codebyplan 1.13.62 → 1.13.63

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "codebyplan",
-  "version": "1.13.62",
+  "version": "1.13.63",
   "description": "CLI for CodeByPlan — AI-powered development planning and tracking",
   "type": "module",
   "bin": {

package/templates/agents/cbp-e2e-playwright.md

@@ -31,20 +31,20 @@ pnpm exec playwright install --with-deps chromium
 
 Resolve the apps/{app} dev-server port at config-read time via the shared resolver
 `apps/{app}/e2e/resolve-web-dev-port.ts` — imported by BOTH `playwright.config.ts` and
-`e2e/auth.setup.ts` (single source of truth). It reads the per-worktree
+`e2e/auth.setup.ts` (single source of truth). It reads the per-checkout, branch-keyed
 `.codebyplan/server.local.json` overlay first, then the committed `.codebyplan/server.json`.
 Match by label rather than array position — a monorepo can have several Next.js allocations
 with similar label prefixes.
 
 **Label-matching rules** (`findWebDevPort`):
 
-- `server.local.json` overlay: each label has the worktree name appended as the last
-  parenthetical group (e.g. `"Web Dev (<worktree-name>)"`). Strip exactly ONE trailing
+- `server.local.json` overlay: each label has a branch-keyed suffix appended as the last
+  parenthetical group (e.g. `"Web Dev (<branch-keyed-suffix>)"`). Strip exactly ONE trailing
   `" (…)"` group, then require the result `=== "Web Dev"`.
-  - `"Web Dev (<worktree-name>)"` → strip → `"Web Dev"` ✓
-  - `"Web Dev (<other-worktree>) (<worktree-name>)"` → strip → `"Web Dev (<other-worktree>)"` ✗
+  - `"Web Dev (<branch-keyed-suffix>)"` → strip → `"Web Dev"` ✓
+  - `"Web Dev (<other-suffix>) (<branch-keyed-suffix>)"` → strip → `"Web Dev (<other-suffix>)"` ✗
 - `server.json` committed base: require `label === "Web Dev"` exactly (do NOT strip —
-  `"Web Dev (<other-worktree>)"` must not match).
+  `"Web Dev (<other-suffix>)"` must not match).
 
 **Resolution order** (first hit wins):
 
@@ -108,7 +108,7 @@ import { resolveWebDevPort } from "./e2e/resolve-web-dev-port";
 // findWebDevPort, parsePortFromUrl, and resolveWebDevPort live in the shared
 // module ./e2e/resolve-web-dev-port.ts (imported above) — single source of
 // truth, also consumed by e2e/auth.setup.ts. Resolution order:
-//   0. PLAYWRIGHT_BASE_URL → 1. server.local.json → 2. server.json
+//   0. PLAYWRIGHT_BASE_URL → 1. server.local.json (branch-keyed overlay) → 2. server.json
 //   → 3. E2E_BASE_URL → 4. 3010.
 const port = resolveWebDevPort();
 
@@ -198,7 +198,7 @@ timing**: it loads creds from `.env.local` + `.codebyplan/e2e.env`, calls
 the project ref from `NEXT_PUBLIC_SUPABASE_URL`, and writes a `sb-<projectref>-auth-token`
 cookie (domain `localhost`) into `state.json` using the same `encodeAuthCookie` from
 `e2e/auth-cookie.ts` that global-setup consumes. This makes seeding deterministic in any
-worktree — run `pnpm e2e:auth-setup` (optionally `--port N`) when `state.json` is missing or
+checkout — run `pnpm e2e:auth-setup` (optionally `--port N`) when `state.json` is missing or
 its refresh token has expired. Do NOT reintroduce a browser-login flow (the `(auth)/login`
 page is a client component whose `onSubmit` only attaches after hydration — clicking submit
 pre-hydration falls through to a native GET and never authenticates).
@@ -261,8 +261,8 @@ any already-running process, so the dev-server readiness probe is the active gua
 path.
 
 **Port alignment**: parse `playwright.config.ts` `baseURL` port; compare to the resolved
-port from `.codebyplan/server.local.json` (worktree overlay, checked first) then
-`.codebyplan/server.json` (committed base). On mismatch ask which is correct, then propose
+port from `.codebyplan/server.local.json` (per-checkout branch-keyed overlay, checked first)
+then `.codebyplan/server.json` (committed base). On mismatch ask which is correct, then propose
 an Edit to align them.
 
 ## Quality Fixture (MANDATORY)

package/templates/hooks/cbp-mcp-round-sync.sh

@@ -20,13 +20,10 @@
 #   - Web-UI flag (app_file_approval_by_user) consumption + reset
 #   - Writes both PATCH /api/rounds/${ROUND_ID} and PATCH /api/tasks/${TASK_ID}
 #
-# Caller worktree identity:
-#   The CLI auto-resolves caller_worktree_id (override flag → cache →
-#   in-process tuple API) and hard-fails with exit 1 if it cannot resolve
-#   on the write path. This hook resolves the worktree id before invoking the
-#   CLI and passes it via --caller-worktree-id so the server can honor the
-#   feat-worktree lock. The hook itself stays non-fatal (exits 0) and surfaces
-#   the CLI's stderr output to the user.
+# Caller identity:
+#   Worktree-based caller injection was retired in CHK-225. The hook no longer
+#   resolves or threads any worktree id; user identity travels via the MCP JWT.
+#   The hook stays fail-open and exits 0.
 #
 # Flags:
 #   --dry-run  Pass through to CLI (prints merged payload, no API writes).
@@ -83,16 +80,8 @@ if [ -z "$TASK_ID" ]; then
   exit 0
 fi
 
