codebyplan 1.13.63 → 1.13.64

package/dist/cli.js

@@ -48,7 +48,7 @@ var VERSION, PACKAGE_NAME;
 var init_version = __esm({
   "src/lib/version.ts"() {
     "use strict";
-    VERSION = "1.13.63";
+    VERSION = "1.13.64";
     PACKAGE_NAME = "codebyplan";
   }
 });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "codebyplan",
-  "version": "1.13.63",
+  "version": "1.13.64",
   "description": "CLI for CodeByPlan — AI-powered development planning and tracking",
   "type": "module",
   "bin": {

package/templates/hooks/cbp-skill-context-guard.sh

@@ -1,11 +1,16 @@
 #!/bin/bash
 # @scope: org-shared
 # Hook: PreToolUse (Skill)
-# Purpose: Deny heavy close-out skills when context window > CBP_CONTEXT_WARN_TOKENS (default 200000).
-#          Reads transcript_path from stdin, sums the latest assistant message.usage — same logic
-#          as cbp-context-window-notify.sh. If total exceeds threshold AND the skill is in the
-#          heavy close-out allowlist, emits hookSpecificOutput.permissionDecision=deny directing
-#          Claude to run /cbp-clear-prep. Always exits 0 — fail-open.
+# Purpose: Deny heavy close-out skills when context window exceeds the model-aware threshold:
+#          200K tokens for standard models (CBP_CONTEXT_WARN_TOKENS, default 200000);
+#          800K tokens for 1M-context models whose id contains "[1m]"
+#          (CBP_CONTEXT_WARN_TOKENS_1M, default 800000).
+#          Reads transcript_path from stdin, extracts the latest assistant message.usage
+#          AND model id in one pass — same logic as cbp-context-window-notify.sh.
+#          If total exceeds the tier threshold AND the skill is in the heavy close-out
+#          allowlist, emits hookSpecificOutput.permissionDecision=deny directing Claude
+#          to run /cbp-clear-prep. Always exits 0 — fail-open.
+#          No model id found → standard tier (fail-conservative).
 
 set -euo pipefail
 
@@ -17,8 +22,6 @@ TRANSCRIPT=$(echo "$INPUT" | jq -r '.transcript_path // ""' 2>/dev/null) || TRAN
 [ -z "$TRANSCRIPT" ] && exit 0
 [ ! -f "$TRANSCRIPT" ] && exit 0
 
-THRESHOLD="${CBP_CONTEXT_WARN_TOKENS:-200000}"
-
 # Heavy close-out allowlist (cbp-clear-prep + cbp-clear-continue deliberately excluded so
 # they always run even when context > threshold).
 HEAVY_SKILLS="cbp-round-build cbp-verify cbp-standalone-task-testing cbp-checkpoint-check cbp-checkpoint-end"
@@ -33,20 +36,37 @@ for heavy in $HEAVY_SKILLS; do
 done
 [ "$IS_HEAVY" = "false" ] && exit 0
 
-# Token sum — same logic as cbp-context-window-notify.sh
-TOTAL=$(tail -n 400 "$TRANSCRIPT" \
+# Extract model id AND token sum from the latest assistant message with usage, in one pass.
+# Outputs two tab-separated fields: MODEL_ID <tab> TOTAL.
+# Use cut -f1/f2 (not read -r A B) to correctly handle an empty first field (no .message.model).
+_TSV=$(tail -n 400 "$TRANSCRIPT" \
   | jq -rR 'fromjson? | select(.message.usage != null)
-      | (.message.usage
-         | ((.input_tokens // 0) + (.cache_creation_input_tokens // 0) + (.cache_read_input_tokens // 0)))' \
-  2>/dev/null | tail -1) || TOTAL=0
+      | [ (.message.model // ""),
+          ((.message.usage.input_tokens // 0)
+           + (.message.usage.cache_creation_input_tokens // 0)
+           + (.message.usage.cache_read_input_tokens // 0)) ]
+      | @tsv' 2>/dev/null | tail -1) || _TSV=""
+MODEL_ID=$(printf '%s' "${_TSV:-}" | cut -f1)
+TOTAL=$(printf '%s' "${_TSV:-}" | cut -f2)
+MODEL_ID="${MODEL_ID:-}"
 TOTAL="${TOTAL:-0}"
 
+# Tier selection: [1m] in model id → 1M tier; otherwise standard (fail-conservative)
+if printf '%s' "$MODEL_ID" | grep -qF '[1m]'; then
+  THRESHOLD="${CBP_CONTEXT_WARN_TOKENS_1M:-800000}"
+  TIER="1M"
+else
+  THRESHOLD="${CBP_CONTEXT_WARN_TOKENS:-200000}"
+  TIER="standard"
+fi
+
 if [ "$TOTAL" -ge "$THRESHOLD" ] 2>/dev/null; then
   jq -n \
     --argjson tokens "$TOTAL" \
     --argjson threshold "$THRESHOLD" \
     --arg skill "$SKILL_NAME" \
-    '{hookSpecificOutput:{permissionDecision:"deny",permissionDecisionReason:("Context window at \($tokens) tokens (threshold \($threshold)) is too large to safely run /\($skill). Run /cbp-clear-prep now to capture a handoff, then /clear, then /cbp-clear-continue to resume.")}}'
+    --arg tier "$TIER" \
+    '{hookSpecificOutput:{permissionDecision:"deny",permissionDecisionReason:("Context window at \($tokens) tokens (\($tier) tier, threshold \($threshold)) is too large to safely run /\($skill). Run /cbp-clear-prep now to capture a handoff, then /clear, then /cbp-clear-continue to resume.")}}'
 fi
 
 exit 0

package/templates/hooks/cbp-test-hooks.sh

@@ -374,6 +374,87 @@ fi
 
 echo ""
 
