@ai-dev-methodologies/rlp-desk 0.14.5 → 0.15.0

package/docs/plans/polished-gliding-toucan.md

@@ -0,0 +1,234 @@
+# Bug Report #7 — Post-Sentinel Process Race Fix
+
+## Context
+
+BOS 사용자가 19th launch에서 측정한 race window:
+- iter-1 verifier가 verdict detect 후 **1m 43s** 뒤 `verify-verdict.json` 재수정 (file mtime 증거)
+- iter-1 verifier post-verdict 후속 활동 **2m 1s**
+- iter-1 verifier ↔ iter-2 worker 동시 작업 약 **2분**
+
+Bug report:
+`/Users/kyjin/dev/doul/bos/docs/exec-plans/active/2026-05-06-rlp-desk-bug-report-7-post-sentinel-process-race.md`
+
+### Root cause
+
+Leader는 `iter-signal.json` / `verify-verdict.json` 발견 즉시 다음 iter로 진입하지만, 그 sentinel을 쓴 Worker/Verifier process(claude/codex TUI)는 **명시적으로 종료되지 않는다**. tmux pane은 살아 있고 TUI는 idle prompt로 회귀 후 자체 self-review를 수행 → sentinel 재수정·working tree 오염·토큰 낭비.
+
+### 모드 영향 범위 (중요)
+
+`--mode tmux`(zsh runner)와 `--mode agent`(Node leader) **둘 다 영향**. Node leader도 `defaultSendKeys`/`defaultCreatePane`(`src/node/tmux/pane-manager.mjs`)을 통해 실제 tmux pane 위에서 worker/verifier를 실행한다 (`src/node/runner/campaign-main-loop.mjs:1077-1080`, `1116-1133`). Agent 모드 면역이라는 초기 가설은 부정확.
+
+### 비대칭 (현 상태)
+
+| 경로 | Worker 후처리 | Verifier 후처리 |
+|---|---|---|
+| Node leader | 없음 | 없음 |
+| zsh runner | 다음 iter 시작 시 cleanup (`run_ralph_desk.zsh:2948-2956`) — race window 5s+ | dispatch 직전 cleanup (`3160-3180`) — 같은 iter 내에선 보호되나 final iter 종료 후 또는 cross-iter race는 불보호 |
+
+---
+
+## Approach (Fix-Q + Fix-R, 최소 surgical 조합)
+
+| Fix | 효과 | 채택 |
+|---|---|---|
+| **Q** Sentinel detect 즉시 producing pane에 Ctrl+C → process 종료 | race를 ~1초 안에 직접 차단 | **YES (primary)** |
+| **R** Sentinel 파일 chmod 0444로 재수정 차단 | Q가 늦거나 fail해도 mtime 동결 | **YES (defense-in-depth)** |
+| S Pane lifecycle 전면 리팩토링 | 효과는 있으나 surface가 너무 큼. 기존 prep cleanup (zsh 2948-2956)으로 부분 커버됨. Karpathy "surgical changes" 원칙 위반 | NO |
+| T post-sentinel 30s 안전망 timeout | Q가 fail-open이고 다음 iter prep cleanup이 backup이라 중복 | NO |
+
+근거:
+- Q는 producer를 ~1초 내 죽여서 root cause 차단. 기존 패턴 정확히 미러 (zsh `run_ralph_desk.zsh:2384-2397`, Ctrl+C 더블 송신 + `wait_for_pane_ready`).
+- R은 chmod 실패에 관대(EPERM/ENOTSUP 무시 — `scripts/postinstall.js:104` `tryLockFile` 선례). WSL1/NTFS/tmpfs 등 chmod no-op 환경에서도 graceful degradation.
+- S/T 제거로 review surface 최소화.
+
+---
+
+## Concrete code changes
+
+### Node leader
+
+#### 1. `src/node/tmux/pane-manager.mjs` — helper 추가 (line 77 뒤)
+
+신규 export:
+- `sendRawKey(paneId, key)` — `runTmux(['send-keys', '-t', paneId, key])`. `sendKeys`(`-l --` literal text)와 분리: C-c 같은 raw key용.
+- `killPaneProcess(paneId, { sendRawKey, waitForExit, gracePeriodMs=800, exitTimeoutMs=5000, log })`:
+  1. `sendRawKey('C-c')` → `await sleep(gracePeriodMs)` → `sendRawKey('C-c')` (double press, zsh `375-376` 미러).
+  2. `await waitForExit(paneId, { timeoutMs: exitTimeoutMs }).catch(log)` — fail-open.
+  3. raw key 송신 자체의 TmuxError도 catch+log (이미 죽은 pane에 안전).
+
+기존 `waitForProcessExit` (line 55) 그대로 재사용.
+
+#### 2. `src/node/shared/fs.mjs` — helper 추가 (line 61 뒤)
+
+- `lockSentinelFile(filePath, { log })` — `fs.chmod(filePath, 0o444)`, error 시 한 번만 경고 로그. `tryLockFile`(`scripts/postinstall.js:104`) 선례 미러.
+- `unlockSentinelFile(filePath)` — `fs.chmod(filePath, 0o644)`, 실패 무시. iter cleanup 직전에 호출.
+
+#### 3. `src/node/runner/campaign-main-loop.mjs` — wire + call sites
+
+DI 슬롯 추가 (line 1077-1080):
+```
+const sendRawKey = options.sendRawKey ?? defaultSendRawKey;
+const waitForProcessExit = options.waitForProcessExit ?? defaultWaitForProcessExit;
+const killPaneProcess = options.killPaneProcess ?? defaultKillPaneProcess;
+const lockSentinel = options.lockSentinelFile ?? lockSentinelFile;
+```
+
+내부 wrapper:
+```
+async function reapProducer(paneId, sentinelFile) {
+  await killPaneProcess(paneId, { sendRawKey, waitForExit: waitForProcessExit, log: console.error });
+  if (sentinelFile) await lockSentinel(sentinelFile, { log: console.error });
+}
+```
+
+호출 사이트 (성공 + `validateArtifact` 통과 직후):
+
+| Site | Line | 호출 |
+|---|---|---|
+| Flywheel poll | 1267-1277 다음 (1285 앞) | `reapProducer(state.flywheel_pane_id ?? state.verifier_pane_id, paths.flywheelSignalFile)` |
+| Guard poll | 1305-1315 다음 (1323 앞) | `reapProducer(guardPaneId, paths.flywheelGuardVerdictFile)` |
+| Worker poll | 1422-1432 다음 (1456 앞) | `reapProducer(state.worker_pane_id, paths.signalFile)` |
+| Verifier poll | 1489-1513 다음 (1522 앞) | `reapProducer(state.verifier_pane_id, paths.verdictFile)` |
+| Final per-US verifier (`runFinalSequentialVerify`) | 890-894 다음 (896 앞) | `reapProducer(verifierPaneId, paths.verdictFile)` — `runFinalSequentialVerify` 시그니처에 `reapProducer` 추가 + 호출처(1185-1194) 전달 |
+
+iter cleanup unlock — `fs.unlink(...)` 호출 직전 `unlockSentinelFile` 호출:
+- L1291 (`flywheelSignalFile`)
+- L1328 (`flywheelGuardVerdictFile`)
+- 루프 상단 (1145 직후) — Worker `signalFile` / Verifier `verdictFile` 방어적 unlock (다음 iter producer가 atomic rename으로 덮어쓸 때 대비)
+
+### zsh runner
+
+#### 4. `src/scripts/lib_ralph_desk.zsh` — helper 추가 (`atomic_write` 다음, line 245 뒤)
+
+```
+_kill_pane_process() {
+  local pane_id="$1" role="${2:-producer}"
+  log_debug "[bug7] kill_pane_process pane=$pane_id role=$role"
+  tmux send-keys -t "$pane_id" C-c 2>/dev/null
+  sleep 0.5
+  tmux send-keys -t "$pane_id" C-c 2>/dev/null
+  sleep 1
+  wait_for_pane_ready "$pane_id" 5 2>/dev/null || true
+}
+
+_lock_sentinel() {
+  local file="$1"
+  [[ -f "$file" ]] || return 0
+  chmod 0444 "$file" 2>/dev/null || true
+}
+
+_unlock_sentinel() {
+  local file="$1"
+  [[ -f "$file" ]] || return 0
+  chmod 0644 "$file" 2>/dev/null || true
+}
+```
+
+#### 5. `src/scripts/run_ralph_desk.zsh` — call sites
+
+| Site | Line | 호출 |
+|---|---|---|
+| Worker poll 성공 직후 | 3003 (`worker_poll_done=1` 분기 안, `log_debug` 다음) | `_kill_pane_process "$WORKER_PANE" "worker"; _lock_sentinel "$SIGNAL_FILE"` |