-# Resolve worktree id before invoking the CLI so the server can honor the
-# feat-worktree lock. On miss (unregistered worktree) the CLI falls back to
-# its in-process resolve and hard-fails with guidance if still unresolved.
-WORKTREE_ID=$(npx codebyplan resolve-worktree 2>/dev/null)
-
 # Delegate to the codebyplan CLI (single source of truth for merge semantics)
 CMD_ARGS=("round" "sync-approvals" "--round-id" "$ROUND_ID" "--task-id" "$TASK_ID")
-if [ -n "$WORKTREE_ID" ]; then
-  CMD_ARGS+=("--caller-worktree-id" "$WORKTREE_ID")
-fi
 [ "$DRY_RUN" = "true" ] && CMD_ARGS+=("--dry-run")
 
 if npx codebyplan "${CMD_ARGS[@]}"; then

package/templates/hooks/cbp-test-hooks.sh

@@ -374,87 +374,6 @@ fi
 
 echo ""
 
-# ===== HOOK SMOKE TESTS — cbp-mcp-caller-worktree-inject =====
-echo "## Hook Smoke Tests — cbp-mcp-caller-worktree-inject (CHK-198)"
-
-INJECT_HOOK="$HOOKS_DIR/cbp-mcp-caller-worktree-inject.sh"
-# Absolute path — the fail-open test runs the hook from a temp cwd (to isolate it
-# from this repo's git context), where the relative "$HOOKS_DIR" no longer resolves.
-INJECT_HOOK_ABS="$(cd "$HOOKS_DIR" 2>/dev/null && pwd)/cbp-mcp-caller-worktree-inject.sh"
-
-if [ ! -f "$INJECT_HOOK" ]; then
-  test_result "cbp-mcp-caller-worktree-inject.sh present" "passed" "missing"
-else
-  test_result "cbp-mcp-caller-worktree-inject.sh present" "passed" "passed"
-
-  FIRST_LINE=$(head -1 "$INJECT_HOOK")
-  if echo "$FIRST_LINE" | grep -q '^#!/'; then
-    test_result "cbp-mcp-caller-worktree-inject.sh has shebang" "passed" "passed"
-  else
-    test_result "cbp-mcp-caller-worktree-inject.sh has shebang" "passed" "missing"
-  fi
-
-  if grep -q '@scope: org-shared' "$INJECT_HOOK"; then
-    test_result "cbp-mcp-caller-worktree-inject.sh has @scope: org-shared" "passed" "passed"
-  else
-    test_result "cbp-mcp-caller-worktree-inject.sh has @scope: org-shared" "passed" "missing"
-  fi
-
-  # Fail-open: run from a non-repo temp dir with no worktree cache and no
-  # CLAUDE_PROJECT_DIR — neither the cache nor the CLI fallback can resolve a
-  # worktree, so the hook must exit 0 with empty stdout (no updatedInput).
-  ISO=$(mktemp -d)
-  OUTPUT=$( (cd "$ISO" && env -u CLAUDE_PROJECT_DIR bash "$INJECT_HOOK_ABS" <<< '{"tool_input":{"task_id":"x"}}') 2>/dev/null )
-  EXIT_CODE=$?
-  if [ "$EXIT_CODE" = "0" ] && [ -z "$OUTPUT" ]; then
-    test_result "cbp-mcp-caller-worktree-inject.sh fail-open (unresolvable) exits 0 + empty stdout" "passed" "passed"
-  else
-    test_result "cbp-mcp-caller-worktree-inject.sh fail-open (unresolvable) exits 0 + empty stdout" "passed" "failed (exit=$EXIT_CODE)"
-  fi
-  rm -rf "$ISO"
-
-  # C6 — input already carries a non-empty caller_worktree_id → never overwrite;
-  # early-return with exit 0 and empty stdout (no resolution attempted).
-  OUTPUT=$(echo '{"tool_input":{"caller_worktree_id":"11111111-1111-1111-1111-111111111111"}}' | bash "$INJECT_HOOK" 2>/dev/null)
-  EXIT_CODE=$?
-  if [ "$EXIT_CODE" = "0" ] && [ -z "$OUTPUT" ]; then
-    test_result "cbp-mcp-caller-worktree-inject.sh C6 keeps existing caller_worktree_id (exit 0 + empty stdout)" "passed" "passed"
-  else
-    test_result "cbp-mcp-caller-worktree-inject.sh C6 keeps existing caller_worktree_id (exit 0 + empty stdout)" "passed" "failed (exit=$EXIT_CODE)"
-  fi
-
-  # Injection — a worktree.local.json whose .branch matches the current git branch
-  # makes the cache fast-path resolve. Use a synthetic UUID so the assertion proves
-  # the cache value (not the live CLI) was injected. Skipped when no concrete git
-  # branch resolves (detached HEAD / non-git checkout) or jq is unavailable.
-  CUR_BRANCH=$(git rev-parse --abbrev-ref HEAD 2>/dev/null)
-  if [ -n "$CUR_BRANCH" ] && [ "$CUR_BRANCH" != "HEAD" ] && command -v jq >/dev/null 2>&1; then
-    ISO=$(mktemp -d)
-    mkdir -p "$ISO/.codebyplan"
-    FAKE_WT="abcdef01-2345-6789-abcd-ef0123456789"
-    jq -n --arg b "$CUR_BRANCH" --arg w "$FAKE_WT" \
-      '{worktree_id:$w, branch:$b}' > "$ISO/.codebyplan/worktree.local.json"
-    OUTPUT=$(CLAUDE_PROJECT_DIR="$ISO" bash "$INJECT_HOOK" <<< '{"tool_input":{"task_id":"x"}}' 2>/dev/null)
-    EXIT_CODE=$?
-    INJECTED=$(echo "$OUTPUT" | jq -r '.hookSpecificOutput.updatedInput.caller_worktree_id // empty' 2>/dev/null)
-    # Sibling-key survival — CC's updatedInput REPLACES tool_input wholesale (it is
-    # not a partial merge), so the hook must echo back every original field merged
-    # with caller_worktree_id. Assert the non-target sibling key (task_id) survives;
-    # this is the assertion gap that let the replace-vs-merge bug ship in round 2.
-    PRESERVED=$(echo "$OUTPUT" | jq -r '.hookSpecificOutput.updatedInput.task_id // empty' 2>/dev/null)
-    if [ "$EXIT_CODE" = "0" ] && [ "$INJECTED" = "$FAKE_WT" ] && [ "$PRESERVED" = "x" ]; then
-      test_result "cbp-mcp-caller-worktree-inject.sh injects caller_worktree_id AND preserves sibling keys" "passed" "passed"
-    else
-      test_result "cbp-mcp-caller-worktree-inject.sh injects caller_worktree_id AND preserves sibling keys" "passed" "failed (exit=$EXIT_CODE injected=$INJECTED preserved=$PRESERVED)"
-    fi
-    rm -rf "$ISO"
-  else
-    test_result "cbp-mcp-caller-worktree-inject.sh injection test (no branch resolvable — skipped)" "passed" "passed"
-  fi
-fi
-
-echo ""
-
 # ===== HOOK SMOKE TESTS — cbp-session-start-hook =====
 echo "## Hook Smoke Tests — cbp-session-start-hook (CHK-178)"
 

