@ai-dev-methodologies/rlp-desk 0.4.0 → 0.5.1

package/src/scripts/run_ralph_desk.zsh

@@ -69,14 +69,18 @@ CODEX_BIN=""  # resolved by check_dependencies when engine=codex
 # --- Verify Mode ---
 VERIFY_MODE="${VERIFY_MODE:-per-us}"        # per-us|batch
 VERIFY_CONSENSUS="${VERIFY_CONSENSUS:-0}"   # 0|1
+FINAL_CONSENSUS="${FINAL_CONSENSUS:-0}"     # 0|1 — consensus for final ALL verify only (independent of VERIFY_CONSENSUS)
 CONSENSUS_SCOPE="${CONSENSUS_SCOPE:-all}"   # all|final-only
-CB_THRESHOLD="${CB_THRESHOLD:-3}"           # consecutive failures before BLOCKED (default: 3)
+CONSENSUS_FAIL_FAST="${CONSENSUS_FAIL_FAST:-0}" # 0|1 — skip second verifier if first fails
+CB_THRESHOLD="${CB_THRESHOLD:-6}"           # consecutive failures before BLOCKED (default: 6)
 # Effective CB threshold: doubled when consensus mode active (AC2 auto-double)
 if [[ "${VERIFY_CONSENSUS:-0}" = "1" ]]; then
   EFFECTIVE_CB_THRESHOLD=$(( CB_THRESHOLD * 2 ))
 else
   EFFECTIVE_CB_THRESHOLD=$CB_THRESHOLD
 fi
+_API_MAX_RETRIES="${_API_MAX_RETRIES:-5}"
+_API_RETRY_INTERVAL_S="${_API_RETRY_INTERVAL_S:-30}"
 
 # --- Derived Paths ---
 DESK="$ROOT/.claude/ralph-desk"
@@ -84,6 +88,14 @@ PROMPTS_DIR="$DESK/prompts"
 CONTEXT_DIR="$DESK/context"
 MEMOS_DIR="$DESK/memos"
 LOGS_DIR="$DESK/logs/$SLUG"
+RUNTIME_DIR="$LOGS_DIR/runtime"
+PRD_FILE="$DESK/plans/prd-$SLUG.md"
+TEST_SPEC_FILE="$DESK/plans/test-spec-$SLUG.md"
+# --- Analytics Directory (user-level, cross-project) ---
+ANALYTICS_SLUG_HASH=$(echo -n "$ROOT" | md5 -q 2>/dev/null || md5sum <<< "$ROOT" | cut -d' ' -f1)
+ANALYTICS_DIR="$HOME/.claude/ralph-desk/analytics/${SLUG}--${ANALYTICS_SLUG_HASH:0:8}"
+CAMPAIGN_JSONL="$ANALYTICS_DIR/campaign.jsonl"
+METADATA_FILE="$ANALYTICS_DIR/metadata.json"
 WORKER_PROMPT_BASE="$PROMPTS_DIR/${SLUG}.worker.prompt.md"
 VERIFIER_PROMPT_BASE="$PROMPTS_DIR/${SLUG}.verifier.prompt.md"
 CONTEXT_FILE="$CONTEXT_DIR/${SLUG}-latest.md"
@@ -93,10 +105,11 @@ DONE_CLAIM_FILE="$MEMOS_DIR/${SLUG}-done-claim.json"
 VERDICT_FILE="$MEMOS_DIR/${SLUG}-verify-verdict.json"
 COMPLETE_SENTINEL="$MEMOS_DIR/${SLUG}-complete.md"
 BLOCKED_SENTINEL="$MEMOS_DIR/${SLUG}-blocked.md"
-STATUS_FILE="$LOGS_DIR/status.json"
-SESSION_CONFIG="$LOGS_DIR/session-config.json"
-WORKER_HEARTBEAT="$LOGS_DIR/worker-heartbeat.json"
-VERIFIER_HEARTBEAT="$LOGS_DIR/verifier-heartbeat.json"
+LOCKFILE_PATH="$DESK/logs/.rlp-desk-${SLUG}.lock"
+STATUS_FILE="$RUNTIME_DIR/status.json"
+SESSION_CONFIG="$RUNTIME_DIR/session-config.json"
+WORKER_HEARTBEAT="$RUNTIME_DIR/worker-heartbeat.json"
+VERIFIER_HEARTBEAT="$RUNTIME_DIR/verifier-heartbeat.json"
 COST_LOG="$LOGS_DIR/cost-log.jsonl"
 
 # --- Session Naming ---
@@ -112,43 +125,265 @@ HEARTBEAT_STALE_COUNT=0
 MONITOR_FAILURE_COUNT=0
 CONSECUTIVE_FAILURES=0
 PREV_CONTEXT_HASH=""
+PREV_PRD_HASH=""
+PREV_PRD_US_LIST=""
+_PRD_CHANGED=0
 ITERATION=0
 START_TIME=$(date +%s)
 BASELINE_COMMIT=""       # git HEAD at campaign start (captured before loop)
 CAMPAIGN_REPORT_GENERATED=0  # guard against double-generation in cleanup trap
+SV_REPORT_GENERATED=0       # guard against double-generation in generate_sv_report
 VERIFIED_US=""           # comma-separated list of verified US IDs (per-us mode)
 CONSENSUS_ROUND=0        # current consensus round for current US
 US_LIST=""               # comma-separated US IDs from PRD (per-us mode)
+LOCKFILE_ACQUIRED=0
+LOCK_WORKER_MODEL="${LOCK_WORKER_MODEL:-0}"  # 0|1 — set by --lock-worker-model; disables progressive upgrade
+_SAME_US_FAIL_COUNT=0         # consecutive same-US fail counter (upgrade trigger at >= 2)
+_LAST_FAILED_US=""            # last failed US ID (same-US tracking for upgrade logic)
+_MODEL_UPGRADED=0             # 1 if Worker model was auto-upgraded during campaign
+_ORIGINAL_WORKER_MODEL=""     # WORKER_MODEL saved before first upgrade (for restore on pass)
+_ORIGINAL_WORKER_CODEX_REASONING=""  # WORKER_CODEX_REASONING saved before first upgrade
 
 # =============================================================================
 # Utility Functions
 # =============================================================================
 
 DEBUG="${DEBUG:-0}"
-DEBUG_LOG="$ROOT/.claude/ralph-desk/logs/${LOOP_NAME:-unknown}/debug.log"
+DEBUG_LOG="$ANALYTICS_DIR/debug.log"
 
-log() {
-  echo "[$(date '+%Y-%m-%d %H:%M:%S')] $*"
+# Source shared business logic
+LIB_DIR="$(cd "$(dirname "$0")" && pwd)"
+source "$LIB_DIR/lib_ralph_desk.zsh"
+
+# A16: Warn if running in foreground (may conflict with Claude Code pane)
+if [[ -z "${RLP_BACKGROUND:-}" ]]; then
+  echo "⚠ WARNING: Running in foreground. This may conflict with Claude Code's pane." >&2
+  echo "  Recommended: launch via Bash tool with run_in_background: true" >&2
+  echo "  Set RLP_BACKGROUND=1 to suppress this warning." >&2
+fi
+
+# check_dead_pane() — determine if pane command indicates a dead/exited process
+# Engine-aware: bash is normal for codex workers (trigger runs in bash),
+# but indicates dead pane for claude workers.
+# Args: $1=pane_current_command  $2=engine (claude|codex)  $3=role (worker|verifier)
+# Returns: 0 if dead, 1 if alive
+check_dead_pane() {
+  local poll_cmd="$1"
+  local engine="${2:-claude}"
+  local role="${3:-worker}"
+
+  if [[ -z "$poll_cmd" ]]; then
+    return 0  # empty = dead
+  elif [[ "$poll_cmd" == "zsh" ]]; then
+    return 0  # bare zsh = dead
+  elif [[ "$poll_cmd" == "bash" && "$engine" != "codex" ]]; then
+    return 0  # bash = dead for claude (codex uses bash trigger)
+  fi
+  return 1  # alive
 }
 
-log_debug() {
-  if (( DEBUG )); then
-    mkdir -p "$(dirname "$DEBUG_LOG")" 2>/dev/null
-    echo "[$(date '+%Y-%m-%d %H:%M:%S')] DEBUG: $*" >> "$DEBUG_LOG"
+# launch_worker_codex() — launch codex Worker via trigger script (non-interactive exec)
+# Args: $1=pane_id  $2=trigger_file  $3=iteration
+# Returns: 0 always (codex failures detected by poll_for_signal)
+launch_worker_codex() {
+  local pane_id="$1"
+  local trigger_file="$2"
+  local iter="$3"
+
+  log "  Launching Worker codex via trigger script in pane $pane_id..."
+  paste_to_pane "$pane_id" "bash $trigger_file"
+  tmux send-keys -t "$pane_id" C-m
+  log_debug "Worker codex trigger sent: $trigger_file"
+  sleep 3  # brief wait for codex to start
+  return 0
+}
+
+# launch_worker_claude() — launch claude Worker TUI, send instruction, verify submission
+# Handles: TUI startup, wait_for_pane_ready, instruction send, 15-iteration submit loop,
+#          restart recovery on submit failure.
+# Args: $1=pane_id  $2=prompt_file  $3=iteration  $4=worker_launch_cmd
+# Returns: 0 on success, 1 on fatal failure (caller writes BLOCKED)
+launch_worker_claude() {
+  local pane_id="$1"
+  local prompt_file="$2"
+  local iter="$3"
+  local worker_launch="$4"
+
+  log "  Launching Worker claude in pane $pane_id..."
+  paste_to_pane "$pane_id" "$worker_launch"
+  tmux send-keys -t "$pane_id" C-m
+
+  # Wait for claude TUI to be ready
+  if ! wait_for_pane_ready "$pane_id" 30; then
+    log_error "Worker claude failed to start"
+    return 1
+  fi
+
+  # Send instruction to claude TUI
+  sleep 3
+  local worker_instruction="Read and execute the instructions in $prompt_file"
+  paste_to_pane "$pane_id" "$worker_instruction"
+  tmux send-keys -t "$pane_id" C-m
+  log_debug "Worker instruction sent directly (${#worker_instruction} chars)"
+
+  # 15-iteration submit loop — verify claude started working
+  local submit_attempts=0
+  while (( submit_attempts < 15 )); do
+    sleep 2
+    local pane_check
+    pane_check=$(tmux capture-pane -t "$pane_id" -p 2>/dev/null)
+    if echo "$pane_check" | grep -qi "esc to interrupt\|thinking\|working\|kneading\|crunching\|clauding\|billowing\|brewing\|tinkering\|burrowing\|saut\|Exploring\|Running\|exec\|Explored\|Prestidigitating\|Undulating\|Reading\|Bash\|Edit\|Write\|Grep\|Glob" 2>/dev/null; then
+      log_debug "Worker started working after $((submit_attempts + 1)) submit checks"
+      log_debug "[FLOW] iter=$iter worker_submit_check=OK attempts=$((submit_attempts + 1))"
+      break
+    fi
+    # Every 3 failed attempts, re-send full instruction
+    if (( submit_attempts > 0 && submit_attempts % 3 == 0 )); then
+      log_debug "Re-sending full worker instruction (attempt $submit_attempts)"
+      tmux send-keys -t "$pane_id" C-u 2>/dev/null
+      sleep 0.2
+      paste_to_pane "$pane_id" "$worker_instruction"
+      sleep 0.15
+      tmux send-keys -t "$pane_id" C-m
+      sleep 1
+    fi
+    tmux send-keys -t "$pane_id" C-m 2>/dev/null
+    sleep 0.3
+    tmux send-keys -t "$pane_id" C-m 2>/dev/null
+    (( submit_attempts++ ))
+  done
+
+  # If 15 attempts failed, restart claude and retry
+  if (( submit_attempts >= 15 )); then
+    log "  WARNING: Worker instruction not consumed after 15 attempts — restarting claude"
+    log_debug "[GOV] iter=$iter worker_instruction_failed=true attempts=15 action=restart_claude"
+    tmux send-keys -t "$pane_id" C-c 2>/dev/null
+    sleep 0.5
+    tmux send-keys -t "$pane_id" "/exit" C-m 2>/dev/null
+    sleep 2
+    wait_for_pane_ready "$pane_id" 10 2>/dev/null || true
+    paste_to_pane "$pane_id" "$worker_launch"
+    tmux send-keys -t "$pane_id" C-m
+    if wait_for_pane_ready "$pane_id" 30; then
+      sleep 3
+      paste_to_pane "$pane_id" "$worker_instruction"
+      tmux send-keys -t "$pane_id" C-m
+      log "  Worker restarted and instruction re-sent"
+      log_debug "[FLOW] iter=$iter worker_restart_recovery=success"
+    else
+      log_error "Worker restart failed — pane not ready"
+      log_debug "[FLOW] iter=$iter worker_restart_recovery=failed"
+    fi
   fi
+
+  return 0
 }
 
