@ai-dev-methodologies/rlp-desk 0.14.6 → 0.15.1

package/src/scripts/lib_ralph_desk.zsh

@@ -244,6 +244,158 @@ atomic_write() {
   mv "$tmp" "$target"
 }
 
+# =============================================================================
+# Bug #7 Fix-Q/R: Post-sentinel pane reaper + sentinel write-lock
+# =============================================================================
+# Without explicit teardown the claude/codex TUI returns to its idle prompt and
+# self-reviews for ~2min after writing iter-signal.json or verify-verdict.json.
+# Observed: verdict mtime drift 1m43s post-detect; iter-N verifier overlapped
+# iter-N+1 worker for 2min. _kill_pane_process closes the race; _lock_sentinel
+# is defense-in-depth that freezes the file mtime. Mirror of run_ralph_desk.zsh
+# verifier-cleanup pattern at L2384-2397 (Ctrl+C + /exit + wait_for_pane_ready).
+# Both helpers are fail-open: pane may already be dead, FS may ignore chmod.
+_kill_pane_process() {
+  local pane_id="$1"
+  local role="${2:-producer}"
+  [[ -n "$pane_id" ]] || return 0
+  if typeset -f log_debug >/dev/null 2>&1; then
+    log_debug "[bug7] kill_pane_process pane=$pane_id role=$role"
+  fi
+  tmux send-keys -t "$pane_id" C-c 2>/dev/null
+  sleep 0.5
+  tmux send-keys -t "$pane_id" C-c 2>/dev/null
+  sleep 1
+  if typeset -f wait_for_pane_ready >/dev/null 2>&1; then
+    wait_for_pane_ready "$pane_id" 5 2>/dev/null || true
+  fi
+  return 0
+}
+
+_lock_sentinel() {
+  local file="$1"
+  [[ -n "$file" && -f "$file" ]] || return 0
+  chmod 0444 "$file" 2>/dev/null || true
+  return 0
+}
+
+_unlock_sentinel() {
+  local file="$1"
+  [[ -n "$file" && -f "$file" ]] || return 0
+  chmod 0644 "$file" 2>/dev/null || true
+  return 0
+}
+
+# PR-A (Bug #10) — validate operator-written manual recovery artifacts.
+# Returns 0 when all 5 checks pass; 1 otherwise. Sets RECOVERY_FAIL_REASON
+# (global) on failure for caller logging. Mirrors the Node-side helper
+# `_validateOperatorRecoveryArtifacts` in `src/node/runner/campaign-main-loop.mjs`.
+#
+# Args:
+#   $1  iter-signal.json path
+#   $2  done-claim.json path
+#   $3  status.json path
+#   $4  iter-NNN.worker-prompt.md path (may not exist for iter-1 fresh start)
+_validate_operator_recovery_artifacts() {
+  local sig_file="$1" done_file="$2" status_file="$3" prompt_file="$4"
+  RECOVERY_FAIL_REASON=""
+
+  # Check 1: both artifacts exist + parse as JSON
+  if [[ ! -f "$sig_file" ]]; then
+    RECOVERY_FAIL_REASON="iter-signal.json missing"; return 1
+  fi
+  if [[ ! -f "$done_file" ]]; then
+    RECOVERY_FAIL_REASON="done-claim.json missing"; return 1
+  fi
+  if ! command -v jq >/dev/null 2>&1; then
+    RECOVERY_FAIL_REASON="jq unavailable; cannot validate"; return 1
+  fi
+  if ! jq -e . "$sig_file" >/dev/null 2>&1; then
+    RECOVERY_FAIL_REASON="iter-signal.json parse error"; return 1
+  fi
+  if ! jq -e . "$done_file" >/dev/null 2>&1; then
+    RECOVERY_FAIL_REASON="done-claim.json parse error"; return 1
+  fi
+  if [[ ! -f "$status_file" ]] || ! jq -e . "$status_file" >/dev/null 2>&1; then
+    RECOVERY_FAIL_REASON="status.json missing or invalid"; return 1
+  fi
+
+  # Check 2: us_id match in both artifacts
+  local current_us sig_us done_us
+  current_us=$(jq -r '.current_us // ""' "$status_file" 2>/dev/null)
+  sig_us=$(jq -r '.us_id // ""' "$sig_file" 2>/dev/null)
+  done_us=$(jq -r '.us_id // ""' "$done_file" 2>/dev/null)
