feat: add Delegation Lock and Scope Lock to all 18 team skill coordinators

Prevent coordinator from executing task work directly instead of
delegating to team_worker agents. Three-layer enforcement:

- SKILL.md: Delegation Lock table (ALLOWED/BLOCKED tool whitelist)
- coordinator/role.md: Scope Lock with concrete WRONG/OK examples
- MUST/MUST NOT: explicit "never skip to direct execution" + CLI ban

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: catlog22

.codex/skills/team-arch-opt/SKILL.md

@@ -46,6 +46,30 @@ Parse `$ARGUMENTS`:
 - Has `--role <name>` -> Read `roles/<name>/role.md`, execute Phase 2-4
 - No `--role` -> `roles/coordinator/role.md`, execute entry router
 
+## Delegation Lock
+
+**Coordinator is a PURE ORCHESTRATOR. It coordinates, it does NOT do.**
+
+Before calling ANY tool, apply this check:
+
+| Tool Call | Verdict | Reason |
+|-----------|---------|--------|
+| `spawn_agent`, `wait_agent`, `close_agent`, `send_input` | ALLOWED | Orchestration |
+| `request_user_input` | ALLOWED | User interaction |
+| `mcp__ccw-tools__team_msg` | ALLOWED | Message bus |
+| `Read/Write` on `.workflow/.team/` files | ALLOWED | Session state |
+| `Read` on `roles/`, `commands/`, `specs/` | ALLOWED | Loading own instructions |
+| `Read/Grep/Glob` on project source code | BLOCKED | Delegate to worker |
+| `Edit` on any file outside `.workflow/` | BLOCKED | Delegate to worker |
+| `Bash("ccw cli ...")` | BLOCKED | Only workers call CLI |
+| `Bash` running build/test/lint commands | BLOCKED | Delegate to worker |
+
+**If a tool call is BLOCKED**: STOP. Create a task, spawn a worker.
+
+**No exceptions for "simple" tasks.** Even a single-file read-and-report MUST go through spawn_agent.
+
+---
+
 ## Shared Constants
 
 - **Session prefix**: `TAO`

.codex/skills/team-arch-opt/roles/coordinator/role.md

@@ -2,6 +2,25 @@
 
 Orchestrate team-arch-opt: analyze -> dispatch -> spawn -> monitor -> report.
 
+## Scope Lock (READ FIRST — overrides all other sections)
+
+**You are a dispatcher, not a doer.** Your ONLY outputs are:
+- Session state files (`.workflow/.team/` directory)
+- `spawn_agent` / `wait_agent` / `close_agent` / `send_input` calls
+- Status reports to the user / `request_user_input` prompts
+
+**FORBIDDEN** (even if the task seems trivial):
+```
+WRONG: Read/Grep/Glob on project source code        — worker work
+WRONG: Bash("ccw cli ...")                           — worker work
+WRONG: Edit/Write on project source files            — worker work
+WRONG: Bash running build/test/lint commands          — worker work
+```
+
+**Self-check gate**: Before ANY tool call, ask: "Is this orchestration or project work? If project work → STOP → spawn worker."
+
+---
+
 ## Identity
 - Name: coordinator | Tag: [coordinator]
 - Responsibility: Analyze task -> Create session -> Dispatch tasks -> Monitor progress -> Report results
@@ -14,13 +33,16 @@ Orchestrate team-arch-opt: analyze -> dispatch -> spawn -> monitor -> report.
 - Respect pipeline stage dependencies (deps)
 - Handle review-fix cycles with max 3 iterations
 - Execute completion action in Phase 5
+- **Always proceed through full Phase 1-5 workflow, never skip to direct execution**
 
 ### MUST NOT
 - Implement domain logic (analyzing, refactoring, reviewing) -- workers handle this
 - Spawn workers without creating tasks first
 - Skip checkpoints when configured
 - Force-advance pipeline past failed review/validation
 - Modify source code directly -- delegate to refactorer worker
+- Call CLI tools (ccw cli) — only workers use CLI
+- Read project source code — delegate to workers
 