+| Verifier poll 성공 직후 (main path) | 3202 통과 후, 3215 앞 (`ITER_VERIFIER_END`) | `_kill_pane_process "$VERIFIER_PANE" "verifier"; _lock_sentinel "$VERDICT_FILE"` |
+| Final-verify per-US (`run_sequential_final_verify`) | 2524 통과 후, 다음 iter 진입 전 | `_kill_pane_process "$VERIFIER_PANE" "verifier-final"; _lock_sentinel "$VERDICT_FILE"` |
+| Codex grace path | `dispatch_verifier_per_us` (2420 그레이스 종료 직후, 2471 `cp` 앞) | `_kill_pane_process "$VERIFIER_PANE" "verifier-${suffix}"; _lock_sentinel "$VERDICT_FILE"` |
+| Consensus path | `run_consensus_verification` 내 각 `poll_for_signal` 성공 직후 | 동일 패턴 |
+
+prep cleanup unlock — line 2948-2956 cleanup 직전:
+```
+_unlock_sentinel "$SIGNAL_FILE"; _unlock_sentinel "$VERDICT_FILE"
+rm -f "$SIGNAL_FILE" "$DONE_CLAIM_FILE" "$VERDICT_FILE" 2>/dev/null
+```
+
+---
+
+## Files to modify
+
+| 파일 | 변경 |
+|---|---|
+| `src/node/tmux/pane-manager.mjs` | `sendRawKey`, `killPaneProcess` export 추가 |
+| `src/node/shared/fs.mjs` | `lockSentinelFile`, `unlockSentinelFile` export 추가 |
+| `src/node/runner/campaign-main-loop.mjs` | DI + `reapProducer` + 5개 call site + iter cleanup unlock |
+| `src/scripts/lib_ralph_desk.zsh` | `_kill_pane_process`, `_lock_sentinel`, `_unlock_sentinel` 추가 |
+| `src/scripts/run_ralph_desk.zsh` | 4-5개 call site + prep cleanup unlock |
+| `tests/node/us006-campaign-main-loop.test.mjs` | `createTmuxFakes()`에 `killPaneProcess`/`lockSentinelFile` 레코더 추가 + Bug-7 테스트 3건 |
+| `tests/node/test-kill-pane-process.test.mjs` | NEW — helper 단위 테스트 |
+| `tests/node/test-lock-sentinel-file.test.mjs` | NEW — chmod 단위 테스트 |
+| `tests/test-bug7-post-sentinel-race.sh` | NEW — 실제 tmux 통합 테스트 (Bug #6 패턴 미러) |
+
+배포는 단일 PR (helper는 call site 없으면 no-op이라 review surface 작음).
+
+---
+
+## Reused functions (참조)
+
+- Node: `pane-manager.mjs:50` `sendKeys`, `pane-manager.mjs:55` `waitForProcessExit` (5s timeout, shell 감지)
+- Node: `shared/fs.mjs:6-23` `writeFileAtomic`, `42-61` `writeSentinelExclusive`
+- Node: `scripts/postinstall.js:104` `tryLockFile` (chmod 0o444 선례)
+- zsh: `lib_ralph_desk.zsh:240-245` `atomic_write`, `1075-1137` `wait_for_pane_ready`
+- zsh: `run_ralph_desk.zsh:2384-2397` 검증된 verifier-cleanup 패턴 (Ctrl+C + /exit + wait), `375-376/529-530` 더블 Ctrl+C 패턴
+
+---
+
+## Testing strategy
+
+### 단위 테스트 (Node)
+
+`tests/node/test-kill-pane-process.test.mjs` (NEW):
+- AC1 정상: C-c → sleep → C-c → waitForExit 순서 (fake recorder 검증).
+- AC2 fail-open: `waitForExit` 가 TmuxError throw 시 helper resolve.
+- AC3 dead-pane: `sendRawKey` throw 시 resolve.
+- AC4 grace: gracePeriodMs 준수 (fake clock 또는 tolerance 검증).
+
+`tests/node/test-lock-sentinel-file.test.mjs` (NEW):
+- AC1: lock 후 mode `& 0o222 === 0` (chmod 무시 FS는 skip).
+- AC2: 존재하지 않는 path에 lock — throw 안 함.
+- AC3: unlock 후 writable.
+
+### 통합 테스트 (Node)
+
+`tests/node/us006-campaign-main-loop.test.mjs` 확장:
+1. **Bug-7-A**: Worker pollForSignal 성공 → next dispatchVerifier 전에 `killPaneProcess('%worker')` + `lockSentinelFile(signalFile)` 호출 순서 검증.
+2. **Bug-7-B**: Verifier verdict pass 후 next iter dispatchWorker 전에 `killPaneProcess('%verifier')` + `lockSentinelFile(verdictFile)`.
+3. **Bug-7-C**: `killPaneProcess`가 throw해도 run() 정상 완료.
+
+`createTmuxFakes()`(line 83)에 fake `killPaneProcess`/`lockSentinelFile` 레코더 추가 (기존 30+ 테스트 호환 보장).
+
+### 통합 테스트 (zsh)
+
+`tests/test-bug7-post-sentinel-race.sh` (NEW, `test-bug6-worker-idle-false-positive.sh` 패턴 미러):
+- Scenario 1: tmux 세션에 `sleep 600` 띄우고 `_kill_pane_process` 호출 → 2s 안에 `pane_current_command`가 zsh/bash로 회귀.
+- Scenario 2: `_lock_sentinel` → mode 0444 검증 → `_unlock_sentinel` → writable → `rm -f` 성공.
+- Scenario 3 (REAL_E2E gated): 1-iter 캠페인 + stub claude(sentinel write 후 sleep 120) → 10s 후 verdict file mtime delta == 0.
+
+### Self-Verification 시나리오 (CLAUDE.md gate, 3건 필수)
+
+`src/scripts/run_ralph_desk.zsh` 수정 — MEDIUM-HIGH risk:
+- **LOW**: helper 단위 테스트 + 기존 Node/zsh 회귀 테스트 통과.
+- **MEDIUM**: 1-iter 실제 캠페인. Worker → Verifier 전이 시점에 `pane_current_command` 캡처, 2s 내 shell 회귀 검증. Verdict file mtime 동결 검증.
+- **CRITICAL**: 2-iter 캠페인 (verify→fail→verify→pass). iter-N+1 worker dispatch가 iter-N verifier `pane_current_command == zsh` 확인 후에만 발생 — 타임스탬프 로그 캡처. `--mode agent`와 `--mode tmux` 둘 다 실행.
+
+---
+
+## Verification end-to-end
+
+1. **단위**: `node --test tests/node/test-kill-pane-process.test.mjs tests/node/test-lock-sentinel-file.test.mjs` 통과.
+2. **통합 (Node)**: `node --test tests/node/us006-campaign-main-loop.test.mjs` 통과 — call order 단언이 회귀 가드.
+3. **라이브 tmux**: `_kill_pane_process` 호출 후 2s 내 `tmux display-message -p '#{pane_current_command}' -t $pane`가 `zsh`/`bash` 반환.
+4. **mtime 동결**: `stat -f %m verify-verdict.json`을 detect 시점과 +10s 시점에 측정해 delta == 0. Bug report의 1m43s 증거를 직접 반박.
+5. **Pane 출력**: `tmux capture-pane -p` 결과에 `Worked for Xm Ys` / `esc to interrupt` 신규 표식 없음.
+6. **두 모드**: 스모크 테스트를 `--mode tmux`(zsh runner)와 `--mode agent`(Node leader) 각각 실행 — 둘 다 4초 내 shell 회귀 검증.
+7. **재현 시나리오**: 19th launch와 동일 조건(claude opus 1m worker + gpt-5.5:high codex verifier)으로 캠페인 1회 실행 후 leader log + file mtime 비교 — race 0.
+
+---
+
+## Risk / mitigation
+
+| Risk | 가능성 | 완화 |
+|---|---|---|
+| C-c가 producer artifact 쓰기 중간 인터럽트 | LOW — sentinel은 detect 시점에 이미 디스크에 존재 | `MalformedArtifactError` 경로가 partial write 처리 |
+| chmod 0444가 다음 iter cleanup의 `unlink` 차단 | LOW | `_unlock_sentinel` / `unlockSentinelFile`이 unlink 직전 실행. 대부분 Unix FS는 dir-perms 기준이라 0444 파일도 unlink 가능 |
+| Producer가 atomic rename으로 sentinel 재기록 (chmod 우회) | POSSIBLE | Q(kill)이 ~1s 내 producer 죽이므로 rewrite window가 2분 → 1초로 축소. 게다가 leader는 이미 in-band로 sentinel 소비 |
+| `killPaneProcess`가 죽은 pane에 throw | POSSIBLE | helper 내부 catch + 단위 테스트 AC2/AC3로 회귀 가드 |
+| chmod 0444 silent no-op (WSL1/NTFS/tmpfs) | OBSERVED (postinstall.js 선례) | 한 번만 경고 로그. Q(kill)이 primary defense라 graceful degradation |
+| 기존 us006 테스트 회귀 | MEDIUM | `createTmuxFakes()`에 fake helper 레코더 추가 — 기존 호출자는 자동 주입 받음 |