+  if [[ "$sig_us" != "$current_us" ]]; then
+    RECOVERY_FAIL_REASON="iter-signal.us_id ($sig_us) != status.current_us ($current_us)"; return 1
+  fi
+  if [[ "$done_us" != "$current_us" ]]; then
+    RECOVERY_FAIL_REASON="done-claim.us_id ($done_us) != status.current_us ($current_us)"; return 1
+  fi
+
+  # Check 3: iteration match in both artifacts
+  local current_iter sig_iter done_iter
+  current_iter=$(jq -r '.iteration // 0' "$status_file" 2>/dev/null)
+  sig_iter=$(jq -r '.iteration // 0' "$sig_file" 2>/dev/null)
+  done_iter=$(jq -r '.iteration // 0' "$done_file" 2>/dev/null)
+  if [[ "$sig_iter" != "$current_iter" ]]; then
+    RECOVERY_FAIL_REASON="iter-signal.iteration ($sig_iter) != status.iteration ($current_iter)"; return 1
+  fi
+  if [[ "$done_iter" != "$current_iter" ]]; then
+    RECOVERY_FAIL_REASON="done-claim.iteration ($done_iter) != status.iteration ($current_iter)"; return 1
+  fi
+
+  # Check 4: iter_signal_quality must equal 'specific'
+  local sig_quality
+  sig_quality=$(jq -r '.iter_signal_quality // ""' "$sig_file" 2>/dev/null)
+  if [[ "$sig_quality" != "specific" ]]; then
+    RECOVERY_FAIL_REASON="iter-signal.iter_signal_quality ($sig_quality) != 'specific'"; return 1
+  fi
+
+  # Check 5: artifact mtimes must be strictly newer than worker-prompt mtime.
+  # Vacuously passes when the prompt file does not exist (fresh iter-1 start
+  # before any leader-written prompt).
+  if [[ -f "$prompt_file" ]]; then
+    local prompt_mtime sig_mtime done_mtime
+    prompt_mtime=$(stat -f %m "$prompt_file" 2>/dev/null || stat -c %Y "$prompt_file" 2>/dev/null || print 0)
+    sig_mtime=$(stat -f %m "$sig_file" 2>/dev/null || stat -c %Y "$sig_file" 2>/dev/null || print 0)
+    done_mtime=$(stat -f %m "$done_file" 2>/dev/null || stat -c %Y "$done_file" 2>/dev/null || print 0)
+    if (( sig_mtime <= prompt_mtime )); then
+      RECOVERY_FAIL_REASON="iter-signal.json mtime ($sig_mtime) not strictly newer than worker-prompt mtime ($prompt_mtime)"; return 1
+    fi
+    if (( done_mtime <= prompt_mtime )); then
+      RECOVERY_FAIL_REASON="done-claim.json mtime ($done_mtime) not strictly newer than worker-prompt mtime ($prompt_mtime)"; return 1
+    fi
+  fi
+
+  return 0
+}
+
+# PR-0b-narrow (Plan v6) — stamp leader handshake ack onto the sentinel.
+# Mirror of src/node/shared/fs.mjs::stampAckField. Best-effort, audit-only:
+# any failure is silently swallowed. Sequence:
+#   1. chmod 0644 (so jq + mv can write)
+#   2. jq merge .leader_ack
+#   3. atomic rename via tmp file
+#   4. chmod 0444 (re-lock)
+# Tolerant of jq absence (graceful degrade — no stamp, no error).
+_stamp_ack_field() {
+  local file="$1"
+  [[ -n "$file" && -f "$file" ]] || return 0
+  command -v jq >/dev/null 2>&1 || return 0
+  local now_iso
+  now_iso=$(date -u +%Y-%m-%dT%H:%M:%SZ 2>/dev/null || echo "")
+  local tmp="${file}.ack.tmp"
+  chmod 0644 "$file" 2>/dev/null || true
+  if jq --arg ts "$now_iso" \
+        '. + {leader_ack: {acked_by: "leader", acked_at: $ts, ack_pane_state: "shell"}}' \
+        "$file" > "$tmp" 2>/dev/null; then
+    mv "$tmp" "$file" 2>/dev/null || rm -f "$tmp" 2>/dev/null
+  else
+    rm -f "$tmp" 2>/dev/null
+  fi
+  chmod 0444 "$file" 2>/dev/null || true
+  return 0
+}
+
 # =============================================================================
 # Scaffold Validation
 # =============================================================================