+# ===== HOOK SMOKE TESTS — cbp-mcp-caller-worktree-inject =====
+echo "## Hook Smoke Tests — cbp-mcp-caller-worktree-inject (CHK-198)"
+
+INJECT_HOOK="$HOOKS_DIR/cbp-mcp-caller-worktree-inject.sh"
+# Absolute path — the fail-open test runs the hook from a temp cwd (to isolate it
+# from this repo's git context), where the relative "$HOOKS_DIR" no longer resolves.
+INJECT_HOOK_ABS="$(cd "$HOOKS_DIR" 2>/dev/null && pwd)/cbp-mcp-caller-worktree-inject.sh"
+
+if [ ! -f "$INJECT_HOOK" ]; then
+  test_result "cbp-mcp-caller-worktree-inject.sh present" "passed" "missing"
+else
+  test_result "cbp-mcp-caller-worktree-inject.sh present" "passed" "passed"
+
+  FIRST_LINE=$(head -1 "$INJECT_HOOK")
+  if echo "$FIRST_LINE" | grep -q '^#!/'; then
+    test_result "cbp-mcp-caller-worktree-inject.sh has shebang" "passed" "passed"
+  else
+    test_result "cbp-mcp-caller-worktree-inject.sh has shebang" "passed" "missing"
+  fi
+
+  if grep -q '@scope: org-shared' "$INJECT_HOOK"; then
+    test_result "cbp-mcp-caller-worktree-inject.sh has @scope: org-shared" "passed" "passed"
+  else
+    test_result "cbp-mcp-caller-worktree-inject.sh has @scope: org-shared" "passed" "missing"
+  fi
+
+  # Fail-open: run from a non-repo temp dir with no worktree cache and no
+  # CLAUDE_PROJECT_DIR — neither the cache nor the CLI fallback can resolve a
+  # worktree, so the hook must exit 0 with empty stdout (no updatedInput).
+  ISO=$(mktemp -d)
+  OUTPUT=$( (cd "$ISO" && env -u CLAUDE_PROJECT_DIR bash "$INJECT_HOOK_ABS" <<< '{"tool_input":{"task_id":"x"}}') 2>/dev/null )
+  EXIT_CODE=$?
+  if [ "$EXIT_CODE" = "0" ] && [ -z "$OUTPUT" ]; then
+    test_result "cbp-mcp-caller-worktree-inject.sh fail-open (unresolvable) exits 0 + empty stdout" "passed" "passed"
+  else
+    test_result "cbp-mcp-caller-worktree-inject.sh fail-open (unresolvable) exits 0 + empty stdout" "passed" "failed (exit=$EXIT_CODE)"
+  fi
+  rm -rf "$ISO"
+
+  # C6 — input already carries a non-empty caller_worktree_id → never overwrite;
+  # early-return with exit 0 and empty stdout (no resolution attempted).
+  OUTPUT=$(echo '{"tool_input":{"caller_worktree_id":"11111111-1111-1111-1111-111111111111"}}' | bash "$INJECT_HOOK" 2>/dev/null)
+  EXIT_CODE=$?
+  if [ "$EXIT_CODE" = "0" ] && [ -z "$OUTPUT" ]; then
+    test_result "cbp-mcp-caller-worktree-inject.sh C6 keeps existing caller_worktree_id (exit 0 + empty stdout)" "passed" "passed"
+  else
+    test_result "cbp-mcp-caller-worktree-inject.sh C6 keeps existing caller_worktree_id (exit 0 + empty stdout)" "passed" "failed (exit=$EXIT_CODE)"
+  fi
+
+  # Injection — a worktree.local.json whose .branch matches the current git branch
+  # makes the cache fast-path resolve. Use a synthetic UUID so the assertion proves
+  # the cache value (not the live CLI) was injected. Skipped when no concrete git
+  # branch resolves (detached HEAD / non-git checkout) or jq is unavailable.
+  CUR_BRANCH=$(git rev-parse --abbrev-ref HEAD 2>/dev/null)
+  if [ -n "$CUR_BRANCH" ] && [ "$CUR_BRANCH" != "HEAD" ] && command -v jq >/dev/null 2>&1; then
+    ISO=$(mktemp -d)
+    mkdir -p "$ISO/.codebyplan"
+    FAKE_WT="abcdef01-2345-6789-abcd-ef0123456789"
+    jq -n --arg b "$CUR_BRANCH" --arg w "$FAKE_WT" \
+      '{worktree_id:$w, branch:$b}' > "$ISO/.codebyplan/worktree.local.json"
+    OUTPUT=$(CLAUDE_PROJECT_DIR="$ISO" bash "$INJECT_HOOK" <<< '{"tool_input":{"task_id":"x"}}' 2>/dev/null)
+    EXIT_CODE=$?
+    INJECTED=$(echo "$OUTPUT" | jq -r '.hookSpecificOutput.updatedInput.caller_worktree_id // empty' 2>/dev/null)
+    # Sibling-key survival — CC's updatedInput REPLACES tool_input wholesale (it is
+    # not a partial merge), so the hook must echo back every original field merged
+    # with caller_worktree_id. Assert the non-target sibling key (task_id) survives;
+    # this is the assertion gap that let the replace-vs-merge bug ship in round 2.
+    PRESERVED=$(echo "$OUTPUT" | jq -r '.hookSpecificOutput.updatedInput.task_id // empty' 2>/dev/null)
+    if [ "$EXIT_CODE" = "0" ] && [ "$INJECTED" = "$FAKE_WT" ] && [ "$PRESERVED" = "x" ]; then
+      test_result "cbp-mcp-caller-worktree-inject.sh injects caller_worktree_id AND preserves sibling keys" "passed" "passed"
+    else
+      test_result "cbp-mcp-caller-worktree-inject.sh injects caller_worktree_id AND preserves sibling keys" "passed" "failed (exit=$EXIT_CODE injected=$INJECTED preserved=$PRESERVED)"
+    fi
+    rm -rf "$ISO"
+  else
+    test_result "cbp-mcp-caller-worktree-inject.sh injection test (no branch resolvable — skipped)" "passed" "passed"
+  fi
+fi
+
+echo ""
+
 # ===== HOOK SMOKE TESTS — cbp-session-start-hook =====
 echo "## Hook Smoke Tests — cbp-session-start-hook (CHK-178)"
 
