codebyplan 1.13.62 → 1.13.63

package/templates/skills/cbp-task-start/SKILL.md

@@ -157,21 +157,21 @@ Skip this step if the task title and requirements contain no CVE ID (`CVE-YYYY-N
 
 See `dependency-vulnerability-fixes.md` "Audit Sweep at Task Start" for the source rule.
 
-### Step 3.5: Worktree-Match Verification
+### Step 3.5: User-Match Verification
 
-Before activating the task, verify the caller's worktree matches the assigned worktree on the target row. (Per CHK-104 — DB-level hard-lock prevents cross-worktree mutations.)
+Before activating the task, verify the current user is allowed to claim/edit the checkpoint row.
 
-1. Read caller worktree: `CALLER_WT=$(npx codebyplan resolve-worktree 2>/dev/null)`.
-2. Determine target worktree:
-   - **Checkpoint-bound tasks**: `TARGET_WT = checkpoint.worktree_id` (read from the local checkpoint file already loaded in Step 2). Note: checkpoint-bound tasks may have a NULL `task.assigned_worktree_id` because the lock lives on the parent checkpoint — fall through to `checkpoint.worktree_id`.
-3. If `TARGET_WT IS NOT NULL AND TARGET_WT != CALLER_WT`, surface this error and abort:
+1. Resolve the current user: `CURRENT_USER=$(npx codebyplan whoami --json 2>/dev/null)` → parse `user_id` and `email` from the JSON. If the command fails or returns null/empty, `CURRENT_USER_ID` is null (anonymous session).
+2. Determine the target owner:
+   - **Checkpoint-bound tasks**: `TARGET_USER = checkpoint.assigned_user_id` (read from the local checkpoint file already loaded in Step 2). Note: checkpoint-bound tasks may have a null `task.assigned_user_id`; the lock lives on the parent checkpoint — fall through to `checkpoint.assigned_user_id`.
+3. If `TARGET_USER IS NOT NULL AND TARGET_USER != CURRENT_USER_ID`, surface this error and abort:
 
    ```
-   TASK-N is assigned to worktree {TARGET_WT_NAME} ({TARGET_WT}); current worktree is {CALLER_WT_NAME} ({CALLER_WT}).
-   Use the release_assignment MCP tool (requires maintainer role) if {TARGET_WT_NAME} is dead, then re-run /cbp-task-start.
+   TASK-N is assigned to user {TARGET_EMAIL} ({TARGET_USER}); you are logged in as {CURRENT_EMAIL} ({CURRENT_USER_ID}).
+   Use the release_assignment MCP tool (requires maintainer role) if that user is no longer active, then re-run /cbp-task-start.
    ```
 
-4. If `TARGET_WT IS NULL` or matches, proceed.
+4. If `TARGET_USER IS NULL` or matches `CURRENT_USER_ID`, proceed.
 
 ### Step 3.6: Main-Drift Check (optional)
 
@@ -218,7 +218,7 @@ Display context summary:
 
 ### Step 5: Set Task Status
 
-`codebyplan task update --id <taskId> --checkpoint-id <checkpointId> --status in_progress` (CLI write-through: local state file + REST). If a worktree_id is present, also pass `--claim-worktree-id <worktreeId>` to auto-claim the checkpoint (the CLI passes all flags as snake-case PATCH fields). Break-glass fallback: MCP `update_task(task_id, status: "in_progress", claim_worktree_id: ..., caller_worktree_id: ...)` when the CLI is unavailable — note `caller_worktree_id` is auto-injected by the `cbp-mcp-caller-worktree-inject.sh` PreToolUse hook only on the MCP path.
+`codebyplan task update --id <taskId> --checkpoint-id <checkpointId> --status in_progress` (CLI write-through: local state file + REST). The server keys on the JWT user for authz — no worktree or claim params are needed or accepted. Break-glass fallback: MCP `update_task(task_id, status: "in_progress")` when the CLI is unavailable — all worktree-identity params are deprecated and silently ignored server-side; omit them.
 
 ### Step 6: Auto-trigger Round Start
 

package/templates/skills/cbp-todo/SKILL.md

@@ -7,27 +7,13 @@ effort: medium
 
 # Todo Command
 
-Single entry point after `/clear`: read the pure-read todo queue, gate on worktree ownership + checkpoint planning, load context, then trigger the next command. It ensures Claude always has full context — and never auto-routes into work locked to another worktree — before any command runs.
+Single entry point after `/clear`: read the pure-read todo queue, gate on user ownership + checkpoint planning, load context, then trigger the next command. It ensures Claude always has full context — and never auto-routes into work locked to another user — before any command runs.
 
