@ai-dev-methodologies/rlp-desk 0.3.6 → 0.5.0

package/src/governance.md

@@ -11,6 +11,7 @@ The Leader orchestrates, while Worker/Verifier run in isolated fresh contexts ev
 - **Filesystem = memory**: State exists only on the filesystem (PRD, memory, context, memos).
 - **Worker claim ≠ complete**: A Worker's DONE is merely a claim. The Verifier must independently verify before it's confirmed.
 - **Worker scope is bounded**: Worker implements only the contracted US per iteration (Scope Lock). Out-of-scope changes are flagged by the Verifier.
+- **Worker must NEVER modify Claude Code settings** (settings.json, settings.local.json). Permission prompts must be reported as blocked, not bypassed by editing settings.
 - **Verifier is independent**: The Verifier judges based on evidence alone, without knowledge of the Worker's reasoning process.
 - **Sentinels are Leader-owned**: Only the Leader writes COMPLETE/BLOCKED sentinels.
 - **Supported engines**: claude (default; models: haiku, sonnet, opus) and codex (opt-in via `--worker-engine codex` / `--verifier-engine codex`).
@@ -199,14 +200,27 @@ This is the default behavior, not an optional flag. Without it, IL-1 (Evidence M
 ### Worker: execution_steps in done-claim.json
 Worker records what was done, in what order, with command evidence in `done-claim.json`:
 - Each step includes: what action, which AC, command executed, exit code, summary
-- Step types: `write_test`, `verify_red`, `implement`, `verify_green`, `refactor`, `commit`, `verify`
+- Step types: `write_test`, `verify_red`, `implement`, `verify_green`, `refactor`, `commit`, `verify`, `verify_existing`
 - This proves the Worker followed test-first approach and did not skip steps
+- **Existing implementation rule**: When code already exists from a prior iteration/campaign, Worker MAY use `verify_existing` instead of `write_test → verify_red → implement → verify_green`. `verify_existing` requires: run all existing tests, record exit codes, confirm all AC are covered by passing tests. Worker MUST NOT skip recording evidence — `verify_existing` is evidence that existing code satisfies AC, not a shortcut to skip verification.
 
 ### Verifier: reasoning in verify-verdict.json
 Verifier records WHY each judgment was made in `verify-verdict.json`:
 - Each check includes: what was checked, decision (pass/fail), and the specific evidence basis
-- Checks include: IL-1 Evidence Gate, Layer Enforcement, Test Sufficiency, Anti-Gaming, Worker Process Audit
+- Checks include: IL-1 Evidence Gate, Layer Enforcement, Test Sufficiency, Anti-Gaming, Worker Process Audit, Test Coverage Audit
 - This proves the Verifier actually performed each check rather than rubber-stamping
+- **Test Coverage Audit (mandatory)**: Verifier MUST check that tests cover ALL code paths, not just happy paths. Specifically:
+  - Every branch in `case` statements must have a test (e.g., all model types in get_next_model)
+  - Every engine/model combination must be tested (claude, codex 5.4, spark — not just 1-2)
+  - Every ceiling/boundary must be tested (not just "opus ceiling" — also spark ceiling, 5.4 ceiling)
+  - If Worker's tests cover only 2 of 3 engine paths, verdict MUST be fail with "test coverage gap" issue
+  - "Tests pass" is NOT sufficient — "tests cover all code paths" is required
+- **Integration Test (mandatory when functions call other functions)**: Verifier MUST check that function call chains produce correct end-to-end results, not just that each function works in isolation. Specifically:
+  - If function A's output is function B's input, there MUST be a test that runs A→B together and verifies the result
+  - Example: `get_model_string()` returns "gpt-5.3-codex-spark:medium" — `get_next_model()` must accept that exact value and return the correct upgrade. A test must verify this chain.
+  - Unit tests (extract_fn + isolated run) are necessary but NOT sufficient for refactored code
+  - Structural tests (grep for function existence) are necessary but NOT sufficient
+  - "All unit tests pass" does NOT prove the system works — integration tests prove it
 