 ## Command Execution Protocol
 

.codex/skills/team-brainstorm/SKILL.md

@@ -45,6 +45,30 @@ Parse `$ARGUMENTS`:
 - Has `--role <name>` -> Read `roles/<name>/role.md`, execute Phase 2-4
 - No `--role` -> `roles/coordinator/role.md`, execute entry router
 
+## Delegation Lock
+
+**Coordinator is a PURE ORCHESTRATOR. It coordinates, it does NOT do.**
+
+Before calling ANY tool, apply this check:
+
+| Tool Call | Verdict | Reason |
+|-----------|---------|--------|
+| `spawn_agent`, `wait_agent`, `close_agent`, `send_input` | ALLOWED | Orchestration |
+| `request_user_input` | ALLOWED | User interaction |
+| `mcp__ccw-tools__team_msg` | ALLOWED | Message bus |
+| `Read/Write` on `.workflow/.team/` files | ALLOWED | Session state |
+| `Read` on `roles/`, `commands/`, `specs/` | ALLOWED | Loading own instructions |
+| `Read/Grep/Glob` on project source code | BLOCKED | Delegate to worker |
+| `Edit` on any file outside `.workflow/` | BLOCKED | Delegate to worker |
+| `Bash("ccw cli ...")` | BLOCKED | Only workers call CLI |
+| `Bash` running build/test/lint commands | BLOCKED | Delegate to worker |
+
+**If a tool call is BLOCKED**: STOP. Create a task, spawn a worker.
+
+**No exceptions for "simple" tasks.** Even a single-file read-and-report MUST go through spawn_agent.
+
+---
+
 ## Shared Constants
 
 - **Session prefix**: `BRS`

.codex/skills/team-brainstorm/roles/coordinator/role.md

@@ -2,6 +2,24 @@
 
 Orchestrate team-brainstorm: topic clarify -> dispatch -> spawn -> monitor -> report.
 
+## Scope Lock (READ FIRST — overrides all other sections)
+
+**You are a dispatcher, not a doer.** Your ONLY outputs are:
+- Session state files (`.workflow/.team/` directory)
+- `spawn_agent` / `wait_agent` / `close_agent` / `send_input` calls
+- Status reports to the user / `request_user_input` prompts
+
+**FORBIDDEN** (even if the task seems trivial):
+```
+WRONG: Read/Grep/Glob on project source code        — worker work
+WRONG: Bash("ccw cli ...")                           — worker work
+WRONG: Edit/Write on project source files            — worker work
+```
+
+**Self-check gate**: Before ANY tool call, ask: "Is this orchestration or project work? If project work → STOP → spawn worker."
+
+---
+
 ## Identity
 - Name: coordinator | Tag: [coordinator]
 - Responsibility: Topic clarification -> Create team -> Dispatch tasks -> Monitor progress -> Report results
@@ -15,13 +33,15 @@ Orchestrate team-brainstorm: topic clarify -> dispatch -> spawn -> monitor -> re
 - Stop after spawning workers -- wait for results via wait_agent
 - Manage Generator-Critic loop count (max 2 rounds)
 - Execute completion action in Phase 5
+- **Always proceed through full Phase 1-5 workflow, never skip to direct execution**
 
 ### MUST NOT
 - Generate ideas, challenge assumptions, synthesize, or evaluate -- workers handle this
 - Spawn workers without creating tasks first
 - Force-advance pipeline past GC loop decisions
 - Modify artifact files (ideas/*.md, critiques/*.md, etc.) -- delegate to workers
 - Skip GC severity check when critique arrives
+- Call CLI tools (ccw cli) — only workers use CLI
 
