npm - @ai-dev-methodologies/rlp-desk - Versions diffs - 0.3.6 → 0.5.0 - Mend

@ai-dev-methodologies/rlp-desk 0.3.6 → 0.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (16) hide show

package/README.md +145 -69
package/docs/blueprints/blueprint-v0.4-evolution.md +347 -0
package/docs/plans/cozy-gliding-trinket.md +53 -0
package/docs/plans/toasty-whistling-diffie-agent-a6814625642e956da.md +201 -0
package/docs/plans/toasty-whistling-diffie.md +117 -0
package/docs/prompts/ralplan-codex-review.md +55 -0
package/install.sh +5 -0
package/package.json +1 -1
package/scripts/postinstall.js +5 -0
package/scripts/uninstall.js +1 -0
package/src/commands/rlp-desk.md +252 -70
package/src/governance.md +63 -28
package/src/model-upgrade-table.md +50 -0
package/src/scripts/init_ralph_desk.zsh +329 -13
package/src/scripts/lib_ralph_desk.zsh +837 -0
package/src/scripts/run_ralph_desk.zsh +978 -482

package/src/scripts/run_ralph_desk.zsh CHANGED Viewed

@@ -55,6 +55,7 @@ HEARTBEAT_STALE_THRESHOLD="${HEARTBEAT_STALE_THRESHOLD:-120}"
 MAX_RESTARTS="${MAX_RESTARTS:-3}"
 IDLE_NUDGE_THRESHOLD="${IDLE_NUDGE_THRESHOLD:-30}"
 MAX_NUDGES="${MAX_NUDGES:-3}"
+WITH_SELF_VERIFICATION="${WITH_SELF_VERIFICATION:-0}"
 # --- Engine Selection ---
 WORKER_ENGINE="${WORKER_ENGINE:-claude}"    # claude|codex
@@ -68,7 +69,18 @@ CODEX_BIN=""  # resolved by check_dependencies when engine=codex
 # --- Verify Mode ---
 VERIFY_MODE="${VERIFY_MODE:-per-us}"        # per-us|batch
 VERIFY_CONSENSUS="${VERIFY_CONSENSUS:-0}"   # 0|1
+FINAL_CONSENSUS="${FINAL_CONSENSUS:-0}"     # 0|1 — consensus for final ALL verify only (independent of VERIFY_CONSENSUS)
 CONSENSUS_SCOPE="${CONSENSUS_SCOPE:-all}"   # all|final-only
+CONSENSUS_FAIL_FAST="${CONSENSUS_FAIL_FAST:-0}" # 0|1 — skip second verifier if first fails
+CB_THRESHOLD="${CB_THRESHOLD:-3}"           # consecutive failures before BLOCKED (default: 3)
+# Effective CB threshold: doubled when consensus mode active (AC2 auto-double)
+if [[ "${VERIFY_CONSENSUS:-0}" = "1" ]]; then
+  EFFECTIVE_CB_THRESHOLD=$(( CB_THRESHOLD * 2 ))
+else
+  EFFECTIVE_CB_THRESHOLD=$CB_THRESHOLD
+fi
+_API_MAX_RETRIES="${_API_MAX_RETRIES:-5}"
+_API_RETRY_INTERVAL_S="${_API_RETRY_INTERVAL_S:-30}"
 # --- Derived Paths ---
 DESK="$ROOT/.claude/ralph-desk"
@@ -76,6 +88,14 @@ PROMPTS_DIR="$DESK/prompts"
 CONTEXT_DIR="$DESK/context"
 MEMOS_DIR="$DESK/memos"
 LOGS_DIR="$DESK/logs/$SLUG"
+RUNTIME_DIR="$LOGS_DIR/runtime"
+PRD_FILE="$DESK/plans/prd-$SLUG.md"
+TEST_SPEC_FILE="$DESK/plans/test-spec-$SLUG.md"
+# --- Analytics Directory (user-level, cross-project) ---
+ANALYTICS_SLUG_HASH=$(echo -n "$ROOT" | md5 -q 2>/dev/null || md5sum <<< "$ROOT" | cut -d' ' -f1)
+ANALYTICS_DIR="$HOME/.claude/ralph-desk/analytics/${SLUG}--${ANALYTICS_SLUG_HASH:0:8}"
+CAMPAIGN_JSONL="$ANALYTICS_DIR/campaign.jsonl"
+METADATA_FILE="$ANALYTICS_DIR/metadata.json"
 WORKER_PROMPT_BASE="$PROMPTS_DIR/${SLUG}.worker.prompt.md"
 VERIFIER_PROMPT_BASE="$PROMPTS_DIR/${SLUG}.verifier.prompt.md"
 CONTEXT_FILE="$CONTEXT_DIR/${SLUG}-latest.md"
@@ -85,10 +105,12 @@ DONE_CLAIM_FILE="$MEMOS_DIR/${SLUG}-done-claim.json"
 VERDICT_FILE="$MEMOS_DIR/${SLUG}-verify-verdict.json"
 COMPLETE_SENTINEL="$MEMOS_DIR/${SLUG}-complete.md"
 BLOCKED_SENTINEL="$MEMOS_DIR/${SLUG}-blocked.md"
-STATUS_FILE="$LOGS_DIR/status.json"
-SESSION_CONFIG="$LOGS_DIR/session-config.json"
-WORKER_HEARTBEAT="$LOGS_DIR/worker-heartbeat.json"
-VERIFIER_HEARTBEAT="$LOGS_DIR/verifier-heartbeat.json"
+LOCKFILE_PATH="$DESK/logs/.rlp-desk-${SLUG}.lock"
+STATUS_FILE="$RUNTIME_DIR/status.json"
+SESSION_CONFIG="$RUNTIME_DIR/session-config.json"
+WORKER_HEARTBEAT="$RUNTIME_DIR/worker-heartbeat.json"
+VERIFIER_HEARTBEAT="$RUNTIME_DIR/verifier-heartbeat.json"
+COST_LOG="$LOGS_DIR/cost-log.jsonl"
 # --- Session Naming ---
 TIMESTAMP=$(date +%Y%m%d-%H%M%S)
@@ -103,41 +125,265 @@ HEARTBEAT_STALE_COUNT=0
 MONITOR_FAILURE_COUNT=0
 CONSECUTIVE_FAILURES=0
 PREV_CONTEXT_HASH=""
+PREV_PRD_HASH=""
+PREV_PRD_US_LIST=""
+_PRD_CHANGED=0
 ITERATION=0
 START_TIME=$(date +%s)
+BASELINE_COMMIT=""       # git HEAD at campaign start (captured before loop)
+CAMPAIGN_REPORT_GENERATED=0  # guard against double-generation in cleanup trap
+SV_REPORT_GENERATED=0       # guard against double-generation in generate_sv_report
 VERIFIED_US=""           # comma-separated list of verified US IDs (per-us mode)
 CONSENSUS_ROUND=0        # current consensus round for current US
 US_LIST=""               # comma-separated US IDs from PRD (per-us mode)
+LOCKFILE_ACQUIRED=0
+LOCK_WORKER_MODEL="${LOCK_WORKER_MODEL:-0}"  # 0|1 — set by --lock-worker-model; disables progressive upgrade
+_SAME_US_FAIL_COUNT=0         # consecutive same-US fail counter (upgrade trigger at >= 2)
+_LAST_FAILED_US=""            # last failed US ID (same-US tracking for upgrade logic)
+_MODEL_UPGRADED=0             # 1 if Worker model was auto-upgraded during campaign
+_ORIGINAL_WORKER_MODEL=""     # WORKER_MODEL saved before first upgrade (for restore on pass)
+_ORIGINAL_WORKER_CODEX_REASONING=""  # WORKER_CODEX_REASONING saved before first upgrade
 # =============================================================================
 # Utility Functions
 # =============================================================================
 DEBUG="${DEBUG:-0}"
-DEBUG_LOG="$ROOT/.claude/ralph-desk/logs/${LOOP_NAME:-unknown}/debug.log"
+DEBUG_LOG="$ANALYTICS_DIR/debug.log"
+# Source shared business logic
+LIB_DIR="$(cd "$(dirname "$0")" && pwd)"
+source "$LIB_DIR/lib_ralph_desk.zsh"
+# A16: Warn if running in foreground (may conflict with Claude Code pane)
+if [[ -z "${RLP_BACKGROUND:-}" ]]; then
+  echo "⚠ WARNING: Running in foreground. This may conflict with Claude Code's pane." >&2
+  echo "  Recommended: launch via Bash tool with run_in_background: true" >&2
+  echo "  Set RLP_BACKGROUND=1 to suppress this warning." >&2
+fi
-log() {
-  echo "[$(date '+%Y-%m-%d %H:%M:%S')] $*"
+# check_dead_pane() — determine if pane command indicates a dead/exited process
+# Engine-aware: bash is normal for codex workers (trigger runs in bash),
+# but indicates dead pane for claude workers.
+# Args: $1=pane_current_command  $2=engine (claude|codex)  $3=role (worker|verifier)
+# Returns: 0 if dead, 1 if alive
+check_dead_pane() {
+  local poll_cmd="$1"
+  local engine="${2:-claude}"
+  local role="${3:-worker}"
+  if [[ -z "$poll_cmd" ]]; then
+    return 0  # empty = dead
+  elif [[ "$poll_cmd" == "zsh" ]]; then
+    return 0  # bare zsh = dead
+  elif [[ "$poll_cmd" == "bash" && "$engine" != "codex" ]]; then
+    return 0  # bash = dead for claude (codex uses bash trigger)
+  fi
+  return 1  # alive
 }
-log_debug() {
-  if (( DEBUG )); then
-    mkdir -p "$(dirname "$DEBUG_LOG")" 2>/dev/null
-    echo "[$(date '+%Y-%m-%d %H:%M:%S')] DEBUG: $*" >> "$DEBUG_LOG"
+# launch_worker_codex() — launch codex Worker via trigger script (non-interactive exec)
+# Args: $1=pane_id  $2=trigger_file  $3=iteration
+# Returns: 0 always (codex failures detected by poll_for_signal)
+launch_worker_codex() {
+  local pane_id="$1"
+  local trigger_file="$2"
+  local iter="$3"
+  log "  Launching Worker codex via trigger script in pane $pane_id..."
+  paste_to_pane "$pane_id" "bash $trigger_file"
+  tmux send-keys -t "$pane_id" Enter
+  log_debug "Worker codex trigger sent: $trigger_file"
+  sleep 3  # brief wait for codex to start
+  return 0
+}
+# launch_worker_claude() — launch claude Worker TUI, send instruction, verify submission
+# Handles: TUI startup, wait_for_pane_ready, instruction send, 15-iteration submit loop,
+#          restart recovery on submit failure.
+# Args: $1=pane_id  $2=prompt_file  $3=iteration  $4=worker_launch_cmd
+# Returns: 0 on success, 1 on fatal failure (caller writes BLOCKED)
+launch_worker_claude() {
+  local pane_id="$1"
+  local prompt_file="$2"
+  local iter="$3"
+  local worker_launch="$4"
+  log "  Launching Worker claude in pane $pane_id..."
+  paste_to_pane "$pane_id" "$worker_launch"
+  tmux send-keys -t "$pane_id" Enter
+  # Wait for claude TUI to be ready
+  if ! wait_for_pane_ready "$pane_id" 30; then
+    log_error "Worker claude failed to start"
+    return 1
+  fi
+  # Send instruction to claude TUI
+  sleep 3
+  local worker_instruction="Read and execute the instructions in $prompt_file"
+  paste_to_pane "$pane_id" "$worker_instruction"
+  tmux send-keys -t "$pane_id" Enter
+  log_debug "Worker instruction sent directly (${#worker_instruction} chars)"
+  # 15-iteration submit loop — verify claude started working
+  local submit_attempts=0
+  while (( submit_attempts < 15 )); do
+    sleep 2
+    local pane_check
+    pane_check=$(tmux capture-pane -t "$pane_id" -p 2>/dev/null)
+    if echo "$pane_check" | grep -qi "esc to interrupt\|thinking\|working\|kneading\|crunching\|clauding\|billowing\|brewing\|tinkering\|burrowing\|saut\|Exploring\|Running\|exec\|Explored\|Prestidigitating\|Undulating\|Reading\|Bash\|Edit\|Write\|Grep\|Glob" 2>/dev/null; then
+      log_debug "Worker started working after $((submit_attempts + 1)) submit checks"
+      log_debug "[FLOW] iter=$iter worker_submit_check=OK attempts=$((submit_attempts + 1))"
+      break
+    fi
+    # Every 3 failed attempts, re-send full instruction
+    if (( submit_attempts > 0 && submit_attempts % 3 == 0 )); then
+      log_debug "Re-sending full worker instruction (attempt $submit_attempts)"
+      tmux send-keys -t "$pane_id" C-u 2>/dev/null
+      sleep 0.2
+      paste_to_pane "$pane_id" "$worker_instruction"
+      sleep 0.15
+      tmux send-keys -t "$pane_id" Enter
+      sleep 1
+    fi
+    tmux send-keys -t "$pane_id" C-m 2>/dev/null
+    sleep 0.3
+    tmux send-keys -t "$pane_id" C-m 2>/dev/null
+    (( submit_attempts++ ))
+  done
+  # If 15 attempts failed, restart claude and retry
+  if (( submit_attempts >= 15 )); then
+    log "  WARNING: Worker instruction not consumed after 15 attempts — restarting claude"
+    log_debug "[GOV] iter=$iter worker_instruction_failed=true attempts=15 action=restart_claude"
+    tmux send-keys -t "$pane_id" C-c 2>/dev/null
+    sleep 0.5
+    tmux send-keys -t "$pane_id" "/exit" Enter 2>/dev/null
+    sleep 2
+    wait_for_pane_ready "$pane_id" 10 2>/dev/null || true
+    paste_to_pane "$pane_id" "$worker_launch"
+    tmux send-keys -t "$pane_id" Enter
+    if wait_for_pane_ready "$pane_id" 30; then
+      sleep 3
+      paste_to_pane "$pane_id" "$worker_instruction"
+      tmux send-keys -t "$pane_id" Enter
+      log "  Worker restarted and instruction re-sent"
+      log_debug "[FLOW] iter=$iter worker_restart_recovery=success"
+    else
+      log_error "Worker restart failed — pane not ready"
+      log_debug "[FLOW] iter=$iter worker_restart_recovery=failed"
+    fi
+  fi
+  return 0
+}
+# launch_verifier_codex() — launch codex Verifier in pane (non-interactive)
+# Args: $1=pane_id  $2=prompt_file  $3=iteration  $4=launch_cmd
+# Returns: 0 always
+launch_verifier_codex() {
+  local pane_id="$1"
+  local prompt_file="$2"
+  local iter="$3"
+  local verifier_launch="$4"
+  log "  Launching Verifier codex in pane $pane_id..."
