okstra 0.68.0 → 0.70.0

package/docs/superpowers/specs/2026-06-11-wizard-whole-task-final-verification-design.md

@@ -0,0 +1,89 @@
+# wizard whole-task final-verification 노출 설계
+
+- 작성일: 2026-06-11
+- 상태: 설계 승인됨 (사용자 승인 2026-06-11)
+- 선행: [final-verification-whole-task-gate-design.md](2026-06-06-final-verification-whole-task-gate-design.md), 커밋 `54b9482` (stage worktree 기반 검증으로 위저드 단순화)
+
+## 1. 배경 / 문제
+
+`final-verification` 은 두 검증 모드를 가진다 — (A) 전체-task 모드(모든 stage 머지 후 한 번), (B) 단독-stage 모드(격리 worktree에서 그 stage만). 이 두 모드와 자동 target 해소는 prepare 레이어에 이미 구현돼 있다([final-verification-whole-task-gate-design.md](2026-06-06-final-verification-whole-task-gate-design.md)).
+
+커밋 `54b9482` 은 단독-stage 위저드 UX를 단순화하면서(`base-ref`/branch-confirm 생략, 명시 stage 강제) **위저드에서 전체-task 모드를 선택할 길을 막았다**:
+
+- [`_stage_auto_allowed`](../../../scripts/okstra_ctl/wizard.py:778) 가 `implementation` 에서만 `True` → final-verification stage picker 에 전체 옵션이 뜨지 않는다.
+- [`_submit_stage_pick`](../../../scripts/okstra_ctl/wizard.py:1539) 와 [`render_args`](../../../scripts/okstra_ctl/wizard.py:2799) 가 final-verification + 비-명시-stage 를 거부한다.
+
+결과: 전체-task final-verification 은 CLI `okstra.sh --stage auto` (또는 stage 생략)로만 가능하고, okstra-run 위저드 사용자는 도달할 수 없다. prepare 는 이미 전체-task 를 지원하므로([run.py:1829](../../../scripts/okstra_ctl/run.py:1829), [run.py:1533](../../../scripts/okstra_ctl/run.py:1533)) **막힌 곳은 위저드 레이어뿐**이다.
+
+## 2. 목표 / 비목표
+
+목표:
+- okstra-run 위저드의 final-verification stage picker 에서 **전체-task 검증을 명시 항목으로 선택** 가능하게 한다.
+- picker 에 stage 별 **done 상태를 표시**해, 전체-task 가 안 되는 경우 어느 stage 가 미완인지 사용자가 바로 본다.
+- prepare 계약(CLI `--stage`)을 **변경하지 않는다** — 위저드가 기존 전체-task 트리거(빈 stage)를 emit 한다.
+
+비목표:
+- `implementation` 의 `auto` 토큰 의미("가장 낮은 ready stage")를 final-verification 에서 재사용하지 않는다. picker 라벨·내부 값 어디에도 `auto` 를 쓰지 않는다.
+- 머지/clean/active 전제의 위저드 사전 검사 — 이는 prepare 의 PrepareError 게이트에 위임한다(§4).
+- 자동 stage 머지(여전히 사용자 수동 머지).
+- prepare / `_reserve_final_verification_target` / target 해소 로직 변경.
+
+## 3. 노출 형태 — stage picker 명시 항목
+
+[`_build_stage_pick`](../../../scripts/okstra_ctl/wizard.py:1494) 가 final-verification 일 때:
+
+1. 각 stage 항목 라벨에 **done 마킹**을 붙인다. 예: `1: <제목>  [done]` / `2: <제목>  [미완]`.
+2. **모든** Stage Map stage 가 done 이면 picker 맨 위에 `전체 task 검증` 항목을 추가한다. done 이 아닌 stage 가 하나라도 있으면 이 항목을 노출하지 않는다 — picker 의 stage 별 `[미완]` 마킹이 그대로 보이므로 사용자가 왜 전체 검증이 불가능한지 자명하다.
+
+이 구조는 "stage 가 done 이 아닌 걸 보여준다" 는 요구를 충족하면서, 전체-task 선택 가능 여부도 같은 화면에서 드러낸다.
+
+## 4. done 상태 데이터원 — git 호출 없음
+
+위저드가 읽는 것은 prepare 와 동일한 SSOT 인 `consumers.jsonl` 의 `status:done` 행뿐이다. git 상태(머지/clean)는 위저드가 검사하지 않는다.
+
+- `plan_run_root` 도출: `Path(approved_plan_path).resolve().parents[1]` ([run.py:1525](../../../scripts/okstra_ctl/run.py:1525) 와 동일 규칙).
+- done 행: `backfill_done_from_carry(plan_run_root)` → `read_consumers(plan_run_root)` → `latest_done_by_stage(rows)` ([consumers.py:24](../../../scripts/okstra_ctl/consumers.py:24), [consumers.py:37](../../../scripts/okstra_ctl/consumers.py:37), [consumers.py:182](../../../scripts/okstra_ctl/consumers.py:182)).
+- Stage Map: 기존 `_build_stage_pick` 이 이미 승인 plan 을 `_parse_stage_map` 으로 파싱한다([wizard.py:1499](../../../scripts/okstra_ctl/wizard.py:1499)). 그 stage 번호 집합과 done 집합을 비교한다.
