baldart 4.24.1 → 4.24.3

package/CHANGELOG.md

@@ -5,6 +5,35 @@ All notable changes to BALDART will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [4.24.3] - 2026-06-10
+
+**`new2`: two follow-ups from the v4.24.2 logic review — epic closure no longer misses deferred cards, and the owner-gated classification reaches the final review.** Both are "parallel location" gaps of earlier fixes (the v4.17.2 meta-lesson): v4.22.1's epic-closure and v4.24.1's owner-gated deferral each missed one site. **PATCH** (bug-fix to the EXPERIMENTAL `new2` surface only; no config key, no change to `/new`).
+
+### Fixed
+
+- **`new2/SKILL.md` (Step 5.2) — epic-closure re-check after deferred-DONE.** The merge agent's epic-closure (Phase 6b step 5e) runs BEFORE the skill marks deferred cards DONE post-run — so an epic whose last open child was a deferred card stayed TODO forever (nothing re-checked it). The skill now re-runs the all-children-DONE check for the parents of the cards it just marked DONE, closing the epic in the same reconciliation commit.
+- **`new2.js` (Phase Final) — owner-gated deferrals no longer block the merge at final review.** The `merge-blocker`/`qa-fail` resolves checked only `.status`: a finding whose sole remedy is an external/infra step (e.g. the same pending remote `db:push` a reviewer re-raises batch-wide) set `mergeBlocked` and stranded a complete batch. The `deferralClass` check from the per-card loops (v4.24.1/v4.24.2) now applies here too: `owner-gated`/`not-a-code-defect` → follow-up tracked + `DEFERRED-OWNER-GATED` ledger row, merge proceeds; a genuine unresolved code defect still blocks.
+
+## [4.24.2] - 2026-06-10
+
+**`new2`: holistic logic review — deterministic owner_agent routing, a merge gate that no longer strands the batch, `deferralClass` end-to-end, and −N agent spawns per run.** A full logic review of `new2.js`/`new2-resolve.js`/`SKILL.md` against `/new`'s reference modules found four correctness defects and five sources of wasted spawns. The headline routing bug: the pre-flight's `ownerAgent` was passed RAW as `agentType` — the G25 "unknown→coder" rule lived only in the prompt, so any freeform value (`claude`, `backend`, a typo) was a PERMANENT spawn error → card `failed` → (combined with the merge-gate bug) the whole batch unmerged. **PATCH** (bug-fix/hardening of the EXPERIMENTAL `new2` surface only; **no `baldart.config.yml` key**, **no change to `/new`** — the schema-change propagation rule does not apply).
+
+### Fixed
+
+- **`new2.js` (A1) — deterministic owner_agent clamp in JS, not prompt.** After the pre-flight, `cardGraph[].ownerAgent` is clamped through the exact `/new` router table (`implement.md` §6b): `coder`/`ui-expert` pass through; `plan`/`visual-designer`/`motion-expert`/unknown/missing degrade to `coder`, each with a `[ROUTER]` ledger row (audit trail). The RAW value is kept for the security-relevance heuristic. Fixes the "wrong agent for the card" failure class at the code level.
+- **`new2.js` (A2) — the merge integrity gate matches its own comment.** `followup`/`blocked` cards (rolled back + tracked in the offline-safe residual ledger) no longer count as "incomplete": one failed card used to strand every committed card in an orphaned worktree with no resume path (the run wasn't `degraded`, so the skill never resumed). `failed` (crash) counts as complete ONLY when its cleanup verified the worktree clean.
+- **`new2.js` + `new2/SKILL.md` (A3) — `deferralClass` end-to-end (v4.24.1 covered only the review-blocks loop).** The ac-unmet loop now records WHY each deferral happened; `residuals[]` carry `deferralClass` and committed cards carry `deferredClasses[]`. The skill marks a deferred card DONE post-run ONLY when every class is `owner-gated`/`not-a-code-defect`/`policy-deferred-ac`; an `unresolved` class (an AC the workflow tried and failed to implement) keeps the card IN_PROGRESS and is surfaced explicitly — a genuinely unmet DoD can no longer be auto-DONE'd with a follow-up as a fig leaf (F-029).
+- **`new2.js` (A4) — crashed cards clean up after themselves.** `crashResult` now runs the rollback (whole-worktree scope — safe: all committed work lives in HEAD), so a crashed card's dirty files no longer poison the next card's E4 reconcile with a misleading `out-of-ownership` revert.
+- **`new2.js` (A5) — `${paths.backlog_dir}` instead of a hardcoded `backlog/*.yml`** in the epic-closure merge prompt (consumer portability).
+
+### Changed
+
+- **`new2.js` (B1) — per-card idempotency probe removed (−N Haiku spawns/run).** `cardGraph[].alreadyCommitted` is now probed once by the pre-flight (git-authoritative: commit in `trunk..HEAD` + validations green + no open follow-up); on a fresh worktree it costs nothing, and resume stays covered by the journal cache.
+- **`new2.js` (B2) — `security-reviewer` fan-out only when the card's files intersect `high_risk_modules`** (the bare `highRisk.length` fired it on every card of every project that configures the list); the owner-agent and brief-token triggers are unchanged.
+- **`new2.js` (B3) — review blocks and scope-expansion findings batched per kind+domain → ONE `resolve()` per group** via the existing `findings[]` contract (the same F-007 batching the final review already used). One-by-one routing was the dominant per-card cost driver (each resolve = fixer + judge + possible Tier-2 fan-out).
+- **`new2.js` (B4) — `executionMode`/`groups` removed from the pre-flight contract**: the DAG scheduler is strictly sequential (single worktree) and nothing ever read them; telemetry now reports the honest constant. Real parallelism is a future release, after A/B data.
+- **`new2.js` (B5/C) — dead code removed**: the never-populated `lessons` mechanism (every cardBrief promised batch lessons that were always `(none)`), the unreachable `resolve()` `'fatal'` branch (`new2-resolve` never returns it — v4.17.2 G1 rule), the always-empty per-card `telemetry` stub (per_card now reports `deferred`/`deferredClasses`/gate count), and the now-unused `batchFatal` flag.
+
 ## [4.24.1] - 2026-06-10
 
 **`new2`: an owner-gated gate no longer destroys a completed card (silent work-loss → commit + defer).** A real `/new2` run on a schema-change card produced **zero output** despite 52 min of work: the card's only obstacle was an *owner-gated* step (`db:check-sync` needs an approved remote `db:push`). That step was correctly `policy-deferred` up front — but the **same** condition was *also* re-raised by a reviewer as a fresh `MIGRATION_NOT_DEPLOYED` blocker, which (via the review-block branch's `s !== 'resolved' → cardBlocked`) triggered `rollbackCard`'s `git clean -fd` and **erased the completed migration**. Compounding it: the `E4-file-diff` gate logged `AUTO-REVERTED` while reverting *nothing* (leaving the card's DoD-mandated ADR/ER-doc edits orphaned in the worktree — its MAY-EDIT map was narrower than the DoD), and the residual follow-up was written *inside the worktree* and marked `materialized:true` without disk proof, so it vanished when the batch didn't merge. Root cause confirmed via the gate ledger + on-disk state + two rounds of adversarial review (the obvious "E4 reverted it" diagnosis was **wrong** — E4 was a no-op; `rollbackCard` was the eraser). **PATCH** (bug-fix to the EXPERIMENTAL `new2` skill + its workflows; **no `baldart.config.yml` key** and **no change to shared `/new` prose** — the DONE-deferral is handled entirely inside `new2`'s own merge prompt + skill, so `/new` interactive is provably unaffected; the schema-change propagation rule does not apply).