+  paste_to_pane "$pane_id" "$verifier_launch"
+  tmux send-keys -t "$pane_id" Enter
+  sleep 3
+  return 0
+}
+# launch_verifier_claude() — launch claude Verifier TUI, send instruction, verify submission
+# Args: $1=pane_id  $2=prompt_file  $3=iteration  $4=launch_cmd
+# Returns: 0 on success
+launch_verifier_claude() {
+  local pane_id="$1"
+  local prompt_file="$2"
+  local iter="$3"
+  local verifier_launch="$4"
+  log "  Launching Verifier claude in pane $pane_id..."
+  paste_to_pane "$pane_id" "$verifier_launch"
+  tmux send-keys -t "$pane_id" Enter
+  if ! wait_for_pane_ready "$pane_id" 30; then
+    log_error "Verifier failed to start"
+    return 1
   fi
+  sleep 3
+  local verifier_instruction="Read and execute the instructions in $prompt_file"
+  paste_to_pane "$pane_id" "$verifier_instruction"
+  tmux send-keys -t "$pane_id" Enter
+  log_debug "Verifier instruction sent directly"
+  # Submit loop — verify verifier started working
+  local submit_attempts=0
+  while (( submit_attempts < 15 )); do
+    sleep 2
+    local vs_check
+    vs_check=$(tmux capture-pane -t "$pane_id" -p 2>/dev/null)
+    if echo "$vs_check" | grep -qi "esc to interrupt\|thinking\|working\|kneading\|crunching\|clauding\|billowing\|brewing\|tinkering\|burrowing\|saut\|Exploring\|Running\|exec\|Explored" 2>/dev/null; then
+      log_debug "Verifier started working after $((submit_attempts + 1)) checks"
+      break
+    fi
+    if (( submit_attempts == 8 )); then
+      log_debug "Adaptive instruction retry: clearing line and re-typing"
+      tmux send-keys -t "$pane_id" C-u 2>/dev/null
+      sleep 0.1
+      paste_to_pane "$pane_id" "$verifier_instruction"
+      tmux send-keys -t "$pane_id" Enter
+    fi
+    tmux send-keys -t "$pane_id" C-m 2>/dev/null
+    sleep 0.3
+    tmux send-keys -t "$pane_id" C-m 2>/dev/null
+    (( submit_attempts++ ))
+  done
+  return 0
 }
-log_error() {
-  echo "[$(date '+%Y-%m-%d %H:%M:%S')] ERROR: $*" >&2
+# handle_worker_exit_codex() — handle codex worker process exit (1-shot exec)
+# On exit: check done-claim, auto-generate iter-signal.
+# Args: $1=iteration  $2=signal_file
+# Returns: 0 (signal generated), 1 (error)
+handle_worker_exit_codex() {
+  local iter="$1"
+  local signal_file="$2"
+  log "  Codex worker process exited. Checking for done-claim..."
+  if [[ -f "$DONE_CLAIM_FILE" ]]; then
+    local dc_us_id
+    dc_us_id=$(jq -r '.us_id // "unknown"' "$DONE_CLAIM_FILE" 2>/dev/null)
+    log "  Codex worker completed with done-claim (us_id=$dc_us_id). Auto-generating signal."
+    echo '{"iteration":'"$iter"',"status":"verify","us_id":"'"$dc_us_id"'","summary":"auto-generated after codex exec exit","timestamp":"'"$(date -u +%Y-%m-%dT%H:%M:%SZ)"'"}' > "$signal_file"
+  else
+    log "  WARNING: Codex worker exited without done-claim. Generating verify signal for current US."
+    local current_us
+    current_us=$(jq -r '.us_id // "US-001"' "$DESK/memos/${SLUG}-iter-signal.json" 2>/dev/null || echo "US-001")
+    local mem_us
+    mem_us=$(sed -n 's/.*Next.*US-\([0-9]*\).*/US-\1/p' "$DESK/memos/${SLUG}-memory.md" 2>/dev/null | head -1)
+    [[ -n "$mem_us" ]] && current_us="$mem_us"
+    echo '{"iteration":'"$iter"',"status":"verify","us_id":"'"$current_us"'","summary":"auto-generated after codex exec exit (no done-claim)","timestamp":"'"$(date -u +%Y-%m-%dT%H:%M:%SZ)"'"}' > "$signal_file"
+  fi
+  return 0
 }
-# --- governance.md s7: Atomic file writes (tmux pattern) ---
-# All file writes by the Leader use tmp+mv to prevent corruption.
-atomic_write() {
-  local target="$1"
-  local tmp="${target}.tmp.$$"
-  cat > "$tmp"
-  mv "$tmp" "$target"
+# handle_worker_exit_claude() — handle claude worker process exit (restart with backoff)
+# Args: $1=pane_id  $2=iteration  $3=trigger_file
+# Returns: 0 (restarted), 1 (max restarts exceeded)
+handle_worker_exit_claude() {
+  local pane_id="$1"
+  local iter="$2"
+  local trigger_file="$3"
+  log_error "Worker exited without writing signal file"
+  if restart_worker "$pane_id" "$iter" "$trigger_file"; then
+    return 0
+  else
+    return 1
+  fi
 }
 # --- omc-teams pattern: Kill-and-replace dead/stuck worker panes ---
@@ -148,12 +394,28 @@ replace_worker_pane() {
   log "  Replacing dead $role pane $old_pane..."
   tmux kill-pane -t "$old_pane" 2>/dev/null
-  # Create fresh pane via split-window off leader (omc-teams kill-and-replace pattern)
+  # Create fresh pane maintaining original layout: worker(top-right) / verifier(bottom-right)
   local new_pane
-  new_pane=$(tmux split-window -h -d -t "$LEADER_PANE" -P -F '#{pane_id}' -c "$ROOT")
+  if [[ "$role" == "verifier" ]]; then
+    # Verifier goes below worker: split vertically from worker pane
+    if tmux display-message -t "$WORKER_PANE" -p '#{pane_id}' &>/dev/null; then
+      new_pane=$(tmux split-window -v -d -t "$WORKER_PANE" -P -F '#{pane_id}' -c "$ROOT")
+    else
+      # Fallback: worker pane also dead, split horizontally from leader
+      new_pane=$(tmux split-window -h -d -t "$LEADER_PANE" -P -F '#{pane_id}' -c "$ROOT")
+    fi
+  else
+    # Worker goes above verifier: split vertically before verifier pane
+    if tmux display-message -t "$VERIFIER_PANE" -p '#{pane_id}' &>/dev/null; then
+      new_pane=$(tmux split-window -v -b -d -t "$VERIFIER_PANE" -P -F '#{pane_id}' -c "$ROOT")
+    else
+      # Fallback: verifier pane also dead, split horizontally from leader
+      new_pane=$(tmux split-window -h -d -t "$LEADER_PANE" -P -F '#{pane_id}' -c "$ROOT")
+    fi
+  fi
   log "  New $role pane: $new_pane (replaced $old_pane)"
-  log_debug "[EXEC] iter=$ITERATION pane_replaced=${role} old=$old_pane new=$new_pane"
+  log_debug "[FLOW] iter=$ITERATION pane_replaced=${role} old=$old_pane new=$new_pane"
   # Update session-config.json with new pane ID
   if [[ -f "$SESSION_CONFIG" ]]; then
@@ -178,9 +440,13 @@ check_dependencies() {
     missing=1
   fi
-  if ! command -v claude >/dev/null 2>&1; then
-    log_error "claude CLI is required but not found. See: https://docs.anthropic.com/en/docs/claude-cli"
-    missing=1
+  # claude required only when claude engine is used for Worker or Verifier execution;
+  # codex-only campaigns can run without claude — generate_sv_report degrades gracefully
+  if [[ "$WORKER_ENGINE" != "codex" || "$VERIFIER_ENGINE" != "codex" ]]; then
+    if ! command -v claude >/dev/null 2>&1; then
+      log_error "claude CLI is required but not found. See: https://docs.anthropic.com/en/docs/claude-cli"
+      missing=1
+    fi
   fi
   if ! command -v jq >/dev/null 2>&1; then
@@ -189,14 +455,9 @@ check_dependencies() {
   fi
   # Codex binary required only when engine=codex or consensus verification is enabled
-  if [[ "$WORKER_ENGINE" = "codex" || "$VERIFIER_ENGINE" = "codex" || "$VERIFY_CONSENSUS" = "1" ]]; then
+  if [[ "$WORKER_ENGINE" = "codex" || "$VERIFIER_ENGINE" = "codex" || "$VERIFY_CONSENSUS" = "1" || "$FINAL_CONSENSUS" = "1" ]]; then
     if ! command -v codex >/dev/null 2>&1; then
-      if [[ "$VERIFY_CONSENSUS" = "1" ]]; then
-        log_error "codex CLI is required for consensus verification (VERIFY_CONSENSUS=1)."
-      else
-        log_error "codex CLI is required when WORKER_ENGINE or VERIFIER_ENGINE is 'codex'."
-      fi
-      log_error "Install with: npm install -g @openai/codex"
+      log_error "codex CLI not found. Install: npm install -g @openai/codex"
       missing=1
     fi
   fi
@@ -205,52 +466,19 @@ check_dependencies() {
     exit 1
   fi
-  # Resolve full path to claude binary for reliable launches
-  CLAUDE_BIN=$(command -v claude 2>/dev/null || echo "claude")
-  log "  Claude binary: $CLAUDE_BIN"
+  # Resolve full path to claude binary when claude engine is in use
+  if [[ "$WORKER_ENGINE" != "codex" || "$VERIFIER_ENGINE" != "codex" ]]; then
+    CLAUDE_BIN=$(command -v claude 2>/dev/null || echo "claude")
+    log "  Claude binary: $CLAUDE_BIN"
+  fi
   # Resolve codex binary if needed
-  if [[ "$WORKER_ENGINE" = "codex" || "$VERIFIER_ENGINE" = "codex" || "$VERIFY_CONSENSUS" = "1" ]]; then
+  if [[ "$WORKER_ENGINE" = "codex" || "$VERIFIER_ENGINE" = "codex" || "$VERIFY_CONSENSUS" = "1" || "$FINAL_CONSENSUS" = "1" ]]; then
     CODEX_BIN=$(command -v codex 2>/dev/null || echo "codex")
     log "  Codex binary:  $CODEX_BIN"
   fi
 }
-# =============================================================================
-# Scaffold Validation
-# =============================================================================
-validate_scaffold() {
-  local errors=0
-  if [[ ! -f "$WORKER_PROMPT_BASE" ]]; then
-    log_error "Worker prompt not found: $WORKER_PROMPT_BASE"
-    errors=1
-  fi
-  if [[ ! -f "$VERIFIER_PROMPT_BASE" ]]; then
-    log_error "Verifier prompt not found: $VERIFIER_PROMPT_BASE"
-    errors=1
-  fi
-  if [[ ! -f "$CONTEXT_FILE" ]]; then
-    log_error "Context file not found: $CONTEXT_FILE"
-    errors=1
-  fi
-  if [[ ! -f "$MEMORY_FILE" ]]; then
-    log_error "Memory file not found: $MEMORY_FILE"
-    errors=1
-  fi
-  if (( errors )); then
-    log_error "Scaffold validation failed. Run init_ralph_desk.zsh first."