+
+책임 분담:
+- **위저드**: done 여부만 사전 표시(파일 읽기). 전체-task 항목 노출 게이트.
+- **prepare**: 머지(`head_commit` 이 task worktree HEAD 의 ancestor) · clean · task-key worktree active 를 최종 강제. 미충족이면 기존 PrepareError 로 어느 stage 가 미머지인지 안내([run.py:587](../../../scripts/okstra_ctl/run.py:587), [run.py:594](../../../scripts/okstra_ctl/run.py:594), [worktree.py:655](../../../scripts/okstra_ctl/worktree.py:655)).
+
+위저드가 git 을 호출하지 않으므로 picker 빌드가 가볍고, 전제 강제는 한 곳(prepare)에 단일화된다.
+
+## 5. prepare 계약 — 빈 stage emit (계약 무변경)
+
+전체-task 선택의 위저드 내부 표현과 prepare 로 넘기는 값을 분리한다:
+
+- 위저드 내부: `selected_stage` 에 명시 sentinel(예: `"whole-task"`)을 담는다.
+- [`render_args`](../../../scripts/okstra_ctl/wizard.py:2792): 이 sentinel 을 **빈 stage(`""`)** 로 변환해 prepare 에 넘긴다.
+
+prepare 는 빈/`auto` stage 를 이미 전체-task 로 해석한다(`if inp.stage and inp.stage != "auto"` 의 else 분기, [run.py:1829](../../../scripts/okstra_ctl/run.py:1829) · [run.py:1533](../../../scripts/okstra_ctl/run.py:1533)). 따라서 CLI `--stage` 계약·validator·prepare 분기 변경이 전혀 없고, 표면 어디에도 `auto` 가 노출되지 않는다.
+
+base-ref / branch-confirm skip 은 현행 유지([`_base_ref_required`](../../../scripts/okstra_ctl/wizard.py:766), [`_branch_confirm_required`](../../../scripts/okstra_ctl/wizard.py:774)) — 전체-task·단독-stage 모두 base 가 prepare 에서 자동 해소되므로 위저드가 base 를 물을 필요가 없다.
+
+## 6. 게이트 함수 조정
+
+| 함수 | 현재 | 변경 |
+|---|---|---|
+| [`_stage_auto_allowed`](../../../scripts/okstra_ctl/wizard.py:778) | `task_type == "implementation"` | final-verification 에서 "전체 task" 항목 노출을 **전 stage done** 조건으로 허용. (implementation 의 `auto` 와 의미가 다르므로 함수명/의도 재정의 또는 final-verification 전용 헬퍼 신설) |
+| [`_submit_stage_pick`](../../../scripts/okstra_ctl/wizard.py:1539) | `auto` 만 특수 처리, final-verification+auto 거부 | "전체 task" sentinel 수용 |
+| [`render_args`](../../../scripts/okstra_ctl/wizard.py:2799) | final-verification + (빈/auto) → `WizardError` | sentinel → 빈 stage 변환(§5); 단독은 기존대로 명시 번호 |
+| [`confirmation_block`](../../../scripts/okstra_ctl/wizard.py:2872) | stage 값 그대로 표기 | sentinel 을 사람이 읽을 라벨("전체 task")로 표기 |
+
+## 7. 프롬프트 (prompts/wizard/prompts.ko.json)
+
+`stage_pick` 프롬프트에 전체-task 항목 라벨과 stage done/미완 마킹 문자열을 추가한다. `54b9482` 가 제거한 `auto` 라벨은 복원하지 않는다 — 새 라벨은 `auto` 가 아닌 "전체 task 검증" 계열 문자열이다.
+
+## 8. 테스트
+
+- `tests/test_wizard_stage_pick.py`: final-verification + 전 stage done → "전체 task" 항목 노출 / 일부 미완 → 미노출 + 해당 stage `[미완]` 마킹.
+- `tests/test_wizard_final_verification_stage.py`: "전체 task" 선택 → `render_args` 가 빈 stage emit; 단독 선택 → 명시 번호 emit.
+- `tests/test_okstra_ctl_wizard.py`: 전체-task 경로에서도 base-ref/branch-confirm 단계가 생략되는지(현행 불변 회귀).
+- prepare 측 회귀는 `tests/test_final_verification_target.py` 기존 케이스로 충분(prepare 계약 무변경).
+
+## 9. 비변경 확인 (회귀 가드)
+
+- prepare 분기·`_reserve_final_verification_target`·target 해소: 변경 없음.
+- CLI `okstra.sh --stage`: 변경 없음(빈 stage = 전체-task 는 기존 계약).
+- 단독-stage 위저드 UX(`54b9482` 도입분): 변경 없음.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "okstra",
-  "version": "0.68.0",
+  "version": "0.70.0",
   "description": "Multi-agent cross-verification orchestrator runtime + Claude Code skills.",
   "license": "MIT",
   "author": "devonshin",