package/VERSION

@@ -1 +1 @@
-4.24.1
+4.24.3

package/framework/.claude/skills/new2/SKILL.md

@@ -140,15 +140,31 @@ returns when the batch is done. It returns:
    the offline path must match agent-path quality (F-039); it MUST pass the `/new` pre-flight field
    check. If `prd-card-writer` is unavailable (total outage), fall back to a minimal valid stub. This
    main-repo, **disk-verified** write is the SSOT — nothing is dropped even on a non-merged batch.
-2. **Mark deferred cards DONE — only after their follow-up exists (F-040/H).** Some committed cards
-   were intentionally left **NON-DONE** because they carry an open owner-gated/policy-deferred AC
-   (e.g. a pending remote `db:push`): they are `perCardResults[]` entries with `deferred:true` (also
-   `cards_deferred_done_pending` in telemetry + the `F040-deferred` ledger row). For each such card,
-   now that step 1 guaranteed its deferral's follow-up exists on disk in the main repo, set the card
-   `status: DONE` + `completed_date` + an implementation_note (`"DONE post-run (new2) — AC deferred to
-   follow-up <id>"`) in `${paths.backlog_dir}/<card>.yml`, and fold all of them into ONE reconciliation
-   commit in the MAIN repo. **If a card's follow-up could NOT be created in step 1, leave it NON-DONE
-   and surface it** — fail-loud; NEVER mark a card DONE with a silently-dropped requirement (F-029).
+2. **Mark deferred cards DONE — only after their follow-up exists AND every deferral class allows
+   it (F-040/H + A3).** Some committed cards were intentionally left **NON-DONE** because they carry
+   an open deferred AC: they are `perCardResults[]` entries with `deferred:true` plus a
+   `deferredClasses[]` array (also `cards_deferred_done_pending` in telemetry + the `F040-deferred`
+   ledger row). For each such card, **check the classes first**:
+   - **Every class ∈ {`owner-gated`, `not-a-code-defect`, `policy-deferred-ac`}** → the card's own
+     code is complete; the residual is an external/infra step. Now that step 1 guaranteed its
+     deferral's follow-up exists on disk in the main repo, set the card `status: DONE` +
+     `completed_date` + an implementation_note (`"DONE post-run (new2) — AC deferred to follow-up
+     <id>"`) in `${paths.backlog_dir}/<card>.yml`, and fold all of them into ONE reconciliation
+     commit in the MAIN repo.
+   - **ANY class ∈ {`unresolved`, `out-of-ownership`, `outage`} (or missing)** → the card's DoD is
+     genuinely NOT met (an AC the workflow tried and failed to implement). Leave it **IN_PROGRESS**
+     and surface it explicitly in the presentation: `"commit landed, DoD NON soddisfatta —
+     follow-up <id>"`. NEVER auto-DONE it — a follow-up tracks the gap, but DONE would lie (F-029).
+   **If a card's follow-up could NOT be created in step 1, leave it NON-DONE and surface it** —
+   fail-loud; NEVER mark a card DONE with a silently-dropped requirement (F-029).
+   **Then re-run the epic-closure check for the cards just marked DONE.** The merge agent's
+   epic-closure (Phase 6b step 5e) ran BEFORE this step, when the deferred cards were still
+   NON-DONE — so an epic whose last open child was a deferred card is still TODO and nothing
+   else will ever close it. For each distinct `group.parent` of the cards marked DONE here: if
+   `grep -l "parent: <EPIC-ID>" ${paths.backlog_dir}/*.yml | xargs grep -L "status: DONE"`
+   prints nothing, set the epic card `status: DONE` + `completed_date` + note
+   `"epic-closure gate — all children DONE (post-run, new2 skill)"`, folded into the SAME
+   reconciliation commit. If any child is still open, leave the epic untouched.
 3. **Resume if degraded.** If `degraded` is true, re-invoke the workflow with
    `Workflow({ scriptPath, resumeFromRunId })` (same `args` + the new `ts`). The
    per-card **skip-completed** guard makes the resume idempotent — already-committed

package/framework/.claude/workflows/new2.js

@@ -27,6 +27,10 @@ export const meta = {
 //   { report, perCardResults, gateLedger, residualFollowups, telemetry, degraded, degradationReasons, residuals }
 //   `residuals` (materialized:false) is the OFFLINE-SAFE ledger of record — the skill writes
 //   any missing follow-up YAML and, if `degraded`, resumes via Workflow({scriptPath,resumeFromRunId}).
+//   A3 — residuals[] entries carry `deferralClass` and committed perCardResults[] carry
+//   `deferred` + `deferredClasses[]`: the skill marks a deferred card DONE post-run ONLY when
+//   every class is owner-gated / not-a-code-defect / policy-deferred-ac (an 'unresolved' class
+//   = DoD genuinely unmet → the card stays IN_PROGRESS and is surfaced).
 // ───────────────────────────────────────────────────────────────────────────
 