-    exit 1
-  fi
-  mkdir -p "$LOGS_DIR"
-}
 # =============================================================================
 # Session Management (tmux pattern: pane IDs)
 # =============================================================================
@@ -300,15 +528,42 @@ create_session() {
   fi
+  # Set pane titles and enable border labels for visual distinction
+  local worker_label="Worker ($WORKER_ENGINE:$WORKER_MODEL)"
+  local verifier_label="Verifier ($VERIFIER_ENGINE:$VERIFIER_MODEL)"
+  [[ "$VERIFY_CONSENSUS" = "1" ]] && verifier_label="Verifier ($VERIFIER_ENGINE:$VERIFIER_MODEL + codex:$VERIFIER_CODEX_MODEL)"
+  tmux select-pane -t "$LEADER_PANE" -T "Leader" 2>/dev/null
+  tmux select-pane -t "$WORKER_PANE" -T "$worker_label" 2>/dev/null
+  tmux select-pane -t "$VERIFIER_PANE" -T "$verifier_label" 2>/dev/null
+  # Color-coded pane borders: green=leader, blue=worker, yellow=verifier
+  tmux set-option -p -t "$LEADER_PANE" pane-border-style "fg=green" 2>/dev/null
+  tmux set-option -p -t "$WORKER_PANE" pane-border-style "fg=blue" 2>/dev/null
+  tmux set-option -p -t "$VERIFIER_PANE" pane-border-style "fg=yellow" 2>/dev/null
+  # Show pane titles in border
+  tmux set-option pane-border-status top 2>/dev/null
+  tmux set-option pane-border-format "#{?pane_active,#[fg=white bold],#[fg=grey]} #{pane_title} " 2>/dev/null
   log "  Leader pane:   $LEADER_PANE"
   log "  Worker pane:   $WORKER_PANE"
   log "  Verifier pane: $VERIFIER_PANE"
+  # AC12: Capture baseline commit before writing session config
+  BASELINE_COMMIT=$(git -C "$ROOT" rev-parse HEAD 2>/dev/null || echo "none")
+  # Truncate cost-log for fresh run (previous data in versioned campaign reports)
+  > "$COST_LOG"
+  # SV flag warning for tmux mode
+  if (( WITH_SELF_VERIFICATION )); then
+    log "  NOTE: --with-self-verification recorded but SV report generation is Agent-mode only"
+  fi
   # Write session config (atomic write)
   echo '{
   "session_name": "'"$SESSION_NAME"'",
   "slug": "'"$SLUG"'",
   "created_at": "'"$(date -u +%Y-%m-%dT%H:%M:%SZ)"'",
+  "baseline_commit": "'"$BASELINE_COMMIT"'",
   "panes": {
     "leader": "'"$LEADER_PANE"'",
     "worker": "'"$WORKER_PANE"'",
@@ -340,7 +595,10 @@ create_session() {
     "heartbeat_stale_threshold": '"$HEARTBEAT_STALE_THRESHOLD"',
     "max_restarts": '"$MAX_RESTARTS"',
     "idle_nudge_threshold": '"$IDLE_NUDGE_THRESHOLD"',
-    "max_nudges": '"$MAX_NUDGES"'
+    "max_nudges": '"$MAX_NUDGES"',
+    "cb_threshold": '"$CB_THRESHOLD"',
+    "effective_cb_threshold": '"$EFFECTIVE_CB_THRESHOLD"',
+    "with_self_verification": '"$WITH_SELF_VERIFICATION"'
   }
 }' | atomic_write "$SESSION_CONFIG"
@@ -366,6 +624,17 @@ check_copy_mode() {
 # Verification-Based Send Retry (tmux pattern)
 # =============================================================================
+# --- Reliable text paste via tmux buffer (avoids send-keys -l char-by-char issues) ---
+paste_to_pane() {
+  local pane_id="$1"
+  local text="$2"
+  local tmpbuf="/tmp/.rlp-desk-paste-$$.tmp"
+  echo -n "$text" > "$tmpbuf"
+  tmux load-buffer -b rlp-paste "$tmpbuf" 2>/dev/null
+  tmux paste-buffer -b rlp-paste -d -t "$pane_id" 2>/dev/null
+  rm -f "$tmpbuf"
+}
 # --- governance.md s7 step 5: Send with copy-mode guard and retry ---
 safe_send_keys() {
   local pane_id="$1"
@@ -403,9 +672,9 @@ safe_send_keys() {
     tmux send-keys -t "$pane_id" "2" Enter
     sleep 0.2
   fi
-  # Send text in literal mode with -- separator
-  log_debug " Sending text to pane $pane_id (${#text} chars)"
-  tmux send-keys -t "$pane_id" -l -- "$text"
+  # Send text via buffer paste (reliable for long strings)
+  log_debug " Pasting text to pane $pane_id (${#text} chars)"
+  paste_to_pane "$pane_id" "$text"
   # Allow input buffer to settle (tmux: 150ms)
   sleep 0.15
@@ -415,9 +684,7 @@ safe_send_keys() {
   while (( round < 6 )); do
     sleep 0.1
     if (( round == 0 && pane_busy )); then
-      # Busy pane: Tab+C-m queue semantics (tmux pattern)
-      tmux send-keys -t "$pane_id" Tab
-      sleep 0.08
+      # Busy pane: just C-m (DO NOT send Tab — it toggles Claude Code permission mode)
       tmux send-keys -t "$pane_id" C-m
     else
       tmux send-keys -t "$pane_id" C-m
@@ -450,7 +717,7 @@ safe_send_keys() {
   if ! check_copy_mode "$pane_id"; then
     return 1
   fi
-  tmux send-keys -t "$pane_id" -l -- "$text"
+  paste_to_pane "$pane_id" "$text"
   sleep 0.12
   local retry_round=0
   while (( retry_round < 4 )); do
@@ -598,12 +865,19 @@ check_and_nudge_idle_pane() {
     local now
     now=$(date +%s)
     if (( now - idle_since > IDLE_NUDGE_THRESHOLD )); then
-      local count=${(P)nudge_count_var}
-      if (( count < MAX_NUDGES )); then
-        log "  Nudging idle pane $pane_id (nudge $((count + 1))/$MAX_NUDGES)"
-        safe_send_keys "$pane_id" ""
-        (( count++ ))
-        eval "$nudge_count_var=$count"
+      # A12 fix: NEVER nudge if pane is busy (thinking/working) — nudge interrupts claude
+      local _nudge_capture
+      _nudge_capture=$(tmux capture-pane -t "$pane_id" -p -S -5 2>/dev/null)
+      if echo "$_nudge_capture" | grep -qi "esc to interrupt\|thinking\|working\|kneading\|crunching\|clauding\|billowing\|brewing\|tinkering\|burrowing\|saut\|razzle\|bunning\|zesting\|fermenting\|actualizing\|composing\|evaporating\|churning" 2>/dev/null; then
+        log_debug "  Pane $pane_id appears busy (thinking/working), skipping nudge"
+      else
+        local count=${(P)nudge_count_var}
+        if (( count < MAX_NUDGES )); then
+          log "  Nudging idle pane $pane_id (nudge $((count + 1))/$MAX_NUDGES)"
+          safe_send_keys "$pane_id" ""
+          (( count++ ))
+          eval "$nudge_count_var=$count"
+        fi
       fi
     fi
   else
@@ -621,6 +895,13 @@ restart_worker() {
   local pane_id="$1"
   local iter="$2"
   local trigger_file="$3"
+  # Codex workers are 1-shot exec; restart is not applicable
+  if [[ "$WORKER_ENGINE" = "codex" ]]; then
+    log_debug "restart_worker called for codex engine — no-op (1-shot exec)"
+    return 1
+  fi
   local restart_count="${WORKER_RESTARTS[$iter]:-0}"
   if (( restart_count >= MAX_RESTARTS )); then
@@ -653,6 +934,25 @@ restart_worker() {
 # Write-Then-Notify: Trigger Script Generation (tmux CRITICAL pattern)
 # =============================================================================
+# Per-US PRD injection helper
+# Substitutes the full PRD path with a per-US split path in the Worker prompt base.
+# Falls back to the full PRD with a stderr warning if the split file is missing.
+# Args: $1=prompt_base_file $2=full_prd_path $3=per_us_prd_path (empty = no substitution)
+inject_per_us_prd() {
+  local prompt_base="$1"
+  local full_prd="$2"
+  local per_us_prd="${3:-}"
+  if [[ -n "$per_us_prd" && -f "$per_us_prd" ]]; then
+    sed "s|$full_prd|$per_us_prd|g" "$prompt_base"
+  else
+    if [[ -n "$per_us_prd" ]]; then
+      echo "WARNING: per-US split file not found: $per_us_prd — falling back to full PRD injection" >&2
+    fi
+    cat "$prompt_base"
+  fi
+}
 # --- governance.md s7 step 4+5: Write prompt and trigger to files ---
 # NEVER send prompt content through tmux send-keys.
 # Write payloads to files, send only short trigger commands (<200 chars).
@@ -670,14 +970,31 @@ write_worker_trigger() {
   local prev_iter=$((iter - 1))
   local fix_contract_file="$LOGS_DIR/iter-$(printf '%03d' $prev_iter).fix-contract.md"
+  # Compute next unverified US before prompt assembly (required for per-US PRD injection)
+  local next_us=""
+  if [[ "$VERIFY_MODE" = "per-us" && -n "$US_LIST" ]]; then
+    for us in $(echo "$US_LIST" | tr ',' ' '); do
+      if ! echo ",$VERIFIED_US," | grep -q ",$us,"; then
+        next_us="$us"
+        break
+      fi
+    done
+  fi
   {
-    cat "$WORKER_PROMPT_BASE"
+    # Per-US PRD injection: substitute full PRD path with per-US split path when available
+    local per_us_prd=""
+    [[ -n "$next_us" ]] && per_us_prd="$DESK/plans/prd-${SLUG}-${next_us}.md"
+    inject_per_us_prd "$WORKER_PROMPT_BASE" "$DESK/plans/prd-${SLUG}.md" "$per_us_prd"
     echo ""
     echo "---"
     echo "## Iteration Context"
     echo "- **Iteration**: $iter"
     echo "- **Memory Stop Status**: $(sed -n '/^## Stop Status$/,/^$/{ /^## /d; /^$/d; p; }' "$MEMORY_FILE" 2>/dev/null | head -1)"
     echo "- **Next Iteration Contract**: ${contract:-Start from the beginning}"
+    if (( _PRD_CHANGED )); then
+      echo "NOTE: PRD was updated since last iteration. New/changed US may exist."
+    fi
     # Include fix contract if previous verifier failed
     if [[ -f "$fix_contract_file" ]]; then
@@ -692,23 +1009,25 @@ write_worker_trigger() {
     # Per-US mode: tell Worker exactly which US to work on
     if [[ "$VERIFY_MODE" = "per-us" && -n "$US_LIST" ]]; then
-      # Find next unverified US
-      local next_us=""
-      for us in $(echo "$US_LIST" | tr ',' ' '); do
-        if ! echo ",$VERIFIED_US," | grep -q ",$us,"; then
-          next_us="$us"
-          break
-        fi
-      done
       if [[ -n "$next_us" ]]; then
         echo ""
         echo "---"
-        echo "## PER-US SCOPE LOCK (this iteration)"
+        echo "## PER-US SCOPE LOCK (this iteration) — OVERRIDES memory contract"
+        echo "**IGNORE the 'Next Iteration Contract' from memory if it references a different story.**"
+        echo "The Leader has determined that **${next_us}** is the next unverified story."
         echo "You MUST implement ONLY **${next_us}** in this iteration."
         echo "Do NOT implement any other user stories."
+        # Per-US test-spec injection: point Worker to scoped test-spec if available
+        local per_us_test_spec="$DESK/plans/test-spec-${SLUG}-${next_us}.md"
+        if [[ -f "$per_us_test_spec" ]]; then
+          echo "- **Test Spec**: Read ONLY \`$per_us_test_spec\` (scoped to ${next_us})"
+        else
+          echo "- **Test Spec**: Read \`$DESK/plans/test-spec-${SLUG}.md\` (full — find ${next_us} section)"
+        fi
         echo "When done, signal verify with us_id=\"${next_us}\" (not \"ALL\")."
         echo "Signal format: {\"iteration\": N, \"status\": \"verify\", \"us_id\": \"${next_us}\", ...}"
+        echo ""
+        echo "**Update the campaign memory's 'Next Iteration Contract' to reflect ${next_us}.**"
       elif [[ -n "$VERIFIED_US" ]]; then
         # All individual US verified — this is the final full verify iteration
         echo ""
@@ -732,12 +1051,12 @@ write_worker_trigger() {
   # Write trigger script (DO NOT use exec -- breaks heartbeat cleanup)
   # Engine-specific launch command (expanded at write time)
   if [[ "$WORKER_ENGINE" = "codex" ]]; then
-    local engine_cmd="${CODEX_BIN:-codex} -m $WORKER_CODEX_MODEL \\
+    local engine_cmd="${CODEX_BIN:-codex} exec \\
+  -m $WORKER_CODEX_MODEL \\
   -c model_reasoning_effort=\"$WORKER_CODEX_REASONING\" \\
   --dangerously-bypass-approvals-and-sandbox \\
-  \"\$(cat $prompt_file)\" \\
-  2>&1 | tee $output_log"
-    local engine_comment="# Run codex with fresh context (governance.md s7 step 5)"
+  \"\$(cat $prompt_file)\""
+    local engine_comment="# Run codex exec with fresh context (no pipe — codex requires terminal)"
   else
     local engine_cmd="$CLAUDE_BIN -p \"\$(cat $prompt_file)\" \\
   --model $WORKER_MODEL \\
@@ -868,106 +1187,6 @@ TRIGGER_EOF
   log "  Verifier trigger: $trigger_file"
 }
-# =============================================================================
-# Status Updates
-# =============================================================================
-# --- governance.md s7 step 8: Update status.json ---
-update_status() {
-  local phase="$1"
-  local last_result="$2"
-  # Build verified_us as JSON array
-  local verified_us_json="[]"
-  if [[ -n "$VERIFIED_US" ]]; then
-    verified_us_json=$(echo "$VERIFIED_US" | tr ',' '\n' | jq -R . | jq -s .)
-  fi
-  # Build consensus fields
-  local consensus_json=""
-  if [[ "$VERIFY_CONSENSUS" = "1" ]]; then
-    consensus_json=',
-  "consensus_scope": "'"$CONSENSUS_SCOPE"'",
-  "consensus_round": '"$CONSENSUS_ROUND"',
-  "claude_verdict": "'"${CLAUDE_VERDICT:-}"'",
-  "codex_verdict": "'"${CODEX_VERDICT:-}"'"'
-  fi
-  echo '{
-  "slug": "'"$SLUG"'",
-  "iteration": '"$ITERATION"',
-  "max_iter": '"$MAX_ITER"',
-  "phase": "'"$phase"'",
-  "worker_model": "'"$WORKER_MODEL"'",
-  "verifier_model": "'"$VERIFIER_MODEL"'",
-  "worker_engine": "'"$WORKER_ENGINE"'",
-  "verifier_engine": "'"$VERIFIER_ENGINE"'",
-  "worker_codex_model": "'"$WORKER_CODEX_MODEL"'",
-  "worker_codex_reasoning": "'"$WORKER_CODEX_REASONING"'",
-  "verifier_codex_model": "'"$VERIFIER_CODEX_MODEL"'",
-  "verifier_codex_reasoning": "'"$VERIFIER_CODEX_REASONING"'",
-  "verify_mode": "'"$VERIFY_MODE"'",
-  "verify_consensus": '"$VERIFY_CONSENSUS"',
-  "last_result": "'"$last_result"'",
-  "consecutive_failures": '"$CONSECUTIVE_FAILURES"',
-  "verified_us": '"$verified_us_json"''"$consensus_json"',
-  "updated_at_utc": "'"$(date -u +%Y-%m-%dT%H:%M:%SZ)"'"
-}' | atomic_write "$STATUS_FILE"
-}
-# --- governance.md s7 step 8: Write result log ---
-write_result_log() {
-  local iter="$1"
-  local result="$2"
-  local result_file="$LOGS_DIR/iter-$(printf '%03d' $iter).result.md"
-  local git_diff=""
-  git_diff=$(git diff --stat HEAD~1 HEAD 2>/dev/null || echo "(no git diff available)")
-  {
-    echo "# Iteration $iter Result"
-    echo ""
-    echo "## Status"
-    echo "$result [leader-measured]"
-    echo ""
-    echo "## Files Changed"
-    echo '```'
-    echo "$git_diff"
-    echo '```'
-    echo "[git-measured]"
-    echo ""
-    echo "## Timestamp"
-    echo "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
-  } | atomic_write "$result_file"
-}
-# =============================================================================
-# Sentinel Writers
-# =============================================================================
-# --- governance.md s7: Only the Leader writes sentinels ---
-write_complete_sentinel() {
-  local summary="$1"
-  echo "# Campaign Complete
-Completed at iteration $ITERATION.
-$summary
-Timestamp: $(date -u +%Y-%m-%dT%H:%M:%SZ)" | atomic_write "$COMPLETE_SENTINEL"
-  log "COMPLETE sentinel written: $COMPLETE_SENTINEL"
-}
-write_blocked_sentinel() {
-  local reason="$1"
-  echo "# Campaign Blocked
-Blocked at iteration $ITERATION.
-Reason: $reason
-Timestamp: $(date -u +%Y-%m-%dT%H:%M:%SZ)" | atomic_write "$BLOCKED_SENTINEL"
-  log "BLOCKED sentinel written: $BLOCKED_SENTINEL"
-}
 # =============================================================================
 # Cleanup (trap handler)
 # =============================================================================
@@ -976,7 +1195,11 @@ cleanup() {
   log "Cleaning up..."
