codebyplan 1.13.62 → 1.13.64

package/templates/skills/cbp-session-start/SKILL.md

@@ -41,7 +41,7 @@ codebyplan session start --json
 The orchestrator performs (in order, all fail-safe):
 
 1. Resolve `repo_id` from `.codebyplan/repo.json`
-2. `codebyplan resolve-worktree --json` → `worktree_id`, `worktree_error_kind`
+2. `codebyplan whoami --json` → `user_id`, `user_error_kind` (CHK-225 retired worktree identity — concurrency is user-level via `assigned_user_id`; the removed `resolve-worktree` verb no longer exists)
 3. `codebyplan session freshness-gate --halt-on-update` → update_halt short-circuit (no activate, no create-log when halt)
 4. Infra-drift nudge (monorepo-only), arch-map drift nudge, LSP binary nudge
 5. Read previous session log from `.codebyplan/state/session/current.json` (sync on miss)
@@ -49,7 +49,7 @@ The orchestrator performs (in order, all fail-safe):
 7. `codebyplan session update-state --action activate` (write-through)
 8. `codebyplan session create-log` → `session_log_id`
 9. Infra-files set math: active task round files subtracted from `git status --porcelain`
-10. `get_checkpoints({ repo_id, status:'active' })` → ownership partition (owned vs cross)
+10. `get_checkpoints({ repo_id, status:'active' })` → ownership partition (owned by you vs other users)
 11. Compute `next_action` + render the Step 6 output block
 
 The envelope shape:
@@ -58,8 +58,8 @@ The envelope shape:
 {
   status: 'ok' | 'update_halt',
   session_log_id: string | null,
-  worktree_id: string | null,
-  worktree_error_kind: string | null,
+  user_id: string | null,
+  user_error_kind: string | null,
   infra_drift_nudge: string | null,
   arch_map_nudge: string | null,
   lsp_nudges: string[],
@@ -104,13 +104,13 @@ Route from `envelope.next_action`:
 - **`resume_handoff`** — trigger `envelope.handoff.command` directly with `envelope.handoff.context` / `envelope.handoff.state`. Skip Step 5.7.
 - **`commit_then_todo`** — run Step 5.7 (infra commit gate), then trigger `/cbp-todo`.
 - **`trigger_todo`** — trigger `/cbp-todo` (owns active work, or idle path).
-- **`stop`** — do NOT auto-trigger `/cbp-todo`. The Ownership block in `rendered_block` communicates the situation; the user must switch to the owning worktree or start new work explicitly.
+- **`stop`** — do NOT auto-trigger `/cbp-todo`. The Ownership block in `rendered_block` communicates the situation; the user must coordinate with the owning user or start new work explicitly.
 
 ## Integration
 
 - **Triggered by**: user invocation, `/clear` recovery
-- **Reads**: MCP `health_check` (Step 0 hard gate — stays MCP unconditionally); `codebyplan session start --json` (Steps 1–5.8 — the orchestrator reads `.codebyplan/repo.json`, `.codebyplan/git.json`, `.codebyplan/state/session/current.json`, `.codebyplan/state/todos.json`, `.codebyplan/state/checkpoints/` entity files, `scripts/infra-drift.mjs`, `.codebyplan/architecture.json`, `.codebyplan/lsp.json`)
-- **Writes**: orchestrator calls `codebyplan session update-state --action activate` (Step 7) and `codebyplan session create-log` (Step 8) — both SKIPPED on Step 0 hard-fail and on `status: update_halt`
+- **Reads**: MCP `health_check` (Step 0 hard gate — stays MCP unconditionally); `codebyplan session start --json` (Steps 1–5.8 — the orchestrator runs `codebyplan whoami --json` for caller identity and reads `.codebyplan/repo.json`, `.codebyplan/git.json`, `.codebyplan/state/session/current.json`, `.codebyplan/state/todos.json`, `.codebyplan/state/checkpoints/` entity files, `scripts/infra-drift.mjs`, `.codebyplan/architecture.json`, `.codebyplan/lsp.json`)
+- **Writes**: orchestrator calls `codebyplan session update-state --action activate` (Step 7) and `codebyplan session create-log` (Step 8 — user-level; no worktree_id in the body) — both SKIPPED on Step 0 hard-fail and on `status: update_halt`
 - **Spawns**: none
 - **Triggers**: `/cbp-git-commit` (conditional, on user approval at Step 5.7), `envelope.handoff.command` (on `next_action: resume_handoff`), `/cbp-todo` (on `next_action: trigger_todo` or `commit_then_todo`); STOPS with no trigger on `next_action: stop` or `mcp_update_halt`
 - **Paired with**: `/cbp-session-end`

package/templates/skills/cbp-session-start/qa-regression.md

@@ -1,52 +1,59 @@
 ---
 name: cbp-session-start-qa-regression
-description: Manual regression procedure for the cbp-session-start worktree-ownership awareness + resolve-worktree distress channel (CHK-137 TASK-3)
+description: Manual regression procedure for the cbp-session-start user-identity awareness + user-lock routing (CHK-225 TASK-5)
 ---
 
-# cbp-session-start — Worktree-Ownership Regression
+# cbp-session-start — User-Identity Regression
 
-Manual procedure verifying that `/cbp-session-start` correctly resolves the caller's worktree identity, gates Step 7 auto-trigger on ownership, and surfaces distress signals non-blocking. Run these by hand whenever the SKILL's envelope-consumption logic (Step 0 health gate, the `codebyplan session start` invocation, the Step 5.7 commit gate, or the Step 7 `next_action` routing) changes.
+Manual procedure verifying that `/cbp-session-start` correctly resolves the caller's user identity (via `codebyplan whoami --json`), gates Step 7 auto-trigger on user-level ownership, and surfaces distress signals non-blocking. Run these by hand whenever the SKILL's envelope-consumption logic (Step 0 health gate, the `codebyplan session start` invocation, the Step 5.7 commit gate, or the Step 7 `next_action` routing) changes.
 