package/src/scripts/run_ralph_desk.zsh

@@ -635,27 +635,82 @@ launch_verifier_claude() {
 # On exit: check done-claim, auto-generate iter-signal.
 # Args: $1=iteration  $2=signal_file
 # Returns: 0 (signal generated), 1 (error)
+# Bug #8 PR-B (codex critic P1.2 fix): shared 4-way gate used by both
+# handle_worker_exit_codex and the inline-polling A4 path. Returns:
+#   0 = synthesize allowed (caller writes signal_file + emits audit)
+#   1 = BLOCKED (this function already wrote sentinel + emitted audit)
+# Args: $1=iter  $2=us_id  $3=audit_clean_code (e.g. codex_exit_with_done_claim
+#       or inline_polling_a4_clean)
+_bug8_check_synth_allowed() {
+  local iter="$1"
+  local us_id="${2:-${CURRENT_US:-ALL}}"
+  local audit_clean="$3"
+
+  # Gate 1: done-claim must exist.
+  if [[ ! -f "$DONE_CLAIM_FILE" ]]; then
+    log_error "  Bug #8: no done-claim. Refusing to synthesize verify signal."
+    log_debug "[GOV] iter=$iter bug8=block_codex_exit_no_done_claim"
+    write_blocked_sentinel \
+      "Codex worker exited without writing done-claim (refusing to synthesize verify signal)" \
+      "$us_id" \
+      "infra_failure"
+    _emit_a4_fallback_audit "$us_id" "$iter" "blocked_codex_exit_no_done_claim"
+    return 1
+  fi
+
+  # Gate 2: git toplevel must equal $ROOT (canonicalized — macOS resolves
+  # /var → /private/var, NTFS may have 8.3 short paths; compare realpaths).
+  local _bug8_top _bug8_top_canon _bug8_root_canon
+  _bug8_top=$(git -C "$ROOT" rev-parse --show-toplevel 2>/dev/null)
+  _bug8_top_canon=$(cd "$_bug8_top" 2>/dev/null && pwd -P 2>/dev/null)
+  _bug8_root_canon=$(cd "$ROOT" 2>/dev/null && pwd -P 2>/dev/null)
+  if [[ -z "$_bug8_top" || "$_bug8_top_canon" != "$_bug8_root_canon" ]]; then
+    log_error "  Bug #8: git unverifiable at \$ROOT=$ROOT (toplevel='$_bug8_top'). Refusing synthesis."
+    log_debug "[GOV] iter=$iter bug8=block_git_unverifiable root=$ROOT toplevel=$_bug8_top"
+    write_blocked_sentinel \
+      "git status unverifiable at $ROOT (toplevel='$_bug8_top'); refusing to synthesize verify signal" \
+      "$us_id" \
+      "infra_failure"
+    _emit_a4_fallback_audit "$us_id" "$iter" "blocked_git_unverifiable"
+    return 1
+  fi
+
+  # Gate 3: tree must be clean.
+  local _bug8_dirty
+  _bug8_dirty=$(git -C "$ROOT" status --porcelain 2>/dev/null)
+  if [[ -n "$_bug8_dirty" ]]; then
+    local _bug8_first5
+    _bug8_first5=$(printf '%s\n' "$_bug8_dirty" | head -n 5 | tr '\n' '|' | sed 's/|$//')
+    log_error "  Bug #8: done-claim present but tree dirty. Refusing synthesis. dirty: $_bug8_first5"
+    log_debug "[GOV] iter=$iter bug8=block_dirty_tree us_id=$us_id dirty='$_bug8_first5'"
+    write_blocked_sentinel \
+      "worker_incomplete_uncommitted: done-claim present but tree dirty ($_bug8_first5)" \
+      "$us_id" \
+      "metric_failure"
+    _emit_a4_fallback_audit "$us_id" "$iter" "blocked_dirty_tree"
+    return 1
+  fi
+
+  # All gates passed — synthesize allowed.
+  return 0
+}
+
 handle_worker_exit_codex() {
   local iter="$1"
   local signal_file="$2"
 