   # Remove lockfile
-  rm -f "$DESK/logs/.rlp-desk-$SLUG.lock" 2>/dev/null
+  if (( LOCKFILE_ACQUIRED )); then
+    rm -f "$LOCKFILE_PATH" 2>/dev/null
+  else
+    log_debug "cleanup: lockfile not owned by this process, skipping removal"
+  fi
   # Kill claude processes then kill panes
   log_debug "cleanup: WORKER_PANE=${WORKER_PANE:-unset} VERIFIER_PANE=${VERIFIER_PANE:-unset}"
@@ -1002,6 +1225,12 @@ cleanup() {
   setopt local_options nonomatch 2>/dev/null
   rm -f "$LOGS_DIR"/*.tmp.* "$MEMOS_DIR"/*.tmp.* 2>/dev/null
+  # AC4: Generate campaign report on all terminal states (always-on)
+  generate_campaign_report
+  # US-001: Generate SV report after campaign report (tmux mode)
+  generate_sv_report
   # Print summary
   local end_time
   end_time=$(date +%s)
@@ -1014,17 +1243,24 @@ cleanup() {
   elif [[ -f "$BLOCKED_SENTINEL" ]]; then final_status="BLOCKED"
   else final_status="TIMEOUT"; fi
+  # --- Update metadata.json with final status ---
+  if [[ -f "$METADATA_FILE" ]]; then
+    jq --arg status "$final_status" --arg end_time "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
+      '.campaign_status = $status | .end_time = $end_time' \
+      "$METADATA_FILE" > "${METADATA_FILE}.tmp" && mv "${METADATA_FILE}.tmp" "$METADATA_FILE"
+  fi
   if (( DEBUG )); then
     local end_ts=$(date +%s)
     local elapsed=$((end_ts - START_TIME))
-    log_debug "[EXEC] final status=$final_status iterations=$ITERATION elapsed=${elapsed}s"
+    log_debug "[FLOW] final status=$final_status iterations=$ITERATION elapsed=${elapsed}s"
     # --- Validation ---
-    log_debug "[VALIDATE] === Execution Validation ==="
+    log_debug "[FLOW] === Execution Validation ==="
     # 1. Did the correct verify mode run?
-    log_debug "[VALIDATE] verify_mode=$VERIFY_MODE configured=true"
+    log_debug "[FLOW] verify_mode=$VERIFY_MODE configured=true"
     # 2. Per-US: were all US individually verified?
     if [[ "$VERIFY_MODE" = "per-us" ]]; then
@@ -1038,39 +1274,39 @@ cleanup() {
       if [[ "$final_status" = "COMPLETE" ]]; then
         if (( verified_count >= expected_count )); then
-          log_debug "[VALIDATE] per_us_coverage=PASS verified=$verified_count/$expected_count us=$VERIFIED_US"
+          log_debug "[FLOW] per_us_coverage=PASS verified=$verified_count/$expected_count us=$VERIFIED_US"
         else
-          log_debug "[VALIDATE] per_us_coverage=FAIL verified=$verified_count/$expected_count expected=$expected_us got=$VERIFIED_US"
+          log_debug "[FLOW] per_us_coverage=FAIL verified=$verified_count/$expected_count expected=$expected_us got=$VERIFIED_US"
         fi
       else
-        log_debug "[VALIDATE] per_us_coverage=INCOMPLETE verified=$verified_count/$expected_count status=$final_status"
+        log_debug "[FLOW] per_us_coverage=INCOMPLETE verified=$verified_count/$expected_count status=$final_status"
       fi
     fi
     # 3. Consensus: were both engines used?
     if [[ "$VERIFY_CONSENSUS" = "1" ]]; then
       if [[ -n "${CLAUDE_VERDICT:-}" && -n "${CODEX_VERDICT:-}" ]]; then
-        log_debug "[VALIDATE] consensus=USED claude=$CLAUDE_VERDICT codex=$CODEX_VERDICT rounds=$CONSENSUS_ROUND"
+        log_debug "[FLOW] consensus=USED claude=$CLAUDE_VERDICT codex=$CODEX_VERDICT rounds=$CONSENSUS_ROUND"
       else
-        log_debug "[VALIDATE] consensus=NOT_TRIGGERED claude=${CLAUDE_VERDICT:-none} codex=${CODEX_VERDICT:-none}"
+        log_debug "[FLOW] consensus=NOT_TRIGGERED claude=${CLAUDE_VERDICT:-none} codex=${CODEX_VERDICT:-none}"
       fi
     fi
     # 4. Engine match: did the configured engines actually run?
-    local worker_dispatches=$(grep -c '\[EXEC\].*phase=worker.*dispatched=true' "$DEBUG_LOG" 2>/dev/null || echo 0)
-    local verifier_dispatches=$(grep -c '\[EXEC\].*phase=verifier.*dispatched=true' "$DEBUG_LOG" 2>/dev/null || echo 0)
-    log_debug "[VALIDATE] dispatches worker=$worker_dispatches verifier=$verifier_dispatches"
+    local worker_dispatches=$(grep -c '\[FLOW\].*phase=worker.*dispatched=true' "$DEBUG_LOG" 2>/dev/null || echo 0)
+    local verifier_dispatches=$(grep -c '\[FLOW\].*phase=verifier.*dispatched=true' "$DEBUG_LOG" 2>/dev/null || echo 0)
+    log_debug "[FLOW] dispatches worker=$worker_dispatches verifier=$verifier_dispatches"
     # 5. Fix loops: how many fix contracts were generated?
-    local fix_count=$(grep -c '\[EXEC\].*phase=fix_loop' "$DEBUG_LOG" 2>/dev/null || echo 0)
-    log_debug "[VALIDATE] fix_loops=$fix_count consecutive_failures=$CONSECUTIVE_FAILURES"
+    local fix_count=$(grep -c '\[DECIDE\].*phase=fix_loop' "$DEBUG_LOG" 2>/dev/null || echo 0)
+    log_debug "[FLOW] fix_loops=$fix_count consecutive_failures=$CONSECUTIVE_FAILURES"
     # 6. Circuit breakers: any triggered?
-    local cb_count=$(grep -c '\[EXEC\].*circuit_breaker=' "$DEBUG_LOG" 2>/dev/null || echo 0)
-    log_debug "[VALIDATE] circuit_breakers_triggered=$cb_count"
+    local cb_count=$(grep -c '\[GOV\].*circuit_breaker=' "$DEBUG_LOG" 2>/dev/null || echo 0)
+    log_debug "[FLOW] circuit_breakers_triggered=$cb_count"
     # 7. Overall result
-    log_debug "[VALIDATE] result=$final_status iterations=$ITERATION elapsed=${elapsed}s verified_us=$VERIFIED_US"
+    log_debug "[FLOW] result=$final_status iterations=$ITERATION elapsed=${elapsed}s verified_us=$VERIFIED_US"
   fi
   echo ""
@@ -1110,6 +1346,7 @@ poll_for_signal() {
   local trigger_file="$4"
   local role="$5"  # "worker" or "verifier"
   local nudge_count=0
+  local api_retry_count=0
   local poll_start
   poll_start=$(date +%s)
@@ -1134,6 +1371,54 @@ poll_for_signal() {
       return 0  # success
     fi
+    # A4 fallback: done-claim exists but no signal → Worker forgot iter-signal
+    # ONLY for Worker polling — Verifier waits for verdict file, not done-claim
+    if [[ "$role" != *erifier* && -f "$DONE_CLAIM_FILE" && ! -f "$signal_file" ]]; then
+      local dc_us_id
+      dc_us_id=$(jq -r '.us_id // "unknown"' "$DONE_CLAIM_FILE" 2>/dev/null)
+      if [[ -n "$dc_us_id" && "$dc_us_id" != "null" ]]; then
+        log "  WARNING: done-claim exists for $dc_us_id but no iter-signal. Auto-generating signal (A4 fallback)."
+        log_debug "[GOV] iter=$ITERATION done_claim_without_signal=true us_id=$dc_us_id action=auto_generate_signal"
+        echo '{"iteration":'"$ITERATION"',"status":"verify","us_id":"'"$dc_us_id"'","summary":"auto-generated by A4 fallback (done-claim without signal)","timestamp":"'"$(date -u +%Y-%m-%dT%H:%M:%SZ)"'"}' > "$signal_file"
+        return 0
+      fi
+    fi
+    # API transient-error recovery with bounded backoff
+    local pane_output_for_retry
+    pane_output_for_retry=$(tmux capture-pane -t "$pane_id" -p 2>/dev/null || true)
+    local is_api_text_retry=0
+    if [[ -n "$pane_output_for_retry" ]] &&
+       ( echo "$pane_output_for_retry" | grep -qiE '(^|[^[:digit:]])500([^[:digit:]]|$)' \
+      || echo "$pane_output_for_retry" | grep -qiE '(^|[^[:digit:]])529([^[:digit:]]|$)' \
+      || echo "$pane_output_for_retry" | grep -qi 'overloaded' \
+      || echo "$pane_output_for_retry" | grep -qi 'too many requests' \
+      || echo "$pane_output_for_retry" | grep -qi 'service unavailable' ); then
+      is_api_text_retry=1
+    fi
+    if (( is_api_text_retry )) || is_api_error "$pane_id"; then
+      (( api_retry_count++ ))
+      log_debug "[FLOW] iter=$ITERATION api_retry=${api_retry_count}/${_API_MAX_RETRIES} role=${role} reason=tmux_pane_api_error"
+      if (( api_retry_count >= _API_MAX_RETRIES )); then
+        log_error "API unavailable after ${_API_MAX_RETRIES} retries"
+        write_blocked_sentinel "API unavailable after ${_API_MAX_RETRIES} retries"
+        return 2
+      fi
+      # A5: If pane shows "queued messages" or rate-limit corruption, restart pane
+      if echo "$pane_output_for_retry" | grep -qi 'queued messages'; then
+        log "  A5: Rate-limited pane shows 'queued messages' — restarting $role pane"
+        log_debug "[GOV] iter=$ITERATION phase=rate_limit_pane_restart role=$role reason=queued_messages"
+        tmux send-keys -t "$pane_id" C-c 2>/dev/null; sleep 0.5
+        tmux send-keys -t "$pane_id" "/exit" Enter 2>/dev/null; sleep 2
+        wait_for_pane_ready "$pane_id" 10 2>/dev/null || true
+      fi
+      sleep "$_API_RETRY_INTERVAL_S"
+      continue
+    else
+      api_retry_count=0
+    fi
     # Check heartbeat freshness (tmux pattern)
     if [[ -f "$heartbeat_file" ]]; then
       if check_heartbeat_exited "$heartbeat_file"; then
@@ -1143,9 +1428,13 @@ poll_for_signal() {
           log "  Signal file detected after process exit: $signal_file"
           return 0
         fi
-        log_error "$role exited without writing signal file"
-        # Attempt restart with exponential backoff
-        if restart_worker "$pane_id" "$ITERATION" "$trigger_file"; then
+        # Dispatch to engine-specific exit handler
+        if [[ "$WORKER_ENGINE" = "codex" && "$role" != *erifier* ]]; then
+          handle_worker_exit_codex "$ITERATION" "$signal_file"
+          return 0
+        fi
+        # Claude path (or verifier of any engine)
+        if handle_worker_exit_claude "$pane_id" "$ITERATION" "$trigger_file"; then
           # Reset poll timer for the restart
           poll_start=$(date +%s)
           nudge_count=0
@@ -1163,7 +1452,7 @@ poll_for_signal() {
         (( HEARTBEAT_STALE_COUNT++ ))
         # Circuit breaker: 3 consecutive heartbeat stale events
         if (( HEARTBEAT_STALE_COUNT >= 3 )); then
-          log_debug "[EXEC] iter=$ITERATION circuit_breaker=heartbeat_stale detail=\"3 consecutive heartbeat stale events\""
+          log_debug "[GOV] iter=$ITERATION circuit_breaker=heartbeat_stale detail=\"3 consecutive heartbeat stale events\""
           log_error "Circuit breaker: 3 consecutive heartbeat stale events"
           return 1
         fi
@@ -1181,12 +1470,23 @@ poll_for_signal() {
       fi
     fi
+    # Dead pane detection during poll: check if claude/codex process died
+    local poll_cmd
+    poll_cmd=$(tmux display-message -p -t "$pane_id" '#{pane_current_command}' 2>/dev/null)
+    # Dead pane detection — delegates to check_dead_pane() for engine-aware logic
+    if check_dead_pane "$poll_cmd" "$WORKER_ENGINE" "$role"; then
+      log "  WARNING: $role pane $pane_id has bare shell ($poll_cmd) — process died during execution"
+      log_debug "[GOV] iter=$ITERATION pane_dead_during_poll=true pane=$pane_id cmd=$poll_cmd role=$role"
+      # Return failure so caller can handle recovery
+      return 1
+    fi
     # Auto-approve permission prompts during poll
     local poll_capture
     poll_capture=$(tmux capture-pane -t "$pane_id" -p 2>/dev/null)
     if echo "$poll_capture" | grep -q "Do you want to" 2>/dev/null; then
       log "  Permission prompt detected during poll, auto-approving..."
-      log_debug "[EXEC] iter=$ITERATION permission_prompt_auto_approved=true"
+      log_debug "[FLOW] iter=$ITERATION permission_prompt_auto_approved=true"
       tmux send-keys -t "$pane_id" Enter
       sleep 0.5
     fi
@@ -1198,38 +1498,6 @@ poll_for_signal() {
   done
 }
-# =============================================================================
-# Circuit Breaker: Stale Context Detection
-# =============================================================================
-# --- governance.md s7 step 8: Stale context detection ---
-compute_context_hash() {
-  if [[ -f "$CONTEXT_FILE" ]]; then
-    md5 -q "$CONTEXT_FILE" 2>/dev/null || md5sum "$CONTEXT_FILE" 2>/dev/null | cut -d' ' -f1
-  else
-    echo "no-context"
-  fi
-}
-check_stale_context() {
-  local current_hash
-  current_hash=$(compute_context_hash)
-  if [[ "$current_hash" == "$PREV_CONTEXT_HASH" ]]; then
-    (( STALE_CONTEXT_COUNT++ ))
-    log "  WARNING: Context unchanged ($STALE_CONTEXT_COUNT/3 stale iterations)"
-    if (( STALE_CONTEXT_COUNT >= 3 )); then
-      log_error "Circuit breaker: context unchanged for 3 consecutive iterations"
-      return 1
-    fi
-  else
-    STALE_CONTEXT_COUNT=0
-  fi
-  PREV_CONTEXT_HASH="$current_hash"
-  return 0
-}
 # =============================================================================
 # Consensus Verification (run two verifiers sequentially in same pane)
 # =============================================================================
@@ -1247,10 +1515,23 @@ run_single_verifier() {
   local trigger_file="$LOGS_DIR/iter-$(printf '%03d' $iter).verifier${suffix}-trigger.sh"
   local prompt_file="$LOGS_DIR/iter-$(printf '%03d' $iter).verifier${suffix}-prompt.md"
-  # Clean previous Verifier session
+  # Clean previous Verifier session (with dead pane detection)
   local verifier_cmd
   verifier_cmd=$(tmux display-message -p -t "$VERIFIER_PANE" '#{pane_current_command}' 2>/dev/null)
-  if [[ "$verifier_cmd" == "node" || "$verifier_cmd" == "claude" || "$verifier_cmd" == "codex" ]]; then
+  if [[ -z "$verifier_cmd" ]]; then
+    log "  Verifier pane $VERIFIER_PANE is gone — replacing..."
+    log_debug "[GOV] iter=$iter pane_dead=true pane_id=$VERIFIER_PANE action=replace_pane"
+    replace_worker_pane "$VERIFIER_PANE" "verifier"
+    VERIFIER_PANE=$(jq -r '.panes.verifier' "$SESSION_CONFIG")
+    log "  New verifier pane: $VERIFIER_PANE"
+  elif [[ "$verifier_cmd" == "zsh" || "$verifier_cmd" == "bash" ]]; then
+    log "  Verifier pane $VERIFIER_PANE has bare shell ($verifier_cmd) — resetting..."