@@ -533,6 +614,91 @@ else
 
 fi
 
+echo ""
+
+# ===== HOOK SMOKE TESTS — cbp-skill-context-guard model-aware tier (CHK-224) =====
+echo "## Hook Smoke Tests — cbp-skill-context-guard model-aware tier (CHK-224)"
+
+FIXTURES_GUARD_MODEL="$HOOKS_DIR/__test-fixtures__/cbp-skill-context-guard"
+
+# Case M1: standard model @201K → deny (standard tier, 200K threshold)
+if [ -f "$FIXTURES_GUARD_MODEL/over-threshold-standard.jsonl" ]; then
+  STDIN=$(jq -n \
+    --arg t "$FIXTURES_GUARD_MODEL/over-threshold-standard.jsonl" \
+    --arg s "cbp-round-build" \
+    '{transcript_path:$t,tool_input:{skill:$s}}')
+  OUTPUT=$(echo "$STDIN" | CBP_CONTEXT_WARN_TOKENS=200000 bash "$GUARD_HOOK" 2>/dev/null)
+  EXIT_CODE=$?
+  if [ "$EXIT_CODE" = "0" ] \
+     && echo "$OUTPUT" | jq -e '.hookSpecificOutput.permissionDecision == "deny"' >/dev/null 2>&1; then
+    test_result "cbp-skill-context-guard.sh standard model @201K → deny (standard tier)" "passed" "passed"
+  else
+    test_result "cbp-skill-context-guard.sh standard model @201K → deny (standard tier)" "passed" "failed (exit=$EXIT_CODE output=$(echo "$OUTPUT" | head -c 80))"
+  fi
+fi
+
+# Case M2: [1m] model @201K → empty stdout (allowed; 201K is below 800K 1M-tier threshold)
+if [ -f "$FIXTURES_GUARD_MODEL/over-threshold-1m.jsonl" ]; then
+  STDIN=$(jq -n \
+    --arg t "$FIXTURES_GUARD_MODEL/over-threshold-1m.jsonl" \
+    --arg s "cbp-round-build" \
+    '{transcript_path:$t,tool_input:{skill:$s}}')
+  OUTPUT=$(echo "$STDIN" | CBP_CONTEXT_WARN_TOKENS_1M=800000 bash "$GUARD_HOOK" 2>/dev/null)
+  EXIT_CODE=$?
+  if [ "$EXIT_CODE" = "0" ] && [ -z "$OUTPUT" ]; then
+    test_result "cbp-skill-context-guard.sh [1m] model @201K → empty stdout (under 800K 1M tier)" "passed" "passed"
+  else
+    test_result "cbp-skill-context-guard.sh [1m] model @201K → empty stdout (under 800K 1M tier)" "passed" "failed (exit=$EXIT_CODE output=$(echo "$OUTPUT" | head -c 80))"
+  fi
+fi
+
+# Case M3: [1m] model @850K → deny (1M tier, 800K threshold)
+if [ -f "$FIXTURES_GUARD_MODEL/over-threshold-1m-denied.jsonl" ]; then
+  STDIN=$(jq -n \
+    --arg t "$FIXTURES_GUARD_MODEL/over-threshold-1m-denied.jsonl" \
+    --arg s "cbp-round-build" \
+    '{transcript_path:$t,tool_input:{skill:$s}}')
+  OUTPUT=$(echo "$STDIN" | CBP_CONTEXT_WARN_TOKENS_1M=800000 bash "$GUARD_HOOK" 2>/dev/null)
+  EXIT_CODE=$?
+  if [ "$EXIT_CODE" = "0" ] \
+     && echo "$OUTPUT" | jq -e '.hookSpecificOutput.permissionDecision == "deny"' >/dev/null 2>&1; then
+    test_result "cbp-skill-context-guard.sh [1m] model @850K → deny (1M tier)" "passed" "passed"
+  else
+    test_result "cbp-skill-context-guard.sh [1m] model @850K → deny (1M tier)" "passed" "failed (exit=$EXIT_CODE output=$(echo "$OUTPUT" | head -c 80))"
+  fi
+fi
+
+# Case M4: env override CBP_CONTEXT_WARN_TOKENS=150000 + standard model @201K → deny
+if [ -f "$FIXTURES_GUARD_MODEL/over-threshold-standard.jsonl" ]; then
+  STDIN=$(jq -n \
+    --arg t "$FIXTURES_GUARD_MODEL/over-threshold-standard.jsonl" \
+    --arg s "cbp-round-build" \
+    '{transcript_path:$t,tool_input:{skill:$s}}')
+  OUTPUT=$(echo "$STDIN" | CBP_CONTEXT_WARN_TOKENS=150000 bash "$GUARD_HOOK" 2>/dev/null)
+  EXIT_CODE=$?
+  if [ "$EXIT_CODE" = "0" ] \
+     && echo "$OUTPUT" | jq -e '.hookSpecificOutput.permissionDecision == "deny"' >/dev/null 2>&1; then
+    test_result "cbp-skill-context-guard.sh env CBP_CONTEXT_WARN_TOKENS=150000 + standard @201K → deny" "passed" "passed"
+  else
+    test_result "cbp-skill-context-guard.sh env CBP_CONTEXT_WARN_TOKENS=150000 + standard @201K → deny" "passed" "failed (exit=$EXIT_CODE output=$(echo "$OUTPUT" | head -c 80))"
+  fi
+fi
+
+# Case M5: env override CBP_CONTEXT_WARN_TOKENS_1M=900000 + [1m] model @850K → empty stdout (allowed)
+if [ -f "$FIXTURES_GUARD_MODEL/over-threshold-1m-denied.jsonl" ]; then
+  STDIN=$(jq -n \
+    --arg t "$FIXTURES_GUARD_MODEL/over-threshold-1m-denied.jsonl" \
+    --arg s "cbp-round-build" \
+    '{transcript_path:$t,tool_input:{skill:$s}}')
+  OUTPUT=$(echo "$STDIN" | CBP_CONTEXT_WARN_TOKENS_1M=900000 bash "$GUARD_HOOK" 2>/dev/null)
+  EXIT_CODE=$?
+  if [ "$EXIT_CODE" = "0" ] && [ -z "$OUTPUT" ]; then
+    test_result "cbp-skill-context-guard.sh env CBP_CONTEXT_WARN_TOKENS_1M=900000 + [1m] @850K → empty stdout (override keeps allowed)" "passed" "passed"
+  else
+    test_result "cbp-skill-context-guard.sh env CBP_CONTEXT_WARN_TOKENS_1M=900000 + [1m] @850K → empty stdout (override keeps allowed)" "passed" "failed (exit=$EXIT_CODE output=$(echo "$OUTPUT" | head -c 80))"
+  fi
+fi
+
 # ===== STRUCTURAL ASSERTIONS — cbp-clear-* skills (CHK-217) =====
 echo ""
 echo "## Structural Assertions — cbp-clear-* skills (CHK-217)"

package/templates/rules/architecture-map.md

@@ -1,3 +1,9 @@
+---
+paths:
+  - "apps/**"
+  - "packages/**"
+---
+
 # Architecture Map
 
 When `.claude/architecture/` exists in this repo, per-module map files may be present.

package/templates/rules/cbp-operating-gotchas.md

@@ -25,13 +25,11 @@ SHARED tooling behavior only — repo-specific gotchas belong in that repo's own
   clobbers existing `decisions` / `discoveries` / `check_results`. Always read the current row,
   merge your change into the full object/array, then write the whole thing back.
 