-log_error() {
-  echo "[$(date '+%Y-%m-%d %H:%M:%S')] ERROR: $*" >&2
+# launch_verifier_codex() — launch codex Verifier in pane (non-interactive)
+# Args: $1=pane_id  $2=prompt_file  $3=iteration  $4=launch_cmd
+# Returns: 0 always
+launch_verifier_codex() {
+  local pane_id="$1"
+  local prompt_file="$2"
+  local iter="$3"
+  local verifier_launch="$4"
+
+  log "  Launching Verifier codex in pane $pane_id..."
+  paste_to_pane "$pane_id" "$verifier_launch"
+  tmux send-keys -t "$pane_id" C-m
+  sleep 3
+  return 0
 }
 
-# --- governance.md s7: Atomic file writes (tmux pattern) ---
-# All file writes by the Leader use tmp+mv to prevent corruption.
-atomic_write() {
-  local target="$1"
-  local tmp="${target}.tmp.$$"
-  cat > "$tmp"
-  mv "$tmp" "$target"
+# launch_verifier_claude() — launch claude Verifier TUI, send instruction, verify submission
+# Args: $1=pane_id  $2=prompt_file  $3=iteration  $4=launch_cmd
+# Returns: 0 on success
+launch_verifier_claude() {
+  local pane_id="$1"
+  local prompt_file="$2"
+  local iter="$3"
+  local verifier_launch="$4"
+
+  log "  Launching Verifier claude in pane $pane_id..."
+  paste_to_pane "$pane_id" "$verifier_launch"
+  tmux send-keys -t "$pane_id" C-m
+
+  if ! wait_for_pane_ready "$pane_id" 30; then
+    log_error "Verifier failed to start"
+    return 1
+  fi
+
+  sleep 3
+  local verifier_instruction="Read and execute the instructions in $prompt_file"
+  paste_to_pane "$pane_id" "$verifier_instruction"
+  tmux send-keys -t "$pane_id" C-m
+  log_debug "Verifier instruction sent directly"
+
+  # Submit loop — verify verifier started working
+  local submit_attempts=0
+  while (( submit_attempts < 15 )); do
+    sleep 2
+    local vs_check
+    vs_check=$(tmux capture-pane -t "$pane_id" -p 2>/dev/null)
+    if echo "$vs_check" | grep -qi "esc to interrupt\|thinking\|working\|kneading\|crunching\|clauding\|billowing\|brewing\|tinkering\|burrowing\|saut\|Exploring\|Running\|exec\|Explored" 2>/dev/null; then
+      log_debug "Verifier started working after $((submit_attempts + 1)) checks"
+      break
+    fi
+    if (( submit_attempts == 8 )); then
+      log_debug "Adaptive instruction retry: clearing line and re-typing"
+      tmux send-keys -t "$pane_id" C-u 2>/dev/null
+      sleep 0.1
+      paste_to_pane "$pane_id" "$verifier_instruction"
+      tmux send-keys -t "$pane_id" C-m
+    fi
+    tmux send-keys -t "$pane_id" C-m 2>/dev/null
+    sleep 0.3
+    tmux send-keys -t "$pane_id" C-m 2>/dev/null
+    (( submit_attempts++ ))
+  done
+  return 0
+}
+
+# handle_worker_exit_codex() — handle codex worker process exit (1-shot exec)
+# On exit: check done-claim, auto-generate iter-signal.
+# Args: $1=iteration  $2=signal_file
+# Returns: 0 (signal generated), 1 (error)
+handle_worker_exit_codex() {
+  local iter="$1"
+  local signal_file="$2"
+
+  log "  Codex worker process exited. Checking for done-claim..."
+  if [[ -f "$DONE_CLAIM_FILE" ]]; then
+    local dc_us_id
+    dc_us_id=$(jq -r '.us_id // "unknown"' "$DONE_CLAIM_FILE" 2>/dev/null)
+    log "  Codex worker completed with done-claim (us_id=$dc_us_id). Auto-generating signal."
+    echo '{"iteration":'"$iter"',"status":"verify","us_id":"'"$dc_us_id"'","summary":"auto-generated after codex exec exit","timestamp":"'"$(date -u +%Y-%m-%dT%H:%M:%SZ)"'"}' > "$signal_file"
+  else
+    log "  WARNING: Codex worker exited without done-claim. Generating verify signal for current US."
+    local current_us
+    current_us=$(jq -r '.us_id // "US-001"' "$DESK/memos/${SLUG}-iter-signal.json" 2>/dev/null || echo "US-001")
+    local mem_us
+    mem_us=$(sed -n 's/.*Next.*US-\([0-9]*\).*/US-\1/p' "$DESK/memos/${SLUG}-memory.md" 2>/dev/null | head -1)
+    [[ -n "$mem_us" ]] && current_us="$mem_us"
+    echo '{"iteration":'"$iter"',"status":"verify","us_id":"'"$current_us"'","summary":"auto-generated after codex exec exit (no done-claim)","timestamp":"'"$(date -u +%Y-%m-%dT%H:%M:%SZ)"'"}' > "$signal_file"
+  fi
+  return 0
+}
+
+# handle_worker_exit_claude() — handle claude worker process exit (restart with backoff)
+# Args: $1=pane_id  $2=iteration  $3=trigger_file
+# Returns: 0 (restarted), 1 (max restarts exceeded)
+handle_worker_exit_claude() {
+  local pane_id="$1"
+  local iter="$2"
+  local trigger_file="$3"
+
+  log_error "Worker exited without writing signal file"
+  if restart_worker "$pane_id" "$iter" "$trigger_file"; then
+    return 0
+  else
+    return 1
+  fi
 }
 
 # --- omc-teams pattern: Kill-and-replace dead/stuck worker panes ---
@@ -205,9 +440,13 @@ check_dependencies() {
     missing=1
   fi
 
-  if ! command -v claude >/dev/null 2>&1; then
-    log_error "claude CLI is required but not found. See: https://docs.anthropic.com/en/docs/claude-cli"
-    missing=1
+  # claude required only when claude engine is used for Worker or Verifier execution;
+  # codex-only campaigns can run without claude — generate_sv_report degrades gracefully
+  if [[ "$WORKER_ENGINE" != "codex" || "$VERIFIER_ENGINE" != "codex" ]]; then
+    if ! command -v claude >/dev/null 2>&1; then
+      log_error "claude CLI is required but not found. See: https://docs.anthropic.com/en/docs/claude-cli"
+      missing=1
+    fi
   fi
 
   if ! command -v jq >/dev/null 2>&1; then
@@ -216,14 +455,9 @@ check_dependencies() {
   fi
 
   # Codex binary required only when engine=codex or consensus verification is enabled
-  if [[ "$WORKER_ENGINE" = "codex" || "$VERIFIER_ENGINE" = "codex" || "$VERIFY_CONSENSUS" = "1" ]]; then
+  if [[ "$WORKER_ENGINE" = "codex" || "$VERIFIER_ENGINE" = "codex" || "$VERIFY_CONSENSUS" = "1" || "$FINAL_CONSENSUS" = "1" ]]; then
     if ! command -v codex >/dev/null 2>&1; then
-      if [[ "$VERIFY_CONSENSUS" = "1" ]]; then
-        log_error "codex CLI is required for consensus verification (VERIFY_CONSENSUS=1)."
-      else
-        log_error "codex CLI is required when WORKER_ENGINE or VERIFIER_ENGINE is 'codex'."
-      fi
-      log_error "Install with: npm install -g @openai/codex"
+      log_error "codex CLI not found. Install: npm install -g @openai/codex"
       missing=1
     fi
   fi
@@ -232,52 +466,19 @@ check_dependencies() {
     exit 1
   fi
 
-  # Resolve full path to claude binary for reliable launches
-  CLAUDE_BIN=$(command -v claude 2>/dev/null || echo "claude")
-  log "  Claude binary: $CLAUDE_BIN"
+  # Resolve full path to claude binary when claude engine is in use
+  if [[ "$WORKER_ENGINE" != "codex" || "$VERIFIER_ENGINE" != "codex" ]]; then
+    CLAUDE_BIN=$(command -v claude 2>/dev/null || echo "claude")
+    log "  Claude binary: $CLAUDE_BIN"
+  fi
 
   # Resolve codex binary if needed
-  if [[ "$WORKER_ENGINE" = "codex" || "$VERIFIER_ENGINE" = "codex" || "$VERIFY_CONSENSUS" = "1" ]]; then
+  if [[ "$WORKER_ENGINE" = "codex" || "$VERIFIER_ENGINE" = "codex" || "$VERIFY_CONSENSUS" = "1" || "$FINAL_CONSENSUS" = "1" ]]; then
     CODEX_BIN=$(command -v codex 2>/dev/null || echo "codex")
     log "  Codex binary:  $CODEX_BIN"
   fi
 }
 
-# =============================================================================
-# Scaffold Validation
-# =============================================================================
-
-validate_scaffold() {
-  local errors=0
-
-  if [[ ! -f "$WORKER_PROMPT_BASE" ]]; then
-    log_error "Worker prompt not found: $WORKER_PROMPT_BASE"
-    errors=1
-  fi
-
-  if [[ ! -f "$VERIFIER_PROMPT_BASE" ]]; then
-    log_error "Verifier prompt not found: $VERIFIER_PROMPT_BASE"
-    errors=1
-  fi
-
-  if [[ ! -f "$CONTEXT_FILE" ]]; then
-    log_error "Context file not found: $CONTEXT_FILE"
-    errors=1
-  fi
-
-  if [[ ! -f "$MEMORY_FILE" ]]; then
-    log_error "Memory file not found: $MEMORY_FILE"
-    errors=1
-  fi
-
-  if (( errors )); then
-    log_error "Scaffold validation failed. Run init_ralph_desk.zsh first."
-    exit 1
-  fi
-
-  mkdir -p "$LOGS_DIR"
-}
-
 # =============================================================================
 # Session Management (tmux pattern: pane IDs)
 # =============================================================================
@@ -423,6 +624,17 @@ check_copy_mode() {
 # Verification-Based Send Retry (tmux pattern)
 # =============================================================================
 
+# --- Reliable text paste via tmux buffer (avoids send-keys -l char-by-char issues) ---
+paste_to_pane() {
+  local pane_id="$1"
+  local text="$2"
+  local tmpbuf="/tmp/.rlp-desk-paste-$$.tmp"
+  echo -n "$text" > "$tmpbuf"
+  tmux load-buffer -b rlp-paste "$tmpbuf" 2>/dev/null
+  tmux paste-buffer -b rlp-paste -d -t "$pane_id" 2>/dev/null
+  rm -f "$tmpbuf"
+}
+
 # --- governance.md s7 step 5: Send with copy-mode guard and retry ---
 safe_send_keys() {
   local pane_id="$1"
@@ -451,18 +663,18 @@ safe_send_keys() {
   # Auto-approve permission prompts ("Do you want to create/overwrite X?")
   if echo "$initial_capture" | grep -q "Do you want to" 2>/dev/null; then
     log_debug " Permission prompt detected, auto-approving"
-    tmux send-keys -t "$pane_id" Enter
+    tmux send-keys -t "$pane_id" C-m
     sleep 0.3
   fi
   # Auto-dismiss codex update prompt (select Skip)
   if echo "$initial_capture" | grep -qi "new version\|update.*codex\|codex.*update" 2>/dev/null; then
     log_debug " Codex update prompt detected, selecting Skip"
-    tmux send-keys -t "$pane_id" "2" Enter
+    tmux send-keys -t "$pane_id" "2" C-m
     sleep 0.2
   fi
-  # Send text in literal mode with -- separator
-  log_debug " Sending text to pane $pane_id (${#text} chars)"
-  tmux send-keys -t "$pane_id" -l -- "$text"
+  # Send text via buffer paste (reliable for long strings)
+  log_debug " Pasting text to pane $pane_id (${#text} chars)"
+  paste_to_pane "$pane_id" "$text"
 