+    log_debug "[GOV] iter=$iter pane_dead=true pane_id=$VERIFIER_PANE cmd=$verifier_cmd action=reset_shell"
+    tmux send-keys -t "$VERIFIER_PANE" C-c C-u 2>/dev/null
+    sleep 0.2
+    tmux send-keys -t "$VERIFIER_PANE" "clear" Enter 2>/dev/null
+    sleep 0.3
+  elif [[ "$verifier_cmd" == "node" || "$verifier_cmd" == "claude" || "$verifier_cmd" == "codex" ]]; then
     tmux send-keys -t "$VERIFIER_PANE" C-c 2>/dev/null
     sleep 0.5
     tmux send-keys -t "$VERIFIER_PANE" "/exit" Enter 2>/dev/null
@@ -1265,55 +1546,19 @@ run_single_verifier() {
   # Remove previous verdict file
   rm -f "$VERDICT_FILE" 2>/dev/null
-  # Launch verifier
+  # Launch verifier — dispatch to engine-specific function
+  local verifier_launch
   if [[ "$engine" = "codex" ]]; then
-    # Codex: use non-interactive exec mode in pane (more reliable than TUI for sequential runs)
-    local codex_cmd="${CODEX_BIN:-codex} exec \"\$(cat $prompt_file)\" -m $VERIFIER_CODEX_MODEL -c model_reasoning_effort=\"$VERIFIER_CODEX_REASONING\" --dangerously-bypass-approvals-and-sandbox"
-    log "  Running $suffix verifier (codex exec) in pane $VERIFIER_PANE..."
-    tmux send-keys -t "$VERIFIER_PANE" -l -- "$codex_cmd"
-    tmux send-keys -t "$VERIFIER_PANE" Enter
-    log_debug "Verifier$suffix codex exec sent directly"
+    verifier_launch="${CODEX_BIN:-codex} exec \"\$(cat $prompt_file)\" -m $VERIFIER_CODEX_MODEL -c model_reasoning_effort=\"$VERIFIER_CODEX_REASONING\" --dangerously-bypass-approvals-and-sandbox"
+    launch_verifier_codex "$VERIFIER_PANE" "$prompt_file" "$iter" "$verifier_launch"
+    log_debug "Verifier$suffix codex exec dispatched"
   else
-    # Claude: use interactive TUI
-    local verifier_launch="$CLAUDE_BIN --model $model --dangerously-skip-permissions"
-    log "  Launching $suffix verifier (claude) in pane $VERIFIER_PANE..."
-    tmux send-keys -t "$VERIFIER_PANE" -l -- "$verifier_launch"
-    tmux send-keys -t "$VERIFIER_PANE" Enter
-    if ! wait_for_pane_ready "$VERIFIER_PANE" 30; then
+    verifier_launch="$CLAUDE_BIN --model $model --dangerously-skip-permissions"
+    if ! launch_verifier_claude "$VERIFIER_PANE" "$prompt_file" "$iter" "$verifier_launch"; then
       log_error "Verifier$suffix failed to start"
       return 1
     fi
-    sleep 3
-    local verifier_instruction="Read and execute the instructions in $prompt_file"
-    tmux send-keys -t "$VERIFIER_PANE" -l -- "$verifier_instruction"
-    tmux send-keys -t "$VERIFIER_PANE" Enter
-    log_debug "Verifier$suffix instruction sent directly"
-    # Verify claude actually started working
-    local v_submit=0
-    while (( v_submit < 15 )); do
-      sleep 2
-      local v_check
-      v_check=$(tmux capture-pane -t "$VERIFIER_PANE" -p 2>/dev/null)
-      if echo "$v_check" | grep -qi "esc to interrupt\|thinking\|working\|kneading\|crunching\|clauding\|billowing\|brewing\|tinkering\|burrowing\|saut" 2>/dev/null; then
-        log_debug "Verifier$suffix started working after $((v_submit + 1)) checks"
-        break
-      fi
-      # After 8 failed attempts, try C-u clear + re-type (omc-teams adaptive retry)
-      if (( v_submit == 8 )); then
-        log_debug "Adaptive instruction retry: clearing line and re-typing"
-        tmux send-keys -t "$VERIFIER_PANE" C-u 2>/dev/null
-        sleep 0.1
-        tmux send-keys -t "$VERIFIER_PANE" -l -- "$verifier_instruction"
-        tmux send-keys -t "$VERIFIER_PANE" Enter
-      fi
-      tmux send-keys -t "$VERIFIER_PANE" C-m 2>/dev/null
-      sleep 0.3
-      tmux send-keys -t "$VERIFIER_PANE" C-m 2>/dev/null
-      (( v_submit++ ))
-    done
+    log_debug "Verifier$suffix claude dispatched"
   fi
   # Poll for verdict
@@ -1341,6 +1586,10 @@ run_single_verifier() {
     # Claude: use full poll_for_signal with heartbeat/nudge
     log "  Polling for verify-verdict.json ($suffix)..."
     if ! poll_for_signal "$VERDICT_FILE" "$VERIFIER_HEARTBEAT" "$VERIFIER_PANE" "$verifier_launch" "Verifier$suffix"; then
+      local verifier_poll_rc=$?
+      if (( verifier_poll_rc == 2 )); then
+        return 1
+      fi
       log_error "Verifier$suffix poll failed"
       return 1
     fi
@@ -1352,6 +1601,110 @@ run_single_verifier() {
   return 0
 }
+# --- Sequential final verify: run per-US scoped verifiers instead of one big ALL verify ---
+# Returns 0 if all US pass + integration check pass, 1 if any US fails, 2 if integration fails.
+# Sets FAILED_US global on failure.
+run_sequential_final_verify() {
+  local iter="$1"
+  FAILED_US=""
+  log "  Sequential final verify: ${US_LIST} (${VERIFY_MODE} mode)"
+  log_debug "[FLOW] iter=$iter phase=sequential_final_verify us_list=$US_LIST"
+  for us in $(echo "$US_LIST" | tr ',' ' '); do
+    log "  Final verify: checking $us..."
+    # Temporarily override signal file to scope verifier to this US
+    local orig_signal
+    orig_signal=$(cat "$SIGNAL_FILE" 2>/dev/null)
+    echo "{\"status\":\"verify\",\"us_id\":\"$us\",\"summary\":\"sequential final verify\"}" | atomic_write "$SIGNAL_FILE"
+    # Write scoped verifier trigger
+    write_verifier_trigger "$iter"
+    local verifier_prompt="$LOGS_DIR/iter-$(printf '%03d' $iter).verifier-prompt.md"
+    # Clean verifier pane
+    local verifier_cmd
+    verifier_cmd=$(tmux display-message -p -t "$VERIFIER_PANE" '#{pane_current_command}' 2>/dev/null)
+    if [[ "$verifier_cmd" == "node" || "$verifier_cmd" == "claude" || "$verifier_cmd" == "codex" ]]; then
+      tmux send-keys -t "$VERIFIER_PANE" C-c 2>/dev/null; sleep 0.5
+      tmux send-keys -t "$VERIFIER_PANE" "/exit" Enter 2>/dev/null; sleep 2
+    fi
+    wait_for_pane_ready "$VERIFIER_PANE" 10 2>/dev/null || true
+    # Launch verifier
+    local verifier_launch
+    if [[ "$VERIFIER_ENGINE" = "codex" ]]; then
+      verifier_launch="${CODEX_BIN:-codex} -m $VERIFIER_CODEX_MODEL -c model_reasoning_effort=\"$VERIFIER_CODEX_REASONING\" --dangerously-bypass-approvals-and-sandbox"
+      launch_verifier_codex "$VERIFIER_PANE" "$verifier_prompt" "$iter" "$verifier_launch"
+    else
+      verifier_launch="$CLAUDE_BIN --model $VERIFIER_MODEL --dangerously-skip-permissions"
+      launch_verifier_claude "$VERIFIER_PANE" "$verifier_prompt" "$iter" "$verifier_launch" || {
+        log_error "Failed to launch verifier for $us"
+        FAILED_US="$us"
+        return 1
+      }
+    fi
+    # Poll for verdict
+    rm -f "$VERDICT_FILE"
+    local poll_rc=0
+    poll_for_signal "$VERDICT_FILE" "$ITER_TIMEOUT" "verdict" || poll_rc=$?
+    if (( poll_rc != 0 )); then
+      log_error "Verifier poll failed for $us (rc=$poll_rc)"
+      FAILED_US="$us"
+      return 1
+    fi
+    # Check verdict
+    local verdict
+    verdict=$(jq -r '.verdict' "$VERDICT_FILE" 2>/dev/null)
+    if [[ "$verdict" != "pass" ]]; then
+      FAILED_US="$us"
+      log "  Sequential final verify FAILED at $us"
+      log_debug "[FLOW] iter=$iter phase=sequential_final_verify failed_us=$us verdict=$verdict"
+      return 1
+    fi
+    log "  Sequential final verify: $us PASSED"
+    # Archive per-US final verdict
+    cp "$VERDICT_FILE" "$LOGS_DIR/iter-$(printf '%03d' $iter).final-verdict-${us}.json" 2>/dev/null
+  done
+  # Integration check: run tests if VERIFICATION_CMD is set
+  if [[ -n "${VERIFICATION_CMD:-}" ]]; then
+    log "  Running integration test suite after sequential verify..."
+    log_debug "[FLOW] iter=$iter phase=integration_check cmd=$VERIFICATION_CMD"
+    if ! eval "$VERIFICATION_CMD" > /dev/null 2>&1; then
+      log "  Integration test suite FAILED"
+      FAILED_US="integration"
+      return 2
+    fi
+    log "  Integration test suite PASSED"
+  fi
+  log "  Sequential final verify: ALL PASSED"
+  return 0
+}
+# --- US-005: Determine whether consensus verification should run for this signal ---
+# Returns 0 (use consensus) or 1 (single engine).
+# VERIFY_CONSENSUS + CONSENSUS_SCOPE handles per-US consensus.
+# FINAL_CONSENSUS independently enables consensus for the final ALL verify only.
+_should_use_consensus() {
+  local signal_us_id="${1:-}"
+  if [[ "$VERIFY_CONSENSUS" = "1" ]]; then
+    case "$CONSENSUS_SCOPE" in
+      all) return 0 ;;
+      final-only) [[ "$signal_us_id" == "ALL" ]] && return 0 ;;
+    esac
+  fi
+  if [[ "$FINAL_CONSENSUS" = "1" && "$signal_us_id" == "ALL" ]]; then
+    return 0
+  fi
+  return 1
+}
 # --- US-004: Run consensus verification (claude + codex sequentially) ---
 run_consensus_verification() {
   local iter="$1"
@@ -1362,32 +1715,59 @@ run_consensus_verification() {
   CLAUDE_VERDICT=""
   CODEX_VERDICT=""
-  while (( CONSENSUS_ROUND < 3 )); do
+  while (( CONSENSUS_ROUND < 6 )); do
     (( CONSENSUS_ROUND++ ))
-    log "  Consensus round $CONSENSUS_ROUND/3..."
+    log "  Consensus round $CONSENSUS_ROUND/6..."
     # Run claude verifier first
+    local _claude_t0=$(date +%s)
     if ! run_single_verifier "$iter" "claude" "$VERIFIER_MODEL" "-claude" "$claude_verdict_file"; then
       log_error "Claude verifier failed in consensus round $CONSENSUS_ROUND"
       return 1
     fi
+    ITER_VERIFIER_CLAUDE_DURATION_S=$(( $(date +%s) - _claude_t0 ))
     CLAUDE_VERDICT=$(jq -r '.verdict' "$claude_verdict_file" 2>/dev/null)
-    log_debug "[EXEC] iter=$iter phase=consensus_claude verdict=$CLAUDE_VERDICT model=$VERIFIER_MODEL"
+    # A12 fix: validate claude verdict is not null/empty — if so, retry once before proceeding
+    if [[ -z "$CLAUDE_VERDICT" || "$CLAUDE_VERDICT" == "null" ]]; then
+      log "  WARNING: Claude verdict is '$CLAUDE_VERDICT' — likely interrupted. Retrying claude verifier..."
+      log_debug "[GOV] iter=$iter phase=consensus_claude_retry reason=null_verdict"
+      rm -f "$claude_verdict_file" 2>/dev/null
+      if ! run_single_verifier "$iter" "claude" "$VERIFIER_MODEL" "-claude" "$claude_verdict_file"; then
+        log_error "Claude verifier retry also failed"
+        return 1
+      fi
+      CLAUDE_VERDICT=$(jq -r '.verdict' "$claude_verdict_file" 2>/dev/null)
+      if [[ -z "$CLAUDE_VERDICT" || "$CLAUDE_VERDICT" == "null" ]]; then
+        log_error "Claude verdict still null after retry — consensus cannot proceed"
+        return 1
+      fi
+    fi
+    log_debug "[GOV] iter=$iter phase=consensus_claude verdict=$CLAUDE_VERDICT model=$VERIFIER_MODEL"
+    # F8: --consensus-fail-fast — skip second verifier if first fails
+    if [[ "$CONSENSUS_FAIL_FAST" = "1" && "$CLAUDE_VERDICT" = "fail" ]]; then
+      log "  Consensus fail-fast: claude=fail, skipping codex verifier"
+      log_debug "[GOV] iter=$iter phase=consensus_fail_fast claude=fail codex=skipped"
+      CODEX_VERDICT="skipped"
+      return 2  # disagreement/fail signal
+    fi
     # Run codex verifier second
+    local _codex_t0=$(date +%s)
     if ! run_single_verifier "$iter" "codex" "$VERIFIER_CODEX_MODEL" "-codex" "$codex_verdict_file"; then
       log_error "Codex verifier failed in consensus round $CONSENSUS_ROUND"
       return 1
     fi
+    ITER_VERIFIER_CODEX_DURATION_S=$(( $(date +%s) - _codex_t0 ))
     CODEX_VERDICT=$(jq -r '.verdict' "$codex_verdict_file" 2>/dev/null)
-    log_debug "[EXEC] iter=$iter phase=consensus_codex verdict=$CODEX_VERDICT model=$VERIFIER_CODEX_MODEL reasoning=$VERIFIER_CODEX_REASONING"
+    log_debug "[GOV] iter=$iter phase=consensus_codex verdict=$CODEX_VERDICT model=$VERIFIER_CODEX_MODEL reasoning=$VERIFIER_CODEX_REASONING"
     log "  Consensus: claude=$CLAUDE_VERDICT codex=$CODEX_VERDICT"
     local _combined_action="retry"
     if [[ "$CLAUDE_VERDICT" = "pass" && "$CODEX_VERDICT" = "pass" ]]; then _combined_action="pass"
-    elif (( CONSENSUS_ROUND >= 3 )); then _combined_action="blocked"
+    elif (( CONSENSUS_ROUND >= 6 )); then _combined_action="blocked"
     fi
-    log_debug "[EXEC] iter=$iter phase=consensus round=$CONSENSUS_ROUND claude=$CLAUDE_VERDICT codex=$CODEX_VERDICT combined_action=$_combined_action"
+    log_debug "[GOV] iter=$iter phase=consensus round=$CONSENSUS_ROUND claude=$CLAUDE_VERDICT codex=$CODEX_VERDICT combined_action=$_combined_action"
     # Both pass → success
     if [[ "$CLAUDE_VERDICT" = "pass" && "$CODEX_VERDICT" = "pass" ]]; then
@@ -1409,7 +1789,7 @@ run_consensus_verification() {
     fi
     # Consensus disagreement
-    log_debug "[EXEC] iter=$iter phase=consensus_disagreement round=$CONSENSUS_ROUND claude=$CLAUDE_VERDICT codex=$CODEX_VERDICT action=fix_contract"
+    log_debug "[GOV] iter=$iter phase=consensus_disagreement round=$CONSENSUS_ROUND claude=$CLAUDE_VERDICT codex=$CODEX_VERDICT action=fix_contract"