 ### Why This Is Default (Not Optional)
 - IL-1 says "no claims without evidence" — this applies to Worker AND Verifier
@@ -373,28 +387,38 @@ Characteristics:
 ```
 .claude/ralph-desk/
 ├── prompts/
-│   ├── <slug>.worker.prompt.md      # Worker base prompt
-│   └── <slug>.verifier.prompt.md    # Verifier base prompt
+│   ├── <slug>.worker.prompt.md      # Worker base prompt (regenerated on re-execution)
+│   └── <slug>.verifier.prompt.md    # Verifier base prompt (regenerated on re-execution)
 ├── context/
-│   └── <slug>-latest.md             # Current frontier (Worker updates)
+│   └── <slug>-latest.md             # Current frontier; Worker updates (reset to template on re-execution)
 ├── memos/
-│   ├── <slug>-memory.md             # Campaign memory (Worker updates)
-│   ├── <slug>-done-claim.json       # Worker's completion claim (runtime)
-│   ├── <slug>-iter-signal.json      # Worker's iteration signal (runtime)
-│   ├── <slug>-verify-verdict.json   # Verifier's verdict (runtime)
-│   ├── <slug>-escalation.md          # Architecture escalation report (tmux mode, §7¾)
-│   ├── <slug>-complete.md           # SENTINEL (Leader only)
-│   └── <slug>-blocked.md            # SENTINEL (Leader only)
+│   ├── <slug>-memory.md             # Campaign memory; Worker updates (reset to template on re-execution)
+│   ├── <slug>-done-claim.json       # Worker's completion claim (runtime; deleted on re-execution)
+│   ├── <slug>-iter-signal.json      # Worker's iteration signal (runtime; deleted on re-execution)
+│   ├── <slug>-verify-verdict.json   # Verifier's verdict (runtime; deleted on re-execution)
+│   ├── <slug>-escalation.md         # Architecture escalation report (tmux mode, §7¾; deleted on re-execution)
+│   ├── <slug>-complete.md           # SENTINEL (Leader only; deleted on re-execution)
+│   └── <slug>-blocked.md            # SENTINEL (Leader only; deleted on re-execution)
 ├── plans/
-│   ├── prd-<slug>.md                # PRD (shared contract)
-│   └── test-spec-<slug>.md          # Verification criteria
-└── logs/<slug>/
-    ├── iter-NNN.worker-prompt.md    # Audit trail prompt copy
-    ├── iter-NNN.verifier-prompt.md  # Audit trail prompt copy
-    ├── iter-NNN.result.md           # Iteration result (leader-measured + git-measured)
-    ├── self-verification-data.json              # Cumulative campaign data (--with-self-verification)
-    ├── self-verification-report-NNN.md          # Versioned campaign analysis report (--with-self-verification)
-    └── status.json                  # Leader's loop state
+│   ├── prd-<slug>.md                # PRD (in-place: --mode improve | deleted: --mode fresh)
+│   └── test-spec-<slug>.md          # Verification criteria (regenerated on re-execution)
+└── logs/<slug>/                          # Project-level operational data
+    ├── campaign-report.md           # Campaign summary (versioned: campaign-report-v{N}.md on re-execution)
+    ├── iter-NNN.worker-prompt.md    # Audit trail prompt copy (deleted on re-execution)
+    ├── iter-NNN.verifier-prompt.md  # Audit trail prompt copy (deleted on re-execution)
+    ├── iter-NNN.result.md           # Iteration result (deleted on re-execution)
+    ├── iter-NNN-done-claim.json     # Archived done-claim per iteration (deleted on re-execution)
+    ├── iter-NNN-verify-verdict.json # Archived verdict per iteration (deleted on re-execution)
+    ├── status.json                  # Leader's loop state (deleted on re-execution)
+    ├── baseline.log                 # Baseline capture (deleted on re-execution)
+    └── cost-log.jsonl               # Per-iteration cost log (deleted on re-execution)
+
+~/.claude/ralph-desk/analytics/<slug>--<root_hash>/  # User-level cross-project analytics
+    ├── metadata.json                # Campaign metadata (slug, project_root, status, times)
+    ├── debug.log                    # Debug output (versioned: debug-v{N}.log on re-execution)
+    ├── campaign.jsonl               # Per-iteration structured data (versioned: campaign-v{N}.jsonl)
+    ├── self-verification-data.json  # Cumulative SV data (agent-mode only, --with-self-verification)
+    └── self-verification-report-NNN.md  # Versioned SV report (--with-self-verification; NNN auto-increment)
 ```
 
 ## 7. Leader Loop Protocol
@@ -443,8 +467,19 @@ for iteration in 1..max_iter:
        • fail + continue → go to ⑧
        • blocked → write BLOCKED sentinel, stop
 