-  log "  Codex worker process exited. Checking for done-claim..."
-  if [[ -f "$DONE_CLAIM_FILE" ]]; then
-    local dc_us_id
-    dc_us_id=$(jq -r '.us_id // "unknown"' "$DONE_CLAIM_FILE" 2>/dev/null)
-    log "  Codex worker completed with done-claim (us_id=$dc_us_id). Auto-generating signal."
-    echo '{"iteration":'"$iter"',"status":"verify","us_id":"'"$dc_us_id"'","summary":"auto-generated after codex exit","timestamp":"'"$(date -u +%Y-%m-%dT%H:%M:%SZ)"'"}' > "$signal_file"
-    _emit_a4_fallback_audit "$dc_us_id" "$iter" "codex_exit_with_done_claim"
-  else
-    log "  WARNING: Codex worker exited without done-claim. Generating verify signal for current US."
-    local current_us
-    current_us=$(jq -r '.us_id // "US-001"' "$DESK/memos/${SLUG}-iter-signal.json" 2>/dev/null || echo "US-001")
-    local mem_us
-    mem_us=$(sed -n 's/.*Next.*US-\([0-9]*\).*/US-\1/p' "$DESK/memos/${SLUG}-memory.md" 2>/dev/null | head -1)
-    [[ -n "$mem_us" ]] && current_us="$mem_us"
-    echo '{"iteration":'"$iter"',"status":"verify","us_id":"'"$current_us"'","summary":"auto-generated after codex exit (no done-claim)","timestamp":"'"$(date -u +%Y-%m-%dT%H:%M:%SZ)"'"}' > "$signal_file"
-    _emit_a4_fallback_audit "$current_us" "$iter" "codex_exit_no_done_claim"
+  log "  Codex worker process exited. Checking for done-claim + clean tree..."
+
+  if ! _bug8_check_synth_allowed "$iter" "${CURRENT_US:-ALL}" "codex_exit_with_done_claim"; then
+    return 1
   fi
+
+  # All 3 gates passed: done-claim present, git OK, tree clean → synthesize.
+  local dc_us_id
+  dc_us_id=$(jq -r '.us_id // "unknown"' "$DONE_CLAIM_FILE" 2>/dev/null)
+  log "  Codex worker completed with done-claim (us_id=$dc_us_id) and clean tree. Auto-generating signal."
+  echo '{"iteration":'"$iter"',"status":"verify","us_id":"'"$dc_us_id"'","summary":"auto-generated after codex exit (clean tree)","timestamp":"'"$(date -u +%Y-%m-%dT%H:%M:%SZ)"'"}' > "$signal_file"
+  _emit_a4_fallback_audit "$dc_us_id" "$iter" "codex_exit_with_done_claim_clean"
   return 0
 }
 