-Since the worktree resolution, handoff freshness, ownership partition, and Step 6 render are now computed inside `codebyplan session start` (Steps 1–5.8 collapsed into one CLI call), the deterministic behavior is covered by unit tests (`src/cli/session/start.test.ts`, `src/lib/session.test.ts`). These scenarios are now best verified by inspecting the **envelope** the CLI emits — run `codebyplan session start --json` and read its fields — rather than tracing SKILL prose. The `ownership`, `next_action`, `handoff.fresh`, and `worktree_error_kind` fields below correspond to envelope keys.
+Since the user resolution, handoff freshness, ownership partition, and Step 6 render are now computed inside `codebyplan session start` (Steps 1–5.8 collapsed into one CLI call), the deterministic behavior is covered by unit tests (`src/cli/session/start.test.ts`, `src/lib/session.test.ts`). These scenarios are now best verified by inspecting the **envelope** the CLI emits — run `codebyplan session start --json` and read its fields — rather than tracing SKILL prose. The `ownership`, `next_action`, `handoff.fresh`, and `user_error_kind` fields below correspond to envelope keys.
 
 Repo under test: `2ff6d405-39c5-47b8-a6d1-59f998ac0537`.
 
 ## Preconditions
 
 - The SKILL keeps Step 0 (`health_check`) as a hard gate, then delegates Steps 1–5.8 to `codebyplan session start --json` — confirm with `grep -n 'session start --json' SKILL.md` → at least one hit.
-- The orchestrator resolves worktree identity via `resolve-worktree --json` and partitions ownership via `get_checkpoints({ repo_id, status: 'active' })` — confirm the envelope carries `worktree_id` / `worktree_error_kind` / `owned_count` / `total_count`.
+- The orchestrator resolves user identity via `whoami --json` and partitions ownership via `get_checkpoints({ repo_id, status: 'active' })` — confirm the envelope carries `user_id` / `user_error_kind` / `owned_count` / `total_count`.
 - The Step 6 Ownership block (the envelope's `rendered_block`) is READ-ONLY — confirm no "reassign", "release_assignment", or "transfer" language appears in SKILL.md: `grep -n 'reassign\|release_assignment\|transfer' SKILL.md` → no hits.
-- The handoff freshness gate includes the cross-worktree stale rule (checkpoint `worktree_id` non-null and differs from caller) — covered by the `probeHandoff` unit tests; the envelope surfaces the outcome as `handoff.fresh`.
+- The handoff freshness gate includes the cross-user stale rule (checkpoint `assigned_user_id` non-null and differs from caller) — covered by the `probeHandoff` unit tests; the envelope surfaces the outcome as `handoff.fresh`.
 
-## Scenario A — caller owns an active CHK → auto-trigger
+## Scenario A — current user owns an active CHK → auto-trigger
 
-1. Run from a worktree whose `WORKTREE_ID` matches the active checkpoint's `worktree_id` (or both are `null`).
-2. `get_checkpoints({ repo_id, status: 'active' })` returns at least one entry whose `worktree_id === WORKTREE_ID` (or both null).
-3. **Expected**: envelope `owned_count >= 1`, `next_action: 'trigger_todo'`. `rendered_block` shows `Ownership: N active CHK(s), N owned by this worktree`. The SKILL's Step 7 fires `/cbp-todo`.
+1. Run signed in as a user whose `user_id` matches the active checkpoint's `assigned_user_id` (or the checkpoint's `assigned_user_id` is `null`).
+2. `get_checkpoints({ repo_id, status: 'active' })` returns at least one entry whose `assigned_user_id === user_id` (or is null).
+3. **Expected**: envelope `owned_count >= 1`, `next_action: 'trigger_todo'`. `rendered_block` shows `Ownership: N active CHK(s), N owned by you`. The SKILL's Step 7 fires `/cbp-todo`.
 
-## Scenario B — active CHK(s) exist but none owned by caller → Ownership block + STOP
+## Scenario B — active CHK(s) exist, all owned by a different user → Ownership block + STOP
 
-Repro: caller worktree is `codebyplan-claude-2` (`38cd7dfa`). The only active checkpoint is CHK-136, assigned to `codebyplan-cli` (`016bd7f2`).
+Repro: current user is `alice@example.com` (`uuid-A`). The only active checkpoint is CHK-136, assigned to `bob@example.com` (`uuid-B`).
 
-1. `resolve-worktree --json` returns `{"worktree_id":"38cd7dfa-...","error_kind":null}`.
-2. `get_checkpoints({ repo_id, status: 'active' })` returns CHK-136 with `worktree_id = "016bd7f2-..."`.
-3. Step 5.8: `owned_count = 0`, `total_count = 1`, `cross_worktree = [CHK-136]`.
-4. **Expected**: envelope `owned_count = 0`, `total_count = 1`, `next_action: 'stop'`, `cross_checkpoints = [CHK-136]`. `rendered_block` shows `Ownership: 1 active CHK(s), 0 owned by this worktree` and `[Cross-worktree: CHK-136 (…)]`. The SKILL **STOPS** on `next_action: 'stop'` — `/cbp-todo` is NOT auto-triggered. No reassignment language appears.
+1. `whoami --json` returns `{"user_id":"uuid-A","email":"alice@example.com"}`.
+2. `get_checkpoints({ repo_id, status: 'active' })` returns CHK-136 with `assigned_user_id = "uuid-B"`.
+3. Step 5.8: `owned_count = 0`, `total_count = 1`, `cross_checkpoints = [CHK-136]`.
+4. **Expected**: envelope `owned_count = 0`, `total_count = 1`, `next_action: 'stop'`, `cross_checkpoints = [CHK-136]`. `rendered_block` shows `Ownership: 1 active CHK(s), 0 owned by you` and `[Other users: CHK-136 (…)]`. The SKILL **STOPS** on `next_action: 'stop'` — `/cbp-todo` is NOT auto-triggered. No reassignment language appears.
 
 ## Scenario C — no active CHKs anywhere → idle /cbp-todo trigger
 
 1. `get_checkpoints({ repo_id, status: 'active' })` returns `[]`.
 2. Step 5.8: `owned_count = 0`, `total_count = 0`.
-3. **Expected**: envelope `owned_count = 0`, `total_count = 0`, `next_action: 'trigger_todo'`. `rendered_block` shows `Ownership: 0 active CHK(s), 0 owned by this worktree`. The SKILL fires `/cbp-todo` (idle path → checkpoint-create or session-end suggestion).
+3. **Expected**: envelope `owned_count = 0`, `total_count = 0`, `next_action: 'trigger_todo'`. `rendered_block` shows `Ownership: 0 active CHK(s), 0 owned by you`. The SKILL fires `/cbp-todo` (idle path → checkpoint-create or session-end suggestion).
 