package/docs/rlp-desk/signal-protocol.md

@@ -0,0 +1,93 @@
+# Signal Protocol — current contract + alternatives
+
+**Spec version:** `signal-protocol-v1`
+**Source consensus:** ralplan iter 6 — Architect synthesis, Critic codex APPROVED (P0=0, P1=0)
+**Audience:** maintainers evaluating whether to adopt mailbox-dir, daemon, or in-process IPC alternatives.
+
+---
+
+## 1. Current Contract
+
+rlp-desk routes Worker → Verifier handoff through a **single sentinel file per role per iteration**. The contract has four invariants:
+
+1. **Sentinel = artifact.** Every transition step (`verify`, `verdict`, `flywheel`, `flywheel-guard`) is encoded as a JSON file at a deterministic path under `.rlp-desk/memos/`. The Leader polls the path with `fs.access` + atomic JSON-parse; any partial write is rejected (`jq -e .` gate, see `tests/test-bug7-poll-partial-write.sh`).
+2. **`reapProducer` = lifecycle.** Once the Leader accepts a sentinel (validateArtifact passes), it MUST kill the producing TUI pane and chmod-lock the file. Skipping the reap leaves a self-reviewing claude/codex pane that overwrites the artifact mid-poll (Bug #7).
+3. **Strict ordering: detect → reap → wait shell → next dispatch.** The Leader does NOT dispatch the next role (Verifier after Worker, next-iter Worker after Verifier) until the producing pane's `pane_current_command` has returned to `zsh|bash|sh`. AC-H1 of PR-0b-narrow strengthens this with `waitForProcessExit`.
+4. **First-writer-wins for terminal sentinels.** `blocked.md` and `complete.md` are written via `O_EXCL` (`writeSentinelExclusive`); concurrent error paths cannot trample the canonical exit reason.
+
+The same contract is implemented twice (`src/node/runner/campaign-main-loop.mjs` for `--mode agent`, `src/scripts/run_ralph_desk.zsh` for `--mode tmux`) with bit-for-bit parity on `(reason_text, reason_category, failure_category)` — verified by `tests/test-bug8-refuse-synthesis.sh` Scenario 4.
+
+---
+
+## 2. omc-teams Comparison (mailbox dir, daemon-backed CLI)
+
+[omc-teams](https://github.com/oh-my-claudecode) delivers multi-agent coordination over a **daemon-backed CLI** (`omc team api ...`). Producers append to a per-team mailbox directory; consumers tail it. The reliability contract is enforced by the daemon process, not by file polling.
+
+**What omc-teams gives you:**
+
+- Crash-safe append-only message log (no truncated JSON window).
+- Per-team subscription with backpressure.
+- Cross-process delivery guarantees (daemon survives subprocess restart).
+
+**What's load-bearing in the reliability gain — and what's not:**
+
+The reliability gain is the **daemon**, not the mailbox dir. A bare file-mailbox (without daemon) inherits the same partial-write and self-review failure modes that rlp-desk's sentinel path already guards against, plus a new failure mode: a Worker prompt that misbehaves and dumps multiple JSON files into the mailbox (no single-writer invariant). Architect findings recorded in ralplan iter 6:
+
+> Mailbox-dir without a daemon = same polling reliability as the sentinel approach + worker-prompt failure-mode increase. Adopting it as an intermediate step is strictly worse than the current contract.
+
+So if rlp-desk wants the actual omc-teams reliability profile, it must adopt the **daemon**, not just the directory layout. That is the `Track B` work, not a sentinel rewrite.
+
+---
+
+## 3. claude code `/team` Comparison (in-process TeamCreate + SendMessage)
+
+The Claude Code SDK exposes `TeamCreate` + `SendMessage` for in-process subagent coordination. This is fundamentally different:
+
+| Property | rlp-desk sentinel | claude `/team` |
+|---|---|---|
+| Process model | Standalone tmux runner | Single-process subagent tree |
+| IPC channel | Filesystem | In-memory message bus |
+| Failure mode | Pane death, partial write | Subagent throw |
+| Lifetime | Survives leader exit | Dies with parent |
+
+`/team` is **not applicable** to a standalone tmux runner. rlp-desk explicitly supports the use case where the Leader can crash, the user can detach the tmux session, and a fresh Leader process can resume against the on-disk sentinel state. `/team` cannot be paused, snapshotted, or resumed across processes — by design.
+
+---
+
+## 4. Why rlp-desk does NOT adopt mailbox-dir
+
+Architect/Critic codex consensus iter 6 rejected swapping the sentinel contract for a mailbox-dir for three concrete reasons:
+
+1. **No reliability gain without the daemon.** Section 2 above. The daemon is the load-bearing piece; the directory is a side-effect of the daemon's protocol.
+2. **Increased Worker-prompt failure surface.** Today the Worker is held to a single-writer contract: it MUST write `iter-signal.json` exactly once. A mailbox flips this to "append any number of messages and the daemon picks the latest" — a much weaker prompt-side invariant that empirically breaks under the kind of multi-pass self-review failures that Bug #7 was created to fix.
+3. **Migration cost without commensurate benefit.** Two implementations (Node + zsh), Self-Verification Gate matrix (LOW/MEDIUM/CRITICAL × `--mode tmux/agent`), backwards compatibility for in-flight campaigns, and downstream wrapper tools (analytics, blueprints, Test Spec) all assume the sentinel contract. Replacing it is a multi-PR migration with no incremental win until the daemon ships.
+
+The bug-fix track (Bug #6 worker-dead, Bug #7 post-sentinel-race, Bug #8 refuse-synthesize) closes the actual reliability gaps inside the sentinel contract and is strictly cheaper than the mailbox migration.
+
+---
+
+## 5. Track B Roadmap — daemon-backed `rlp-desk team api`
+
+When the project is ready to adopt the omc-teams reliability profile, the migration looks like this:
+
+**Track B — Phase 1 (PoC, separate ralplan):**
+- New CLI: `rlp-desk team api start|stop|status|send|recv`
+- Daemon process (`rlp-desk-teamd`) owns a per-campaign mailbox under `~/.rlp-desk/team/{slug}/`.
+- Leader and Workers route through the CLI; no direct file polling.
+- File-system fallback retained for the migration window — daemon down ⇒ degrade to sentinel mode.
+
+**Track B — Phase 2 (cutover):**
+- Sentinel reads behind a feature flag (`RLP_TEAM_API=1`).
+- Self-Verification Gate matrix extended: each scenario runs once per backend (sentinel + team-api).
+- Wrapper tools (analytics, blueprints) updated to consume the new event stream.
+
+**Track B — Phase 3 (deprecation):**
+- Sentinel path removed from runtime once team-api has burned in for ≥1 release.
+- Documentation rolled forward; `signal-protocol-v1` archived.
+
+Dependencies:
+- Daemon implementation (~600 LoC Node, drawing on Bun's IPC primitives or plain `node:net`).
+- Integration test harness for daemon crash recovery.
+- Self-Verification Gate parity matrix (Node × zsh × team-api).
+
+This track is **explicitly out of scope** for the Bug #6/#7/#8 plan v6. It is captured here so future maintainers do not interpret "rlp-desk does not use a mailbox" as an oversight — it is a deliberate architectural decision with a known successor path.

package/install.sh

@@ -115,6 +115,8 @@ fetch "$REPO_URL/docs/rlp-desk/getting-started.md" "$DESK_DIR/docs/rlp-desk/gett
 fetch "$REPO_URL/docs/rlp-desk/protocol-reference.md" "$DESK_DIR/docs/rlp-desk/protocol-reference.md"
 fetch "$REPO_URL/docs/rlp-desk/TODO-verification-next.md" "$DESK_DIR/docs/rlp-desk/TODO-verification-next.md"
 fetch "$REPO_URL/docs/rlp-desk/multi-mission-orchestration.md" "$DESK_DIR/docs/rlp-desk/multi-mission-orchestration.md"
+# Plan v6 PR-0a: signal protocol documentation
+fetch "$REPO_URL/docs/rlp-desk/signal-protocol.md" "$DESK_DIR/docs/rlp-desk/signal-protocol.md"
 # Dev meta docs (v5.7 §4.15: under docs/rlp-desk/ to avoid mixing with user docs)
 fetch "$REPO_URL/docs/rlp-desk/internal/verification-policy-gap-analysis.md" "$DESK_DIR/docs/rlp-desk/internal/verification-policy-gap-analysis.md"
 fetch "$REPO_URL/docs/rlp-desk/internal/verification-strategy-research.md" "$DESK_DIR/docs/rlp-desk/internal/verification-strategy-research.md"

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ai-dev-methodologies/rlp-desk",
-  "version": "0.14.5",
+  "version": "0.15.0",
   "description": "Fresh-context iterative loops for Claude Code — autonomous task completion with independent verification",
   "scripts": {
     "postinstall": "node scripts/postinstall.js",

package/scripts/postinstall.js

@@ -33,6 +33,8 @@ const runtimeSources = [
   ["docs/rlp-desk/protocol-reference.md", path.join(docsDir, "rlp-desk", "protocol-reference.md")],
   ["docs/rlp-desk/TODO-verification-next.md", path.join(docsDir, "rlp-desk", "TODO-verification-next.md")],
   ["docs/rlp-desk/multi-mission-orchestration.md", path.join(docsDir, "rlp-desk", "multi-mission-orchestration.md")],
+  // Plan v6 PR-0a: signal protocol documentation (Architect/Critic codex iter 6).
+  ["docs/rlp-desk/signal-protocol.md", path.join(docsDir, "rlp-desk", "signal-protocol.md")],
 ];
 // v0.14.0: legacy-deletion list cleared. The Node-canonical era (v5.7+)
 // removed zsh after install; v0.14.0 reverts that — the zsh runner is the

package/src/commands/rlp-desk.md

@@ -89,6 +89,14 @@ Ask about these items one by one (or in small groups):
    - **gpt-5.5:medium** — default recommendation (full context window, progressive upgrade handles harder US)
    - **spark:high** — only when US is small enough for spark's 100k context (single-file, AC count <= 4, simple logic). Do NOT use as primary recommendation — spark context window is too small for most tasks
 
+   **Context window behavior (claude models — v0.14.6+)**:
+   - All claude models default to **200K**. `sonnet` and `opus` aliases both run at the standard window.
+   - To request 1M, append the explicit `[1m]` suffix on the full model id:
+     - `claude-opus-4-7[1m]` — 1M attempted via `ANTHROPIC_BETA=context-1m-2025-08-07`. Works on most Claude Max accounts.
+     - `claude-sonnet-4-6[1m]` — 1M attempted, **but** requires the Anthropic "Extra usage" toggle at https://claude.ai/settings/usage. Without that toggle the worker fails at the first API call with `Extra usage is required for 1M context`.
+   - rlp-desk does NOT pre-check entitlement — the explicit `[1m]` is honored as-is. If the API rejects it, you will see the error immediately and can re-run with the standard alias or the opus 1M form.
+   - **Default recommendation when 1M is genuinely needed:** prefer `claude-opus-4-7[1m]` over `claude-sonnet-4-6[1m]` because opus 1M does not require a separate entitlement toggle.
+
    Present complexity score with evidence to the user, e.g.: "I rate this MEDIUM because: US count=4 (MEDIUM), file scope=2 (MEDIUM), logic=conditionals (MEDIUM), deps=none (LOW), impact=modify (MEDIUM). Highest=MEDIUM."
 