package/runtime/BUILD.json

@@ -1,5 +1,5 @@
 {
-  "package": "0.68.0",
-  "builtAt": "2026-06-10T14:01:48.019Z",
+  "package": "0.70.0",
+  "builtAt": "2026-06-10T17:00:34.215Z",
   "repoRoot": "/home/runner/work/okstra/okstra"
 }

package/runtime/agents/SKILL.md

@@ -246,13 +246,13 @@ After each worker terminates, BEFORE classifying its terminal status, verify the
 After each worker terminates (any terminal status), if its errors sidecar exists, dump it to the run error log using the same resolved paths from the launch prompt:
 
 ```bash
-python3 scripts/okstra-error-log.py append-from-worker \
+okstra error-log append-from-worker \
   --sidecar <absolute-sidecar-path-from-launch-prompt> \
   --out <absolute-errors-log-path-from-launch-prompt> \
   --task-key <taskKey> --agent <agent> --agent-role <role> --model <model>
 ```
 
-For Codex/Gemini wrappers: if the CLI returns non-zero, times out, or hits a rate limit, immediately call `okstra-error-log.py append-observed --error-type cli-failure ...` with the captured exit code, duration, message, and stderr excerpt. The wrapper subagent does this from inside its own Bash tool — Lead does NOT need to re-record. Token usage is NOT available from Agent tool results in real time; it is collected post-hoc at the start of Phase 7.
+For Codex/Gemini wrappers: if the CLI returns non-zero, times out, or hits a rate limit, immediately call `okstra error-log append-observed --error-type cli-failure ...` with the captured exit code, duration, message, and stderr excerpt. The wrapper subagent does this from inside its own Bash tool — Lead does NOT need to re-record. Token usage is NOT available from Agent tool results in real time; it is collected post-hoc at the start of Phase 7.
 
 ## Phase 5.5: Convergence loop
 
@@ -271,7 +271,7 @@ When `task-manifest.json` does not set `convergence.maxRounds`, lead MUST resolv
 
 **Confirmed findings are pruned from the queue.** Findings classified as `full-consensus`, `partial-consensus`, or `worker-unique` MUST NOT appear in any subsequent round's reverify prompt for any worker. `contested` is a final classification assigned only when the last executed round completes and the queue is still non-empty — it is NEVER an intermediate queue label.
 
-If any re-verification batch yields a `verification-error` terminal status, or a worker result fails the contract, Lead MUST record one event per violation via `python3 scripts/okstra-error-log.py append-observed --error-type contract-violation --agent <offending-agent> ...`. Use `agent: "claude-lead"` only when the violation is detected internally without a specific worker.
+If any re-verification batch yields a `verification-error` terminal status, or a worker result fails the contract, Lead MUST record one event per violation via `okstra error-log append-observed --error-type contract-violation --agent <offending-agent> ...`. Use `agent: "claude-lead"` only when the violation is detected internally without a specific worker.
 
 If convergence is disabled, proceed directly to Phase 6 with the raw worker results.
 

package/runtime/agents/workers/claude-worker.md

@@ -104,7 +104,7 @@ If you find yourself thinking "let me double-check section 3" or "I should read
 
 ## Error reporting
 
-This agent is responsible for recording its own tool failures via `scripts/okstra-error-log.py`:
+This agent is responsible for recording its own tool failures via `okstra error-log`:
 
 **Path extraction (BLOCKING).** Before recording anything, extract the absolute sidecar path from the lead's dispatch prompt body:
 

package/runtime/agents/workers/codex-worker.md

@@ -103,7 +103,7 @@ The wrapper exists because Claude Code's Bash permission matcher rejects simple-
 
    c. **Result-file existence check (exit 0 only).** If `exit_code == 0` BUT no file exists at the extracted Result Path, the Codex CLI returned 0 without producing the analysis artifact. Observed failure mode: the CLI streams analysis prose on stdout, hits its token budget or a sandbox EPERM mid-`Write`, and exits 0 with the artifact never persisted. Forwarding the partial stdout silently degrades lead synthesis (the case that motivated this rule), so this path is required.
       1. Capture the final ~10 lines of the wrapper's live log for diagnostics — single Bash call: `tail -n 10 "${prompt_path%.md}.log"` (substitute the literal absolute prompt-history path; the wrapper writes the log next to it per the §"trace pane" comment in `okstra-codex-exec.sh`). Write the captured lines to a temp file (e.g. `<errors-sidecar-dir>/codex-result-missing-tail.txt`) so `--stderr-excerpt-file` can reference it.
-      2. Record a `cli-failure` event directly to the run-level error log via the exact `okstra-error-log.py append-observed` template in §"Error reporting" — substitute `--exit-code 0`, `--duration-ms <observed-ms>`, `--message "okstra-codex-exec.sh exited 0 but no result file at <abs-path>"`, and `--stderr-excerpt-file <temp-tail-path>`.
+      2. Record a `cli-failure` event directly to the run-level error log via the exact `okstra error-log append-observed` template in §"Error reporting" — substitute `--exit-code 0`, `--duration-ms <observed-ms>`, `--message "okstra-codex-exec.sh exited 0 but no result file at <abs-path>"`, and `--stderr-excerpt-file <temp-tail-path>`.
       3. Return `CODEX_RESULT_MISSING: codex exited 0 but result file absent at <abs-path>` instead of the raw stdout. The lead is responsible for deciding redispatch per `okstra-team-contract` "Lead Redispatch Policy on Result-Missing".
 
