codebyplan 1.13.66 → 1.13.67

package/dist/cli/worktree/remove.d.ts

@@ -1,18 +1,20 @@
 /**
- * CLI entry point for `codebyplan worktree remove <name|CHK-NNN>`.
+ * CLI entry point for `codebyplan worktree remove <name|CHK-NNN|abs-path>`.
  *
  * Usage: codebyplan worktree remove <name>         (legacy name-based path)
  *        codebyplan worktree remove <CHK-NNN>      (checkpoint path — git rm + Supabase teardown)
  *        codebyplan worktree remove <bare-number>  (same as CHK-NNN)
+ *        codebyplan worktree remove <abs-path>     (direct path — same logic as CHK-NNN without number computation)
  *
  * Legacy path: deregistration retired in CHK-225 TASK-3; returns { mcp_deregistered: false } with no MCP call.
- * CHK-NNN path: performs git worktree remove and Supabase preview-branch teardown; deregistration removed.
+ * CHK-NNN / abs-path: performs git worktree remove and Supabase preview-branch teardown; deregistration removed.
  *
  * Output JSON:
  *   Legacy:  { mcp_deregistered: boolean, warn? }
- *   CHK-NNN: { mcp_deregistered: boolean, git_removed: boolean, supabase_torn_down: boolean, warn? }
+ *   CHK-NNN / abs-path: { mcp_deregistered: boolean, git_removed: boolean, supabase_torn_down: boolean,
+ *                          remote_branch_deleted?: boolean, local_branch_deleted?: boolean, warn? }
  *
- * Exit: 0 on success or non-fatal failure; 1 on usage error.
+ * Exit: 0 on success or non-fatal failure; 1 on usage error; 2 when cwd is inside the target worktree.
  */
 export interface GitRunResult {
     status: number | null;
@@ -40,21 +42,51 @@ export interface RemoveWorktreeDeps {
      * Idempotent: not-found is success ({ deleted: true }).
      */
     deleteSupabaseBranch?: (branchName: string, cwd: string) => Promise<SupabaseTeardownResult>;
+    /**
+     * Guard: returns true when cwd is the worktree being removed or a child of it.
+     * When true, removal is aborted with exit code 2.
+     * Default: cwd === worktreePath || cwd.startsWith(worktreePath + sep)
+     */
+    isInsideWorktreePath?: (worktreePath: string, cwd: string) => boolean;
+    /**
+     * Verify the remote branch exists (ls-remote --exit-code) and delete it when found.
+     * Non-fatal: failures emit warnings and never change the exit code.
+     * Returns { remote_branch_deleted: boolean, warn?: string }.
+     */
+    verifyAndDeleteRemoteBranch?: (branchName: string, cwd: string) => Promise<{
+        remote_branch_deleted: boolean;
+        warn?: string;
+    }>;
+    /**
+     * Delete the local tracking branch after the worktree has been removed.
+     * Attempts `git branch -d` first; escalates to `git branch -D` only when the
+     * remote is confirmed gone (remote_is_gone === true).
+     * Non-fatal: failures emit warnings and never change the exit code.
+     * Returns { local_branch_deleted: boolean, warn?: string }.
+     */
+    deleteFeatBranch?: (branchName: string, cwd: string, remote_is_gone: boolean) => Promise<{
+        local_branch_deleted: boolean;
+        warn?: string;
+    }>;
 }
 export interface RemoveWorktreeResult {
     mcp_deregistered: boolean;
-    /** CHK-NNN path only: whether git worktree remove succeeded. */
+    /** CHK-NNN / abs-path: whether git worktree remove succeeded. */
     git_removed?: boolean;
-    /** CHK-NNN path only: whether the Supabase preview branch was deleted. */
+    /** CHK-NNN / abs-path: whether the Supabase preview branch was deleted. */
     supabase_torn_down?: boolean;
+    /** CHK-NNN / abs-path: whether the remote git branch was deleted. */
+    remote_branch_deleted?: boolean;
+    /** CHK-NNN / abs-path: whether the local git branch was deleted. */
+    local_branch_deleted?: boolean;
     warn?: string;
 }
 /**
  * Run `codebyplan worktree remove`.
  *
- * @param args  Remaining args after "remove" was stripped — e.g. ["my-branch"] or ["CHK-207"]
+ * @param args  Remaining args after "remove" was stripped — e.g. ["my-branch"], ["CHK-207"], or ["/abs/path"]
  * @param deps  Injectable deps for testing.
- * @returns     Exit code: 0 success / non-fatal, 1 usage error.
+ * @returns     Exit code: 0 success / non-fatal, 1 usage error, 2 cwd-inside guard.
  */
 export declare function runWorktreeRemove(args: string[], deps?: RemoveWorktreeDeps): Promise<number>;
 //# sourceMappingURL=remove.d.ts.map