+  ⑦d Archive iteration artifacts (after verdict read, before next prep)
+     - Archive done-claim.json → logs/<slug>/iter-NNN-done-claim.json
+     - Archive verify-verdict.json → logs/<slug>/iter-NNN-verify-verdict.json
+     (Preserved across clean; data source for Campaign Report and SV analysis)
+
   ⑧ Write iter-NNN.result.md to logs/<slug>/ (result status + git diff --stat)
      Update status.json, report to user, continue to next iteration
+
+After loop end (COMPLETE, BLOCKED, TIMEOUT):
+  ⑧½ Campaign Report (always — independent of --debug)
+     - Generate logs/<slug>/campaign-report.md with 8 sections
+     - Version existing report to campaign-report-v{N}.md before writing new
+     - Data: status.json (baseline_commit, per-iter), archived iter artifacts, PRD, git diff
 ```
 
 ## 7a. Per-US Verification
@@ -480,7 +515,7 @@ Worker completes US → signal verify
   → Codex Verifier runs (checks AC)
   → Both pass → proceed (next US or COMPLETE)
   → Either fails → combined issues → fix contract → Worker retry
-  → Max 3 consensus rounds per US → BLOCKED if still disagreeing
+  → Max 6 consensus rounds per US → BLOCKED if still disagreeing
 
 **NO ENGINE PRIORITY:** Claude and Codex have equal weight. If one passes and the other fails, the verdict is FAIL. No engine may be prioritized or dismissed. Infrastructure failure = CLI crash, timeout, or verdict file not generated — NOT a valid verdict with verdict=fail.
 ```
@@ -518,12 +553,12 @@ Every change must be justified by the issue it addresses.
 
 ## 7¾. Architecture Escalation
 
-Note: Circuit Breaker (§8) fires first at 2 consecutive failures (model upgrade + retry). If the retry also fails (3rd consecutive failure), Architecture Escalation applies. The CB retry counts toward the consecutive_failures counter.
+Note: Circuit Breaker (§8) fires first at 2 consecutive failures (model upgrade + retry — Path A: Agent-mode only; in tmux mode the shell CB triggers directly without model upgrade). If the retry also fails (`cb_threshold` reached), Architecture Escalation applies. The CB retry counts toward the consecutive_failures counter.
 
-If 3+ consecutive fix attempts fail for the same US:
+If `cb_threshold` or more consecutive fix attempts fail for the same US:
 
 1. **STOP fixing symptoms** — the problem is likely architectural, not a bug.
-2. **Leader reports to user**: "3 consecutive fix attempts failed for US-{id}. This suggests an architectural issue, not a simple bug."
+2. **Leader reports to user**: "`cb_threshold` consecutive fix attempts failed for US-{id}. This suggests an architectural issue, not a simple bug."
 3. **Include in report**:
    - What was attempted in each fix
    - What specifically kept failing
@@ -538,14 +573,14 @@ In tmux mode: Leader writes `<slug>-escalation.md` with the report and sets BLOC
 | Condition | Verdict |
 |-----------|---------|
 | context-latest.md unchanged for 3 consecutive iterations | BLOCKED |
-| Same acceptance criterion fails 2 consecutive iterations | Upgrade model, retry once; if still failing → Architecture Escalation (§7¾) → BLOCKED |
-| 3 consecutive **fail** verdicts on 3 unique criterion IDs | Upgrade to opus, retry once; if still failing → BLOCKED |
+| Same acceptance criterion fails 2 consecutive iterations | Upgrade model, retry once (Agent mode only; tmux: same model retry); if still failing → Architecture Escalation (§7¾) → BLOCKED |
+| `cb_threshold` consecutive **fail** verdicts on `cb_threshold` unique criterion IDs | Upgrade to opus, retry once; if still failing → BLOCKED (adjustable via `--cb-threshold`) |
 | max_iter reached | TIMEOUT (report to user) |
 
 The Leader tracks `consecutive_failures` in `status.json`:
 - Increments on `fail`, resets on `pass`, **unchanged by `request_info`**.
 - "Same error" = same acceptance criterion ID in two consecutive **fail** verdicts (`request_info` does not break or contribute to this chain).
-- "Diverse failures" = 3 most recent `fail` verdicts each have a unique criterion ID.
+- "Diverse failures" = `cb_threshold` most recent `fail` verdicts each have a unique criterion ID.
 