    d. **Normal return.** Otherwise (`exit_code == 0` AND result file exists), return the wrapper's accumulated stdout from `BashOutput`, prefixed by exactly one model-identity line copied verbatim from the `**Model:** Codex worker, <execution-value>` line in the lead prompt (per Worker Preamble → "Return message to the lead"):
@@ -175,7 +175,7 @@ This contract mirrors the `okstra-team-contract` skill's Worker Output Contract
 ## Error reporting
 
 The wrapper agent (this Codex worker subagent) is responsible for recording
-two kinds of errors via `scripts/okstra-error-log.py`:
+two kinds of errors via `okstra error-log`:
 
 **Path extraction (BLOCKING).** Before recording anything, extract the
 following two absolute paths verbatim from the lead's dispatch prompt body:
@@ -207,7 +207,7 @@ and the run-level error log staying empty.
    the dispatched `bash_id`:
 
    ```bash
-   python3 scripts/okstra-error-log.py append-observed \
+   okstra error-log append-observed \
      --out "<absolute-errors-log-path-from-lead-prompt>" \
      --task-key "<task-key>" \
      --phase "<phase>" \

package/runtime/agents/workers/gemini-worker.md

@@ -103,7 +103,7 @@ The wrapper exists because Claude Code's Bash permission matcher rejects simple-
 
    c. **Result-file existence check (exit 0 only).** If `exit_code == 0` BUT no file exists at the extracted Result Path, the Gemini CLI returned 0 without producing the analysis artifact. Observed failure mode: the CLI streams analysis prose on stdout, hits its token budget or a sandbox EPERM mid-`Write`, and exits 0 with the artifact never persisted. Forwarding the partial stdout silently degrades lead synthesis (the case that motivated this rule), so this path is required.
       1. Capture the final ~10 lines of the wrapper's live log for diagnostics — single Bash call: `tail -n 10 "${prompt_path%.md}.log"` (substitute the literal absolute prompt-history path; the wrapper writes the log next to it per the §"trace pane" comment in `okstra-gemini-exec.sh`). Write the captured lines to a temp file (e.g. `<errors-sidecar-dir>/gemini-result-missing-tail.txt`) so `--stderr-excerpt-file` can reference it.
-      2. Record a `cli-failure` event directly to the run-level error log via the exact `okstra-error-log.py append-observed` template in §"Error reporting" — substitute `--exit-code 0`, `--duration-ms <observed-ms>`, `--message "okstra-gemini-exec.sh exited 0 but no result file at <abs-path>"`, and `--stderr-excerpt-file <temp-tail-path>`.
+      2. Record a `cli-failure` event directly to the run-level error log via the exact `okstra error-log append-observed` template in §"Error reporting" — substitute `--exit-code 0`, `--duration-ms <observed-ms>`, `--message "okstra-gemini-exec.sh exited 0 but no result file at <abs-path>"`, and `--stderr-excerpt-file <temp-tail-path>`.
       3. Return `GEMINI_RESULT_MISSING: gemini exited 0 but result file absent at <abs-path>` instead of the raw stdout. The lead is responsible for deciding redispatch per `okstra-team-contract` "Lead Redispatch Policy on Result-Missing".
 
    d. **Normal return.** Otherwise (`exit_code == 0` AND result file exists), return the wrapper's accumulated stdout from `BashOutput`, prefixed by exactly one model-identity line copied verbatim from the `**Model:** Gemini worker, <execution-value>` line in the lead prompt (per Worker Preamble → "Return message to the lead"):
@@ -175,7 +175,7 @@ This contract mirrors the `okstra-team-contract` skill's Worker Output Contract
 ## Error reporting
 
 The wrapper agent (this Gemini worker subagent) is responsible for recording
-two kinds of errors via `scripts/okstra-error-log.py`:
+two kinds of errors via `okstra error-log`:
 
 **Path extraction (BLOCKING).** Before recording anything, extract the
 following two absolute paths verbatim from the lead's dispatch prompt body:
@@ -207,7 +207,7 @@ and the run-level error log staying empty.
    the dispatched `bash_id`:
 
    ```bash
-   python3 scripts/okstra-error-log.py append-observed \
+   okstra error-log append-observed \
      --out "<absolute-errors-log-path-from-lead-prompt>" \
      --task-key "<task-key>" \
      --phase "<phase>" \