package/templates/hooks/hooks.json

@@ -69,15 +69,6 @@
             "command": "bash ${CLAUDE_PLUGIN_ROOT}/hooks/cbp-mcp-migration-guard.sh"
           }
         ]
-      },
-      {
-        "matcher": "mcp__codebyplan__(update_checkpoint|complete_checkpoint|update_task|complete_task|add_round|update_round|complete_round|create_standalone_task|update_standalone_task|complete_standalone_task|add_standalone_round|update_standalone_round|complete_standalone_round|update_standalone_file_change)",
-        "hooks": [
-          {
-            "type": "command",
-            "command": "bash ${CLAUDE_PLUGIN_ROOT}/hooks/cbp-mcp-caller-worktree-inject.sh"
-          }
-        ]
       }
     ],
     "PostToolUse": [

package/templates/rules/cbp-operating-gotchas.md

@@ -25,11 +25,13 @@ SHARED tooling behavior only — repo-specific gotchas belong in that repo's own
   clobbers existing `decisions` / `discoveries` / `check_results`. Always read the current row,
   merge your change into the full object/array, then write the whole thing back.
 
-- **`resolve-worktree` empty output = a NULL `(device, path, branch)` tuple, not a broken
-  resolver.** When identity is unresolved the server can collapse the caller to the repo's main
-  worktree, so feat-locked writes get rejected. Pass `caller_worktree_id` on every MCP mutation,
-  and confirm ownership by matching the row's repo path + branch to the current directory before
-  mutating.
+- **User-level locks are invisible until a mutation they block.** `get_checkpoints` /
+  `get_tasks` succeed even when another user holds the assignment; the 403 fires only on
+  `update_*` / `complete_*`. The lock keys on the JWT user (`ctx.userId`) vs the row's
+  `assigned_user_id` (null = open). `caller_worktree_id` / `worktree_id` params are
+  accepted-and-ignored — do not thread them. Verify `assigned_user_id` matches
+  `npx codebyplan whoami` before mutating; recover a stale assignment with
+  `release_assignment` (maintainer).
 
 - **Full-repo lint/type baselines are often pre-existing red.** A round must gate on the files
   it changed, not the whole-repo baseline — scope lint/tsc checks to the round's changed set so a
@@ -40,14 +42,10 @@ SHARED tooling behavior only — repo-specific gotchas belong in that repo's own
   `update_task` alone — updating only the task leaves the round entries unapproved and
   `complete_task` rejects with "files are not approved".
 
-- **CLI transport uses REST (reads) and OAuth+MCP (writes) — a 502 from `codebyplan round sync-approvals` is transient MCP churn, not an outage.** The CLI exits 0 with a warning and MCP tools still work. A missing `CODEBYPLAN_API_KEY` surfaces as an `ApiError`, not a 502. `sync-approvals` can also drag untracked per-device dirs into `files_changed` — run it from the repo root or pass `--caller-worktree-id`.
+- **CLI transport uses REST (reads) and OAuth+MCP (writes) — a 502 from `codebyplan round sync-approvals` is transient MCP churn, not an outage.** The CLI exits 0 with a warning and MCP tools still work. A missing `CODEBYPLAN_API_KEY` surfaces as an `ApiError`, not a 502. `sync-approvals` can also drag untracked per-device dirs into `files_changed` — run it from the repo root.
 
 - **`codebyplan claude update` requires a TTY.** On non-TTY stdin (CI, piped) it half-applies then errors. Re-run with `--yes` to accept defaults non-interactively.
 