 ## 9. Change Policy
 

package/src/model-upgrade-table.md

@@ -0,0 +1,50 @@
+# Model Upgrade Table
+
+Progressive Worker model upgrade on consecutive failure per US.
+CB default: 6. Override: `--cb-threshold N`. Worker only — Verifier fixed at campaign start.
+
+## Rules
+- Each row = 2-attempt window (same model for 2 consecutive fails)
+- Ceiling reached → repeat same model until CB
+- CB < table columns → BLOCKED at that column
+- CB > 6 → repeat ceiling model beyond column 6
+
+## GPT Pro (spark — separate token limit)
+
+| Complexity | 1-2 | 3-4 | 5-6 | 7+ |
+|------------|-----|-----|-----|-----|
+| LOW | spark:low | spark:medium | spark:high | BLOCKED |
+| MEDIUM | spark:medium | spark:high | spark:xhigh | BLOCKED |
+| HIGH | spark:high | spark:xhigh | spark:xhigh | BLOCKED |
+| CRITICAL | spark:xhigh | spark:xhigh | spark:xhigh | BLOCKED |
+
+## Non-Pro (gpt-5.4)
+
+| Complexity | 1-2 | 3-4 | 5-6 | 7+ |
+|------------|-----|-----|-----|-----|
+| LOW | 5.4:low | 5.4:medium | 5.4:high | BLOCKED |
+| MEDIUM | 5.4:medium | 5.4:high | 5.4:xhigh | BLOCKED |
+| HIGH | 5.4:high | 5.4:xhigh | 5.4:xhigh | BLOCKED |
+| CRITICAL | 5.4:xhigh | 5.4:xhigh | 5.4:xhigh | BLOCKED |
+
+## Claude-only
+
+| Complexity | 1-2 | 3-4 | 5-6 | 7+ |
+|------------|-----|-----|-----|-----|
+| LOW | haiku | sonnet | opus | BLOCKED |
+| MEDIUM | sonnet | opus | opus | BLOCKED |
+| HIGH | sonnet | opus | opus | BLOCKED |
+| CRITICAL | opus | opus | opus | BLOCKED |
+
+## Complexity Evaluation (brainstorm determines this)
+
+| Factor | LOW | MEDIUM | HIGH | CRITICAL |
+|--------|-----|--------|------|----------|
+| US count | 1-2 | 3-5 | 6-10 | 10+ |
+| File scope | single | 2-5 | 6+ | cross-repo |
+| Logic | simple CRUD | conditionals | algorithms | security/crypto |
+| Dependencies | none | 1-2 | 3+ API/DB | distributed |
+| Code impact | new only | modify existing | refactor | architecture change |
+
+Overall complexity = highest factor level.
+Campaign starting model = lowest US risk level (progressive upgrade handles harder US).

package/src/scripts/init_ralph_desk.zsh

@@ -8,22 +8,280 @@ set -euo pipefail
 # Creates project-local scaffold in: .claude/ralph-desk/
 #
 # Usage:
-#   ~/.claude/ralph-desk/init_ralph_desk.zsh <slug> [objective]
+#   ~/.claude/ralph-desk/init_ralph_desk.zsh <slug> [objective] [--mode fresh|improve]
 # =============================================================================
 
-SLUG="${1:?Usage: $0 <slug> [objective]}"
-OBJECTIVE="${2:-TBD - fill in the objective}"
+SLUG="${1:?Usage: $0 <slug> [objective] [--mode fresh|improve]}"
+MODE=""
+OBJECTIVE="TBD - fill in the objective"
+
+# Parse remaining arguments: --mode fresh|improve + optional positional objective
+shift
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --mode)
+      MODE="${2:?--mode requires an argument: fresh|improve}"
+      shift 2
+      ;;
+    --mode=*)
+      MODE="${1#--mode=}"
+      shift
+      ;;
+    *)
+      OBJECTIVE="$1"
+      shift
+      ;;
+  esac
+done
+
 ROOT="${ROOT:-$PWD}"
 DESK="$ROOT/.claude/ralph-desk"
 RUNNER_DIR="$(cd "$(dirname "$0")" && pwd)"
 