package/runtime/agents/workers/report-writer-worker.md

@@ -101,9 +101,9 @@ Rules (the schema enforces most of these — they are listed here so you know *w
 - Cite file paths and line numbers in every `evidence.primary[].source` / `consensus[].evidence` cell.
 - Preserve every analysis worker's ticket tagging — every row's `ticketId` field carries the ticket key or the task-fallback. For single-ticket runs, set `ticketCoverage` to `{"singleTicket": "<ticket>"}`. For runs that do not require ticket tagging (`release-handoff`, `final-verification`), set `ticketCoverage` to `{"omit": true}`.
 - For `implementation-planning`, populate `implementationPlanning.requirementCoverage` with one row per concrete requirement from the brief / packet, using IDs `R-001`, `R-002`, ... in source order. `coveredBy` MUST name the specific Option Candidate plus Stage/Step that satisfies the requirement. Use `status: "covered"` only when the report's plan actually covers it; otherwise use `gap` or `blocked C-NNN` and ensure the corresponding `Clarification Items` row blocks approval. Do not collapse this into `ticketCoverage`; ticket coverage is not requirement coverage.
-- When the `Task Type` is `improvement-discovery`, populate `## 5.9 Improvement Candidates` with the 10-column schema enforced by `validators/validate-improvement-report.py`. Source the row IDs (`I-NNN`), lens whitelist, and Source workers patterns from `scripts/okstra_ctl/improvement_lenses.py` — do NOT introduce new lens names or worker prefixes. `improvement-discovery` is NOT in the data.json schema enum, so author its markdown directly (not via `okstra-render-final-report.py`). Immediately after writing the markdown, run (`Bash`): `python3 scripts/okstra-inject-report-index.py <markdown path> --report-language <en|ko>`. That adds the top-of-report Index plus `I-NNN` / `C-NNN` scroll anchors; the run validator fails the report when the Index anchor is absent.
+- When the `Task Type` is `improvement-discovery`, populate `## 5.9 Improvement Candidates` with the 10-column schema enforced by `validators/validate-improvement-report.py`. Source the row IDs (`I-NNN`), lens whitelist, and Source workers patterns from `scripts/okstra_ctl/improvement_lenses.py` — do NOT introduce new lens names or worker prefixes. `improvement-discovery` is NOT in the data.json schema enum, so author its markdown directly (not via `okstra-render-final-report.py`). Immediately after writing the markdown, run (`Bash`): `okstra inject-report-index <markdown path> --report-language <en|ko>`. That adds the top-of-report Index plus `I-NNN` / `C-NNN` scroll anchors; the run validator fails the report when the Index anchor is absent.
 
