npm - maestro-flow - Versions diffs - 0.4.8 → 0.4.10 - Mend

maestro-flow 0.4.8 → 0.4.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (280) hide show

package/.agy/skills/quality-test/SKILL.md ADDED Viewed

@@ -0,0 +1,119 @@
+---
+name: quality-test
+description: Use when implementation needs user acceptance testing with interactive verification and gap closure
+argument-hint: [phase] [--smoke] [--auto-fix]
+allowed-tools:
+  - ask_question
+  - define_subagent
+  - grep_search
+  - invoke_subagent
+  - manage_subagents
+  - replace_file_content
+  - run_command
+  - send_message
+  - view_file
+  - write_to_file
+---
+<purpose>
+Run UAT-style conversational testing for a completed phase. Designs test scenarios from verification criteria, walks through each scenario interactively one at a time with plain text responses, and records pass/fail results with severity inference.
+When issues are found, spawns parallel debug agents (one per gap cluster) to diagnose root causes, then optionally triggers the gap-fix loop (plan --gaps -> execute -> re-verify) to auto-close gaps.
+Key mechanisms from GSD verify-work:
+- **Session persistence**: uat.md survives context resets, resume from any point
+- **Severity inference**: Natural language -> blocker/major/minor/cosmetic (never ask)
+- **Cold-start smoke tests**: --smoke flag injects basic sanity tests before UAT
+- **Parallel auto-diagnosis**: Spawn debug agents per gap cluster with pre-filled symptoms
+- **Gap-plan closure loop**: --auto-fix triggers verify -> plan --gaps -> execute -> re-verify
+</purpose>
+<required_reading>
+@~/.maestro/workflows/test.md
+</required_reading>
+<context>
+Phase or task: $ARGUMENTS (optional)
+Flags, artifact context resolution, and output directory format defined in workflow test.md.
+</context>
+<execution>
+Follow '~/.maestro/workflows/test.md' completely.
+**Command-specific extensions (not in workflow):**
+**Knowledge context loading** (before test design):
+- Wiki search: `maestro wiki search "<phase/feature keywords>" --json` → prior test strategies, recipes, decisions
+- Role knowledge: `maestro wiki list --category test` → select relevant → `maestro wiki load <id>`
+- Specs + tools: `maestro spec load --category test` → test conventions + discoverable knowhow tools
+**Test tool discovery** (knowhow tools as scenario source):
+- Load registered test tools: `maestro spec load --category test --keyword <feature>`
+- If tools found, extract their steps as additional test scenarios marked `source: "tool"`
+- Each numbered step in a tool becomes a UAT test with its assertion as `expected` behavior
+**Review findings integration** (from related review artifacts):
+- Extract critical/high findings as additional test scenarios, marked `source: "review_finding"`
+- When review verdict is "BLOCK" and review-finding tests fail, auto-enter gap-fix loop
+**Debug root cause integration** (from related debug artifacts):
+- Generate regression test scenarios from confirmed root causes, marked `source: "debug_root_cause"`
+**Register artifact on completion:**
+```
+Append to state.json.artifacts[]:
+{
+  id: nextArtifactId(artifacts, "test"),  // TST-001
+  type: "test",
+  milestone: current_milestone,
+  phase: target_phase,
+  scope: "phase",
+  path: "scratch/{YYYYMMDD}-test-P{N}-{slug}",
+  status: issues == 0 ? "completed" : "failed",
+  depends_on: exec_art.id,
+  harvested: false,
+  created_at: start_time,
+  completed_at: now()
+}
+```
+**Next-step routing on completion:**
+- All tests pass → `/maestro-milestone-audit`
+- Issues found, --auto-fix ran and succeeded → `/maestro-verify {phase}`
+- Issues found, --auto-fix ran but gaps remain → `/quality-debug --from-uat {phase}`
+- Issues found, manual fix needed → `/quality-debug --from-uat {phase}`
+- Coverage below threshold → `/quality-auto-test {phase}`
+- Need integration tests → `/quality-auto-test {phase}`
+</execution>
+<error_codes>
+| Code | Severity | Condition | Recovery |
+|------|----------|-----------|----------|
+| E001 | error | Phase or task target required (no active sessions) | Prompt user for phase number |