+# --- Re-execution versioning helpers ---
+# Handles ONLY debug.log and campaign-report.md versioning.
+# SV reports use their own -NNN auto-increment pattern and are NOT handled here.
+
+detect_next_version() {
+  local file_path="$1"
+  local dir base ext n=1
+  dir="$(dirname "$file_path")"
+  base="$(basename "$file_path")"
+  if [[ "$base" == *.* ]]; then
+    ext=".${base##*.}"
+    base="${base%.*}"
+  else
+    ext=""
+  fi
+  while [[ -f "$dir/${base}-v${n}${ext}" ]]; do
+    (( n++ ))
+  done
+  echo "$n"
+}
+
+version_file() {
+  local file_path="$1"
+  if [[ -f "$file_path" ]]; then
+    local n dir base ext
+    n="$(detect_next_version "$file_path")"
+    dir="$(dirname "$file_path")"
+    base="$(basename "$file_path")"
+    if [[ "$base" == *.* ]]; then
+      ext=".${base##*.}"
+      base="${base%.*}"
+    else
+      ext=""
+    fi
+    mv "$file_path" "$dir/${base}-v${n}${ext}"
+    echo "  Versioned: $(basename "$file_path") → ${base}-v${n}${ext}"
+  fi
+  # Non-existent files silently skipped (no error)
+}
+
+# --- PRD/test-spec per-US splitting helpers ---
+
+split_prd_by_us() {
+  local prd_file="$1"
+  local slug="$2"
+  local plans_dir
+  plans_dir="$(dirname "$prd_file")"
+
+  [[ -f "$prd_file" ]] || return 0
+
+  local us_count
+  us_count=$(grep -c "^### US-" "$prd_file" 2>/dev/null) || us_count=0
+  if [[ "$us_count" -eq 0 ]]; then
+    echo "  WARNING: No US markers (### US-NNN:) found in PRD — falling back to full PRD injection" >&2
+    # Clean up any stale per-US split files from previous runs to prevent stale artifacts
+    local stale_count=0
+    for stale in "$plans_dir"/prd-"$slug"-US-*.md(N); do
+      rm "$stale"; stale_count=$(( stale_count + 1 ))
+    done
+    [[ $stale_count -gt 0 ]] && echo "  Cleaned $stale_count stale prd per-US file(s)"
+    return 0
+  fi
+
+  awk -v dir="$plans_dir" -v slug="$slug" '
+    /^### US-[0-9]+:/ {
+      if (out != "") close(out)
+      match($0, /US-[0-9]+/)
+      us_id = substr($0, RSTART, RLENGTH)
+      out = dir "/prd-" slug "-" us_id ".md"
+    }
+    out != "" { print > out }
+  ' "$prd_file"
+
+  local count
+  count=$(ls "$plans_dir"/prd-"$slug"-US-*.md 2>/dev/null | wc -l | tr -d ' ')
+  echo "  Split PRD: $count per-US files"
+}
+
+split_test_spec_by_us() {
+  local ts_file="$1"
+  local slug="$2"
+  local plans_dir
+  plans_dir="$(dirname "$ts_file")"
+
+  [[ -f "$ts_file" ]] || return 0
+
+  local us_count
+  us_count=$(grep -c "^## US-" "$ts_file" 2>/dev/null) || us_count=0
+  if [[ "$us_count" -eq 0 ]]; then
+    echo "  WARNING: No US section markers (## US-NNN:) in test-spec — skipping split" >&2
+    # Clean up any stale per-US test-spec files from previous runs
+    for stale in "$plans_dir"/test-spec-"$slug"-US-*.md(N); do
+      rm "$stale"
+    done
+    return 0
+  fi
+
+  # Extract global header (everything before first ## US- section, e.g. Verification Commands)
+  local header_tmp="${plans_dir}/test-spec-${slug}-header.tmp.$$"
+  awk '/^## US-[0-9]+:/{exit} {print}' "$ts_file" > "$header_tmp"
+
+  awk -v dir="$plans_dir" -v slug="$slug" '
+    /^## US-[0-9]+:/ {
+      if (out != "") close(out)
+      match($0, /US-[0-9]+/)
+      us_id = substr($0, RSTART, RLENGTH)
+      out = dir "/test-spec-" slug "-" us_id ".md"
+    }
+    out != "" { print > out }
+  ' "$ts_file"
+
+  # Prepend global header (Verification Commands etc.) to each split file
+  for split_file in "$plans_dir"/test-spec-"$slug"-US-*.md; do
+    [[ -f "$split_file" ]] || continue
+    local tmp="${split_file}.tmp.$$"
+    cat "$header_tmp" "$split_file" > "$tmp" && mv "$tmp" "$split_file"
+  done
+  rm -f "$header_tmp"
+
+  local count
+  count=$(ls "$plans_dir"/test-spec-"$slug"-US-*.md 2>/dev/null | wc -l | tr -d ' ')
+  echo "  Split test-spec: $count per-US files (with global header)"
+}
+
+# --- Run command presets ---
+# Detects codex CLI availability and shows appropriate run command presets.
+# AC1: codex installed → cross-engine preset first, spark Pro, claude-only, basic
+# AC2: codex not installed → tmux + claude-only first, install recommendation
+# AC3: full options reference with defaults always shown
+print_run_presets() {
+  local slug="$1"
+  local codex_available=0
+  command -v codex &>/dev/null && codex_available=1
+
+  echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+  echo "Available run commands (copy the one you want):"
+  echo ""
+  if [[ $codex_available -eq 1 ]]; then
+    echo "# Recommended: cross-engine + final-consensus (cost savings + blind-spot coverage):"
+    echo "/rlp-desk run $slug --worker-model gpt-5.4:high --final-consensus --debug"
+    echo ""
+    echo "# Spark Pro preset (fast codex worker, lower cost):"
+    echo "/rlp-desk run $slug --worker-model gpt-5.3-codex-spark:high --debug"
+    echo ""
+    echo "# Claude-only:"
+    echo "/rlp-desk run $slug --debug"
+    echo ""
+    echo "# Basic agent:"
+    echo "/rlp-desk run $slug"
+  else
+    echo "# Recommended: tmux mode + claude-only (real-time visibility):"
+    echo "/rlp-desk run $slug --mode tmux --debug"
+    echo ""
+    echo "# Agent mode:"
+    echo "/rlp-desk run $slug --debug"
+    echo ""
+    echo "# Install codex for cost savings + cross-engine blind-spot coverage:"
+    echo "npm install -g @openai/codex"
+  fi
+  echo ""
+  echo "# Full options reference:"
+  echo "#   --mode agent|tmux                (default: agent)"
+  echo "#   --worker-model MODEL             haiku|sonnet|opus or gpt-5.4:low|medium|high (default: sonnet)"
+  echo "#   --verifier-model MODEL           haiku|sonnet|opus (default: opus)"
+  echo "#   --verify-consensus               both claude+codex must pass"
+  echo "#   --verify-mode per-us|batch       (default: per-us)"
+  echo "#   --max-iter N                     (default: 100)"
+  echo "#   --debug                          enable debug logging"
+  echo "#   --with-self-verification         post-campaign analysis report"
+  echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+}
+
 echo "Initializing Ralph Desk: $SLUG"
 echo "  Root: $ROOT"
 echo "  Desk: $DESK"
+[[ -n "$MODE" ]] && echo "  Mode: $MODE"
 echo ""
 