-Write the data.json with your `Write` tool against the absolute `Result Path`. Then invoke the renderer (`Bash`): `python3 scripts/okstra-render-final-report.py <data.json path>`. Confirm both files exist and respond with a short status line prefixed by your model identity, copied verbatim from the `**Model:** Report writer worker, <modelExecutionValue>` line in your dispatch prompt (per Worker Preamble → "Return message to the lead"):
+Write the data.json (and the audit sidecar `.md`) with your `Write` tool — that is the canonical authoring path, and okstra ships no hook that blocks `.md` writes (its only settings hook is the `SessionEnd` trace-cleanup; the coding-preflight hook emits reminders but never blocks). A Bash heredoc is acceptable ONLY when a specific `Write` call is genuinely rejected by the host environment, and it MUST produce byte-identical content — do not reach for it pre-emptively. Then invoke the renderer (`Bash`): `okstra render-final-report <data.json path>`. Confirm both files exist and respond with a short status line prefixed by your model identity, copied verbatim from the `**Model:** Report writer worker, <modelExecutionValue>` line in your dispatch prompt (per Worker Preamble → "Return message to the lead"):
 
 ```
 **Model:** Report writer worker, <modelExecutionValue>

package/runtime/prompts/launch.template.md

@@ -67,8 +67,8 @@ Emit one `PROGRESS: <phase-id> <verb-phrase>` line as plain user-facing text at
 - When dispatching any worker you MUST inject **two header lines** into the dispatch prompt body so the worker subagent can record errors without guessing paths:
   - `**Errors log path:** <absolute run-level errors log path>`
   - `**Errors sidecar path:** <absolute per-worker sidecar path matching the dispatched worker>`
-- These lines are the canonical contract — worker subagents extract them verbatim and pass them to `okstra-error-log.py append-observed --out ...` (run-level cli-failure / contract-violation events) and to their internal sidecar writes (worker-reported tool-failure events) respectively.
-- After each worker terminates, dump its sidecar into the run-level errors log via `python3 scripts/okstra-error-log.py append-from-worker --sidecar <sidecar-path> --out <run-errors-log-path> --task-key {{TASK_KEY}} --agent <worker-id> --agent-role worker --model <assigned-model-execution-value>` (per `okstra-team-contract` Worker Output Contract).
+- These lines are the canonical contract — worker subagents extract them verbatim and pass them to `okstra error-log append-observed --out ...` (run-level cli-failure / contract-violation events) and to their internal sidecar writes (worker-reported tool-failure events) respectively.
+- After each worker terminates, dump its sidecar into the run-level errors log via `okstra error-log append-from-worker --sidecar <sidecar-path> --out <run-errors-log-path> --task-key {{TASK_KEY}} --agent <worker-id> --agent-role worker --model <assigned-model-execution-value>` (per `okstra-team-contract` Worker Output Contract).
 
 ## Executor Worktree
 

package/runtime/prompts/profiles/_implementation-deliverable.md

@@ -44,6 +44,7 @@ are collected and convergence finished. Phase 1-5 do not need it.
    git diff <base>..HEAD | grep -E '^\+[^+].*\b(TBD|TODO|FIXME|XXX|implement later|handle edge cases|similar to|placeholder)\b' || echo 'clean'
    ```
    Only newly-added lines (those starting with `+` and not part of the `+++` header) are inspected. If output is anything other than `clean`, the run MUST either remove the placeholders before finalising or record an explicit justification per occurrence in the final report.
+7. **Stage-foreign literal scrub** — when the report-writer modelled this stage's `data.json` on another stage's report (a common shortcut for structural consistency), stage-specific literals get copied verbatim and silently misattribute this run. Confirm every branch name, commit SHA, stageKey, and stage number in the report resolves to **this** run's stage `<N>` — its worktree branch is `<prefix>-<task-id>-s<N>`, its stageKey `<task-id>-stage-<N>`. Sweep the report for any `-s<M>` / `stage-<M>` / `Stage <M>` where `M ≠ N` and for SHAs not in this run's `Commit list`; each hit is a copy-from-other-stage defect to correct before finalising.
 
 ## Lead post-stage persistence (BLOCKING — runs after the Executor emits `### Stage Carry Evidence`)
 

package/runtime/prompts/profiles/_implementation-executor.md

@@ -24,12 +24,13 @@ until Phase 5 ends, then drop from active context for Phase 6/7.
   - **Language-agnostic principles that ALWAYS bind (the TDD loop below MUST satisfy them):** (1) no self-mocking of the SUT — stub/spy only injected collaborators, never the subject's own methods; (2) behavioral assertions on outcomes (return value, state, persisted rows, events, boundary calls) — never `toHaveBeenCalled*` on an internal helper as the only/primary assertion; (3) truthful names — a `get*` / `find*` that writes/inserts, or a name encoding the caller's use-case (`*ForInit`) or hiding a domain rule (`findValid*`), is a defect; (4) single-purpose functions ≤50 effective lines, plain-English readability.
   - **Graceful degradation (codex / gemini executor runtimes, or any runtime where the `~/.claude/skills/okstra-coding-preflight/` files are absent or unreadable):** do NOT skip the gate — apply the agnostic principles above plus the project's own `CLAUDE.md` / `CONTRIBUTING` / formatter+lint config, and record `coding-conventions: skill-unavailable → applied <project rules + agnostic principles>` in the final report. Never claim a skill read that did not happen.
   - **CLI executor transcription (BLOCKING when the executor provider is `codex` or `gemini`):** the executor CLI process does NOT share the lead's context — a gate that stays in lead memory never reaches it. The lead MUST copy this entire "Coding-conventions preflight" bullet tree (file-read instructions, project review rule packs, agnostic principles, graceful degradation) verbatim into the dispatched executor prompt body. Enforcement: the CLI wrapper agents refuse an implementation-Executor dispatch whose persisted prompt lacks the literal heading `Coding-conventions preflight`, returning `<SENTINEL_PREFIX>_PREFLIGHT_MISSING` (see `agents/workers/_cli-wrapper-template.md` → Prompt Composition).