 ## Instructions
 
-### Step 0: Resolve Caller Identity (worktree + user)
+### Step 0: Resolve Caller Identity (user)
 
-Before any MCP call, resolve who and where the caller is.
-
-**Worktree** — derive the caller `worktree_id` and any distress signal in one structured read:
-
-```bash
-npx codebyplan resolve-worktree --json   # → {"worktree_id":"<uuid>|null","error_kind":null|"<kind>"}
-```
-
-- `error_kind` is `null` or `"tuple_miss"` → healthy. `WORKTREE_ID` = `worktree_id` (may be `null`: a legitimate main-repo or unregistered-worktree case — proceed to read the queue, but downstream hard-locks reject mutations on assigned rows).
-- `error_kind` is `local_config_read_failed`, `local_config_write_failed`, `legacy_file_blocks_dir`, `api_failed`, `git_failed`, or `unhandled` → **broken local state**. Surface the distress line and STOP (skip Steps 1–4) — routing is unreliable when the resolver cannot read local state:
-
-```
-⚠ resolve-worktree: <error_kind> — local state is broken; routing is unreliable.
-Run `npx codebyplan setup` from this directory to register/repair, then re-run /cbp-todo.
-```
+Before any MCP call, resolve who the caller is.
 
 **User** — `get_todos` (Step 1) requires a `user_id`:
 
@@ -36,45 +22,44 @@ npx codebyplan whoami --json   # → {"user_id":"<uuid>","email":"…"} or null
 ```
 
 - A `user_id` is returned → use it in Step 1.
-- `null` (CLI keychain empty — common in OAuth-MCP-only environments) → the queue cannot be scoped by user; skip Step 1 and use the Step 3 fallback. The Step 1.5 ownership gate still applies.
+- `null` or empty `user_id` (CLI keychain empty — common in OAuth-MCP-only environments) → the queue cannot be scoped by user; skip Step 1 and use the Step 3 fallback. The Step 1.5 ownership gate still applies.
 
 ### Step 1: Read the Todo Queue (pure-read)
 
-With `USER_ID` resolved, read `.codebyplan/state/todos.json` (local-first). If missing or stale (`_cursor.json` absent or `sync_status !== "synced"`), run `npx codebyplan sync` once and re-read. Break-glass fallback: MCP `get_todos({ repo_id, user_id, worktree_id })` when the state dir is absent and sync fails. Filter by `user_id` and `worktree_id` (omit `worktree_id` when `WORKTREE_ID` is `null` or unresolved). Take **`rows[0]`** as the queue head (ordered by `sort_order`).
+With `USER_ID` resolved, read `.codebyplan/state/todos.json` (local-first). If missing or stale (`_cursor.json` absent or `sync_status !== "synced"`), run `npx codebyplan sync` once and re-read. Break-glass fallback: MCP `get_todos({ repo_id, user_id })` when the state dir is absent and sync fails. Filter by `user_id`. Take **`rows[0]`** as the queue head (ordered by `sort_order`).
 
-- The head carries `command`, `instructions`, `state`, `metadata`, `worktree_id`, `checkpoint_id`, `task_id`.
+- The head carries `command`, `instructions`, `state`, `metadata`, `checkpoint_id`, `task_id`.
 - The routing context (checkpoint/task) lives in **`rows[0].metadata`**.
 - `get_todos` is **pure-read** — `apps/todo-worker` is the sole regen authority. NEVER call `get_next_action` or `regenerate_todos_for_repo`.
 - Empty array, or `USER_ID` unavailable → go to Step 3 (empty-queue fallback).
 
 Queue `command` values may use the `/codebyplan:<name>` plugin-namespace form (e.g. `/codebyplan:round-start`); treat each as the matching `/cbp-<name>` skill for the Step 2 matrix.
 
-### Step 1.5: Resolve Target + Worktree-Ownership Gate
+### Step 1.5: Resolve Target + User-Ownership Gate
 
-Resolve the routing target's checkpoint and gate on ownership BEFORE any auto-trigger — including the Step 1.6 planning hand-offs. Refuse to route into, plan, or start work locked to a different worktree.
+Resolve the routing target's checkpoint and gate on ownership BEFORE any auto-trigger — including the Step 1.6 planning hand-offs. Refuse to route into, plan, or start work locked to a different user.
 