     # NOTE: pre_existing_failure heuristic was removed (v0.3.5).
     # It used unreliable grep-in-description string matching to classify
@@ -1442,14 +1822,19 @@ run_consensus_verification() {
     # If this is not the last round, the caller will dispatch the Worker with the fix contract
     # For now, write a fail verdict so the main loop can handle the fix loop
-    if (( CONSENSUS_ROUND < 3 )); then
-      # Create a merged fail verdict for the main loop
+    if (( CONSENSUS_ROUND < 6 )); then
+      # Create a merged fail verdict for the main loop — include issues from BOTH verdicts
+      local merged_issues="[]"
+      local claude_issues codex_issues
+      claude_issues=$(jq -c '[.issues[]? | . + {"source": "claude"}]' "$claude_verdict_file" 2>/dev/null || echo '[]')
+      codex_issues=$(jq -c '[.issues[]? | . + {"source": "codex"}]' "$codex_verdict_file" 2>/dev/null || echo '[]')
+      merged_issues=$(echo "$claude_issues $codex_issues" | jq -s 'add // []')
       {
         echo '{'
         echo '  "verdict": "fail",'
         echo '  "verified_at_utc": "'"$(date -u +%Y-%m-%dT%H:%M:%SZ)"'",'
-        echo '  "summary": "Consensus disagreement (round '"$CONSENSUS_ROUND"'/3): claude='"$CLAUDE_VERDICT"' codex='"$CODEX_VERDICT"'",'
-        echo '  "issues": [],'
+        echo '  "summary": "Consensus disagreement (round '"$CONSENSUS_ROUND"'/6): claude='"$CLAUDE_VERDICT"' codex='"$CODEX_VERDICT"'",'
+        echo '  "issues": '"$merged_issues"','
         echo '  "recommended_state_transition": "continue",'
         echo '  "consensus": { "claude": "'"$CLAUDE_VERDICT"'", "codex": "'"$CODEX_VERDICT"'", "round": '"$CONSENSUS_ROUND"' }'
         echo '}'
@@ -1458,56 +1843,91 @@ run_consensus_verification() {
     fi
   done
-  # Max consensus rounds exceeded
-  log_error "Consensus failed after 3 rounds"
+  # Max consensus rounds exceeded — include issues from both verdicts
+  log_error "Consensus failed after 6 rounds"
+  local final_claude_issues final_codex_issues final_merged_issues
+  final_claude_issues=$(jq -c '[.issues[]? | . + {"source": "claude"}]' "$claude_verdict_file" 2>/dev/null || echo '[]')
+  final_codex_issues=$(jq -c '[.issues[]? | . + {"source": "codex"}]' "$codex_verdict_file" 2>/dev/null || echo '[]')
+  final_merged_issues=$(echo "$final_claude_issues $final_codex_issues" | jq -s 'add // []')
   {
     echo '{'
     echo '  "verdict": "fail",'
     echo '  "verified_at_utc": "'"$(date -u +%Y-%m-%dT%H:%M:%SZ)"'",'
-    echo '  "summary": "Consensus failed after 3 rounds: claude='"$CLAUDE_VERDICT"' codex='"$CODEX_VERDICT"'",'
-    echo '  "issues": [],'
+    echo '  "summary": "Consensus failed after 6 rounds: claude='"$CLAUDE_VERDICT"' codex='"$CODEX_VERDICT"'",'
+    echo '  "issues": '"$final_merged_issues"','
     echo '  "recommended_state_transition": "blocked",'
-    echo '  "consensus": { "claude": "'"$CLAUDE_VERDICT"'", "codex": "'"$CODEX_VERDICT"'", "round": 3 }'
+    echo '  "consensus": { "claude": "'"$CLAUDE_VERDICT"'", "codex": "'"$CODEX_VERDICT"'", "round": 6 }'
     echo '}'
   } | atomic_write "$VERDICT_FILE"
   return 1
 }
-# =============================================================================
-# Security Warning
-# =============================================================================
-print_security_warning() {
-  echo ""
-  echo "================================================================"
-  echo "  WARNING: Running with --dangerously-skip-permissions"
-  echo ""
-  echo "  The claude CLI will execute tools (file writes, shell commands)"
-  echo "  without asking for confirmation. Only run this on code you"
-  echo "  trust in an environment you control."
-  echo "================================================================"
-  echo ""
-}
 # =============================================================================
 # Main Leader Loop
 # =============================================================================
 main() {
   # --- Lockfile: prevent duplicate execution ---
-  local lockfile="$DESK/logs/.rlp-desk-$SLUG.lock"
+  local lockfile="$LOCKFILE_PATH"
   mkdir -p "$(dirname "$lockfile")" 2>/dev/null
   if ! (set -C; echo $$ > "$lockfile") 2>/dev/null; then
     local lock_pid
     lock_pid=$(cat "$lockfile" 2>/dev/null)
     if kill -0 "$lock_pid" 2>/dev/null; then
-      log_error "Another instance is already running (PID $lock_pid)"
+      log_error "Another instance is already running (PID $lock_pid). Kill $lock_pid or rm $lockfile"
       exit 1
     fi
     # Stale lock — overwrite
+    log "Stale lock detected (PID ${lock_pid:-unknown} not running), recovering"
     echo $$ > "$lockfile"
+    LOCKFILE_ACQUIRED=1
+  else
+    LOCKFILE_ACQUIRED=1
+  fi
+  trap cleanup EXIT INT TERM
+  mkdir -p "$LOGS_DIR" "$RUNTIME_DIR" 2>/dev/null
+  # --- Analytics directory: create only when --debug or --with-self-verification ---
+  if (( DEBUG )) || (( WITH_SELF_VERIFICATION )); then
+    mkdir -p "$ANALYTICS_DIR" 2>/dev/null
+  fi
+  # --- debug.log versioning (in analytics dir) ---
+  if (( DEBUG )) && [[ -f "$DEBUG_LOG" ]]; then
+    local dbg_n=1
+    while [[ -f "${DEBUG_LOG%.log}-v${dbg_n}.log" ]]; do
+      (( dbg_n++ ))
+    done
+    mv "$DEBUG_LOG" "${DEBUG_LOG%.log}-v${dbg_n}.log"
+  fi
+  # --- campaign.jsonl versioning (in analytics dir, after mkdir) ---
+  if (( DEBUG )) || (( WITH_SELF_VERIFICATION )); then
+    if [[ -f "$CAMPAIGN_JSONL" ]]; then
+      local cj_n=1
+      while [[ -f "${CAMPAIGN_JSONL%.jsonl}-v${cj_n}.jsonl" ]]; do
+        (( cj_n++ ))
+      done
+      mv "$CAMPAIGN_JSONL" "${CAMPAIGN_JSONL%.jsonl}-v${cj_n}.jsonl"
+    fi
+  fi
+  # --- metadata.json: write at campaign start ---
+  if (( DEBUG )) || (( WITH_SELF_VERIFICATION )); then
+    jq -n \
+      --arg slug "$SLUG" \
+      --arg project_root "$ROOT" \
+      --arg campaign_status "running" \
+      --arg start_time "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
+      --arg end_time "" \
+      --arg worker_model "$WORKER_MODEL" \
+      --arg verifier_model "$VERIFIER_MODEL" \
+      --argjson debug "$DEBUG" \
+      --argjson with_sv "$WITH_SELF_VERIFICATION" \
+      --argjson consensus "$VERIFY_CONSENSUS" \
+      '{slug: $slug, project_root: $project_root, campaign_status: $campaign_status, start_time: $start_time, end_time: $end_time, worker_model: $worker_model, verifier_model: $verifier_model, debug: $debug, with_self_verification: $with_sv, consensus: $consensus}' \
+      > "$METADATA_FILE"
   fi
-  mkdir -p "$LOGS_DIR" 2>/dev/null
   # --- Startup ---
   log "Ralph Desk Tmux Runner starting..."
@@ -1518,6 +1938,7 @@ main() {
   log "  Verifier model:  $VERIFIER_MODEL"
   log "  Verify mode:     $VERIFY_MODE"
   log "  Verify consensus:$VERIFY_CONSENSUS"
+  log "  Final consensus: $FINAL_CONSENSUS"
   log "  Consensus scope: $CONSENSUS_SCOPE"
   log "  Poll interval:   ${POLL_INTERVAL}s"
   log "  Iter timeout:    ${ITER_TIMEOUT}s"
@@ -1531,10 +1952,11 @@ main() {
     fi
     local us_count=$(echo "$us_list" | tr ',' '\n' | grep -c 'US-')
-    log_debug "[PLAN] slug=$SLUG us_count=$us_count us_list=$us_list"
-    log_debug "[PLAN] worker_engine=$WORKER_ENGINE worker_model=$WORKER_MODEL"
-    log_debug "[PLAN] verifier_engine=$VERIFIER_ENGINE verifier_model=$VERIFIER_MODEL"
-    log_debug "[PLAN] verify_mode=$VERIFY_MODE consensus=$VERIFY_CONSENSUS consensus_scope=$CONSENSUS_SCOPE max_iter=$MAX_ITER"
+    log_debug "[OPTION] slug=$SLUG us_count=$us_count us_list=$us_list"
+    log_debug "[OPTION] worker_engine=$WORKER_ENGINE worker_model=$WORKER_MODEL"
+    log_debug "[OPTION] verifier_engine=$VERIFIER_ENGINE verifier_model=$VERIFIER_MODEL"
+    log_debug "[OPTION] verify_mode=$VERIFY_MODE consensus=$VERIFY_CONSENSUS consensus_scope=$CONSENSUS_SCOPE max_iter=$MAX_ITER"
+    log_debug "[OPTION] cb_threshold=$CB_THRESHOLD effective_cb_threshold=$EFFECTIVE_CB_THRESHOLD iter_timeout=$ITER_TIMEOUT with_self_verification=$WITH_SELF_VERIFICATION debug=$DEBUG"
     if [[ "$VERIFY_MODE" = "per-us" ]]; then
       # Build expected flow
@@ -1543,13 +1965,13 @@ main() {
         expected_flow="${expected_flow}worker->verify($us)->"
       done
       expected_flow="${expected_flow}verify(ALL)->COMPLETE"
-      log_debug "[PLAN] expected_flow=$expected_flow"
+      log_debug "[OPTION] expected_flow=$expected_flow"
     else
-      log_debug "[PLAN] expected_flow=worker(all)->verify(ALL)->COMPLETE"
+      log_debug "[OPTION] expected_flow=worker(all)->verify(ALL)->COMPLETE"
     fi
     if [[ "$VERIFY_CONSENSUS" = "1" ]]; then
-      log_debug "[PLAN] consensus_flow=each_verify_runs_claude+codex_both_must_pass"
+      log_debug "[OPTION] consensus_flow=each_verify_runs_claude+codex_both_must_pass"
     fi
   fi
@@ -1559,8 +1981,35 @@ main() {
     if [[ -f "$prd_file" ]]; then
       US_LIST=$(grep -oE 'US-[0-9]+' "$prd_file" | sort -u | tr '\n' ',' | sed 's/,$//')
     fi
+  # Initialize VERIFIED_US from memory's Completed Stories (carry over previous runs)
+  local memory_file="$DESK/memos/${SLUG}-memory.md"
+  if [[ -f "$memory_file" ]]; then
+      local completed_us
+      completed_us=$(sed -n '/^## Completed Stories$/,/^## /p' "$memory_file" 2>/dev/null | grep '^- US-' | sed 's/^- \(US-[0-9]*\):.*/\1/' | sort -u | tr '\n' ',' | sed 's/,$//')
+      if [[ -n "$completed_us" ]]; then
+        VERIFIED_US="$completed_us"
+        log "  Loaded completed stories from memory: $VERIFIED_US"
+        log_debug "[FLOW] loaded_verified_us_from_memory=$VERIFIED_US"
+      fi
+    fi
+    # D1: Fallback — restore verified_us from status.json if memory had none
+    if [[ -z "$VERIFIED_US" && -f "$STATUS_FILE" ]]; then
+      local status_verified
+      status_verified=$(jq -r '.verified_us // [] | join(",")' "$STATUS_FILE" 2>/dev/null)
+      if [[ -n "$status_verified" ]]; then
+        VERIFIED_US="$status_verified"
+        log "  Restored verified_us from status.json: $VERIFIED_US"
+        log_debug "[FLOW] restored_verified_us_from_status=$VERIFIED_US"
+      fi
+    fi
   fi
+  # Initialize PRD snapshot state for live update detection
+  PREV_PRD_HASH=$(compute_prd_hash)
+  PREV_PRD_US_LIST=$(count_prd_us)
   # Dependency checks
   check_dependencies
@@ -1583,7 +2032,7 @@ main() {
   PREV_CONTEXT_HASH=$(compute_context_hash)
   # --- governance.md s7: Leader Loop ---
-  local HARD_CEILING=$(( ITER_TIMEOUT * 3 ))  # absolute max per iteration (no extensions beyond this)
+  local HARD_CEILING=$(( ITER_TIMEOUT * 3 ))  # logged but NOT enforced — Worker extends indefinitely when active
   for (( ITERATION = 1; ITERATION <= MAX_ITER; ITERATION++ )); do
     log ""
@@ -1592,7 +2041,7 @@ main() {
     ITER_START_TIME=$(date +%s)
     local _iter_contract=""
     _iter_contract=$(sed -n '/^## Next Iteration Contract$/,/^## /{ /^## Next/d; /^## [^N]/d; p; }' "$MEMORY_FILE" 2>/dev/null | head -1 | tr '\n' ' ')
-    log_debug "[EXEC] iter=$ITERATION start contract=\"${_iter_contract:-none}\""
+    log_debug "[FLOW] iter=$ITERATION start contract=\"${_iter_contract:-none}\""
     # --- governance.md s7 step 1: Check sentinels ---
     if [[ -f "$COMPLETE_SENTINEL" ]]; then
@@ -1625,122 +2074,92 @@ main() {
     # Reset per-iteration state
     local worker_nudge_count=0
     local verifier_nudge_count=0
+    ITER_VERIFIER_START=""
+    ITER_VERIFIER_END=""
+    # --- US-004: detect PRD changes for live update + re-split ---
+    check_prd_update
     # --- governance.md s7 step 4: Build worker prompt + trigger ---
     write_worker_trigger "$ITERATION"
     local worker_prompt="$LOGS_DIR/iter-$(printf '%03d' $ITERATION).worker-prompt.md"
+    # AC1: capture worker start timestamp
+    ITER_WORKER_START=$(date +%s)
     update_status "worker" "running"
-    # --- governance.md s7 step 5: Execute Worker (interactive TUI, tmux pattern) ---
-    # Step 5a: Launch interactive worker engine in Worker pane
+    # --- governance.md s7 step 5: Execute Worker (dispatched to engine-specific function) ---
+    log_debug "[FLOW] iter=$ITERATION phase=worker engine=$WORKER_ENGINE model=$WORKER_MODEL dispatched=true"
     local worker_launch
     if [[ "$WORKER_ENGINE" = "codex" ]]; then
-      worker_launch="${CODEX_BIN:-codex} -m $WORKER_CODEX_MODEL -c model_reasoning_effort=\"$WORKER_CODEX_REASONING\" --dangerously-bypass-approvals-and-sandbox"
-      log "  Launching Worker codex in pane $WORKER_PANE..."