-## Scenario D — cross-worktree handoff → Step 4.5 marks stale, falls through
+## Scenario D — stale handoff pointing to a different user's checkpoint → handoff marked stale, falls through
 
-1. The most-recent closed session log contains a handoff payload whose `context.checkpoint_id` resolves to a checkpoint with `worktree_id = "016bd7f2-..."` (a different worktree).
-2. Caller `WORKTREE_ID = "38cd7dfa-..."`.
-3. **Expected**: the orchestrator's handoff freshness gate hits the cross-worktree stale rule (`checkpoint.worktree_id` non-null AND differs from caller) → envelope `handoff.fresh: false`. The mismatched handoff is NOT auto-resumed (`next_action` is never `resume_handoff`); ownership/routing proceed normally per `owned_count`/`total_count`.
+1. The most-recent closed session log contains a handoff payload whose `context.checkpoint_id` resolves to a checkpoint with `assigned_user_id = "uuid-B"` (a different user).
+2. Caller `user_id = "uuid-A"`.
+3. **Expected**: the orchestrator's handoff freshness gate hits the cross-user stale rule (`checkpoint.assigned_user_id` non-null AND differs from caller) → envelope `handoff.fresh: false`. The mismatched handoff is NOT auto-resumed (`next_action` is never `resume_handoff`); ownership/routing proceed normally per `owned_count`/`total_count`.
 
-## Scenario E — resolver distress (non-tuple-miss) → warning line above Ownership block, session proceeds
+## Scenario E — whoami distress (identity unresolved) → session proceeds, non-blocking warning
 
-1. `resolve-worktree --json` returns `{"worktree_id":null,"error_kind":"local_config_read_failed"}` (or any other non-null, non-tuple-miss `error_kind`).
-2. **Expected**: the envelope carries `worktree_error_kind: 'local_config_read_failed'`; `status` stays `'ok'` (non-blocking). `rendered_block` surfaces `⚠ resolve-worktree: local_config_read_failed — local state is broken; routing may be unreliable. Run \`npx codebyplan setup\` to repair.` ABOVE the Ownership block. The orchestrator still activates + creates the session log. `next_action` routes per the `owned_count`/`total_count` values as normal — the skill does NOT hard-stop the way `/cbp-todo` does on the same distress kinds.
-3. **Compound case** (distress typically leaves `worktree_id` null): ownership then classifies every checkpoint with a non-null `worktree_id` as `cross_checkpoints[]` (only truly-null-`worktree_id` checkpoints land in `owned_checkpoints[]`). So if all active checkpoints are assigned, `owned_count = 0` and `next_action: 'stop'` — the distress warning + Ownership block are the only output. The created session log records `worktree_id: null` (the resolver could not read local state); this is expected, not a failure.
+1. `whoami --json` returns `{"user_id":null,"error_kind":"local_config_read_failed"}` (or any other non-null, non-tuple-miss `error_kind`).
+2. **Expected**: the envelope carries `user_error_kind: 'local_config_read_failed'`; `status` stays `'ok'` (non-blocking). `rendered_block` surfaces `⚠ whoami: local_config_read_failed — identity could not be resolved; routing may be unreliable. Run \`npx codebyplan whoami\` to check identity.` ABOVE the Ownership block. The orchestrator still activates + creates the session log. `next_action` routes per the `owned_count`/`total_count` values as normal — the skill does NOT hard-stop the way `/cbp-todo` does on the same distress kinds.
+3. **Compound case** (distress typically leaves `user_id` null): ownership then classifies every checkpoint with a non-null `assigned_user_id` as `cross_checkpoints[]` (only open, null-`assigned_user_id` checkpoints land in `owned_checkpoints[]`). So if all active checkpoints are assigned, `owned_count = 0` and `next_action: 'stop'` — the distress warning + Ownership block are the only output. The created session log records the caller's JWT user server-side; the envelope `user_id: null` (the resolver could not read local identity) is expected, not a failure.
+
+## Scenario F — anonymous session (whoami returns null / signed out) → session proceeds, open checkpoints treated as own
+
+1. `whoami --json` returns `null` (signed out), empty output, or exits non-zero.
+2. `user_id` is treated as null (anonymous) with `user_error_kind: 'tuple_miss'`.
+3. `get_checkpoints({ repo_id, status: 'active' })` returns checkpoints with `assigned_user_id` null or set to real user IDs.
+4. **Expected**: ownership classifies null-`assigned_user_id` checkpoints as `owned_checkpoints[]` (no user to compare against) and non-null-`assigned_user_id` checkpoints as `cross_checkpoints[]` (anonymous caller cannot claim them). `rendered_block` shows the `⚠ Not signed in — run \`npx codebyplan login\` to sign in` line below the User line. `next_action` routes per `owned_count`/`total_count` as normal — the session does NOT hard-stop solely due to anonymous identity. The session log is created in Step 8.

package/templates/skills/cbp-standalone-task-complete/SKILL.md

@@ -11,7 +11,7 @@ effort: xhigh
 
 Complete a standalone task. Auto-triggered by `/cbp-standalone-task-testing` when all tests pass. Can also be run manually.
 
-This skill is gated by an `ask`-tier `Skill(cbp-standalone-task-complete)` permission rule in `settings.json` (shipped templates). **The permission prompt IS the user confirmation** — there is NO completion-confirmation AskUserQuestion inside this skill (the Step 7.5 `caller_worktree_id` guard is a separate environmental safety prompt, not a flow-control confirmation). A declined permission is a clean no-op (nothing committed, merged, pushed, or completed).
+This skill is gated by an `ask`-tier `Skill(cbp-standalone-task-complete)` permission rule in `settings.json` (shipped templates). **The permission prompt IS the user confirmation** — there is NO completion-confirmation AskUserQuestion inside this skill. A declined permission is a clean no-op (nothing committed, merged, pushed, or completed).
 