package/dist/cli/worktree/remove.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"remove.d.ts","sourceRoot":"","sources":["../../../src/cli/worktree/remove.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAUH,MAAM,WAAW,YAAY;IAC3B,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,KAAK,CAAC;CACf;AAED,MAAM,WAAW,sBAAsB;IACrC,OAAO,EAAE,OAAO,CAAC;IACjB,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,kBAAkB;IACjC,GAAG,CAAC,EAAE,MAAM,CAAC;IAIb,gEAAgE;IAChE,MAAM,CAAC,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE,GAAG,EAAE,MAAM,KAAK,YAAY,CAAC;IACvD;;;;OAIG;IACH,qBAAqB,CAAC,EAAE,CAAC,YAAY,EAAE,MAAM,KAAK,MAAM,GAAG,IAAI,CAAC;IAChE;;;;OAIG;IACH,oBAAoB,CAAC,EAAE,CACrB,UAAU,EAAE,MAAM,EAClB,GAAG,EAAE,MAAM,KACR,OAAO,CAAC,sBAAsB,CAAC,CAAC;CACtC;AAiJD,MAAM,WAAW,oBAAoB;IACnC,gBAAgB,EAAE,OAAO,CAAC;IAC1B,gEAAgE;IAChE,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,0EAA0E;IAC1E,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAC7B,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAgGD;;;;;;GAMG;AACH,wBAAsB,iBAAiB,CACrC,IAAI,EAAE,MAAM,EAAE,EACd,IAAI,GAAE,kBAAuB,GAC5B,OAAO,CAAC,MAAM,CAAC,CA2BjB"}
+{"version":3,"file":"remove.d.ts","sourceRoot":"","sources":["../../../src/cli/worktree/remove.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAWH,MAAM,WAAW,YAAY;IAC3B,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,KAAK,CAAC;CACf;AAED,MAAM,WAAW,sBAAsB;IACrC,OAAO,EAAE,OAAO,CAAC;IACjB,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,kBAAkB;IACjC,GAAG,CAAC,EAAE,MAAM,CAAC;IAIb,gEAAgE;IAChE,MAAM,CAAC,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE,GAAG,EAAE,MAAM,KAAK,YAAY,CAAC;IACvD;;;;OAIG;IACH,qBAAqB,CAAC,EAAE,CAAC,YAAY,EAAE,MAAM,KAAK,MAAM,GAAG,IAAI,CAAC;IAChE;;;;OAIG;IACH,oBAAoB,CAAC,EAAE,CACrB,UAAU,EAAE,MAAM,EAClB,GAAG,EAAE,MAAM,KACR,OAAO,CAAC,sBAAsB,CAAC,CAAC;IACrC;;;;OAIG;IACH,oBAAoB,CAAC,EAAE,CAAC,YAAY,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,KAAK,OAAO,CAAC;IACtE;;;;OAIG;IACH,2BAA2B,CAAC,EAAE,CAC5B,UAAU,EAAE,MAAM,EAClB,GAAG,EAAE,MAAM,KACR,OAAO,CAAC;QAAE,qBAAqB,EAAE,OAAO,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAChE;;;;;;OAMG;IACH,gBAAgB,CAAC,EAAE,CACjB,UAAU,EAAE,MAAM,EAClB,GAAG,EAAE,MAAM,EACX,cAAc,EAAE,OAAO,KACpB,OAAO,CAAC;QAAE,oBAAoB,EAAE,OAAO,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CAChE;AAoOD,MAAM,WAAW,oBAAoB;IACnC,gBAAgB,EAAE,OAAO,CAAC;IAC1B,iEAAiE;IACjE,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,2EAA2E;IAC3E,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAC7B,qEAAqE;IACrE,qBAAqB,CAAC,EAAE,OAAO,CAAC;IAChC,oEAAoE;IACpE,oBAAoB,CAAC,EAAE,OAAO,CAAC;IAC/B,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AA4LD;;;;;;GAMG;AACH,wBAAsB,iBAAiB,CACrC,IAAI,EAAE,MAAM,EAAE,EACd,IAAI,GAAE,kBAAuB,GAC5B,OAAO,CAAC,MAAM,CAAC,CAgCjB"}

package/dist/cli.js

@@ -48,7 +48,7 @@ var VERSION, PACKAGE_NAME;
 var init_version = __esm({
   "src/lib/version.ts"() {
     "use strict";
-    VERSION = "1.13.66";
+    VERSION = "1.13.67";
     PACKAGE_NAME = "codebyplan";
   }
 });
@@ -39272,6 +39272,7 @@ var init_create = __esm({
 });
 