-- **User-level locks are invisible until a mutation they block.** `get_checkpoints` /
-  `get_tasks` succeed even when another user holds the assignment; the 403 fires only on
-  `update_*` / `complete_*`. The lock keys on the JWT user (`ctx.userId`) vs the row's
-  `assigned_user_id` (null = open). `caller_worktree_id` / `worktree_id` params are
-  accepted-and-ignored — do not thread them. Verify `assigned_user_id` matches
-  `npx codebyplan whoami` before mutating; recover a stale assignment with
-  `release_assignment` (maintainer).
+- **`resolve-worktree` empty output = a NULL `(device, path, branch)` tuple, not a broken
+  resolver.** When identity is unresolved the server can collapse the caller to the repo's main
+  worktree, so feat-locked writes get rejected. Pass `caller_worktree_id` on every MCP mutation,
+  and confirm ownership by matching the row's repo path + branch to the current directory before
+  mutating.
 
 - **Full-repo lint/type baselines are often pre-existing red.** A round must gate on the files
   it changed, not the whole-repo baseline — scope lint/tsc checks to the round's changed set so a
@@ -40,14 +38,30 @@ SHARED tooling behavior only — repo-specific gotchas belong in that repo's own
 - **`complete_task` checks file approval on the round's `files_changed`, not the task's.**
   Reconcile approvals via `update_round` (set each entry `user_approved: true`), not
   `update_task` alone — updating only the task leaves the round entries unapproved and
-  `complete_task` rejects with "files are not approved".
+  `complete_task` rejects with "files are not approved". After a merge-main pulls in foreign
+  files or carried directory-slash round artifacts, `complete_task` can hard-fail "N files not
+  approved"; fix by re-writing each affected round's `files_changed` via `update_round`.
 
-- **CLI transport uses REST (reads) and OAuth+MCP (writes) — a 502 from `codebyplan round sync-approvals` is transient MCP churn, not an outage.** The CLI exits 0 with a warning and MCP tools still work. A missing `CODEBYPLAN_API_KEY` surfaces as an `ApiError`, not a 502. `sync-approvals` can also drag untracked per-device dirs into `files_changed` — run it from the repo root.
+- **CLI transport uses REST (reads) and OAuth+MCP (writes) — a 502 from `codebyplan round sync-approvals` is transient MCP churn, not an outage.** The CLI exits 0 with a warning and MCP tools still work. A missing `CODEBYPLAN_API_KEY` surfaces as an `ApiError`, not a 502. `sync-approvals` can also drag untracked per-device dirs into `files_changed` — run it from the repo root or pass `--caller-worktree-id`.
 
 - **`codebyplan claude update` requires a TTY.** On non-TTY stdin (CI, piped) it half-applies then errors. Re-run with `--yes` to accept defaults non-interactively.
 
+- **Checkpoint locks are invisible until a mutation they block.** `get_checkpoints` / `get_tasks` succeed even when another worktree holds the lock; the 403 fires only on `update_*` / `complete_*`. Verify the row's `worktree_id` matches the caller before mutating. A null-`worktree_id` checkpoint can still be actively shipped by whichever worktree physically holds its feat branch — check `git worktree list` first.
+
+- **`update_task` accepts `caller_worktree_id` for lock-verify only — it does NOT assign ownership.** Ownership assignment goes through the web UI or the dedicated assignment path. Don't conflate `caller_worktree_id` with `assigned_worktree_id`.
+
 - **Re-run config-driven gates after merging main into a feat branch.** A merge can add or change `.codebyplan/shipment.json`, ports, branch config, `e2e.json`, and `eslint.json` — treat the post-merge state as a fresh baseline before continuing.
 
+- **MCP write calls can return 403 via Cloudflare WAF when the JSONB payload contains DDL
+  keywords (table-drop statements, function-drop statements, or raw query clauses).** Paraphrase
+  or base64-encode any user-provided SQL content before embedding it in a JSONB field — never
+  pass raw DDL verbatim in MCP context payloads.
+
+- **A "Merge origin/main" commit can integrate ZERO commits if it merged a stale local ref.**
+  Always `git fetch` and re-check the behind-count before treating a merge as complete — a
+  clean merge with no new commits is a sign the local ref was stale, not that the branch was
+  already up to date.
+
 ## Behavioral Preferences
 
 - **Never `git stash`** — for any reason. To inspect or compare other state use

package/templates/rules/e2e-mandatory.md

@@ -1,3 +1,8 @@
+---
+paths:
+  - "apps/**"
+---
+
 # E2E Mandatory Run Contract
 
 E2E is **opt-out, not opt-in**. Whenever a framework configured in `.codebyplan/e2e.json`

package/templates/rules/model-invocation-convention.md

@@ -32,7 +32,7 @@ not via `disable-model-invocation`:
    under what condition, so the intent is auditable and overridable.
 
 See `.claude/skills/cbp-build-cc-settings/reference/cbp-permission-policy.md` for the full
-`allow` vs `ask` split and the auto-trigger + 200K context-guard model.
+`allow` vs `ask` split and the auto-trigger + model-aware context-guard (200K standard / 800K on `[1m]` sessions).
 
 ## Related
 

package/templates/rules/scope-vocabulary.md

@@ -1,3 +1,8 @@
+---
+paths:
+  - ".claude/**"
+---
+
 # Scope Vocabulary
 
 Canonical scope-marker enum for `.claude/` files. The marker classifies a structural file's distribution scope — but it is **required only on user-created files**, not on the assets the `codebyplan` package distributes.

package/templates/rules/task-routing-recommendation.md

@@ -45,7 +45,7 @@ After task completion, routes use single-directive form (never A/B/C menus):
 
 **Checkpoint-bound task complete:**
 - More tasks in checkpoint → auto-triggers next task (same context)
-- Last task in checkpoint → auto-triggers `cbp-checkpoint-check` (ask-tier permission prompt is the human gate; the 200K context guard handles oversized contexts)
+- Last task in checkpoint → auto-triggers `cbp-checkpoint-check` (ask-tier permission prompt is the human gate; the model-aware context guard handles oversized contexts — 200K standard, 800K on `[1m]` sessions)
 