 // F-001/F-004 — tolerate args delivered as a JSON string (parse-or-default).
@@ -53,7 +57,6 @@ const gateLedger = []        // { card, gate, decision, detail }
 const residualFollowups = [] // { card, kind, followupCard, reason }
 const residuals = []         // F-020 OFFLINE-SAFE ledger: { card, kind, evidence, materialized }
 const perCardResults = []
-let batchFatal = false
 let prodReadiness = null
 let degraded = false
 const degradationReasons = []
@@ -117,7 +120,7 @@ if (!cardIds.length) {
 // ───────────────────────────────────────────────────────────────────────────
 const PREFLIGHT_SCHEMA = {
   type: 'object',
-  required: ['ok', 'worktreePath', 'branch', 'baseline', 'executionMode', 'cards', 'cardGraph'],
+  required: ['ok', 'worktreePath', 'branch', 'baseline', 'cards', 'cardGraph'],
   additionalProperties: false,
   properties: {
     ok: { type: 'boolean' },
@@ -126,8 +129,9 @@ const PREFLIGHT_SCHEMA = {
     port: { type: ['number', 'string'] },
     baseline: { enum: ['pass', 'fail'] },
     baselineLog: { type: 'string' },
-    executionMode: { enum: ['sequential', 'team'] },
-    groups: { type: 'array', items: { type: 'object', additionalProperties: true } },
+    // B4 — executionMode/groups removed: the DAG scheduler is strictly sequential (single
+    // worktree); computing team-mode groups was pre-flight work nobody read. Real parallelism
+    // is a future release, after A/B data.
     cards: { type: 'array', items: { type: 'string' }, description: 'card ids cleared to run' },
     // F-021/F-024/F-025/F-016 — the dependency graph + per-card routing facts (the
     // script cannot read YAML; the pre-flight agent supplies these).
@@ -140,6 +144,10 @@ const PREFLIGHT_SCHEMA = {
           dependsOn: { type: 'array', items: { type: 'string' }, description: 'IN-BATCH deps only' },
           ownerAgent: { type: 'string', description: 'coder|ui-expert|visual-designer|motion-expert (G25: unknown→coder)' },
           reviewProfile: { enum: ['skip', 'light', 'balanced', 'deep'] },
+          // B1/F-026 — git-authoritative idempotency, probed ONCE here instead of one Haiku
+          // spawn per card in runCard (always false on a fresh run).
+          alreadyCommitted: { type: 'boolean', description: 'commit referencing the card exists in trunk..HEAD of the worktree AND validation re-runs green AND no open follow-up' },
+          alreadyCommittedSha: { type: 'string' },
           // F-016 — ACs whose only implementation file is outside the card MAY-EDIT,
           // pre-classified deferred-by-policy (never routed to resolve).
           policyDeferredACs: { type: 'array', items: { type: 'object', additionalProperties: true } },
@@ -212,9 +220,10 @@ try {
       g3Bullet +
       `• G4 card-field validation (setup.md 1b/1c): card missing requirements/acceptance_criteria/files_likely_touched → EXCLUDE (excluded[] + reason). Never HALT for one bad card.\n` +
       `• G5 depends-on: a card whose depends_on names a non-DONE card NOT in this batch → EXCLUDE it AND every in-batch card that transitively depends on it.\n` +
-      `• cardGraph (REQUIRED, F-021): for every runnable card return { id, dependsOn:[IN-BATCH deps only], ownerAgent (the card's owner_agent; G25 unknown→'coder'), reviewProfile (the card's review_profile; default 'balanced'), policyDeferredACs }.\n` +
+      `• cardGraph (REQUIRED, F-021): for every runnable card return { id, dependsOn:[IN-BATCH deps only], ownerAgent (the card's owner_agent; G25 unknown→'coder'), reviewProfile (the card's review_profile; default 'balanced'), policyDeferredACs, alreadyCommitted, alreadyCommittedSha }.\n` +
+      `• B1/F-026 idempotency (per card, AFTER the worktree exists): set alreadyCommitted:true (+ alreadyCommittedSha) IFF ALL hold: (a) a commit referencing the card id exists in ${TRUNK}..HEAD of the worktree; (b) the card's validation_commands re-run GREEN right now; (c) NO open follow-up card for it exists in ${paths.backlog_dir || 'backlog'}. On a FRESH worktree ${TRUNK}..HEAD is empty → all false, zero extra work.\n` +
       `• F-016 AC↔ownership consistency: for each acceptance_criterion, derive the file(s) it requires editing. If those files are NOT a subset of the card's MAY-EDIT/files_likely_touched → add the AC to policyDeferredACs:[{n,text,owningCard|owningFile,reason}] (it will become ONE follow-up, never a resolve). Do the same for any AC whose remedy is an owner-gated infra action (remote db push / deploy / secret / DNS).\n` +
-      `• Complexity (setup.md 3c): decide executionMode sequential|team (+ groups for team). Build the file-ownership map → /tmp; return ownershipMapPath. F-040: each card's MAY-EDIT = files_likely_touched ∪ every path NAMED EXPLICITLY in that card's acceptance_criteria/definition_of_done (an ADR the DoD says to update, the data-model / ER doc for a schema-change, etc.) — so editing a DoD-mandated doc is NOT a file-diff violation. Do NOT add another card's files this way.\n` +
+      `• Ownership (setup.md 3c): build the file-ownership map → /tmp; return ownershipMapPath. F-040: each card's MAY-EDIT = files_likely_touched ∪ every path NAMED EXPLICITLY in that card's acceptance_criteria/definition_of_done (an ADR the DoD says to update, the data-model / ER doc for a schema-change, etc.) — so editing a DoD-mandated doc is NOT a file-diff violation. Do NOT add another card's files this way.\n` +
       `• Persist per-card architecture baselines to /tmp/arch-baseline-<CARD>.md; return archBaselinePaths.\n\n` +
       `Return the structured PREFLIGHT object. ok:false ONLY if the workspace is unworkable.`,
     { label: 'preflight', phase: 'Pre-flight', agentType: 'general-purpose', schema: PREFLIGHT_SCHEMA }
@@ -240,6 +249,20 @@ const runnableCards = preflight.cards || []
 const cardGraph = preflight.cardGraph || []
 const graphById = {}
 for (const n of cardGraph) graphById[n.id] = n
+
+// A1/G25 — deterministic owner_agent clamp, in JS not prompt. An invalid agentType is a
+// PERMANENT spawn error (→ crashResult → card 'failed'), so the /new router table
+// (implement.md §6b) must be a code-level guarantee: plan/visual-designer/motion-expert
+// degrade to coder (their briefing variant is not implemented — same as /new), anything
+// unknown/missing → coder. The RAW value is kept for the security-relevance heuristic.
+const OWNER_SPAWN = { coder: 'coder', 'ui-expert': 'ui-expert' }
+for (const n of cardGraph) {
+  const raw = String(n.ownerAgent || '').trim()
+  const spawn = OWNER_SPAWN[raw.toLowerCase()] || 'coder'
+  n.ownerAgentRaw = raw
+  n.ownerAgent = spawn
+  ledger(n.id, 'router', spawn === raw ? 'OK' : 'CLAMPED', `owner_agent='${raw || '(missing)'}' → spawn=${spawn}`)
+}
 const sharedCtx = {
   worktreePath: preflight.worktreePath,
   branch: preflight.branch,
@@ -253,7 +276,7 @@ const sharedCtx = {
 // F-016/F-010 — materialise ONE follow-up per policy-deferred AC up front; never resolve.
 for (const n of cardGraph) {
   for (const ac of (n.policyDeferredACs || [])) {
-    residuals.push({ card: n.id, kind: 'policy-deferred-ac', evidence: `AC-${ac.n}: ${ac.text} (${ac.reason || 'out-of-ownership / owner-gated'})`, materialized: false })
+    residuals.push({ card: n.id, kind: 'policy-deferred-ac', evidence: `AC-${ac.n}: ${ac.text} (${ac.reason || 'out-of-ownership / owner-gated'})`, materialized: false, deferralClass: 'policy-deferred-ac' })
     acceptedDeferrals.add(sig(n.id, 'ac-unmet', `AC-${ac.n}: ${ac.text}`))
     acceptedDeferrals.add(acSig(n.id, ac.n)) // F-040 (Fix G) — text-drift-proof AC key
 