-- **Checkpoint locks are invisible until a mutation they block.** `get_checkpoints` / `get_tasks` succeed even when another worktree holds the lock; the 403 fires only on `update_*` / `complete_*`. Verify the row's `worktree_id` matches the caller before mutating. A null-`worktree_id` checkpoint can still be actively shipped by whichever worktree physically holds its feat branch — check `git worktree list` first.
-
-- **`update_task` accepts `caller_worktree_id` for lock-verify only — it does NOT assign ownership.** Ownership assignment goes through the web UI or the dedicated assignment path. Don't conflate `caller_worktree_id` with `assigned_worktree_id`.
-
 - **Re-run config-driven gates after merging main into a feat branch.** A merge can add or change `.codebyplan/shipment.json`, ports, branch config, `e2e.json`, and `eslint.json` — treat the post-merge state as a fresh baseline before continuing.
 
 ## Behavioral Preferences

package/templates/rules/supabase-branch-lifecycle.md

@@ -47,7 +47,7 @@ The Supabase branch is removed wherever the git branch is deleted:
 | Skill | Trigger |
 |---|---|
 | `cbp-checkpoint-end` | stale-branch cleanup + current feat-branch delete on ship |
-| `codebyplan worktree remove CHK-NNN` | worktree teardown removes the coupled Supabase branch |
+| `codebyplan worktree remove <path>` | git-worktree teardown removes the coupled Supabase branch (branch-keyed, not identity-keyed) |
 | `cbp-ship-main` | `branch_deleted` event after PR merge |
 | `cbp-standalone-task-complete` | `branch_deleted` event after standalone PR merge (Step 7.3) |
 
@@ -93,7 +93,7 @@ or auto-created by the GitHub integration — both paths use the same branch nam
 | Role | Skill |
 |---|---|
 | Create (lazy) | `cbp-supabase-migrate` (Step 2.3) |
-| Delete | `cbp-checkpoint-end`, `cbp-standalone-task-complete`, `codebyplan worktree remove`, `cbp-ship-main` |
+| Delete | `cbp-checkpoint-end`, `cbp-standalone-task-complete`, `codebyplan worktree remove <path>`, `cbp-ship-main` |
 | PR gate | `cbp-supabase-branch-check` |
 
 Each skill in the Skill Map above carries an inline back-reference to this rule at its create or teardown step.

package/templates/rules/todo-backend.md

@@ -12,16 +12,16 @@ The todos queue is materialised by `apps/todo-worker` (CHK-122) and consumed by
 
 ## 1. Six workflow invariants — DB-layer guards, never bypassable
 
-Defined in `supabase/migrations/20260511211900_chk111_workflow_invariants.sql`. These are `BEFORE UPDATE` triggers — they refuse invalid state transitions and produce structured `RAISE EXCEPTION` errors with `HINT` pointing at the offending row. **Do NOT port these to TS.** The DB layer is the bypass-proof contract.
+Defined in `supabase/migrations/20260511211900_chk111_workflow_invariants.sql` (updated by `supabase/migrations/20260612000000_chk225_task1_user_locks.sql`). These are `BEFORE UPDATE` triggers — they refuse invalid state transitions and produce structured `RAISE EXCEPTION` errors with `HINT` pointing at the offending row. **Do NOT port these to TS.** The DB layer is the bypass-proof contract.
 
 | # | Trigger | What it enforces |
 |---|---------|------------------|
-| 1 | `trg_enforce_checkpoint_activation_worktree` | A checkpoint cannot be activated without `worktree_id` set |
-| 2 | `enforce_standalone_task_worktree` (via task workflow) | A standalone task cannot be moved to `in_progress` without `assigned_worktree_id` |
+| 1 | `trg_enforce_checkpoint_activation_worktree` | A checkpoint cannot be activated without `assigned_user_id` set (CHK-225: was `worktree_id`) |
+| 2 | `trg_enforce_standalone_task_workflow_invariants` | A standalone task cannot be moved to `in_progress` without `assigned_user_id` (CHK-225: was `assigned_worktree_id`) |
 | 3 | `trg_enforce_task_workflow_invariants` | ≤ 1 `in_progress` task per checkpoint |
 | 4 | `trg_enforce_single_in_progress_round_per_task` | ≤ 1 `in_progress` round per task |
-| 5 | `trg_enforce_single_active_scope_per_worktree` | ≤ 1 active (checkpoint OR standalone task) per worktree |
-| 6 | `trg_enforce_standalone_task_scope_per_worktree` | ≤ 1 `in_progress` standalone task per worktree |
+| 5 | `trg_enforce_single_active_scope_per_worktree` | ≤ 1 active (checkpoint OR standalone task) per `assigned_user_id` (CHK-225: was per `worktree_id`) |
+| 6 | `trg_enforce_standalone_task_scope_per_worktree` | ≤ 1 `in_progress` standalone task per `assigned_user_id` (CHK-225: was per `assigned_worktree_id`) |
 
 The worker is a passive cross-checker (`apps/todo-worker/src/invariants/check.ts`) — if its check disagrees with the DB, the DB wins.
 
@@ -34,7 +34,7 @@ MCP write → enqueueTodosJob → todos_jobs (status='pending')
                                   ↓
             worker claim_todos_job (SELECT … FOR UPDATE SKIP LOCKED)
                                   ↓
-              computeTodos(repo, worktree, user) → desired rows
+              computeTodos(repo, user) → desired rows
                                   ↓
             apply_todos RPC → todos table (status='current' / 'pending')
                                   ↓
@@ -71,7 +71,7 @@ The queue head (`get_todos` `rows[0]`) maps to one of these slash commands. The
 
 ## 5. Heartbeat policy
 
-The worker's `node-cron` heartbeat runs at `0 0 * * *` (UTC midnight). It enumerates every `(repo, worktree, user)` tuple with an active checkpoint OR in-progress standalone task and enqueues a `HEARTBEAT_SWEEP` todos_jobs row for each. This catches drift from missed `enqueueTodosJob` calls in MCP writers.
+The worker's `node-cron` heartbeat runs at `0 0 * * *` (UTC midnight). It enumerates every `(repo, user)` pair with an active checkpoint OR in-progress standalone task (via `assigned_user_id`) and enqueues a `HEARTBEAT_SWEEP` todos_jobs row for each. This catches drift from missed `enqueueTodosJob` calls in MCP writers.
 