 **Standalone task complete:**
 - Always → `Next: /cbp-session-end` (or `/cbp-standalone-task-create` for new work)

package/templates/settings.project.base.json

@@ -147,22 +147,16 @@
       "mcp__codebyplan__get_checkpoints",
       "mcp__codebyplan__get_current_task",
       "mcp__codebyplan__get_eslint_presets",
-      "mcp__codebyplan__get_eslint_repo_config",
       "mcp__codebyplan__get_file_changes",
-      "mcp__codebyplan__get_library_doc_job",
       "mcp__codebyplan__get_repos",
       "mcp__codebyplan__get_rounds",
       "mcp__codebyplan__get_server_config",
       "mcp__codebyplan__get_session_log",
       "mcp__codebyplan__get_session_logs",
       "mcp__codebyplan__get_session_state",
-      "mcp__codebyplan__get_task_template",
-      "mcp__codebyplan__get_task_templates",
       "mcp__codebyplan__get_tasks",
       "mcp__codebyplan__get_todos",
-      "mcp__codebyplan__list_tech_stack_sync_sessions",
       "mcp__codebyplan__get_chunk",
-      "mcp__codebyplan__get_library_toc",
       "mcp__codebyplan__list_migrations",
       "mcp__codebyplan__lookup_symbol",
       "mcp__codebyplan__resolve_library_id",
@@ -184,7 +178,15 @@
       "mcp__codebyplan__flag_stale_chunk",
       "mcp__codebyplan__update_eslint_repo_config",
       "mcp__codebyplan__update_server_config",
-      "mcp__codebyplan__update_task_template",
+      "mcp__codebyplan__get_standalone_tasks",
+      "mcp__codebyplan__get_current_standalone_task",
+      "mcp__codebyplan__get_standalone_rounds",
+      "mcp__codebyplan__create_standalone_task",
+      "mcp__codebyplan__update_standalone_task",
+      "mcp__codebyplan__complete_standalone_task",
+      "mcp__codebyplan__add_standalone_round",
+      "mcp__codebyplan__update_standalone_round",
+      "mcp__codebyplan__complete_standalone_round",
       "Bash(codebyplan check:*)",
       "Bash(npx codebyplan check:*)",
       "Bash(codebyplan session:*)",

package/templates/skills/cbp-build-cc-agent/SKILL.md

@@ -77,6 +77,7 @@ Check each against the task and include only when they add value:
 | Background execution | `background: true`                                              | Agent should always run concurrently                   |
 | Bounded turns        | `maxTurns: N`                                                   | Cap runaway loops                                      |
 | Subagent spawning    | `tools: Agent(worker, researcher)`                              | Only if run as main thread via `--agent`               |
+| Memory store         | `memory: user \| project \| local`                              | Which memory store the agent reads/writes              |
 
 Cross-references for complex cases:
 
@@ -136,5 +137,7 @@ Report:
 - Subagents cannot spawn other subagents — the `Agent` tool only applies when the agent runs as the main thread
 - `bypassPermissions` and `acceptEdits` inherited from the parent cannot be weakened by the child
 - Preloaded skills inject _full content_ at startup — don't preload `disable-model-invocation: true` skills
+- `Task(` was renamed to `Agent(` in v2.1.63 — use `Agent(...)` in `tools:` allowlists; `Task()` is a stale alias that still works but should not appear in new agents
+- Plugin agents (`.claude/agents/`) ignore `hooks`, `mcpServers`, and `permissionMode` — these fields parse without error but have no runtime effect for plugin agents
 - Restart the session or use `/agents` to load a newly written agent file
 - Flat form `.claude/agents/{name}.md` is the default and matches all 12 existing CBP agents; folder form `{name}/AGENT.md` is optional and only for agents that bundle supporting files alongside them

package/templates/skills/cbp-build-cc-agent/reference/frontmatter-fields.md

@@ -18,6 +18,7 @@ Source: official Claude Code sub-agents spec. Only `name` and `description` are
 | `effort` | string | `low` \| `medium` \| `high` \| `xhigh` \| `max`. **Plugin agents authored in CBP MUST set this explicitly** (no commented-out placeholder); see [/cbp-build-cc-mode](../../build-cc-mode/SKILL.md) for the matrix |
 | `isolation` | string | `worktree` — gives the agent a temporary git worktree |
 | `color` | string | `red` \| `blue` \| `green` \| `yellow` \| `purple` \| `orange` \| `pink` \| `cyan` |
+| `memory` | string | Which memory store the agent reads/writes: `user` \| `project` \| `local` |
 | `initialPrompt` | string | Auto-submitted first user turn when the agent is the main session agent |
 
 ## Tool-allowlist special forms
@@ -34,3 +35,33 @@ Source: official Claude Code sub-agents spec. Only `name` and `description` are
 2. Per-invocation `model` parameter passed by Claude
 3. The `model` field in this file
 4. Main conversation's model
+
+## Task( → Agent( rename (v2.1.63)
+
+The `Agent` tool replaces the older `Task` tool. `Task()` still works as a stale alias but new agents should use `Agent(...)` in their `tools:` allowlists. Example: `tools: Agent(worker, researcher)` — not `Task(worker, researcher)`. The runtime accepts both forms; prefer `Agent`.
+
+## Plugin agent limitations
+
+Plugin agents (those defined in `.claude/agents/`) ignore the following fields — they are parsed without error but have **no runtime effect**:
+
+- `hooks` — lifecycle hooks are silently no-opped for plugin agents
+- `mcpServers` — scoped MCP server definitions are ignored
+- `permissionMode` — the parent session's permission mode applies unchanged; the child cannot set its own
+
+This is distinct from agents run as the main thread via `claude --agent`, where these fields take full effect.
+
+## Skills-preload constraint
+
+Skills listed in `skills:` are preloaded — their full content is injected into the agent's context at startup. Do NOT preload skills that carry `disable-model-invocation: true`. A preloaded skill with that flag is loaded at startup but can never be invoked at runtime, so its content wastes context and its intent cannot be fulfilled.
+
+## CBP-only fields (not read by Claude Code)
+
+`scope:` is **CBP framework metadata** — it is NOT part of the official Claude Code sub-agents spec and is not read by the Claude Code runtime. It declares the agent's distribution class:
+
+| Value | Meaning |
+|-------|---------|
+| `org-shared` | Ships identically to every consuming repo via the `codebyplan` package |
+| `project-shared` | Shared across repos in a single project family |
+| `repo-only:<name>` | Bound to one repo; `<name>` is the repo slug |
+
+Required only on user-created agents (no template twin). Package-managed agents are `org-shared` by default — no marker needed. See [rules/scope-vocabulary.md](../../../../rules/scope-vocabulary.md).

