mindforge-cc 10.0.2 → 10.7.0

package/.mindforge/personas/zero-trust-engineer.md

@@ -0,0 +1,113 @@
+---
+name: mindforge-zero-trust-engineer
+description: Zero-trust network and identity architecture specialist. Designs systems where the network is hostile, location grants zero privilege, and every request proves identity through cryptographic verification.
+tools: Read, Write, Bash, Grep, Glob
+color: obsidian
+---
+
+<role>
+You are the MindForge Zero Trust Engineer. You own the identity and access architecture.
+Your job is to ensure that no service, user, or device is trusted by default — regardless
+of network location. Every request must cryptographically prove its identity and authorization.
+</role>
+
+<why_this_matters>
+The perimeter is dead. Attackers are already inside. Your architecture determines whether
+a single compromise cascades into full breach or stays contained:
+- **Architect** implements your trust boundaries in system design.
+- **Security Reviewer** validates your policies catch unauthorized access.
+- **Auth Engineer** implements the identity verification you specify.
+- **DevOps** deploys the mTLS and network policies you design.
+</why_this_matters>
+
+<philosophy>
+**The Network Is Hostile:**
+Every network segment — internal, external, VPN, or cloud — is treated as compromised.
+Location is not a trust signal. A request from inside the firewall is no more trusted
+than one from the public internet.
+
+**Trust Is Earned Per-Request:**
+Trust is not a state. It is computed fresh on every single request based on:
+identity (verified cryptographically) + device (health checked) + context (time, location,
+behavior) + risk score (anomaly detection).
+
+**Assume Breach, Limit Blast Radius:**
+Design as if the attacker already has a foothold. The question is not "how do we keep them out?"
+but "how do we prevent lateral movement when they're in?"
+</philosophy>
+
+<process>
+
+<step name="flow_inventory">
+Map every communication flow in the system:
+- User-to-service (external access).
+- Service-to-service (internal communication).
+- Service-to-data (database, cache, storage).
+- Admin-to-infrastructure (management plane).
+Document who talks to whom, over what protocol, carrying what data.
+</step>
+
+<step name="identity_model">
+Define identity for every actor:
+- Users: OIDC/SAML with MFA, short-lived tokens.
+- Services: SPIFFE/SPIRE workload identity, mTLS certificates.
+- Devices: MDM-managed, posture-checked.
+- Admins: Privileged access management, just-in-time elevation.
+</step>
+
+<step name="policy_design">
+Implement default-deny with explicit allows:
+- Micro-segmentation (NetworkPolicy, service mesh authorization).
+- Least privilege (minimum permissions, scoped tightly).
+- Time-bounded access (short-lived tokens, session limits).
+- Context-aware decisions (risk score, behavior analysis).
+</step>
+
+<step name="mtls_implementation">
+Enable mutual TLS for all service-to-service communication:
+- Service mesh (Istio/Linkerd) for automatic mTLS.
+- Short-lived certificates (24h rotation).
+- SPIFFE IDs for workload identity.
+- Certificate transparency logging.
+</step>
+
+<step name="continuous_verification">
+Implement re-verification triggers:
+- Privilege escalation requires step-up auth.
+- Anomalous behavior triggers session review.
+- Device posture changes restrict access.
+- Time-based re-authentication (every 1h for sensitive resources).
+</step>
+
+<step name="validation">
+Test the architecture:
+- Compromise one service → verify no lateral movement.
+- Revoke a certificate → verify immediate access loss.
+- Simulate network partition → verify default-deny holds.
+- Attempt unauthorized access from internal network → verify blocked.
+</step>
+
+</process>
+
+<critical_rules>
+- DEFAULT DENY EVERYTHING — explicitly allow only what's needed.
+- NEVER trust network location as a security signal.
+- mTLS is MANDATORY for all service-to-service communication.
+- Re-verify identity on EVERY privilege escalation.
+- Short-lived credentials only — no long-lived tokens or permanent keys.
+- Log ALL access decisions for forensic audit.
+- Certificate rotation must be automatic and tested.
+- Device posture check before granting user access.
+- Compromising one service MUST NOT grant access to others.
+- VPN is not a security boundary — it's a connectivity tool.
+</critical_rules>
+
+<outputs>
+- Communication flow map with trust boundaries.
+- Identity model (per actor type).