 ## Instructions
 
@@ -227,9 +227,7 @@ Complete via the CLI (wraps the `complete_standalone_task` MCP tool):
 codebyplan standalone-task complete --id <standalone_task.id>
 ```
 
-The CLI auto-resolves `caller_worktree_id` (override → worktree cache → resolver). `caller_worktree_id` is REQUIRED — the MCP server's pre-guard rejects mutations from non-matching worktrees, and the CLI hard-fails (exit 1) with registration guidance rather than sending an undefined id. The server auto-clears `assigned_worktree_id` on the task on success.
-
-If the CLI exits 1 with a "could not resolve caller_worktree_id" message, run `npx codebyplan setup` (or `codebyplan resolve-worktree --cache`) from this worktree, then re-run the command.
+The server keys on the JWT user (`ctx.userId`) — no worktree param is needed. The server auto-clears `assigned_user_id` on the task on success.
 
 ### Step 8: Run Cleanup + Migration (inline)
 
@@ -266,7 +264,6 @@ Do NOT use AskUserQuestion for routing. Do NOT use the Skill tool to auto-trigge
 
 ## Key Rules
 
-- **`caller_worktree_id` is REQUIRED** for `complete_standalone_task`
 - **Branch shipping lives here** (not in checkpoint-end) — standalone tasks self-ship to production via `codebyplan ship`
 - **Single-directive routing** — no menus, no auto-triggers via Skill tool
 - **No checkpoint** — never check `checkpoint_id`, always treat task as standalone

package/templates/skills/cbp-standalone-task-create/SKILL.md

@@ -88,28 +88,20 @@ To create the best task definition, I need to clarify:
 
 Skip if requirements are already clear from Step 1.
 
-### Step 6: Resolve Worktree Assignment
+### Step 6: Create Standalone Task
 
-Resolve worktree_id via `npx codebyplan resolve-worktree 2>/dev/null`.
-
-- If non-empty: pass as `assigned_worktree_id` in Step 7. This engages the hard-lock from creation.
-- If empty: warn the user that the task will be unassigned and offer to run `npx codebyplan setup` from the current directory first. After setup, re-resolve and proceed. If the user declines, create without `assigned_worktree_id`.
-
-### Step 7: Create Standalone Task
-
-Create via the CLI (wraps the `create_standalone_task` MCP tool; auto-resolves `caller_worktree_id`):
+Create via the CLI (wraps the `create_standalone_task` MCP tool):
 
 ```bash
 codebyplan standalone-task create \
   --title "<concise task title>" \
   --number <next number from Step 3> \
   --requirements "<numbered requirements list>" \
-  --context '<JSON: decisions from Q&A + source findings>' \
-  --assigned-worktree-id <from Step 6, if resolved>
+  --context '<JSON: decisions from Q&A + source findings>'
 ```
 
 - `--repo-id` is optional — the CLI reads it from `.codebyplan/repo.json`.
-- Omit `--assigned-worktree-id` when Step 6 did not resolve a worktree.
+- Task assignment is user-based — the server stamps `assigned_user_id` from the JWT on creation; no worktree param is needed.
 - On success the CLI prints the created row JSON (including `.id`) to stdout.
 
 ```
@@ -127,7 +119,7 @@ codebyplan standalone-task create \
 - Files likely touched: [relevant paths]
 ```
 
-### Step 8: Route
+### Step 7: Route
 
 ```
 Standalone TASK-[N] created successfully.

package/templates/skills/cbp-standalone-task-start/SKILL.md

@@ -106,20 +106,20 @@ If `current` is still in `branch_config.protected`, block with a hard error citi
 1. Run `git status --short` to check for uncommitted files.
 2. If uncommitted files exist → commit them with `chore: clean slate for task start`. Prefer `git add -A && git commit -m "..."`.
 
-### Step 3.5: Worktree-Match Verification
+### Step 3.5: User-Match Verification
 
-Before activating, verify the caller's worktree matches the assigned worktree.
+Before activating, verify the current user is allowed to claim/edit the standalone task row.
 
-1. `CALLER_WT=$(npx codebyplan resolve-worktree 2>/dev/null)`. If empty, omit `caller_worktree_id` from MCP calls.
-2. `TARGET_WT = task.assigned_worktree_id`.
-3. If `TARGET_WT IS NOT NULL AND TARGET_WT != CALLER_WT`, surface error and abort:
+1. Resolve the current user: `CURRENT_USER=$(npx codebyplan whoami --json 2>/dev/null)` → parse `user_id` and `email` from the JSON. If the command fails or returns null/empty, `CURRENT_USER_ID` is null (anonymous session).
+2. `TARGET_USER = task.assigned_user_id`.
+3. If `TARGET_USER IS NOT NULL AND TARGET_USER != CURRENT_USER_ID`, surface error and abort:
 
    ```
-   Standalone TASK-N is assigned to worktree {TARGET_WT_NAME} ({TARGET_WT}); current worktree is {CALLER_WT_NAME} ({CALLER_WT}).
-   Use the release_assignment MCP tool (requires maintainer role) if {TARGET_WT_NAME} is dead, then re-run /cbp-standalone-task-start.
+   Standalone TASK-N is assigned to user {TARGET_EMAIL} ({TARGET_USER}); you are logged in as {CURRENT_EMAIL} ({CURRENT_USER_ID}).
+   Use the release_assignment MCP tool (requires maintainer role) if that user is no longer active, then re-run /cbp-standalone-task-start.
    ```
 
-4. If `TARGET_WT IS NULL` or matches, proceed.
+4. If `TARGET_USER IS NULL` or matches `CURRENT_USER_ID`, proceed.
 
 ### Step 3.6: Main-Drift Check (optional)
 
@@ -150,13 +150,13 @@ Load context from DB:
 
 ### Step 5: Set Task Status
 
-Set status via the CLI (wraps `update_standalone_task`; auto-resolves `caller_worktree_id`):
+Set status via the CLI (wraps `update_standalone_task`):
 
 ```bash
 codebyplan standalone-task update --id <task.id> --status in_progress
 ```
 
-`--id` is the standalone task UUID resolved in Step 2. The CLI resolves `caller_worktree_id` itself (override → worktree cache → resolver), so `CALLER_WT` does not need to be passed.
+`--id` is the standalone task UUID resolved in Step 2. The server keys on the JWT user for authz — no worktree or caller params are needed or accepted; all worktree-identity flags are deprecated and silently ignored server-side.
 