@@ -309,14 +332,16 @@ async function resolve(kind, card, evidence, extra) {
     if (e && (e.transientExhausted || isTransient(e))) noteDegraded('outage')
     res = { status: 'followup', reason: 'resolve workflow error: ' + String(e && e.message), deferralClass: 'outage' }
   }
+  // C — the 'fatal' branch was removed: new2-resolve never returns it (unreachable dead code,
+  // same rule as v4.17.2 G1).
   const status = (res && res.status) || 'followup'
   const deferralClass = (res && res.deferralClass) || null
-  if (status === 'fatal') { batchFatal = true; ledger(card, 'resolve:' + kind, 'FATAL', (res && res.reason) || ''); return { status, deferralClass } }
   if (status === 'followup') {
     acceptedDeferrals.add(s) // F-028 — a deferred residual must not be re-routed by a later gate.
     const fc = (res && res.followupCard) || null
     residualFollowups.push({ card, kind, followupCard: fc || '(pending)', reason: (res && res.reason) || '' })
-    residuals.push({ card, kind, evidence, materialized: !!fc })
+    // A3 — deferralClass rides the residual so the skill can gate DONE-reconciliation on it.
+    residuals.push({ card, kind, evidence, materialized: !!fc, deferralClass })
   }
   // F-022 — route out-of-scope findings the resolve surfaced.
   for (const osf of (res && res.outOfScopeFindings) || []) {
@@ -334,19 +359,23 @@ async function resolve(kind, card, evidence, extra) {
 async function rollbackCard(cardId, mayEdit) {
   // F-018 — restore the card's files to HEAD so a failed card never poisons the next.
   // Safe at file granularity because the DAG guarantees all deps are already committed
-  // (HEAD contains their work); this removes only THIS card's uncommitted changes.
+  // (HEAD contains their work); this removes only THIS card's uncommitted changes. With an
+  // empty mayEdit (A4 crash path: ownership unknown) the scope is the whole worktree — still
+  // safe for the same reason: everything good is in HEAD, only the crashed card is dirty.
+  // Returns true when the cleanup VERIFIED clean (A2 uses this to un-strand the merge gate).
+  const scope = (mayEdit || []).map((p) => `'${p}'`).join(' ') || '.'
   try {
-    await agentSafe(
-      `In the worktree ${sharedCtx.worktreePath}, restore the working tree to a CLEAN state for a FAILED card: \`git restore --source=HEAD --worktree --staged -- ${(mayEdit || []).map((p) => `'${p}'`).join(' ') || '.'}\` then \`git clean -fd\` ONLY within the card MAY-EDIT paths. Do NOT touch other cards' committed work. Confirm \`git status --porcelain\` is empty for those paths.`,
+    const r = await agentSafe(
+      `In the worktree ${sharedCtx.worktreePath}, restore the working tree to a CLEAN state for a FAILED card: \`git restore --source=HEAD --worktree --staged -- ${scope}\` then \`git clean -fd ${scope === '.' ? '' : '-- ' + scope}\` (with scope '.' this cleans the whole worktree — safe: all committed work lives in HEAD). Do NOT touch other cards' committed work. Confirm \`git status --porcelain\` is empty for the scope.`,
       { label: `rollback:${cardId}`, phase: 'Implement', agentType: 'general-purpose', model: 'haiku',
         schema: { type: 'object', required: ['clean'], additionalProperties: true, properties: { clean: { type: 'boolean' }, note: { type: 'string' } } } }
     )
-  } catch (_) { /* best-effort; OUTAGE path already flagged by caller */ }
+    return !!(r && r.clean)
+  } catch (_) { return false /* best-effort; OUTAGE path already flagged by caller */ }
 }
 
-async function runCard(cardId, cardPath, lessons) {
+async function runCard(cardId, cardPath) {
   const gates = []
-  const tele = {}
   const node = graphById[cardId] || {}
   const ownerAgent = node.ownerAgent || 'coder'
   const reviewProfile = node.reviewProfile || 'balanced'
@@ -354,24 +383,23 @@ async function runCard(cardId, cardPath, lessons) {
   // NON-DONE; the SKILL marks it DONE post-run only after the deferral's follow-up exists on disk
   // in the main repo. Seeded from the pre-flight policy-deferred ACs; set by any owner-gated review
   // deferral or unmet-AC follow-up below.
+  // A3 — deferredClasses records WHY each deferral happened. The skill marks the card DONE
+  // post-run ONLY if every class is owner-gated/not-a-code-defect/policy-deferred-ac; a class
+  // like 'unresolved' (a genuinely unimplemented AC) keeps the card IN_PROGRESS — never auto-DONE.
   let deferredOpen = ((node.policyDeferredACs) || []).length > 0
+  const deferredClasses = new Set(deferredOpen ? ['policy-deferred-ac'] : [])
   function g(name, decision, detail) { gates.push({ gate: name, decision, detail: detail || '' }); ledger(cardId, name, decision, detail) }
 
-  // F-026 — skip-completed: only if committed AND gates green for that sha AND no open follow-up.
-  // Keyed on the receipt, NOT the (unreliable) DONE flag.
-  try {
-    const probe = await agentSafe(
-      `Idempotency probe for card ${cardId} in worktree ${sharedCtx.worktreePath}. Return done:true ONLY if ALL hold: (a) a commit referencing ${cardId} exists in ${TRUNK}..HEAD; (b) the card's validation_commands re-run GREEN right now (tsc/lint/card greps); (c) NO open follow-up card for ${cardId} exists in ${paths.backlog_dir || 'backlog'}. Otherwise done:false. Do not edit anything.`,
-      { label: `probe:${cardId}`, phase: 'Implement', agentType: 'general-purpose', model: 'haiku',
-        schema: { type: 'object', required: ['done'], additionalProperties: true, properties: { done: { type: 'boolean' }, commit: { type: 'string' }, note: { type: 'string' } } } }
-    )
-    if (probe && probe.done) {
-      g('skip-completed', 'CACHED', probe.commit || 'already committed + green')
-      return { card: cardId, status: 'committed', commit: probe.commit || '-', filesChanged: [], scopeFiles: [], archBaselinePath: `/tmp/arch-baseline-${cardId}.md`, gates, telemetry: tele }
-    }
-  } catch (e) { if (e && e.transientExhausted) { noteDegraded('outage'); return { card: cardId, status: 'pending', gates, telemetry: tele } } }
+  // F-026/B1 — skip-completed from the PRE-FLIGHT's git-authoritative probe (cardGraph[].
+  // alreadyCommitted), not a per-card agent spawn: on a fresh run the old Haiku probe was N
+  // guaranteed-false spawns, and on resume the journal cache already covers it. Keyed on the
+  // receipt (commit in TRUNK..HEAD + green + no open follow-up), NOT the unreliable DONE flag.
+  if (node.alreadyCommitted) {
+    g('skip-completed', 'CACHED', node.alreadyCommittedSha || 'pre-flight: commit in trunk..HEAD + green + no open follow-up')
+    return { card: cardId, status: 'committed', commit: node.alreadyCommittedSha || '-', filesChanged: [], scopeFiles: [], archBaselinePath: `/tmp/arch-baseline-${cardId}.md`, gates }
+  }
 
