diff --git a/.claude/commands/plan.md b/.claude/commands/plan.md
index 49cd96e22b..d99da4d905 100644
--- a/.claude/commands/plan.md
+++ b/.claude/commands/plan.md
@@ -181,4 +181,4 @@ Agent: Updated PLAN.md:
 - PLAN.md is ephemeral - delete before merging to main
 - Use `/finish` skill to properly cleanup and merge
 - Tasks use standard markdown checkbox format: `- [ ]` and `- [x]`
-- The startup hook auto-injects PLAN.md at session start
+- A startup hook can be configured to auto-inject PLAN.md at session start
diff --git a/.github/workflows/cleanup-ephemeral-docs.yml b/.github/workflows/cleanup-ephemeral-docs.yml
index f2b7503146..58f0176412 100644
--- a/.github/workflows/cleanup-ephemeral-docs.yml
+++ b/.github/workflows/cleanup-ephemeral-docs.yml
@@ -12,6 +12,12 @@
 # These files are tracked on feature branches but should be deleted before
 # merge. If they slip through, this action cleans them up.
 #
+# Security Note: Uses pull_request_target to ensure write permissions for
+# PRs from forks. This is safe because:
+# 1. The workflow only checks out the base branch (not PR code)
+# 2. File paths are validated (hardcoded list of allowed files)
+# 3. No PR-controlled code is executed
+#
 # To use in your repo:
 # 1. Copy this file to .github/workflows/cleanup-ephemeral-docs.yml
 # 2. Update the 'branches' list to match your main branch (master or main)
@@ -20,7 +26,7 @@
 name: Cleanup ephemeral docs
 
 on:
-  pull_request:
+  pull_request_target:
     types: [closed]
     branches:
       - master
@@ -40,7 +46,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           ref: ${{ github.event.pull_request.base.ref }}
-          fetch-depth: 1
+          fetch-depth: 0
 
       - name: Check for ephemeral files
         id: check
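Review bot: The three safety claims in the new header comment are properties of code outside this hunk (the `check` step's file list, every `run:` step in the job), so the comment reads as a one-time audit rather than the invariant later editors must preserve. I would add a fourth item naming that invariant, e.g. `# 4. Keep it that way: never check out head.sha/head.ref and never interpolate PR-controlled fields (title, body, head.ref, labels) into run: steps`. Since `types: [closed]` also fires for PRs closed without merging, the note should say whether the job gates on `github.event.pull_request.merged` (not visible in this diff), because that gate is part of the same argument.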
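Review bot: Moving the trigger to `pull_request_target` gives the run a write-capable `GITHUB_TOKEN` and access to repository secrets for fork PRs as well, and nothing in this diff pins that down with a `permissions:` block; if the file has none, add `permissions:` / `  contents: write` at the job level so the token carries only the scope the push needs. The same trigger raises the bar for expression hygiene: the `git pull` lines added later in this diff interpolate `${{ github.event.pull_request.base.ref }}` straight into a shell `run:` step. The `branches:` filter bounds that value to the listed base branches, so the exposure is small, but the conventional hardening is an `env:` entry `BASE_REF: ${{ github.event.pull_request.base.ref }}` with `"$BASE_REF"` used in the script.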
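Review bot: `fetch-depth: 0` switches every closed-PR run to a full-history clone with no comment saying why; the only consumer visible in this diff is the `git pull --rebase`/merge fallback added further down, which needs history only when the base branch has moved non-linearly since checkout. I would at least document the intent inline, `fetch-depth: 0  # full history so the pull --rebase/merge fallback can find a merge base`. Related, that fallback runs `git rebase --abort` unconditionally; unless the step sets its own `shell:`, the default `bash -e` makes the step exit there whenever the failure happened before a rebase started (a fetch error, for instance), so `git rebase --abort 2>/dev/null || true` is what makes the merge path reachable. The enclosing `steps:` list continues outside the hunk.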
@@ -72,6 +78,14 @@ jobs:
           git config user.name "github-actions[bot]"
           git config user.email "github-actions[bot]@users.noreply.github.com"
 
+          # Pull latest changes to avoid non-fast-forward errors
+          # If rebase fails due to conflicts, fall back to regular merge
+          if ! git pull --rebase origin ${{ github.event.pull_request.base.ref }}; then
+            echo "Rebase failed, falling back to merge"
+            git rebase --abort
+            git pull --no-rebase --no-edit origin ${{ github.event.pull_request.base.ref }}
+          fi
+
           # Remove files
           git rm -f ${{ steps.check.outputs.files }}