgres-best-practices
 description: Postgres performance optimization and best practices from Supabase. Use this skill when writing, reviewing, or optimizing Postgres queries, schema designs, or database configurations.
 license: MIT
+model: inherit
+effort: low
 metadata:
   author: supabase
   version: "1.1.1"

package/templates/hooks/cbp-mcp-caller-worktree-inject.sh

@@ -1,78 +0,0 @@
-#!/bin/bash
-# @hook: PreToolUse mcp__codebyplan__(update_checkpoint|complete_checkpoint|update_task|complete_task|add_round|update_round|complete_round|create_standalone_task|update_standalone_task|complete_standalone_task|add_standalone_round|update_standalone_round|complete_standalone_round|update_standalone_file_change)
-# Hook: PreToolUse for MCP write tools
-#
-# Purpose: Inject caller_worktree_id into MCP mutation tool inputs when the
-#          field is absent. Reads the worktree.local.json branch-keyed cache
-#          first (fast path); falls back to `codebyplan resolve-worktree --cache`.
-#
-# Fail-open: ALL exit paths exit 0. A hook failure must never block a tool call.
-#            Use explicit guards rather than set -euo pipefail (which would exit
-#            non-zero on the first failing command before the final exit 0).
-
-# C0 — require jq; if absent, emit nothing and exit 0 (fail-open).
-if ! command -v jq > /dev/null 2>&1; then
-  exit 0
-fi
-
-# Read stdin once into a variable.
-INPUT=$(cat)
-
-# C6 — if caller_worktree_id is already a non-empty string, do not overwrite.
-# (jq '// empty' already maps JSON null to an empty string, so a plain -n test suffices.)
-EXISTING=$(echo "$INPUT" | jq -r '.tool_input.caller_worktree_id // empty' 2>/dev/null)
-if [ -n "$EXISTING" ]; then
-  # Already populated — plain allow (exit 0 with no output).
-  exit 0
-fi
-
-# C5 — resolve worktree id, fast path first.
-RESOLVED_WT=""
-
-# Determine repo root: prefer $CLAUDE_PROJECT_DIR, fall back to PWD.
-REPO_ROOT="${CLAUDE_PROJECT_DIR:-$PWD}"
-CACHE_FILE="$REPO_ROOT/.codebyplan/worktree.local.json"
-
-if [ -f "$CACHE_FILE" ]; then
-  CACHED_WT=$(jq -r '.worktree_id // empty' "$CACHE_FILE" 2>/dev/null)
-  CACHED_BRANCH=$(jq -r '.branch // empty' "$CACHE_FILE" 2>/dev/null)
-
-  if [ -n "$CACHED_WT" ] && [ "$CACHED_WT" != "null" ] && \
-     [ -n "$CACHED_BRANCH" ] && [ "$CACHED_BRANCH" != "null" ]; then
-    # Validate branch matches current git branch.
-    CURRENT_BRANCH=$(git rev-parse --abbrev-ref HEAD 2>/dev/null)
-    if [ -n "$CURRENT_BRANCH" ] && [ "$CURRENT_BRANCH" = "$CACHED_BRANCH" ]; then
-      RESOLVED_WT="$CACHED_WT"
-    fi
-  fi
-fi
-
-# Fallback to CLI resolution if cache miss or branch mismatch.
-if [ -z "$RESOLVED_WT" ]; then
-  RESOLVED_WT=$(codebyplan resolve-worktree --cache 2>/dev/null \
-    || npx --no-install codebyplan resolve-worktree --cache 2>/dev/null \
-    || true)
-fi
-
-# UUID guard — accept only a canonical UUID (8-4-4-4-12 hex).
-UUID_PATTERN='^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$'
-if [ -z "$RESOLVED_WT" ] || ! echo "$RESOLVED_WT" | grep -qE "$UUID_PATTERN"; then
-  # Unresolved or invalid — plain allow, no updatedInput.
-  exit 0
-fi
-
-# C3 — emit updatedInput as the FULL tool_input with caller_worktree_id added.
-# Claude Code's PreToolUse updatedInput REPLACES tool_input wholesale (it is not a
-# partial merge), so we must echo back every existing field merged with the new
-# caller_worktree_id — otherwise the tool loses round_id/duration_minutes/etc.
-echo "$INPUT" | jq \
-  --arg wt "$RESOLVED_WT" \
-  '{
-    hookSpecificOutput: {
-      hookEventName: "PreToolUse",
-      permissionDecision: "allow",
-      updatedInput: (.tool_input + { caller_worktree_id: $wt })
-    }
-  }'
-
-exit 0