 mkdir -p "$DESK/prompts" "$DESK/context" "$DESK/memos" "$DESK/plans" "$DESK/logs/$SLUG"
 
+# --- Re-execution lifecycle (--mode handling) ---
+PRD_FILE="$DESK/plans/prd-$SLUG.md"
+LOGS_DIR="$DESK/logs/$SLUG"
+
+if [[ -n "$MODE" ]]; then
+  echo "Re-execution mode: --mode $MODE"
+  echo ""
+
+  DELETED_COUNT=0
+
+  # Version debug.log and campaign-report.md (NOT self-verification-report — uses -NNN)
+  version_file "$LOGS_DIR/debug.log"
+  version_file "$LOGS_DIR/campaign-report.md"
+
+  # Delete iter-* artifacts (archived done-claims, verdicts, prompt logs, results)
+  for f in "$LOGS_DIR"/iter-*(N); do
+    [[ -f "$f" ]] && { rm "$f"; (( ++DELETED_COUNT )); }
+  done
+
+  # Delete runtime memos
+  for f in \
+    "$DESK/memos/$SLUG-done-claim.json" \
+    "$DESK/memos/$SLUG-iter-signal.json" \
+    "$DESK/memos/$SLUG-verify-verdict.json" \
+    "$DESK/memos/$SLUG-complete.md" \
+    "$DESK/memos/$SLUG-blocked.md"; do
+    [[ -f "$f" ]] && { rm "$f"; (( ++DELETED_COUNT )); }
+  done
+
+  # Delete status.json, baseline.log, cost-log.jsonl
+  for f in "$LOGS_DIR/runtime/status.json" "$LOGS_DIR/status.json" "$LOGS_DIR/baseline.log" "$LOGS_DIR/cost-log.jsonl"; do
+    [[ -f "$f" ]] && { rm "$f"; (( ++DELETED_COUNT )); }
+  done
+
+  # Delete test-spec only for fresh re-execution mode; improve preserves custom edits
+  # and reruns split logic on the existing file.
+  for f in \
+    "$DESK/plans/test-spec-$SLUG.md" \
+    "$DESK/prompts/$SLUG.worker.prompt.md" \
+    "$DESK/prompts/$SLUG.verifier.prompt.md"; do
+    [[ -f "$f" ]] &&
+      if [[ "$MODE" == "fresh" ]] || [[ "$f" != "$DESK/plans/test-spec-$SLUG.md" ]]; then
+        rm "$f"; (( ++DELETED_COUNT ));
+      fi
+  done
+
+  # Reset memory and context to fresh templates (rm here; scaffold below regenerates them)
+  rm -f "$DESK/memos/$SLUG-memory.md" "$DESK/context/$SLUG-latest.md"
+
+  # PRD handling: --mode fresh deletes PRD; --mode improve preserves PRD in-place
+  if [[ "$MODE" == "fresh" ]]; then
+    [[ -f "$PRD_FILE" ]] && { rm "$PRD_FILE"; (( ++DELETED_COUNT )); echo "  Deleted: prd-$SLUG.md (--mode fresh: PRD deleted for fresh start)"; }
+  fi
+
+  # Re-execution summary
+  echo "  Re-execution summary:"
+  if [[ "$MODE" == "improve" ]]; then
+    echo "  Preserved: prd-$SLUG.md (--mode improve: PRD kept in-place)"
+  fi
+  echo "  Deleted:   $DELETED_COUNT runtime artifacts"
+  echo "  Reset:     memory.md + context.md (regenerating from templates)"
+  echo ""
+fi
+
 # --- Worker Prompt ---
 F="$DESK/prompts/$SLUG.worker.prompt.md"
 if [[ ! -f "$F" ]]; then
@@ -64,6 +322,8 @@ Read these files in order:
 - Do not say "I'm confident" — confidence is not evidence.
 - Do not say "existing code has no tests" — you are improving it, add tests.
 - Do not write code before tests — if you did, delete it and start with tests.
+- **NEVER modify rlp-desk infrastructure files** (~/.claude/ralph-desk/*, ~/.claude/commands/rlp-desk.md). If you discover a bug in rlp-desk itself, report it in done-claim.json with {"status": "blocked", "reason": "rlp-desk bug: <description>"} and signal blocked. Do NOT attempt to fix rlp-desk — it is the orchestration tool, not your project code.
+- **NEVER modify Claude Code settings** (~/.claude/settings.json, .claude/settings.local.json, or any settings files). Do NOT add permissions, change models, or alter configuration. If a permission prompt blocks you, report it as blocked — do NOT try to edit settings to bypass it.
 