package/templates/skills/cbp-build-cc-agent/reference/permission-modes.md

@@ -16,3 +16,9 @@ Source: official Claude Code sub-agents and permission-modes specs.
 - If parent is `bypassPermissions` or `acceptEdits`, child cannot weaken it
 - If parent is `auto`, child inherits `auto` and its `permissionMode` is ignored
 - Otherwise the child's `permissionMode` takes effect as declared
+
+## Plugin agents
+
+Plugin agents (those defined in `.claude/agents/` and loaded by the runtime, not run via `claude --agent`) **ignore `permissionMode` entirely**. The field is valid YAML and parses without error, but has no runtime effect — the parent session's permission mode applies unchanged.
+
+Likewise, `hooks` and `mcpServers` are ignored for plugin agents regardless of the parent session's permission mode. These fields only take effect when the agent runs as the main thread via `claude --agent`.

package/templates/skills/cbp-build-cc-agent/templates/agent.md

@@ -6,6 +6,7 @@ tools: Read, Grep, Glob, Bash
 # disallowedTools: Write, Edit  # alternative to tools — inherits then removes
 # review with /cbp-build-cc-mode if defaults don't fit this agent's purpose
 model: sonnet
+# memory: user  # user | project | local — which memory store this agent reads/writes
 # permissionMode: default  # default | acceptEdits | auto | dontAsk | bypassPermissions | plan
 # maxTurns: 20
 effort: xhigh

package/templates/skills/cbp-build-cc-settings/reference/cbp-permission-policy.md

@@ -24,8 +24,8 @@ Precedence is `deny > ask > allow`; arrays union across scopes (managed/user/pro
 
 - **Non-lifecycle, non-shipment `/cbp-*` skills** — authoring (`cbp-build-cc-*`), frontend (`cbp-frontend-*`), git (`cbp-git-*`, `cbp-merge-main`, `cbp-refresh-infra`), round work (`cbp-round-plan`, `cbp-verify` — `cbp-verify` is the autonomous verify stage that runs deterministic gates, proves execution, spawns the fresh-context reviewer, and routes to `cbp-round-complete` or `cbp-round-plan`, so it runs without a prompt), setup/configure (`cbp-setup-*`, `cbp-ship-configure`, `cbp-supabase-*`), task prep (`cbp-task-create`/`-start`, `cbp-standalone-task-check`/`-testing`), planning (`cbp-checkpoint-plan`/`-update`), plus `cbp-session-start` and `cbp-todo`. Invoking a skill is the intended mode of operation; the gated side effects happen inside via the Bash/MCP tools the skill calls, which carry their own tiering. The lifecycle/state-transition and plan-approval skills are the exception — they live in `ask` (next section).
 - **All `mcp__codebyplan__*` reads** (`get_*`, `list_*`, `search_*`, `health_check`, `lookup_symbol`, `resolve_library_id`, `get_chunk`).
-- **Routine workflow-write MCP tools** the pipeline calls many times per task: create/update/complete checkpoint, task, and round; session log + session-state writes; `create_worktree`, `add_library`, `flag_stale_chunk`, `update_server_config`, `update_eslint_repo_config`, `update_task_template`. Gating these with `ask` would make the autonomous workflow unusable.
-- **Read/safe CLI commands** (both `codebyplan X` and `npx codebyplan X`): `whoami`, `statusline`, `ports`, `tech-stack`, `eslint`, `round`, `help`, `--version`.
+- **Routine workflow-write MCP tools** the pipeline calls many times per task: create/update/complete checkpoint, task, and round; session log + session-state writes; `create_worktree`, `add_library`, `flag_stale_chunk`, `update_server_config`, `update_eslint_repo_config`. Gating these with `ask` would make the autonomous workflow unusable.
+- **Read/safe CLI commands** (both `codebyplan X` and `npx codebyplan X`): `whoami`, `resolve-worktree`, `statusline`, `ports`, `tech-stack`, `eslint`, `round`, `help`, `--version`.
 
 ### `ask` — the deliberate confirm-gate
 
@@ -66,11 +66,18 @@ This means:
 - A skill in `ask` that is auto-triggered shows a permission prompt — that prompt is the gate;
   say so in the routing prose.
 
-### The 200K context guard
+### The model-aware context guard
 
 The `cbp-skill-context-guard.sh` PreToolUse hook denies heavy close-out skills when the
-context window exceeds `CBP_CONTEXT_WARN_TOKENS` (default 200 000 tokens). The heavy allowlist
-is: `cbp-round-build`, `cbp-verify`, `cbp-standalone-task-testing`,
+context window exceeds the model-aware threshold:
+
+- **Standard models**: `CBP_CONTEXT_WARN_TOKENS` (default 200 000 tokens)
+- **1M-context models** (model id contains `[1m]`): `CBP_CONTEXT_WARN_TOKENS_1M` (default 800 000 tokens)
+
+When no model id is found in the transcript the hook fails conservative to the standard 200K
+tier. Each env var overrides only its own tier — the other tier is unaffected.
+
+The heavy allowlist is: `cbp-round-build`, `cbp-verify`, `cbp-standalone-task-testing`,
 `cbp-checkpoint-check`, `cbp-checkpoint-end`.
 
 When the guard fires, it directs the model to run `/cbp-clear-prep` instead. The flow is:

package/templates/skills/cbp-build-cc-skill/SKILL.md

@@ -97,6 +97,7 @@ Key fields by use case:
 | Manual-only workflow                                 | `disable-model-invocation: true`                                                                                                                                                                                                 |
 | Hide from `/` menu                                   | `user-invocable: false`                                                                                                                                                                                                          |
 | Pre-approve tools                                    | `allowed-tools: Bash(git add *) Bash(git commit *)`                                                                                                                                                                              |
+| Block specific tools                                 | `disallowed-tools: Write, Edit` (denylist applied before `allowed-tools`; blocks those tools for the duration of the skill)                                                                                                       |
 | Accept arguments                                     | `argument-hint: [file] [mode]`, optionally `arguments: [file mode]` for named `$file`/`$mode`                                                                                                                                    |
 | Set model + effort                                   | `model: inherit` (the standard value — explicitly signals session-model inheritance) and `effort: xhigh` (default for plugin skills; lower tiers `high`/`medium`/`low` per [/cbp-build-cc-mode](../build-cc-mode/SKILL.md)). A non-`inherit` model pin forces a model the user didn't choose and can carry the session's 1M `[1m]` tier onto the skill (→ "usage credits required for 1M context"), so pin only as a deliberate, documented exception |
 | Path-scoped auto-load                                | `paths: ["src/api/**/*.ts"]`                                                                                                                                                                                                     |