-  const cardBrief = `${projectBrief}\n\nCard: ${cardId}\nCard YAML: ${cardPath}\nOwner agent: ${ownerAgent} · Review profile: ${reviewProfile}\nWorktree: ${sharedCtx.worktreePath} (cd into it)\nFile-ownership map: ${sharedCtx.ownershipMapPath}\nBatch lessons so far: ${lessons.length ? lessons.join(' | ') : '(none)'}\nArch baseline (write to /tmp/arch-baseline-${cardId}.md): reuse if present.\nNOTE: ACs already pre-classified as policy-deferred MUST NOT be implemented or routed — they are tracked as follow-ups.`
+  const cardBrief = `${projectBrief}\n\nCard: ${cardId}\nCard YAML: ${cardPath}\nOwner agent: ${ownerAgent} · Review profile: ${reviewProfile}\nWorktree: ${sharedCtx.worktreePath} (cd into it)\nFile-ownership map: ${sharedCtx.ownershipMapPath}\nArch baseline (write to /tmp/arch-baseline-${cardId}.md): reuse if present.\nNOTE: ACs already pre-classified as policy-deferred MUST NOT be implemented or routed — they are tracked as follow-ups.`
 
   // --- Phase 1+2: dispatch the card's OWNER_AGENT (F-024), not general-purpose. ---
   let impl
@@ -386,11 +414,11 @@ async function runCard(cardId, cardPath, lessons) {
           properties: { epic: { type: 'boolean' }, buildBlocked: { type: 'boolean' }, blockedGate: { type: 'string' }, unmetACs: { type: 'array', items: { type: 'object', additionalProperties: true } }, scopeFiles: { type: 'array', items: { type: 'string' } }, mayEditPaths: { type: 'array', items: { type: 'string' } }, revertedOutOfOwnership: { type: 'array', items: { type: 'string' } }, fileDiffViolation: { type: 'boolean' }, note: { type: 'string' } } } }
     )
   } catch (e) {
-    if (e && e.transientExhausted) { noteDegraded('outage'); return { card: cardId, status: 'pending', gates, telemetry: tele } }
+    if (e && e.transientExhausted) { noteDegraded('outage'); return { card: cardId, status: 'pending', gates } }
     throw e
   }
 
-  if (impl && impl.epic) { g('router', 'EPIC-SKIPPED', 'epic card'); return { card: cardId, status: 'epic-skipped', gates, commit: '-', telemetry: tele } }
+  if (impl && impl.epic) { g('router', 'EPIC-SKIPPED', 'epic card'); return { card: cardId, status: 'epic-skipped', gates, commit: '-' } }
 
   const mayEdit = (impl && impl.mayEditPaths) || []
   const scopeFiles = (impl && impl.scopeFiles) || []
@@ -407,22 +435,27 @@ async function runCard(cardId, cardPath, lessons) {
   if (impl && impl.buildBlocked) {
     const s = (await resolve('blocker', cardId, `Phase-2 gate failing: ${impl.blockedGate}`, { mayEditPaths: mayEdit, scopeFiles, domain: 'code' })).status
     g('G26-build', s === 'resolved' ? 'RESOLVED' : 'FOLLOWUP', impl.blockedGate)
-    if (s !== 'resolved') { await rollbackCard(cardId, mayEdit); return { card: cardId, status: 'followup', gates, commit: '-', scopeFiles, telemetry: tele } }
+    if (s !== 'resolved') { await rollbackCard(cardId, mayEdit); return { card: cardId, status: 'followup', gates, commit: '-', scopeFiles } }
   }
 
   // F-010/F-016 — unmet ACs that are policy-deferred are skipped (already tracked).
   for (const ac of (impl && impl.unmetACs) || []) {
-    if (acceptedDeferrals.has(acSig(cardId, ac.n)) || acceptedDeferrals.has(sig(cardId, 'ac-unmet', `AC-${ac.n}: ${ac.text}`))) { g('G7-ac-closure', 'DEFERRED-BY-POLICY', `AC-${ac.n}`); deferredOpen = true; continue }
-    const s = (await resolve('ac-unmet', cardId, `AC-${ac.n}: ${ac.text}`, { mayEditPaths: mayEdit, scopeFiles, domain: 'code' })).status
-    g('G7-ac-closure', s === 'resolved' ? 'RESOLVED' : 'FOLLOWUP', `AC-${ac.n}`)
-    if (s !== 'resolved') deferredOpen = true // F-040/H — unmet AC tracked as follow-up → card stays NON-DONE
+    if (acceptedDeferrals.has(acSig(cardId, ac.n)) || acceptedDeferrals.has(sig(cardId, 'ac-unmet', `AC-${ac.n}: ${ac.text}`))) { g('G7-ac-closure', 'DEFERRED-BY-POLICY', `AC-${ac.n}`); deferredOpen = true; deferredClasses.add('policy-deferred-ac'); continue }
+    const r = await resolve('ac-unmet', cardId, `AC-${ac.n}: ${ac.text}`, { mayEditPaths: mayEdit, scopeFiles, domain: 'code' })
+    g('G7-ac-closure', r.status === 'resolved' ? 'RESOLVED' : 'FOLLOWUP', `AC-${ac.n}`)
+    // A3 — record the deferral CLASS (v4.24.1 did this only for the blocks loop). An
+    // 'unresolved' AC still commits (never destroy completed work) but the class keeps the
+    // card from being auto-DONE by the skill — its DoD is genuinely not met.
+    if (r.status !== 'resolved') { deferredOpen = true; deferredClasses.add(r.deferralClass || 'unresolved') }
   }
 