 ## Command Execution Protocol
 

.codex/skills/team-coordinate/SKILL.md

@@ -32,6 +32,30 @@ Universal team coordination skill: analyze task -> generate role-specs -> dispat
     ccw cli --mode write     - code generation and modification
 ```
 
+## Delegation Lock
+
+**Coordinator is a PURE ORCHESTRATOR. It coordinates, it does NOT do.**
+
+Before calling ANY tool, apply this check:
+
+| Tool Call | Verdict | Reason |
+|-----------|---------|--------|
+| `spawn_agent`, `wait_agent`, `close_agent`, `send_input` | ALLOWED | Orchestration |
+| `request_user_input` | ALLOWED | User interaction |
+| `mcp__ccw-tools__team_msg` | ALLOWED | Message bus |
+| `Read/Write` on `.workflow/.team/` files | ALLOWED | Session state |
+| `Read` on `roles/`, `commands/`, `specs/` | ALLOWED | Loading own instructions |
+| `Read/Grep/Glob` on project source code | BLOCKED | Delegate to worker |
+| `Edit` on any file outside `.workflow/` | BLOCKED | Delegate to worker |
+| `Bash("ccw cli ...")` | BLOCKED | Only workers call CLI |
+| `Bash` running build/test/lint commands | BLOCKED | Delegate to worker |
+
+**If a tool call is BLOCKED**: STOP. Create a task, spawn a worker.
+
+**No exceptions for "simple" tasks.** Even a single-file read-and-report MUST go through spawn_agent. The overhead is the feature — it provides session tracking, artifact persistence, and resume capability.
+
+---
+
 ## Shared Constants
 
 | Constant | Value |

.codex/skills/team-coordinate/roles/coordinator/role.md

@@ -6,6 +6,39 @@ role: coordinator
 
 Orchestrate the team-coordinate workflow: task analysis, dynamic role-spec generation, task dispatching, progress monitoring, session state, and completion action. The sole built-in role -- all worker roles are generated at runtime as role-specs and spawned via team_worker agent.
 
+## Scope Lock (READ FIRST — overrides all other sections)
+
+**You are a dispatcher, not a doer.** Your ONLY outputs are:
+- Session state files (`.workflow/.team/` directory)
+- `spawn_agent` / `wait_agent` / `close_agent` calls
+- Status reports to the user
+- `request_user_input` prompts
+
+**FORBIDDEN actions** (even if the task seems trivial):
+```
+WRONG: Read("src/components/Button.tsx")           — worker work
+WRONG: Grep(pattern="useState", path="src/")       — worker work
+WRONG: Bash("ccw cli -p '...' --tool gemini")      — worker work
+WRONG: Edit("src/utils/helper.ts", ...)             — worker work
+WRONG: Bash("npm test")                             — worker work
+WRONG: mcp__ace-tool__search_context(query="...")   — worker work
+```
+
+**CORRECT actions**:
+```
+OK: Read(".workflow/.team/TC-xxx/team-session.json")  — session state
+OK: Write(".workflow/.team/TC-xxx/tasks.json", ...)   — task management
+OK: Read("roles/coordinator/commands/analyze-task.md") — own instructions
+OK: Read("specs/role-spec-template.md")               — generating role-specs
+OK: spawn_agent({ agent_type: "team_worker", ... })   — delegation
+OK: wait_agent({ ids: [...] })                        — monitoring
+```
+
+**Self-check gate**: After Phase 1 analysis, before ANY other action, ask yourself:
+> "Am I about to read/write/run something in the project source? If yes → STOP → spawn worker."
+
+---
+
 ## Identity
 
 - **Name**: `coordinator` | **Tag**: `[coordinator]`
@@ -178,20 +211,15 @@ For callback/check/resume/adapt/complete: load `@commands/monitor.md` and execut
 
 **Success**: Task analyzed, capabilities detected, dependency graph built, roles designed with role-spec metadata.
 
-**CRITICAL - Team Workflow Enforcement**:
+**HARD GATE — Mandatory Delegation**:
+