+| E002 | error | Phase not verified yet (no verification.json) | Suggest `/maestro-verify` first |
+| E003 | error | Smoke test failed (app won't start) | Suggest `/quality-debug` |
+| W001 | warning | One or more test scenarios failed | Auto-diagnose, suggest fix options |
+| W002 | warning | Coverage below threshold | Suggest `/quality-auto-test` |
+</error_codes>
+<success_criteria>
+- [ ] Target resolved (phase or scratch task)
+- [ ] Active sessions checked, resume offered if applicable
+- [ ] Smoke tests run if --smoke flag set
+- [ ] test-plan.json generated with categorized tests mapped to requirements
+- [ ] uat.md created/resumed with all tests
+- [ ] Tests presented one at a time with expected behavior
+- [ ] User responses processed as pass/issue/skip
+- [ ] Severity inferred from natural language (never asked)
+- [ ] Batched writes: on issue, every 5 passes, or completion
+- [ ] test-results.json and coverage-report.json written
+- [ ] UAT confidence scored with 4-dimension factor model
+- [ ] Readiness gate checked before final report
+- [ ] Pressure pass completed if > 80% pass rate
+- [ ] Confidence summary appended to uat.md
+- [ ] index.json uat fields updated
+- [ ] If issues: parallel debug agents spawned per gap cluster
+- [ ] Gaps updated with root_cause, fix_direction, affected_files
+- [ ] Gap-fix loop triggered if --auto-fix (max 2 iterations)
+- [ ] Next step routed (phase-transition if pass, verify if auto-fix success, debug --from-uat if issues, test-gen if low coverage)
+</success_criteria>

package/.agy/skills/security-audit/SKILL.md ADDED Viewed

@@ -0,0 +1,157 @@
+---
+name: security-audit
+description: OWASP Top 10 and STRIDE security auditing with supply chain analysis
+argument-hint: [quick|standard|deep] [--scope <path>]
+allowed-tools:
+  - ask_question
+  - define_subagent
+  - grep_search
+  - invoke_subagent
+  - manage_subagents
+  - run_command
+  - send_message
+  - view_file
+  - write_to_file
+---
+<purpose>
+Systematic security audit covering OWASP Top 10, dependency supply chain, secrets detection,
+CI/CD pipeline review, and optional STRIDE threat modeling. Three tiers control depth vs speed.
+</purpose>
+<context>
+$ARGUMENTS — Parse tier and scope:
+- Tier: `quick` (default) | `standard` | `deep`
+- `--scope <path>`: Limit scan to directory (default: project root)
+**Tier coverage:**
+| Tier | OWASP | Dependencies | Secrets | CI/CD | STRIDE | Git History |
+|------|-------|-------------|---------|-------|--------|-------------|
+| quick | ✓ | ✓ | — | — | — | — |
+| standard | ✓ | ✓ | ✓ | ✓ | — | — |
+| deep | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
+</context>
+<execution>
+**Phase 1: Reconnaissance**
+1. Detect tech stack from package.json / go.mod / requirements.txt / Cargo.toml
+2. Identify entry points: HTTP handlers, API routes, CLI parsers, WebSocket handlers
+3. List authentication/authorization modules
+4. Map data flow: user input → processing → storage → output
+**Phase 2: OWASP Top 10 Scan** (all tiers)
+For each category, scan relevant source files:
+| # | Category | What to check |
+|---|----------|--------------|
+| A01 | Broken Access Control | Missing auth middleware, direct object references, path traversal |
+| A02 | Cryptographic Failures | Weak algorithms, hardcoded keys, missing TLS, plaintext storage |
+| A03 | Injection | SQL concatenation, shell exec with user input, template injection |
+| A04 | Insecure Design | Missing rate limits, no CSRF tokens, predictable tokens |
+| A05 | Security Misconfiguration | Debug mode, default credentials, verbose errors, open CORS |
+| A06 | Vulnerable Components | Known CVEs in dependencies |
+| A07 | Auth Failures | Weak password rules, missing brute-force protection, session fixation |
+| A08 | Data Integrity | Deserialization of untrusted data, unsigned updates |
+| A09 | Logging Failures | Missing audit logs, logging sensitive data |
+| A10 | SSRF | Unvalidated URLs in server-side requests |
+Use `Grep` for pattern matching (e.g., `eval(`, `exec(`, `innerHTML`, `dangerouslySetInnerHTML`,
+`sql.*\+.*req\.`, `process\.env` without validation).