 Backoff: a failed job retries at `now + 2^attempts minutes` (cap 60min). After 3 attempts, the job stays `failed` and the heartbeat picks it up again at the next sweep.
 
@@ -83,7 +83,6 @@ The shared enqueue helper lives at `packages/mcp-tools/src/tools/enqueue-todos.t
 enqueueTodosJob(
   client: SupabaseClient,
   repoId: string,
-  callerWorktreeId: string | undefined,
   userId: string | null,
   reason: string
 ): Promise<void>
@@ -108,6 +107,8 @@ Every workflow mutator MUST call `void enqueueTodosJob(...)` after the mutation
 
 CHK-111 shipped the original todos queue as Postgres triggers + a 583-LOC `regenerate_todos_for_repo` PL/pgSQL function. CHK-122 ported the regen to `apps/todo-worker` (Node) for shared infrastructure with `apps/docs-ingest` (CHK-116), easier testing, and per-user fanout. The 10 `trg_*_todos` triggers and the 4 `wrap_*` wrappers were dropped in migration `20260521000000_chk122_drop_legacy_todos_regen.sql`. The 6 BEFORE-UPDATE invariant triggers stayed.
 
+CHK-225 updated the invariant triggers from worktree-scoped to user-scoped (`assigned_user_id`). The trigger names were preserved for continuity; only the function bodies changed. Migration: `20260612000000_chk225_task1_user_locks.sql`.
+
 ## 8. Deployment — Railway
 
 `apps/todo-worker` runs as a Railway service alongside `apps/backend`. Setup:
@@ -119,3 +120,5 @@ CHK-111 shipped the original todos queue as Postgres triggers + a 583-LOC `regen
 5. Save the resulting `project_ref` to `.codebyplan.json` `shipment.surfaces.railway-todo-worker.project_ref`.
 
 Smoke after deploy: run `/cbp-finalize` in any worktree → tail Railway logs → expect a `claim → apply` cycle within `WORKER_POLL_MS`.
+
+**CHK-225 deploy note**: apply migration `20260612100000` (drops `worktree_id` from `todos` + `todos_jobs`, dedup todos rows, updates `apply_todos` RPC) BEFORE running `railway up` for the worker. Until the migration lands, the worker's 3-arg `apply_todos` call fails with a function-not-found error.

package/templates/settings.project.base.json

@@ -66,7 +66,6 @@
       "mcp__codebyplan__create_project",
       "mcp__codebyplan__create_repo",
       "mcp__codebyplan__delete_session_log",
-      "mcp__codebyplan__delete_worktree",
       "mcp__codebyplan__release_assignment",
       "mcp__stripe__create_customer",
       "mcp__stripe__create_product",
@@ -161,7 +160,6 @@
       "mcp__codebyplan__get_task_templates",
       "mcp__codebyplan__get_tasks",
       "mcp__codebyplan__get_todos",
-      "mcp__codebyplan__get_worktrees",
       "mcp__codebyplan__list_tech_stack_sync_sessions",
       "mcp__codebyplan__get_chunk",
       "mcp__codebyplan__get_library_toc",
@@ -183,7 +181,6 @@
       "mcp__codebyplan__create_session_log",
       "mcp__codebyplan__update_session_log",
       "mcp__codebyplan__update_session_state",
-      "mcp__codebyplan__create_worktree",
       "mcp__codebyplan__flag_stale_chunk",
       "mcp__codebyplan__update_eslint_repo_config",
       "mcp__codebyplan__update_server_config",
@@ -196,8 +193,6 @@
       "Bash(npx codebyplan supabase:*)",
       "Bash(codebyplan whoami:*)",
       "Bash(npx codebyplan whoami:*)",
-      "Bash(codebyplan resolve-worktree:*)",
-      "Bash(npx codebyplan resolve-worktree:*)",
       "Bash(codebyplan version-status:*)",
       "Bash(npx codebyplan version-status:*)",
       "Bash(codebyplan worktree:*)",

package/templates/skills/cbp-build-cc-settings/reference/cbp-permission-policy.md

@@ -25,7 +25,7 @@ Precedence is `deny > ask > allow`; arrays union across scopes (managed/user/pro
 - **Non-lifecycle, non-shipment `/cbp-*` skills** — authoring (`cbp-build-cc-*`), frontend (`cbp-frontend-*`), git (`cbp-git-*`, `cbp-merge-main`, `cbp-refresh-infra`), round work (`cbp-round-plan`, `cbp-verify` — `cbp-verify` is the autonomous verify stage that runs deterministic gates, proves execution, spawns the fresh-context reviewer, and routes to `cbp-round-complete` or `cbp-round-plan`, so it runs without a prompt), setup/configure (`cbp-setup-*`, `cbp-ship-configure`, `cbp-supabase-*`), task prep (`cbp-task-create`/`-start`, `cbp-standalone-task-check`/`-testing`), planning (`cbp-checkpoint-plan`/`-update`), plus `cbp-session-start` and `cbp-todo`. Invoking a skill is the intended mode of operation; the gated side effects happen inside via the Bash/MCP tools the skill calls, which carry their own tiering. The lifecycle/state-transition and plan-approval skills are the exception — they live in `ask` (next section).
 - **All `mcp__codebyplan__*` reads** (`get_*`, `list_*`, `search_*`, `health_check`, `lookup_symbol`, `resolve_library_id`, `get_chunk`).
 - **Routine workflow-write MCP tools** the pipeline calls many times per task: create/update/complete checkpoint, task, and round; session log + session-state writes; `create_worktree`, `add_library`, `flag_stale_chunk`, `update_server_config`, `update_eslint_repo_config`, `update_task_template`. Gating these with `ask` would make the autonomous workflow unusable.
-- **Read/safe CLI commands** (both `codebyplan X` and `npx codebyplan X`): `whoami`, `resolve-worktree`, `statusline`, `ports`, `tech-stack`, `eslint`, `round`, `help`, `--version`.
+- **Read/safe CLI commands** (both `codebyplan X` and `npx codebyplan X`): `whoami`, `statusline`, `ports`, `tech-stack`, `eslint`, `round`, `help`, `--version`.
 