    **If codex IS installed** — say: "Codex is installed. I recommend cross-engine Worker for cost savings (Pro token pool separation) and cross-engine blind-spot coverage (claude Verifier catches issues codex Worker misses)."

package/src/node/cli/command-builder.mjs

@@ -1,5 +1,5 @@
 import { shellQuote } from '../util/shell-quote.mjs';
-import { OPUS_1M_BETA, isOpusModel } from '../constants.mjs';
+import { ONE_MILLION_BETA, wantsOneMillionContext } from '../constants.mjs';
 
 const CLAUDE_BIN = 'claude';
 const CODEX_BIN = 'codex';
@@ -32,12 +32,14 @@ function assertTuiMode(mode, builderName) {
 export function buildClaudeCmd(mode, model, options = {}) {
   assertTuiMode(mode, 'buildClaudeCmd');
 
-  // v5.7 §4.9: auto-enable 1M-token context for Opus models. Long campaigns
-  // no longer silently truncate at 200K. Header is benign for non-Opus calls
-  // but we omit it there to keep the cmdline tidy.
+  // v0.14.6: 1M context is opt-in only via the explicit '[1m]' suffix.
+  // opus / sonnet / claude-opus-4-7 (no suffix) all run at the standard
+  // 200K context. Adding '[1m]' on either opus or sonnet model id injects
+  // the ANTHROPIC_BETA header and attempts the 1M window — sonnet[1m] still
+  // requires Anthropic "Extra usage" entitlement at the API layer.
   const parts = ['DISABLE_OMC=1'];
-  if (isOpusModel(model)) {
-    parts.push(`ANTHROPIC_BETA=${shellQuote(OPUS_1M_BETA)}`);
+  if (wantsOneMillionContext(model)) {
+    parts.push(`ANTHROPIC_BETA=${shellQuote(ONE_MILLION_BETA)}`);
   }
   parts.push(
     CLAUDE_BIN,

package/src/node/constants.mjs

@@ -1,19 +1,21 @@
 // Shared runtime constants. Single-source for cross-module values.
 
-// Anthropic Claude API beta header that activates the 1M-token context window
-// for Opus models. Auto-prepended to every claude CLI invocation that uses
-// --model opus so long campaigns no longer silently truncate at 200K.
+// Anthropic Claude API beta header for the 1M-token context window. Injected
+// only when the user explicitly opts in via the '[1m]' suffix on the model
+// id — see wantsOneMillionContext() below.
 //
 // Docs: https://docs.anthropic.com/en/docs/build-with-claude/context-windows
 // (search "1M context") — header rotates with each beta phase.
-export const OPUS_1M_BETA = 'context-1m-2025-08-07';
+export const ONE_MILLION_BETA = 'context-1m-2025-08-07';
 
-// Model id that triggers Opus 1M auto-enable. Plain string match against the
-// --model value (post-shellQuote stripping). Bracketed form
-// 'claude-opus-4-7[1m]' is also Opus and benefits from this; pattern match
-// covers both.
-export function isOpusModel(model) {
+// v0.14.6: 1M context is opt-in only via the explicit '[1m]' suffix on the
+// model id. Previously rlp-desk auto-injected ANTHROPIC_BETA for any opus
+// model; in practice that produced surprising results (opus alias still
+// reported a 200K window in real CLI calls, and sonnet[1m] requires a
+// separate "Extra usage" entitlement). New rule: user is the source of
+// truth. Type the suffix to opt in; otherwise both opus and sonnet run at
+// the standard 200K context.
+export function wantsOneMillionContext(model) {
   if (!model) return false;
-  const m = String(model).toLowerCase();
-  return m === 'opus' || m.startsWith('claude-opus-');
+  return String(model).toLowerCase().endsWith('[1m]');
 }

package/src/node/runner/campaign-main-loop.mjs

@@ -7,10 +7,15 @@ import { promisify } from 'node:util';
 
 import { buildClaudeCmd, buildCodexCmd, parseModelFlag } from '../cli/command-builder.mjs';
 import { shellQuote } from '../util/shell-quote.mjs';
-import { OPUS_1M_BETA, isOpusModel } from '../constants.mjs';
+import { ONE_MILLION_BETA, wantsOneMillionContext } from '../constants.mjs';
 import { initCampaign } from '../init/campaign-initializer.mjs';
 import { LEGACY_DESK_REL, resolveDeskRoot } from '../util/desk-root.mjs';
-import { writeSentinelExclusive } from '../shared/fs.mjs';
+import {
+  lockSentinelFile as defaultLockSentinelFile,
+  stampAckField as defaultStampAckField,
+  unlockSentinelFile,
+  writeSentinelExclusive,
+} from '../shared/fs.mjs';
 import {
   TimeoutError,
   WorkerExitedError,
@@ -29,7 +34,10 @@ import {
 } from '../reporting/campaign-reporting.mjs';
 import {
   createPane as defaultCreatePane,
+  killPaneProcess as defaultKillPaneProcess,
   sendKeys as defaultSendKeys,
+  sendRawKey as defaultSendRawKey,
+  waitForProcessExit as defaultWaitForProcessExit,
 } from '../tmux/pane-manager.mjs';
 
 const execFileAsync = promisify(execFile);
@@ -128,6 +136,39 @@ function buildPaths(rootDir, slug, env = process.env) {
 };
 }
 
+// Bug #8 PR-B: default git working-tree probe. Inline (~20 LoC) — no new
+// module per Architect/Critic codex iter 6 consensus. Tests inject a stub via
+// run() option `checkWorkingTree`.
+//   - returns { ok: false, error } when git rev-parse fails (not a repo, etc).
+//   - returns { ok: true, dirty: bool, dirtyFiles[] } otherwise.
+//   - dirtyFiles are raw `git status --porcelain` lines (caller truncates).
+async function _defaultCheckWorkingTree(rootDir) {
+  try {
+    const { stdout: top } = await execFileAsync('git', ['-C', rootDir, 'rev-parse', '--show-toplevel']);
+    const trimmed = top.trim();
+    // macOS `/var` resolves to `/private/var`; symlinks elsewhere too. Compare
+    // canonical realpaths via fs.realpath so the comparison does not fire on
+    // symlink-equivalent paths.
+    const [topCanon, rootCanon] = await Promise.all([
+      fs.realpath(trimmed).catch(() => trimmed),
+      fs.realpath(rootDir).catch(() => rootDir),
+    ]);
+    if (topCanon !== rootCanon) {
+      // Worker is in a sub-tree, not the campaign root. Refuse to classify.
+      return { ok: false, error: `git toplevel ${trimmed} != ${rootDir}` };
+    }
+  } catch (err) {
+    return { ok: false, error: err?.message ?? String(err) };
+  }
+  try {
+    const { stdout } = await execFileAsync('git', ['-C', rootDir, 'status', '--porcelain']);
+    const lines = stdout.split('\n').filter(Boolean);
+    return { ok: true, dirty: lines.length > 0, dirtyFiles: lines };
+  } catch (err) {
+    return { ok: false, error: err?.message ?? String(err) };
+  }
+}
+
 async function exists(targetPath) {
   try {
     await fs.access(targetPath);
@@ -534,6 +575,12 @@ export const BLOCK_TAGS = Object.freeze({
   MALFORMED_ARTIFACT: 'malformed_artifact',
   // Backstop (run() try/finally)
   LEADER_EXITED_WITHOUT_TERMINAL_STATE: 'leader_exited_without_terminal_state',
+  // Bug #8 (Plan v6 PR-B): refuse to synthesize verify signal when codex
+  // worker exited without committing. Three new tags route through
+  // _handlePollFailure with reasonOverride/categoryOverride.
+  CODEX_EXIT_NO_DONE_CLAIM: 'codex_exit_no_done_claim',
+  GIT_STATE_UNVERIFIABLE: 'git_state_unverifiable',
+  WORKER_INCOMPLETE_UNCOMMITTED: 'worker_incomplete_uncommitted',
 });
 
 // P1-D Failure Taxonomy classifier. governance §1f locks the reason_category
@@ -619,6 +666,32 @@ function _classifyBlock(source, { verdict, state, slug } = {}) {
       action = 'investigate_leader_logs';
       failureCategory = 'leader_exited_without_terminal_state';
       break;
+    // Bug #8 PR-B — codex worker exited but did not write done-claim. Refuse
+    // to synthesize a verify signal; surface as infra_failure so wrapper does
+    // not retry blindly.
+    case BLOCK_TAGS.CODEX_EXIT_NO_DONE_CLAIM:
+      category = 'infra_failure';
+      recoverable = false;
+      action = 'investigate_pane_logs';
+      failureCategory = 'codex_exit_no_done_claim';
+      break;
+    // Bug #8 PR-B — git status could not be resolved (not a repo, git binary
+    // missing, etc). Without git we cannot prove the working tree is clean,
+    // so refuse to synthesize.
+    case BLOCK_TAGS.GIT_STATE_UNVERIFIABLE:
+      category = 'infra_failure';
+      recoverable = false;
+      action = 'investigate_git_state';
+      failureCategory = 'git_state_unverifiable';
+      break;
+    // Bug #8 PR-B — worker said it was done (done-claim present) but the tree
+    // is dirty. Recoverable: next iteration's worker can finish committing.
+    case BLOCK_TAGS.WORKER_INCOMPLETE_UNCOMMITTED:
+      category = 'metric_failure';
+      recoverable = true;
+      action = 'retry_after_fix';
+      failureCategory = 'worker_incomplete_uncommitted';
+      break;
     default:
       category = 'metric_failure';
       recoverable = false;
@@ -650,9 +723,41 @@ async function _handlePollFailure(error, ctx) {
     options,
     role, // 'worker' | 'verifier' | 'final_verifier' | 'flywheel' | 'guard'
     usIdOverride,
+    // Bug #8 PR-B: when the caller has already classified the failure (e.g.
+    // codex done-claim/git gate), forward an explicit BLOCK_TAGS value as
+    // categoryOverride and a reason string. Named `categoryOverride` per
+    // Plan v6 PRD (it overrides the tag→reason_category mapping). Existing 5
+    // callers omit both and the legacy error→tag mapping below runs unchanged.
+    categoryOverride,
+    reasonOverride,
   } = ctx;
   const usId = usIdOverride ?? state.current_us;
 