 ## Iteration rules
 - Use fresh context only; do NOT depend on prior chat history.
@@ -169,6 +429,15 @@ Check the iter-signal.json "us_id" field:
    - Test-specific logic: no environment-detection patterns
    - "Code inspection" claims: Worker must run actual commands
    - Tautological tests: expected values that mirror implementation logic
+10¼. **Anti-Rubber-Stamp Self-Check**:
+   - If your verdict history shows a 100% pass rate, re-examine your last verdict with increased scrutiny — a 100% pass rate is a red flag for insufficient rigor
+   - When issuing PASS with explicit warning: note any concerning patterns (e.g., low test diversity, marginal coverage) even if technically passing
+   - Never issue a silent PASS — every pass verdict must cite specific evidence for each AC checked
+10½. **Worker Process Audit**:
+   - Test-first compliance: done-claim execution_steps must show write_test step before implement step for each AC
+   - RED phase evidence: at least one verify_red step with exit_code=1 per AC (proves tests were written before passing)
+   - Forbidden shortcuts: check done-claim claims and summary for forbidden phrases ("code inspection", "I'm confident", "too simple", "already manually tested", "partial check")
+   - Step completeness: each AC should have write_test → verify_red → implement → verify_green sequence in execution_steps
 11. **Reproducibility check**: verify lock file committed, clean install succeeds, security scan passes, env vars documented (per test-spec Reproducibility Gate). Skip if test-spec says "N/A."
 12. Write verdict JSON to: $DESK/memos/$SLUG-verify-verdict.json
 
@@ -185,7 +454,8 @@ Verdict JSON:
     {"check": "IL-1 Evidence Gate", "decision": "pass|fail", "basis": "what command was run, what output confirmed the decision"},
     {"check": "Layer Enforcement", "decision": "pass|fail", "basis": "which layers checked, any TODO found"},
     {"check": "Test Sufficiency", "decision": "pass|fail", "basis": "test count per AC, category coverage"},
-    {"check": "Anti-Gaming", "decision": "pass|fail", "basis": "what was checked, any suspicious patterns"}
+    {"check": "Anti-Gaming", "decision": "pass|fail", "basis": "what was checked, any suspicious patterns"},
+    {"check": "Worker Process Audit", "decision": "pass|fail", "basis": "test-first followed: verify_red present per AC, no forbidden shortcuts in claims, execution_steps complete"}
   ],
   "layer_status": {"L1":"pass|fail|todo|na","L2":"pass|fail|todo|na","L3":"pass|fail|todo|na","L4":"pass|fail|todo|na"},
   "test_quality": {"test_count":0,"ac_count":0,"sufficiency":"pass|fail","anti_patterns_found":[]},
@@ -298,6 +568,9 @@ EOF
   echo "  + $F"
 else echo "  · $F"; fi
 