+- Network policies (default-deny + explicit allows).
+- mTLS configuration and certificate rotation strategy.
+- Continuous verification rules and triggers.
+- Lateral movement test results.
+- Access decision audit log schema.
+</outputs>

package/.mindforge/skills/a11y-testing/SKILL.md

@@ -0,0 +1,143 @@
+---
+name: a11y-testing
+version: 1.0.0
+min_mindforge_version: 0.3.0
+status: stable
+triggers: a11y testing, axe-core, automated accessibility, screen reader testing, keyboard navigation audit, WCAG compliance test, aria validation, focus management test, color contrast check, accessibility CI, accessibility report, assistive technology
+compose: accessibility
+---
+
+# Skill — Accessibility Testing
+
+## When this skill activates
+Any task involving accessibility testing, WCAG compliance, screen reader validation,
+keyboard navigation audits, or automated a11y CI pipelines.
+
+## Mandatory actions when this skill is active
+
+### Before testing accessibility
+1. Identify the target WCAG conformance level (A, AA, or AAA).
+2. Determine which automated tools are available in the project.
+3. Plan manual testing scenarios for what automation cannot catch.
+
+### Automated testing (~30% of issues)
+
+**Unit level (jest-axe):**
+```javascript
+import { axe, toHaveNoViolations } from 'jest-axe';
+expect.extend(toHaveNoViolations);
+
+it('has no accessibility violations', async () => {
+  const { container } = render(<Component />);
+  const results = await axe(container);
+  expect(results).toHaveNoViolations();
+});
+```
+
+**Integration level (Playwright + axe):**
+```javascript
+import AxeBuilder from '@axe-core/playwright';
+
+test('page has no a11y violations', async ({ page }) => {
+  await page.goto('/dashboard');
+  const results = await new AxeBuilder({ page }).analyze();
+  expect(results.violations).toEqual([]);
+});
+```
+
+**CI pipeline:**
+- Run axe-core on every PR against all critical routes.
+- Fail the build on any "critical" or "serious" violations.
+- Report "moderate" violations as warnings (fix in next sprint).
+- Track violation count over time — must trend downward.
+
+### Manual testing checklist
+
+**Keyboard navigation:**
+- [ ] Tab through ALL interactive elements in logical order.
+- [ ] Shift+Tab moves backwards correctly.
+- [ ] Enter/Space activates buttons and links.
+- [ ] Escape closes modals, dropdowns, popovers.
+- [ ] Arrow keys navigate within composite widgets (tabs, menus, grids).
+- [ ] No keyboard traps (can always Tab out, except modals).
+- [ ] Focus indicator is clearly visible on all elements.
+
+**Screen reader testing:**
+- [ ] VoiceOver (macOS/iOS) — full user flow.
+- [ ] NVDA (Windows) — full user flow.
+- [ ] All images have meaningful alt text (or alt="" for decorative).
+- [ ] Form inputs have associated labels.
+- [ ] Dynamic content changes are announced (aria-live regions).
+- [ ] Headings form a logical hierarchy (h1 > h2 > h3, no skips).
+
+**Visual testing:**
+- [ ] Zoom to 200% — no horizontal scroll, no overlapping content.
+- [ ] Zoom to 400% — content still readable and usable.
+- [ ] High contrast mode — all content visible.
+- [ ] Reduced motion — animations respect prefers-reduced-motion.
+
+### WCAG conformance levels
+
+**Level A (minimum, always required):**
+- All non-text content has text alternative.
+- Content is navigable by keyboard.
+- No content causes seizures.
+
+**Level AA (target for most applications):**
+- Color contrast ratio 4.5:1 for normal text, 3:1 for large text.
+- Text can be resized to 200% without loss of content.
+- Focus order is meaningful and logical.
+- Error messages identify the field and suggest correction.
+
+**Level AAA (specialized — not typically a blanket requirement):**
+- Color contrast ratio 7:1 for normal text.
+- Sign language interpretation for media.
+- Reading level accommodations.
+
+### Focus management
+
+**Modal dialogs:**
+- Move focus into the modal when opened.
+- Trap focus within the modal (Tab cycles inside).
+- Return focus to the trigger element when closed.
+
+**Route changes (SPA):**
+- Move focus to the main content heading on navigation.
+- Announce the new page to screen readers (aria-live or document.title).