+  if (categoryOverride) {
+    state.phase = 'blocked';
+    const classification = _classifyBlock(categoryOverride, { state, slug });
+    const reasonText = reasonOverride ?? `${role} blocked: ${categoryOverride}`;
+    await writeSentinel(paths.blockedSentinel, 'blocked', usId, reasonText, classification, paths);
+    await writeStatus(paths, state, options.onStatusChange, options.now);
+    await generateCampaignReport({
+      slug,
+      reportFile: paths.reportFile,
+      prdFile: paths.prdFile,
+      statusFile: paths.statusFile,
+      analyticsFile: paths.analyticsFile,
+      now: resolveNow(options.now),
+      blockedReason: reasonText,
+      blockedCategory: classification.reason_category,
+    });
+    return {
+      status: 'blocked',
+      usId,
+      reason: reasonText,
+      category: classification.reason_category,
+      statusFile: paths.statusFile,
+    };
+  }
+
   let tag;
   let reason;
   if (error instanceof WorkerExitedError) {
@@ -872,6 +977,10 @@ async function runFinalSequentialVerify({
   pollForSignal,
   runIntegrationCheck,
   iterTimeoutMs,
+  // Bug #7 Fix-Q/R: optional reaper. Passed from _runCampaignBody so each
+  // per-US verdict kills the verifier TUI before the next per-US dispatch
+  // reuses the same pane. No-op when undefined (legacy/test callers).
+  reapProducer,
 }) {
   const verifierModel = state.final_verifier_model;
 
@@ -893,6 +1002,10 @@ async function runFinalSequentialVerify({
       timeoutMs: iterTimeoutMs,
     });
 
+    if (typeof reapProducer === 'function') {
+      await reapProducer(verifierPaneId, paths.verdictFile);
+    }
+
     if (verdict.verdict !== 'pass') {
       return {
         status: 'continue',
@@ -933,9 +1046,11 @@ async function runFinalSequentialVerify({
 const HOME_DESK_DIR = path.join(os.homedir(), '.claude', 'ralph-desk');
 
 function buildAutonomousClaudeCmd({ promptFile, model, rootDir, homeDeskDir = HOME_DESK_DIR }) {
-  // §4.9: ANTHROPIC_BETA prefix for Opus 1M context.
-  const betaPrefix = isOpusModel(model)
-    ? `ANTHROPIC_BETA=${shellQuote(OPUS_1M_BETA)} `
+  // v0.14.6: ANTHROPIC_BETA prefix injected only when the model id ends
+  // with explicit '[1m]' suffix. opus / sonnet / claude-opus-4-7 (no
+  // suffix) all run at the standard 200K context.
+  const betaPrefix = wantsOneMillionContext(model)
+    ? `ANTHROPIC_BETA=${shellQuote(ONE_MILLION_BETA)} `
     : '';
   // §4.11.a: --add-dir whitelist (home rlp-desk + campaign cwd) for true autonomy.
   const addDirParts = [];
@@ -1076,6 +1191,46 @@ async function _runCampaignBody(slug, options, paths, rootDir) {
   const createPane = options.createPane ?? defaultCreatePane;
   const createSession = options.createSession ?? defaultCreateSession;
   const pollForSignal = options.pollForSignal ?? defaultPollForSignal;
+  // Bug #7 Fix-Q/R: post-sentinel reaper. Producer (claude/codex TUI) must be
+  // interrupted the moment leader has consumed the sentinel; otherwise the
+  // pane lingers in idle prompt and self-reviews for ~2min. lockSentinel
+  // freezes the file mtime as defense-in-depth. All four are injectable so
+  // existing tests with fake sendKeys keep working (us006 createTmuxFakes).
+  const sendRawKey = options.sendRawKey ?? defaultSendRawKey;
+  const waitForProcessExit = options.waitForProcessExit ?? defaultWaitForProcessExit;
+  const killPaneProcess = options.killPaneProcess ?? defaultKillPaneProcess;
+  const lockSentinel = options.lockSentinelFile ?? defaultLockSentinelFile;
+  const stampAckField = options.stampAckField ?? defaultStampAckField;
+  const reapProducer = async (paneId, sentinelFile) => {
+    if (!paneId) return;
+    await killPaneProcess(paneId, {
+      sendRawKey,
+      waitForExit: waitForProcessExit,
+      log: (msg) => console.error(msg),
+    });
+    // PR-0b-narrow AC-H1: after killPaneProcess, wait for the producing
+    // process to actually exit before continuing. waitForProcessExit returns
+    // when pane_current_command resolves to a shell (zsh/bash/sh). Wrapped
+    // in try/catch — failure here is non-fatal but emits a log entry.
+    try {
+      await waitForProcessExit(paneId, { timeoutMs: 5000 });
+    } catch (err) {
+      console.error(`[handshake] waitForProcessExit failed on ${paneId} (${err?.message ?? err}); continuing`);
+    }
+    if (sentinelFile) {
+      await lockSentinel(sentinelFile, { log: (msg) => console.error(msg) });
+      // PR-0b-narrow AC-H2: stamp the leader_ack audit field. Best-effort,
+      // does not block subsequent dispatch.
+      await stampAckField(sentinelFile, {
+        acked_by: 'leader',
+        acked_at: new Date(resolveNow(options.now)).toISOString(),
+        ack_pane_state: 'shell',
+      }, { log: (msg) => console.error(msg) });
+    }
+  };
+  // Bug #8 PR-B: working-tree probe injected (or default execFile git).
+  // Returns { ok: boolean, dirty?: boolean, dirtyFiles?: string[], error?: string }.
+  const checkWorkingTree = options.checkWorkingTree ?? _defaultCheckWorkingTree;
   const runIntegrationCheck = options.runIntegrationCheck ?? (async () => ({ exitCode: 0, summary: 'integration skipped' }));
   const maxIterations = options.maxIterations ?? 100;
   // v5.7 §4.19: campaign-level pollForSignal timeout (Node leader fix).
@@ -1141,6 +1296,11 @@ async function _runCampaignBody(slug, options, paths, rootDir) {
   let _laneSnapshot = await _snapshotLaneMtimes(paths);
 
   while (state.iteration <= maxIterations) {
+    // Bug #7 Fix-R defensive unlock: a 0o444 sentinel left from the previous
+    // iteration must not block the next producer's atomic-rename write.
+    // Idempotent: missing-file calls are no-ops.
+    await unlockSentinelFile(paths.signalFile);
+    await unlockSentinelFile(paths.verdictFile);
     // Audit drift from the prior iteration before doing anything new.
     const _laneSnapshotAfter = await _snapshotLaneMtimes(paths);
     const _laneViolations = await _checkLaneViolations(paths, _laneSnapshot, _laneSnapshotAfter, state, options);
@@ -1189,6 +1349,7 @@ async function _runCampaignBody(slug, options, paths, rootDir) {
           pollForSignal,
           runIntegrationCheck,
           iterTimeoutMs,
+          reapProducer,
         });
       } catch (error) {
         // v5.7 §4.25 — uniform poll-failure handling for final verifier.
@@ -1280,12 +1441,17 @@ async function _runCampaignBody(slug, options, paths, rootDir) {
         });
       }
 
+      // Bug #7 Fix-Q/R: reap flywheel pane before consuming the signal.
+      await reapProducer(state.flywheel_pane_id ?? state.verifier_pane_id, paths.flywheelSignalFile);
+
       state.last_flywheel_decision = flywheelSignal.decision;
       // P0-A multi-mission orchestration: optionally captured from flywheel signal.
       // null when the flywheel did not suggest a next mission. Consumer wrappers
       // poll status.next_mission_candidate to chain missions without code edits.
       // See docs/multi-mission-orchestration.md.
       state.next_mission_candidate = flywheelSignal.next_mission_candidate ?? null;
+      // Bug #7 Fix-R cleanup: unlock before unlink so 0o444 doesn't block.
+      await unlockSentinelFile(paths.flywheelSignalFile);
       await fs.unlink(paths.flywheelSignalFile).catch(() => {});
 
       // Flywheel Guard (independent validation of flywheel decision)
@@ -1318,11 +1484,15 @@ async function _runCampaignBody(slug, options, paths, rootDir) {
           });
         }
 
+        // Bug #7 Fix-Q/R: reap guard pane before mutating state.
+        await reapProducer(guardPaneId, paths.flywheelGuardVerdictFile);
+
         if (!state.flywheel_guard_count[state.current_us]) {
           state.flywheel_guard_count[state.current_us] = 0;
         }
         state.flywheel_guard_count[state.current_us] += 1;
 