+**Phase 3: Dependency Audit** (all tiers)
+```bash
+# Node.js
+npm audit --json 2>/dev/null || true
+# Check lockfile integrity
+test -f package-lock.json && echo "lockfile present" || echo "WARNING: no lockfile"
+```
+Check for:
+- Known vulnerabilities (CVE references)
+- Lockfile presence and integrity
+- Typosquatting risk on critical dependencies (manually check suspicious names)
+**Phase 4: Secrets Detection** (standard + deep)
+```bash
+# Current codebase
+grep -rn --include="*.ts" --include="*.js" --include="*.json" --include="*.env*" \
+  -E "(password|secret|api.?key|token|credential).*=.*['\"][^'\"]{8,}" . || true
+```
+Check `.env.example` for leaked values. Check `.gitignore` for missing `.env` patterns.
+**Phase 5: CI/CD Audit** (standard + deep)
+Scan `.github/workflows/*.yml` for:
+- Overly permissive `permissions:` (write-all, contents: write)
+- Unpinned action versions (`uses: actions/checkout@main` vs `@v4.1.0`)
+- Secrets in logs (missing `mask` or `add-mask`)
+- Pull request trigger with `pull_request_target` (code injection risk)
+**Phase 6: STRIDE Threat Modeling** (deep only)
+For each critical module identified in Phase 1:
+| Threat | Question |
+|--------|----------|
+| **S**poofing | Can identity be faked? Is auth per-request? |
+| **T**ampering | Can data be modified in transit/storage? Integrity checks? |
+| **R**epudiation | Are actions logged with user identity? |
+| **I**nformation Disclosure | Can unauthorized data be accessed? |
+| **D**enial of Service | Resource limits? Rate limiting? |
+| **E**levation of Privilege | Can roles be escalated? Input validation on role fields? |
+**Phase 7: Git History Archaeology** (deep only)
+```bash
+# Search for previously committed secrets
+git log --all --diff-filter=D --name-only --pretty=format: -- "*.env" "*.key" "*.pem" 2>/dev/null | head -20
+git log -p --all -S "password" --since="1 year ago" -- "*.ts" "*.js" 2>/dev/null | head -50
+```
+**Phase 8: Report**
+Output severity matrix:
+```
+=== Security Audit ({tier}) ===
+CRITICAL ({count}):
+  - [A03] SQL injection in {file}:{line} — {description}
+    Fix: {remediation}
+HIGH ({count}):
+  ...
+MEDIUM ({count}):
+  ...
+LOW ({count}):
+  ...