 // src/cli/worktree/remove.ts
+import { isAbsolute as isAbsolute4, sep as sep3 } from "node:path";
 import { spawnSync as spawnSync21 } from "node:child_process";
 function defaultGitRun2(args, cwd) {
   const result = spawnSync21("git", args, {
@@ -39387,6 +39388,51 @@ async function defaultDeleteSupabaseBranch(branchName, cwd) {
     };
   }
 }
+function defaultIsInsideWorktreePath(worktreePath, cwd) {
+  return cwd === worktreePath || cwd.startsWith(worktreePath + sep3);
+}
+function defaultVerifyAndDeleteRemoteBranch(branchName, cwd) {
+  const gitRun = defaultGitRun2;
+  const lsResult = gitRun(
+    ["ls-remote", "--exit-code", "origin", branchName],
+    cwd
+  );
+  if (lsResult.status !== 0) {
+    return Promise.resolve({ remote_branch_deleted: false });
+  }
+  const pushResult = gitRun(["push", "origin", "--delete", branchName], cwd);
+  if (pushResult.status !== 0) {
+    const errMsg = pushResult.stderr.trim() || pushResult.error?.message || "unknown error";
+    return Promise.resolve({
+      remote_branch_deleted: false,
+      warn: `Remote branch delete failed (non-fatal): git push origin --delete ${branchName}: ${errMsg}`
+    });
+  }
+  return Promise.resolve({ remote_branch_deleted: true });
+}
+function defaultDeleteFeatBranch(branchName, cwd, remote_is_gone) {
+  const gitRun = defaultGitRun2;
+  const safeResult = gitRun(["branch", "-d", branchName], cwd);
+  if (safeResult.status === 0) {
+    return Promise.resolve({ local_branch_deleted: true });
+  }
+  const safeErrMsg = safeResult.stderr.trim() || safeResult.error?.message || "unknown error";
+  if (remote_is_gone) {
+    const forceResult = gitRun(["branch", "-D", branchName], cwd);
+    if (forceResult.status === 0) {
+      return Promise.resolve({ local_branch_deleted: true });
+    }
+    const forceErrMsg = forceResult.stderr.trim() || forceResult.error?.message || "unknown error";
+    return Promise.resolve({
+      local_branch_deleted: false,
+      warn: `Local branch force-delete failed (non-fatal): git branch -D ${branchName}: ${forceErrMsg}`
+    });
+  }
+  return Promise.resolve({
+    local_branch_deleted: false,
+    warn: `Local branch delete failed (non-fatal, remote still present \u2014 skipping force-delete): git branch -d ${branchName}: ${safeErrMsg}`
+  });
+}
 function parseChkNumber(name) {
   const chkMatch = /^CHK-(\d+)$/i.exec(name);
   if (chkMatch?.[1]) {
@@ -39399,12 +39445,23 @@ function parseChkNumber(name) {
   }
   return null;
 }
-async function runWorktreeRemoveChk(checkpointNumber, deps) {
+async function runWorktreeRemoveAtPath(worktreePath, deps) {
   const cwd = deps.cwd ?? process.cwd();
   const gitRun = deps.gitRun ?? defaultGitRun2;
   const getWorktreeBranchName = deps.getWorktreeBranchName ?? defaultGetWorktreeBranchName;
   const deleteSupabaseBranch = deps.deleteSupabaseBranch ?? defaultDeleteSupabaseBranch;
-  const worktreePath = computeWorktreePath(cwd, checkpointNumber);
+  const isInsideWorktreePath = deps.isInsideWorktreePath ?? defaultIsInsideWorktreePath;
+  const verifyAndDeleteRemoteBranch = deps.verifyAndDeleteRemoteBranch ?? defaultVerifyAndDeleteRemoteBranch;
+  const deleteFeatBranch = deps.deleteFeatBranch ?? defaultDeleteFeatBranch;
+  if (isInsideWorktreePath(worktreePath, cwd)) {
+    process.stderr.write(
+      JSON.stringify({
+        error: "session is inside the target worktree",
+        directive: `Switch to your main checkout, then re-run: codebyplan worktree remove ${worktreePath}`
+      }) + "\n"
+    );
+    return 2;
+  }
   const warnings = [];
   const branchName = getWorktreeBranchName(worktreePath);
   const removeResult = gitRun(["worktree", "remove", worktreePath], cwd);
@@ -39425,15 +39482,45 @@ async function runWorktreeRemoveChk(checkpointNumber, deps) {
       `Could not read the branch name for '${worktreePath}' (directory may already be deleted) \u2014 the Supabase preview branch was NOT torn down. Delete it manually in the Supabase dashboard if it still exists.`
     );
   }
+  let remote_branch_deleted;
+  let local_branch_deleted;
+  let remote_is_gone = false;
+  if (branchName && git_removed) {
+    const remoteResult = await verifyAndDeleteRemoteBranch(branchName, cwd);
+    remote_branch_deleted = remoteResult.remote_branch_deleted;
+    if (remoteResult.warn) {
+      warnings.push(remoteResult.warn);
+    }
+    remote_is_gone = remote_branch_deleted === true || remote_branch_deleted === false && !remoteResult.warn;