+        await unlockSentinelFile(paths.flywheelGuardVerdictFile);
         await fs.unlink(paths.flywheelGuardVerdictFile).catch(() => {});
 
         if (guardVerdict.verdict === 'inconclusive') {
@@ -1430,8 +1600,43 @@ async function _runCampaignBody(slug, options, paths, rootDir) {
       });
     } catch (error) {
       if (error instanceof TimeoutError && parseModelFlag(state.worker_model).engine === 'codex') {
-        // v5.7 — codex CLI exits cleanly after writing signal; if pollForSignal
-        // timed out for codex, synthesize a verify signal so the loop continues.
+        // Bug #8 PR-B 4-way gate: refuse to synthesize verify signal when
+        // codex worker exited without committing real work.
+        //   1. done-claim absent          → BLOCKED infra_failure
+        //   2. git unverifiable           → BLOCKED infra_failure
+        //   3. done-claim + dirty tree    → BLOCKED metric_failure
+        //   4. done-claim + clean tree    → synthesize verify (legacy path)
+        const doneClaimExists = await exists(paths.doneClaimFile);
+        if (!doneClaimExists) {
+          return _handlePollFailure(error, {
+            paths, state, slug, options,
+            role: 'worker',
+            categoryOverride: BLOCK_TAGS.CODEX_EXIT_NO_DONE_CLAIM,
+            reasonOverride:
+              'codex worker exited (timeout) without writing done-claim; refusing to synthesize verify signal',
+          });
+        }
+        const tree = await checkWorkingTree(rootDir);
+        if (!tree.ok) {
+          return _handlePollFailure(error, {
+            paths, state, slug, options,
+            role: 'worker',
+            categoryOverride: BLOCK_TAGS.GIT_STATE_UNVERIFIABLE,
+            reasonOverride:
+              `git status unverifiable (${tree.error ?? 'unknown'}); refusing to synthesize verify signal`,
+          });
+        }
+        if (tree.dirty) {
+          const sample = (tree.dirtyFiles ?? []).slice(0, 5).join(', ');
+          return _handlePollFailure(error, {
+            paths, state, slug, options,
+            role: 'worker',
+            categoryOverride: BLOCK_TAGS.WORKER_INCOMPLETE_UNCOMMITTED,
+            reasonOverride:
+              `worker_incomplete_uncommitted: done-claim present but tree dirty (${sample || 'no file list'})`,
+          });
+        }
+        // Clean tree — preserve the legacy synthesize behaviour.
         signal = {
           iteration: state.iteration,
           status: 'verify',
@@ -1448,6 +1653,11 @@ async function _runCampaignBody(slug, options, paths, rootDir) {
       }
     }
 
+    // Bug #7 Fix-Q/R: reap the worker pane the instant we accept the signal so
+    // claude/codex cannot self-review and rewrite iter-signal.json. Runs even
+    // for the codex-fallback synthesized signal (no-op on a dead pane).
+    await reapProducer(state.worker_pane_id, paths.signalFile);
+
     // US-019 R7 P1-G: verify_partial malformed downgrade.
     // verify_partial requires verified_acs[] to be a non-empty array. Otherwise the verifier
     // has nothing to evaluate and we must treat the signal as broken contract → blocked.
@@ -1517,6 +1727,11 @@ async function _runCampaignBody(slug, options, paths, rootDir) {
       });
     }
 
+    // Bug #7 Fix-Q/R: reap verifier pane immediately after accepting the
+    // verdict — without this the codex/claude TUI keeps running for ~2min and
+    // can rewrite verify-verdict.json (mtime drift observed in 19th launch).
+    await reapProducer(state.verifier_pane_id, paths.verdictFile);
+
     if (verdict.verdict === 'pass') {
       state.consecutive_failures = 0;
       if (!state.verified_us.includes(usId)) {

package/src/node/shared/fs.mjs

@@ -59,3 +59,86 @@ export async function writeSentinelExclusive(targetPath, content) {
   }
   return { wrote: true };
 }
+
+// Bug #7 Fix-R: best-effort chmod 0o444 to freeze a sentinel file once the
+// leader has accepted it. Mirror of scripts/postinstall.js tryLockFile (L104).
+// Some filesystems silently ignore chmod (WSL1/NTFS, tmpfs); we log once and
+// continue. Q (process kill) is the primary defense; R is defense-in-depth.
+let _sentinelLockWarningEmitted = false;
+export async function lockSentinelFile(filePath, { log = (msg) => console.error(msg) } = {}) {
+  try {
+    await fs.chmod(filePath, 0o444);
+  } catch (err) {
+    if (err && err.code === 'ENOENT') {
+      // File missing is not an error — sentinel may have been consumed and
+      // unlinked by a concurrent path. Idempotent no-op.
+      return;
+    }
+    if (!_sentinelLockWarningEmitted) {
+      log(`[bug7] chmod 0444 on ${filePath} failed (${err?.code ?? 'unknown'}); post-sentinel write-protection unavailable on this FS.`);
+      _sentinelLockWarningEmitted = true;
+    }
+  }
+}
+
+// Pair to lockSentinelFile. Called before fs.unlink in iter-cleanup paths so
+// subsequent atomic-rename writes never see EACCES on the destination mode.
+// Idempotent — missing file or already-writable is fine.
+export async function unlockSentinelFile(filePath) {
+  try {
+    await fs.chmod(filePath, 0o644);
+  } catch {
+    // best-effort; cleanup proceeds regardless.
+  }
+}
+
+// PR-0b-narrow (Plan v6) — stamp leader handshake ack onto an already-locked
+// sentinel. Best-effort, audit-only: the contract is "if we can write, do; if
+// not, swallow". Callers must NOT depend on the ack landing for hard ordering
+// semantics (use waitForProcessExit + the chmod 0o444 lock for that). The
+// resulting `content.leader_ack` is auxiliary metadata so post-mortem audits
+// can prove which Leader iteration consumed which sentinel.
+//
+// Sequence (mirrored in src/scripts/lib_ralph_desk.zsh::_stamp_ack_field):
+//   1. chmod 0o644 (so we can write — sentinel was locked by lockSentinelFile)
+//   2. JSON.parse
+//   3. merge ack as content.leader_ack
+//   4. atomic write
+//   5. chmod 0o444 (re-lock)
+//
+// All steps wrapped in try/catch; any failure is silently dropped. Failure
+// modes that we deliberately swallow:
+//   - File missing (sentinel was unlinked by a concurrent path).
+//   - Malformed JSON (race with a partial-write window — Bug #7 already gates
+//     this on the read side, but stampAckField may still observe it during
+//     transitional iterations).
+//   - chmod ENOTSUP / WSL1 / NTFS (recorded in Bug #7 fixes).
+export async function stampAckField(filePath, ack, { log = (msg) => console.error(msg) } = {}) {
+  try {
+    await fs.chmod(filePath, 0o644);
+  } catch (err) {
+    if (err && err.code === 'ENOENT') return; // sentinel gone — nothing to stamp
+    // chmod failure is non-fatal — try the write anyway in case the FS already allows it
+  }
+  let content;
+  try {
+    const raw = await fs.readFile(filePath, 'utf8');
+    content = JSON.parse(raw);
+  } catch (err) {
+    log(`[stamp-ack] read/parse failed for ${filePath} (${err?.code ?? err?.message ?? 'unknown'}); ack dropped (audit-only)`);
+    // Re-lock if possible — best-effort.
+    try { await fs.chmod(filePath, 0o444); } catch {}
+    return;
+  }
+  if (!content || typeof content !== 'object') {
+    try { await fs.chmod(filePath, 0o444); } catch {}
+    return;
+  }
+  content.leader_ack = ack;
+  try {
+    await fs.writeFile(filePath, `${JSON.stringify(content, null, 2)}\n`, 'utf8');
+  } catch (err) {
+    log(`[stamp-ack] write failed for ${filePath} (${err?.code ?? err?.message ?? 'unknown'}); ack dropped`);
+  }
+  try { await fs.chmod(filePath, 0o444); } catch {}
+}

package/src/node/tmux/pane-manager.mjs

@@ -52,6 +52,12 @@ export async function sendKeys(paneId, command) {
   await runTmux(['send-keys', '-t', paneId, 'Enter'], { paneId });
 }
 
+// Bug #7 Fix-Q: send a raw tmux key (e.g. C-c) without the `-l --` literal-text
+// flag. Distinct from sendKeys() so callers can interrupt a running TUI.
+export async function sendRawKey(paneId, key) {
+  await runTmux(['send-keys', '-t', paneId, key], { paneId });
+}
+
 export async function waitForProcessExit(
   paneId,
   { pollIntervalMs = 100, timeoutMs = 5000 } = {},
@@ -75,3 +81,36 @@ export async function waitForProcessExit(
     paneId,
   });
 }
+
+// Bug #7 Fix-Q: terminate the TUI process producing a sentinel file the moment
+// the leader has accepted it. Without this, claude/codex returns to its idle
+// prompt and continues self-review for 1-2 minutes, racing the next iteration.
+// Mirror of zsh pattern at run_ralph_desk.zsh:2384-2397, 375-376, 529-530.
+// Fail-open: pane may already be dead from prior teardown, or waitForExit may
+// time out — neither aborts the iteration.
+export async function killPaneProcess(
+  paneId,
+  {
+    sendRawKey: sendRawKeyImpl = sendRawKey,
+    waitForExit = waitForProcessExit,
+    gracePeriodMs = 800,
+    exitTimeoutMs = 5000,
+    log = () => {},
+  } = {},
+) {
+  const safeSend = async (key) => {
+    try {
+      await sendRawKeyImpl(paneId, key);
+    } catch (err) {
+      log(`[bug7] killPaneProcess sendRawKey ${key} failed for ${paneId}: ${err?.message ?? err}`);
+    }
+  };
+  await safeSend('C-c');
+  await new Promise((resolve) => setTimeout(resolve, gracePeriodMs));
+  await safeSend('C-c');
+  try {
+    await waitForExit(paneId, { timeoutMs: exitTimeoutMs });
+  } catch (err) {
+    log(`[bug7] killPaneProcess waitForExit failed for ${paneId}: ${err?.message ?? err}`);
+  }
+}

package/src/scripts/lib_ralph_desk.zsh

@@ -46,17 +46,19 @@ build_claude_cmd() {
   # Defends against bracketed model ids like 'claude-opus-4-7[1m]' (zsh char-class glob),
   # spaces, embedded quotes, etc. Plain "$model" would let zsh expand brackets as glob.
   #
-  # v5.7 §4.9: auto-enable Opus 1M context window via ANTHROPIC_BETA env. Mirror
-  # of src/node/constants.mjs OPUS_1M_BETA. Update both on header rotation.
-  local _opus_beta=""
+  # v0.14.6: ANTHROPIC_BETA injected only when the model id ends with the
+  # explicit '[1m]' suffix. opus / sonnet / claude-opus-4-7 (no suffix) all
+  # run at the standard 200K context. Mirror of src/node/constants.mjs
+  # ONE_MILLION_BETA + wantsOneMillionContext(). Update both on rotation.
+  local _onem_beta=""
   case "$model" in
-    opus|claude-opus-*) _opus_beta="ANTHROPIC_BETA='context-1m-2025-08-07' " ;;
+    *\[1m\]) _onem_beta="ANTHROPIC_BETA='context-1m-2025-08-07' " ;;
   esac
   # v5.7 §4.11.a: --add-dir whitelist for autonomous mode. ROOT (campaign cwd)
   # plus home rlp-desk tree authorized for read/write without TUI prompts.
   local _home_desk="$HOME/.claude/ralph-desk"
   local _add_dirs="--add-dir ${(qq)_home_desk} --add-dir ${(qq)ROOT}"
-  local base="DISABLE_OMC=1 ${_opus_beta}$CLAUDE_BIN --model ${(qq)model} --mcp-config '{\"mcpServers\":{}}' --strict-mcp-config --dangerously-skip-permissions ${_add_dirs}"
+  local base="DISABLE_OMC=1 ${_onem_beta}$CLAUDE_BIN --model ${(qq)model} --mcp-config '{\"mcpServers\":{}}' --strict-mcp-config --dangerously-skip-permissions ${_add_dirs}"
   if [[ -n "$effort" ]]; then
     base="$base --effort $effort"
   fi
@@ -242,6 +244,74 @@ atomic_write() {
   mv "$tmp" "$target"
 }
 