@@ -2176,8 +2231,22 @@ poll_for_signal() {
 
     # Check if signal file appeared
     if [[ -f "$signal_file" ]]; then
-      log "  Signal file detected: $signal_file"
-      return 0  # success
+      # Bug #7-extra (BOS 2026-05-06): file existence is NOT enough. Worker
+      # (claude opus) writes via Claude Code's Write tool, which is not
+      # guaranteed atomic — the file can appear with empty / partial JSON
+      # before the write completes. Verifier was being dispatched against a
+      # half-written iter-signal.json. Validate that the file holds a single
+      # parseable, non-null JSON value (`jq -e .`) before accepting; any
+      # failure simply continues polling (next tick re-reads). Note: `jq
+      # empty` was rejected because it accepts an EMPTY file as "zero
+      # documents" — the exact race window we need to reject.
+      if jq -e . "$signal_file" >/dev/null 2>&1; then
+        log "  Signal file detected: $signal_file"
+        return 0  # success
+      fi
+      # Empty / truncated / mid-write JSON. Stay in the polling loop and let
+      # the next tick re-read once the writer has finished.
+      log_debug "[bug7-extra] $role signal file present but JSON not yet valid — continue polling"
     fi
 
     # A4 fallback: done-claim exists but no signal → Worker forgot iter-signal
@@ -2216,11 +2285,24 @@ poll_for_signal() {
         local dc_us_id
         dc_us_id=$(jq -r '.us_id // "unknown"' "$DONE_CLAIM_FILE" 2>/dev/null)
         if [[ -n "$dc_us_id" && "$dc_us_id" != "null" ]]; then
-          log "  WARNING: done-claim exists for $dc_us_id but no iter-signal. Auto-generating signal (A4 fallback)."
-          log_debug "[GOV] iter=$ITERATION done_claim_without_signal=true us_id=$dc_us_id action=auto_generate_signal"
-          echo '{"iteration":'"$ITERATION"',"status":"verify","us_id":"'"$dc_us_id"'","summary":"auto-generated by A4 fallback (done-claim without signal)","timestamp":"'"$(date -u +%Y-%m-%dT%H:%M:%SZ)"'"}' > "$signal_file"
-          _emit_a4_fallback_audit "$dc_us_id" "$ITERATION" "inline_polling_a4"
-          return 0
+          # Bug #8 PR-B: defer to shared 4-way gate (codex critic P1.2).
+          # _bug8_check_synth_allowed handles done-claim/git/dirty-tree gates
+          # uniformly across handle_worker_exit_codex AND this inline path so
+          # both codex-exit and inline-polling A4 enforce the same contract.
+          if _bug8_check_synth_allowed "$ITERATION" "$dc_us_id" "inline_polling_a4_clean"; then
+            log "  WARNING: done-claim exists for $dc_us_id but no iter-signal. Tree clean — auto-generating signal (A4 fallback)."
+            log_debug "[GOV] iter=$ITERATION done_claim_without_signal=true us_id=$dc_us_id action=auto_generate_signal"
+            echo '{"iteration":'"$ITERATION"',"status":"verify","us_id":"'"$dc_us_id"'","summary":"auto-generated by A4 fallback (done-claim + clean tree)","timestamp":"'"$(date -u +%Y-%m-%dT%H:%M:%SZ)"'"}' > "$signal_file"
+            _emit_a4_fallback_audit "$dc_us_id" "$ITERATION" "inline_polling_a4_clean"
+            return 0
+          else
+            # Bug #8 PR-B (codex critic round-2 P2): hard-stop rc=2 so the
+            # main worker loop (L3119) treats this BLOCKED as terminal,
+            # matching the handle_worker_exit_codex blocked path. rc=1 is
+            # ambiguous — caller may interpret it as a recoverable poll
+            # failure and re-loop while the BLOCKED sentinel is on disk.
+            return 2
+          fi
         fi
       fi
     fi
@@ -2271,8 +2353,16 @@ poll_for_signal() {
         fi
         # Dispatch to engine-specific exit handler
         if [[ "$WORKER_ENGINE" = "codex" && "$role" != *erifier* ]]; then
-          handle_worker_exit_codex "$ITERATION" "$signal_file"
-          return 0
+          # Bug #8 PR-B: handle_worker_exit_codex now returns 1 when it has
+          # written a BLOCKED sentinel (no done-claim, dirty tree, git
+          # unverifiable). Propagate the return so main loop stops, instead
+          # of swallowing it with `return 0` and continuing as if the poll
+          # had succeeded.
+          if handle_worker_exit_codex "$ITERATION" "$signal_file"; then
+            return 0
+          else
+            return 2
+          fi
         fi
         # Claude path (or verifier of any engine)
         if handle_worker_exit_claude "$pane_id" "$ITERATION" "$trigger_file"; then
@@ -2467,8 +2557,16 @@ run_single_verifier() {
     fi
   fi
 