+      local worker_trigger="$LOGS_DIR/iter-$(printf '%03d' $ITERATION).worker-trigger.sh"
+      worker_launch="bash $worker_trigger"
+      launch_worker_codex "$WORKER_PANE" "$worker_trigger" "$ITERATION"
     else
       worker_launch="$CLAUDE_BIN --model $WORKER_MODEL --dangerously-skip-permissions"
-      log "  Launching Worker claude in pane $WORKER_PANE..."
-    fi
-    tmux send-keys -t "$WORKER_PANE" -l -- "$worker_launch"
-    tmux send-keys -t "$WORKER_PANE" Enter
-    log_debug "[EXEC] iter=$ITERATION phase=worker engine=$WORKER_ENGINE model=$WORKER_MODEL dispatched=true"
-    # Step 5b: Wait for claude TUI to be ready (tmux pattern)
-    if ! wait_for_pane_ready "$WORKER_PANE" 30; then
-      log_error "Worker claude failed to start"
-      write_blocked_sentinel "Worker claude failed to start in pane"
-      update_status "blocked" "worker_start_failed"
-      return 1
-    fi
-    # Step 5c: Wait for claude to fully initialize, then send instruction directly
-    sleep 3
-    local worker_instruction="Read and execute the instructions in $worker_prompt"
-    tmux send-keys -t "$WORKER_PANE" -l -- "$worker_instruction"
-    tmux send-keys -t "$WORKER_PANE" Enter
-    log_debug "Worker instruction sent directly (${#worker_instruction} chars)"
-    # Verify claude actually started working — keep sending C-m until activity detected
-    local submit_attempts=0
-    while (( submit_attempts < 15 )); do
-      sleep 2
-      local pane_check
-      pane_check=$(tmux capture-pane -t "$WORKER_PANE" -p 2>/dev/null)
-      if echo "$pane_check" | grep -qi "esc to interrupt\|thinking\|working\|kneading\|crunching\|clauding\|billowing\|brewing\|tinkering\|burrowing\|saut\|Exploring\|Running\|exec\|Explored" 2>/dev/null; then
-        log_debug "Worker started working after $((submit_attempts + 1)) submit checks"
-        log_debug "[EXEC] iter=$ITERATION worker_submit_check=OK attempts=$((submit_attempts + 1))"
-        break
-      fi
-      # After 8 failed attempts, try C-u clear + re-type (omc-teams adaptive retry)
-      if (( submit_attempts == 8 )); then
-        log_debug "Adaptive instruction retry: clearing line and re-typing"
-        tmux send-keys -t "$WORKER_PANE" C-u 2>/dev/null
-        sleep 0.1
-        tmux send-keys -t "$WORKER_PANE" -l -- "$worker_instruction"
-        tmux send-keys -t "$WORKER_PANE" Enter
+      if ! launch_worker_claude "$WORKER_PANE" "$worker_prompt" "$ITERATION" "$worker_launch"; then
+        write_blocked_sentinel "Worker claude failed to start in pane"
+        update_status "blocked" "worker_start_failed"
+        return 1
       fi
-      tmux send-keys -t "$WORKER_PANE" C-m 2>/dev/null
-      sleep 0.3
-      tmux send-keys -t "$WORKER_PANE" C-m 2>/dev/null
-      (( submit_attempts++ ))
-    done
-    if (( submit_attempts >= 15 )); then
-      log "  WARNING: Could not confirm Worker started working after 15 attempts"
-      log_debug "[EXEC] iter=$ITERATION worker_submit_check=FAILED attempts=15"
     fi
     # --- governance.md s7 step 5+6: Poll for Worker completion ---
     log "  Polling for iter-signal.json..."
     local worker_poll_done=0
     while (( ! worker_poll_done )); do
+      local worker_poll_rc=0
       if poll_for_signal "$SIGNAL_FILE" "$WORKER_HEARTBEAT" "$WORKER_PANE" "$worker_launch" "Worker"; then
         worker_poll_done=1
-        log_debug "[EXEC] iter=$ITERATION poll_signal_received=true"
+        log_debug "[FLOW] iter=$ITERATION poll_signal_received=true"
       else
+        worker_poll_rc=$?
+        if (( worker_poll_rc == 2 )); then
+          return 1
+        fi
         # Check if Worker is still actively running (not stuck)
         local worker_cmd
         worker_cmd=$(tmux display-message -p -t "$WORKER_PANE" '#{pane_current_command}' 2>/dev/null)
         if [[ "$worker_cmd" == "node" || "$worker_cmd" == "claude" || "$worker_cmd" == "codex" ]]; then
-          # Check hard ceiling before extending
+          # Process alive — extend indefinitely (no hard ceiling kill)
+          # Stale-context breaker and nudge system handle truly stuck workers
           local iter_elapsed=$(( $(date +%s) - ITER_START_TIME ))
+          local ceiling_exceeded=""
           if (( iter_elapsed >= HARD_CEILING )); then
-            log_error "Worker hit hard ceiling (${HARD_CEILING}s = 3x iter_timeout). Killing iteration."
-            log_debug "[EXEC] iter=$ITERATION hard_ceiling_hit=true elapsed=${iter_elapsed}s ceiling=${HARD_CEILING}s process=$worker_cmd"
-            tmux send-keys -t "$WORKER_PANE" C-c 2>/dev/null
-            sleep 1
-            WORKER_PANE=$(replace_worker_pane "$WORKER_PANE" "worker")
-            update_status "worker" "hard_timeout"
-            worker_poll_done=1
-            break
+            ceiling_exceeded=" [EXCEEDED hard_ceiling=${HARD_CEILING}s — not enforced, logged only]"
+            log "  WARNING: Worker exceeded soft hard-ceiling (${iter_elapsed}s >= ${HARD_CEILING}s) but still active. Continuing..."
+            log_debug "[GOV] iter=$ITERATION hard_ceiling_exceeded=true elapsed=${iter_elapsed}s ceiling=${HARD_CEILING}s process=$worker_cmd action=log_only_no_kill"
           fi
-          log "  Worker timed out but still active ($worker_cmd). Extending poll... (${iter_elapsed}s/${HARD_CEILING}s)"
-          log_debug "[EXEC] iter=$ITERATION timeout_active=true process=$worker_cmd elapsed=${iter_elapsed}s ceiling=${HARD_CEILING}s"
-          log_debug "[EXEC] iter=$ITERATION poll_extended=true worker_cmd=$worker_cmd"
+          log "  Worker timed out but still active ($worker_cmd). Extending poll... (${iter_elapsed}s, no ceiling)${ceiling_exceeded}"
+          log_debug "[GOV] iter=$ITERATION timeout_active=true process=$worker_cmd elapsed=${iter_elapsed}s action=extend_indefinitely"
+          log_debug "[FLOW] iter=$ITERATION poll_extended=true worker_cmd=$worker_cmd"
           update_status "worker" "slow"
           # Loop continues — re-poll same iteration
         else
           # Worker is truly dead/stuck
           (( MONITOR_FAILURE_COUNT++ ))
-          log_debug "[EXEC] iter=$ITERATION monitor_failure=$MONITOR_FAILURE_COUNT/3"
+          log_debug "[GOV] iter=$ITERATION monitor_failure=$MONITOR_FAILURE_COUNT/3"
           if (( MONITOR_FAILURE_COUNT >= 3 )); then
-            log_debug "[EXEC] iter=$ITERATION circuit_breaker=monitor_failures detail=\"3 consecutive monitor failures\""
+            log_debug "[GOV] iter=$ITERATION circuit_breaker=monitor_failures detail=\"3 consecutive monitor failures\""
             write_blocked_sentinel "3 consecutive monitor failures (worker not active)"
             update_status "blocked" "monitor_failures"
             return 1
           fi
           log "  WARNING: Worker poll failed (monitor failure $MONITOR_FAILURE_COUNT/3)"
           update_status "worker" "poll_failed"
-          worker_poll_done=1  # exit poll loop, continue to next iteration
-          log_debug "[EXEC] iter=$ITERATION poll_worker_dead=true worker_cmd=$worker_cmd"
-          # Worker is truly dead/stuck — kill and replace pane (omc-teams pattern)
-          WORKER_PANE=$(replace_worker_pane "$WORKER_PANE" "worker")
+          log_debug "[FLOW] iter=$ITERATION poll_worker_dead=true worker_cmd=$worker_cmd"
+          # Worker is truly dead/stuck — BLOCK and let user decide
+          write_blocked_sentinel "Worker process dead/stuck (poll failed). Pane preserved for inspection."
+          update_status "blocked" "worker_dead"
+          return 1
         fi
       fi
     done
     if [[ ! -f "$SIGNAL_FILE" ]]; then
-      log_debug "[EXEC] iter=$ITERATION no_signal_after_poll=true continuing"
+      log_debug "[FLOW] iter=$ITERATION no_signal_after_poll=true continuing"
       # No signal — monitor failure, go to next iteration
       continue
     fi
@@ -1748,6 +2167,11 @@ main() {
     # Reset monitor failure count on success
     MONITOR_FAILURE_COUNT=0
+    # AC1: capture worker end timestamp; reset consensus timing
+    ITER_WORKER_END=$(date +%s)
+    ITER_VERIFIER_CLAUDE_DURATION_S=""
+    ITER_VERIFIER_CODEX_DURATION_S=""
     # --- governance.md s7 step 6: Read iter-signal.json via jq (JSON only, no markdown) ---
     local signal_status
     signal_status=$(jq -r '.status' "$SIGNAL_FILE" 2>/dev/null)
@@ -1759,7 +2183,7 @@ main() {
     # Read us_id early for EXEC logging (also used later in verify branch)
     local signal_us_id_early=""
     signal_us_id_early=$(jq -r '.us_id // empty' "$SIGNAL_FILE" 2>/dev/null)
-    log_debug "[EXEC] iter=$ITERATION phase=worker_signal status=$signal_status us_id=${signal_us_id_early:-none} summary=\"$signal_summary\""
+    log_debug "[FLOW] iter=$ITERATION phase=worker_signal status=$signal_status us_id=${signal_us_id_early:-none} summary=\"$signal_summary\""
     case "$signal_status" in
       continue)
@@ -1774,17 +2198,34 @@ main() {
         signal_us_id=$(jq -r '.us_id // empty' "$SIGNAL_FILE" 2>/dev/null)
         log "  Worker claims done (us_id=${signal_us_id:-all}). Dispatching Verifier..."
+        # AC1: capture verifier start timestamp
+        ITER_VERIFIER_START=$(date +%s)
         update_status "verifier" "running"
-        # --- Consensus scope check ---
-        local use_consensus=0
-        if [[ "$VERIFY_CONSENSUS" = "1" ]]; then
-          case "$CONSENSUS_SCOPE" in
-            all) use_consensus=1 ;;
-            final-only) [[ "$signal_us_id" == "ALL" ]] && use_consensus=1 ;;
-          esac
+        # --- Sequential final verify: per-US scoped checks instead of one big ALL verify ---
+        if [[ "$signal_us_id" == "ALL" && "$VERIFY_MODE" == "per-us" && -n "$US_LIST" ]]; then
+          log "  Final ALL verify: using sequential per-US strategy (timeout prevention)"
+          local seq_rc=0
+          run_sequential_final_verify "$ITERATION" || seq_rc=$?
+          if (( seq_rc == 0 )); then
+            write_complete_sentinel "Sequential final verify passed (all US verified individually)"
+            update_status "complete" "pass"
+            write_campaign_jsonl "$ITERATION" "ALL" "pass"
+            return 0
+          else
+            # Sequential verify failed — fall through to fix loop with failed US
+            log "  Sequential final verify failed at ${FAILED_US:-unknown}. Entering fix loop."
+            signal_us_id="${FAILED_US:-ALL}"
+            # Synthesize a fail verdict for the fix loop
+            echo "{\"verdict\":\"fail\",\"summary\":\"Sequential final verify failed at ${FAILED_US:-unknown}\",\"issues\":[{\"severity\":\"critical\",\"criterion\":\"${FAILED_US:-ALL}\",\"description\":\"Failed during sequential final verification\"}]}" | atomic_write "$VERDICT_FILE"
+          fi
         fi
+        # --- Consensus scope check (US-005: _should_use_consensus handles VERIFY_CONSENSUS + FINAL_CONSENSUS) ---
+        local use_consensus=0
+        _should_use_consensus "$signal_us_id" && use_consensus=1
         # --- Consensus vs single verification ---
         if (( use_consensus )); then
           # US-004: Run consensus verification (claude + codex sequentially)
@@ -1806,78 +2247,65 @@ main() {
           write_verifier_trigger "$ITERATION"
           local verifier_prompt="$LOGS_DIR/iter-$(printf '%03d' $ITERATION).verifier-prompt.md"
-          # Step 7a: Clean previous Verifier session if running
+          # Step 7a: Clean previous Verifier session (with dead pane detection)
           local verifier_cmd
           verifier_cmd=$(tmux display-message -p -t "$VERIFIER_PANE" '#{pane_current_command}' 2>/dev/null)
-          if [[ "$verifier_cmd" == "node" || "$verifier_cmd" == "claude" || "$verifier_cmd" == "codex" ]]; then
+          if [[ -z "$verifier_cmd" ]]; then
+            log "  Verifier pane $VERIFIER_PANE is gone — replacing..."
+            log_debug "[GOV] iter=$ITERATION pane_dead=true pane_id=$VERIFIER_PANE action=replace_pane"
+            replace_worker_pane "$VERIFIER_PANE" "verifier"
+            VERIFIER_PANE=$(jq -r '.panes.verifier' "$SESSION_CONFIG")
+            log "  New verifier pane: $VERIFIER_PANE"
+          elif [[ "$verifier_cmd" == "zsh" || "$verifier_cmd" == "bash" ]]; then
+            log "  Verifier pane $VERIFIER_PANE has bare shell ($verifier_cmd) — resetting..."