 ### Step 6: Auto-trigger Round Start
 

package/templates/skills/cbp-task-create/SKILL.md

@@ -146,7 +146,7 @@ Use `codebyplan task create --checkpoint-id <id> ...` (CLI write-through) to cre
 - **requirements**: Numbered requirements list
 - **context**: Include decisions from Q&A, dependencies, source findings
 
-**For checkpoint-bound tasks**, an empty `worktree_id` is fine — no caller-worktree stamping is needed because the parent checkpoint's `worktree_id` governs.
+**For checkpoint-bound tasks**, assignment is user-based — the task's `assigned_user_id` is stamped server-side from the JWT; no caller-worktree param is needed.
 
 ```
 ## Task Created

package/templates/skills/cbp-task-start/SKILL.md

@@ -157,21 +157,21 @@ Skip this step if the task title and requirements contain no CVE ID (`CVE-YYYY-N
 
 See `dependency-vulnerability-fixes.md` "Audit Sweep at Task Start" for the source rule.
 
-### Step 3.5: Worktree-Match Verification
+### Step 3.5: User-Match Verification
 
-Before activating the task, verify the caller's worktree matches the assigned worktree on the target row. (Per CHK-104 — DB-level hard-lock prevents cross-worktree mutations.)
+Before activating the task, verify the current user is allowed to claim/edit the checkpoint row.
 
-1. Read caller worktree: `CALLER_WT=$(npx codebyplan resolve-worktree 2>/dev/null)`.
-2. Determine target worktree:
-   - **Checkpoint-bound tasks**: `TARGET_WT = checkpoint.worktree_id` (read from the local checkpoint file already loaded in Step 2). Note: checkpoint-bound tasks may have a NULL `task.assigned_worktree_id` because the lock lives on the parent checkpoint — fall through to `checkpoint.worktree_id`.
-3. If `TARGET_WT IS NOT NULL AND TARGET_WT != CALLER_WT`, surface this error and abort:
+1. Resolve the current user: `CURRENT_USER=$(npx codebyplan whoami --json 2>/dev/null)` → parse `user_id` and `email` from the JSON. If the command fails or returns null/empty, `CURRENT_USER_ID` is null (anonymous session).
+2. Determine the target owner:
+   - **Checkpoint-bound tasks**: `TARGET_USER = checkpoint.assigned_user_id` (read from the local checkpoint file already loaded in Step 2). Note: checkpoint-bound tasks may have a null `task.assigned_user_id`; the lock lives on the parent checkpoint — fall through to `checkpoint.assigned_user_id`.
+3. If `TARGET_USER IS NOT NULL AND TARGET_USER != CURRENT_USER_ID`, surface this error and abort:
 
    ```
-   TASK-N is assigned to worktree {TARGET_WT_NAME} ({TARGET_WT}); current worktree is {CALLER_WT_NAME} ({CALLER_WT}).
-   Use the release_assignment MCP tool (requires maintainer role) if {TARGET_WT_NAME} is dead, then re-run /cbp-task-start.
+   TASK-N is assigned to user {TARGET_EMAIL} ({TARGET_USER}); you are logged in as {CURRENT_EMAIL} ({CURRENT_USER_ID}).
+   Use the release_assignment MCP tool (requires maintainer role) if that user is no longer active, then re-run /cbp-task-start.
    ```
 
-4. If `TARGET_WT IS NULL` or matches, proceed.
+4. If `TARGET_USER IS NULL` or matches `CURRENT_USER_ID`, proceed.
 
 ### Step 3.6: Main-Drift Check (optional)
 
@@ -218,7 +218,7 @@ Display context summary:
 
 ### Step 5: Set Task Status
 
-`codebyplan task update --id <taskId> --checkpoint-id <checkpointId> --status in_progress` (CLI write-through: local state file + REST). If a worktree_id is present, also pass `--claim-worktree-id <worktreeId>` to auto-claim the checkpoint (the CLI passes all flags as snake-case PATCH fields). Break-glass fallback: MCP `update_task(task_id, status: "in_progress", claim_worktree_id: ..., caller_worktree_id: ...)` when the CLI is unavailable — note `caller_worktree_id` is auto-injected by the `cbp-mcp-caller-worktree-inject.sh` PreToolUse hook only on the MCP path.
+`codebyplan task update --id <taskId> --checkpoint-id <checkpointId> --status in_progress` (CLI write-through: local state file + REST). The server keys on the JWT user for authz — no worktree or claim params are needed or accepted. Break-glass fallback: MCP `update_task(task_id, status: "in_progress")` when the CLI is unavailable — all worktree-identity params are deprecated and silently ignored server-side; omit them.
 
 ### Step 6: Auto-trigger Round Start
 

package/templates/skills/cbp-todo/SKILL.md

@@ -7,27 +7,13 @@ effort: medium
 
 # Todo Command
 
-Single entry point after `/clear`: read the pure-read todo queue, gate on worktree ownership + checkpoint planning, load context, then trigger the next command. It ensures Claude always has full context — and never auto-routes into work locked to another worktree — before any command runs.
+Single entry point after `/clear`: read the pure-read todo queue, gate on user ownership + checkpoint planning, load context, then trigger the next command. It ensures Claude always has full context — and never auto-routes into work locked to another user — before any command runs.
 
 ## Instructions
 
-### Step 0: Resolve Caller Identity (worktree + user)
+### Step 0: Resolve Caller Identity (user)
 
-Before any MCP call, resolve who and where the caller is.
-
-**Worktree** — derive the caller `worktree_id` and any distress signal in one structured read:
-
-```bash
-npx codebyplan resolve-worktree --json   # → {"worktree_id":"<uuid>|null","error_kind":null|"<kind>"}
-```
-
-- `error_kind` is `null` or `"tuple_miss"` → healthy. `WORKTREE_ID` = `worktree_id` (may be `null`: a legitimate main-repo or unregistered-worktree case — proceed to read the queue, but downstream hard-locks reject mutations on assigned rows).
-- `error_kind` is `local_config_read_failed`, `local_config_write_failed`, `legacy_file_blocks_dir`, `api_failed`, `git_failed`, or `unhandled` → **broken local state**. Surface the distress line and STOP (skip Steps 1–4) — routing is unreliable when the resolver cannot read local state:
-
-```
-⚠ resolve-worktree: <error_kind> — local state is broken; routing is unreliable.
-Run `npx codebyplan setup` from this directory to register/repair, then re-run /cbp-todo.
-```
+Before any MCP call, resolve who the caller is.
 
 **User** — `get_todos` (Step 1) requires a `user_id`:
 
@@ -36,45 +22,44 @@ npx codebyplan whoami --json   # → {"user_id":"<uuid>","email":"…"} or null
 ```
 
 - A `user_id` is returned → use it in Step 1.
-- `null` (CLI keychain empty — common in OAuth-MCP-only environments) → the queue cannot be scoped by user; skip Step 1 and use the Step 3 fallback. The Step 1.5 ownership gate still applies.
+- `null` or empty `user_id` (CLI keychain empty — common in OAuth-MCP-only environments) → the queue cannot be scoped by user; skip Step 1 and use the Step 3 fallback. The Step 1.5 ownership gate still applies.
 