-Resolve the checkpoint from `rows[0].metadata` (or read `.codebyplan/state/session/current.json` for the active task, falling back to MCP `get_current_task`), then load its `worktree_id` + `plan` + `status` from `.codebyplan/state/checkpoints/<id>.json` (falling back to MCP `get_checkpoints`) and its task count from `.codebyplan/state/checkpoints/<id>/tasks/` files (falling back to MCP `get_tasks(checkpoint_id)`). This single load is reused by the Step 1.6 planning gate. Skip this gate when the routing target has no checkpoint (idle — see Step 3) or the command is `/cbp-session-start`.
+Resolve the checkpoint from `rows[0].metadata` (or read `.codebyplan/state/session/current.json` for the active task, falling back to MCP `get_current_task`), then load its `assigned_user_id` + `plan` + `status` from `.codebyplan/state/checkpoints/<id>.json` (falling back to MCP `get_checkpoints`) and its task count from `.codebyplan/state/checkpoints/<id>/tasks/` files (falling back to MCP `get_tasks(checkpoint_id)`). This single load is reused by the Step 1.6 planning gate. Skip this gate when the routing target has no checkpoint (idle — see Step 3) or the command is `/cbp-session-start`.
 
 Two ownership signals:
 
-1. **Server-detected conflict** — `rows[0].state === "worktree_conflict"` (command `/codebyplan:release-or-switch`): the todo-worker already detected the lock conflict. The owner is in `rows[0].metadata.conflicting_worktree_name` / `.conflicting_worktree_id`. Surface the mismatch message below and **STOP**. Do NOT auto-trigger the release-or-switch command and do NOT call `release_assignment` — switch worktrees rather than reassigning a lock to the caller.
-2. **Checkpoint-ownership check** — take the target checkpoint's `worktree_id` (loaded above, keyed by `rows[0].checkpoint_id` / `metadata.checkpoint.id`) and compare with caller `WORKTREE_ID`:
-   - target `worktree_id` is `null` → **allow** (unassigned — any worktree may pick it up; covers the both-null main-repo case).
-   - target `worktree_id` === caller `WORKTREE_ID` → **allow**.
-   - target `worktree_id` non-null **AND** caller `WORKTREE_ID` is `null`/unresolved → **block** (deliberate safety: identity cannot be confirmed. This does not contradict Step 0 — reading the queue is fine, auto-triggering INTO assigned work is not. Run `npx codebyplan setup` to register this worktree).
-   - target `worktree_id` non-null and differs from a non-null caller → **block**.
+1. **Server-detected conflict** — `rows[0].state === "worktree_conflict"` (command `/codebyplan:release-or-switch`): the todo-worker already detected the lock conflict. (`worktree_conflict` is the worker's current state-value name — it now reflects a user-level lock conflict and is renamed alongside the web-UI/schema work in a later task.) Surface the mismatch message below and **STOP**. Do NOT auto-trigger the release-or-switch command and do NOT call `release_assignment` — the user who owns the lock must release it or a maintainer must use `release_assignment`.
+2. **Checkpoint-ownership check** — take the target checkpoint's `assigned_user_id` (loaded above) and compare with caller `USER_ID`:
+   - target `assigned_user_id` is `null` → **allow** (unassigned — any user may pick it up).
+   - target `assigned_user_id` === caller `USER_ID` → **allow**.
+   - target `assigned_user_id` non-null AND differs from caller `USER_ID` → **block**.
 
-On block, resolve the owning worktree's `name` + `path` via MCP `get_worktrees({ repo_id })` (display-only ownership-block path — no CLI verb exists for worktrees; stays MCP), then emit and STOP:
+On block, emit and STOP (show the owner email if resolvable from the whoami context, otherwise the `assigned_user_id` UUID):
 