   // --- Review fan-out (F-024/F-025): specialized agents, trimmed by review_profile. ---
   // G5 — scopeFiles tokens alone miss a security card whose files don't carry them. Also
-  // trigger security-reviewer on the card's owner_agent and its brief (title/requirements).
-  const securityRelevant = highRisk.length
-    || ownerAgent === 'security-reviewer'
+  // trigger security-reviewer on the card's RAW owner_agent and its brief (title/requirements).
+  // B2 — high_risk_modules triggers only when THIS card's files intersect them (`highRisk.length`
+  // alone fired security-reviewer on every card of every project that configures the list).
+  const securityRelevant = highRisk.some((m) => scopeFiles.some((f) => String(f).includes(String(m))))
+    || node.ownerAgentRaw === 'security-reviewer'
     || /auth|security|secret|migration|rls/i.test(`${scopeFiles.join(' ')} ${cardBrief}`)
   // v4.18.0 — at `light`, Codex is the SOLE finder (cost-shift off Claude); `code-reviewer` is the
   // fallback when the companion is unavailable. The FP-gate equivalent is preserved downstream: any
@@ -463,9 +496,23 @@ async function runCard(cardId, cardPath, lessons) {
   const blocks = reviewResults.flatMap((r) => (r.blocks || [])).filter((b) => b && b.gate && b.evidence)
   const scopeExp = reviewResults.flatMap((r) => (r.scopeExpansion || []))
   let cardBlocked = false
+  // B3 — group blocks by kind+domain → ONE resolve per group via findings[] (the same F-007
+  // batching the final review already does). One-by-one routing was the dominant per-card cost
+  // driver (each resolve = fixer + judge + possible Tier-2 fan-out). A group is homogeneous by
+  // kind+domain, so its single status/deferralClass is coherent for every block in it.
+  const blockGroups = {}
   for (const b of blocks) {
     const kind = /e2e/i.test(b.gate) ? 'e2e-blocked' : /qa/i.test(b.gate) ? 'qa-fail' : 'blocker'
-    const r = await resolve(kind, cardId, `${b.gate}: ${b.evidence}`, { mayEditPaths: mayEdit, scopeFiles, domain: b.domain || 'code' })
+    const key = `${kind}::${b.domain || 'code'}`
+    ;(blockGroups[key] = blockGroups[key] || []).push(Object.assign({ kindResolved: kind }, b))
+  }
+  for (const key of Object.keys(blockGroups)) {
+    const grp = blockGroups[key]
+    const kind = grp[0].kindResolved
+    const dom = grp[0].domain || 'code'
+    const r = await resolve(kind, cardId, grp.map((b) => `${b.gate}: ${b.evidence}`).join(' || '),
+      { mayEditPaths: mayEdit, scopeFiles, domain: dom,
+        findings: grp.map((b) => ({ kind, evidence: `${b.gate}: ${b.evidence}`, domain: b.domain || 'code' })) })
     // F-040 — THE primary fix. An owner-gated / not-a-code-defect deferral means the card's OWN
     // code is complete and correct; the residual is an external/infra step (e.g. a remote db push)
     // already tracked as a follow-up. Do NOT roll the card back — it proceeds to commit, NON-DONE
@@ -473,16 +520,22 @@ async function runCard(cardId, cardPath, lessons) {
     // `s !== 'resolved' → cardBlocked` which destroyed a completed migration card's work over a db:push gate.
     // A genuine unresolved CODE defect (or out-of-ownership/baseline/outage) still blocks + rolls back.
     const ownerGated = r.status === 'followup' && (r.deferralClass === 'owner-gated' || r.deferralClass === 'not-a-code-defect')
-    g(b.gate, r.status === 'resolved' ? 'RESOLVED' : ownerGated ? 'DEFERRED-OWNER-GATED' : 'FOLLOWUP', b.evidence)
-    if (ownerGated) deferredOpen = true
+    for (const b of grp) g(b.gate, r.status === 'resolved' ? 'RESOLVED' : ownerGated ? 'DEFERRED-OWNER-GATED' : 'FOLLOWUP', b.evidence)
+    if (ownerGated) { deferredOpen = true; deferredClasses.add(r.deferralClass) }
     else if (r.status !== 'resolved') cardBlocked = true
   }
-  for (const sx of scopeExp) {
-    const s = (await resolve('scope-expansion', cardId, sx.evidence || '', { mayEditPaths: mayEdit, scopeFiles, domain: sx.domain || 'code' })).status
-    g('scope-expansion', s === 'resolved' ? 'INTEGRATED' : 'FOLLOWUP', sx.evidence || '')
+  // B3 — scope-expansion findings batched per domain (same rationale).
+  const sxGroups = {}
+  for (const sx of scopeExp) { const d = sx.domain || 'code'; (sxGroups[d] = sxGroups[d] || []).push(sx) }
+  for (const dom of Object.keys(sxGroups)) {
+    const grp = sxGroups[dom]
+    const s = (await resolve('scope-expansion', cardId, grp.map((x) => x.evidence || '').join(' || '),
+      { mayEditPaths: mayEdit, scopeFiles, domain: dom,
+        findings: grp.map((x) => ({ kind: 'scope-expansion', evidence: x.evidence || '', domain: dom })) })).status
+    for (const sx of grp) g('scope-expansion', s === 'resolved' ? 'INTEGRATED' : 'FOLLOWUP', sx.evidence || '')
   }
 
-  if (cardBlocked) { await rollbackCard(cardId, mayEdit); return { card: cardId, status: 'followup', gates, commit: '-', scopeFiles, archBaselinePath: `/tmp/arch-baseline-${cardId}.md`, telemetry: tele } }
+  if (cardBlocked) { await rollbackCard(cardId, mayEdit); return { card: cardId, status: 'followup', gates, commit: '-', scopeFiles, archBaselinePath: `/tmp/arch-baseline-${cardId}.md` } }
 
   // --- Phase 4 — commit (F-023: Haiku + git-status reconcile, never git add -A). ---
   // F-040/H — DONE policy. A card with an OPEN owner-gated/policy-deferred AC commits its code but
@@ -503,14 +556,14 @@ async function runCard(cardId, cardPath, lessons) {
         schema: { type: 'object', required: ['committed'], additionalProperties: true, properties: { committed: { type: 'boolean' }, commit: { type: 'string' }, filesChanged: { type: 'array', items: { type: 'string' } }, reconcileNote: { type: 'string' } } } }
     )
   } catch (e) {
-    if (e && e.transientExhausted) { noteDegraded('outage'); await rollbackCard(cardId, mayEdit); return { card: cardId, status: 'pending', gates, telemetry: tele } }
+    if (e && e.transientExhausted) { noteDegraded('outage'); await rollbackCard(cardId, mayEdit); return { card: cardId, status: 'pending', gates } }
     throw e
   }
 
   if (!commitRes || !commitRes.committed) {
     const s = (await resolve('blocker', cardId, 'commit blocked after retries', { mayEditPaths: mayEdit, scopeFiles, domain: 'code' })).status
     g('G16-commit', s === 'resolved' ? 'RESOLVED' : 'FOLLOWUP')
-    if (s !== 'resolved') { await rollbackCard(cardId, mayEdit); return { card: cardId, status: 'followup', gates, commit: '-', scopeFiles, archBaselinePath: `/tmp/arch-baseline-${cardId}.md`, telemetry: tele } }
+    if (s !== 'resolved') { await rollbackCard(cardId, mayEdit); return { card: cardId, status: 'followup', gates, commit: '-', scopeFiles, archBaselinePath: `/tmp/arch-baseline-${cardId}.md` } }
   }
   if (commitRes && commitRes.reconcileNote) g('commit-reconcile', 'NOTE', commitRes.reconcileNote)
 
@@ -520,9 +573,12 @@ async function runCard(cardId, cardPath, lessons) {
     commit: (commitRes && commitRes.commit) || '-',
     filesChanged: (commitRes && commitRes.filesChanged) || [],
     // F-040/H — true when this committed card is intentionally left NON-DONE (open deferral). The
-    // merge agent leaves it non-DONE and the SKILL marks it DONE after its follow-up materialises.
+    // merge agent leaves it non-DONE and the SKILL marks it DONE after its follow-up materialises —
+    // but ONLY if every class in deferredClasses is owner-gated/not-a-code-defect/policy-deferred-ac
+    // (A3): an 'unresolved' class means the DoD is genuinely unmet → the card stays IN_PROGRESS.
     deferred: deferredOpen,
-    scopeFiles, archBaselinePath: `/tmp/arch-baseline-${cardId}.md`, gates, telemetry: tele,
+    deferredClasses: Array.from(deferredClasses),
+    scopeFiles, archBaselinePath: `/tmp/arch-baseline-${cardId}.md`, gates,
   }
 }
 