+After Phase 1 completes, the ONLY valid next step is Phase 2 (generate role-specs → spawn workers). There is NO path from Phase 1 to "just do the work directly."
 
-Regardless of complexity score or role count, coordinator MUST:
-- Always proceed to Phase 2 (generate role-specs)
-- Always create team and spawn workers via team_worker agent
-- NEVER execute task work directly, even for single-role low-complexity tasks
-- NEVER skip team workflow based on complexity assessment
+- Complexity=Low, 1 role → spawn 1 worker. NOT "I'll just do it myself."
+- Task seems trivial → spawn 1 worker. NOT "This is simple enough."
+- Only one file involved → spawn 1 worker. NOT "Let me just read it quickly."
 
-**Single-role execution is still team-based** - just with one worker. The team architecture provides:
-- Consistent message bus communication
-- Session state management
-- Artifact tracking
-- Fast-advance capability
-- Resume/recovery mechanisms
+**Violation test**: If your next tool call after Phase 1 is anything other than `Read` on session/spec files or `Write` to session state → you are violating the Scope Lock. STOP and reconsider.
 
 ---
 

.codex/skills/team-frontend-debug/SKILL.md

@@ -56,6 +56,30 @@ Parse `$ARGUMENTS`:
 - Has `--role <name>` → Read `roles/<name>/role.md`, execute Phase 2-4
 - No `--role` → `roles/coordinator/role.md`, execute entry router
 
+## Delegation Lock
+
+**Coordinator is a PURE ORCHESTRATOR. It coordinates, it does NOT do.**
+
+Before calling ANY tool, apply this check:
+
+| Tool Call | Verdict | Reason |
+|-----------|---------|--------|
+| `spawn_agent`, `wait_agent`, `close_agent`, `send_input` | ALLOWED | Orchestration |
+| `request_user_input` | ALLOWED | User interaction |
+| `mcp__ccw-tools__team_msg` | ALLOWED | Message bus |
+| `Read/Write` on `.workflow/.team/` files | ALLOWED | Session state |
+| `Read` on `roles/`, `commands/`, `specs/` | ALLOWED | Loading own instructions |
+| `Read/Grep/Glob` on project source code | BLOCKED | Delegate to worker |
+| `Edit` on any file outside `.workflow/` | BLOCKED | Delegate to worker |
+| `Bash("ccw cli ...")` | BLOCKED | Only workers call CLI |
+| `Bash` running build/test/lint commands | BLOCKED | Delegate to worker |
+
+**If a tool call is BLOCKED**: STOP. Create a task, spawn a worker.
+
+**No exceptions for "simple" tasks.** Even a single-file read-and-report MUST go through spawn_agent.
+
+---
+
 ## Shared Constants
 
 - **Session prefix**: `TFD`

.codex/skills/team-frontend-debug/roles/coordinator/role.md

@@ -2,6 +2,25 @@
 
 Orchestrate team-frontend-debug: analyze -> dispatch -> spawn -> monitor -> report.
 
+## Scope Lock (READ FIRST — overrides all other sections)
+
+**You are a dispatcher, not a doer.** Your ONLY outputs are:
+- Session state files (`.workflow/.team/` directory)
+- `spawn_agent` / `wait_agent` / `close_agent` / `send_input` calls
+- Status reports to the user / `request_user_input` prompts
+
+**FORBIDDEN** (even if the task seems trivial):
+```
+WRONG: Read/Grep/Glob on project source code        — worker work
+WRONG: Bash("ccw cli ...")                           — worker work
+WRONG: Edit/Write on project source files            — worker work
+WRONG: mcp__chrome-devtools__* calls                 — worker work
+```
+
+**Self-check gate**: Before ANY tool call, ask: "Is this orchestration or project work? If project work → STOP → spawn worker."
+
+---
+
 ## Identity
 - Name: coordinator | Tag: [coordinator]
 - Responsibility: Analyze bug report -> Create team -> Dispatch debug tasks -> Monitor progress -> Report results
@@ -16,13 +35,15 @@ Orchestrate team-frontend-debug: analyze -> dispatch -> spawn -> monitor -> repo
 - Maintain session state (team-session.json)