 ```
-⚠ Work mismatch: CHK-<NNN> TASK-<N> is assigned to worktree <name> (<short-uuid>), not this one (<this-name> / <this-short-uuid>).
+⚠ Work mismatch: CHK-<NNN> TASK-<N> is assigned to user <email-or-uuid>, not you.
 Options:
-  A) Switch to <owning-worktree-path> and resume there
-  B) Work on something else here — run /cbp-checkpoint-create or /cbp-task-create
+  A) Work on something else — run /cbp-checkpoint-create or /cbp-task-create
+  B) Ask the owner to release the assignment, or a maintainer can use release_assignment, then re-run /cbp-todo
   C) /cbp-session-end
 ```
 
-`<short-uuid>` = first 8 chars of the worktree UUID. Caller unresolved → render "this one" as `(unresolved / —)`. Name lookup miss → show the UUID alone. Wait for the user. NEVER propose reassigning the checkpoint to the caller worktree.
+Wait for the user. NEVER propose reassigning the checkpoint to the caller.
 
 ### Step 1.55: Stale-Entity Guard
 
@@ -170,8 +155,8 @@ Display a brief context summary:
 
 Reached when `get_todos` returns `[]` or `USER_ID` was unavailable.
 
-1. **Fallback discovery** (worktree-scoped): read `.codebyplan/state/session/current.json` and scan `.codebyplan/state/checkpoints/` for active checkpoints (fallback: MCP `get_current_task` + `get_checkpoints`) to discover whether actionable work exists for this caller.
-2. **Actionable work found** → treat the discovered checkpoint as the routing target and apply BOTH the Step 1.5 ownership gate and the Step 1.6 planning gate to it, using the `worktree_id` + `plan` + `status` returned by `get_checkpoints` (the fallback has no `rows[0]` — substitute the discovered checkpoint). If both gates pass, route via Step 2 → Step 4.
+1. **Fallback discovery**: read `.codebyplan/state/session/current.json` and scan `.codebyplan/state/checkpoints/` for active checkpoints (fallback: MCP `get_current_task` + `get_checkpoints`) to discover whether actionable work exists for this caller.
+2. **Actionable work found** → treat the discovered checkpoint as the routing target and apply BOTH the Step 1.5 ownership gate and the Step 1.6 planning gate to it, using the `assigned_user_id` + `plan` + `status` returned by `get_checkpoints` (the fallback has no `rows[0]` — substitute the discovered checkpoint). If both gates pass, route via Step 2 → Step 4.
 3. **Nothing actionable** → suggest ending the session:
 
 ```
@@ -190,6 +175,6 @@ Reached only when the Step 1.5 ownership gate allowed routing to continue, the S
 ## Integration
 
 - **Called by**: `/cbp-session-start`, `/cbp-finalize`, `/cbp-checkpoint-complete`, manual, after `/clear`
-- **Resolves**: `npx codebyplan resolve-worktree --json` (worktree id + distress signal), `npx codebyplan whoami --json` (user id)
-- **Reads**: `.codebyplan/state/todos.json`, `session/current.json`, `checkpoints/<id>.json`, `checkpoints/<id>/tasks/<id>.json`, `checkpoints/<id>/tasks/<id>/rounds/<id>.json`, `worktrees.json`. If missing/stale, run `npx codebyplan sync` once and re-read. Break-glass: MCP `get_todos`, `get_current_task`, `get_rounds`, `get_checkpoints`, `get_tasks` when state dir absent and sync fails. `get_worktrees` stays MCP (display-only ownership-block path; no CLI verb).
+- **Resolves**: `npx codebyplan whoami --json` (user id)
+- **Reads**: `.codebyplan/state/todos.json`, `session/current.json`, `checkpoints/<id>.json`, `checkpoints/<id>/tasks/<id>.json`, `checkpoints/<id>/tasks/<id>/rounds/<id>.json`. If missing/stale, run `npx codebyplan sync` once and re-read. Break-glass: MCP `get_todos`, `get_current_task`, `get_rounds`, `get_checkpoints`, `get_tasks` when state dir absent and sync fails.
 - **Triggers**: `rows[0].command` (auto, after the Step 1.5 ownership gate and Step 1.55 stale-entity guard pass, and the Step 1.6 planning gate falls through); Step 1.55 overrides to STOP (stale completed/cancelled entity); Step 1.6 overrides to `/cbp-checkpoint-plan` (unplanned) or `/cbp-checkpoint-start` (planned-but-pending)

package/templates/skills/cbp-todo/qa-regression.md

@@ -1,51 +1,45 @@
 ---
 name: cbp-todo-qa-regression
-description: Manual regression procedure for the cbp-todo worktree-ownership gate + get_todos switch (CHK-137 TASK-2)
+description: Manual regression procedure for the cbp-todo user-ownership gate + get_todos switch (CHK-225 TASK-5)
 ---
 
-# cbp-todo — Worktree-Ownership Regression
+# cbp-todo — User-Ownership Regression
 
-Manual procedure verifying that `/cbp-todo` reads the pure-read `get_todos` queue and refuses to auto-route into work locked to another worktree. No automated harness exists for markdown skills; run these by hand (or read the queue with the MCP tools) whenever Step 0/1/1.5 of `SKILL.md` changes.
+Manual procedure verifying that `/cbp-todo` reads the pure-read `get_todos` queue and refuses to auto-route into work locked to another user. No automated harness exists for markdown skills; run these by hand (or read the queue with the MCP tools) whenever Step 0/1/1.5 of `SKILL.md` changes.
 