+Summary: {total} findings ({critical} critical, {high} high, {medium} medium, {low} low)
+```
+Emit completion status:
+```
+--- COMPLETION STATUS ---
+STATUS: DONE|DONE_WITH_CONCERNS
+CONCERNS: {count} critical findings require immediate action
+NEXT: /quality-review
+--- END STATUS ---
+```
+</execution>
+<success_criteria>
+- [ ] Tech stack identified and entry points mapped
+- [ ] OWASP Top 10 categories all checked (tier-appropriate)
+- [ ] Dependency audit completed with CVE listing
+- [ ] Severity matrix produced with file:line references
+- [ ] Each finding includes remediation suggestion
+- [ ] Completion status block emitted
+</success_criteria>

package/.agy/skills/skill-iter-tune/SKILL.md ADDED Viewed

@@ -0,0 +1,381 @@
+---
+name: skill-iter-tune
+description: Iterative skill tuning via execute-evaluate-improve feedback loop. Uses ccw cli Claude to execute skill, Gemini to evaluate quality, and Agent to apply improvements. Iterates until quality threshold or max iterations. Triggers on "skill iter tune", "iterative skill tuning", "tune skill".
+---
+# Skill Iter Tune
+Iterative skill refinement through execute-evaluate-improve feedback loops. Each iteration runs the skill via Claude, evaluates output via Gemini, and applies improvements via Agent.
+## Architecture Overview
+```
+┌──────────────────────────────────────────────────────────────────────────┐
+│  Skill Iter Tune Orchestrator (SKILL.md)                                 │
+│  → Parse input → Setup workspace → Iteration Loop → Final Report         │
+└────────────────────────────┬─────────────────────────────────────────────┘
+                             │
+         ┌───────────────────┼───────────────────────────────────┐
+         ↓                   ↓                                   ↓
+    ┌──────────┐      ┌─────────────────────────────┐     ┌──────────┐
+    │ Phase 1  │      │  Iteration Loop (2→3→4)     │     │ Phase 5  │
+    │ Setup    │      │  ┌─────┐  ┌─────┐  ┌─────┐ │     │ Report   │
+    │          │─────→│  │ P2  │→ │ P3  │→ │ P4  │ │────→│          │
+    │ Backup + │      │  │Exec │  │Eval │  │Impr │ │     │ History  │
+    │ Init     │      │  └─────┘  └─────┘  └─────┘ │     │ Summary  │
+    └──────────┘      │       ↑               │     │     └──────────┘
+                      │       └───────────────┘     │
+                      │    (if score < threshold    │
+                      │     AND iter < max)         │
+                      └─────────────────────────────┘
+```
+### Chain Mode Extension
+```
+Chain Mode (execution_mode === "chain"):
+Phase 2 runs per-skill in chain_order:
+  Skill A → ccw cli → artifacts/skill-A/
+       ↓ (artifacts as input)
+  Skill B → ccw cli → artifacts/skill-B/
+       ↓ (artifacts as input)
+  Skill C → ccw cli → artifacts/skill-C/
+Phase 3 evaluates entire chain output + per-skill scores
+Phase 4 improves weakest skill(s) in chain
+```
+## Key Design Principles
+1. **Iteration Loop**: Phases 2-3-4 repeat until quality threshold, max iterations, or convergence
+2. **Two-Tool Pipeline**: Claude (write/execute) + Gemini (analyze/evaluate) = complementary perspectives
+3. **Pure Orchestrator**: SKILL.md coordinates only — execution detail lives in phase files
+4. **Progressive Phase Loading**: Phase docs read only when that phase executes
+5. **Skill Versioning**: Each iteration snapshots skill state before execution
+6. **Convergence Detection**: Stop early if score stalls (no improvement in 2 consecutive iterations)
+## Interactive Preference Collection
+```javascript