+    const localResult = await deleteFeatBranch(branchName, cwd, remote_is_gone);
+    local_branch_deleted = localResult.local_branch_deleted;
+    if (localResult.warn) {
+      warnings.push(localResult.warn);
+    }
+  } else if (branchName && !git_removed) {
+    warnings.push(
+      `Skipped remote/local branch cleanup for '${branchName}': the worktree at '${worktreePath}' was not removed.`
+    );
+  }
   const result = {
     mcp_deregistered: false,
     git_removed,
     supabase_torn_down,
+    ...remote_branch_deleted !== void 0 ? { remote_branch_deleted } : {},
+    ...local_branch_deleted !== void 0 ? { local_branch_deleted } : {},
     ...warnings.length > 0 ? { warn: warnings.join("; ") } : {}
   };
   process.stdout.write(JSON.stringify(result) + "\n");
   return 0;
 }
+async function runWorktreeRemoveChk(checkpointNumber, deps) {
+  const cwd = deps.cwd ?? process.cwd();
+  const worktreePath = computeWorktreePath(cwd, checkpointNumber);
+  return runWorktreeRemoveAtPath(worktreePath, deps);
+}
+async function runWorktreeRemoveByPath(worktreePath, deps) {
+  return runWorktreeRemoveAtPath(worktreePath, deps);
+}
 async function runWorktreeRemove(args, deps = {}) {
   const name = args.find((a) => !a.startsWith("--"));
   if (!name) {
@@ -39444,6 +39531,9 @@ async function runWorktreeRemove(args, deps = {}) {
     );
     return 1;
   }
+  if (isAbsolute4(name)) {
+    return runWorktreeRemoveByPath(name, deps);
+  }
   const chkNumber = parseChkNumber(name);
   if (chkNumber !== null) {
     return runWorktreeRemoveChk(chkNumber, deps);
@@ -42152,7 +42242,7 @@ import {
   readdir as readdir9
 } from "node:fs/promises";
 import { existsSync as existsSync21 } from "node:fs";
-import { join as join58, resolve as resolve15, dirname as dirname17, sep as sep4 } from "node:path";
+import { join as join58, resolve as resolve15, dirname as dirname17, sep as sep5 } from "node:path";
 import { homedir as homedir8 } from "node:os";
 function encodeProjectPath(absPath) {
   return resolve15(absPath).replace(/[/\\]/g, "-");
@@ -42320,7 +42410,7 @@ async function applyPlan(plan, opts) {
     const relPath = entry.suggested_target.slice("nested:".length);
     const targetDir = resolve15(join58(projectDir, relPath));
     const targetFile = join58(targetDir, "CLAUDE.md");
-    if (!targetDir.startsWith(resolve15(projectDir) + sep4)) {
+    if (!targetDir.startsWith(resolve15(projectDir) + sep5)) {
       process.stderr.write(
         `migrate-memory: skipping unsafe suggested_target "${entry.suggested_target}" \u2014 resolves outside projectDir
 `
@@ -42339,7 +42429,7 @@ ${anchor}
       process.stdout.write(`[dry-run] Would create/append: ${targetFile}
 `);
       if (resolve15(entry.source_path).startsWith(
-        resolve15(plan.auto_memory_dir) + sep4
+        resolve15(plan.auto_memory_dir) + sep5
       )) {
         process.stdout.write(
           `[dry-run] Would delete migrated keep source: ${entry.source_path}
@@ -42357,7 +42447,7 @@ ${anchor}
     if (!existing.includes(anchor)) {
       await writeFile22(targetFile, existing + appendContent, "utf-8");
     }
-    if (resolve15(entry.source_path).startsWith(resolve15(plan.auto_memory_dir) + sep4)) {
+    if (resolve15(entry.source_path).startsWith(resolve15(plan.auto_memory_dir) + sep5)) {
       try {
         await unlink8(entry.source_path);
       } catch {
@@ -42395,7 +42485,7 @@ ${IMPORT_LINE}
   for (const entry of plan.entries) {
     if (entry.suggested_action !== "drop") continue;
     if (!resolve15(entry.source_path).startsWith(
-      resolve15(plan.auto_memory_dir) + sep4
+      resolve15(plan.auto_memory_dir) + sep5
     )) {
       process.stderr.write(
         `migrate-memory: skipping delete of "${entry.source_path}" \u2014 resolves outside auto_memory_dir
@@ -42419,7 +42509,7 @@ ${IMPORT_LINE}
     process.stdout.write(`[dry-run] Would delete MEMORY.md: ${memoryMd}
 `);
   } else {
-    if (resolve15(plan.auto_memory_dir).startsWith(safeRmdirBase + sep4)) {
+    if (resolve15(plan.auto_memory_dir).startsWith(safeRmdirBase + sep5)) {
       try {
         await unlink8(memoryMd);
       } catch {
@@ -42437,7 +42527,7 @@ ${IMPORT_LINE}
 `
     );
   } else {
-    if (!resolve15(plan.auto_memory_dir).startsWith(safeRmdirBase + sep4)) {
+    if (!resolve15(plan.auto_memory_dir).startsWith(safeRmdirBase + sep5)) {
       process.stderr.write(
         `migrate-memory: skipping rmdir of "${plan.auto_memory_dir}" \u2014 not under ~/.claude/projects
 `