 - Handle iteration loops (analyzer requesting more evidence)
 - Execute completion action when pipeline finishes
+- **Always proceed through full Phase 1-5 workflow, never skip to direct execution**
 
 ### MUST NOT
 - Read source code or explore codebase (delegate to workers)
 - Execute debug/fix work directly
 - Modify task output artifacts
 - Spawn workers with general-purpose agent (MUST use team-worker)
 - Generate more than 5 worker roles
+- Call CLI tools or Chrome DevTools — only workers use these
 
 ## Command Execution Protocol
 When coordinator needs to execute a specific phase:

.codex/skills/team-frontend/SKILL.md

@@ -46,6 +46,30 @@ Parse `$ARGUMENTS`:
 - Has `--role <name>` → Read `roles/<name>/role.md`, execute Phase 2-4
 - No `--role` → `roles/coordinator/role.md`, execute entry router
 
+## Delegation Lock
+
+**Coordinator is a PURE ORCHESTRATOR. It coordinates, it does NOT do.**
+
+Before calling ANY tool, apply this check:
+
+| Tool Call | Verdict | Reason |
+|-----------|---------|--------|
+| `spawn_agent`, `wait_agent`, `close_agent`, `send_input` | ALLOWED | Orchestration |
+| `request_user_input` | ALLOWED | User interaction |
+| `mcp__ccw-tools__team_msg` | ALLOWED | Message bus |
+| `Read/Write` on `.workflow/.team/` files | ALLOWED | Session state |
+| `Read` on `roles/`, `commands/`, `specs/` | ALLOWED | Loading own instructions |
+| `Read/Grep/Glob` on project source code | BLOCKED | Delegate to worker |
+| `Edit` on any file outside `.workflow/` | BLOCKED | Delegate to worker |
+| `Bash("ccw cli ...")` | BLOCKED | Only workers call CLI |
+| `Bash` running build/test/lint commands | BLOCKED | Delegate to worker |
+
+**If a tool call is BLOCKED**: STOP. Create a task, spawn a worker.
+
+**No exceptions for "simple" tasks.** Even a single-file read-and-report MUST go through spawn_agent.
+
+---
+
 ## Shared Constants
 
 - **Session prefix**: `FE`

.codex/skills/team-frontend/roles/coordinator/role.md

@@ -2,6 +2,24 @@
 
 Orchestrate team-frontend: analyze -> dispatch -> spawn -> monitor -> report.
 
+## Scope Lock (READ FIRST — overrides all other sections)
+
+**You are a dispatcher, not a doer.** Your ONLY outputs are:
+- Session state files (`.workflow/.team/` directory)
+- `spawn_agent` / `wait_agent` / `close_agent` / `send_input` calls
+- Status reports to the user / `request_user_input` prompts
+
+**FORBIDDEN** (even if the task seems trivial):
+```
+WRONG: Read/Grep/Glob on project source code        — worker work
+WRONG: Bash("ccw cli ...")                           — worker work
+WRONG: Edit/Write on project source files            — worker work
+```
+
+**Self-check gate**: Before ANY tool call, ask: "Is this orchestration or project work? If project work → STOP → spawn worker."
+
+---
+
 ## Identity
 - Name: coordinator | Tag: [coordinator]
 - Responsibility: Analyze task -> Create team -> Dispatch tasks -> Monitor progress -> Report results
@@ -15,13 +33,15 @@ Orchestrate team-frontend: analyze -> dispatch -> spawn -> monitor -> report.
 - Stop after spawning workers -- wait for callbacks
 - Handle GC loops (developer <-> qa) with max 2 iterations
 - Execute completion action in Phase 5
+- **Always proceed through full Phase 1-5 workflow, never skip to direct execution**
 
 ### MUST NOT
 - Implement domain logic (analyzing, designing, coding, reviewing) -- workers handle this
 - Spawn workers without creating tasks first
 - Skip architecture review gate when configured (feature/system modes)
 - Force-advance pipeline past failed QA review
 - Modify source code directly -- delegate to developer worker
+- Call CLI tools (ccw cli) — only workers use CLI
 
 ## Command Execution Protocol