package/templates/skills/cbp-build-cc-skill/reference/frontmatter-fields.md

@@ -12,6 +12,7 @@ Source: official Claude Code skills spec. All fields are optional; `description`
 | `disable-model-invocation` | `true` → only user can invoke (via `/name`). Upstream skills that auto-trigger this skill MUST emit a `Next: /name` directive instead — model invocation is blocked by the runtime; see SKILL.md Step 4 "Convention: User-only / permission-gated finalizer" |
 | `user-invocable` | `false` → hidden from `/` menu, Claude-only |
 | `allowed-tools` | Pre-approve tools while the skill is active |
+| `disallowed-tools` | Denylist tools blocked while the skill is active — complement to `allowed-tools`. Applied before `allowed-tools`; e.g. `disallowed-tools: Write, Edit` prevents those tools even if the session allows them |
 | `model` | Model for this skill's turn. **CBP skills set `model: inherit`** (the standard value — explicitly signals session-model inheritance). A non-`inherit` pin (e.g. `sonnet`) forces that model and can carry the session's 1M `[1m]` context tier onto the skill, triggering "usage credits required for 1M context"; use only as a deliberate, documented exception — see [/cbp-build-cc-mode](../../build-cc-mode/SKILL.md) |
 | `effort` | Override effort level (`low`/`medium`/`high`/`xhigh`/`max`). **Plugin skills authored in CBP MUST set this explicitly** (no commented-out placeholder); defaults to `xhigh`. See [/cbp-build-cc-mode](../../build-cc-mode/SKILL.md) for the matrix |
 | `context` | `fork` → run in a subagent |
@@ -39,3 +40,16 @@ Total skill-description budget in context: 1% of the context window (fallback 8,
 | `user-invocable: false` | No | Yes | Description in context; body loads on auto-invoke |
 
 > **Upstream-directive rule**: a skill with `disable-model-invocation: true` cannot be invoked by another skill. Any upstream skill that auto-triggers it MUST emit a `Next: /skill-name` close-out directive and stop. See "Convention: User-only / permission-gated finalizer" in SKILL.md Step 4 for the full pattern and canonical example.
+
+## `context: fork` + `agent:` interplay
+
+`agent:` is **ignored by the runtime unless `context: fork` is also set**. When both are present, the skill body runs in the named agent's context (isolated subagent). Built-in agent types: `Explore`, `Plan`, `general-purpose`, or any custom agent name. Note that `Explore`/`Plan` subagents skip the project `CLAUDE.md` — they have no inherited session context. Use `general-purpose` (or a custom agent) when the forked skill needs CLAUDE.md to be in scope.
+
+## CBP-only fields (not read by Claude Code)
+
+Two fields in CBP `.claude/` structural files are **CBP framework metadata** — they are NOT part of the official Claude Code skills spec and are not read by the Claude Code runtime:
+
+| Field | Purpose |
+|-------|---------|
+| `scope:` | Distribution class — `org-shared` \| `project-shared` \| `repo-only:<repo-name>`. Required only on user-created skills (no template twin). Package-managed skills are `org-shared` by default and need no marker. See [rules/scope-vocabulary.md](../../../../rules/scope-vocabulary.md) |
+| `triggers:` | CBP pipeline routing documentation only — describes when the skill auto-fires in the CBP pipeline. Has no runtime effect; Claude Code does not read it |

package/templates/skills/cbp-build-cc-skill/templates/skill.md

@@ -8,6 +8,7 @@ description: What this skill does and when to use it. Front-load the key use cas
 # disable-model-invocation: false  # true = only user can invoke via /name
 # user-invocable: true  # false = only Claude can invoke (hidden from / menu)
 # allowed-tools: Read, Grep, Glob, Bash(git status *)
+# disallowed-tools: Write, Edit  # tools blocked while the skill is active (complement to allowed-tools)
 # model:  # OMIT to inherit the session model (recommended). A pinned model can carry the session's 1M [1m] tier and require usage credits — pin only as a documented exception (see /cbp-build-cc-mode)
 # review effort with /cbp-build-cc-mode if the default doesn't fit this skill's purpose
 effort: xhigh

package/templates/skills/cbp-clear-prep/SKILL.md

@@ -119,4 +119,4 @@ The user must run both commands manually.
 - **Writes**: `.codebyplan/clear/handoff.md`
 - **Next**: user runs `/clear`, then `/cbp-clear-continue`
 - **Companion**: `.claude/skills/cbp-clear-continue/SKILL.md` reads `.codebyplan/clear/handoff.md`
-- **Guard hook**: `.claude/hooks/cbp-skill-context-guard.sh` — fires when context > CBP_CONTEXT_WARN_TOKENS (default 200000)
+- **Guard hook**: `.claude/hooks/cbp-skill-context-guard.sh` — fires when context exceeds the model-aware threshold: `CBP_CONTEXT_WARN_TOKENS` (default 200000) for standard models; `CBP_CONTEXT_WARN_TOKENS_1M` (default 800000) for `[1m]`-context models. No model id found → standard tier (fail-conservative).

package/templates/skills/cbp-finalize/SKILL.md

@@ -133,7 +133,7 @@ Skip the push only when nothing was committed in Step 5 AND `/cbp-merge-main` re
 
 ### Step 7: Complete Task
 
-MCP `complete_task(task_id)`. The server keys on the JWT user (`ctx.userId`) — no worktree param is needed. The server auto-clears `assigned_user_id` on the task; if this was the last sibling task, it also clears the parent checkpoint's assignment.
+MCP `complete_task(task_id)` — kept on MCP because the CLI `codebyplan task complete` sends an empty POST body and cannot forward `caller_worktree_id`, which the server uses to enforce the mutate-lock. `caller_worktree_id` is auto-injected by the `cbp-mcp-caller-worktree-inject.sh` PreToolUse hook (CHK-198 TASK-2); the server falls back to the repo `main` worktree only when it is absent, then enforces the mutate-lock. The server auto-clears `assigned_user_id` + `assigned_worktree_id` on the task; if this was the last sibling task, it also clears the parent checkpoint's assignment. (Per CHK-104 hard-lock.)
 