 Repo under test: `2ff6d405-39c5-47b8-a6d1-59f998ac0537`. Resolve a real `user_id` with `npx codebyplan whoami --json`, or harvest a non-null `assigned_user_id` from `get_checkpoints`.
 
 ## Preconditions
 
 - `get_todos` is the only Step 1 read — confirm no `get_next_action` / `regenerate_todos_for_repo` call remains (`grep -n 'get_next_action\|regenerate_todos_for_repo' SKILL.md` → no hits).
-- Step 0 uses `resolve-worktree --json` and `whoami --json`.
+- Step 0 uses `whoami --json` only — no worktree-resolution CLI verb appears in SKILL.md (verify by grepping the banned token list against SKILL.md; zero hits expected).
 - Step 1.55 (Stale-Entity Guard) must NOT call `get_next_action` or `regenerate_todos_for_repo` when rejecting a stale head — it reuses the checkpoint `status` + task statuses already loaded in Step 1.5 (the same grep above covers it).
 
-## Scenario A — caller owns the work → auto-trigger
+## Scenario A — current user owns the work → auto-trigger
 
-1. From a worktree that owns the active checkpoint (caller `WORKTREE_ID` === target checkpoint `worktree_id`, or target `worktree_id` is `null`).
-2. `get_todos({ repo_id, user_id, worktree_id })` returns a head whose target checkpoint is owned by the caller (or unscoped).
+1. `npx codebyplan whoami --json` returns `user_id` matching the target checkpoint's `assigned_user_id` (or `assigned_user_id` is `null` — open queue).
+2. `get_todos({ repo_id, user_id })` returns a head whose target checkpoint is owned by the caller (or unassigned).
 3. **Expected**: Step 1.5 ownership gate allows, Step 1.6 planning gate falls through, Step 4 auto-triggers `rows[0].command` (mapped to its `/cbp-<name>` form).
 
-## Scenario B1 — server-generated conflict head → halt
+## Scenario B — checkpoint assigned to a DIFFERENT user → halt
 
-1. Caller `codebyplan-claude-2` (`38cd7dfa`). Active work assigned to `codebyplan-cli` (`016bd7f2`).
-2. `get_todos` head is the server conflict todo: `state === "worktree_conflict"`, `command "/codebyplan:release-or-switch"`, `metadata.conflicting_worktree_name === "codebyplan-cli"`.
-3. **MCP calls expected**: `get_todos`; `get_worktrees` (to resolve `016bd7f2` path for the message). NO `get_checkpoints` needed — the server already resolved the conflict.
-4. **Expected**: Step 1.5 server-conflict branch blocks and STOPS. The "Work mismatch" message names `codebyplan-cli (016bd7f2)` vs `codebyplan-claude-2 (38cd7dfa)`, offers Switch (`/Users/merilyviks/codebyplan-cli`) / other-work / session-end. NO auto-trigger; NO `release_assignment` call (never reassign the lock to the caller).
+1. `whoami` returns user A. Target checkpoint `assigned_user_id` is user B (non-null, different).
+2. `get_todos` head is a normal routing todo whose target checkpoint `assigned_user_id` is user B's UUID.
+3. **MCP calls expected**: `get_todos`; `get_checkpoints` (Step 1.5 load, reads the target `assigned_user_id`). Owner is identified by `assigned_user_id` directly (email from whoami context if resolvable, else the UUID) — no worktree-lookup MCP call is needed.
+4. **Expected**: Step 1.5 checkpoint-ownership branch blocks and STOPS with the "Work mismatch" message naming the owner email-or-uuid. NO auto-trigger; the Step 1.6 planning gate never runs (ownership precedes it). NEVER propose reassigning the checkpoint to the caller.
 