 ### Step 1: Read the Todo Queue (pure-read)
 
-With `USER_ID` resolved, read `.codebyplan/state/todos.json` (local-first). If missing or stale (`_cursor.json` absent or `sync_status !== "synced"`), run `npx codebyplan sync` once and re-read. Break-glass fallback: MCP `get_todos({ repo_id, user_id, worktree_id })` when the state dir is absent and sync fails. Filter by `user_id` and `worktree_id` (omit `worktree_id` when `WORKTREE_ID` is `null` or unresolved). Take **`rows[0]`** as the queue head (ordered by `sort_order`).
+With `USER_ID` resolved, read `.codebyplan/state/todos.json` (local-first). If missing or stale (`_cursor.json` absent or `sync_status !== "synced"`), run `npx codebyplan sync` once and re-read. Break-glass fallback: MCP `get_todos({ repo_id, user_id })` when the state dir is absent and sync fails. Filter by `user_id`. Take **`rows[0]`** as the queue head (ordered by `sort_order`).
 
-- The head carries `command`, `instructions`, `state`, `metadata`, `worktree_id`, `checkpoint_id`, `task_id`.
+- The head carries `command`, `instructions`, `state`, `metadata`, `checkpoint_id`, `task_id`.
 - The routing context (checkpoint/task) lives in **`rows[0].metadata`**.
 - `get_todos` is **pure-read** — `apps/todo-worker` is the sole regen authority. NEVER call `get_next_action` or `regenerate_todos_for_repo`.
 - Empty array, or `USER_ID` unavailable → go to Step 3 (empty-queue fallback).
 
 Queue `command` values may use the `/codebyplan:<name>` plugin-namespace form (e.g. `/codebyplan:round-start`); treat each as the matching `/cbp-<name>` skill for the Step 2 matrix.
 
-### Step 1.5: Resolve Target + Worktree-Ownership Gate
+### Step 1.5: Resolve Target + User-Ownership Gate
 
-Resolve the routing target's checkpoint and gate on ownership BEFORE any auto-trigger — including the Step 1.6 planning hand-offs. Refuse to route into, plan, or start work locked to a different worktree.
+Resolve the routing target's checkpoint and gate on ownership BEFORE any auto-trigger — including the Step 1.6 planning hand-offs. Refuse to route into, plan, or start work locked to a different user.
 
-Resolve the checkpoint from `rows[0].metadata` (or read `.codebyplan/state/session/current.json` for the active task, falling back to MCP `get_current_task`), then load its `worktree_id` + `plan` + `status` from `.codebyplan/state/checkpoints/<id>.json` (falling back to MCP `get_checkpoints`) and its task count from `.codebyplan/state/checkpoints/<id>/tasks/` files (falling back to MCP `get_tasks(checkpoint_id)`). This single load is reused by the Step 1.6 planning gate. Skip this gate when the routing target has no checkpoint (idle — see Step 3) or the command is `/cbp-session-start`.
+Resolve the checkpoint from `rows[0].metadata` (or read `.codebyplan/state/session/current.json` for the active task, falling back to MCP `get_current_task`), then load its `assigned_user_id` + `plan` + `status` from `.codebyplan/state/checkpoints/<id>.json` (falling back to MCP `get_checkpoints`) and its task count from `.codebyplan/state/checkpoints/<id>/tasks/` files (falling back to MCP `get_tasks(checkpoint_id)`). This single load is reused by the Step 1.6 planning gate. Skip this gate when the routing target has no checkpoint (idle — see Step 3) or the command is `/cbp-session-start`.
 
 Two ownership signals:
 
-1. **Server-detected conflict** — `rows[0].state === "worktree_conflict"` (command `/codebyplan:release-or-switch`): the todo-worker already detected the lock conflict. The owner is in `rows[0].metadata.conflicting_worktree_name` / `.conflicting_worktree_id`. Surface the mismatch message below and **STOP**. Do NOT auto-trigger the release-or-switch command and do NOT call `release_assignment` — switch worktrees rather than reassigning a lock to the caller.
-2. **Checkpoint-ownership check** — take the target checkpoint's `worktree_id` (loaded above, keyed by `rows[0].checkpoint_id` / `metadata.checkpoint.id`) and compare with caller `WORKTREE_ID`:
-   - target `worktree_id` is `null` → **allow** (unassigned — any worktree may pick it up; covers the both-null main-repo case).
-   - target `worktree_id` === caller `WORKTREE_ID` → **allow**.
-   - target `worktree_id` non-null **AND** caller `WORKTREE_ID` is `null`/unresolved → **block** (deliberate safety: identity cannot be confirmed. This does not contradict Step 0 — reading the queue is fine, auto-triggering INTO assigned work is not. Run `npx codebyplan setup` to register this worktree).
-   - target `worktree_id` non-null and differs from a non-null caller → **block**.
+1. **Server-detected conflict** — `rows[0].state === "worktree_conflict"` (command `/codebyplan:release-or-switch`): the todo-worker already detected the lock conflict. (`worktree_conflict` is the worker's current state-value name — it now reflects a user-level lock conflict and is renamed alongside the web-UI/schema work in a later task.) Surface the mismatch message below and **STOP**. Do NOT auto-trigger the release-or-switch command and do NOT call `release_assignment` — the user who owns the lock must release it or a maintainer must use `release_assignment`.
+2. **Checkpoint-ownership check** — take the target checkpoint's `assigned_user_id` (loaded above) and compare with caller `USER_ID`:
+   - target `assigned_user_id` is `null` → **allow** (unassigned — any user may pick it up).
+   - target `assigned_user_id` === caller `USER_ID` → **allow**.
+   - target `assigned_user_id` non-null AND differs from caller `USER_ID` → **block**.
 
-On block, resolve the owning worktree's `name` + `path` via MCP `get_worktrees({ repo_id })` (display-only ownership-block path — no CLI verb exists for worktrees; stays MCP), then emit and STOP:
+On block, emit and STOP (show the owner email if resolvable from the whoami context, otherwise the `assigned_user_id` UUID):
 
 ```
-⚠ Work mismatch: CHK-<NNN> TASK-<N> is assigned to worktree <name> (<short-uuid>), not this one (<this-name> / <this-short-uuid>).
+⚠ Work mismatch: CHK-<NNN> TASK-<N> is assigned to user <email-or-uuid>, not you.
 Options:
-  A) Switch to <owning-worktree-path> and resume there
-  B) Work on something else here — run /cbp-checkpoint-create or /cbp-task-create
+  A) Work on something else — run /cbp-checkpoint-create or /cbp-task-create
+  B) Ask the owner to release the assignment, or a maintainer can use release_assignment, then re-run /cbp-todo
   C) /cbp-session-end
 ```
 
-`<short-uuid>` = first 8 chars of the worktree UUID. Caller unresolved → render "this one" as `(unresolved / —)`. Name lookup miss → show the UUID alone. Wait for the user. NEVER propose reassigning the checkpoint to the caller worktree.
+Wait for the user. NEVER propose reassigning the checkpoint to the caller.
 