+// ★ Auto mode detection
+const autoYes = /\b(-y|--yes)\b/.test($ARGUMENTS)
+if (autoYes) {
+  workflowPreferences = {
+    autoYes: true,
+    maxIterations: 5,
+    qualityThreshold: 80,
+    executionMode: 'single'
+  }
+} else {
+  const prefResponse = ask_question({
+    questions: [
+      {
+        question: "选择迭代调优配置：",
+        header: "Tune Config",
+        multiSelect: false,
+        options: [
+          { label: "Quick (3 iter, 70)", description: "快速迭代，适合小幅改进" },
+          { label: "Standard (5 iter, 80) (Recommended)", description: "平衡方案，适合多数场景" },
+          { label: "Thorough (8 iter, 90)", description: "深度优化，适合生产级 skill" }
+        ]
+      }
+    ]
+  })
+  const configMap = {
+    "Quick": { maxIterations: 3, qualityThreshold: 70 },
+    "Standard": { maxIterations: 5, qualityThreshold: 80 },
+    "Thorough": { maxIterations: 8, qualityThreshold: 90 }
+  }
+  const selected = Object.keys(configMap).find(k =>
+    prefResponse["Tune Config"].startsWith(k)
+  ) || "Standard"
+  workflowPreferences = { autoYes: false, ...configMap[selected] }
+  // ★ Mode selection: chain vs single
+  const modeResponse = ask_question({
+    questions: [{
+      question: "选择调优模式：",
+      header: "Tune Mode",
+      multiSelect: false,
+      options: [
+        { label: "Single Skill (Recommended)", description: "独立调优每个 skill，适合单一 skill 优化" },
+        { label: "Skill Chain", description: "按链序执行，前一个 skill 的产出作为后一个的输入" }
+      ]
+    }]
+  });
+  workflowPreferences.executionMode = modeResponse["Tune Mode"].startsWith("Skill Chain")
+    ? "chain" : "single";
+}
+```
+## Input Processing
+```
+$ARGUMENTS → Parse:
+  ├─ Skill path(s): first arg, comma-separated for multiple
+  │   e.g., ".claude/skills/my-skill" or "my-skill" (auto-prefixed)
+  │   Chain mode: order preserved as chain_order
+  ├─ Test scenario: --scenario "description" or remaining text
+  └─ Flags: --max-iterations=N, --threshold=N, -y/--yes
+```
+## Execution Flow
+> **⚠️ COMPACT DIRECTIVE**: Context compression MUST check TodoWrite phase status.
+> The phase currently marked `in_progress` is the active execution phase — preserve its FULL content.
+> Only compress phases marked `completed` or `pending`.
+### Phase 1: Setup (one-time)
+Read and execute: `Ref: phases/01-setup.md`
+- Parse skill paths, validate existence
+- Create workspace at `.workflow/.scratchpad/skill-iter-tune-{ts}/`
+- Backup original skill files
+- Initialize iteration-state.json
+Output: `workDir`, `targetSkills[]`, `testScenario`, initialized state
+### Iteration Loop
+```javascript
+// Orchestrator iteration loop
+while (true) {
+  // Increment iteration
+  state.current_iteration++;
+  state.iterations.push({
+    round: state.current_iteration,
+    status: 'pending',
+    execution: null,
+    evaluation: null,
+    improvement: null
+  });
+  // Update TodoWrite
+  TaskUpdate(iterationTask, {
+    subject: `Iteration ${state.current_iteration}/${state.max_iterations}`,
+    status: 'in_progress',
+    activeForm: `Running iteration ${state.current_iteration}`
+  });
+  // === Phase 2: Execute ===
+  // Read: phases/02-execute.md
+  // Single mode: one ccw cli call for all skills
+  // Chain mode: sequential ccw cli per skill in chain_order, passing artifacts
+  // Snapshot skill → construct prompt → ccw cli --tool claude --mode write
+  // Collect artifacts
+  // === Phase 3: Evaluate ===
+  // Read: phases/03-evaluate.md
+  // Construct eval prompt → ccw cli --tool gemini --mode analysis
+  // Parse score → write iteration-N-eval.md → check termination
+  // Check termination
+  if (shouldTerminate(state)) {
+    break;  // → Phase 5
+  }
+  // === Phase 4: Improve ===
+  // Read: phases/04-improve.md
+  // Agent applies suggestions → write iteration-N-changes.md
+  // Update TodoWrite with score
+  // Continue loop
+}
+```
+### Phase 2: Execute Skill (per iteration)
+Read and execute: `Ref: phases/02-execute.md`
+- Snapshot skill → `iteration-{N}/skill-snapshot/`
+- Build execution prompt from skill content + test scenario
+- Execute: `ccw cli -p "..." --tool claude --mode write --cd "${iterDir}/artifacts"`
+- Collect artifacts
+### Phase 3: Evaluate Quality (per iteration)
+Read and execute: `Ref: phases/03-evaluate.md`
+- Build evaluation prompt with skill + artifacts + criteria + history
+- Execute: `ccw cli -p "..." --tool gemini --mode analysis`
+- Parse 5-dimension score (Clarity, Completeness, Correctness, Effectiveness, Efficiency)
+- Write `iteration-{N}-eval.md`
+- Check termination: score >= threshold | iter >= max | convergence | error limit
+### Phase 4: Apply Improvements (per iteration, skipped on termination)
+Read and execute: `Ref: phases/04-improve.md`
+- Read evaluation suggestions
+- Launch general-purpose Agent to apply changes
+- Write `iteration-{N}-changes.md`
+- Update state
+### Phase 5: Final Report (one-time)
+Read and execute: `Ref: phases/05-report.md`
+- Generate comprehensive report with score progression table
+- Write `final-report.md`
+- Display summary to user
+**Phase Reference Documents** (read on-demand when phase executes):
+| Phase | Document | Purpose | Compact |
+|-------|----------|---------|---------|
+| 1 | [phases/01-setup.md](phases/01-setup.md) | Initialize workspace and state | TodoWrite 驱动 |
+| 2 | [phases/02-execute.md](phases/02-execute.md) | Execute skill via ccw cli Claude | TodoWrite 驱动 + 🔄 sentinel |
+| 3 | [phases/03-evaluate.md](phases/03-evaluate.md) | Evaluate via ccw cli Gemini | TodoWrite 驱动 + 🔄 sentinel |
+| 4 | [phases/04-improve.md](phases/04-improve.md) | Apply improvements via Agent | TodoWrite 驱动 + 🔄 sentinel |
+| 5 | [phases/05-report.md](phases/05-report.md) | Generate final report | TodoWrite 驱动 |
+**Compact Rules**:
+1. **TodoWrite `in_progress`** → 保留完整内容，禁止压缩
+2. **TodoWrite `completed`** → 可压缩为摘要
+3. **🔄 sentinel fallback** → 若 compact 后仅存 sentinel 而无完整 Step 协议，立即 `view_file()` 恢复
+## Core Rules
+1. **Start Immediately**: First action is preference collection → Phase 1 setup
+2. **Progressive Loading**: Read phase doc ONLY when that phase is about to execute
+3. **Snapshot Before Execute**: Always snapshot skill state before each iteration
+4. **Background CLI**: ccw cli runs in background, wait for hook callback before proceeding
+5. **Parse Every Output**: Extract structured JSON from CLI outputs for state updates
+6. **DO NOT STOP**: Continuous iteration until termination condition met
+7. **Single State Source**: `iteration-state.json` is the only source of truth
+## Data Flow
+```
+User Input (skill paths + test scenario)
+    ↓ (+ execution_mode + chain_order if chain mode)
+    ↓
+Phase 1: Setup
+    ↓ workDir, targetSkills[], testScenario, iteration-state.json
+    ↓
+┌─→ Phase 2: Execute (ccw cli claude)
+│   ↓ artifacts/ (skill execution output)
+│   ↓
+│   Phase 3: Evaluate (ccw cli gemini)
+│   ↓ score, dimensions[], suggestions[], iteration-N-eval.md
+│   ↓
+│   [Terminate?]─── YES ──→ Phase 5: Report → final-report.md
+│   ↓ NO
+│   ↓
+│   Phase 4: Improve (Agent)
+│   ↓ modified skill files, iteration-N-changes.md
+│   ↓
+└───┘ next iteration
+```
+## TodoWrite Pattern
+```javascript
+// Initial state
+TaskCreate({ subject: "Phase 1: Setup workspace", activeForm: "Setting up workspace" })
+TaskCreate({ subject: "Iteration Loop", activeForm: "Running iterations" })
+TaskCreate({ subject: "Phase 5: Final Report", activeForm: "Generating report" })
+// Chain mode: create per-skill tracking tasks
+if (state.execution_mode === 'chain') {
+  for (const skillName of state.chain_order) {
+    TaskCreate({
+      subject: `Chain: ${skillName}`,
+      activeForm: `Tracking ${skillName}`,
+      description: `Skill chain member position ${state.chain_order.indexOf(skillName) + 1}`
+    })
+  }
+}
+// During iteration N
+// Single mode: one score per iteration (existing behavior)
+// Chain mode: per-skill status updates
+if (state.execution_mode === 'chain') {
+  // After each skill executes in Phase 2:
+  TaskUpdate(chainSkillTask, {
+    subject: `Chain: ${skillName} — Iter ${N} executed`,
+    activeForm: `${skillName} iteration ${N}`
+  })
+  // After Phase 3 evaluates:
+  TaskUpdate(chainSkillTask, {
+    subject: `Chain: ${skillName} — Score ${chainScores[skillName]}/100`,
+    activeForm: `${skillName} scored`
+  })
+} else {
+  // Single mode (existing)
+  TaskCreate({
+    subject: `Iteration ${N}: Score ${score}/100`,
+    activeForm: `Iteration ${N} complete`,
+    description: `Strengths: ... | Weaknesses: ... | Suggestions: ${count}`
+  })
+}
+// Completed — collapse
+TaskUpdate(iterLoop, {
+  subject: `Iteration Loop (${totalIters} iters, final: ${finalScore})`,
+  status: 'completed'
+})
+```
+## Termination Logic
+```javascript
+function shouldTerminate(state) {
+  // 1. Quality threshold met
+  if (state.latest_score >= state.quality_threshold) {
+    return { terminate: true, reason: 'quality_threshold_met' };
+  }
+  // 2. Max iterations reached
+  if (state.current_iteration >= state.max_iterations) {
+    return { terminate: true, reason: 'max_iterations_reached' };
+  }
+  // 3. Convergence: ≤2 points improvement over last 2 iterations
+  if (state.score_trend.length >= 3) {
+    const last3 = state.score_trend.slice(-3);
+    if (last3[2] - last3[0] <= 2) {
+      state.converged = true;
+      return { terminate: true, reason: 'convergence_detected' };
+    }
+  }
+  // 4. Error limit
+  if (state.error_count >= state.max_errors) {
+    return { terminate: true, reason: 'error_limit_reached' };
+  }
+  return { terminate: false };
+}
+```
+## Error Handling
+| Phase | Error | Recovery |
+|-------|-------|----------|
+| 2: Execute | CLI timeout/crash | Retry once with simplified prompt, then skip |
+| 3: Evaluate | CLI fails | Retry once, then use score 50 with warning |
+| 3: Evaluate | JSON parse fails | Extract score heuristically, save raw output |
+| 4: Improve | Agent fails | Rollback from `iteration-{N}/skill-snapshot/` |
+| Any | 3+ consecutive errors | Terminate with error report |
+**Error Budget**: Each phase gets 1 retry. 3 consecutive failed iterations triggers termination.
+## Coordinator Checklist
+### Pre-Phase Actions
+- [ ] Read iteration-state.json for current state
+- [ ] Verify workspace directory exists
+- [ ] Check error count hasn't exceeded limit
+### Per-Iteration Actions
+- [ ] Increment current_iteration in state
+- [ ] Create iteration-{N} subdirectory
+- [ ] Update TodoWrite with iteration status
+- [ ] After Phase 3: check termination before Phase 4
+- [ ] After Phase 4: write state, proceed to next iteration
+### Post-Workflow Actions
+- [ ] Execute Phase 5 (Report)
+- [ ] Display final summary to user
+- [ ] Update all TodoWrite tasks to completed