+  # Bug #7 Fix-Q/R: reap verifier pane the moment we accept the verdict so
+  # codex/claude cannot keep self-reviewing and rewrite verify-verdict.json.
+  # Lock applied AFTER cp so the archived snapshot is also frozen at intent.
+  _kill_pane_process "$VERIFIER_PANE" "verifier-${suffix}"
+
   # Copy verdict to destination
   cp "$VERDICT_FILE" "$verdict_dest"
+  _lock_sentinel "$VERDICT_FILE"
+  # PR-0b-narrow: stamp leader handshake ack on the verdict (audit-only).
+  _stamp_ack_field "$VERDICT_FILE"
   log "  Verifier$suffix verdict saved to $verdict_dest"
   return 0
 }
@@ -2528,6 +2626,14 @@ run_sequential_final_verify() {
       return 1
     fi
 
+    # Bug #7 Fix-Q/R: reap verifier pane between per-US final verifications so
+    # the previous codex/claude TUI cannot continue running while the next per-
+    # US verifier dispatch reuses the same pane.
+    _kill_pane_process "$VERIFIER_PANE" "verifier-final"
+    _lock_sentinel "$VERDICT_FILE"
+    # PR-0b-narrow: stamp leader handshake ack on the verdict (audit-only).
+    _stamp_ack_field "$VERDICT_FILE"
+
     # Check verdict
     local verdict
     verdict=$(jq -r '.verdict' "$VERDICT_FILE" 2>/dev/null)
@@ -2939,20 +3045,50 @@ main() {
       return 1
     fi
 
-    # --- governance.md s7 step 8 (cleanup): Clean previous iteration signals ---
-    rm -f "$SIGNAL_FILE" "$DONE_CLAIM_FILE" "$VERDICT_FILE" 2>/dev/null
-    rm -f "$WORKER_HEARTBEAT" "$VERIFIER_HEARTBEAT" 2>/dev/null
+    # PR-A (Bug #10): operator-recovery hygiene check.
+    # When the operator hand-rolls a `phase=verify` recovery (jq-patches
+    # status.json, writes manual iter-signal.json + done-claim.json, deletes
+    # the blocked sentinel), the leader MUST honor that work instead of
+    # deleting the artifacts and resetting to phase=worker. Mirrors the
+    # Node-side guard in src/node/runner/campaign-main-loop.mjs.
+    local SKIP_NEXT_WORKER=0
+    local LAST_PHASE=""
+    if [[ -f "$STATUS_FILE" ]] && command -v jq >/dev/null 2>&1; then
+      LAST_PHASE=$(jq -r '.phase // ""' "$STATUS_FILE" 2>/dev/null)
+    fi
+    if [[ "$LAST_PHASE" == "verify" ]]; then
+      local _iter_prompt="$LOGS_DIR/iter-$(printf '%03d' $ITERATION).worker-prompt.md"
+      if _validate_operator_recovery_artifacts \
+           "$SIGNAL_FILE" "$DONE_CLAIM_FILE" "$STATUS_FILE" "$_iter_prompt"; then
+        log "[recovery] Resuming verify phase — operator manual recovery detected (iter=$ITERATION)"
+        log_debug "[recovery] iter=$ITERATION skip_worker=true reason=manual_recovery_validated"
+        SKIP_NEXT_WORKER=1
+      else
+        log "[recovery] phase=verify ignored: ${RECOVERY_FAIL_REASON}"
+        log_debug "[recovery] iter=$ITERATION skip_worker=false reason=\"${RECOVERY_FAIL_REASON}\""
+      fi
+    fi
 