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "codebyplan",
-  "version": "1.13.66",
+  "version": "1.13.67",
   "description": "CLI for CodeByPlan — AI-powered development planning and tracking",
   "type": "module",
   "bin": {

package/templates/hooks/cbp-test-hooks.sh

@@ -374,87 +374,6 @@ fi
 
 echo ""
 
-# ===== HOOK SMOKE TESTS — cbp-mcp-caller-worktree-inject =====
-echo "## Hook Smoke Tests — cbp-mcp-caller-worktree-inject (CHK-198)"
-
-INJECT_HOOK="$HOOKS_DIR/cbp-mcp-caller-worktree-inject.sh"
-# Absolute path — the fail-open test runs the hook from a temp cwd (to isolate it
-# from this repo's git context), where the relative "$HOOKS_DIR" no longer resolves.
-INJECT_HOOK_ABS="$(cd "$HOOKS_DIR" 2>/dev/null && pwd)/cbp-mcp-caller-worktree-inject.sh"
-
-if [ ! -f "$INJECT_HOOK" ]; then
-  test_result "cbp-mcp-caller-worktree-inject.sh present" "passed" "missing"
-else
-  test_result "cbp-mcp-caller-worktree-inject.sh present" "passed" "passed"
-
-  FIRST_LINE=$(head -1 "$INJECT_HOOK")
-  if echo "$FIRST_LINE" | grep -q '^#!/'; then
-    test_result "cbp-mcp-caller-worktree-inject.sh has shebang" "passed" "passed"
-  else
-    test_result "cbp-mcp-caller-worktree-inject.sh has shebang" "passed" "missing"
-  fi
-
-  if grep -q '@scope: org-shared' "$INJECT_HOOK"; then
-    test_result "cbp-mcp-caller-worktree-inject.sh has @scope: org-shared" "passed" "passed"
-  else
-    test_result "cbp-mcp-caller-worktree-inject.sh has @scope: org-shared" "passed" "missing"
-  fi
-
-  # Fail-open: run from a non-repo temp dir with no worktree cache and no
-  # CLAUDE_PROJECT_DIR — neither the cache nor the CLI fallback can resolve a
-  # worktree, so the hook must exit 0 with empty stdout (no updatedInput).
-  ISO=$(mktemp -d)
-  OUTPUT=$( (cd "$ISO" && env -u CLAUDE_PROJECT_DIR bash "$INJECT_HOOK_ABS" <<< '{"tool_input":{"task_id":"x"}}') 2>/dev/null )
-  EXIT_CODE=$?
-  if [ "$EXIT_CODE" = "0" ] && [ -z "$OUTPUT" ]; then
-    test_result "cbp-mcp-caller-worktree-inject.sh fail-open (unresolvable) exits 0 + empty stdout" "passed" "passed"
-  else
-    test_result "cbp-mcp-caller-worktree-inject.sh fail-open (unresolvable) exits 0 + empty stdout" "passed" "failed (exit=$EXIT_CODE)"
-  fi
-  rm -rf "$ISO"
-
-  # C6 — input already carries a non-empty caller_worktree_id → never overwrite;
-  # early-return with exit 0 and empty stdout (no resolution attempted).
-  OUTPUT=$(echo '{"tool_input":{"caller_worktree_id":"11111111-1111-1111-1111-111111111111"}}' | bash "$INJECT_HOOK" 2>/dev/null)
-  EXIT_CODE=$?
-  if [ "$EXIT_CODE" = "0" ] && [ -z "$OUTPUT" ]; then
-    test_result "cbp-mcp-caller-worktree-inject.sh C6 keeps existing caller_worktree_id (exit 0 + empty stdout)" "passed" "passed"
-  else
-    test_result "cbp-mcp-caller-worktree-inject.sh C6 keeps existing caller_worktree_id (exit 0 + empty stdout)" "passed" "failed (exit=$EXIT_CODE)"
-  fi
-
-  # Injection — a worktree.local.json whose .branch matches the current git branch
-  # makes the cache fast-path resolve. Use a synthetic UUID so the assertion proves
-  # the cache value (not the live CLI) was injected. Skipped when no concrete git
-  # branch resolves (detached HEAD / non-git checkout) or jq is unavailable.
-  CUR_BRANCH=$(git rev-parse --abbrev-ref HEAD 2>/dev/null)
-  if [ -n "$CUR_BRANCH" ] && [ "$CUR_BRANCH" != "HEAD" ] && command -v jq >/dev/null 2>&1; then
-    ISO=$(mktemp -d)
-    mkdir -p "$ISO/.codebyplan"
-    FAKE_WT="abcdef01-2345-6789-abcd-ef0123456789"
-    jq -n --arg b "$CUR_BRANCH" --arg w "$FAKE_WT" \
-      '{worktree_id:$w, branch:$b}' > "$ISO/.codebyplan/worktree.local.json"
-    OUTPUT=$(CLAUDE_PROJECT_DIR="$ISO" bash "$INJECT_HOOK" <<< '{"tool_input":{"task_id":"x"}}' 2>/dev/null)
-    EXIT_CODE=$?
-    INJECTED=$(echo "$OUTPUT" | jq -r '.hookSpecificOutput.updatedInput.caller_worktree_id // empty' 2>/dev/null)
-    # Sibling-key survival — CC's updatedInput REPLACES tool_input wholesale (it is
-    # not a partial merge), so the hook must echo back every original field merged
-    # with caller_worktree_id. Assert the non-target sibling key (task_id) survives;
-    # this is the assertion gap that let the replace-vs-merge bug ship in round 2.
-    PRESERVED=$(echo "$OUTPUT" | jq -r '.hookSpecificOutput.updatedInput.task_id // empty' 2>/dev/null)
-    if [ "$EXIT_CODE" = "0" ] && [ "$INJECTED" = "$FAKE_WT" ] && [ "$PRESERVED" = "x" ]; then
-      test_result "cbp-mcp-caller-worktree-inject.sh injects caller_worktree_id AND preserves sibling keys" "passed" "passed"
-    else
-      test_result "cbp-mcp-caller-worktree-inject.sh injects caller_worktree_id AND preserves sibling keys" "passed" "failed (exit=$EXIT_CODE injected=$INJECTED preserved=$PRESERVED)"
-    fi
-    rm -rf "$ISO"
-  else
-    test_result "cbp-mcp-caller-worktree-inject.sh injection test (no branch resolvable — skipped)" "passed" "passed"
-  fi
-fi
-
-echo ""
-
 # ===== HOOK SMOKE TESTS — cbp-session-start-hook =====
 echo "## Hook Smoke Tests — cbp-session-start-hook (CHK-178)"
 

package/templates/rules/cbp-operating-gotchas.md

@@ -25,11 +25,13 @@ SHARED tooling behavior only — repo-specific gotchas belong in that repo's own
   clobbers existing `decisions` / `discoveries` / `check_results`. Always read the current row,
   merge your change into the full object/array, then write the whole thing back.
 
-- **`resolve-worktree` empty output = a NULL `(device, path, branch)` tuple, not a broken
-  resolver.** When identity is unresolved the server can collapse the caller to the repo's main
-  worktree, so feat-locked writes get rejected. Pass `caller_worktree_id` on every MCP mutation,
-  and confirm ownership by matching the row's repo path + branch to the current directory before
-  mutating.
+- **User-level locks are invisible until a mutation they block.** `get_checkpoints` /
+  `get_tasks` succeed even when another user holds the assignment; the 403 fires only on
+  `update_*` / `complete_*`. The lock keys on the JWT user (`ctx.userId`) vs the row's
+  `assigned_user_id` (null = open). `caller_worktree_id` / `worktree_id` params are
+  accepted-and-ignored — do not thread them. Verify `assigned_user_id` matches
+  `npx codebyplan whoami` before mutating; recover a stale assignment with
+  `release_assignment` (maintainer).
 