 ### `ask` — the deliberate confirm-gate
 

package/templates/skills/cbp-checkpoint-create/SKILL.md

@@ -60,35 +60,25 @@ Skip when the description has zero domain matches OR the user already named a ta
 
 Lightweight inference from the description — no deep analysis. **Title**: concise, ≤80 chars. **Goal**: ≤300 chars, a faithful restatement of intent (not a plan).
 
-### Step 6: Claim-or-Open Prompt
-
-Ask the user via AskUserQuestion whether to claim this checkpoint now:
-
-- **Claim for me + this worktree** (default) — resolve `npx codebyplan resolve-worktree 2>/dev/null` and set it as the checkpoint `worktree_id` at create. The creator carries momentum straight through plan → start.
-- **Leave it open** — create with `worktree_id` null so anyone free can claim it later via `/cbp-checkpoint-start`.
-
-Record the choice; it drives both the create call (Step 7) and the plan→start routing in `/cbp-checkpoint-plan`.
-
-### Step 7: Create Checkpoint Row
+### Step 6: Create Checkpoint Row
 
 `codebyplan checkpoint create` (CLI write-through: writes `.codebyplan/state/checkpoints/<id>.json` + REST). Pass flags:
 - `--repo-id` (from `.codebyplan/repo.json`), `--title`, `--goal`, `--deadline`, `--status pending`
 - `--ideas` JSON `[{ description: <raw user text> }]`
-- `--worktree-id` the resolved worktree **only if the user chose "claim"**; omit when "leave open"
 
-Do **not** pass `--number` — the database auto-assigns the next per-repo checkpoint number via a `BEFORE INSERT` trigger (advisory-locked `MAX(number)+1` scoped to `repo_id`). The DB-assigned number comes back on the created row (and is written into `.codebyplan/state/checkpoints/<id>.json`); read it for the branch slug (Step 8) and the result display (Step 9).
+Do **not** pass `--number` — the database auto-assigns the next per-repo checkpoint number via a `BEFORE INSERT` trigger (advisory-locked `MAX(number)+1` scoped to `repo_id`). The DB-assigned number comes back on the created row (and is written into `.codebyplan/state/checkpoints/<id>.json`); read it for the branch slug (Step 7) and the result display (Step 8).
 
 Break-glass fallback: MCP `create_checkpoint` (also omit `number`) when the CLI is unavailable.
 
-This is the first identity-stamping point — when claiming, passing `worktree_id` here engages the CHK-104 hard-lock from birth. No `context`, `research`, `plan`, or tasks are written here.
+Assignment (`assigned_user_id`) is stamped server-side from the caller's JWT when the checkpoint is activated via `/cbp-checkpoint-start` — it is not set at create time. No `context`, `research`, `plan`, or tasks are written here.
 
-### Step 8: Create + Switch to Feat Branch
+### Step 7: Create + Switch to Feat Branch
 
-`{NNN}` below is the DB-assigned checkpoint number read back from the Step 7 `codebyplan checkpoint create` response.
+`{NNN}` below is the DB-assigned checkpoint number read back from the Step 6 `codebyplan checkpoint create` response.
 
 Read `.codebyplan/git.json` `branch_config.production` (default `"main"`) as `BASE`. codebyplan repos are main-only — never create or branch from a `development`/integration branch.
 
-**8.1 — Reuse the cloud-created branch when present.** When the repo is GitHub-connected, the CHK-207 `create-feat-branch` Edge Function fires on the Step 7 row INSERT, creates `feat/CHK-{NNN}-<slug>` on origin, and writes `branch_name` back to the checkpoint row. Creating a second, differently-slugged branch here orphans the cloud one — so re-read the row first:
+**7.1 — Reuse the cloud-created branch when present.** When the repo is GitHub-connected, the CHK-207 `create-feat-branch` Edge Function fires on the Step 6 row INSERT, creates `feat/CHK-{NNN}-<slug>` on origin, and writes `branch_name` back to the checkpoint row. Creating a second, differently-slugged branch here orphans the cloud one — so re-read the row first:
 
 ```bash
 sleep 5  # give the INSERT webhook a moment to write branch_name back
@@ -96,14 +86,14 @@ npx codebyplan sync 2>/dev/null || true
 BRANCH=$(jq -r '.branch_name // empty' ".codebyplan/state/checkpoints/{checkpoint-id}.json" 2>/dev/null)
 ```
 