-    # --- Clean previous claude session in panes (one-shot lifecycle) ---
-    # Only needed from iteration 2 onwards (iteration 1 has fresh panes)
-    if (( ITERATION > 1 )); then
-      # Send C-c first (in case claude is mid-task), then /exit
-      tmux send-keys -t "$WORKER_PANE" C-c 2>/dev/null
-      sleep 1
-      tmux send-keys -t "$WORKER_PANE" "/exit" C-m 2>/dev/null
-      sleep 2
-      # Wait for shell prompt before proceeding
-      wait_for_pane_ready "$WORKER_PANE" 10 2>/dev/null || true
+    if (( ! SKIP_NEXT_WORKER )); then
+      # --- governance.md s7 step 8 (cleanup): Clean previous iteration signals ---
+      # Bug #7 Fix-R cleanup: unlock 0o444 sentinels written by the previous
+      # iteration's reaper before rm so cleanup does not log permission noise.
+      _unlock_sentinel "$SIGNAL_FILE"
+      _unlock_sentinel "$VERDICT_FILE"
+      rm -f "$SIGNAL_FILE" "$DONE_CLAIM_FILE" "$VERDICT_FILE" 2>/dev/null
+      rm -f "$WORKER_HEARTBEAT" "$VERIFIER_HEARTBEAT" 2>/dev/null
+
+      # --- Clean previous claude session in panes (one-shot lifecycle) ---
+      # Only needed from iteration 2 onwards (iteration 1 has fresh panes)
+      if (( ITERATION > 1 )); then
+        # Send C-c first (in case claude is mid-task), then /exit
+        tmux send-keys -t "$WORKER_PANE" C-c 2>/dev/null
+        sleep 1
+        tmux send-keys -t "$WORKER_PANE" "/exit" C-m 2>/dev/null
+        sleep 2
+        # Wait for shell prompt before proceeding
+        wait_for_pane_ready "$WORKER_PANE" 10 2>/dev/null || true
+      fi
     fi
 
     # Reset per-iteration state
@@ -2964,33 +3100,44 @@ main() {
     # --- US-004: detect PRD changes for live update + re-split ---
     check_prd_update
 
-    # --- governance.md s7 step 4: Build worker prompt + trigger ---
-    write_worker_trigger "$ITERATION"
-    local worker_prompt="$LOGS_DIR/iter-$(printf '%03d' $ITERATION).worker-prompt.md"
-
-    # AC1: capture worker start timestamp
+    # AC1: capture worker start timestamp (still set for downstream telemetry
+    # even when the worker dispatch is skipped — recovery still consumes time).
     ITER_WORKER_START=$(date +%s)
 
-    update_status "worker" "running"
+    local worker_launch=""
+    if (( ! SKIP_NEXT_WORKER )); then
+      # --- governance.md s7 step 4: Build worker prompt + trigger ---
+      write_worker_trigger "$ITERATION"
+      local worker_prompt="$LOGS_DIR/iter-$(printf '%03d' $ITERATION).worker-prompt.md"
 
-    # --- governance.md s7 step 5: Execute Worker (dispatched to engine-specific function) ---
-    log_debug "[FLOW] iter=$ITERATION phase=worker engine=$WORKER_ENGINE model=$WORKER_MODEL dispatched=true"
+      update_status "worker" "running"
 