 - **Full-repo lint/type baselines are often pre-existing red.** A round must gate on the files
   it changed, not the whole-repo baseline — scope lint/tsc checks to the round's changed set so a
@@ -42,14 +44,10 @@ SHARED tooling behavior only — repo-specific gotchas belong in that repo's own
   files or carried directory-slash round artifacts, `complete_task` can hard-fail "N files not
   approved"; fix by re-writing each affected round's `files_changed` via `update_round`.
 
-- **CLI transport uses REST (reads) and OAuth+MCP (writes) — a 502 from `codebyplan round sync-approvals` is transient MCP churn, not an outage.** The CLI exits 0 with a warning and MCP tools still work. A missing `CODEBYPLAN_API_KEY` surfaces as an `ApiError`, not a 502. `sync-approvals` can also drag untracked per-device dirs into `files_changed` — run it from the repo root or pass `--caller-worktree-id`.
+- **CLI transport uses REST (reads) and OAuth+MCP (writes) — a 502 from `codebyplan round sync-approvals` is transient MCP churn, not an outage.** The CLI exits 0 with a warning and MCP tools still work. A missing `CODEBYPLAN_API_KEY` surfaces as an `ApiError`, not a 502. `sync-approvals` can also drag untracked per-device dirs into `files_changed` — run it from the repo root.
 
 - **`codebyplan claude update` requires a TTY.** On non-TTY stdin (CI, piped) it half-applies then errors. Re-run with `--yes` to accept defaults non-interactively.
 
-- **Checkpoint locks are invisible until a mutation they block.** `get_checkpoints` / `get_tasks` succeed even when another worktree holds the lock; the 403 fires only on `update_*` / `complete_*`. Verify the row's `worktree_id` matches the caller before mutating. A null-`worktree_id` checkpoint can still be actively shipped by whichever worktree physically holds its feat branch — check `git worktree list` first.
-
-- **`update_task` accepts `caller_worktree_id` for lock-verify only — it does NOT assign ownership.** Ownership assignment goes through the web UI or the dedicated assignment path. Don't conflate `caller_worktree_id` with `assigned_worktree_id`.
-
 - **Re-run config-driven gates after merging main into a feat branch.** A merge can add or change `.codebyplan/shipment.json`, ports, branch config, `e2e.json`, and `eslint.json` — treat the post-merge state as a fresh baseline before continuing.
 
 - **MCP write calls can return 403 via Cloudflare WAF when the JSONB payload contains DDL

package/templates/rules/todo-backend.md

@@ -20,8 +20,8 @@ Defined in `supabase/migrations/20260511211900_chk111_workflow_invariants.sql` (
 | 2 | `trg_enforce_standalone_task_workflow_invariants` | A standalone task cannot be moved to `in_progress` without `assigned_user_id` (CHK-225: was `assigned_worktree_id`) |
 | 3 | `trg_enforce_task_workflow_invariants` | ≤ 1 `in_progress` task per checkpoint |
 | 4 | `trg_enforce_single_in_progress_round_per_task` | ≤ 1 `in_progress` round per task |
-| 5 | `trg_enforce_single_active_scope_per_worktree` | ≤ 1 active (checkpoint OR standalone task) per `assigned_user_id` (CHK-225: was per `worktree_id`) |
-| 6 | `trg_enforce_standalone_task_scope_per_worktree` | ≤ 1 `in_progress` standalone task per `assigned_user_id` (CHK-225: was per `assigned_worktree_id`) |
+| 5 | `trg_enforce_single_active_scope_per_worktree` | ≤ 1 active (checkpoint OR standalone task) per `branch_name` (CHK-235: was per `assigned_user_id`) |
+| 6 | `trg_enforce_standalone_task_scope_per_worktree` | ≤ 1 `in_progress` standalone task per `branch_name` (CHK-235: was per `assigned_user_id`) |
 
 The worker is a passive cross-checker (`apps/todo-worker/src/invariants/check.ts`) — if its check disagrees with the DB, the DB wins.
 
@@ -109,6 +109,8 @@ CHK-111 shipped the original todos queue as Postgres triggers + a 583-LOC `regen
 
 CHK-225 updated the invariant triggers from worktree-scoped to user-scoped (`assigned_user_id`). The trigger names were preserved for continuity; only the function bodies changed. Migration: `20260612000000_chk225_task1_user_locks.sql`.
 
+CHK-235 re-scoped the same two trigger functions from per-`assigned_user_id` to per-`branch_name`, restoring multi-worktree concurrency (one active scope per feat branch). Migration: `20260622000000_chk235_task1_active_scope_per_branch.sql`.
+
 ## 8. Deployment — Railway
 
 `apps/todo-worker` runs as a Railway service alongside `apps/backend`. Setup:

package/templates/skills/cbp-build-cc-settings/reference/cbp-permission-policy.md

@@ -24,15 +24,15 @@ Precedence is `deny > ask > allow`; arrays union across scopes (managed/user/pro
 