 ### Step 1.55: Stale-Entity Guard
 
@@ -170,8 +155,8 @@ Display a brief context summary:
 
 Reached when `get_todos` returns `[]` or `USER_ID` was unavailable.
 
-1. **Fallback discovery** (worktree-scoped): read `.codebyplan/state/session/current.json` and scan `.codebyplan/state/checkpoints/` for active checkpoints (fallback: MCP `get_current_task` + `get_checkpoints`) to discover whether actionable work exists for this caller.
-2. **Actionable work found** → treat the discovered checkpoint as the routing target and apply BOTH the Step 1.5 ownership gate and the Step 1.6 planning gate to it, using the `worktree_id` + `plan` + `status` returned by `get_checkpoints` (the fallback has no `rows[0]` — substitute the discovered checkpoint). If both gates pass, route via Step 2 → Step 4.
+1. **Fallback discovery**: read `.codebyplan/state/session/current.json` and scan `.codebyplan/state/checkpoints/` for active checkpoints (fallback: MCP `get_current_task` + `get_checkpoints`) to discover whether actionable work exists for this caller.
+2. **Actionable work found** → treat the discovered checkpoint as the routing target and apply BOTH the Step 1.5 ownership gate and the Step 1.6 planning gate to it, using the `assigned_user_id` + `plan` + `status` returned by `get_checkpoints` (the fallback has no `rows[0]` — substitute the discovered checkpoint). If both gates pass, route via Step 2 → Step 4.
 3. **Nothing actionable** → suggest ending the session:
 
 ```
@@ -190,6 +175,6 @@ Reached only when the Step 1.5 ownership gate allowed routing to continue, the S
 ## Integration
 
 - **Called by**: `/cbp-session-start`, `/cbp-finalize`, `/cbp-checkpoint-complete`, manual, after `/clear`
-- **Resolves**: `npx codebyplan resolve-worktree --json` (worktree id + distress signal), `npx codebyplan whoami --json` (user id)
-- **Reads**: `.codebyplan/state/todos.json`, `session/current.json`, `checkpoints/<id>.json`, `checkpoints/<id>/tasks/<id>.json`, `checkpoints/<id>/tasks/<id>/rounds/<id>.json`, `worktrees.json`. If missing/stale, run `npx codebyplan sync` once and re-read. Break-glass: MCP `get_todos`, `get_current_task`, `get_rounds`, `get_checkpoints`, `get_tasks` when state dir absent and sync fails. `get_worktrees` stays MCP (display-only ownership-block path; no CLI verb).
+- **Resolves**: `npx codebyplan whoami --json` (user id)
+- **Reads**: `.codebyplan/state/todos.json`, `session/current.json`, `checkpoints/<id>.json`, `checkpoints/<id>/tasks/<id>.json`, `checkpoints/<id>/tasks/<id>/rounds/<id>.json`. If missing/stale, run `npx codebyplan sync` once and re-read. Break-glass: MCP `get_todos`, `get_current_task`, `get_rounds`, `get_checkpoints`, `get_tasks` when state dir absent and sync fails.
 - **Triggers**: `rows[0].command` (auto, after the Step 1.5 ownership gate and Step 1.55 stale-entity guard pass, and the Step 1.6 planning gate falls through); Step 1.55 overrides to STOP (stale completed/cancelled entity); Step 1.6 overrides to `/cbp-checkpoint-plan` (unplanned) or `/cbp-checkpoint-start` (planned-but-pending)

package/templates/skills/cbp-todo/qa-regression.md

@@ -1,51 +1,45 @@
 ---
 name: cbp-todo-qa-regression
-description: Manual regression procedure for the cbp-todo worktree-ownership gate + get_todos switch (CHK-137 TASK-2)
+description: Manual regression procedure for the cbp-todo user-ownership gate + get_todos switch (CHK-225 TASK-5)
 ---
 
-# cbp-todo — Worktree-Ownership Regression
+# cbp-todo — User-Ownership Regression
 
-Manual procedure verifying that `/cbp-todo` reads the pure-read `get_todos` queue and refuses to auto-route into work locked to another worktree. No automated harness exists for markdown skills; run these by hand (or read the queue with the MCP tools) whenever Step 0/1/1.5 of `SKILL.md` changes.
+Manual procedure verifying that `/cbp-todo` reads the pure-read `get_todos` queue and refuses to auto-route into work locked to another user. No automated harness exists for markdown skills; run these by hand (or read the queue with the MCP tools) whenever Step 0/1/1.5 of `SKILL.md` changes.
 
 Repo under test: `2ff6d405-39c5-47b8-a6d1-59f998ac0537`. Resolve a real `user_id` with `npx codebyplan whoami --json`, or harvest a non-null `assigned_user_id` from `get_checkpoints`.
 
 ## Preconditions
 
 - `get_todos` is the only Step 1 read — confirm no `get_next_action` / `regenerate_todos_for_repo` call remains (`grep -n 'get_next_action\|regenerate_todos_for_repo' SKILL.md` → no hits).
-- Step 0 uses `resolve-worktree --json` and `whoami --json`.
+- Step 0 uses `whoami --json` only — no worktree-resolution CLI verb appears in SKILL.md (verify by grepping the banned token list against SKILL.md; zero hits expected).
 - Step 1.55 (Stale-Entity Guard) must NOT call `get_next_action` or `regenerate_todos_for_repo` when rejecting a stale head — it reuses the checkpoint `status` + task statuses already loaded in Step 1.5 (the same grep above covers it).
 
-## Scenario A — caller owns the work → auto-trigger
+## Scenario A — current user owns the work → auto-trigger
 
-1. From a worktree that owns the active checkpoint (caller `WORKTREE_ID` === target checkpoint `worktree_id`, or target `worktree_id` is `null`).
-2. `get_todos({ repo_id, user_id, worktree_id })` returns a head whose target checkpoint is owned by the caller (or unscoped).
+1. `npx codebyplan whoami --json` returns `user_id` matching the target checkpoint's `assigned_user_id` (or `assigned_user_id` is `null` — open queue).
+2. `get_todos({ repo_id, user_id })` returns a head whose target checkpoint is owned by the caller (or unassigned).
 3. **Expected**: Step 1.5 ownership gate allows, Step 1.6 planning gate falls through, Step 4 auto-triggers `rows[0].command` (mapped to its `/cbp-<name>` form).
 
-## Scenario B1 — server-generated conflict head → halt