-## Scenario B2 — normal head, mismatched checkpoint owner → halt
+## Scenario C — empty queue / anonymous caller → fallback
 
-1. Caller `codebyplan-claude-2` (`38cd7dfa`). `get_todos` head is a normal routing todo whose target checkpoint `worktree_id` is `016bd7f2`.
-2. **MCP calls expected**: `get_todos`; `get_checkpoints` (Step 1.5 load, reads the target `worktree_id`); `get_worktrees` (resolve `016bd7f2` name + path).
-3. **Expected**: Step 1.5 checkpoint-ownership branch blocks and STOPS with the same "Work mismatch" message. NO auto-trigger; the Step 1.6 planning gate never runs (ownership precedes it).
-
-## Scenario C — empty queue + cross-worktree current task → halt
-
-1. `get_todos` returns `[]` (or `whoami` returned `null`, so Step 1 was skipped).
-2. Step 3 fallback: `get_current_task({ repo_id, worktree_id })` / `get_checkpoints({ repo_id, worktree_id, status: 'active' })` surface a checkpoint whose `worktree_id` differs from the caller.
-3. **Expected**: the Step 1.5 ownership gate (applied to the fallback target) blocks the discovered work with the same "Work mismatch" message. NO auto-trigger. `regenerate_todos_for_repo` is never called.
+1. `get_todos` returns `[]` OR `whoami` returned `null`/empty `user_id`, so Step 1 was skipped.
+2. Step 3 fallback: `get_current_task` / `get_checkpoints` surface a checkpoint whose `assigned_user_id` differs from the caller (or caller is anonymous).
+3. **Expected**: the Step 1.5 ownership gate (applied to the fallback target) blocks the discovered work with the "Work mismatch" message when the user differs, or routes to the idle suggestion when the caller is anonymous and no open work is found. NO auto-trigger. `regenerate_todos_for_repo` is never called.
 
 ## Scenario D — stale queue head for a completed/cancelled entity → halt
 
-1. Caller owns the active checkpoint (Scenario A ownership holds), but the todo-worker queue is lagging — `health_check.todos_freshness_ok === false`. The `get_todos` head targets a checkpoint (or task) that has since been completed or cancelled.
-2. Step 1.5 loads the target checkpoint `status` + `get_tasks(checkpoint_id)` (already required for the ownership/planning gates — no extra reads).
-3. **Expected**: Step 1.55 rejects the auto-trigger — target checkpoint `status` is `completed`/`cancelled` (or every task is `completed`/`cancelled`) — surfaces the "Stale queue head" message naming the command + `CHK-NNN`[ `TASK-N`] + status, and STOPS. NO auto-trigger. NO `get_next_action` / `regenerate_todos_for_repo` call.
+1. Caller's `user_id` matches the target checkpoint's `assigned_user_id` (ownership passes), but the todo-worker queue is lagging — `health_check.todos_freshness_ok === false`. The `get_todos` head targets a checkpoint (or task) that has since been completed or cancelled.
+2. Step 1.5 loads the target checkpoint `status` + task statuses (already required for the ownership/planning gates — no extra reads).
+3. **Expected**: Step 1.55 rejects the auto-trigger — target checkpoint `status` is `completed`/`cancelled` (or every task is `completed`/`cancelled`) — surfaces the "Stale queue head" message naming the command + `CHK-NNN`[`TASK-N`] + status, and STOPS. NO auto-trigger. NO `get_next_action` / `regenerate_todos_for_repo` call.
 
-## Edge — both null
+## Edge — null assigned_user_id (open work)
 
-Caller `WORKTREE_ID` empty AND target checkpoint `worktree_id` `null` → legitimate main-repo / unassigned work → auto-trigger allowed.
+`assigned_user_id` is `null` on the target checkpoint AND caller has a valid `user_id` → open/unassigned work → auto-trigger allowed (proceeds to Step 1.6 planning gate).

package/templates/skills/cbp-verify/reference/round-scope.md

@@ -58,5 +58,4 @@ human confirmation — do not add an AskUserQuestion in cbp-verify at round scop
 
 `codebyplan round update --id <round_id> --task-id <uuid> --checkpoint-id <uuid> --context '<json>'`
 (merge `verify_manifest` into existing context; the REPLACE contract requires the full object).
-Break-glass: MCP `update_round` (checkpoint KIND) / `update_standalone_round` (standalone KIND) —
-pass `caller_worktree_id` on locked feat rows.
+Break-glass: MCP `update_round` (checkpoint KIND) / `update_standalone_round` (standalone KIND).