@@ -533,7 +589,7 @@ async function runCard(cardId, cardPath, lessons) {
 // re-queue with a cap; sustained outage → stop cleanly + degraded return.
 // ───────────────────────────────────────────────────────────────────────────
 phase('Implement')
-const lessons = []
+const failedCleaned = new Set() // A4 — failed cards whose crash cleanup VERIFIED clean (un-strands the merge gate)
 const state = {}            // cardId → 'pending'|'committed'|'followup'|'epic-skipped'|'blocked'|'failed'
 const attempts = {}         // cardId → retry count (transient)
 const RETRY_CAP = 2
@@ -563,7 +619,7 @@ while (guard-- > 0) {
   const next = runnableCards.find((id) => state[id] === 'pending' && depsSatisfied(id))
   if (!next) break // nothing runnable (all done/blocked, or a cycle/stall)
 
-  const r = await runCard(next, pathById[next], lessons).catch((e) => crashResult(next, e))
+  const r = await runCard(next, pathById[next]).catch((e) => crashResult(next, e))
   if (r.status === 'pending') {
     attempts[next]++
     consecutiveOutage++
@@ -578,7 +634,6 @@ while (guard-- > 0) {
   consecutiveOutage = 0
   state[next] = r.status
   perCardResults.push(r)
-  if (r.note) lessons.push(`${next}: ${r.note}`)
 }
 
 // Any still-pending card after the loop (outage) is recorded as a residual.
@@ -586,11 +641,17 @@ for (const id of runnableCards) {
   if (state[id] === 'pending') residuals.push({ card: id, kind: 'not-reached', evidence: 'batch paused before this card ran', materialized: false })
 }
 
-function crashResult(id, e) {
-  if (e && (e.transientExhausted || isTransient(e))) { return { card: id, status: 'pending', gates: [], telemetry: {} } }
+async function crashResult(id, e) {
+  if (e && (e.transientExhausted || isTransient(e))) { return { card: id, status: 'pending', gates: [] } }
   residuals.push({ card: id, kind: 'agent-crash', evidence: String(e && e.message), materialized: false })
   ledger(id, 'runCard', 'ERROR', String(e && e.message))
-  return { card: id, status: 'failed', gates: [{ gate: 'runCard', decision: 'ERROR', detail: String(e && e.message) }], commit: '-', telemetry: {} }
+  // A4 — a crashed card used to leave its dirty files in the worktree (the NEXT card's owner
+  // agent then reverted them via E4 with a misleading 'out-of-ownership' label). Clean up here;
+  // a VERIFIED-clean failure also stops stranding the merge gate (A2).
+  const clean = await rollbackCard(id, [])
+  if (clean) failedCleaned.add(id)
+  ledger(id, 'crash-cleanup', clean ? 'CLEAN' : 'DIRTY', clean ? 'worktree restored to HEAD' : 'cleanup unverified — merge stays blocked')
+  return { card: id, status: 'failed', gates: [{ gate: 'runCard', decision: 'ERROR', detail: String(e && e.message) }], commit: '-' }
 }
 
 const committed = perCardResults.filter((r) => r.status === 'committed')
@@ -601,8 +662,8 @@ const committed = perCardResults.filter((r) => r.status === 'committed')
 // ───────────────────────────────────────────────────────────────────────────
 phase('Final')
 let finalSummary = null
-let mergeBlocked = batchFatal || degraded
-if (committed.length && !batchFatal && !degraded) {
+let mergeBlocked = degraded
+if (committed.length && !degraded) {
   const reviewScopeFiles = dedupe(committed.flatMap((r) => r.scopeFiles || []))
   const archPaths = committed.map((r) => r.archBaselinePath).filter(Boolean)
   const allArch = archPaths.length === committed.length ? archPaths : null
@@ -638,24 +699,32 @@ if (committed.length && !batchFatal && !degraded) {
       const area = (Array.isArray(f.files) && f.files[0]) || (f.file) || (f.domain || 'misc')
       ;(byArea[area] = byArea[area] || []).push(f)
     }
+    // F-040 (parallel location, v4.24.3) — the owner-gated classification applies HERE too,
+    // not just in the per-card loops: a final-review finding whose only remedy is an external/
+    // infra step (e.g. the same pending remote db:push a reviewer re-raises batch-wide) must
+    // NOT block the merge — the batch's code is complete and the residual is already tracked
+    // as a follow-up with its deferralClass. Only a genuine unresolved CODE defect blocks.
+    const ownerGatedFinal = (r) => r.status === 'followup' && (r.deferralClass === 'owner-gated' || r.deferralClass === 'not-a-code-defect')
     for (const area of Object.keys(byArea)) {
       const group = byArea[area]
-      const s = (await resolve('merge-blocker', group[0].finding_id || firstCard,
+      const r = await resolve('merge-blocker', group[0].finding_id || firstCard,
         group.map((f) => `${f.severity} ${f.title}: ${f.evidence}`).join(' || '),
         { mayEditPaths: reviewScopeFiles, scopeFiles: reviewScopeFiles, domain: group[0].domain || 'code',
-          findings: group.map((f) => ({ kind: 'merge-blocker', evidence: `${f.title}: ${f.evidence}`, domain: f.domain || 'code' })) })).status
-      if (s !== 'resolved') mergeBlocked = true
+          findings: group.map((f) => ({ kind: 'merge-blocker', evidence: `${f.title}: ${f.evidence}`, domain: f.domain || 'code' })) })
+      if (ownerGatedFinal(r)) ledger(group[0].finding_id || firstCard, 'final-merge-blocker', 'DEFERRED-OWNER-GATED', `${r.deferralClass} — follow-up tracked, merge NOT blocked`)
+      else if (r.status !== 'resolved') mergeBlocked = true
     }
     if (finalSummary && finalSummary.failingGates && finalSummary.failingGates.length) {
-      const s = (await resolve('qa-fail', firstCard, `final gates failing: ${finalSummary.failingGates.join(', ')}`, { mayEditPaths: reviewScopeFiles, scopeFiles: reviewScopeFiles, domain: 'code' })).status
-      if (s !== 'resolved') mergeBlocked = true
+      const r = await resolve('qa-fail', firstCard, `final gates failing: ${finalSummary.failingGates.join(', ')}`, { mayEditPaths: reviewScopeFiles, scopeFiles: reviewScopeFiles, domain: 'code' })
+      if (ownerGatedFinal(r)) ledger(firstCard, 'final-qa', 'DEFERRED-OWNER-GATED', `${r.deferralClass} — follow-up tracked, merge NOT blocked`)
+      else if (r.status !== 'resolved') mergeBlocked = true
     }
   } else {
     ledger(firstCard, 'final-review', 'SKIPPED', degraded ? 'degraded' : 'workflow returned null')
     mergeBlocked = true
   }
 } else {
-  ledger(firstCard, 'final-review', 'SKIPPED', batchFatal ? 'batch fatal' : degraded ? 'degraded (outage)' : 'no committed cards')
+  ledger(firstCard, 'final-review', 'SKIPPED', degraded ? 'degraded (outage)' : 'no committed cards')
 }
 
 // ───────────────────────────────────────────────────────────────────────────
@@ -666,12 +735,19 @@ if (committed.length && !batchFatal && !degraded) {
 // ───────────────────────────────────────────────────────────────────────────
 phase('Merge')
 let mergeResult = null
-const incomplete = runnableCards.filter((id) => state[id] !== 'committed' && state[id] !== 'epic-skipped')
+// A2 — 'followup'/'blocked' cards were rolled back and their residuals live in the offline-safe
+// ledger: the worktree holds ONLY gate-passing committed work, so they must not strand the batch
+// (the old filter contradicted the gate's own comment and orphaned the worktree with no resume
+// path — not degraded, so the skill never resumed). 'failed' counts as complete ONLY when its
+// crash cleanup VERIFIED the worktree clean (A4); an unverified crash still blocks the merge.
+const incomplete = runnableCards.filter((id) =>
+  !(state[id] === 'committed' || state[id] === 'epic-skipped' || state[id] === 'followup'
+    || state[id] === 'blocked' || (state[id] === 'failed' && failedCleaned.has(id))))
 // F-040/H — committed cards intentionally left NON-DONE (open owner-gated/policy-deferred AC). They
 // ARE merged (their code is complete), but Phase 6b must NOT force them to DONE; the SKILL does that
 // post-run once the deferral's follow-up exists on disk. They count as complete for the merge gate.
 const deferredCards = committed.filter((r) => r.deferred).map((r) => r.card)
-const integrityOK = committed.length > 0 && !mergeBlocked && !batchFatal && !degraded && incomplete.length === 0
+const integrityOK = committed.length > 0 && !mergeBlocked && !degraded && incomplete.length === 0
 if (!committed.length) {
   ledger(firstCard, 'merge', 'SKIPPED', 'no committed cards')
 } else if (!integrityOK) {
@@ -686,7 +762,7 @@ if (!committed.length) {
         `• F-030 HARD RULE: NEVER \`git add\`/commit code that did not pass the per-card gates. If the worktree is dirty with uncommitted code → DO NOT commit it; leave it, set uncommittedLeft:true, and report. NO "safety commit". Security/migration code is NEVER swept in.\n` +
         `• F-029 HARD RULE: Phase 6b reconciliation marks a card DONE ONLY if it has a real commit in ${TRUNK}..HEAD AND its gates are green. NEVER force a non-implemented card to DONE. Return forcedDone:[] (must be empty).\n` +
         `• F-040 DEFERRED CARDS — leave NON-DONE (do NOT force to DONE in Phase 6b): ${deferredCards.length ? deferredCards.join(' ') : '(none)'}. These committed their code but carry an OPEN owner-gated/policy-deferred AC (e.g. a pending remote db:push). Their YAML is INTENTIONALLY IN_PROGRESS; the new2 skill marks them DONE post-run after materialising the deferral's follow-up. They ARE part of the merge — just skip them in the DONE-reconciliation. Return deferredLeftOpen:[the ones you left non-DONE].\n` +
-        `• EPIC CLOSURE (Phase 6b step 5e): the epic/parent card (group.is_epic:true) is NOT in the batch and stays TODO unless closed here. For each distinct group.parent of the batch cards (and any epic card in the batch itself): if EVERY child of that epic — \`grep -l "parent: <EPIC-ID>" backlog/*.yml | xargs grep -L "status: DONE"\` prints nothing — set the epic card status:DONE + completed_date + note "epic-closure gate — all children DONE" and fold into the reconciliation commit. If any child is still open → leave the epic untouched. This is NOT a forcedDone violation (the epic is a tracker, gated on all-children-DONE, not on its own commit). Return epicsClosed:[<EPIC-IDs marked DONE>].\n` +
+        `• EPIC CLOSURE (Phase 6b step 5e): the epic/parent card (group.is_epic:true) is NOT in the batch and stays TODO unless closed here. For each distinct group.parent of the batch cards (and any epic card in the batch itself): if EVERY child of that epic — \`grep -l "parent: <EPIC-ID>" ${paths.backlog_dir || 'backlog'}/*.yml | xargs grep -L "status: DONE"\` prints nothing — set the epic card status:DONE + completed_date + note "epic-closure gate — all children DONE" and fold into the reconciliation commit. If any child is still open → leave the epic untouched. This is NOT a forcedDone violation (the epic is a tracker, gated on all-children-DONE, not on its own commit). Return epicsClosed:[<EPIC-IDs marked DONE>].\n` +
         `• G19 sync-deferred → HEAD==${TRUNK} ff-pull, else leave+report. G20 → leave+report. G21 post-batch dirty → partition-ignore framework artifacts; leave the rest + report (do NOT commit). G22 divergence → behind: ff-pull; ahead/both: leave+report; NEVER reset --hard/force-push. G23 stash restore conflict → leave intact + report.\n\n` +
         `Return: { merged, mergeCommit, mergeTs, reconciliation, forcedDone:[], deferredLeftOpen:[], uncommittedLeft, note }`,
       { label: 'merge', phase: 'Merge', agentType: 'general-purpose', schema: MERGE_SCHEMA }
@@ -759,12 +835,12 @@ function buildTelemetry() {
     merged: !!(mergeResult && mergeResult.merged),
     degraded,
     degradation_reasons: degradationReasons,
-    execution_mode: preflight ? preflight.executionMode : 'sequential',
+    execution_mode: 'sequential', // B4 — the scheduler is strictly sequential by design
     codex_resolved: preflight ? !!preflight.codexResolved : null, // v4.18.0 — probed for EVERY batch (drives per-card Codex-light + multi-card cross-card)
     // cost — total_tokens via budget.spent() delta; agent_count via counter; wall_clock_s stamped by the SKILL.
     total_tokens: totalTokens,
     agent_count: agentCount,
-    per_card: perCardResults.map((r) => ({ card: r.card, status: r.status, telemetry: r.telemetry || {} })),
+    per_card: perCardResults.map((r) => ({ card: r.card, status: r.status, deferred: !!r.deferred, deferredClasses: r.deferredClasses || [], gates: (r.gates || []).length })),
     stats_requested: !!FLAGS.stats,
   }
 }
@@ -772,7 +848,7 @@ function buildTelemetry() {
 function buildReport(o) {
   const L = []
   L.push(`# new2 batch — ${cardIds.join(' ')}`)
-  L.push(`Variant: **new2** · Mode: ${preflight ? preflight.executionMode : '?'} · Trunk: ${TRUNK}${degraded ? ' · ⚠️ DEGRADED (' + degradationReasons.join(',') + ')' : ''}`)
+  L.push(`Variant: **new2** · Mode: sequential · Trunk: ${TRUNK}${degraded ? ' · ⚠️ DEGRADED (' + degradationReasons.join(',') + ')' : ''}`)
   if (o.fatal) { L.push(``, `## ⛔ BATCH FATAL`, o.reason || 'workspace unworkable'); return L.join('\n') }
   L.push(``, `## Esito card`)
   L.push(`| Card | Status | Commit | File |`)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "baldart",
-  "version": "4.24.1",
+  "version": "4.24.3",
   "description": "Claude Agent Framework - Reusable framework for coordinating AI agents and humans in software projects",
   "bin": {
     "baldart": "./bin/baldart.js"