 - **Non-lifecycle, non-shipment `/cbp-*` skills** — authoring (`cbp-build-cc-*`), frontend (`cbp-frontend-*`), git (`cbp-git-*`, `cbp-merge-main`, `cbp-refresh-infra`), round work (`cbp-round-plan`, `cbp-verify` — `cbp-verify` is the autonomous verify stage that runs deterministic gates, proves execution, spawns the fresh-context reviewer, and routes to `cbp-round-complete` or `cbp-round-plan`, so it runs without a prompt), setup/configure (`cbp-setup-*`, `cbp-ship-configure`, `cbp-supabase-*`), task prep (`cbp-task-create`/`-start`, `cbp-standalone-task-check`/`-testing`), planning (`cbp-checkpoint-plan`/`-update`), plus `cbp-session-start` and `cbp-todo`. Invoking a skill is the intended mode of operation; the gated side effects happen inside via the Bash/MCP tools the skill calls, which carry their own tiering. The lifecycle/state-transition and plan-approval skills are the exception — they live in `ask` (next section).
 - **All `mcp__codebyplan__*` reads** (`get_*`, `list_*`, `search_*`, `health_check`, `lookup_symbol`, `resolve_library_id`, `get_chunk`).
-- **Routine workflow-write MCP tools** the pipeline calls many times per task: create/update/complete checkpoint, task, and round; session log + session-state writes; `create_worktree`, `add_library`, `flag_stale_chunk`, `update_server_config`, `update_eslint_repo_config`. Gating these with `ask` would make the autonomous workflow unusable.
-- **Read/safe CLI commands** (both `codebyplan X` and `npx codebyplan X`): `whoami`, `resolve-worktree`, `statusline`, `ports`, `tech-stack`, `eslint`, `round`, `help`, `--version`.
+- **Routine workflow-write MCP tools** the pipeline calls many times per task: create/update/complete checkpoint, task, and round; session log + session-state writes; `add_library`, `flag_stale_chunk`, `update_server_config`, `update_eslint_repo_config`. Gating these with `ask` would make the autonomous workflow unusable.
+- **Read/safe CLI commands** (both `codebyplan X` and `npx codebyplan X`): `whoami`, `docs`, `statusline`, `ports`, `tech-stack`, `eslint`, `round`, `help`, `--version`.
 
 ### `ask` — the deliberate confirm-gate
 
 - **Production-shipment skills**: `cbp-ship`, `cbp-ship-main`, `cbp-checkpoint-end` — these promote/deploy to production, so they prompt even in an otherwise auto-allowed setup.
 - **Lifecycle / state-transition skills**: `cbp-checkpoint-start`, `cbp-checkpoint-create`, `cbp-checkpoint-check`, `cbp-checkpoint-complete`, `cbp-round-complete`, `cbp-session-end`, `cbp-finalize`, `cbp-standalone-task-create`, `cbp-standalone-task-start`, `cbp-standalone-task-complete` — these open or close checkpoints, tasks, rounds, and sessions (advancing workflow state in the database), so they stop for explicit confirmation rather than running autonomously. `cbp-round-complete` is the permission-gated round finalizer (reconciles the user's `git add`s, completes the round, routes onward); its `ask` prompt is the human gate downstream of `cbp-verify` — the autonomous, `allow`-tier verify stage whose triage routes here.
 - **Plan-approval gate**: `cbp-round-build` — the round plan is approved by confirming this `ask` prompt rather than via an in-skill AskUserQuestion. `cbp-round-plan` runs its planning Q&A, then hands off to `cbp-round-build`; the permission prompt is the user's go/no-go on the plan.
-- **Destructive / admin MCP tools**: `delete_session_log`, `delete_worktree`, `create_repo`, `release_assignment`. (The launch and member-admin tools were dropped from the MCP surface in CHK-180 — those concerns are web-app only now.)
+- **Destructive / admin MCP tools**: `delete_session_log`, `create_repo`, `release_assignment`. (The launch and member-admin tools were dropped from the MCP surface in CHK-180 — those concerns are web-app only now.)
 - **Mutating / external / clobber-risk CLI commands** (both prefixes): `setup`, `login`, `logout`, `upgrade-auth`, `config` (can overwrite committed `.codebyplan/` files), `branch` (rewrites branch config), `ship`, `claude` (`install`/`update`/`uninstall` overwrite `.claude/`).
 
 ### `deny` — unchanged

package/templates/skills/cbp-checkpoint-end/SKILL.md

@@ -280,15 +280,21 @@ Scan the output for any `worktree` entry whose `branch` field matches `refs/head
 **Case A — the current session is NOT inside that worktree path:**
 
 ```bash
-codebyplan worktree remove <path>
+codebyplan worktree remove <abs-path>   # pass the absolute path from worktree list
 git worktree prune
 ```
 
-Record the removed path in `WORKTREES_REMOVED[]`. If `codebyplan worktree remove` exits
-non-zero, emit a non-blocking warning and continue — a failed removal does not halt shipment.
+`codebyplan worktree remove <abs-path>` handles both the git worktree removal and the
+remote feat-branch deletion (non-fatal). No separate `git push origin --delete` is needed
+here. Parse the JSON output; record `{ path, removed: true, remote_branch_deleted }` in
+`WORKTREES_REMOVED[]`. On any non-zero exit (except exit code 2 — see Case B), emit a
+non-blocking warning and continue — a failed removal does not halt shipment.
 
-**Case B — the current session IS inside that worktree path (i.e. `$PWD` starts with
-`<path>`):**
+**Case B — the current session IS inside that worktree path:**
+
+The CLI self-cwd guard fires and exits with **code 2** when `codebyplan worktree remove`
+is called from inside the target worktree. Detect this via exit code 2, OR pre-check that
+`$PWD` starts with `<path>` before calling the CLI.
 