+# Split PRD into per-US files (no-op with warning if no US markers)
+split_prd_by_us "$DESK/plans/prd-$SLUG.md" "$SLUG"
+
 # --- Test Spec ---
 F="$DESK/plans/test-spec-$SLUG.md"
 if [[ ! -f "$F" ]]; then
@@ -451,6 +724,9 @@ EOF
   echo "  + $F"
 else echo "  · $F"; fi
 
+# Split test-spec into per-US files (no-op with warning if no US section markers)
+split_test_spec_by_us "$DESK/plans/test-spec-$SLUG.md" "$SLUG"
+
 # --- .gitignore for runtime artifacts ---
 GITIGNORE="$ROOT/.gitignore"
 MARKER="# RLP Desk runtime artifacts"
@@ -473,6 +749,53 @@ GIEOF
   echo "  + .gitignore (created with rlp-desk rules)"
 fi
 
+# --- Claude Code sensitive-file permissions for .claude/ralph-desk/ ---
+# Worker/Verifier need Read/Edit/Write access to .claude/ralph-desk/ files.
+# --dangerously-skip-permissions does NOT cover "sensitive file" access for .claude/ paths.
+# Without these, every file operation triggers an interactive permission prompt that blocks automation.
+SETTINGS_FILE="$ROOT/.claude/settings.local.json"
+PERM_MARKER="Read(.claude/ralph-desk/**)"
+
+if [[ -f "$SETTINGS_FILE" ]] && grep -qF "$PERM_MARKER" "$SETTINGS_FILE" 2>/dev/null; then
+  echo "  · .claude/settings.local.json (rlp-desk permissions already present)"
+else
+  PERMS='["Read(.claude/ralph-desk/**)", "Edit(.claude/ralph-desk/**)", "Write(.claude/ralph-desk/**)"]'
+
+  if [[ -f "$SETTINGS_FILE" ]]; then
+    if command -v jq &>/dev/null; then
+      jq --argjson perms "$PERMS" '
+        .permissions //= {} |
+        .permissions.allow //= [] |
+        .permissions.allow += ($perms - .permissions.allow)
+      ' "$SETTINGS_FILE" > "${SETTINGS_FILE}.tmp" && mv "${SETTINGS_FILE}.tmp" "$SETTINGS_FILE"
+      echo "  + .claude/settings.local.json (rlp-desk permissions merged)"
+    else
+      echo "  ⚠ jq not found. Add to .claude/settings.local.json manually:"
+      echo "    permissions.allow: Read/Edit/Write(.claude/ralph-desk/**)"
+    fi
+  else
+    mkdir -p "$(dirname "$SETTINGS_FILE")"
+    cat > "$SETTINGS_FILE" <<'SETEOF'
+{
+  "permissions": {
+    "allow": [
+      "Read(.claude/ralph-desk/**)",
+      "Edit(.claude/ralph-desk/**)",
+      "Write(.claude/ralph-desk/**)"
+    ]
+  }
+}
+SETEOF
+    echo "  + .claude/settings.local.json (created with rlp-desk permissions)"
+  fi
+  echo ""
+  echo "  NOTE: Added Read/Edit/Write permissions for .claude/ralph-desk/ to"
+  echo "        .claude/settings.local.json (local, not committed to git)."
+  echo "        This prevents Worker/Verifier from being blocked by Claude Code's"
+  echo "        sensitive-file prompts during automated loop execution."
+  echo "        See: https://github.com/ai-dev-methodologies/rlp-desk#project-structure"
+fi
+
 # --- Post-init validation gate ---
 INIT_FAIL=0
 for REQUIRED_FILE in \
@@ -501,13 +824,6 @@ echo ""
 echo "Next:"
 echo "  1. Edit PRD:       $DESK/plans/prd-$SLUG.md"
 echo "  2. Edit test spec: $DESK/plans/test-spec-$SLUG.md"
-echo "  3. Run:"
+echo "  3. Run (copy a command below):"
 echo ""
-echo "  LOOP_NAME=$SLUG \\"
-echo "  PROMPT_FILE=$DESK/prompts/$SLUG.worker.prompt.md \\"
-echo "  VERIFIER_PROMPT_FILE=$DESK/prompts/$SLUG.verifier.prompt.md \\"
-echo "  CONTEXT_FILE=$DESK/context/$SLUG-latest.md \\"
-echo "  EXTRA_REQUIRED_FILES=$DESK/plans/prd-$SLUG.md:$DESK/plans/test-spec-$SLUG.md:$DESK/memos/$SLUG-memory.md \\"
-echo "  MAX_ITER=20 \\"
-echo "  $RUNNER_DIR/run_ralph_desk.zsh"
-echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+print_run_presets "$SLUG"