+# =============================================================================
+# Bug #7 Fix-Q/R: Post-sentinel pane reaper + sentinel write-lock
+# =============================================================================
+# Without explicit teardown the claude/codex TUI returns to its idle prompt and
+# self-reviews for ~2min after writing iter-signal.json or verify-verdict.json.
+# Observed: verdict mtime drift 1m43s post-detect; iter-N verifier overlapped
+# iter-N+1 worker for 2min. _kill_pane_process closes the race; _lock_sentinel
+# is defense-in-depth that freezes the file mtime. Mirror of run_ralph_desk.zsh
+# verifier-cleanup pattern at L2384-2397 (Ctrl+C + /exit + wait_for_pane_ready).
+# Both helpers are fail-open: pane may already be dead, FS may ignore chmod.
+_kill_pane_process() {
+  local pane_id="$1"
+  local role="${2:-producer}"
+  [[ -n "$pane_id" ]] || return 0
+  if typeset -f log_debug >/dev/null 2>&1; then
+    log_debug "[bug7] kill_pane_process pane=$pane_id role=$role"
+  fi
+  tmux send-keys -t "$pane_id" C-c 2>/dev/null
+  sleep 0.5
+  tmux send-keys -t "$pane_id" C-c 2>/dev/null
+  sleep 1
+  if typeset -f wait_for_pane_ready >/dev/null 2>&1; then
+    wait_for_pane_ready "$pane_id" 5 2>/dev/null || true
+  fi
+  return 0
+}
+
+_lock_sentinel() {
+  local file="$1"
+  [[ -n "$file" && -f "$file" ]] || return 0
+  chmod 0444 "$file" 2>/dev/null || true
+  return 0
+}
+
+_unlock_sentinel() {
+  local file="$1"
+  [[ -n "$file" && -f "$file" ]] || return 0
+  chmod 0644 "$file" 2>/dev/null || true
+  return 0
+}
+
+# PR-0b-narrow (Plan v6) — stamp leader handshake ack onto the sentinel.
+# Mirror of src/node/shared/fs.mjs::stampAckField. Best-effort, audit-only:
+# any failure is silently swallowed. Sequence:
+#   1. chmod 0644 (so jq + mv can write)
+#   2. jq merge .leader_ack
+#   3. atomic rename via tmp file
+#   4. chmod 0444 (re-lock)
+# Tolerant of jq absence (graceful degrade — no stamp, no error).
+_stamp_ack_field() {
+  local file="$1"
+  [[ -n "$file" && -f "$file" ]] || return 0
+  command -v jq >/dev/null 2>&1 || return 0
+  local now_iso
+  now_iso=$(date -u +%Y-%m-%dT%H:%M:%SZ 2>/dev/null || echo "")
+  local tmp="${file}.ack.tmp"
+  chmod 0644 "$file" 2>/dev/null || true
+  if jq --arg ts "$now_iso" \
+        '. + {leader_ack: {acked_by: "leader", acked_at: $ts, ack_pane_state: "shell"}}' \
+        "$file" > "$tmp" 2>/dev/null; then
+    mv "$tmp" "$file" 2>/dev/null || rm -f "$tmp" 2>/dev/null
+  else
+    rm -f "$tmp" 2>/dev/null
+  fi
+  chmod 0444 "$file" 2>/dev/null || true
+  return 0
+}
+
 # =============================================================================
 # Scaffold Validation
 # =============================================================================

package/src/scripts/run_ralph_desk.zsh

@@ -635,27 +635,82 @@ launch_verifier_claude() {
 # On exit: check done-claim, auto-generate iter-signal.
 # Args: $1=iteration  $2=signal_file
 # Returns: 0 (signal generated), 1 (error)
+# Bug #8 PR-B (codex critic P1.2 fix): shared 4-way gate used by both
+# handle_worker_exit_codex and the inline-polling A4 path. Returns:
+#   0 = synthesize allowed (caller writes signal_file + emits audit)
+#   1 = BLOCKED (this function already wrote sentinel + emitted audit)
+# Args: $1=iter  $2=us_id  $3=audit_clean_code (e.g. codex_exit_with_done_claim
+#       or inline_polling_a4_clean)
+_bug8_check_synth_allowed() {
+  local iter="$1"
+  local us_id="${2:-${CURRENT_US:-ALL}}"
+  local audit_clean="$3"
+
+  # Gate 1: done-claim must exist.
+  if [[ ! -f "$DONE_CLAIM_FILE" ]]; then
+    log_error "  Bug #8: no done-claim. Refusing to synthesize verify signal."
+    log_debug "[GOV] iter=$iter bug8=block_codex_exit_no_done_claim"
+    write_blocked_sentinel \
+      "Codex worker exited without writing done-claim (refusing to synthesize verify signal)" \
+      "$us_id" \
+      "infra_failure"
+    _emit_a4_fallback_audit "$us_id" "$iter" "blocked_codex_exit_no_done_claim"
+    return 1
+  fi
+
+  # Gate 2: git toplevel must equal $ROOT (canonicalized — macOS resolves
+  # /var → /private/var, NTFS may have 8.3 short paths; compare realpaths).
+  local _bug8_top _bug8_top_canon _bug8_root_canon
+  _bug8_top=$(git -C "$ROOT" rev-parse --show-toplevel 2>/dev/null)
+  _bug8_top_canon=$(cd "$_bug8_top" 2>/dev/null && pwd -P 2>/dev/null)
+  _bug8_root_canon=$(cd "$ROOT" 2>/dev/null && pwd -P 2>/dev/null)
+  if [[ -z "$_bug8_top" || "$_bug8_top_canon" != "$_bug8_root_canon" ]]; then
+    log_error "  Bug #8: git unverifiable at \$ROOT=$ROOT (toplevel='$_bug8_top'). Refusing synthesis."
+    log_debug "[GOV] iter=$iter bug8=block_git_unverifiable root=$ROOT toplevel=$_bug8_top"
+    write_blocked_sentinel \
+      "git status unverifiable at $ROOT (toplevel='$_bug8_top'); refusing to synthesize verify signal" \
+      "$us_id" \
+      "infra_failure"
+    _emit_a4_fallback_audit "$us_id" "$iter" "blocked_git_unverifiable"
+    return 1
+  fi
+
+  # Gate 3: tree must be clean.
+  local _bug8_dirty
+  _bug8_dirty=$(git -C "$ROOT" status --porcelain 2>/dev/null)
+  if [[ -n "$_bug8_dirty" ]]; then
+    local _bug8_first5
+    _bug8_first5=$(printf '%s\n' "$_bug8_dirty" | head -n 5 | tr '\n' '|' | sed 's/|$//')
+    log_error "  Bug #8: done-claim present but tree dirty. Refusing synthesis. dirty: $_bug8_first5"
+    log_debug "[GOV] iter=$iter bug8=block_dirty_tree us_id=$us_id dirty='$_bug8_first5'"
+    write_blocked_sentinel \
+      "worker_incomplete_uncommitted: done-claim present but tree dirty ($_bug8_first5)" \
+      "$us_id" \
+      "metric_failure"
+    _emit_a4_fallback_audit "$us_id" "$iter" "blocked_dirty_tree"
+    return 1
+  fi
+
+  # All gates passed — synthesize allowed.
+  return 0
+}
+
 handle_worker_exit_codex() {
   local iter="$1"
   local signal_file="$2"
 