+            log_debug "[GOV] iter=$ITERATION pane_dead=true pane_id=$VERIFIER_PANE cmd=$verifier_cmd action=reset_shell"
+            tmux send-keys -t "$VERIFIER_PANE" C-c C-u 2>/dev/null
+            sleep 0.2
+            tmux send-keys -t "$VERIFIER_PANE" "clear" Enter 2>/dev/null
+            sleep 0.3
+          elif [[ "$verifier_cmd" == "node" || "$verifier_cmd" == "claude" || "$verifier_cmd" == "codex" ]]; then
             tmux send-keys -t "$VERIFIER_PANE" C-c 2>/dev/null
             sleep 0.5
             tmux send-keys -t "$VERIFIER_PANE" "/exit" Enter 2>/dev/null
             sleep 2
-            wait_for_pane_ready "$VERIFIER_PANE" 5 2>/dev/null || true
           fi
+          wait_for_pane_ready "$VERIFIER_PANE" 10 2>/dev/null || true
           local verifier_launch
           if [[ "$VERIFIER_ENGINE" = "codex" ]]; then
             verifier_launch="${CODEX_BIN:-codex} -m $VERIFIER_CODEX_MODEL -c model_reasoning_effort=\"$VERIFIER_CODEX_REASONING\" --dangerously-bypass-approvals-and-sandbox"
-            log "  Launching Verifier codex in pane $VERIFIER_PANE..."
           else
             verifier_launch="$CLAUDE_BIN --model $VERIFIER_MODEL --dangerously-skip-permissions"
-            log "  Launching Verifier claude in pane $VERIFIER_PANE..."
           fi
-          tmux send-keys -t "$VERIFIER_PANE" -l -- "$verifier_launch"
-          tmux send-keys -t "$VERIFIER_PANE" Enter
-          log_debug "[EXEC] iter=$ITERATION phase=verifier engine=$VERIFIER_ENGINE model=$VERIFIER_MODEL scope=${signal_us_id:-all} dispatched=true"
-          # Step 7b: Wait for TUI to be ready
-          if ! wait_for_pane_ready "$VERIFIER_PANE" 30; then
-            log_error "Verifier failed to start"
-            update_status "verifier" "start_failed"
-            continue
-          fi
-          # Step 7c: Send instruction
-          sleep 3
-          local verifier_instruction="Read and execute the instructions in $verifier_prompt"
-          tmux send-keys -t "$VERIFIER_PANE" -l -- "$verifier_instruction"
-          tmux send-keys -t "$VERIFIER_PANE" Enter
-          log_debug "Verifier instruction sent directly"
+          log_debug "[FLOW] iter=$ITERATION phase=verifier engine=$VERIFIER_ENGINE model=$VERIFIER_MODEL scope=${signal_us_id:-all} dispatched=true"
-          # Verify verifier actually started working
-          local vs_submit=0
-          while (( vs_submit < 15 )); do
-            sleep 2
-            local vs_check
-            vs_check=$(tmux capture-pane -t "$VERIFIER_PANE" -p 2>/dev/null)
-            if echo "$vs_check" | grep -qi "esc to interrupt\|thinking\|working\|kneading\|crunching\|clauding\|billowing\|brewing\|tinkering\|burrowing\|saut\|Exploring\|Running\|exec\|Explored" 2>/dev/null; then
-              log_debug "Verifier started working after $((vs_submit + 1)) checks"
-              break
-            fi
-            # After 8 failed attempts, try C-u clear + re-type (omc-teams adaptive retry)
-            if (( vs_submit == 8 )); then
-              log_debug "Adaptive instruction retry: clearing line and re-typing"
-              tmux send-keys -t "$VERIFIER_PANE" C-u 2>/dev/null
-              sleep 0.1
-              tmux send-keys -t "$VERIFIER_PANE" -l -- "$verifier_instruction"
-              tmux send-keys -t "$VERIFIER_PANE" Enter
+          if [[ "$VERIFIER_ENGINE" = "codex" ]]; then
+            launch_verifier_codex "$VERIFIER_PANE" "$verifier_prompt" "$ITERATION" "$verifier_launch"
+          else
+            if ! launch_verifier_claude "$VERIFIER_PANE" "$verifier_prompt" "$ITERATION" "$verifier_launch"; then
+              update_status "verifier" "start_failed"
+              continue
             fi
-            tmux send-keys -t "$VERIFIER_PANE" C-m 2>/dev/null
-            sleep 0.3
-            tmux send-keys -t "$VERIFIER_PANE" C-m 2>/dev/null
-            (( vs_submit++ ))
-          done
+          fi
           # Poll for verify-verdict.json
           log "  Polling for verify-verdict.json..."
           if ! poll_for_signal "$VERDICT_FILE" "$VERIFIER_HEARTBEAT" "$VERIFIER_PANE" "$verifier_launch" "Verifier"; then
+            local verifier_poll_rc=$?
+            if (( verifier_poll_rc == 2 )); then
+              return 1
+            fi
             log_error "Verifier poll failed"
-            update_status "verifier" "poll_failed"
-            # Verifier is dead/stuck — kill and replace pane (omc-teams pattern)
-            VERIFIER_PANE=$(replace_worker_pane "$VERIFIER_PANE" "verifier")
-            continue
+            # Verifier is dead/stuck — BLOCK and let user decide
+            write_blocked_sentinel "Verifier process dead/stuck (poll failed). Pane preserved for inspection."
+            update_status "blocked" "verifier_dead"
+            return 1
           fi
         fi
+        # AC1: capture verifier end timestamp
+        ITER_VERIFIER_END=$(date +%s)
         # --- governance.md s7 step 7: Read verdict via jq ---
         local verdict
         verdict=$(jq -r '.verdict' "$VERDICT_FILE" 2>/dev/null)
@@ -1889,12 +2317,24 @@ main() {
         log "  Verifier: verdict=$verdict recommended=$recommended"
         log "  Verifier summary: \"$verdict_summary\""
         local _issues_count=$(jq '.issues | length' "$VERDICT_FILE" 2>/dev/null || echo 0)
-        log_debug "[EXEC] iter=$ITERATION phase=verdict engine=$VERIFIER_ENGINE verdict=$verdict recommended=$recommended us_id=${signal_us_id:-all} issues=$_issues_count"
+        log_debug "[GOV] iter=$ITERATION phase=verdict engine=$VERIFIER_ENGINE verdict=$verdict recommended=$recommended us_id=${signal_us_id:-all} issues=$_issues_count"
         case "$verdict" in
           pass)
             CONSECUTIVE_FAILURES=0
             CONSENSUS_ROUND=0
+            _SAME_US_FAIL_COUNT=0
+            _LAST_FAILED_US=""
+            if (( _MODEL_UPGRADED )); then
+              log "  Worker model restored: ${WORKER_MODEL} → ${_ORIGINAL_WORKER_MODEL} (pass verdict)"
+              log_debug "[DECIDE] iter=$ITERATION phase=model_select model_restore=true from=${WORKER_MODEL} to=${_ORIGINAL_WORKER_MODEL}"
+              WORKER_MODEL="$_ORIGINAL_WORKER_MODEL"
+              if [[ "$WORKER_ENGINE" = "codex" ]]; then
+                WORKER_CODEX_MODEL="$WORKER_MODEL"
+                WORKER_CODEX_REASONING="$_ORIGINAL_WORKER_CODEX_REASONING"
+              fi
+              _MODEL_UPGRADED=0
+            fi
             # --- Per-US tracking ---
             if [[ "$VERIFY_MODE" = "per-us" && -n "$signal_us_id" && "$signal_us_id" != "ALL" ]]; then
@@ -1905,13 +2345,14 @@ main() {
                 VERIFIED_US="$signal_us_id"
               fi
               log "  US $signal_us_id verified. Verified so far: $VERIFIED_US"
-              log_debug "[EXEC] iter=$ITERATION verified_us_update=$signal_us_id verified_us_total=$VERIFIED_US"
+              log_debug "[FLOW] iter=$ITERATION verified_us_update=$signal_us_id verified_us_total=$VERIFIED_US"
               update_status "verifier" "pass_us"
               # Worker will do next US on next iteration
             elif [[ "$recommended" == "complete" || "$signal_us_id" == "ALL" ]]; then
               # Final full verify passed or complete recommended
               write_complete_sentinel "$verdict_summary"
               update_status "complete" "pass"
+              write_campaign_jsonl "$ITERATION" "${signal_us_id:-ALL}" "pass"
               return 0
             else
               log "  Verifier passed but did not recommend complete. Continuing."
@@ -1921,6 +2362,7 @@ main() {
           fail)
             # --- governance.md s7½: Fix Loop (adapted for tmux lean mode) ---
             (( CONSECUTIVE_FAILURES++ ))
+            check_model_upgrade "${signal_us_id:-unknown}"
             local verdict_summary_fail
             verdict_summary_fail=$(jq -r '.summary // "no summary"' "$VERDICT_FILE" 2>/dev/null)
             log "  Verifier FAILED (consecutive: $CONSECUTIVE_FAILURES). Building fix contract..."
@@ -1940,13 +2382,21 @@ main() {
               jq -r '.next_iteration_contract // "Fix the issues listed above."' "$VERDICT_FILE" 2>/dev/null
             } | atomic_write "$fix_contract"
             log "  Fix contract: $fix_contract"
-            log_debug "[EXEC] iter=$ITERATION phase=fix_loop trigger=$verdict consecutive_failures=$CONSECUTIVE_FAILURES fix_contract=$fix_contract"
-            # Circuit breaker: consecutive failures
-            if (( CONSECUTIVE_FAILURES >= 3 )); then
-              log_debug "[EXEC] iter=$ITERATION circuit_breaker=consecutive_failures detail=\"3 consecutive verification failures\""
-              log_error "Circuit breaker: 3 consecutive verification failures"
-              write_blocked_sentinel "3 consecutive verification failures"
+            log_debug "[DECIDE] iter=$ITERATION phase=fix_loop trigger=$verdict consecutive_failures=$CONSECUTIVE_FAILURES fix_contract=$fix_contract"
+            # Circuit breaker: consecutive failures (with architecture escalation when at model ceiling)
+            if (( CONSECUTIVE_FAILURES >= EFFECTIVE_CB_THRESHOLD )); then
+              # For codex: use full model:reasoning string (WORKER_MODEL loses reasoning suffix after upgrade)
+              _ceiling_model_str="$([[ "$WORKER_ENGINE" = "codex" ]] && echo "${WORKER_CODEX_MODEL}:${WORKER_CODEX_REASONING}" || echo "$WORKER_MODEL")"
+              if (( _MODEL_UPGRADED )) && [[ -z "$(get_next_model "$_ceiling_model_str")" ]]; then
+                log_debug "[GOV] iter=$ITERATION circuit_breaker=consecutive_failures detail=\"architecture escalation: Worker at ceiling (${WORKER_MODEL}), ${EFFECTIVE_CB_THRESHOLD} consecutive failures\""
+                log_error "Circuit breaker: architecture escalation — Worker upgraded to ceiling (${WORKER_MODEL}), ${EFFECTIVE_CB_THRESHOLD} consecutive failures"
+                write_blocked_sentinel "architecture escalation: Worker upgraded to ceiling model (${WORKER_MODEL}), ${EFFECTIVE_CB_THRESHOLD} consecutive verification failures"
+              else
+                log_debug "[GOV] iter=$ITERATION circuit_breaker=consecutive_failures detail=\"${EFFECTIVE_CB_THRESHOLD} consecutive verification failures\""
+                log_error "Circuit breaker: ${EFFECTIVE_CB_THRESHOLD} consecutive verification failures"
+                write_blocked_sentinel "${EFFECTIVE_CB_THRESHOLD} consecutive verification failures"
+              fi
               update_status "blocked" "consecutive_failures"
               return 1
             fi
@@ -1985,12 +2435,19 @@ main() {
         ;;
     esac
+    # --- step 7d: Archive iteration artifacts before cleanup ---
+    archive_iter_artifacts "$ITERATION"
+    # --- AC5: Write per-iteration cost estimate ---
+    write_cost_log "$ITERATION"
+    write_campaign_jsonl "$ITERATION" "${signal_us_id:-unknown}" "${signal_status:-unknown}"
     # --- governance.md s7 step 8: Write result log ---
     write_result_log "$ITERATION" "$signal_status"
     # --- governance.md s7 step 8: Circuit breaker - stale context check ---
     if ! check_stale_context; then
-      log_debug "[EXEC] iter=$ITERATION circuit_breaker=stale_context detail=\"context unchanged for 3 consecutive iterations\""
+      log_debug "[GOV] iter=$ITERATION circuit_breaker=stale_context detail=\"context unchanged for 3 consecutive iterations\""
       write_blocked_sentinel "Context unchanged for 3 consecutive iterations (stale)"
       update_status "blocked" "stale_context"
       return 1
@@ -2010,6 +2467,45 @@ main() {
 # Entry Point
 # =============================================================================
+# --- CLI: parse --worker-model / --verifier-model flags ---
+# These flags override env-var defaults (WORKER_ENGINE, WORKER_MODEL, etc.)
+# Format: "model:reasoning" → codex engine; "model-name" → claude engine
+_cli_i=1
+while (( _cli_i <= $# )); do
+  case "${@[$_cli_i]}" in
+    --worker-model)
+      (( _cli_i++ ))
+      _cli_parsed=$(parse_model_flag "${@[$_cli_i]:-}" "worker") || exit 1
+      WORKER_ENGINE="${_cli_parsed%% *}"
+      _cli_rest="${_cli_parsed#* }"
+      WORKER_MODEL="${_cli_rest%% *}"
+      if [[ "$WORKER_ENGINE" = "codex" ]]; then
+        WORKER_CODEX_MODEL="$WORKER_MODEL"
+        WORKER_CODEX_REASONING="${_cli_rest##* }"
+      fi
+      ;;
+    --verifier-model)
+      (( _cli_i++ ))
+      _cli_parsed=$(parse_model_flag "${@[$_cli_i]:-}" "verifier") || exit 1
+      VERIFIER_ENGINE="${_cli_parsed%% *}"
+      _cli_rest="${_cli_parsed#* }"
+      VERIFIER_MODEL="${_cli_rest%% *}"
+      if [[ "$VERIFIER_ENGINE" = "codex" ]]; then
+        VERIFIER_CODEX_MODEL="$VERIFIER_MODEL"
+        VERIFIER_CODEX_REASONING="${_cli_rest##* }"
+      fi
+      ;;
+    --lock-worker-model)
+      LOCK_WORKER_MODEL=1
+      ;;
+    --final-consensus)
+      FINAL_CONSENSUS=1
+      ;;
+  esac
+  (( _cli_i++ ))
+done
+unset _cli_i _cli_parsed _cli_rest
 # Require tmux — tmux mode only works inside an active tmux session
 if [[ -z "${TMUX:-}" ]]; then
   echo "ERROR: tmux mode requires running inside a tmux session."