 Do NOT self-remove. Surface a single directive (no A/B/C menu):
 

package/templates/skills/cbp-finalize/SKILL.md

@@ -169,7 +169,7 @@ Skip the push only when nothing was committed in Step 5 AND `/cbp-merge-main` re
 
 ### Step 7: Complete Task
 
-MCP `complete_task(task_id)` — kept on MCP because the CLI `codebyplan task complete` sends an empty POST body and cannot forward `caller_worktree_id`, which the server uses to enforce the mutate-lock. `caller_worktree_id` is auto-injected by the `cbp-mcp-caller-worktree-inject.sh` PreToolUse hook (CHK-198 TASK-2); the server falls back to the repo `main` worktree only when it is absent, then enforces the mutate-lock. The server auto-clears `assigned_user_id` + `assigned_worktree_id` on the task; if this was the last sibling task, it also clears the parent checkpoint's assignment. (Per CHK-104 hard-lock.)
+MCP `complete_task(task_id)`. The server keys on the JWT user (`ctx.userId`) — no worktree param is needed. The server auto-clears `assigned_user_id` on the task; if this was the last sibling task, it also clears the parent checkpoint's assignment.
 
 ### Step 8: Run Cleanup + Migration (inline)
 
@@ -226,7 +226,7 @@ direct you to run `/cbp-clear-prep` first; otherwise checkpoint-check starts on
 - **Triggered by**: `/cbp-verify` (auto, scope=task, when it writes `verify_verdict.verdict === 'READY'`)
 - **Chain**: `/cbp-verify` (scope=task READY) → `/cbp-finalize`
 - **Reads**: `.codebyplan/state/checkpoints/*.json`, `checkpoints/<id>/tasks/*.json`, `checkpoints/<id>/tasks/<id>/rounds/*.json`, `todos.json` (local-first; `npx codebyplan sync` on miss; MCP `get_current_task`/`get_rounds`/`get_tasks` break-glass) — including each round's `verify_manifest` and `task.context.verify_verdict`
-- **Writes**: `codebyplan task update` for `files_changed` (CLI write-through; MCP `update_task` break-glass); MCP `complete_task` for task completion (kept MCP — CLI cannot forward `caller_worktree_id`)
+- **Writes**: `codebyplan task update` for `files_changed` (CLI write-through; MCP `update_task` break-glass); MCP `complete_task` for task completion
 - **Uses skills (inline, no sub-agent)**: `cleanup` (if deletions), `migration` (if exports renamed)
 - **Triggers**: Same-context transitions auto-trigger via the Skill tool (next task in checkpoint → `cbp-task-start {N}`, `allow`-tier, fires silently). Checkpoint-done → auto-triggers `cbp-checkpoint-check` via Skill tool (`ask`-tier, permission prompt IS the human gate). No-task-anywhere fallback → directive `Next: Run /clear, then /cbp-session-end.`
 - **Checkpoint-bound only** — for standalone tasks use `/cbp-standalone-task-complete`

package/templates/skills/cbp-standalone-task-complete/SKILL.md

@@ -249,6 +249,45 @@ When `branch_deleted === true` in the ship JSON:
 - If the `list_branches` call itself fails (network, auth, or non-success response): emit a non-blocking warning that the Supabase preview branch for `FEAT_BRANCH` may still exist and should be verified in the dashboard. Never treat an API failure as a not-found success.
 - Never delete the branch where `is_default` is true in the `list_branches` response (the production/parent project branch) or any other persistent/long-lived branch.
 
+#### Step 7.4 — Git-worktree cleanup (defensive)
+
+Read `FEAT_BRANCH` from the `feat_branch` field in the ship JSON (same source as Step 7.3).
+
+```bash
+git worktree list --porcelain
+```
+
+Scan for any `worktree` entry whose `branch` field matches `refs/heads/$FEAT_BRANCH`. If NO
+entry matches, skip this step silently — most standalone tasks have no dedicated worktree,
+so a no-match is the normal case.
+
+If a match exists, obtain its absolute path and apply the same Case A / Case B logic:
+
+**Case A — session cwd is NOT inside that worktree path:**
+
+```bash
+codebyplan worktree remove <abs-path>   # absolute path from worktree list
+git worktree prune
+```
+
+The CLI handles both the git removal and remote feat-branch deletion (non-fatal). Parse
+the JSON output; record `{ path, removed: true, remote_branch_deleted }` in
+`WORKTREES_REMOVED[]`. On any non-zero exit other than exit code 2, emit a non-blocking
+warning and continue.
+
+**Case B — session cwd IS inside that worktree path (CLI exits with code 2, or pre-check
+detects `$PWD` starts with `<path>`):**
+
+Do NOT self-remove. Surface a single directive:
+
+> "This session is inside the worktree at `<path>`. After switching to your main checkout,
+> run `codebyplan worktree remove <path>` to clean it up."
+
+Record `{ path, status: 'pending_manual_cleanup' }` in `WORKTREES_REMOVED[]`.
+
+In either case (and when no worktree matched — `WORKTREES_REMOVED` stays empty), include
+`worktrees_removed: WORKTREES_REMOVED` in the Step 9 summary.
+
 ### Step 7.5: Complete Standalone Task
 
 Note: completion is called only after `codebyplan ship` succeeds (no `checks_failed`) — the DB completion record reflects work that has landed in production.
@@ -280,6 +319,7 @@ Apply the `cleanup` skill inline to remove orphan references to deleted/modified
 **Version bumps**: [<name>: <current> → <next> per package, or "none"]
 **Export**: [EXPORT_RESULT.path from Step 5.6, or "skipped: <reason>"]
 **Warnings**: [any QA / file-approval warnings from Step 3, or "none"]
+**Git worktrees cleaned**: [paths from WORKTREES_REMOVED (Step 7.4), or "none"]
 ```
 
 #### Route (single directive — never a menu)