   # Allow input buffer to settle (tmux: 150ms)
   sleep 0.15
@@ -472,9 +684,7 @@ safe_send_keys() {
   while (( round < 6 )); do
     sleep 0.1
     if (( round == 0 && pane_busy )); then
-      # Busy pane: Tab+C-m queue semantics (tmux pattern)
-      tmux send-keys -t "$pane_id" Tab
-      sleep 0.08
+      # Busy pane: just C-m (DO NOT send Tab — it toggles Claude Code permission mode)
       tmux send-keys -t "$pane_id" C-m
     else
       tmux send-keys -t "$pane_id" C-m
@@ -507,7 +717,7 @@ safe_send_keys() {
   if ! check_copy_mode "$pane_id"; then
     return 1
   fi
-  tmux send-keys -t "$pane_id" -l -- "$text"
+  paste_to_pane "$pane_id" "$text"
   sleep 0.12
   local retry_round=0
   while (( retry_round < 4 )); do
@@ -551,9 +761,9 @@ wait_for_pane_ready() {
     # Auto-dismiss trust prompt (tmux pattern: paneHasTrustPrompt)
     if echo "$captured" | grep -q "Do you trust" 2>/dev/null; then
       log "  Trust prompt detected, auto-dismissing..."
-      tmux send-keys -t "$pane_id" Enter
+      tmux send-keys -t "$pane_id" C-m
       sleep 0.12
-      tmux send-keys -t "$pane_id" Enter
+      tmux send-keys -t "$pane_id" C-m
       sleep 2
       continue
     fi
@@ -561,7 +771,7 @@ wait_for_pane_ready() {
     # Auto-approve permission prompts ("Do you want to create/overwrite X?")
     if echo "$captured" | grep -q "Do you want to" 2>/dev/null; then
       log "  Permission prompt detected, auto-approving..."
-      tmux send-keys -t "$pane_id" Enter
+      tmux send-keys -t "$pane_id" C-m
       sleep 0.5
       continue
     fi
@@ -569,7 +779,7 @@ wait_for_pane_ready() {
     # Auto-dismiss codex update prompt (select Skip = option 2)
     if echo "$captured" | grep -qi "new version\|update.*codex\|codex.*update" 2>/dev/null; then
       log "  Codex update prompt detected, selecting Skip..."
-      tmux send-keys -t "$pane_id" "2" Enter
+      tmux send-keys -t "$pane_id" "2" C-m
       sleep 0.5
       continue
     fi
@@ -655,12 +865,19 @@ check_and_nudge_idle_pane() {
     local now
     now=$(date +%s)
     if (( now - idle_since > IDLE_NUDGE_THRESHOLD )); then
-      local count=${(P)nudge_count_var}
-      if (( count < MAX_NUDGES )); then
-        log "  Nudging idle pane $pane_id (nudge $((count + 1))/$MAX_NUDGES)"
-        safe_send_keys "$pane_id" ""
-        (( count++ ))
-        eval "$nudge_count_var=$count"
+      # A12 fix: NEVER nudge if pane is busy (thinking/working) — nudge interrupts claude
+      local _nudge_capture
+      _nudge_capture=$(tmux capture-pane -t "$pane_id" -p -S -5 2>/dev/null)
+      if echo "$_nudge_capture" | grep -qi "esc to interrupt\|thinking\|working\|kneading\|crunching\|clauding\|billowing\|brewing\|tinkering\|burrowing\|saut\|razzle\|bunning\|zesting\|fermenting\|actualizing\|composing\|evaporating\|churning" 2>/dev/null; then
+        log_debug "  Pane $pane_id appears busy (thinking/working), skipping nudge"
+      else
+        local count=${(P)nudge_count_var}
+        if (( count < MAX_NUDGES )); then
+          log "  Nudging idle pane $pane_id (nudge $((count + 1))/$MAX_NUDGES)"
+          safe_send_keys "$pane_id" ""
+          (( count++ ))
+          eval "$nudge_count_var=$count"
+        fi
       fi
     fi
   else
@@ -678,6 +895,13 @@ restart_worker() {
   local pane_id="$1"
   local iter="$2"
   local trigger_file="$3"
+
+  # Codex workers are 1-shot exec; restart is not applicable
+  if [[ "$WORKER_ENGINE" = "codex" ]]; then
+    log_debug "restart_worker called for codex engine — no-op (1-shot exec)"
+    return 1
+  fi
+
   local restart_count="${WORKER_RESTARTS[$iter]:-0}"
 
   if (( restart_count >= MAX_RESTARTS )); then
@@ -693,7 +917,7 @@ restart_worker() {
 
   # Kill existing claude, wait for shell prompt
   tmux send-keys -t "$pane_id" C-c 2>/dev/null
-  tmux send-keys -t "$pane_id" "/exit" Enter 2>/dev/null
+  tmux send-keys -t "$pane_id" "/exit" C-m 2>/dev/null
   sleep 2
 
   # Re-launch worker (tmux interactive pattern)
@@ -710,6 +934,25 @@ restart_worker() {
 # Write-Then-Notify: Trigger Script Generation (tmux CRITICAL pattern)
 # =============================================================================
 
+# Per-US PRD injection helper
+# Substitutes the full PRD path with a per-US split path in the Worker prompt base.
+# Falls back to the full PRD with a stderr warning if the split file is missing.
+# Args: $1=prompt_base_file $2=full_prd_path $3=per_us_prd_path (empty = no substitution)
+inject_per_us_prd() {
+  local prompt_base="$1"
+  local full_prd="$2"
+  local per_us_prd="${3:-}"
+
+  if [[ -n "$per_us_prd" && -f "$per_us_prd" ]]; then
+    sed "s|$full_prd|$per_us_prd|g" "$prompt_base"
+  else
+    if [[ -n "$per_us_prd" ]]; then
+      echo "WARNING: per-US split file not found: $per_us_prd — falling back to full PRD injection" >&2
+    fi
+    cat "$prompt_base"
+  fi
+}
+
 # --- governance.md s7 step 4+5: Write prompt and trigger to files ---
 # NEVER send prompt content through tmux send-keys.
 # Write payloads to files, send only short trigger commands (<200 chars).
@@ -727,14 +970,31 @@ write_worker_trigger() {
   local prev_iter=$((iter - 1))
   local fix_contract_file="$LOGS_DIR/iter-$(printf '%03d' $prev_iter).fix-contract.md"
 
+  # Compute next unverified US before prompt assembly (required for per-US PRD injection)
+  local next_us=""
+  if [[ "$VERIFY_MODE" = "per-us" && -n "$US_LIST" ]]; then
+    for us in $(echo "$US_LIST" | tr ',' ' '); do
+      if ! echo ",$VERIFIED_US," | grep -q ",$us,"; then
+        next_us="$us"
+        break
+      fi
+    done
+  fi
+
   {
-    cat "$WORKER_PROMPT_BASE"
+    # Per-US PRD injection: substitute full PRD path with per-US split path when available
+    local per_us_prd=""
+    [[ -n "$next_us" ]] && per_us_prd="$DESK/plans/prd-${SLUG}-${next_us}.md"
+    inject_per_us_prd "$WORKER_PROMPT_BASE" "$DESK/plans/prd-${SLUG}.md" "$per_us_prd"
     echo ""
     echo "---"
     echo "## Iteration Context"
     echo "- **Iteration**: $iter"
     echo "- **Memory Stop Status**: $(sed -n '/^## Stop Status$/,/^$/{ /^## /d; /^$/d; p; }' "$MEMORY_FILE" 2>/dev/null | head -1)"
     echo "- **Next Iteration Contract**: ${contract:-Start from the beginning}"
+    if (( _PRD_CHANGED )); then
+      echo "NOTE: PRD was updated since last iteration. New/changed US may exist."
+    fi
 
     # Include fix contract if previous verifier failed
     if [[ -f "$fix_contract_file" ]]; then
@@ -749,15 +1009,6 @@ write_worker_trigger() {
 
     # Per-US mode: tell Worker exactly which US to work on
     if [[ "$VERIFY_MODE" = "per-us" && -n "$US_LIST" ]]; then
-      # Find next unverified US
-      local next_us=""
-      for us in $(echo "$US_LIST" | tr ',' ' '); do
-        if ! echo ",$VERIFIED_US," | grep -q ",$us,"; then
-          next_us="$us"
-          break
-        fi
-      done
-
       if [[ -n "$next_us" ]]; then
         echo ""
         echo "---"
@@ -766,6 +1017,13 @@ write_worker_trigger() {
         echo "The Leader has determined that **${next_us}** is the next unverified story."
         echo "You MUST implement ONLY **${next_us}** in this iteration."
         echo "Do NOT implement any other user stories."
+        # Per-US test-spec injection: point Worker to scoped test-spec if available
+        local per_us_test_spec="$DESK/plans/test-spec-${SLUG}-${next_us}.md"
+        if [[ -f "$per_us_test_spec" ]]; then
+          echo "- **Test Spec**: Read ONLY \`$per_us_test_spec\` (scoped to ${next_us})"
+        else
+          echo "- **Test Spec**: Read \`$DESK/plans/test-spec-${SLUG}.md\` (full — find ${next_us} section)"
+        fi
         echo "When done, signal verify with us_id=\"${next_us}\" (not \"ALL\")."
         echo "Signal format: {\"iteration\": N, \"status\": \"verify\", \"us_id\": \"${next_us}\", ...}"
         echo ""
@@ -793,12 +1051,12 @@ write_worker_trigger() {
   # Write trigger script (DO NOT use exec -- breaks heartbeat cleanup)
   # Engine-specific launch command (expanded at write time)
   if [[ "$WORKER_ENGINE" = "codex" ]]; then
-    local engine_cmd="${CODEX_BIN:-codex} -m $WORKER_CODEX_MODEL \\
+    local engine_cmd="${CODEX_BIN:-codex} exec \\
+  -m $WORKER_CODEX_MODEL \\
   -c model_reasoning_effort=\"$WORKER_CODEX_REASONING\" \\
   --dangerously-bypass-approvals-and-sandbox \\
-  \"\$(cat $prompt_file)\" \\
-  2>&1 | tee $output_log"
-    local engine_comment="# Run codex with fresh context (governance.md s7 step 5)"
+  \"\$(cat $prompt_file)\""
+    local engine_comment="# Run codex exec with fresh context (no pipe — codex requires terminal)"
   else
     local engine_cmd="$CLAUDE_BIN -p \"\$(cat $prompt_file)\" \\
   --model $WORKER_MODEL \\
@@ -929,282 +1187,6 @@ TRIGGER_EOF
   log "  Verifier trigger: $trigger_file"
 }
 
-# =============================================================================
-# Status Updates
-# =============================================================================
-
-# --- governance.md s7 step 8: Update status.json ---
-update_status() {
-  local phase="$1"
-  local last_result="$2"
-
-  # Build verified_us as JSON array
-  local verified_us_json="[]"
-  if [[ -n "$VERIFIED_US" ]]; then
-    verified_us_json=$(echo "$VERIFIED_US" | tr ',' '\n' | jq -R . | jq -s .)
-  fi
-
-  # Build consensus fields
-  local consensus_json=""
-  if [[ "$VERIFY_CONSENSUS" = "1" ]]; then
-    consensus_json=',
-  "consensus_scope": "'"$CONSENSUS_SCOPE"'",
-  "consensus_round": '"$CONSENSUS_ROUND"',
-  "claude_verdict": "'"${CLAUDE_VERDICT:-}"'",
-  "codex_verdict": "'"${CODEX_VERDICT:-}"'"'
-  fi
-
-  echo '{
-  "slug": "'"$SLUG"'",
-  "baseline_commit": "'"${BASELINE_COMMIT:-none}"'",
-  "iteration": '"$ITERATION"',
-  "max_iter": '"$MAX_ITER"',
-  "phase": "'"$phase"'",
-  "worker_model": "'"$WORKER_MODEL"'",
-  "verifier_model": "'"$VERIFIER_MODEL"'",
-  "worker_engine": "'"$WORKER_ENGINE"'",
-  "verifier_engine": "'"$VERIFIER_ENGINE"'",
-  "worker_codex_model": "'"$WORKER_CODEX_MODEL"'",
-  "worker_codex_reasoning": "'"$WORKER_CODEX_REASONING"'",
-  "verifier_codex_model": "'"$VERIFIER_CODEX_MODEL"'",
-  "verifier_codex_reasoning": "'"$VERIFIER_CODEX_REASONING"'",
-  "verify_mode": "'"$VERIFY_MODE"'",
-  "verify_consensus": '"$VERIFY_CONSENSUS"',
-  "last_result": "'"$last_result"'",
-  "consecutive_failures": '"$CONSECUTIVE_FAILURES"',
-  "verified_us": '"$verified_us_json"''"$consensus_json"',
-  "updated_at_utc": "'"$(date -u +%Y-%m-%dT%H:%M:%SZ)"'"
-}' | atomic_write "$STATUS_FILE"
-}
-
-# --- governance.md s7 step 8: Write result log ---
-write_result_log() {
-  local iter="$1"
-  local result="$2"
-  local result_file="$LOGS_DIR/iter-$(printf '%03d' $iter).result.md"
-
-  local git_diff=""
-  if git -C "$ROOT" rev-parse HEAD &>/dev/null; then
-    git_diff=$(git -C "$ROOT" diff --stat HEAD 2>/dev/null || echo "(no git diff available)")
-  else
-    git_diff="(no commits in repo — cannot diff)"
-  fi
-  # Include untracked new files in result log
-  local result_untracked
-  result_untracked=$(git -C "$ROOT" ls-files --others --exclude-standard 2>/dev/null | head -20)
-  if [[ -n "$result_untracked" ]]; then
-    git_diff="${git_diff}
-
-Untracked new files:
-${result_untracked}"
-  fi
-
-  {
-    echo "# Iteration $iter Result"
-    echo ""
-    echo "## Status"
-    echo "$result [leader-measured]"
-    echo ""
-    echo "## Files Changed"
-    echo '```'
-    echo "$git_diff"
-    echo '```'
-    echo "[git-measured]"
-    echo ""
-    echo "## Timestamp"
-    echo "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
-  } | atomic_write "$result_file"
-}
-
-# --- step 7d: Archive iteration artifacts (done-claim + verdict) to logs/ ---
-archive_iter_artifacts() {
-  local iter="$1"
-  local iter_padded
-  iter_padded=$(printf '%03d' "$iter")
-  if [[ -f "$DONE_CLAIM_FILE" ]]; then
-    cp "$DONE_CLAIM_FILE" "$LOGS_DIR/iter-${iter_padded}-done-claim.json" 2>/dev/null
-  fi
-  if [[ -f "$VERDICT_FILE" ]]; then
-    cp "$VERDICT_FILE" "$LOGS_DIR/iter-${iter_padded}-verify-verdict.json" 2>/dev/null
-  fi
-}
-
-# --- AC5: Write per-iteration cost estimate to cost-log.jsonl ---
-write_cost_log() {
-  local iter="$1"
-  local iter_padded
-  iter_padded=$(printf '%03d' "$iter")
-
-  local prompt_bytes=0 claim_bytes=0 verdict_bytes=0
-  local worker_prompt_file="$LOGS_DIR/iter-${iter_padded}.worker-prompt.md"
-  [[ -f "$worker_prompt_file" ]] && prompt_bytes=$(wc -c < "$worker_prompt_file" 2>/dev/null || echo 0)
-  [[ -f "$DONE_CLAIM_FILE" ]]   && claim_bytes=$(wc -c < "$DONE_CLAIM_FILE" 2>/dev/null || echo 0)
-  [[ -f "$VERDICT_FILE" ]]      && verdict_bytes=$(wc -c < "$VERDICT_FILE" 2>/dev/null || echo 0)
-
-  local estimated_tokens=$(( (prompt_bytes + claim_bytes + verdict_bytes) / 4 ))
-
-  echo '{"iteration":'"$iter"',"estimated_tokens":'"$estimated_tokens"',"token_source":"estimated","prompt_bytes":'"$prompt_bytes"',"claim_bytes":'"$claim_bytes"',"verdict_bytes":'"$verdict_bytes"',"timestamp":"'"$(date -u +%Y-%m-%dT%H:%M:%SZ)"'"}' >> "$COST_LOG"
-}
-
-# --- AC4: Generate campaign-report.md on all terminal states ---
-generate_campaign_report() {
-  # Guard: idempotent — only generate once per campaign run
-  if (( CAMPAIGN_REPORT_GENERATED )); then return 0; fi
-  CAMPAIGN_REPORT_GENERATED=1
-
-  local final_status="UNKNOWN"
-  if [[ -f "$COMPLETE_SENTINEL" ]]; then final_status="COMPLETE"
-  elif [[ -f "$BLOCKED_SENTINEL" ]]; then final_status="BLOCKED"
-  else final_status="TIMEOUT"; fi
-
-  local report_file="$LOGS_DIR/campaign-report.md"
-
-  # AC9: Version existing report before writing new one
-  if [[ -f "$report_file" ]]; then
-    local v=1
-    while [[ -f "${report_file%.md}-v${v}.md" ]]; do (( v++ )); done
-    mv "$report_file" "${report_file%.md}-v${v}.md"
-  fi
-
-  local end_time
-  end_time=$(date +%s)
-  local elapsed=$(( end_time - START_TIME ))
-
-  local baseline_commit_val="${BASELINE_COMMIT:-none}"
-  local files_changed=""
-  if [[ "$baseline_commit_val" != "none" ]]; then
-    files_changed=$(git -C "$ROOT" diff --stat "${baseline_commit_val}" 2>/dev/null || echo "(git diff unavailable)")
-  elif git -C "$ROOT" rev-parse HEAD &>/dev/null; then
-    files_changed=$(git -C "$ROOT" diff --stat HEAD 2>/dev/null || echo "(git diff unavailable)")
-  else
-    files_changed="(no commits in repo — cannot diff)"
-  fi
-  # Include untracked new files
-  local untracked
-  untracked=$(git -C "$ROOT" ls-files --others --exclude-standard 2>/dev/null | head -20)
-  if [[ -n "$untracked" ]]; then
-    files_changed="${files_changed}
-
-Untracked new files:
-${untracked}"
-  fi
-
-  local sv_summary=""
-  if (( WITH_SELF_VERIFICATION )); then
-    local sv_report
-    sv_report=$(ls -t "$LOGS_DIR"/self-verification-report-*.md 2>/dev/null | head -1)
-    if [[ -n "$sv_report" ]]; then
-      sv_summary="See: $(basename "$sv_report")"
-    else
-      sv_summary="SV report generation requires Agent mode. Flag recorded in session-config."
-    fi
-  else
-    sv_summary="N/A — --with-self-verification not enabled"
-  fi
-
-  {
-    echo "# Campaign Report: $SLUG"
-    echo ""
-    echo "Generated: $(date -u +%Y-%m-%dT%H:%M:%SZ) | Status: $final_status | Iterations: $ITERATION"
-    echo ""
-    echo "## Objective"
-    local prd_file="$DESK/plans/prd-$SLUG.md"
-    if [[ -f "$prd_file" ]]; then
-      grep '^## Objective' -A3 "$prd_file" 2>/dev/null | tail -n +2 | head -3
-    else
-      echo "(PRD not found)"
-    fi
-    echo ""
-    echo "## Execution Summary"
-    echo "- Terminal state: $final_status"
-    echo "- Iterations run: $ITERATION / $MAX_ITER"
-    echo "- Elapsed: ${elapsed}s"
-    echo "- Worker model: $WORKER_MODEL ($WORKER_ENGINE)"
-    echo "- Verifier model: $VERIFIER_MODEL ($VERIFIER_ENGINE)"
-    echo ""
-    echo "## US Status"
-    echo "- Verified: ${VERIFIED_US:-none}"
-    echo "- Consecutive failures at end: $CONSECUTIVE_FAILURES"
-    echo ""
-    echo "## Verification Results"
-    local ri=1
-    while (( ri <= ITERATION )); do
-      local iter_dc="$LOGS_DIR/iter-$(printf '%03d' $ri)-done-claim.json"
-      if [[ -f "$iter_dc" ]]; then
-        local us_id
-        us_id=$(jq -r '.us_id // "unknown"' "$iter_dc" 2>/dev/null)
-        echo "- $(basename "$iter_dc"): us_id=$us_id"
-      fi
-      (( ri++ ))
-    done
-    echo ""
-    echo "## Issues Encountered"
-    local fi_found=0
-    local fi_i=1
-    while (( fi_i <= ITERATION )); do
-      local fix_f="$LOGS_DIR/iter-$(printf '%03d' $fi_i).fix-contract.md"
-      if [[ -f "$fix_f" ]]; then
-        echo "- $(basename "$fix_f")"
-        fi_found=1
-      fi
-      (( fi_i++ ))
-    done
-    (( fi_found == 0 )) && echo "- None"
-    echo ""
-    echo "## Cost & Performance"
-    if [[ -f "$COST_LOG" ]]; then
-      local total_tokens=0
-      while IFS= read -r line; do
-        local t
-        t=$(echo "$line" | jq -r '.estimated_tokens // 0' 2>/dev/null || echo 0)
-        total_tokens=$(( total_tokens + t ))
-      done < "$COST_LOG"
-      echo "- Total estimated tokens: $total_tokens (source: estimated, tmux mode)"
-      echo "- See: cost-log.jsonl for per-iteration breakdown"
-    else
-      echo "- No cost data available"
-    fi
-    echo ""
-    echo "## SV Summary"
-    echo "$sv_summary"
-    echo ""
-    echo "## Files Changed"
-    echo '```'
-    echo "$files_changed"
-    echo '```'
-    echo "Note: Files Changed may include pre-existing uncommitted changes if the campaign started in a dirty worktree."
-  } | atomic_write "$report_file"
-
-  log "Campaign report written: $report_file"
-}
-
-# =============================================================================
-# Sentinel Writers
-# =============================================================================
-
-# --- governance.md s7: Only the Leader writes sentinels ---
-write_complete_sentinel() {
-  local summary="$1"
-  echo "# Campaign Complete
-
-Completed at iteration $ITERATION.
-$summary
-
-Timestamp: $(date -u +%Y-%m-%dT%H:%M:%SZ)" | atomic_write "$COMPLETE_SENTINEL"
-  log "COMPLETE sentinel written: $COMPLETE_SENTINEL"
-}
-
-write_blocked_sentinel() {
-  local reason="$1"
-  echo "# Campaign Blocked
-
-Blocked at iteration $ITERATION.
-Reason: $reason
-
-Timestamp: $(date -u +%Y-%m-%dT%H:%M:%SZ)" | atomic_write "$BLOCKED_SENTINEL"
-  log "BLOCKED sentinel written: $BLOCKED_SENTINEL"
-}
-
 # =============================================================================
 # Cleanup (trap handler)
 # =============================================================================
@@ -1213,17 +1195,21 @@ cleanup() {
   log "Cleaning up..."
 
   # Remove lockfile
-  rm -f "$DESK/logs/.rlp-desk-$SLUG.lock" 2>/dev/null
+  if (( LOCKFILE_ACQUIRED )); then
+    rm -f "$LOCKFILE_PATH" 2>/dev/null
+  else
+    log_debug "cleanup: lockfile not owned by this process, skipping removal"
+  fi
 
   # Kill claude processes then kill panes
   log_debug "cleanup: WORKER_PANE=${WORKER_PANE:-unset} VERIFIER_PANE=${VERIFIER_PANE:-unset}"
   if [[ -n "${WORKER_PANE:-}" ]]; then
     tmux send-keys -t "$WORKER_PANE" C-c 2>/dev/null
-    tmux send-keys -t "$WORKER_PANE" "/exit" Enter 2>/dev/null
+    tmux send-keys -t "$WORKER_PANE" "/exit" C-m 2>/dev/null
   fi
   if [[ -n "${VERIFIER_PANE:-}" ]]; then
     tmux send-keys -t "$VERIFIER_PANE" C-c 2>/dev/null
-    tmux send-keys -t "$VERIFIER_PANE" "/exit" Enter 2>/dev/null
+    tmux send-keys -t "$VERIFIER_PANE" "/exit" C-m 2>/dev/null
   fi
   sleep 2
   # Kill panes on completion
@@ -1242,6 +1228,9 @@ cleanup() {
   # AC4: Generate campaign report on all terminal states (always-on)
   generate_campaign_report
 
+  # US-001: Generate SV report after campaign report (tmux mode)
+  generate_sv_report
+
   # Print summary
   local end_time
   end_time=$(date +%s)
@@ -1254,6 +1243,13 @@ cleanup() {
   elif [[ -f "$BLOCKED_SENTINEL" ]]; then final_status="BLOCKED"
   else final_status="TIMEOUT"; fi
 
+  # --- Update metadata.json with final status ---
+  if [[ -f "$METADATA_FILE" ]]; then
+    jq --arg status "$final_status" --arg end_time "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
+      '.campaign_status = $status | .end_time = $end_time' \
+      "$METADATA_FILE" > "${METADATA_FILE}.tmp" && mv "${METADATA_FILE}.tmp" "$METADATA_FILE"
+  fi
+
   if (( DEBUG )); then
     local end_ts=$(date +%s)
     local elapsed=$((end_ts - START_TIME))
@@ -1350,6 +1346,7 @@ poll_for_signal() {
   local trigger_file="$4"
   local role="$5"  # "worker" or "verifier"
   local nudge_count=0
+  local api_retry_count=0
   local poll_start
   poll_start=$(date +%s)
 
@@ -1374,6 +1371,54 @@ poll_for_signal() {
       return 0  # success
     fi
 
+    # A4 fallback: done-claim exists but no signal → Worker forgot iter-signal
+    # ONLY for Worker polling — Verifier waits for verdict file, not done-claim
+    if [[ "$role" != *erifier* && -f "$DONE_CLAIM_FILE" && ! -f "$signal_file" ]]; then
+      local dc_us_id
+      dc_us_id=$(jq -r '.us_id // "unknown"' "$DONE_CLAIM_FILE" 2>/dev/null)
+      if [[ -n "$dc_us_id" && "$dc_us_id" != "null" ]]; then
+        log "  WARNING: done-claim exists for $dc_us_id but no iter-signal. Auto-generating signal (A4 fallback)."
+        log_debug "[GOV] iter=$ITERATION done_claim_without_signal=true us_id=$dc_us_id action=auto_generate_signal"
+        echo '{"iteration":'"$ITERATION"',"status":"verify","us_id":"'"$dc_us_id"'","summary":"auto-generated by A4 fallback (done-claim without signal)","timestamp":"'"$(date -u +%Y-%m-%dT%H:%M:%SZ)"'"}' > "$signal_file"
+        return 0
+      fi
+    fi
+
+    # API transient-error recovery with bounded backoff
+    local pane_output_for_retry
+    pane_output_for_retry=$(tmux capture-pane -t "$pane_id" -p 2>/dev/null || true)
+    local is_api_text_retry=0
+    if [[ -n "$pane_output_for_retry" ]] &&
+       ( echo "$pane_output_for_retry" | grep -qiE '(^|[^[:digit:]])500([^[:digit:]]|$)' \
+      || echo "$pane_output_for_retry" | grep -qiE '(^|[^[:digit:]])529([^[:digit:]]|$)' \
+      || echo "$pane_output_for_retry" | grep -qi 'overloaded' \
+      || echo "$pane_output_for_retry" | grep -qi 'too many requests' \
+      || echo "$pane_output_for_retry" | grep -qi 'service unavailable' ); then
+      is_api_text_retry=1
+    fi
+
+    if (( is_api_text_retry )) || is_api_error "$pane_id"; then
+      (( api_retry_count++ ))
+      log_debug "[FLOW] iter=$ITERATION api_retry=${api_retry_count}/${_API_MAX_RETRIES} role=${role} reason=tmux_pane_api_error"
+      if (( api_retry_count >= _API_MAX_RETRIES )); then
+        log_error "API unavailable after ${_API_MAX_RETRIES} retries"
+        write_blocked_sentinel "API unavailable after ${_API_MAX_RETRIES} retries"
+        return 2
+      fi
+      # A5: If pane shows "queued messages" or rate-limit corruption, restart pane
+      if echo "$pane_output_for_retry" | grep -qi 'queued messages'; then
+        log "  A5: Rate-limited pane shows 'queued messages' — restarting $role pane"
+        log_debug "[GOV] iter=$ITERATION phase=rate_limit_pane_restart role=$role reason=queued_messages"
+        tmux send-keys -t "$pane_id" C-c 2>/dev/null; sleep 0.5
+        tmux send-keys -t "$pane_id" "/exit" C-m 2>/dev/null; sleep 2
+        wait_for_pane_ready "$pane_id" 10 2>/dev/null || true
+      fi
+      sleep "$_API_RETRY_INTERVAL_S"
+      continue
+    else
+      api_retry_count=0
+    fi
+
     # Check heartbeat freshness (tmux pattern)
     if [[ -f "$heartbeat_file" ]]; then
       if check_heartbeat_exited "$heartbeat_file"; then
@@ -1383,9 +1428,13 @@ poll_for_signal() {
           log "  Signal file detected after process exit: $signal_file"
           return 0
         fi
-        log_error "$role exited without writing signal file"
-        # Attempt restart with exponential backoff
-        if restart_worker "$pane_id" "$ITERATION" "$trigger_file"; then
+        # Dispatch to engine-specific exit handler
+        if [[ "$WORKER_ENGINE" = "codex" && "$role" != *erifier* ]]; then
+          handle_worker_exit_codex "$ITERATION" "$signal_file"
+          return 0
+        fi
+        # Claude path (or verifier of any engine)
+        if handle_worker_exit_claude "$pane_id" "$ITERATION" "$trigger_file"; then
           # Reset poll timer for the restart
           poll_start=$(date +%s)
           nudge_count=0
@@ -1421,13 +1470,24 @@ poll_for_signal() {
       fi
     fi
 
+    # Dead pane detection during poll: check if claude/codex process died
+    local poll_cmd
+    poll_cmd=$(tmux display-message -p -t "$pane_id" '#{pane_current_command}' 2>/dev/null)
+    # Dead pane detection — delegates to check_dead_pane() for engine-aware logic
+    if check_dead_pane "$poll_cmd" "$WORKER_ENGINE" "$role"; then
+      log "  WARNING: $role pane $pane_id has bare shell ($poll_cmd) — process died during execution"
+      log_debug "[GOV] iter=$ITERATION pane_dead_during_poll=true pane=$pane_id cmd=$poll_cmd role=$role"
+      # Return failure so caller can handle recovery
+      return 1
+    fi
+
     # Auto-approve permission prompts during poll
     local poll_capture
     poll_capture=$(tmux capture-pane -t "$pane_id" -p 2>/dev/null)
     if echo "$poll_capture" | grep -q "Do you want to" 2>/dev/null; then
       log "  Permission prompt detected during poll, auto-approving..."
       log_debug "[FLOW] iter=$ITERATION permission_prompt_auto_approved=true"
-      tmux send-keys -t "$pane_id" Enter
+      tmux send-keys -t "$pane_id" C-m
       sleep 0.5
     fi
 
@@ -1438,38 +1498,6 @@ poll_for_signal() {
   done
 }
 
-# =============================================================================
-# Circuit Breaker: Stale Context Detection
-# =============================================================================
-
-# --- governance.md s7 step 8: Stale context detection ---
-compute_context_hash() {
-  if [[ -f "$CONTEXT_FILE" ]]; then
-    md5 -q "$CONTEXT_FILE" 2>/dev/null || md5sum "$CONTEXT_FILE" 2>/dev/null | cut -d' ' -f1
-  else
-    echo "no-context"
-  fi
-}
-
-check_stale_context() {
-  local current_hash
-  current_hash=$(compute_context_hash)
-
-  if [[ "$current_hash" == "$PREV_CONTEXT_HASH" ]]; then
-    (( STALE_CONTEXT_COUNT++ ))
-    log "  WARNING: Context unchanged ($STALE_CONTEXT_COUNT/3 stale iterations)"
-    if (( STALE_CONTEXT_COUNT >= 3 )); then
-      log_error "Circuit breaker: context unchanged for 3 consecutive iterations"
-      return 1
-    fi
-  else
-    STALE_CONTEXT_COUNT=0
-  fi
-
-  PREV_CONTEXT_HASH="$current_hash"
-  return 0
-}
-
 # =============================================================================
 # Consensus Verification (run two verifiers sequentially in same pane)
 # =============================================================================
@@ -1487,13 +1515,26 @@ run_single_verifier() {
   local trigger_file="$LOGS_DIR/iter-$(printf '%03d' $iter).verifier${suffix}-trigger.sh"
   local prompt_file="$LOGS_DIR/iter-$(printf '%03d' $iter).verifier${suffix}-prompt.md"
 
-  # Clean previous Verifier session
+  # Clean previous Verifier session (with dead pane detection)
   local verifier_cmd
   verifier_cmd=$(tmux display-message -p -t "$VERIFIER_PANE" '#{pane_current_command}' 2>/dev/null)
-  if [[ "$verifier_cmd" == "node" || "$verifier_cmd" == "claude" || "$verifier_cmd" == "codex" ]]; then
+  if [[ -z "$verifier_cmd" ]]; then
+    log "  Verifier pane $VERIFIER_PANE is gone — replacing..."
+    log_debug "[GOV] iter=$iter pane_dead=true pane_id=$VERIFIER_PANE action=replace_pane"
+    replace_worker_pane "$VERIFIER_PANE" "verifier"
+    VERIFIER_PANE=$(jq -r '.panes.verifier' "$SESSION_CONFIG")
+    log "  New verifier pane: $VERIFIER_PANE"
+  elif [[ "$verifier_cmd" == "zsh" || "$verifier_cmd" == "bash" ]]; then
+    log "  Verifier pane $VERIFIER_PANE has bare shell ($verifier_cmd) — resetting..."
+    log_debug "[GOV] iter=$iter pane_dead=true pane_id=$VERIFIER_PANE cmd=$verifier_cmd action=reset_shell"
+    tmux send-keys -t "$VERIFIER_PANE" C-c C-u 2>/dev/null
+    sleep 0.2
+    tmux send-keys -t "$VERIFIER_PANE" "clear" C-m 2>/dev/null
+    sleep 0.3
+  elif [[ "$verifier_cmd" == "node" || "$verifier_cmd" == "claude" || "$verifier_cmd" == "codex" ]]; then
     tmux send-keys -t "$VERIFIER_PANE" C-c 2>/dev/null
     sleep 0.5
-    tmux send-keys -t "$VERIFIER_PANE" "/exit" Enter 2>/dev/null
+    tmux send-keys -t "$VERIFIER_PANE" "/exit" C-m 2>/dev/null
     sleep 2
   fi
   # Always ensure clean shell state before launching new verifier
@@ -1505,55 +1546,19 @@ run_single_verifier() {
   # Remove previous verdict file
   rm -f "$VERDICT_FILE" 2>/dev/null
 
-  # Launch verifier
+  # Launch verifier — dispatch to engine-specific function
+  local verifier_launch
   if [[ "$engine" = "codex" ]]; then
-    # Codex: use non-interactive exec mode in pane (more reliable than TUI for sequential runs)
-    local codex_cmd="${CODEX_BIN:-codex} exec \"\$(cat $prompt_file)\" -m $VERIFIER_CODEX_MODEL -c model_reasoning_effort=\"$VERIFIER_CODEX_REASONING\" --dangerously-bypass-approvals-and-sandbox"
-    log "  Running $suffix verifier (codex exec) in pane $VERIFIER_PANE..."
-    tmux send-keys -t "$VERIFIER_PANE" -l -- "$codex_cmd"
-    tmux send-keys -t "$VERIFIER_PANE" Enter
-    log_debug "Verifier$suffix codex exec sent directly"
+    verifier_launch="${CODEX_BIN:-codex} exec \"\$(cat $prompt_file)\" -m $VERIFIER_CODEX_MODEL -c model_reasoning_effort=\"$VERIFIER_CODEX_REASONING\" --dangerously-bypass-approvals-and-sandbox"
+    launch_verifier_codex "$VERIFIER_PANE" "$prompt_file" "$iter" "$verifier_launch"
+    log_debug "Verifier$suffix codex exec dispatched"
   else
-    # Claude: use interactive TUI
-    local verifier_launch="$CLAUDE_BIN --model $model --dangerously-skip-permissions"
-    log "  Launching $suffix verifier (claude) in pane $VERIFIER_PANE..."
-    tmux send-keys -t "$VERIFIER_PANE" -l -- "$verifier_launch"
-    tmux send-keys -t "$VERIFIER_PANE" Enter
-
-    if ! wait_for_pane_ready "$VERIFIER_PANE" 30; then
+    verifier_launch="$CLAUDE_BIN --model $model --dangerously-skip-permissions"
+    if ! launch_verifier_claude "$VERIFIER_PANE" "$prompt_file" "$iter" "$verifier_launch"; then
       log_error "Verifier$suffix failed to start"
       return 1
     fi
-
-    sleep 3
-    local verifier_instruction="Read and execute the instructions in $prompt_file"
-    tmux send-keys -t "$VERIFIER_PANE" -l -- "$verifier_instruction"
-    tmux send-keys -t "$VERIFIER_PANE" Enter
-    log_debug "Verifier$suffix instruction sent directly"
-
-    # Verify claude actually started working
-    local v_submit=0
-    while (( v_submit < 15 )); do
-      sleep 2
-      local v_check
-      v_check=$(tmux capture-pane -t "$VERIFIER_PANE" -p 2>/dev/null)
-      if echo "$v_check" | grep -qi "esc to interrupt\|thinking\|working\|kneading\|crunching\|clauding\|billowing\|brewing\|tinkering\|burrowing\|saut" 2>/dev/null; then
-        log_debug "Verifier$suffix started working after $((v_submit + 1)) checks"
-        break
-      fi
-      # After 8 failed attempts, try C-u clear + re-type (omc-teams adaptive retry)
-      if (( v_submit == 8 )); then
-        log_debug "Adaptive instruction retry: clearing line and re-typing"
-        tmux send-keys -t "$VERIFIER_PANE" C-u 2>/dev/null
-        sleep 0.1
-        tmux send-keys -t "$VERIFIER_PANE" -l -- "$verifier_instruction"
-        tmux send-keys -t "$VERIFIER_PANE" Enter
-      fi
-      tmux send-keys -t "$VERIFIER_PANE" C-m 2>/dev/null
-      sleep 0.3
-      tmux send-keys -t "$VERIFIER_PANE" C-m 2>/dev/null
-      (( v_submit++ ))
-    done
+    log_debug "Verifier$suffix claude dispatched"
   fi
 
   # Poll for verdict
@@ -1581,6 +1586,10 @@ run_single_verifier() {
     # Claude: use full poll_for_signal with heartbeat/nudge
     log "  Polling for verify-verdict.json ($suffix)..."
     if ! poll_for_signal "$VERDICT_FILE" "$VERIFIER_HEARTBEAT" "$VERIFIER_PANE" "$verifier_launch" "Verifier$suffix"; then
+      local verifier_poll_rc=$?
+      if (( verifier_poll_rc == 2 )); then
+        return 1
+      fi
       log_error "Verifier$suffix poll failed"
       return 1
     fi
@@ -1592,6 +1601,110 @@ run_single_verifier() {
   return 0
 }
 
+# --- Sequential final verify: run per-US scoped verifiers instead of one big ALL verify ---
+# Returns 0 if all US pass + integration check pass, 1 if any US fails, 2 if integration fails.
+# Sets FAILED_US global on failure.
+run_sequential_final_verify() {
+  local iter="$1"
+  FAILED_US=""
+
+  log "  Sequential final verify: ${US_LIST} (${VERIFY_MODE} mode)"
+  log_debug "[FLOW] iter=$iter phase=sequential_final_verify us_list=$US_LIST"
+
+  for us in $(echo "$US_LIST" | tr ',' ' '); do
+    log "  Final verify: checking $us..."
+
+    # Temporarily override signal file to scope verifier to this US
+    local orig_signal
+    orig_signal=$(cat "$SIGNAL_FILE" 2>/dev/null)
+    echo "{\"status\":\"verify\",\"us_id\":\"$us\",\"summary\":\"sequential final verify\"}" | atomic_write "$SIGNAL_FILE"
+
+    # Write scoped verifier trigger
+    write_verifier_trigger "$iter"
+    local verifier_prompt="$LOGS_DIR/iter-$(printf '%03d' $iter).verifier-prompt.md"
+
+    # Clean verifier pane
+    local verifier_cmd
+    verifier_cmd=$(tmux display-message -p -t "$VERIFIER_PANE" '#{pane_current_command}' 2>/dev/null)
+    if [[ "$verifier_cmd" == "node" || "$verifier_cmd" == "claude" || "$verifier_cmd" == "codex" ]]; then
+      tmux send-keys -t "$VERIFIER_PANE" C-c 2>/dev/null; sleep 0.5
+      tmux send-keys -t "$VERIFIER_PANE" "/exit" C-m 2>/dev/null; sleep 2
+    fi
+    wait_for_pane_ready "$VERIFIER_PANE" 10 2>/dev/null || true
+
+    # Launch verifier
+    local verifier_launch
+    if [[ "$VERIFIER_ENGINE" = "codex" ]]; then
+      verifier_launch="${CODEX_BIN:-codex} -m $VERIFIER_CODEX_MODEL -c model_reasoning_effort=\"$VERIFIER_CODEX_REASONING\" --dangerously-bypass-approvals-and-sandbox"
+      launch_verifier_codex "$VERIFIER_PANE" "$verifier_prompt" "$iter" "$verifier_launch"
+    else
+      verifier_launch="$CLAUDE_BIN --model $VERIFIER_MODEL --dangerously-skip-permissions"
+      launch_verifier_claude "$VERIFIER_PANE" "$verifier_prompt" "$iter" "$verifier_launch" || {
+        log_error "Failed to launch verifier for $us"
+        FAILED_US="$us"
+        return 1
+      }
+    fi
+
+    # Poll for verdict
+    rm -f "$VERDICT_FILE"
+    local poll_rc=0
+    poll_for_signal "$VERDICT_FILE" "$ITER_TIMEOUT" "verdict" || poll_rc=$?
+    if (( poll_rc != 0 )); then
+      log_error "Verifier poll failed for $us (rc=$poll_rc)"
+      FAILED_US="$us"
+      return 1
+    fi
+
+    # Check verdict
+    local verdict
+    verdict=$(jq -r '.verdict' "$VERDICT_FILE" 2>/dev/null)
+    if [[ "$verdict" != "pass" ]]; then
+      FAILED_US="$us"
+      log "  Sequential final verify FAILED at $us"
+      log_debug "[FLOW] iter=$iter phase=sequential_final_verify failed_us=$us verdict=$verdict"
+      return 1
+    fi
+    log "  Sequential final verify: $us PASSED"
+
+    # Archive per-US final verdict
+    cp "$VERDICT_FILE" "$LOGS_DIR/iter-$(printf '%03d' $iter).final-verdict-${us}.json" 2>/dev/null
+  done
+
+  # Integration check: run tests if VERIFICATION_CMD is set
+  if [[ -n "${VERIFICATION_CMD:-}" ]]; then
+    log "  Running integration test suite after sequential verify..."
+    log_debug "[FLOW] iter=$iter phase=integration_check cmd=$VERIFICATION_CMD"
+    if ! eval "$VERIFICATION_CMD" > /dev/null 2>&1; then
+      log "  Integration test suite FAILED"
+      FAILED_US="integration"
+      return 2
+    fi
+    log "  Integration test suite PASSED"
+  fi
+
+  log "  Sequential final verify: ALL PASSED"
+  return 0
+}
+
+# --- US-005: Determine whether consensus verification should run for this signal ---
+# Returns 0 (use consensus) or 1 (single engine).
+# VERIFY_CONSENSUS + CONSENSUS_SCOPE handles per-US consensus.
+# FINAL_CONSENSUS independently enables consensus for the final ALL verify only.
+_should_use_consensus() {
+  local signal_us_id="${1:-}"
+  if [[ "$VERIFY_CONSENSUS" = "1" ]]; then
+    case "$CONSENSUS_SCOPE" in
+      all) return 0 ;;
+      final-only) [[ "$signal_us_id" == "ALL" ]] && return 0 ;;
+    esac
+  fi
+  if [[ "$FINAL_CONSENSUS" = "1" && "$signal_us_id" == "ALL" ]]; then
+    return 0
+  fi
+  return 1
+}
+
 # --- US-004: Run consensus verification (claude + codex sequentially) ---
 run_consensus_verification() {
   local iter="$1"
@@ -1607,18 +1720,45 @@ run_consensus_verification() {
     log "  Consensus round $CONSENSUS_ROUND/6..."
 
     # Run claude verifier first
+    local _claude_t0=$(date +%s)
     if ! run_single_verifier "$iter" "claude" "$VERIFIER_MODEL" "-claude" "$claude_verdict_file"; then
       log_error "Claude verifier failed in consensus round $CONSENSUS_ROUND"
       return 1
     fi
+    ITER_VERIFIER_CLAUDE_DURATION_S=$(( $(date +%s) - _claude_t0 ))
     CLAUDE_VERDICT=$(jq -r '.verdict' "$claude_verdict_file" 2>/dev/null)
+    # A12 fix: validate claude verdict is not null/empty — if so, retry once before proceeding
+    if [[ -z "$CLAUDE_VERDICT" || "$CLAUDE_VERDICT" == "null" ]]; then
+      log "  WARNING: Claude verdict is '$CLAUDE_VERDICT' — likely interrupted. Retrying claude verifier..."
+      log_debug "[GOV] iter=$iter phase=consensus_claude_retry reason=null_verdict"
+      rm -f "$claude_verdict_file" 2>/dev/null
+      if ! run_single_verifier "$iter" "claude" "$VERIFIER_MODEL" "-claude" "$claude_verdict_file"; then
+        log_error "Claude verifier retry also failed"
+        return 1
+      fi
+      CLAUDE_VERDICT=$(jq -r '.verdict' "$claude_verdict_file" 2>/dev/null)
+      if [[ -z "$CLAUDE_VERDICT" || "$CLAUDE_VERDICT" == "null" ]]; then
+        log_error "Claude verdict still null after retry — consensus cannot proceed"
+        return 1
+      fi
+    fi
     log_debug "[GOV] iter=$iter phase=consensus_claude verdict=$CLAUDE_VERDICT model=$VERIFIER_MODEL"
 
+    # F8: --consensus-fail-fast — skip second verifier if first fails
+    if [[ "$CONSENSUS_FAIL_FAST" = "1" && "$CLAUDE_VERDICT" = "fail" ]]; then
+      log "  Consensus fail-fast: claude=fail, skipping codex verifier"
+      log_debug "[GOV] iter=$iter phase=consensus_fail_fast claude=fail codex=skipped"
+      CODEX_VERDICT="skipped"
+      return 2  # disagreement/fail signal
+    fi
+
     # Run codex verifier second
+    local _codex_t0=$(date +%s)
     if ! run_single_verifier "$iter" "codex" "$VERIFIER_CODEX_MODEL" "-codex" "$codex_verdict_file"; then
       log_error "Codex verifier failed in consensus round $CONSENSUS_ROUND"
       return 1
     fi
+    ITER_VERIFIER_CODEX_DURATION_S=$(( $(date +%s) - _codex_t0 ))
     CODEX_VERDICT=$(jq -r '.verdict' "$codex_verdict_file" 2>/dev/null)
     log_debug "[GOV] iter=$iter phase=consensus_codex verdict=$CODEX_VERDICT model=$VERIFIER_CODEX_MODEL reasoning=$VERIFIER_CODEX_REASONING"
 
@@ -1722,43 +1862,35 @@ run_consensus_verification() {
   return 1
 }
 
-# =============================================================================
-# Security Warning
-# =============================================================================
-
-print_security_warning() {
-  echo ""
-  echo "================================================================"
-  echo "  WARNING: Running with --dangerously-skip-permissions"
-  echo ""
-  echo "  The claude CLI will execute tools (file writes, shell commands)"
-  echo "  without asking for confirmation. Only run this on code you"
-  echo "  trust in an environment you control."
-  echo "================================================================"
-  echo ""
-}
-
 # =============================================================================
 # Main Leader Loop
 # =============================================================================
 
 main() {
   # --- Lockfile: prevent duplicate execution ---
-  local lockfile="$DESK/logs/.rlp-desk-$SLUG.lock"
+  local lockfile="$LOCKFILE_PATH"
   mkdir -p "$(dirname "$lockfile")" 2>/dev/null
   if ! (set -C; echo $$ > "$lockfile") 2>/dev/null; then
     local lock_pid
     lock_pid=$(cat "$lockfile" 2>/dev/null)
     if kill -0 "$lock_pid" 2>/dev/null; then
-      log_error "Another instance is already running (PID $lock_pid)"
+      log_error "Another instance is already running (PID $lock_pid). Kill $lock_pid or rm $lockfile"
       exit 1
     fi
     # Stale lock — overwrite
+    log "Stale lock detected (PID ${lock_pid:-unknown} not running), recovering"
     echo $$ > "$lockfile"
+    LOCKFILE_ACQUIRED=1
+  else
+    LOCKFILE_ACQUIRED=1
   fi
-  mkdir -p "$LOGS_DIR" 2>/dev/null
+  trap cleanup EXIT INT TERM
+  mkdir -p "$LOGS_DIR" "$RUNTIME_DIR" 2>/dev/null
+
+  # --- Analytics directory: always create (campaign.jsonl + metadata.json are always-on) ---
+  mkdir -p "$ANALYTICS_DIR" 2>/dev/null
 
-  # --- AC7: debug.log versioning: rename existing debug.log before fresh run ---
+  # --- debug.log versioning (in analytics dir, --debug only) ---
   if (( DEBUG )) && [[ -f "$DEBUG_LOG" ]]; then
     local dbg_n=1
     while [[ -f "${DEBUG_LOG%.log}-v${dbg_n}.log" ]]; do
@@ -1767,6 +1899,31 @@ main() {
     mv "$DEBUG_LOG" "${DEBUG_LOG%.log}-v${dbg_n}.log"
   fi
 
+  # --- campaign.jsonl versioning (always-on) ---
+  if [[ -f "$CAMPAIGN_JSONL" ]]; then
+    local cj_n=1
+    while [[ -f "${CAMPAIGN_JSONL%.jsonl}-v${cj_n}.jsonl" ]]; do
+      (( cj_n++ ))
+    done
+    mv "$CAMPAIGN_JSONL" "${CAMPAIGN_JSONL%.jsonl}-v${cj_n}.jsonl"
+  fi
+
+  # --- metadata.json: always write at campaign start (cross-project identification) ---
+  jq -n \
+    --arg slug "$SLUG" \
+    --arg project_root "$ROOT" \
+    --arg project_name "$(basename "$ROOT")" \
+    --arg campaign_status "running" \
+    --arg start_time "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
+    --arg end_time "" \
+    --arg worker_model "$WORKER_MODEL" \
+    --arg verifier_model "$VERIFIER_MODEL" \
+    --argjson debug "$DEBUG" \
+    --argjson with_sv "$WITH_SELF_VERIFICATION" \
+    --argjson consensus "$VERIFY_CONSENSUS" \
+    '{slug: $slug, project_root: $project_root, project_name: $project_name, campaign_status: $campaign_status, start_time: $start_time, end_time: $end_time, worker_model: $worker_model, verifier_model: $verifier_model, debug: $debug, with_self_verification: $with_sv, consensus: $consensus}' \
+    > "$METADATA_FILE"
+
   # --- Startup ---
   log "Ralph Desk Tmux Runner starting..."
   log "  Slug:            $SLUG"
@@ -1776,6 +1933,7 @@ main() {
   log "  Verifier model:  $VERIFIER_MODEL"
   log "  Verify mode:     $VERIFY_MODE"
   log "  Verify consensus:$VERIFY_CONSENSUS"
+  log "  Final consensus: $FINAL_CONSENSUS"
   log "  Consensus scope: $CONSENSUS_SCOPE"
   log "  Poll interval:   ${POLL_INTERVAL}s"
   log "  Iter timeout:    ${ITER_TIMEOUT}s"
@@ -1819,9 +1977,9 @@ main() {
       US_LIST=$(grep -oE 'US-[0-9]+' "$prd_file" | sort -u | tr '\n' ',' | sed 's/,$//')
     fi
 
-    # Initialize VERIFIED_US from memory's Completed Stories (carry over previous runs)
-    local memory_file="$DESK/memos/${SLUG}-memory.md"
-    if [[ -f "$memory_file" ]]; then
+  # Initialize VERIFIED_US from memory's Completed Stories (carry over previous runs)
+  local memory_file="$DESK/memos/${SLUG}-memory.md"
+  if [[ -f "$memory_file" ]]; then
       local completed_us
       completed_us=$(sed -n '/^## Completed Stories$/,/^## /p' "$memory_file" 2>/dev/null | grep '^- US-' | sed 's/^- \(US-[0-9]*\):.*/\1/' | sort -u | tr '\n' ',' | sed 's/,$//')
       if [[ -n "$completed_us" ]]; then
@@ -1830,8 +1988,23 @@ main() {
         log_debug "[FLOW] loaded_verified_us_from_memory=$VERIFIED_US"
       fi
     fi
+
+    # D1: Fallback — restore verified_us from status.json if memory had none
+    if [[ -z "$VERIFIED_US" && -f "$STATUS_FILE" ]]; then
+      local status_verified
+      status_verified=$(jq -r '.verified_us // [] | join(",")' "$STATUS_FILE" 2>/dev/null)
+      if [[ -n "$status_verified" ]]; then
+        VERIFIED_US="$status_verified"
+        log "  Restored verified_us from status.json: $VERIFIED_US"
+        log_debug "[FLOW] restored_verified_us_from_status=$VERIFIED_US"
+      fi
+    fi
   fi
 
+  # Initialize PRD snapshot state for live update detection
+  PREV_PRD_HASH=$(compute_prd_hash)
+  PREV_PRD_US_LIST=$(count_prd_us)
+
   # Dependency checks
   check_dependencies
 
@@ -1854,7 +2027,7 @@ main() {
   PREV_CONTEXT_HASH=$(compute_context_hash)
 
   # --- governance.md s7: Leader Loop ---
-  local HARD_CEILING=$(( ITER_TIMEOUT * 3 ))  # absolute max per iteration (no extensions beyond this)
+  local HARD_CEILING=$(( ITER_TIMEOUT * 3 ))  # logged but NOT enforced — Worker extends indefinitely when active
 
   for (( ITERATION = 1; ITERATION <= MAX_ITER; ITERATION++ )); do
     log ""
@@ -1887,7 +2060,7 @@ main() {
       # Send C-c first (in case claude is mid-task), then /exit
       tmux send-keys -t "$WORKER_PANE" C-c 2>/dev/null
       sleep 1
-      tmux send-keys -t "$WORKER_PANE" "/exit" Enter 2>/dev/null
+      tmux send-keys -t "$WORKER_PANE" "/exit" C-m 2>/dev/null
       sleep 2
       # Wait for shell prompt before proceeding
       wait_for_pane_ready "$WORKER_PANE" 10 2>/dev/null || true
@@ -1896,96 +2069,66 @@ main() {
     # Reset per-iteration state
     local worker_nudge_count=0
     local verifier_nudge_count=0
+    ITER_VERIFIER_START=""
+    ITER_VERIFIER_END=""
+
+    # --- US-004: detect PRD changes for live update + re-split ---
+    check_prd_update
 
     # --- governance.md s7 step 4: Build worker prompt + trigger ---
     write_worker_trigger "$ITERATION"
     local worker_prompt="$LOGS_DIR/iter-$(printf '%03d' $ITERATION).worker-prompt.md"
 
+    # AC1: capture worker start timestamp
+    ITER_WORKER_START=$(date +%s)
+
     update_status "worker" "running"
 
-    # --- governance.md s7 step 5: Execute Worker (interactive TUI, tmux pattern) ---
-    # Step 5a: Launch interactive worker engine in Worker pane
+    # --- governance.md s7 step 5: Execute Worker (dispatched to engine-specific function) ---
+    log_debug "[FLOW] iter=$ITERATION phase=worker engine=$WORKER_ENGINE model=$WORKER_MODEL dispatched=true"
+
     local worker_launch
     if [[ "$WORKER_ENGINE" = "codex" ]]; then
-      worker_launch="${CODEX_BIN:-codex} -m $WORKER_CODEX_MODEL -c model_reasoning_effort=\"$WORKER_CODEX_REASONING\" --dangerously-bypass-approvals-and-sandbox"
-      log "  Launching Worker codex in pane $WORKER_PANE..."
+      local worker_trigger="$LOGS_DIR/iter-$(printf '%03d' $ITERATION).worker-trigger.sh"
+      worker_launch="bash $worker_trigger"
+      launch_worker_codex "$WORKER_PANE" "$worker_trigger" "$ITERATION"
     else
       worker_launch="$CLAUDE_BIN --model $WORKER_MODEL --dangerously-skip-permissions"
-      log "  Launching Worker claude in pane $WORKER_PANE..."
-    fi
-    tmux send-keys -t "$WORKER_PANE" -l -- "$worker_launch"
-    tmux send-keys -t "$WORKER_PANE" Enter
-    log_debug "[FLOW] iter=$ITERATION phase=worker engine=$WORKER_ENGINE model=$WORKER_MODEL dispatched=true"
-
-    # Step 5b: Wait for claude TUI to be ready (tmux pattern)
-    if ! wait_for_pane_ready "$WORKER_PANE" 30; then
-      log_error "Worker claude failed to start"
-      write_blocked_sentinel "Worker claude failed to start in pane"
-      update_status "blocked" "worker_start_failed"
-      return 1
-    fi
-
-    # Step 5c: Wait for claude to fully initialize, then send instruction directly
-    sleep 3
-    local worker_instruction="Read and execute the instructions in $worker_prompt"
-    tmux send-keys -t "$WORKER_PANE" -l -- "$worker_instruction"
-    tmux send-keys -t "$WORKER_PANE" Enter
-    log_debug "Worker instruction sent directly (${#worker_instruction} chars)"
-
-    # Verify claude actually started working — keep sending C-m until activity detected
-    local submit_attempts=0
-    while (( submit_attempts < 15 )); do
-      sleep 2
-      local pane_check
-      pane_check=$(tmux capture-pane -t "$WORKER_PANE" -p 2>/dev/null)
-      if echo "$pane_check" | grep -qi "esc to interrupt\|thinking\|working\|kneading\|crunching\|clauding\|billowing\|brewing\|tinkering\|burrowing\|saut\|Exploring\|Running\|exec\|Explored" 2>/dev/null; then
-        log_debug "Worker started working after $((submit_attempts + 1)) submit checks"
-        log_debug "[FLOW] iter=$ITERATION worker_submit_check=OK attempts=$((submit_attempts + 1))"
-        break
-      fi
-      # After 8 failed attempts, try C-u clear + re-type (omc-teams adaptive retry)
-      if (( submit_attempts == 8 )); then
-        log_debug "Adaptive instruction retry: clearing line and re-typing"
-        tmux send-keys -t "$WORKER_PANE" C-u 2>/dev/null
-        sleep 0.1
-        tmux send-keys -t "$WORKER_PANE" -l -- "$worker_instruction"
-        tmux send-keys -t "$WORKER_PANE" Enter
+      if ! launch_worker_claude "$WORKER_PANE" "$worker_prompt" "$ITERATION" "$worker_launch"; then
+        write_blocked_sentinel "Worker claude failed to start in pane"
+        update_status "blocked" "worker_start_failed"
+        return 1
       fi
-      tmux send-keys -t "$WORKER_PANE" C-m 2>/dev/null
-      sleep 0.3
-      tmux send-keys -t "$WORKER_PANE" C-m 2>/dev/null
-      (( submit_attempts++ ))
-    done
-    if (( submit_attempts >= 15 )); then
-      log "  WARNING: Could not confirm Worker started working after 15 attempts"
-      log_debug "[FLOW] iter=$ITERATION worker_submit_check=FAILED attempts=15"
     fi
 
     # --- governance.md s7 step 5+6: Poll for Worker completion ---
     log "  Polling for iter-signal.json..."
     local worker_poll_done=0
     while (( ! worker_poll_done )); do
+      local worker_poll_rc=0
       if poll_for_signal "$SIGNAL_FILE" "$WORKER_HEARTBEAT" "$WORKER_PANE" "$worker_launch" "Worker"; then
         worker_poll_done=1
         log_debug "[FLOW] iter=$ITERATION poll_signal_received=true"
       else
+        worker_poll_rc=$?
+        if (( worker_poll_rc == 2 )); then
+          return 1
+        fi
         # Check if Worker is still actively running (not stuck)
         local worker_cmd
         worker_cmd=$(tmux display-message -p -t "$WORKER_PANE" '#{pane_current_command}' 2>/dev/null)
         if [[ "$worker_cmd" == "node" || "$worker_cmd" == "claude" || "$worker_cmd" == "codex" ]]; then
-          # Check hard ceiling before extending
+          # Process alive — extend indefinitely (no hard ceiling kill)
+          # Stale-context breaker and nudge system handle truly stuck workers
           local iter_elapsed=$(( $(date +%s) - ITER_START_TIME ))
+          local ceiling_exceeded=""
           if (( iter_elapsed >= HARD_CEILING )); then
-            log_error "Worker hit hard ceiling (${HARD_CEILING}s = 3x iter_timeout). Killing iteration."
-            log_debug "[GOV] iter=$ITERATION hard_ceiling_hit=true elapsed=${iter_elapsed}s ceiling=${HARD_CEILING}s process=$worker_cmd"
-            tmux send-keys -t "$WORKER_PANE" C-c 2>/dev/null
-            sleep 1
-            write_blocked_sentinel "Worker hit hard ceiling (${HARD_CEILING}s). Pane preserved for inspection."
-            update_status "blocked" "hard_timeout"
-            return 1
+            ceiling_exceeded=" [EXCEEDED hard_ceiling=${HARD_CEILING}s — not enforced, logged only]"
+            log "  WARNING: Worker exceeded soft hard-ceiling (${iter_elapsed}s >= ${HARD_CEILING}s) but still active. Continuing..."
+            log_debug "[GOV] iter=$ITERATION hard_ceiling_exceeded=true elapsed=${iter_elapsed}s ceiling=${HARD_CEILING}s process=$worker_cmd action=log_only_no_kill"
           fi
-          log "  Worker timed out but still active ($worker_cmd). Extending poll... (${iter_elapsed}s/${HARD_CEILING}s)"
-          log_debug "[GOV] iter=$ITERATION timeout_active=true process=$worker_cmd elapsed=${iter_elapsed}s ceiling=${HARD_CEILING}s"
+          log "  Worker timed out but still active ($worker_cmd). Extending poll... (${iter_elapsed}s, no ceiling)${ceiling_exceeded}"
+          log_debug "[GOV] iter=$ITERATION timeout_active=true process=$worker_cmd elapsed=${iter_elapsed}s action=extend_indefinitely"
           log_debug "[FLOW] iter=$ITERATION poll_extended=true worker_cmd=$worker_cmd"
           update_status "worker" "slow"
           # Loop continues — re-poll same iteration
@@ -2019,6 +2162,11 @@ main() {
     # Reset monitor failure count on success
     MONITOR_FAILURE_COUNT=0
 
+    # AC1: capture worker end timestamp; reset consensus timing
+    ITER_WORKER_END=$(date +%s)
+    ITER_VERIFIER_CLAUDE_DURATION_S=""
+    ITER_VERIFIER_CODEX_DURATION_S=""
+
     # --- governance.md s7 step 6: Read iter-signal.json via jq (JSON only, no markdown) ---
     local signal_status
     signal_status=$(jq -r '.status' "$SIGNAL_FILE" 2>/dev/null)
@@ -2045,17 +2193,34 @@ main() {
         signal_us_id=$(jq -r '.us_id // empty' "$SIGNAL_FILE" 2>/dev/null)
         log "  Worker claims done (us_id=${signal_us_id:-all}). Dispatching Verifier..."
 
+        # AC1: capture verifier start timestamp
+        ITER_VERIFIER_START=$(date +%s)
+
         update_status "verifier" "running"
 
-        # --- Consensus scope check ---
-        local use_consensus=0
-        if [[ "$VERIFY_CONSENSUS" = "1" ]]; then
-          case "$CONSENSUS_SCOPE" in
-            all) use_consensus=1 ;;
-            final-only) [[ "$signal_us_id" == "ALL" ]] && use_consensus=1 ;;
-          esac
+        # --- Sequential final verify: per-US scoped checks instead of one big ALL verify ---
+        if [[ "$signal_us_id" == "ALL" && "$VERIFY_MODE" == "per-us" && -n "$US_LIST" ]]; then
+          log "  Final ALL verify: using sequential per-US strategy (timeout prevention)"
+          local seq_rc=0
+          run_sequential_final_verify "$ITERATION" || seq_rc=$?
+          if (( seq_rc == 0 )); then
+            write_complete_sentinel "Sequential final verify passed (all US verified individually)"
+            update_status "complete" "pass"
+            write_campaign_jsonl "$ITERATION" "ALL" "pass"
+            return 0
+          else
+            # Sequential verify failed — fall through to fix loop with failed US
+            log "  Sequential final verify failed at ${FAILED_US:-unknown}. Entering fix loop."
+            signal_us_id="${FAILED_US:-ALL}"
+            # Synthesize a fail verdict for the fix loop
+            echo "{\"verdict\":\"fail\",\"summary\":\"Sequential final verify failed at ${FAILED_US:-unknown}\",\"issues\":[{\"severity\":\"critical\",\"criterion\":\"${FAILED_US:-ALL}\",\"description\":\"Failed during sequential final verification\"}]}" | atomic_write "$VERDICT_FILE"
+          fi
         fi
 
+        # --- Consensus scope check (US-005: _should_use_consensus handles VERIFY_CONSENSUS + FINAL_CONSENSUS) ---
+        local use_consensus=0
+        _should_use_consensus "$signal_us_id" && use_consensus=1
+
         # --- Consensus vs single verification ---
         if (( use_consensus )); then
           # US-004: Run consensus verification (claude + codex sequentially)
@@ -2077,70 +2242,54 @@ main() {
           write_verifier_trigger "$ITERATION"
           local verifier_prompt="$LOGS_DIR/iter-$(printf '%03d' $ITERATION).verifier-prompt.md"
 
-          # Step 7a: Clean previous Verifier session if running
+          # Step 7a: Clean previous Verifier session (with dead pane detection)
           local verifier_cmd
           verifier_cmd=$(tmux display-message -p -t "$VERIFIER_PANE" '#{pane_current_command}' 2>/dev/null)
-          if [[ "$verifier_cmd" == "node" || "$verifier_cmd" == "claude" || "$verifier_cmd" == "codex" ]]; then
+          if [[ -z "$verifier_cmd" ]]; then
+            log "  Verifier pane $VERIFIER_PANE is gone — replacing..."
+            log_debug "[GOV] iter=$ITERATION pane_dead=true pane_id=$VERIFIER_PANE action=replace_pane"
+            replace_worker_pane "$VERIFIER_PANE" "verifier"
+            VERIFIER_PANE=$(jq -r '.panes.verifier' "$SESSION_CONFIG")
+            log "  New verifier pane: $VERIFIER_PANE"
+          elif [[ "$verifier_cmd" == "zsh" || "$verifier_cmd" == "bash" ]]; then
+            log "  Verifier pane $VERIFIER_PANE has bare shell ($verifier_cmd) — resetting..."
+            log_debug "[GOV] iter=$ITERATION pane_dead=true pane_id=$VERIFIER_PANE cmd=$verifier_cmd action=reset_shell"
+            tmux send-keys -t "$VERIFIER_PANE" C-c C-u 2>/dev/null
+            sleep 0.2
+            tmux send-keys -t "$VERIFIER_PANE" "clear" C-m 2>/dev/null
+            sleep 0.3
+          elif [[ "$verifier_cmd" == "node" || "$verifier_cmd" == "claude" || "$verifier_cmd" == "codex" ]]; then
             tmux send-keys -t "$VERIFIER_PANE" C-c 2>/dev/null
             sleep 0.5
-            tmux send-keys -t "$VERIFIER_PANE" "/exit" Enter 2>/dev/null
+            tmux send-keys -t "$VERIFIER_PANE" "/exit" C-m 2>/dev/null
             sleep 2
-            wait_for_pane_ready "$VERIFIER_PANE" 5 2>/dev/null || true
           fi
+          wait_for_pane_ready "$VERIFIER_PANE" 10 2>/dev/null || true
 
           local verifier_launch
           if [[ "$VERIFIER_ENGINE" = "codex" ]]; then
             verifier_launch="${CODEX_BIN:-codex} -m $VERIFIER_CODEX_MODEL -c model_reasoning_effort=\"$VERIFIER_CODEX_REASONING\" --dangerously-bypass-approvals-and-sandbox"
-            log "  Launching Verifier codex in pane $VERIFIER_PANE..."
           else
             verifier_launch="$CLAUDE_BIN --model $VERIFIER_MODEL --dangerously-skip-permissions"
-            log "  Launching Verifier claude in pane $VERIFIER_PANE..."
           fi
-          tmux send-keys -t "$VERIFIER_PANE" -l -- "$verifier_launch"
-          tmux send-keys -t "$VERIFIER_PANE" Enter
           log_debug "[FLOW] iter=$ITERATION phase=verifier engine=$VERIFIER_ENGINE model=$VERIFIER_MODEL scope=${signal_us_id:-all} dispatched=true"
 
-          # Step 7b: Wait for TUI to be ready
-          if ! wait_for_pane_ready "$VERIFIER_PANE" 30; then
-            log_error "Verifier failed to start"
-            update_status "verifier" "start_failed"
-            continue
-          fi
-
-          # Step 7c: Send instruction
-          sleep 3
-          local verifier_instruction="Read and execute the instructions in $verifier_prompt"
-          tmux send-keys -t "$VERIFIER_PANE" -l -- "$verifier_instruction"
-          tmux send-keys -t "$VERIFIER_PANE" Enter
-          log_debug "Verifier instruction sent directly"
-
-          # Verify verifier actually started working
-          local vs_submit=0
-          while (( vs_submit < 15 )); do
-            sleep 2
-            local vs_check
-            vs_check=$(tmux capture-pane -t "$VERIFIER_PANE" -p 2>/dev/null)
-            if echo "$vs_check" | grep -qi "esc to interrupt\|thinking\|working\|kneading\|crunching\|clauding\|billowing\|brewing\|tinkering\|burrowing\|saut\|Exploring\|Running\|exec\|Explored" 2>/dev/null; then
-              log_debug "Verifier started working after $((vs_submit + 1)) checks"
-              break
-            fi
-            # After 8 failed attempts, try C-u clear + re-type (omc-teams adaptive retry)
-            if (( vs_submit == 8 )); then
-              log_debug "Adaptive instruction retry: clearing line and re-typing"
-              tmux send-keys -t "$VERIFIER_PANE" C-u 2>/dev/null
-              sleep 0.1
-              tmux send-keys -t "$VERIFIER_PANE" -l -- "$verifier_instruction"
-              tmux send-keys -t "$VERIFIER_PANE" Enter
+          if [[ "$VERIFIER_ENGINE" = "codex" ]]; then
+            launch_verifier_codex "$VERIFIER_PANE" "$verifier_prompt" "$ITERATION" "$verifier_launch"
+          else
+            if ! launch_verifier_claude "$VERIFIER_PANE" "$verifier_prompt" "$ITERATION" "$verifier_launch"; then
+              update_status "verifier" "start_failed"
+              continue
             fi
-            tmux send-keys -t "$VERIFIER_PANE" C-m 2>/dev/null
-            sleep 0.3
-            tmux send-keys -t "$VERIFIER_PANE" C-m 2>/dev/null
-            (( vs_submit++ ))
-          done
+          fi
 
           # Poll for verify-verdict.json
           log "  Polling for verify-verdict.json..."
           if ! poll_for_signal "$VERDICT_FILE" "$VERIFIER_HEARTBEAT" "$VERIFIER_PANE" "$verifier_launch" "Verifier"; then
+            local verifier_poll_rc=$?
+            if (( verifier_poll_rc == 2 )); then
+              return 1
+            fi
             log_error "Verifier poll failed"
             # Verifier is dead/stuck — BLOCK and let user decide
             write_blocked_sentinel "Verifier process dead/stuck (poll failed). Pane preserved for inspection."
@@ -2149,6 +2298,9 @@ main() {
           fi
         fi
 
+        # AC1: capture verifier end timestamp
+        ITER_VERIFIER_END=$(date +%s)
+
         # --- governance.md s7 step 7: Read verdict via jq ---
         local verdict
         verdict=$(jq -r '.verdict' "$VERDICT_FILE" 2>/dev/null)
@@ -2166,6 +2318,18 @@ main() {
           pass)
             CONSECUTIVE_FAILURES=0
             CONSENSUS_ROUND=0
+            _SAME_US_FAIL_COUNT=0
+            _LAST_FAILED_US=""
+            if (( _MODEL_UPGRADED )); then
+              log "  Worker model restored: ${WORKER_MODEL} → ${_ORIGINAL_WORKER_MODEL} (pass verdict)"
+              log_debug "[DECIDE] iter=$ITERATION phase=model_select model_restore=true from=${WORKER_MODEL} to=${_ORIGINAL_WORKER_MODEL}"
+              WORKER_MODEL="$_ORIGINAL_WORKER_MODEL"
+              if [[ "$WORKER_ENGINE" = "codex" ]]; then
+                WORKER_CODEX_MODEL="$WORKER_MODEL"
+                WORKER_CODEX_REASONING="$_ORIGINAL_WORKER_CODEX_REASONING"
+              fi
+              _MODEL_UPGRADED=0
+            fi
 
             # --- Per-US tracking ---
             if [[ "$VERIFY_MODE" = "per-us" && -n "$signal_us_id" && "$signal_us_id" != "ALL" ]]; then
@@ -2183,6 +2347,7 @@ main() {
               # Final full verify passed or complete recommended
               write_complete_sentinel "$verdict_summary"
               update_status "complete" "pass"
+              write_campaign_jsonl "$ITERATION" "${signal_us_id:-ALL}" "pass"
               return 0
             else
               log "  Verifier passed but did not recommend complete. Continuing."
@@ -2192,6 +2357,7 @@ main() {
           fail)
             # --- governance.md s7½: Fix Loop (adapted for tmux lean mode) ---
             (( CONSECUTIVE_FAILURES++ ))
+            check_model_upgrade "${signal_us_id:-unknown}"
             local verdict_summary_fail
             verdict_summary_fail=$(jq -r '.summary // "no summary"' "$VERDICT_FILE" 2>/dev/null)
             log "  Verifier FAILED (consecutive: $CONSECUTIVE_FAILURES). Building fix contract..."
@@ -2213,11 +2379,19 @@ main() {
             log "  Fix contract: $fix_contract"
             log_debug "[DECIDE] iter=$ITERATION phase=fix_loop trigger=$verdict consecutive_failures=$CONSECUTIVE_FAILURES fix_contract=$fix_contract"
 
-            # Circuit breaker: consecutive failures
+            # Circuit breaker: consecutive failures (with architecture escalation when at model ceiling)
             if (( CONSECUTIVE_FAILURES >= EFFECTIVE_CB_THRESHOLD )); then
-              log_debug "[GOV] iter=$ITERATION circuit_breaker=consecutive_failures detail=\"${EFFECTIVE_CB_THRESHOLD} consecutive verification failures\""
-              log_error "Circuit breaker: ${EFFECTIVE_CB_THRESHOLD} consecutive verification failures"
-              write_blocked_sentinel "${EFFECTIVE_CB_THRESHOLD} consecutive verification failures"
+              # For codex: use full model:reasoning string (WORKER_MODEL loses reasoning suffix after upgrade)
+              _ceiling_model_str="$([[ "$WORKER_ENGINE" = "codex" ]] && echo "${WORKER_CODEX_MODEL}:${WORKER_CODEX_REASONING}" || echo "$WORKER_MODEL")"
+              if (( _MODEL_UPGRADED )) && [[ -z "$(get_next_model "$_ceiling_model_str")" ]]; then
+                log_debug "[GOV] iter=$ITERATION circuit_breaker=consecutive_failures detail=\"architecture escalation: Worker at ceiling (${WORKER_MODEL}), ${EFFECTIVE_CB_THRESHOLD} consecutive failures\""
+                log_error "Circuit breaker: architecture escalation — Worker upgraded to ceiling (${WORKER_MODEL}), ${EFFECTIVE_CB_THRESHOLD} consecutive failures"
+                write_blocked_sentinel "architecture escalation: Worker upgraded to ceiling model (${WORKER_MODEL}), ${EFFECTIVE_CB_THRESHOLD} consecutive verification failures"
+              else
+                log_debug "[GOV] iter=$ITERATION circuit_breaker=consecutive_failures detail=\"${EFFECTIVE_CB_THRESHOLD} consecutive verification failures\""
+                log_error "Circuit breaker: ${EFFECTIVE_CB_THRESHOLD} consecutive verification failures"
+                write_blocked_sentinel "${EFFECTIVE_CB_THRESHOLD} consecutive verification failures"
+              fi
               update_status "blocked" "consecutive_failures"
               return 1
             fi
@@ -2261,6 +2435,7 @@ main() {
 
     # --- AC5: Write per-iteration cost estimate ---
     write_cost_log "$ITERATION"
+    write_campaign_jsonl "$ITERATION" "${signal_us_id:-unknown}" "${signal_status:-unknown}"
 
     # --- governance.md s7 step 8: Write result log ---
     write_result_log "$ITERATION" "$signal_status"
@@ -2279,7 +2454,6 @@ main() {
 
   # Max iterations reached
   log "Max iterations ($MAX_ITER) reached."
-  generate_campaign_report  # AC4: TIMEOUT terminal path
   update_status "timeout" "max_iter"
   return 1
 }
@@ -2288,6 +2462,45 @@ main() {
 # Entry Point
 # =============================================================================
 
+# --- CLI: parse --worker-model / --verifier-model flags ---
+# These flags override env-var defaults (WORKER_ENGINE, WORKER_MODEL, etc.)
+# Format: "model:reasoning" → codex engine; "model-name" → claude engine
+_cli_i=1
+while (( _cli_i <= $# )); do
+  case "${@[$_cli_i]}" in
+    --worker-model)
+      (( _cli_i++ ))
+      _cli_parsed=$(parse_model_flag "${@[$_cli_i]:-}" "worker") || exit 1
+      WORKER_ENGINE="${_cli_parsed%% *}"
+      _cli_rest="${_cli_parsed#* }"
+      WORKER_MODEL="${_cli_rest%% *}"
+      if [[ "$WORKER_ENGINE" = "codex" ]]; then
+        WORKER_CODEX_MODEL="$WORKER_MODEL"
+        WORKER_CODEX_REASONING="${_cli_rest##* }"
+      fi
+      ;;
+    --verifier-model)
+      (( _cli_i++ ))
+      _cli_parsed=$(parse_model_flag "${@[$_cli_i]:-}" "verifier") || exit 1
+      VERIFIER_ENGINE="${_cli_parsed%% *}"
+      _cli_rest="${_cli_parsed#* }"
+      VERIFIER_MODEL="${_cli_rest%% *}"
+      if [[ "$VERIFIER_ENGINE" = "codex" ]]; then
+        VERIFIER_CODEX_MODEL="$VERIFIER_MODEL"
+        VERIFIER_CODEX_REASONING="${_cli_rest##* }"
+      fi
+      ;;
+    --lock-worker-model)
+      LOCK_WORKER_MODEL=1
+      ;;
+    --final-consensus)
+      FINAL_CONSENSUS=1
+      ;;
+  esac
+  (( _cli_i++ ))
+done
+unset _cli_i _cli_parsed _cli_rest
+
 # Require tmux — tmux mode only works inside an active tmux session
 if [[ -z "${TMUX:-}" ]]; then
   echo "ERROR: tmux mode requires running inside a tmux session."