-(Break-glass: MCP `get_checkpoints` and read the row's `branch_name`.) If `BRANCH` is non-empty, check out the existing remote branch and skip 8.2 entirely — do NOT push (it already exists on origin) and do NOT persist `--branch-name` (the Edge Function already recorded it):
+(Break-glass: MCP `get_checkpoints` and read the row's `branch_name`.) If `BRANCH` is non-empty, check out the existing remote branch and skip 7.2 entirely — do NOT push (it already exists on origin) and do NOT persist `--branch-name` (the Edge Function already recorded it):
 
 ```bash
 git fetch origin "$BRANCH"
 git checkout -b "$BRANCH" --track "origin/$BRANCH"
 ```
 
-**8.2 — Fallback: create the branch locally.** Only when `BRANCH` is empty (repo not GitHub-connected, or the webhook hasn't landed). Compute the slug deterministically:
+**7.2 — Fallback: create the branch locally.** Only when `BRANCH` is empty (repo not GitHub-connected, or the webhook hasn't landed). Compute the slug deterministically:
 
 ```bash
 SLUG=$(codebyplan slug "{checkpoint title}")
@@ -122,13 +112,13 @@ Persist the branch via `codebyplan checkpoint update --id <checkpoint-id> --bran
 
 **Note — Supabase preview branch**: no Supabase branch is created here. Creation is lazy — it happens on the first DB change when `/cbp-supabase-migrate` runs on this feat branch, which provisions a Supabase branch named identically to the git branch. See `cbp-supabase-migrate` Step 2.3 for the creation protocol.
 
-### Step 9: Show Result + Auto-Trigger Plan
+### Step 8: Show Result + Auto-Trigger Plan
 
 ```
 ## Checkpoint Created
 
 **CHK-NNN**: [title]  •  **Deadline**: [date]  •  **Branch**: feat/CHK-NNN-slug
-**Claim**: [claimed by this worktree / left open]
+**Assignment**: stamped on activation via /cbp-checkpoint-start
 **Worktree**: `npx codebyplan worktree add CHK-{NNN}`
 
 Now planning CHK-NNN… handing off to /cbp-checkpoint-plan.
@@ -139,6 +129,6 @@ Auto-trigger `/cbp-checkpoint-plan {NNN}` in the same context. This skill create
 ## Integration
 
 - **Runs inline**: mechanical setup only — no assessment, research, Q&A, plan, or tasks
-- **Reads**: `.codebyplan/state/checkpoints/*.json` (local-first; `npx codebyplan sync` if stale; MCP `get_checkpoints` break-glass); `.codebyplan/repo.json`, `.codebyplan/git.json`; `npx codebyplan resolve-worktree`
-- **Writes**: `codebyplan checkpoint create` (description-only ideas + deadline + optional worktree_id), `codebyplan checkpoint update --branch-name` (break-glass: MCP `create_checkpoint` / `update_checkpoint`)
+- **Reads**: `.codebyplan/state/checkpoints/*.json` (local-first; `npx codebyplan sync` if stale; MCP `get_checkpoints` break-glass); `.codebyplan/repo.json`, `.codebyplan/git.json`
+- **Writes**: `codebyplan checkpoint create` (description-only ideas + deadline), `codebyplan checkpoint update --branch-name` (break-glass: MCP `create_checkpoint` / `update_checkpoint`)
 - **Triggers**: `/cbp-checkpoint-plan` (auto)

package/templates/skills/cbp-checkpoint-end/SKILL.md

@@ -265,6 +265,41 @@ After the feat branch git delete, run the same conditional Supabase teardown for
   - If not found: no-op silently — idempotent, not-found is success.
   - If the `list_branches` call itself fails (network, auth, or a non-success response — distinct from a successful lookup that returns no match): emit a non-blocking warning that the Supabase preview branch for `$FEAT_BRANCH` may still exist and should be verified in the dashboard. Do not treat an API failure as a not-found success.
 
+### Step 9.5: Physical Git-Worktree Cleanup
+
+After the feat branch has been git-deleted (Step 9), check whether a git worktree is still
+checked out to that now-deleted branch and clean it up if safe.
+
+```bash
+git worktree list --porcelain
+```
+
+Scan the output for any `worktree` entry whose `branch` field matches `refs/heads/$FEAT_BRANCH`
+(i.e. the feat branch just deleted in Step 9). For each matching worktree path:
+
+**Case A — the current session is NOT inside that worktree path:**
+
+```bash
+codebyplan worktree remove <path>
+git worktree prune
+```
+
+Record the removed path in `WORKTREES_REMOVED[]`. If `codebyplan worktree remove` exits
+non-zero, emit a non-blocking warning and continue — a failed removal does not halt shipment.
+
+**Case B — the current session IS inside that worktree path (i.e. `$PWD` starts with
+`<path>`):**
+
+Do NOT self-remove. Surface a single directive (no A/B/C menu):
+
+> "This session is inside the worktree at `<path>`. After switching to your main checkout,
+> run `codebyplan worktree remove <path>` to clean it up."
+
+Record the path in `WORKTREES_REMOVED[]` as `{ path, status: 'pending_manual_cleanup' }`.
+
+If `git worktree list --porcelain` finds no worktree checked out to the deleted feat branch,
+skip this step silently — `WORKTREES_REMOVED` stays empty.
+
 ### Step 10: Save Shipment Results and Summary
 