+## Scenario B — checkpoint assigned to a DIFFERENT user → halt
 
-1. Caller `codebyplan-claude-2` (`38cd7dfa`). Active work assigned to `codebyplan-cli` (`016bd7f2`).
-2. `get_todos` head is the server conflict todo: `state === "worktree_conflict"`, `command "/codebyplan:release-or-switch"`, `metadata.conflicting_worktree_name === "codebyplan-cli"`.
-3. **MCP calls expected**: `get_todos`; `get_worktrees` (to resolve `016bd7f2` path for the message). NO `get_checkpoints` needed — the server already resolved the conflict.
-4. **Expected**: Step 1.5 server-conflict branch blocks and STOPS. The "Work mismatch" message names `codebyplan-cli (016bd7f2)` vs `codebyplan-claude-2 (38cd7dfa)`, offers Switch (`/Users/merilyviks/codebyplan-cli`) / other-work / session-end. NO auto-trigger; NO `release_assignment` call (never reassign the lock to the caller).
+1. `whoami` returns user A. Target checkpoint `assigned_user_id` is user B (non-null, different).
+2. `get_todos` head is a normal routing todo whose target checkpoint `assigned_user_id` is user B's UUID.
+3. **MCP calls expected**: `get_todos`; `get_checkpoints` (Step 1.5 load, reads the target `assigned_user_id`). Owner is identified by `assigned_user_id` directly (email from whoami context if resolvable, else the UUID) — no worktree-lookup MCP call is needed.
+4. **Expected**: Step 1.5 checkpoint-ownership branch blocks and STOPS with the "Work mismatch" message naming the owner email-or-uuid. NO auto-trigger; the Step 1.6 planning gate never runs (ownership precedes it). NEVER propose reassigning the checkpoint to the caller.
 
-## Scenario B2 — normal head, mismatched checkpoint owner → halt
+## Scenario C — empty queue / anonymous caller → fallback
 
-1. Caller `codebyplan-claude-2` (`38cd7dfa`). `get_todos` head is a normal routing todo whose target checkpoint `worktree_id` is `016bd7f2`.
-2. **MCP calls expected**: `get_todos`; `get_checkpoints` (Step 1.5 load, reads the target `worktree_id`); `get_worktrees` (resolve `016bd7f2` name + path).
-3. **Expected**: Step 1.5 checkpoint-ownership branch blocks and STOPS with the same "Work mismatch" message. NO auto-trigger; the Step 1.6 planning gate never runs (ownership precedes it).
-
-## Scenario C — empty queue + cross-worktree current task → halt
-
-1. `get_todos` returns `[]` (or `whoami` returned `null`, so Step 1 was skipped).
-2. Step 3 fallback: `get_current_task({ repo_id, worktree_id })` / `get_checkpoints({ repo_id, worktree_id, status: 'active' })` surface a checkpoint whose `worktree_id` differs from the caller.
-3. **Expected**: the Step 1.5 ownership gate (applied to the fallback target) blocks the discovered work with the same "Work mismatch" message. NO auto-trigger. `regenerate_todos_for_repo` is never called.
+1. `get_todos` returns `[]` OR `whoami` returned `null`/empty `user_id`, so Step 1 was skipped.
+2. Step 3 fallback: `get_current_task` / `get_checkpoints` surface a checkpoint whose `assigned_user_id` differs from the caller (or caller is anonymous).
+3. **Expected**: the Step 1.5 ownership gate (applied to the fallback target) blocks the discovered work with the "Work mismatch" message when the user differs, or routes to the idle suggestion when the caller is anonymous and no open work is found. NO auto-trigger. `regenerate_todos_for_repo` is never called.
 
 ## Scenario D — stale queue head for a completed/cancelled entity → halt
 
-1. Caller owns the active checkpoint (Scenario A ownership holds), but the todo-worker queue is lagging — `health_check.todos_freshness_ok === false`. The `get_todos` head targets a checkpoint (or task) that has since been completed or cancelled.
-2. Step 1.5 loads the target checkpoint `status` + `get_tasks(checkpoint_id)` (already required for the ownership/planning gates — no extra reads).
-3. **Expected**: Step 1.55 rejects the auto-trigger — target checkpoint `status` is `completed`/`cancelled` (or every task is `completed`/`cancelled`) — surfaces the "Stale queue head" message naming the command + `CHK-NNN`[ `TASK-N`] + status, and STOPS. NO auto-trigger. NO `get_next_action` / `regenerate_todos_for_repo` call.
+1. Caller's `user_id` matches the target checkpoint's `assigned_user_id` (ownership passes), but the todo-worker queue is lagging — `health_check.todos_freshness_ok === false`. The `get_todos` head targets a checkpoint (or task) that has since been completed or cancelled.
+2. Step 1.5 loads the target checkpoint `status` + task statuses (already required for the ownership/planning gates — no extra reads).
+3. **Expected**: Step 1.55 rejects the auto-trigger — target checkpoint `status` is `completed`/`cancelled` (or every task is `completed`/`cancelled`) — surfaces the "Stale queue head" message naming the command + `CHK-NNN`[`TASK-N`] + status, and STOPS. NO auto-trigger. NO `get_next_action` / `regenerate_todos_for_repo` call.
 
-## Edge — both null
+## Edge — null assigned_user_id (open work)
 
-Caller `WORKTREE_ID` empty AND target checkpoint `worktree_id` `null` → legitimate main-repo / unassigned work → auto-trigger allowed.
+`assigned_user_id` is `null` on the target checkpoint AND caller has a valid `user_id` → open/unassigned work → auto-trigger allowed (proceeds to Step 1.6 planning gate).

package/templates/skills/cbp-verify/reference/round-scope.md

@@ -58,5 +58,4 @@ human confirmation — do not add an AskUserQuestion in cbp-verify at round scop
 
 `codebyplan round update --id <round_id> --task-id <uuid> --checkpoint-id <uuid> --context '<json>'`
 (merge `verify_manifest` into existing context; the REPLACE contract requires the full object).
-Break-glass: MCP `update_round` (checkpoint KIND) / `update_standalone_round` (standalone KIND) —
-pass `caller_worktree_id` on locked feat rows.
+Break-glass: MCP `update_round` (checkpoint KIND) / `update_standalone_round` (standalone KIND).