+- **Non-interactive auto-execution (BLOCKING when the executor provider is `codex` or `gemini`).** A CLI executor runs head-less (`codex exec` / gemini equivalent) — there is no human at the keyboard. Skills loaded during the run (tdd, coding-preflight, and others) contain "get user approval", "state your plan to the user and wait", or "ask before proceeding" gates written for interactive sessions; in this run those gates are **already satisfied** by the upstream `implementation-planning` approval (the plan this stage executes was human-approved). The executor MUST NOT stop to request approval, MUST NOT end its turn after only producing a plan, and MUST carry the stage through end-to-end — RED → GREEN → refactor → per-step commits → `### Stage Carry Evidence`. The ONLY skill step to skip is the interactive user-approval prompt itself; every other skill rule (TDD discipline, conventions, real-IO isolation) still binds. The lead MUST transcribe this bullet verbatim into the dispatched CLI executor prompt (same reason as the preflight transcription rule above — the CLI process does not share lead context). Stopping early for approval in a head-less run is the observed empty-exit failure (exit 0, no diff): treat it as `contract-violated`.
 - **Mandatory TDD loop**: BEFORE the first `Edit` or `Write` call, the executor MUST apply a red-green-refactor loop for every code change in this run. This is required; skipping it is a `contract-violated` outcome. This governs HOW each step is executed (failing test first → minimal implementation → refactor); it does not override the approved plan's WHAT/file scope.
   - Order of operations per plan step: (1) write/extend the test that captures the step's acceptance criterion and confirm it fails for the right reason, (2) commit the failing test (`test(<scope>): ...`), (3) implement the minimum change to make it pass, (4) commit the implementation (`feat|fix(<scope>): ...`), (5) refactor without changing behaviour and commit separately if any cleanup is made (`refactor(<scope>): ...`). The failing-then-passing transition between steps (2) and (4) is the `TDD evidence` required by the final report.
   - Doc-only / config-only / pure-rename steps that have no observable runtime behaviour are exempt from the failing-test requirement, but the executor MUST cite the exemption per step in the final report (`TDD exemption: <reason>`).
   - When the touched area has no existing test harness, the executor MUST stand up the minimum harness needed to host one regression test for this run rather than skipping TDD entirely. Record the harness-bootstrap step as an `Out-of-plan edit` if it is not in the plan.
 - **DB / IO / SQL changes require real execution — mock-only is NOT validation evidence:** when this run's diff touches DB/IO/SQL (ORM / query-builder code — sequelize / typeorm / prisma / knex / raw SQL — `*.repository.*`, model/entity files, `migrations/**`, `*.sql`, or any changed query string), a mocked unit test cannot observe the SQL the query builder actually emits — a mocked suite once passed while `count({ col: 'FontFamily.fontFamily' })` threw `Unknown column` on the real DB. The executor MUST run the change against a real (or faithful-replica) datastore — the `db-test` validation step (plan `validation` db step, else `project.json.qaCommands.db-test`), targeting a **local / replica** DB — and cite its exact command + exit code in the final report's `Validation evidence`. If no real DB / `db-test` command is reachable, do NOT claim the change verified: label the DB portion `정적 분석상 …, 미검증(실행 안 함)` in the report, surface it in the routing recommendation, and never downplay the real run as "too heavy". `git push` stays forbidden (universal list); the unverified DB state is carried forward so `final-verification` cannot accept it and `release-handoff` cannot push.
-- **Real-IO test isolation (BLOCKING).** A test that exercises a **real** datastore, HTTP endpoint, external service, message queue, or filesystem — a live DB connection / DSN, a real `fetch` / `axios` / `http` request, an actual S3 / queue client, anything the project's normal CI test suite cannot run because that backend is absent — MUST be written under the task's qa directory `<task_root>/qa/` (the `TASK_QA_PATH` token; same directory that holds the Tier 3 conformance manifest). It MUST NOT be written into the project source test tree — `src/**`, `test/**`, `tests/**`, `**/__test__/**`, `**/__tests__/**`, `*.spec.*`, `*.test.*`, or anywhere the project's lint/test globs collect. Two reasons: (a) the project's CI / normal suite has no real DB or network, so a real-IO test placed in source silently breaks the pipeline; (b) it is an okstra verification artifact, and the artifact-home rule confines okstra outputs to `.okstra/`. **The dividing line is the IO, not the intent:** a unit test that stubs/spies only *injected collaborators* (mock — no real socket, no real DB handle) is a TDD red-green artifact and stays in source; the moment a test opens a real connection or makes a real network call it belongs in qa. A stage's real-IO requirement check is a Tier 3 conformance script under `<task_root>/qa/` (declared via the implementation-planning conformance entry) — never smuggle real IO into a `*.spec.*` in source to make it run "as a unit test". The `db-test` real-execution gate above is satisfied by the conformance/db-test path against the replica, NOT by adding a live-DB `*.spec.*` to the project suite.
+- **Real-IO test isolation (BLOCKING).** A test that exercises a **real** datastore, HTTP endpoint, external service, message queue, or filesystem — a live DB connection / DSN, a real `fetch` / `axios` / `http` request, an actual S3 / queue client, anything the project's normal CI test suite cannot run because that backend is absent — MUST be written under the task's qa directory `<task_root>/qa/` (the `TASK_QA_PATH` token; same directory that holds the Tier 3 conformance manifest). It MUST NOT be written into the project source test tree — `src/**`, `test/**`, `tests/**`, `**/__test__/**`, `**/__tests__/**`, `*.spec.*`, `*.test.*`, or anywhere the project's lint/test globs collect. Two reasons: (a) the project's CI / normal suite has no real DB or network, so a real-IO test placed in source silently breaks the pipeline; (b) it is an okstra verification artifact, and the artifact-home rule confines okstra outputs to `.okstra/`. **The dividing line is the IO, not the intent:** a unit test that stubs/spies only *injected collaborators* (mock — no real socket, no real DB handle) is a TDD red-green artifact and stays in source; the moment a test opens a real connection or makes a real network call it belongs in qa. A stage's real-IO requirement check is a Tier 3 conformance script under `<task_root>/qa/` (declared via the implementation-planning conformance entry) — never smuggle real IO into a `*.spec.*` in source to make it run "as a unit test". The `db-test` real-execution gate above is satisfied by the conformance/db-test path against the replica, NOT by adding a live-DB `*.spec.*` to the project suite. **These qa artifacts stay untracked — never commit them.** `.okstra/**` is gitignored (the artifact-home rule); conformance scripts and their results are *executed* and recorded in the carry sidecar / verifier result, never written into git history. A committed `.okstra/qa` file is a stage-branch defect that leaks okstra internals into the eventual PR (see the `git add` rules below).