package/templates/hooks/cbp-mcp-caller-worktree-inject.sh

@@ -1,78 +0,0 @@
-#!/bin/bash
-# @hook: PreToolUse mcp__codebyplan__(update_checkpoint|complete_checkpoint|update_task|complete_task|add_round|update_round|complete_round|create_standalone_task|update_standalone_task|complete_standalone_task|add_standalone_round|update_standalone_round|complete_standalone_round|update_standalone_file_change)
-# Hook: PreToolUse for MCP write tools
-#
-# Purpose: Inject caller_worktree_id into MCP mutation tool inputs when the
-#          field is absent. Reads the worktree.local.json branch-keyed cache
-#          first (fast path); falls back to `codebyplan resolve-worktree --cache`.
-#
-# Fail-open: ALL exit paths exit 0. A hook failure must never block a tool call.
-#            Use explicit guards rather than set -euo pipefail (which would exit
-#            non-zero on the first failing command before the final exit 0).
-
-# C0 — require jq; if absent, emit nothing and exit 0 (fail-open).
-if ! command -v jq > /dev/null 2>&1; then
-  exit 0
-fi
-
-# Read stdin once into a variable.
-INPUT=$(cat)
-
-# C6 — if caller_worktree_id is already a non-empty string, do not overwrite.
-# (jq '// empty' already maps JSON null to an empty string, so a plain -n test suffices.)
-EXISTING=$(echo "$INPUT" | jq -r '.tool_input.caller_worktree_id // empty' 2>/dev/null)
-if [ -n "$EXISTING" ]; then
-  # Already populated — plain allow (exit 0 with no output).
-  exit 0
-fi
-
-# C5 — resolve worktree id, fast path first.
-RESOLVED_WT=""
-
-# Determine repo root: prefer $CLAUDE_PROJECT_DIR, fall back to PWD.
-REPO_ROOT="${CLAUDE_PROJECT_DIR:-$PWD}"
-CACHE_FILE="$REPO_ROOT/.codebyplan/worktree.local.json"
-
-if [ -f "$CACHE_FILE" ]; then
-  CACHED_WT=$(jq -r '.worktree_id // empty' "$CACHE_FILE" 2>/dev/null)
-  CACHED_BRANCH=$(jq -r '.branch // empty' "$CACHE_FILE" 2>/dev/null)
-
-  if [ -n "$CACHED_WT" ] && [ "$CACHED_WT" != "null" ] && \
-     [ -n "$CACHED_BRANCH" ] && [ "$CACHED_BRANCH" != "null" ]; then
-    # Validate branch matches current git branch.
-    CURRENT_BRANCH=$(git rev-parse --abbrev-ref HEAD 2>/dev/null)
-    if [ -n "$CURRENT_BRANCH" ] && [ "$CURRENT_BRANCH" = "$CACHED_BRANCH" ]; then
-      RESOLVED_WT="$CACHED_WT"
-    fi
-  fi
-fi
-
-# Fallback to CLI resolution if cache miss or branch mismatch.
-if [ -z "$RESOLVED_WT" ]; then
-  RESOLVED_WT=$(codebyplan resolve-worktree --cache 2>/dev/null \
-    || npx --no-install codebyplan resolve-worktree --cache 2>/dev/null \
-    || true)
-fi
-
-# UUID guard — accept only a canonical UUID (8-4-4-4-12 hex).
-UUID_PATTERN='^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$'
-if [ -z "$RESOLVED_WT" ] || ! echo "$RESOLVED_WT" | grep -qE "$UUID_PATTERN"; then
-  # Unresolved or invalid — plain allow, no updatedInput.
-  exit 0
-fi
-
-# C3 — emit updatedInput as the FULL tool_input with caller_worktree_id added.
-# Claude Code's PreToolUse updatedInput REPLACES tool_input wholesale (it is not a
-# partial merge), so we must echo back every existing field merged with the new
-# caller_worktree_id — otherwise the tool loses round_id/duration_minutes/etc.
-echo "$INPUT" | jq \
-  --arg wt "$RESOLVED_WT" \
-  '{
-    hookSpecificOutput: {
-      hookEventName: "PreToolUse",
-      permissionDecision: "allow",
-      updatedInput: (.tool_input + { caller_worktree_id: $wt })
-    }
-  }'
-
-exit 0