-    local worker_launch
-    if [[ "$WORKER_ENGINE" = "codex" ]]; then
-      worker_launch="${CODEX_BIN:-codex} -m $WORKER_CODEX_MODEL -c model_reasoning_effort=\"$WORKER_CODEX_REASONING\" --disable plugins --dangerously-bypass-approvals-and-sandbox"
-      if ! launch_worker_codex "$WORKER_PANE" "$worker_prompt" "$ITERATION" "$worker_launch"; then
-        write_blocked_sentinel "Worker codex failed to start in pane" "" "infra_failure"
-        update_status "blocked" "worker_start_failed"
-        return 1
+      # --- governance.md s7 step 5: Execute Worker (dispatched to engine-specific function) ---
+      log_debug "[FLOW] iter=$ITERATION phase=worker engine=$WORKER_ENGINE model=$WORKER_MODEL dispatched=true"
+
+      if [[ "$WORKER_ENGINE" = "codex" ]]; then
+        worker_launch="${CODEX_BIN:-codex} -m $WORKER_CODEX_MODEL -c model_reasoning_effort=\"$WORKER_CODEX_REASONING\" --disable plugins --dangerously-bypass-approvals-and-sandbox"
+        if ! launch_worker_codex "$WORKER_PANE" "$worker_prompt" "$ITERATION" "$worker_launch"; then
+          write_blocked_sentinel "Worker codex failed to start in pane" "" "infra_failure"
+          update_status "blocked" "worker_start_failed"
+          return 1
+        fi
+      else
+        worker_launch="$(build_claude_cmd tui "$WORKER_MODEL" "" "" "$WORKER_EFFORT")"
+        if ! launch_worker_claude "$WORKER_PANE" "$worker_prompt" "$ITERATION" "$worker_launch"; then
+          write_blocked_sentinel "Worker claude failed to start in pane" "" "infra_failure"
+          update_status "blocked" "worker_start_failed"
+          return 1
+        fi
       fi
     else
-      worker_launch="$(build_claude_cmd tui "$WORKER_MODEL" "" "" "$WORKER_EFFORT")"
-      if ! launch_worker_claude "$WORKER_PANE" "$worker_prompt" "$ITERATION" "$worker_launch"; then
-        write_blocked_sentinel "Worker claude failed to start in pane" "" "infra_failure"
-        update_status "blocked" "worker_start_failed"
-        return 1
-      fi
+      # PR-A (Bug #10): one-shot recovery path. The operator's iter-signal.json
+      # is already on disk; polling below picks it up immediately and the loop
+      # transitions cleanly into the verifier phase. Persist phase=verify so a
+      # subsequent crash-and-relaunch sees the same contract. SKIP_NEXT_WORKER
+      # is local to this iteration so iter-N+1 dispatches the worker normally.
+      update_status "verify" "running"
+      log "[recovery] Skipping worker dispatch for iter=$ITERATION (one-shot, honoring operator manual recovery)"
     fi
 
     # --- governance.md s7 step 5+6: Poll for Worker completion ---
@@ -3003,6 +3150,12 @@ main() {
       if poll_for_signal "$SIGNAL_FILE" "$WORKER_HEARTBEAT" "$WORKER_PANE" "$worker_launch" "Worker"; then
         worker_poll_done=1
         log_debug "[FLOW] iter=$ITERATION poll_signal_received=true"
+        # Bug #7 Fix-Q/R: reap worker pane immediately so claude/codex cannot
+        # self-review and rewrite iter-signal.json (1m43s drift observed).
+        _kill_pane_process "$WORKER_PANE" "worker"
+        _lock_sentinel "$SIGNAL_FILE"
+        # PR-0b-narrow: stamp leader handshake ack on the iter-signal (audit-only).
+        _stamp_ack_field "$SIGNAL_FILE"
       else
         worker_poll_rc=$?
         if (( worker_poll_rc == 2 )); then
@@ -3210,6 +3363,12 @@ main() {
             update_status "blocked" "verifier_dead"
             return 1
           fi
+          # Bug #7 Fix-Q/R: reap verifier pane immediately so codex cannot
+          # rewrite verify-verdict.json post-detect (mtime drift fix).
+          _kill_pane_process "$VERIFIER_PANE" "verifier"
+          _lock_sentinel "$VERDICT_FILE"
+          # PR-0b-narrow: stamp leader handshake ack on the verdict (audit-only).
+          _stamp_ack_field "$VERDICT_FILE"
         fi
 
         # AC1: capture verifier end timestamp