+
+**Dynamic content:**
+- New content added below the current focus: no announcement needed.
+- New content that requires attention: use aria-live="polite".
+- Urgent alerts: use aria-live="assertive" (sparingly).
+
+**Skip links:**
+- First focusable element should be "Skip to main content."
+- Links to bypass repetitive navigation blocks.
+
+### Color contrast
+
+**Tools:**
+- Browser DevTools (Accessibility panel shows contrast ratios).
+- axe-core catches contrast violations automatically.
+- Contrast checker plugins for design tools (Figma, Sketch).
+
+**Ratios:**
+- Normal text (< 18px or < 14px bold): minimum 4.5:1.
+- Large text (>= 18px or >= 14px bold): minimum 3:1.
+- UI components and graphical objects: minimum 3:1.
+- Never convey information by color alone (add icons, patterns, text).
+
+### Reporting format
+
+When reporting accessibility issues, include:
+1. **What** — the specific WCAG criterion violated.
+2. **Where** — page URL and element selector/description.
+3. **Impact** — who is affected and how severely.
+4. **Fix** — specific remediation recommendation.
+5. **Priority** — critical (blocks usage) / serious (difficult) / moderate (inconvenient).
+
+## Self-check before task completion
+- [ ] Did I follow the mandatory actions for this skill?
+- [ ] Did I apply the patterns appropriate to the context?
+- [ ] Did I verify the implementation meets the criteria above?
+- [ ] Did I document decisions and trade-offs made?

package/.mindforge/skills/agent-evaluation-framework/SKILL.md

@@ -0,0 +1,227 @@
+---
+name: agent-evaluation-framework
+version: 1.0.0
+min_mindforge_version: 10.0.4
+status: stable
+triggers: agent evaluation, task completion rate, agent benchmark, reasoning quality, tool selection accuracy, agent cost efficiency, end-to-end agent test, agent regression, agent quality score, agent performance metric, evaluation harness design, agent grading
+compose: eval-harness
+---
+
+# Skill — Agent Evaluation Framework (End-to-End Agent Performance Measurement)
+
+## When this skill activates
+When measuring agent performance, designing agent benchmarks, tracking quality
+regressions, or comparing agent configurations. Use for any scenario where you
+need to answer: "Is this agent good enough?" or "Did this change make the agent
+better or worse?"
+
+Core principle: **Multi-dimensional quality** — agent quality is not a single number.
+A fast agent that's wrong is worse than a slow agent that's right. A cheap agent
+that hallucinates is worse than an expensive agent that's accurate. Measure ALL
+dimensions that matter.
+
+## Mandatory actions when this skill is active
+
+### Metric Taxonomy
+
+1. **Core agent metrics (measure ALL of these):**
+   ```
+   Correctness metrics:
+   - Task completion rate: % of tasks completed successfully (end-to-end)
+   - First-attempt success rate: % completed without retry or correction
+   - Factual accuracy: % of claims that are verifiable and correct
+   - Instruction adherence: % of explicit instructions followed correctly
+
+   Efficiency metrics:
+   - Cost per task: total API spend / successful completions
+   - Tokens per task: input + output tokens consumed
+   - Time per task: wall-clock time from task start to completion
+   - Tool calls per task: number of tool invocations (fewer = more efficient)
+
+   Quality metrics:
+   - Reasoning quality score: rubric-based assessment of reasoning chain
+   - Tool selection accuracy: % of tool calls that were appropriate
+   - Output quality score: rubric-based assessment of final output
+   - Hallucination rate: % of outputs containing ungrounded claims
+
+   Safety metrics:
+   - Harmful output rate: % of outputs flagged by safety classifiers
+   - Permission violation rate: % of actions exceeding authorized scope
+   - Information leakage rate: % of outputs exposing sensitive data
+   ```
+
+2. **Composite quality score:**
+   ```
+   Agent Quality Score = weighted combination:
+   - Correctness (40%): task_completion * 0.25 + first_attempt * 0.15
+   - Quality (30%): reasoning_quality * 0.15 + output_quality * 0.15
+   - Efficiency (20%): normalized(1/cost) * 0.10 + normalized(1/time) * 0.10
+   - Safety (10%): (1 - harmful_rate) * 0.05 + (1 - violation_rate) * 0.05
+
+   Weights are defaults — adjust per use case (safety-critical → increase safety weight)
+   ```
+
+### Benchmark Design
+
+3. **Evaluation dataset structure:**
+   ```
+   .mindforge/evals/agent-benchmark/
+   ├── config.json           # benchmark metadata and thresholds
+   ├── tasks/
+   │   ├── easy/             # baseline tasks (should be ~100% success)
+   │   │   ├── task-001.json
+   │   │   └── task-002.json
+   │   ├── medium/           # standard tasks (target: 80%+ success)
+   │   │   ├── task-010.json
+   │   │   └── task-011.json
+   │   └── hard/             # stretch tasks (target: 50%+ success)
+   │       ├── task-020.json
+   │       └── task-021.json
+   ├── rubrics/
+   │   ├── correctness.md    # how to grade correctness
+   │   ├── reasoning.md      # how to grade reasoning quality
+   │   └── output.md         # how to grade output quality
+   └── results/
+       └── results.jsonl     # append-only results log
+   ```
+
+4. **Task definition format:**
+   ```json
+   {
+     "task_id": "task-001",
+     "difficulty": "easy",
+     "category": "code-generation",
+     "description": "Write a function that reverses a string",
+     "input": "Create a TypeScript function reverseString(s: string): string",
+     "expected_behavior": [
+       "Returns reversed string",
+       "Handles empty string",
+       "Handles unicode correctly"
+     ],
+     "verification": {
+       "type": "code",
+       "test_cases": [
+         {"input": "hello", "expected": "olleh"},
+         {"input": "", "expected": ""},
+         {"input": "abc", "expected": "cba"}
+       ]
+     },
+     "metadata": {
+       "tools_available": ["Read", "Write", "Bash"],
+       "time_limit_seconds": 120,
+       "cost_limit_usd": 0.50
+     }
+   }
+   ```
+
+   Rules:
+   - Minimum 30 tasks per benchmark (10 easy, 15 medium, 5 hard)
+   - Tasks must be representative of real usage patterns
+   - Include both deterministic tasks (one right answer) and generative tasks (rubric-graded)
+   - Each task has explicit success criteria (not vague "good output")
+   - Stratify by difficulty to detect capability thresholds
+
+### Running Benchmarks
+
+5. **Execution protocol:**
+   ```
+   For each task in benchmark:
+   1. Initialize fresh agent context (no contamination between tasks)
+   2. Provide task input + available tools
+   3. Record: start_time, all tool calls, all outputs, end_time
+   4. Grade output against verification criteria
+   5. Log full result to results.jsonl
+
+   Run N times per task (N >= 3) to measure variance:
+   - Report mean and standard deviation per metric
+   - Flag high-variance tasks (inconsistent agent behavior)
+   - Use same random seed where possible for reproducibility
+   ```
+
+6. **Result logging:**
+   ```json
+   {
+     "run_id": "uuid",
+     "timestamp": "ISO-8601",
+     "task_id": "task-001",
+     "agent_config": {"model": "claude-sonnet", "temperature": 0.0},
+     "metrics": {
+       "completed": true,
+       "first_attempt": true,
+       "time_seconds": 15.3,
+       "cost_usd": 0.012,
+       "tokens_used": {"input": 1200, "output": 450},
+       "tool_calls": 3,
+       "reasoning_quality": 4,
+       "output_quality": 5
+     },
+     "grading": {
+       "method": "code",
+       "pass": true,
+       "evidence": "All 3 test cases passed"
+     }
+   }
+   ```
+
+### Regression Detection
+
+7. **Regression detection algorithm:**
+   ```
+   Compare current run vs baseline:
+
+   RED (regression detected — blocks deployment):
+   - Task completion rate drops > 5%
+   - Any previously-passing easy task now fails
+   - Cost per task increases > 50%
+   - Safety metric degrades at all
+
+   YELLOW (warning — investigate before deploying):
+   - Task completion rate drops 2-5%
+   - Medium/hard task pass rate drops > 10%
+   - Time per task increases > 30%
+   - New failure modes appear
+
+   GREEN (no regression):
+   - All metrics within 2% of baseline
+   - No new failure modes
+   - Cost/time stable or improved
+   ```
+
+   Rules:
+   - ALWAYS compare to a pinned baseline (not just previous run)
+   - Run regression suite before any agent config change ships
+   - Regression in EASY tasks is more alarming than regression in HARD tasks
+   - Store baseline with agent version (update baseline when intentionally accepting changes)
+
+### Cost Efficiency Analysis
+
+8. **Quality-per-dollar assessment:**
+   ```
+   Cost Efficiency Ratio = quality_score / cost_per_task
+
+   Comparison framework:
+   - Agent A: quality=0.92, cost=$0.05/task → efficiency=18.4
+   - Agent B: quality=0.88, cost=$0.01/task → efficiency=88.0
+
+   Decision: Agent B is 4.8x more cost-efficient.
+   Choose A only if the 4% quality gap causes real user-visible failures.
+   ```
+
+   Rules:
+   - A cheaper model that achieves 95% of the quality at 20% of the cost is usually better
+   - Factor in retry cost (low first-attempt rate = hidden cost multiplier)
+   - Include tool call costs in total cost (API calls, compute)
+   - Report cost efficiency alongside raw quality (both matter)
+
+## Self-check before task completion
+
+Before marking a task done when this skill was active:
+
+- [ ] Did I define metrics across all four dimensions (correctness, quality, efficiency, safety)?
+- [ ] Is the benchmark stratified by difficulty (easy/medium/hard)?
+- [ ] Did I run multiple times (N >= 3) to measure variance?
+- [ ] Is there a pinned baseline for regression detection?
+- [ ] Are regression thresholds defined (RED/YELLOW/GREEN)?
+- [ ] Did I report cost efficiency (quality/cost ratio), not just raw quality?
+- [ ] Are easy-task failures treated as more alarming than hard-task failures?
+- [ ] Are results appended to results.jsonl (never overwritten)?

package/.mindforge/skills/agent-introspection-debugging/SKILL.md

@@ -0,0 +1,88 @@
+---
+name: agent-introspection-debugging
+version: 1.0.0
+min_mindforge_version: 10.0.3
+status: stable
+triggers: introspect, agent failure, reasoning failure, self-debug, agent stuck, hallucination, context overflow, reasoning trace, agent error, token waste, spinning
+---
+
+# Skill — Agent Introspection Debugging
+
+## When this skill activates
+When an agent is stuck, producing incorrect outputs, hallucinating, wasting
+tokens on repeated failed attempts, or when reasoning quality has degraded.
+
+## Mandatory actions when this skill is active
+
+### The 4-Phase Self-Debug Protocol
+
+**Phase 1 — Failure Capture**
+Document exactly what went wrong:
+- What was the agent trying to accomplish?
+- What did it actually produce?
+- What was the expected outcome?
+- What context was available at the time?
+- How many tokens/iterations were spent before failure was detected?
+
+**Phase 2 — Diagnosis**
+Identify WHY the reasoning failed:
+
+| Failure Mode | Symptoms | Root Cause |
+|-------------|----------|-----------|
+| Context overflow | Repeating earlier mistakes, forgetting constraints | Context window exceeded, compaction lost key info |
+| Hallucination | Confident claims about non-existent code/APIs | Insufficient grounding, no verification step |
+| Loop spinning | Same action repeated 3+ times without progress | No exit condition, stuck-detection not triggered |
+| Scope creep | Task expanding beyond original spec | Missing constraints, no scope boundary check |
+| Stale context | Acting on outdated information | Context not refreshed, old file contents cached |
+| Wrong persona | Security review giving UX advice | Persona mismatch, wrong skill loaded |
+
+**Phase 3 — Contained Recovery**
+Fix the problem WITHOUT expanding the blast radius:
+1. Identify the MINIMUM change needed to recover
+2. Do NOT restart from scratch unless absolutely necessary
+3. Do NOT make speculative changes beyond the fix
+4. Verify the recovery actually works (don't assume)
+5. If recovery fails after 2 attempts: ESCALATE (do not keep trying)
+
+**Phase 4 — Introspection Report**
+Write structured output to `.planning/INTROSPECTION-[timestamp].md`:
+```markdown
+# Introspection Report
+Date: [timestamp]
+Session: [session-id]
+Failure type: [from diagnosis table]
+
+## What Happened
+[1-2 sentences describing the failure]
+
+## Root Cause
+[Why this happened — be specific]
+
+## Recovery Action
+[What was done to fix it]
+
+## Prevention
+[What should change to prevent recurrence]
+- [ ] Instinct to capture? [yes/no — if yes, create via learn-instinct]
+- [ ] Skill gap? [yes/no — if yes, what skill is missing]
+- [ ] Config change needed? [yes/no — what setting]
+```
+
+### Introspection Triggers
+Automatically invoke this skill when:
+- Stuck-detector fires (3 iterations, no progress)
+- Token usage exceeds 3x estimate for a task
+- Same error appears 2+ times in consecutive attempts
+- User says "stop", "that's wrong", "you're stuck", "try again differently"
+
+### During introspection
+- PAUSE all other work — introspection is the priority
+- Read recent AUDIT entries for context on what was attempted
+- Check SHARED_TASK_NOTES.md for cross-iteration patterns
+- Never blame external factors without evidence (check your own reasoning first)
+
+### After introspection
+- Log introspection event in AUDIT
+- Consider whether this warrants a new instinct (via continuous-learning)
+- Resume work only after recovery is verified
+- If pattern repeats: escalate to user, do not keep self-debugging

package/.mindforge/skills/agent-loops/SKILL.md

@@ -0,0 +1,84 @@
+---
+name: agent-loops
+version: 1.0.0
+min_mindforge_version: 10.0.3
+status: stable
+triggers: loop, circuit breaker, retry, fallback, agent loop, orchestration, self-repair, recovery, sequential execution, iteration, backoff, provider fallback
+---
+
+# Skill — Agent Loops
+
+## When this skill activates
+Any task involving repeated automated execution, retry logic, autonomous pipelines,
+or self-repairing agent workflows. Also activates when implementing circuit breakers
+or provider-aware fallback chains.
+
+## Mandatory actions when this skill is active
+
+### Before implementation
+1. Define the loop's **termination condition** explicitly. No infinite loops without escape.
+2. Set a **maximum iteration count** (default: 10 for code changes, 50 for data processing).
+3. Identify the **checkpoint mechanism** — how will state be preserved between iterations?
+
+### Loop Patterns
+
+**Sequential Pipeline:**
+```
+Task 1 -> Task 2 -> Task 3 -> ... -> Complete
+```
+- Each task must succeed before the next starts
+- On failure: log, checkpoint state, halt with context for resumption
+- Use when: tasks have strict ordering dependencies
+
+**Circuit Breaker Pattern:**
+```
+Attempt -> Success? -> Continue
+            | No
+         Failure count++
+            |
+         Count >= threshold?
+            | Yes
+         OPEN circuit -> wait -> half-open -> retry once
+```
+- Threshold: 3 consecutive failures opens the circuit
+- Backoff: exponential (1s, 2s, 4s, 8s, max 60s)
+- Half-open: after backoff, allow ONE request through
+- If half-open succeeds: close circuit, resume normal operation
+- If half-open fails: re-open circuit, double backoff
+
+**Provider-Aware Fallback Chain:**
+```
+Primary Model -> Timeout/Error? -> Fallback Model -> Timeout/Error? -> Degrade gracefully
+```
+- Always try primary model first (respects cost-aware-routing tier)
+- On timeout (>30s) or error: switch to fallback
+- Fallback models: same tier or one tier down
+- Log every fallback with reason in AUDIT
+- Never silently degrade — always inform user of fallback
+
+**Self-Repair Loop:**
+```
+Execute -> Verify -> Pass? -> Done
+                    | No
+                 Diagnose -> Fix -> Re-verify (max 3 attempts)
+```
+- After 3 failed self-repair attempts: STOP and escalate to user
+- Each repair attempt must be DIFFERENT from the previous
+- Log each diagnosis and attempted fix
+
+### During implementation
+- Every loop MUST have: max iterations, checkpoint logic, escalation path
+- Never catch-and-swallow errors in loop bodies — always log with context
+- Track iteration count in AUDIT entries
+- Use SHARED_TASK_NOTES.md for cross-iteration context (see cross-iteration-bridge.md)
+
+### After implementation
+- Verify the loop terminates under all test conditions
+- Verify the circuit breaker opens and closes correctly
+- Confirm escalation path works (simulate max-retries-exceeded)
+
+## Self-check before task completion
+- [ ] Did I define explicit termination conditions for every loop?
+- [ ] Did I set maximum iteration limits (no unbounded loops)?
+- [ ] Did I implement checkpoint/state persistence between iterations?
+- [ ] Did I verify the escalation path works when max retries are exceeded?