 ### Step 8: Run Cleanup + Migration (inline)
 
@@ -153,7 +153,7 @@ Show the completion summary:
 **Warnings**: [any QA / file-approval warnings from Step 3, or "none"]
 ```
 
-Then route. Same-context transitions (next task in this checkpoint) auto-trigger `cbp-task-start` via the Skill tool. Checkpoint-done (last task) also auto-triggers `cbp-checkpoint-check` via the Skill tool (`ask`-tier — the permission prompt is the human gate; the 200K context guard handles oversized contexts via the cbp-clear-prep flow). Only the no-task-anywhere session-end fallback surfaces as a single directive (`Next: Run /clear, then /cbp-session-end`) for the user to invoke.
+Then route. Same-context transitions (next task in this checkpoint) auto-trigger `cbp-task-start` via the Skill tool. Checkpoint-done (last task) also auto-triggers `cbp-checkpoint-check` via the Skill tool (`ask`-tier — the permission prompt is the human gate; the model-aware context guard handles oversized contexts via the cbp-clear-prep flow — 200K standard, 800K on `[1m]` sessions). Only the no-task-anywhere session-end fallback surfaces as a single directive (`Next: Run /clear, then /cbp-session-end`) for the user to invoke.
 
 #### 9a — Determine routing context
 
@@ -182,7 +182,7 @@ If no next task is found (no pending work anywhere in the repo), emit directive
 The checkpoint has no remaining tasks. Invoke `cbp-checkpoint-check` via the Skill tool.
 `cbp-checkpoint-check` is `ask`-tier — the harness permission prompt IS the human gate; the
 user confirms (or declines) before checkpoint verification and ship begins. If the context
-window is above the 200K threshold the `cbp-skill-context-guard.sh` hook will block it and
+window is above the model-aware threshold (200K standard, 800K for `[1m]` sessions) the `cbp-skill-context-guard.sh` hook will block it and
 direct you to run `/cbp-clear-prep` first; otherwise checkpoint-check starts on confirmation.
 
 ## Integration
@@ -190,7 +190,7 @@ direct you to run `/cbp-clear-prep` first; otherwise checkpoint-check starts on
 - **Triggered by**: `/cbp-verify` (auto, scope=task, when it writes `verify_verdict.verdict === 'READY'`)
 - **Chain**: `/cbp-verify` (scope=task READY) → `/cbp-finalize`
 - **Reads**: `.codebyplan/state/checkpoints/*.json`, `checkpoints/<id>/tasks/*.json`, `checkpoints/<id>/tasks/<id>/rounds/*.json`, `todos.json` (local-first; `npx codebyplan sync` on miss; MCP `get_current_task`/`get_rounds`/`get_tasks` break-glass) — including each round's `verify_manifest` and `task.context.verify_verdict`
-- **Writes**: `codebyplan task update` for `files_changed` (CLI write-through; MCP `update_task` break-glass); MCP `complete_task` for task completion
+- **Writes**: `codebyplan task update` for `files_changed` (CLI write-through; MCP `update_task` break-glass); MCP `complete_task` for task completion (kept MCP — CLI cannot forward `caller_worktree_id`)
 - **Uses skills (inline, no sub-agent)**: `cleanup` (if deletions), `migration` (if exports renamed)
 - **Triggers**: Same-context transitions auto-trigger via the Skill tool (next task in checkpoint → `cbp-task-start {N}`, `allow`-tier, fires silently). Checkpoint-done → auto-triggers `cbp-checkpoint-check` via Skill tool (`ask`-tier, permission prompt IS the human gate). No-task-anywhere fallback → directive `Next: Run /clear, then /cbp-session-end.`
 - **Checkpoint-bound only** — for standalone tasks use `/cbp-standalone-task-complete`

package/templates/skills/cbp-finalize/reference/checkpoint-done-branching.md

@@ -17,7 +17,7 @@ The skill detects "checkpoint done" at Step 9 by:
 When all siblings are done, the skill invokes `cbp-checkpoint-check` via the Skill tool:
 
 - `cbp-checkpoint-check` is `ask`-tier — the harness permission prompt IS the human gate. The user confirms (or declines) before checkpoint verification and the shipment chain begin.
-- No `/clear` is emitted unconditionally. If the `cbp-skill-context-guard.sh` hook detects the context window is above the 200K threshold it blocks the skill and directs you to run `/cbp-clear-prep` first (which writes a handoff; the user then runs `/clear`, then `/cbp-clear-continue` resumes); otherwise checkpoint-check starts immediately on confirmation.
+- No `/clear` is emitted unconditionally. If the `cbp-skill-context-guard.sh` hook detects the context window is above the model-aware threshold (200K for standard models; 800K for `[1m]`-context models; env vars `CBP_CONTEXT_WARN_TOKENS` / `CBP_CONTEXT_WARN_TOKENS_1M`) it blocks the skill and directs you to run `/cbp-clear-prep` first (which writes a handoff; the user then runs `/clear`, then `/cbp-clear-continue` resumes); otherwise checkpoint-check starts immediately on confirmation.
 
 There is no AskUserQuestion menu. Expanding the checkpoint with more tasks (`/cbp-checkpoint-update`) or wrapping up the session (`/cbp-session-end`) are no longer surfaced as inline alternatives — the deterministic next step on checkpoint-done is `cbp-checkpoint-check`. (The user can still invoke those other skills manually at any time; they are simply not part of the auto-flow.)
 

package/templates/skills/cbp-finalize/reference/next-step-heuristic.md

@@ -19,7 +19,7 @@ No AskUserQuestion, no `/clear`. The skill fires immediately.
 
 Two sub-cases:
 
-**Checkpoint done** (last task in the checkpoint complete): auto-trigger `cbp-checkpoint-check` via the Skill tool. `cbp-checkpoint-check` is `ask`-tier — the permission prompt is the human gate; the 200K context guard handles oversized contexts (via `cbp-clear-prep`) only when context is near the limit. No unconditional `/clear`. (See `checkpoint-done-branching.md`.)
+**Checkpoint done** (last task in the checkpoint complete): auto-trigger `cbp-checkpoint-check` via the Skill tool. `cbp-checkpoint-check` is `ask`-tier — the permission prompt is the human gate; the model-aware context guard handles oversized contexts (via `cbp-clear-prep`) only when context is near the limit — 200K standard, 800K on `[1m]` sessions (env vars `CBP_CONTEXT_WARN_TOKENS` / `CBP_CONTEXT_WARN_TOKENS_1M`). No unconditional `/clear`. (See `checkpoint-done-branching.md`.)
 
 **Session end** (no pending tasks anywhere): emit a single directive line at the end of skill output and stop: