@besales/ops-framework 0.1.31 → 0.1.32

package/CHANGELOG.md

@@ -1,5 +1,12 @@
 # Changelog
 
+## 0.1.32
+
+- Required explicit `review-budget-approval.json` before `--force-review-budget` can bypass Check/Verify review budgets.
+- Added external CLI provider timeouts from `reviewBudgets.*.providerTimeoutMs` so Check/Verify provider calls cannot silently exceed the stage SLA.
+- Recorded denied force attempts in Check/Verify timelines as `review_budget_force_denied`.
+- Updated review budget docs and prompts so force review is treated as a human-approved exception, not a normal retry path.
+
 ## 0.1.31
 
 - Added bounded review budgets for Check and Verify: default 3 minute stage SLA and one external provider run per stage.

package/README.md

@@ -194,11 +194,22 @@ External `run-check` and `run-verify` are bounded by default:
 
 - stage SLA: `180000ms`;
 - max external provider runs per stage: `1`.
+- external provider timeout: `180000ms`.
 
 When the budget is exceeded, the framework writes `human_arbitration_required`
 instead of starting another provider loop. Consolidate the remaining findings in
 task artifacts, or rerun with `--force-review-budget` only after explicit human
-approval.
+approval recorded in `review-budget-approval.json`:
+
+```json
+{
+  "approved": true,
+  "stage": "check",
+  "reason": "Human approved one extra external review after consolidated remediation.",
+  "approvedBy": "human",
+  "expiresAt": "2026-06-05T12:00:00.000Z"
+}
+```
 
 ## Learning Loop
 

package/bin/lib/review-budget-utils.mjs

@@ -1,7 +1,11 @@
+import fs from 'node:fs';
+import path from 'node:path';
+
 export function resolveStageReviewBudget(config, stage) {
   const defaults = {
     stageSlaMs: 180000,
     maxExternalRunsPerStage: 1,
+    providerTimeoutMs: 180000,
   };
   const reviewBudgets = config.reviewBudgets || {};
   return {
@@ -68,6 +72,108 @@ export function evaluateReviewBudget({ budget, summary, force = false }) {
   return { ok: true, reason: null };
 }
 
+export function readReviewBudgetApproval({ taskDir, stage, now = new Date() }) {
+  const approvalPath = path.join(taskDir, 'review-budget-approval.json');
+  if (!fs.existsSync(approvalPath)) {
+    return {
+      ok: false,
+      reason: 'missing_review_budget_approval',
+      message: 'Using --force-review-budget requires review-budget-approval.json with approved=true.',
+      path: 'review-budget-approval.json',
+    };
+  }
+
+  let approval;
+  try {
+    approval = JSON.parse(fs.readFileSync(approvalPath, 'utf8'));
+  } catch (error) {
+    return {
+      ok: false,
+      reason: 'invalid_review_budget_approval',
+      message: `review-budget-approval.json is invalid JSON: ${error.message}`,
+      path: 'review-budget-approval.json',
+    };
+  }
+
+  if (approval.approved !== true) {
+    return {
+      ok: false,
+      reason: 'review_budget_approval_not_approved',
+      message: 'review-budget-approval.json must contain approved=true.',
+      path: 'review-budget-approval.json',
+      approval,
+    };
+  }
+
+  if (!['check', 'verify', 'both'].includes(String(approval.stage || ''))) {
+    return {
+      ok: false,
+      reason: 'review_budget_approval_stage_invalid',
+      message: 'review-budget-approval.json stage must be check, verify or both.',
+      path: 'review-budget-approval.json',
+      approval,
+    };
+  }
+
+  if (approval.stage !== stage && approval.stage !== 'both') {
+    return {
+      ok: false,
+      reason: 'review_budget_approval_stage_mismatch',
+      message: `review-budget-approval.json is for stage=${approval.stage}, not ${stage}.`,
+      path: 'review-budget-approval.json',
+      approval,
+    };
+  }
+
+  if (!approval.reason || typeof approval.reason !== 'string') {
+    return {
+      ok: false,
+      reason: 'review_budget_approval_reason_missing',
+      message: 'review-budget-approval.json must contain a human-readable reason.',
+      path: 'review-budget-approval.json',
+      approval,
+    };
+  }
+
+  if (!approval.approvedBy || typeof approval.approvedBy !== 'string') {
+    return {
+      ok: false,
+      reason: 'review_budget_approval_approver_missing',
+      message: 'review-budget-approval.json must contain approvedBy.',
+      path: 'review-budget-approval.json',
+      approval,
+    };
+  }
+
+  if (approval.expiresAt) {
+    const expiresAt = new Date(approval.expiresAt);
+    if (Number.isNaN(expiresAt.getTime())) {
+      return {
+        ok: false,
+        reason: 'review_budget_approval_expiry_invalid',
+        message: 'review-budget-approval.json expiresAt must be a valid ISO timestamp when present.',
+        path: 'review-budget-approval.json',
+        approval,
+      };
+    }
+    if (expiresAt.getTime() <= now.getTime()) {
+      return {
+        ok: false,
+        reason: 'review_budget_approval_expired',
+        message: `review-budget-approval.json expired at ${expiresAt.toISOString()}.`,
+        path: 'review-budget-approval.json',
+        approval,
+      };
+    }
+  }
+
+  return {
+    ok: true,
+    path: 'review-budget-approval.json',
+    approval,
+  };
+}
+
 function firstValidDate(values) {
   for (const value of values) {
     const date = new Date(value);

package/bin/lib/review-budget-utils.test.mjs

@@ -1,6 +1,10 @@
 import { describe, expect, it } from 'vitest';
+import fs from 'node:fs';
+import os from 'node:os';
+import path from 'node:path';
 import {
   evaluateReviewBudget,
+  readReviewBudgetApproval,
   resolveStageReviewBudget,
   summarizeReviewBudgetWindow,
 } from './review-budget-utils.mjs';
@@ -80,11 +84,62 @@ describe('review budget utils', () => {
         verify: {
           stageSlaMs: 120000,
           maxExternalRunsPerStage: 2,
+          providerTimeoutMs: 90000,
         },
       },
     }, 'verify')).toEqual({
       stageSlaMs: 120000,
       maxExternalRunsPerStage: 2,
+      providerTimeoutMs: 90000,
+    });
+  });
+
+  it('requires a valid force approval artifact', () => {
+    const taskDir = fs.mkdtempSync(path.join(os.tmpdir(), 'review-budget-approval-'));
+
+    expect(readReviewBudgetApproval({ taskDir, stage: 'verify' })).toMatchObject({
+      ok: false,
+      reason: 'missing_review_budget_approval',
+    });
+
+    fs.writeFileSync(path.join(taskDir, 'review-budget-approval.json'), JSON.stringify({
+      approved: true,
+      stage: 'verify',
+      reason: 'Human approved one extra external Verify after consolidated remediation.',
+      approvedBy: 'human',
+      expiresAt: '2026-06-04T12:30:00.000Z',
+    }, null, 2));
+
+    expect(readReviewBudgetApproval({
+      taskDir,
+      stage: 'verify',
+      now: new Date('2026-06-04T12:00:00.000Z'),
+    })).toMatchObject({
+      ok: true,
+      approval: {
+        approved: true,
+        stage: 'verify',
+      },
+    });
+  });
+
+  it('rejects expired force approval artifacts', () => {
+    const taskDir = fs.mkdtempSync(path.join(os.tmpdir(), 'review-budget-expired-'));
+    fs.writeFileSync(path.join(taskDir, 'review-budget-approval.json'), JSON.stringify({
+      approved: true,
+      stage: 'both',
+      reason: 'Expired approval',
+      approvedBy: 'human',
+      expiresAt: '2026-06-04T12:00:00.000Z',
+    }, null, 2));
+
+    expect(readReviewBudgetApproval({
+      taskDir,
+      stage: 'check',
+      now: new Date('2026-06-04T12:00:01.000Z'),
+    })).toMatchObject({
+      ok: false,
+      reason: 'review_budget_approval_expired',
     });
   });
 });

package/bin/providers/external-cli-checker.mjs

@@ -47,6 +47,7 @@ export async function runExternalCliChecker({
   reasoningEffort,
   prompt,
   cwd,
+  timeoutMs,
 }) {
   if (!providerConfig) {
     const error = new Error(`Unknown external CLI provider: ${providerName}`);
@@ -68,10 +69,11 @@ export async function runExternalCliChecker({
     input: providerConfig.input === 'stdin' ? prompt : undefined,
     encoding: 'utf8',
     maxBuffer: 1024 * 1024 * 20,
+    timeout: timeoutMs || undefined,
   });
 
   if (result.error) {
-    result.error.failureReason = 'provider_unavailable';
+    result.error.failureReason = result.error.code === 'ETIMEDOUT' ? 'timeout' : 'provider_unavailable';
     throw result.error;
   }
   if (result.status !== 0) {

package/bin/run-check.mjs

@@ -47,6 +47,7 @@ import {
 } from './lib/task-manifest-utils.mjs';
 import {
   evaluateReviewBudget,
+  readReviewBudgetApproval,
   resolveStageReviewBudget,
   summarizeReviewBudgetWindow,
 } from './lib/review-budget-utils.mjs';
@@ -239,6 +240,57 @@ async function runMain() {
       return;
     }
 
+    const forceApproval = forceReviewBudget
+      ? readReviewBudgetApproval({ taskDir, stage: 'check' })
+      : { ok: true, approval: null };
+    if (!forceApproval.ok) {
+      const budget = resolveStageReviewBudget(readAgentsConfig(), 'check');
+      const summary = summarizeReviewBudgetWindow({
+        timeline: readTimeline(taskDir, 'check-timeline.json'),
+        stage: 'check',
+        now: new Date(),
+      });
+      writeReviewBudgetReturn({
+        taskDir,
+        taskId,
+        checkContext,
+        checkerConfig,
+        checkerPromptSha,
+        cacheKey,
+        reason: forceApproval.reason,
+        message: forceApproval.message,
+        budget,
+        summary,
+        startedAt: runStartedAt,
+        approval: forceApproval,
+      });
+      appendCheckTimeline(taskDir, {
+        event: 'review_budget_force_denied',
+        verdict: 'human_arbitration_required',
+        reason: forceApproval.reason,
+        message: forceApproval.message,
+        budget,
+        summary,
+        timing: buildTiming(runStartedAt),
+      });
+      recordLlmInputUsage({
+        taskDir,
+        stage: 'check',
+        packMeta: promptPayload.pack.meta,
+        attempts: [
+          ...llmInputAttempts,
+          buildAttemptRecord(promptPayload.pack.meta, `review_budget_force_denied:${forceApproval.reason}`),
+        ],
+        rerunCount,
+        timing: buildTiming(runStartedAt),
+      });
+      refreshTaskManifestAfterCheck(taskDir);
+      runValidator(taskArg);
+      console.log(`Checker force review denied ${taskId}: human_arbitration_required`);
+      console.log(`- reason: ${forceApproval.reason}`);
+      return;
+    }
+
     const reviewBudget = evaluateCurrentReviewBudget({
       taskDir,
       stage: 'check',
@@ -258,6 +310,7 @@ async function runMain() {
         budget: reviewBudget.budget,
         summary: reviewBudget.summary,
         startedAt: runStartedAt,
+        approval: forceApproval,
       });
       appendCheckTimeline(taskDir, {
         event: 'review_budget_blocked',
@@ -304,6 +357,7 @@ async function runMain() {
         checkerConfig,
         messages: promptPayload.messages,
         prompt: promptPayload.prompt,
+        timeoutMs: reviewBudget.budget.providerTimeoutMs,
       });
       appendCheckTimeline(taskDir, {
         event: 'provider_completed',
@@ -434,6 +488,7 @@ function writeReviewBudgetReturn({
   budget,
   summary,
   startedAt,
+  approval = null,
 }) {
   const result = {
     taskId,
@@ -468,6 +523,7 @@ function writeReviewBudgetReturn({
       reason,
       budget,
       summary,
+      approval,
       forceFlag: '--force-review-budget',
     },
     readyForHumanGate: false,
@@ -489,13 +545,13 @@ function writeReviewBudgetReturn({
     '## Budget',
     '',
     '```json',
-    JSON.stringify({ reason, budget, summary }, null, 2),
+    JSON.stringify({ reason, budget, summary, approval }, null, 2),
     '```',
     '',
     '## Required decision',
     '',
     '- Consolidate all remaining Check findings into `plan.md`, `status.md`, and `check-resolution.md`, then run one fresh Check after the window resets; or',
-    '- Ask the human to approve an extra external review and rerun with `--force-review-budget`.',
+    '- Ask the human to approve an extra external review by writing `review-budget-approval.json`, then rerun with `--force-review-budget`.',
     '',
     '## Timing',
     '',
@@ -510,7 +566,7 @@ function writeReviewBudgetReturn({
     checkVerdict: '`human_arbitration_required`',
     checkResult: '- `check.result.json`: current; review budget blocked external Checker invocation',
     supervisorAction: 'Check review budget blocked another external provider loop.',
-    nextStep: 'Human Arbitration: approve one extra external review with `--force-review-budget` or consolidate remaining findings before a fresh Check.',
+    nextStep: 'Human Arbitration: write `review-budget-approval.json` before using `--force-review-budget`, or consolidate remaining findings before a fresh Check.',
     humanApproval: 'yes',
   });
   appendOrchestrationLog(taskDir, `Check review budget blocked external checker; reason=${reason}; elapsedMs=${summary.elapsedMs}; providerStarted=${summary.providerStarted}; maxExternalRuns=${budget.maxExternalRunsPerStage}; stageSlaMs=${budget.stageSlaMs}`);
@@ -927,7 +983,7 @@ function buildCheckerPromptPayload({
   };
 }
 
-async function runProvider({ checkerConfig, messages, prompt }) {
+async function runProvider({ checkerConfig, messages, prompt, timeoutMs }) {
   if (checkerConfig.provider === 'openai') {
     return runOpenAiChecker({
       apiKey: process.env.OPENAI_API_KEY,
@@ -944,6 +1000,7 @@ async function runProvider({ checkerConfig, messages, prompt }) {
       reasoningEffort: checkerConfig.reasoningEffort,
       prompt,
       cwd: repoRoot,
+      timeoutMs,
     });
   }
 

package/bin/run-verify.mjs

@@ -30,6 +30,7 @@ import {
 import { recordLlmInputUsage } from './lib/task-manifest-utils.mjs';
 import {
   evaluateReviewBudget,
+  readReviewBudgetApproval,
   resolveStageReviewBudget,
   summarizeReviewBudgetWindow,
 } from './lib/review-budget-utils.mjs';
@@ -210,6 +211,54 @@ async function runMain() {
       return;
     }
 
+    const forceApproval = forceReviewBudget
+      ? readReviewBudgetApproval({ taskDir, stage: 'verify' })
+      : { ok: true, approval: null };
+    if (!forceApproval.ok) {
+      const budget = resolveStageReviewBudget(readAgentsConfig(), 'verify');
+      const summary = summarizeReviewBudgetWindow({
+        timeline: readTimeline(taskDir, 'verify-timeline.json'),
+        stage: 'verify',
+        now: new Date(),
+      });
+      writeVerifyReviewBudgetReturn({
+        taskDir,
+        taskId,
+        verifierConfig,
+        verifierRunId,
+        planSha,
+        executionSha,
+        reason: forceApproval.reason,
+        message: forceApproval.message,
+        budget,
+        summary,
+        approval: forceApproval,
+      });
+      appendVerifyTimeline(taskDir, {
+        event: 'review_budget_force_denied',
+        verdict: 'human_arbitration_required',
+        reason: forceApproval.reason,
+        message: forceApproval.message,
+        budget,
+        summary,
+        timing: buildTiming(runStartedAt),
+      });
+      recordLlmInputUsage({
+        taskDir,
+        stage: 'verify',
+        packMeta: promptPayload.pack.meta,
+        attempts: [
+          ...llmInputAttempts,
+          buildAttemptRecord(promptPayload.pack.meta, `review_budget_force_denied:${forceApproval.reason}`),
+        ],
+        rerunCount,
+        timing: buildTiming(runStartedAt),
+      });
+      console.log(`Verifier force review denied ${taskId}: human_arbitration_required`);
+      console.log(`- reason: ${forceApproval.reason}`);
+      return;
+    }
+
     const reviewBudget = evaluateCurrentReviewBudget({
       taskDir,
       stage: 'verify',
@@ -228,6 +277,7 @@ async function runMain() {
         message: reviewBudget.message,
         budget: reviewBudget.budget,
         summary: reviewBudget.summary,
+        approval: forceApproval,
       });
       appendVerifyTimeline(taskDir, {
         event: 'review_budget_blocked',
@@ -275,6 +325,7 @@ async function runMain() {
         reasoningEffort: verifierConfig.reasoningEffort,
         prompt: promptPayload.prompt,
         cwd: repoRoot,
+        timeoutMs: reviewBudget.budget.providerTimeoutMs,
       });
       appendVerifyTimeline(taskDir, {
         event: 'provider_completed',
@@ -412,6 +463,7 @@ function writeVerifyReviewBudgetReturn({
   message,
   budget,
   summary,
+  approval = null,
 }) {
   const verifyMarkdown = [
     '# Verify',
@@ -429,13 +481,13 @@ function writeVerifyReviewBudgetReturn({
     '## Budget',
     '',
     '```json',
-    JSON.stringify({ reason, budget, summary }, null, 2),
+    JSON.stringify({ reason, budget, summary, approval }, null, 2),
     '```',
     '',
     '## Required decision',
     '',
     '- Consolidate remaining Verify findings in `execution.md` / evidence artifacts, then run one fresh Verify after the window resets; or',
-    '- Ask the human to approve an extra external review and rerun with `--force-review-budget`.',
+    '- Ask the human to approve an extra external review by writing `review-budget-approval.json`, then rerun with `--force-review-budget`.',
   ].join('\n');
   const result = {
     schemaVersion: 1,
@@ -474,6 +526,7 @@ function writeVerifyReviewBudgetReturn({
       reason,
       budget,
       summary,
+      approval,
       forceFlag: '--force-review-budget',
     },
   };

package/config/default-agents.json

@@ -21,11 +21,13 @@
   "reviewBudgets": {
     "check": {
       "stageSlaMs": 180000,
-      "maxExternalRunsPerStage": 1
+      "maxExternalRunsPerStage": 1,
+      "providerTimeoutMs": 180000
     },
     "verify": {
       "stageSlaMs": 180000,
-      "maxExternalRunsPerStage": 1
+      "maxExternalRunsPerStage": 1,
+      "providerTimeoutMs": 180000
     }
   },
   "checkerProviders": {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@besales/ops-framework",
-  "version": "0.1.31",
+  "version": "0.1.32",
   "type": "module",
   "bin": {
     "ops-agent": "bin/ops-agent.mjs"

package/prompts/checker.md

@@ -75,6 +75,7 @@ Project-specific context приходит только через task artifacts
 27. Если plan/task/checker-context показывает golden set/eval/regression fixtures/label cards/ground truth, Checker должен требовать `## Label Card Schema`, `## Coverage Matrix`, `## Negative / Edge Cases` и `## Harness Boundary`. Golden set без schema/coverage/negative cases/source evidence/non-goals/manual-vs-automated boundary является `return_to_plan`, даже если есть общий текст про expected outputs.
 28. Если remaining issue является процессной ясностью, wording polish или удобством статуса, а план уже содержит executable scope, acceptance, risk gates and verification evidence path, не возвращай `return_to_plan`; запиши как non-blocking note или human question. Цель Check - предотвратить дорогие ошибки до Execute, а не создавать повторные внешние циклы ради косметики.
 29. Если видишь несколько related blockers, объедини их в один consolidated finding с полным checklist. Не выдавай только первый найденный blocker, если следующий внешний Check очевидно найдет соседний.
+30. Если review budget уже требует Human Arbitration, не предлагай `--force-review-budget` как обычный retry. Он допустим только при наличии human-approved `review-budget-approval.json`.
 
 ## Контракт выхода
 

package/prompts/planner.md

@@ -54,7 +54,7 @@
 18. Plan должен назвать risk tier (`R0`-`R5`), execution target and execution budget. Для `R1/R2` можно разрешить fast loop inside approved scope, но обязательно назвать stop rules.
 19. План проверки должен быть ladder-based: micro-verify during Execute, slice-verify before completion and external Verify requirement for closeout/high-risk claims.
 20. После `return_to_plan` Planner обязан выполнить один consolidated remediation pass: закрыть все blocking findings, precheck checklist и obvious adjacent gaps в `plan.md`/`check-resolution.md` до следующего Check. Не запускай внешний Check после единичной мелкой правки, если другие known blockers остаются открыты.
-21. Если Check остановлен review budget gate (`human_arbitration_required` с `reviewBudget.reason`), Planner не должен пытаться обойти это повторным запуском. Нужно либо запросить human approval на `--force-review-budget`, либо укрупнить remediation и вернуться к Check после явного решения.
+21. Если Check остановлен review budget gate (`human_arbitration_required` с `reviewBudget.reason`), Planner не должен пытаться обойти это повторным запуском. Нужно либо запросить human approval и записать `review-budget-approval.json` перед `--force-review-budget`, либо укрупнить remediation и вернуться к Check после явного решения.
 20. План должен описывать meaningful slice. Не дроби локальную работу на отдельный Plan/Check/Verify для каждого микрофикса, если риски и target остаются внутри одного approved tier.
 21. Если risk triggers или `checker-context-pack.md` показывают O2/O3 hot-path work, Planner обязан добавить `## Optimization Strategy`: tier, hot paths, expected data size, chosen efficient approach, anti-patterns avoided and bounded optimizer budget/stop rule. Цель gate — предотвратить очевидно неэффективное решение до Execute, а не запускать бесконечную оптимизацию.
 22. Если задача создает golden set/eval/regression fixtures/label cards/ground truth, Planner обязан добавить `## Label Card Schema`, `## Coverage Matrix`, `## Negative / Edge Cases` и `## Harness Boundary`. Golden set должен быть test contract with expected outputs, non-goals, source refs, missing coverage policy and manual-vs-automated boundary.

package/prompts/supervisor.md

@@ -61,8 +61,9 @@ Supervisor является code-level orchestrator по контракту: rou
 27. Если external verifier/checker/browser tooling начинает тратить непропорционально много времени или блокируется окружением, Supervisor обязан остановить loop и вынести human decision: принять internal verify/evidence, запустить external escalation вручную или изменить scope.
 28. Если deterministic Check preflight создал `precheck-remediation.md`, Supervisor не должен запускать повторный Check после точечной правки одного пункта. Сначала Planner/Executor должен закрыть весь checklist или явно отметить not-applicable с evidence/human decision в `plan.md`/`status.md`, затем допускается один fresh Check.
 29. Перед повторным Check после deterministic precheck Supervisor обязан сверить, что `precheck-remediation.md` был использован как consolidated checklist: все listed gates отражены в plan/research/status, а не закрывались по одному через серию precheck loops.
-30. External Check и external Verify имеют stage SLA по умолчанию 3 минуты и максимум один external provider run на фазу. Если `check.result.json` или `verify.result.json` вернул `human_arbitration_required` с `reviewBudget.reason`, Supervisor не запускает еще один внешний review без явного human approval и `--force-review-budget`.
+30. External Check и external Verify имеют stage SLA по умолчанию 3 минуты, максимум один external provider run на фазу и hard provider timeout 3 минуты. Если `check.result.json` или `verify.result.json` вернул `human_arbitration_required` с `reviewBudget.reason`, Supervisor не запускает еще один внешний review без явного human approval, записанного в `review-budget-approval.json`, и `--force-review-budget`.
 31. После `return_to_plan` / `return_to_execute` Supervisor должен требовать один consolidated remediation pass. Запрещено запускать серию внешних Check/Verify для мелких последовательных правок, если их можно закрыть в одном artifact update.
+32. `--force-review-budget` запрещен как обычный retry flag. Он допустим только после human decision и должен быть виден в timeline вместе с approval artifact; без approval artifact команда должна остаться на Human Arbitration.
 
 ## Hard Gate: Material Scope Expansion -> Brief Reset
 

package/prompts/verifier.md

@@ -48,7 +48,8 @@
 24. Environment/tooling failures внешнего verifier/browser smoke не должны превращаться в бесконечный `return_to_execute` loop. Если implementation evidence достаточно, но внешний инструмент заблокирован окружением, используй `pass_with_notes` или `human_arbitration_required` согласно риску.
 25. Если `plan.md` содержит golden set/eval/regression fixture sections, verifier должен проверить `Golden Set / Regression Evidence`: label cards follow schema, coverage matrix is filled, negative/edge cases are selected or documented missing, expected outputs/non-goals are inspectable, source refs/snippets exist and manual-vs-automated harness boundary is explicit.
 26. External Verify должен укладываться в bounded review model: один внешний provider run по умолчанию. Если остаются несколько blockers, верни один consolidated `return_to_execute` finding с полным checklist. Minor documentation/status polish не должен запускать новый внешний цикл, если acceptance/evidence покрыты.
-27. Если review budget gate уже вернул `human_arbitration_required`, не предлагай повторный external Verify как обычный следующий шаг. Следующий шаг: consolidated execution fix, internal evidence decision или явный human approval на `--force-review-budget`.
+27. Если review budget gate уже вернул `human_arbitration_required`, не предлагай повторный external Verify как обычный следующий шаг. Следующий шаг: consolidated execution fix, internal evidence decision или явный human approval, записанный в `review-budget-approval.json`, перед `--force-review-budget`.
+28. External provider timeout является hard gate. Если verifier не успевает уложиться в 3 минуты, верни `verifier_failed`/`timeout` или `human_arbitration_required`; не предлагай бесконечный retry с тем же input.
 
 ## Контракт выхода