 Update checkpoint context via `codebyplan checkpoint update <id> --context '{"shipment": {...}}'` (CLI write-through); use MCP `update_checkpoint` as documented break-glass when the CLI is unavailable. The `shipment` block contains both branch promotion AND runtime surface results (from `/cbp-ship` Step 7):
@@ -280,6 +315,7 @@ context.shipment: {
   stale_branches_cleaned: [list of deleted git branches],
   feat_branch_deleted: true/false,
   supabase_branches_deleted: [list of Supabase preview branch names removed in Steps 8–9],
+  worktrees_removed: WORKTREES_REMOVED,      // from Step 9.5 — paths removed or pending manual cleanup
   e2e_images_uploaded: E2E_IMAGES_UPLOADED   // from Step 7.5 — { count, stored_paths, skipped, error? } (CHK-171)
 }
 ```
@@ -310,6 +346,7 @@ Present summary:
 - Stale branches deleted: [N] ([list])
 - Feat branch: [deleted/kept]
 - Supabase preview branches deleted: [N] ([list from supabase_branches_deleted], or "none")
+- Git worktrees cleaned: [N] ([paths from worktrees_removed], or "none")
 
 ### Before/After Branch State
 - Before: [list of feat/* branches]

package/templates/skills/cbp-checkpoint-plan/SKILL.md

@@ -8,7 +8,7 @@ effort: xhigh
 
 # Checkpoint Plan Command
 
-Runs INLINE (no subagent) — all analysis and Q&A stay in the main session. This is the rigour stage that prevents half-baked plans: it discovers shortcomings, decides whether existing dependencies suffice or a new one is warranted, compares competing approaches, and only THEN creates tasks. It produces `plan.steps[]` + tasks but **never activates the checkpoint and never claims a user/worktree** — that is `/cbp-checkpoint-start`.
+Runs INLINE (no subagent) — all analysis and Q&A stay in the main session. This is the rigour stage that prevents half-baked plans: it discovers shortcomings, decides whether existing dependencies suffice or a new one is warranted, compares competing approaches, and only THEN creates tasks. It produces `plan.steps[]` + tasks but **never activates the checkpoint and never claims a user** — that is `/cbp-checkpoint-start`.
 
 ## Pipeline
 
@@ -37,7 +37,7 @@ Malformed (non-numeric, contains `-`): surface `checkpoint-plan: invalid argumen
 2. Read task files under `.codebyplan/state/checkpoints/<id>/tasks/*.json` (fallback: MCP `get_tasks(checkpoint_id)`) — load existing tasks. This sets the mode:
    - **fresh** — zero tasks: full plan + create all tasks.
    - **additive re-plan** — tasks exist: gap-analyse against them; only ADD new tasks or refine requirements for gaps. NEVER delete or overwrite an in-flight task.
-3. Note whether `worktree_id` is set (claimed at create) — drives routing in Step 11.
+3. Note whether `assigned_user_id` is set (claimed at activation) — drives routing in Step 11.
 
 ### Step 2: Assess Ideas + Codebase
 
@@ -134,16 +134,18 @@ Final write of the complete `checkpoint.context` JSONB via `codebyplan checkpoin
 ...
 ```
 
-This skill does **NOT** activate the checkpoint and does **NOT** claim a user/worktree.
+This skill does **NOT** activate the checkpoint and does **NOT** claim a user.
 
-- **Claimed by THIS session** — `worktree_id` is set AND equals `npx codebyplan resolve-worktree 2>/dev/null`: auto-trigger `/cbp-checkpoint-start` in the same context (the creator carries momentum into activation).
-- **Otherwise** — `worktree_id` is null, set to a different worktree, or `resolve-worktree` is empty: surface a single directive — `Next: /cbp-checkpoint-start` — so the owning session (or anyone free, if open) claims and starts it. Never auto-activate a checkpoint owned by a different worktree.
+Resolve the current user: `npx codebyplan whoami --json` → `user_id`.
+
+- **Open or yours** — `whoami` returns a `user_id` AND `assigned_user_id` is either null (unclaimed) or equals caller `user_id`: auto-trigger `/cbp-checkpoint-start` in the same context. `assigned_user_id` is stamped on activation, so a freshly-created checkpoint (null) is claimed by `/cbp-checkpoint-start` itself — the creator carries momentum into activation.
+- **Owned by another, or no identity** — `assigned_user_id` is non-null and differs from caller `user_id`, or `whoami` returns no `user_id`: surface a single directive — `Next: /cbp-checkpoint-start` — so the owning session (or anyone free, if open) claims and starts it. Never auto-activate a checkpoint owned by a different user.
 
 ## Integration
 
-- **Reads**: `.codebyplan/state/checkpoints/<id>.json`, `checkpoints/<id>/tasks/*.json`, `session/current.json` (local-first; `npx codebyplan sync` if stale; break-glass: MCP `get_current_task`, `get_checkpoints`, `get_tasks`)
+- **Reads**: `.codebyplan/state/checkpoints/<id>.json`, `checkpoints/<id>/tasks/*.json`, `session/current.json` (local-first; `npx codebyplan sync` if stale; break-glass: MCP `get_current_task`, `get_checkpoints`, `get_tasks`); `npx codebyplan whoami --json`
 - **Writes**: `codebyplan checkpoint update` (ideas assessment, context, plan, research), `codebyplan task create` (break-glass: MCP `update_checkpoint`, `create_task`)
 - **Spawns**: `cbp-research` (level 2+ only), config-matched `cbp-e2e-*` specialist (opt-in discovery probe, `whole_checkpoint_mode` — see `context/testing/e2e.md` dispatch contract)
 - **Triggered by**: `/cbp-checkpoint-create` (auto), or user directly
-- **Triggers**: `/cbp-checkpoint-start` (auto when claimed at create; directive when left open)
-- **Never**: activates the checkpoint or claims a user/worktree — that is `/cbp-checkpoint-start`
+- **Triggers**: `/cbp-checkpoint-start` (auto when open/unclaimed or assigned to the current user; directive when owned by another or no identity)
+- **Never**: activates the checkpoint or claims a user — that is `/cbp-checkpoint-start`