-  log "  Codex worker process exited. Checking for done-claim..."
-  if [[ -f "$DONE_CLAIM_FILE" ]]; then
-    local dc_us_id
-    dc_us_id=$(jq -r '.us_id // "unknown"' "$DONE_CLAIM_FILE" 2>/dev/null)
-    log "  Codex worker completed with done-claim (us_id=$dc_us_id). Auto-generating signal."
-    echo '{"iteration":'"$iter"',"status":"verify","us_id":"'"$dc_us_id"'","summary":"auto-generated after codex exit","timestamp":"'"$(date -u +%Y-%m-%dT%H:%M:%SZ)"'"}' > "$signal_file"
-    _emit_a4_fallback_audit "$dc_us_id" "$iter" "codex_exit_with_done_claim"
-  else
-    log "  WARNING: Codex worker exited without done-claim. Generating verify signal for current US."
-    local current_us
-    current_us=$(jq -r '.us_id // "US-001"' "$DESK/memos/${SLUG}-iter-signal.json" 2>/dev/null || echo "US-001")
-    local mem_us
-    mem_us=$(sed -n 's/.*Next.*US-\([0-9]*\).*/US-\1/p' "$DESK/memos/${SLUG}-memory.md" 2>/dev/null | head -1)
-    [[ -n "$mem_us" ]] && current_us="$mem_us"
-    echo '{"iteration":'"$iter"',"status":"verify","us_id":"'"$current_us"'","summary":"auto-generated after codex exit (no done-claim)","timestamp":"'"$(date -u +%Y-%m-%dT%H:%M:%SZ)"'"}' > "$signal_file"
-    _emit_a4_fallback_audit "$current_us" "$iter" "codex_exit_no_done_claim"
+  log "  Codex worker process exited. Checking for done-claim + clean tree..."
+
+  if ! _bug8_check_synth_allowed "$iter" "${CURRENT_US:-ALL}" "codex_exit_with_done_claim"; then
+    return 1
   fi
+
+  # All 3 gates passed: done-claim present, git OK, tree clean → synthesize.
+  local dc_us_id
+  dc_us_id=$(jq -r '.us_id // "unknown"' "$DONE_CLAIM_FILE" 2>/dev/null)
+  log "  Codex worker completed with done-claim (us_id=$dc_us_id) and clean tree. Auto-generating signal."
+  echo '{"iteration":'"$iter"',"status":"verify","us_id":"'"$dc_us_id"'","summary":"auto-generated after codex exit (clean tree)","timestamp":"'"$(date -u +%Y-%m-%dT%H:%M:%SZ)"'"}' > "$signal_file"
+  _emit_a4_fallback_audit "$dc_us_id" "$iter" "codex_exit_with_done_claim_clean"
   return 0
 }
 
@@ -2176,8 +2231,22 @@ poll_for_signal() {
 
     # Check if signal file appeared
     if [[ -f "$signal_file" ]]; then
-      log "  Signal file detected: $signal_file"
-      return 0  # success
+      # Bug #7-extra (BOS 2026-05-06): file existence is NOT enough. Worker
+      # (claude opus) writes via Claude Code's Write tool, which is not
+      # guaranteed atomic — the file can appear with empty / partial JSON
+      # before the write completes. Verifier was being dispatched against a
+      # half-written iter-signal.json. Validate that the file holds a single
+      # parseable, non-null JSON value (`jq -e .`) before accepting; any
+      # failure simply continues polling (next tick re-reads). Note: `jq
+      # empty` was rejected because it accepts an EMPTY file as "zero
+      # documents" — the exact race window we need to reject.
+      if jq -e . "$signal_file" >/dev/null 2>&1; then
+        log "  Signal file detected: $signal_file"
+        return 0  # success
+      fi
+      # Empty / truncated / mid-write JSON. Stay in the polling loop and let
+      # the next tick re-read once the writer has finished.
+      log_debug "[bug7-extra] $role signal file present but JSON not yet valid — continue polling"
     fi
 
     # A4 fallback: done-claim exists but no signal → Worker forgot iter-signal
@@ -2216,11 +2285,24 @@ poll_for_signal() {
         local dc_us_id
         dc_us_id=$(jq -r '.us_id // "unknown"' "$DONE_CLAIM_FILE" 2>/dev/null)
         if [[ -n "$dc_us_id" && "$dc_us_id" != "null" ]]; then
-          log "  WARNING: done-claim exists for $dc_us_id but no iter-signal. Auto-generating signal (A4 fallback)."
-          log_debug "[GOV] iter=$ITERATION done_claim_without_signal=true us_id=$dc_us_id action=auto_generate_signal"
-          echo '{"iteration":'"$ITERATION"',"status":"verify","us_id":"'"$dc_us_id"'","summary":"auto-generated by A4 fallback (done-claim without signal)","timestamp":"'"$(date -u +%Y-%m-%dT%H:%M:%SZ)"'"}' > "$signal_file"
-          _emit_a4_fallback_audit "$dc_us_id" "$ITERATION" "inline_polling_a4"
-          return 0
+          # Bug #8 PR-B: defer to shared 4-way gate (codex critic P1.2).
+          # _bug8_check_synth_allowed handles done-claim/git/dirty-tree gates
+          # uniformly across handle_worker_exit_codex AND this inline path so
+          # both codex-exit and inline-polling A4 enforce the same contract.
+          if _bug8_check_synth_allowed "$ITERATION" "$dc_us_id" "inline_polling_a4_clean"; then
+            log "  WARNING: done-claim exists for $dc_us_id but no iter-signal. Tree clean — auto-generating signal (A4 fallback)."
+            log_debug "[GOV] iter=$ITERATION done_claim_without_signal=true us_id=$dc_us_id action=auto_generate_signal"
+            echo '{"iteration":'"$ITERATION"',"status":"verify","us_id":"'"$dc_us_id"'","summary":"auto-generated by A4 fallback (done-claim + clean tree)","timestamp":"'"$(date -u +%Y-%m-%dT%H:%M:%SZ)"'"}' > "$signal_file"
+            _emit_a4_fallback_audit "$dc_us_id" "$ITERATION" "inline_polling_a4_clean"
+            return 0
+          else
+            # Bug #8 PR-B (codex critic round-2 P2): hard-stop rc=2 so the
+            # main worker loop (L3119) treats this BLOCKED as terminal,
+            # matching the handle_worker_exit_codex blocked path. rc=1 is
+            # ambiguous — caller may interpret it as a recoverable poll
+            # failure and re-loop while the BLOCKED sentinel is on disk.
+            return 2
+          fi
         fi
       fi
     fi
@@ -2271,8 +2353,16 @@ poll_for_signal() {
         fi
         # Dispatch to engine-specific exit handler
         if [[ "$WORKER_ENGINE" = "codex" && "$role" != *erifier* ]]; then
-          handle_worker_exit_codex "$ITERATION" "$signal_file"
-          return 0
+          # Bug #8 PR-B: handle_worker_exit_codex now returns 1 when it has
+          # written a BLOCKED sentinel (no done-claim, dirty tree, git
+          # unverifiable). Propagate the return so main loop stops, instead
+          # of swallowing it with `return 0` and continuing as if the poll
+          # had succeeded.
+          if handle_worker_exit_codex "$ITERATION" "$signal_file"; then
+            return 0
+          else
+            return 2
+          fi
         fi
         # Claude path (or verifier of any engine)
         if handle_worker_exit_claude "$pane_id" "$ITERATION" "$trigger_file"; then
@@ -2467,8 +2557,16 @@ run_single_verifier() {
     fi
   fi
 
+  # Bug #7 Fix-Q/R: reap verifier pane the moment we accept the verdict so
+  # codex/claude cannot keep self-reviewing and rewrite verify-verdict.json.
+  # Lock applied AFTER cp so the archived snapshot is also frozen at intent.
+  _kill_pane_process "$VERIFIER_PANE" "verifier-${suffix}"
+
   # Copy verdict to destination
   cp "$VERDICT_FILE" "$verdict_dest"
+  _lock_sentinel "$VERDICT_FILE"
+  # PR-0b-narrow: stamp leader handshake ack on the verdict (audit-only).
+  _stamp_ack_field "$VERDICT_FILE"
   log "  Verifier$suffix verdict saved to $verdict_dest"
   return 0
 }
@@ -2528,6 +2626,14 @@ run_sequential_final_verify() {
       return 1
     fi
 
+    # Bug #7 Fix-Q/R: reap verifier pane between per-US final verifications so
+    # the previous codex/claude TUI cannot continue running while the next per-
+    # US verifier dispatch reuses the same pane.
+    _kill_pane_process "$VERIFIER_PANE" "verifier-final"
+    _lock_sentinel "$VERDICT_FILE"
+    # PR-0b-narrow: stamp leader handshake ack on the verdict (audit-only).
+    _stamp_ack_field "$VERDICT_FILE"
+
     # Check verdict
     local verdict
     verdict=$(jq -r '.verdict' "$VERDICT_FILE" 2>/dev/null)
@@ -2940,6 +3046,10 @@ main() {
     fi
 
     # --- governance.md s7 step 8 (cleanup): Clean previous iteration signals ---
+    # Bug #7 Fix-R cleanup: unlock 0o444 sentinels written by the previous
+    # iteration's reaper before rm so cleanup does not log permission noise.
+    _unlock_sentinel "$SIGNAL_FILE"
+    _unlock_sentinel "$VERDICT_FILE"
     rm -f "$SIGNAL_FILE" "$DONE_CLAIM_FILE" "$VERDICT_FILE" 2>/dev/null
     rm -f "$WORKER_HEARTBEAT" "$VERIFIER_HEARTBEAT" 2>/dev/null
 
@@ -3003,6 +3113,12 @@ main() {
       if poll_for_signal "$SIGNAL_FILE" "$WORKER_HEARTBEAT" "$WORKER_PANE" "$worker_launch" "Worker"; then
         worker_poll_done=1
         log_debug "[FLOW] iter=$ITERATION poll_signal_received=true"
+        # Bug #7 Fix-Q/R: reap worker pane immediately so claude/codex cannot
+        # self-review and rewrite iter-signal.json (1m43s drift observed).
+        _kill_pane_process "$WORKER_PANE" "worker"
+        _lock_sentinel "$SIGNAL_FILE"
+        # PR-0b-narrow: stamp leader handshake ack on the iter-signal (audit-only).
+        _stamp_ack_field "$SIGNAL_FILE"
       else
         worker_poll_rc=$?
         if (( worker_poll_rc == 2 )); then
@@ -3210,6 +3326,12 @@ main() {
             update_status "blocked" "verifier_dead"
             return 1
           fi
+          # Bug #7 Fix-Q/R: reap verifier pane immediately so codex cannot
+          # rewrite verify-verdict.json post-detect (mtime drift fix).
+          _kill_pane_process "$VERIFIER_PANE" "verifier"
+          _lock_sentinel "$VERDICT_FILE"
+          # PR-0b-narrow: stamp leader handshake ack on the verdict (audit-only).
+          _stamp_ack_field "$VERDICT_FILE"
         fi
 
         # AC1: capture verifier end timestamp