 - re-read the approved plan end-to-end and parse the `## 5.5 Stage Map`. Read the **Stage** injected in the launch prompt (`Stage for this implementation run`): the single stage number this run owns. The runtime already selected and reserved this stage (one run = one stage) — do NOT recompute the start stage from `consumers.jsonl`.
   - load every `runs/<plan-key>/carry/stage-<i>.json` for `i ∈ depends-on(this stage)` and inject them into the executor's working context as "runtime carry-in". For a `depends-on (none)` stage, no sidecar load — task-brief only.
   - this stage's `depends-on` are all already `status:done`. Its file list, step order, Stage Validation commands, Stage Exit Contract, and rollback path are the authoritative scope.
@@ -58,6 +59,7 @@ until Phase 5 ends, then drop from active context for Phase 6/7.
 - read-only inspection commands: `git status`, `git diff`, `git log`, `grep`, `rg`, `find`, `cat`, `ls`, file Read tools
 - build, lint, type-check, and test commands (`npm test`, `pytest`, `go build`, `cargo test`, `bash -n`, etc.)
 - **local git operations only**: `git add`, `git commit`. Prefer small commits keyed to plan steps.
+- **No okstra artifacts in commits (BLOCKING).** Never use `git add -f`. Before every `git commit`, run `git diff --cached --name-only` and confirm it contains zero `.okstra/` paths (and zero `.project-docs/` paths when the legacy symlink is present). `.okstra/**` is gitignored; force-staging it onto the stage branch is the one way these verification artifacts reach the upstream PR. Conformance/qa evidence belongs in the carry sidecar and verifier result — committing it is never correct, even when a step's instructions seem to ask for it.
 - **Commit message format (mandatory)**: every commit message MUST follow Conventional Commits — `<type>(<scope>): <subject>` for the first line, optional body separated by a blank line, optional footer. Constraints:
   - `<type>` MUST be one of: `feat` / `fix` / `perf` / `revert` / `deps` / `docs` / `refactor` / `build` / `ci` / `chore` / `test`. When the repo is `release-please`-managed, this aligns the commit with a configured changelog section.
   - `<scope>` SHOULD be the plan step identifier or the primary module touched (e.g. `feat(report-writer): ...`). Omit the parentheses only when no meaningful scope applies.

package/runtime/prompts/profiles/_implementation-verifier.md

@@ -96,6 +96,7 @@ Re-running commands proves the diff *builds and passes*; it does NOT prove the d
   - **Tautological delegation assertion:** a test asserts the SUT result equals a direct call to the same pure helper/collaborator that the SUT delegates to, instead of asserting an independent literal value or observable state.
   - **Untruthful name:** a read-named function (`get*` / `find*` / `load*`) that writes/inserts/mutates; an adapter or repository name encoding the caller's use-case (`*ForInit`) or hiding a domain rule (`findValid*` / `findActive*`).
   - **Hexagonal (only when the overlay is loaded):** business logic inside a port body; an adapter method that is not pure I/O (post-fetch JS filtering on domain state, domain-rule evaluation); a domain object declared outside the `domain/` boundary.
+  - **okstra artifact committed to the branch:** any path in the `git diff --name-only <base>...HEAD` enumeration that lives under `.okstra/` (or `.project-docs/` when the legacy symlink is present). `.okstra/**` is gitignored, so a committed okstra file means the executor force-staged it (`git add -f`) — leaking verification artifacts (qa scripts, conformance results) into the eventual PR. Cite the path; recommend `git rm --cached <path>` to untrack it while keeping the file on disk. Conformance/qa evidence belongs in the carry sidecar / verifier result, never in git history.
   - **Real-IO test in source tree:** a changed/added test under the project source test tree — `src/**`, `test/**`, `tests/**`, `**/__test__/**`, `**/__tests__/**`, `*.spec.*`, `*.test.*` — that opens a **real** DB connection / DSN, makes a real `fetch` / `axios` / `http` request, or otherwise hits real external IO without mocking the injected collaborator (a live handle, not a stub/spy). Real-IO tests MUST live under `<task_root>/qa/` per the executor's *Real-IO test isolation* rule — a live-IO test in source silently breaks the project's CI suite and violates the artifact-home rule. Cite the test file + the real-IO line; recommend moving it to `<task_root>/qa/` (or declaring it as a Tier 3 conformance script). Mock-only unit tests in source are NOT a hit.
 - **Advisory findings (recorded as recommendations; verdict MAY still PASS):** function >50 effective lines, a single body mixing read+write stages, weak readability, a missing-but-non-critical outcome assertion, newly orphaned private/public code that is safe to remove but not on a critical path, or weak-but-not-misleading names. These land in the verifier result as `should-fix` / `nit` recommendations, not as a `FAIL`.
 - **Output.** Every finding — blocking or advisory — is a structured item in the verifier's worker result (`path:line`, rule, severity, suggested fix) so it carries into Phase 5.5 convergence and the final report. A blocking hit sets the verifier verdict to `FAIL` with the rule cited, using the same verdict machinery as the Discrepancy rule above. `Claude lead` MUST NOT silently downgrade a cited blocking finding to advisory during synthesis; an override requires a concrete cited reason, exactly as for the Discrepancy rule.

package/runtime/prompts/profiles/improvement-discovery.md

@@ -33,7 +33,7 @@
   - `Consensus` cells in `## 5.9 Improvement Candidates` use the table enum exactly: `full`, `partial`, `contested`, `worker-unique`. Map convergence's `full-consensus` / `partial-consensus` labels to `full` / `partial` before writing the table.
   - `## 7. Final Verdict` Verdict Token ∈ {`candidates-ready`, `no-candidates`, `blocked`}; Direction `routing`; Next Step "사용자에게 후보 K개 선택 의뢰 (## 5.9 표 참조)"
   - `## 3. Recommended Next Steps` first entry summarises per-candidate routing and proposes new task-key names of the form `<task-group>/imp-<Cand-ID>`
-  - this report is authored free-form (improvement-discovery is not in the data.json schema enum); after the markdown is written, the report-writer runs `scripts/okstra-inject-report-index.py <report.md> --report-language <en|ko>` to add the top-of-report Index + `I-NNN`/`C-NNN` scroll anchors. The run validator fails the report when the Index anchor is missing.
+  - this report is authored free-form (improvement-discovery is not in the data.json schema enum); after the markdown is written, the report-writer runs `okstra inject-report-index <report.md> --report-language <en|ko>` to add the top-of-report Index + `I-NNN`/`C-NNN` scroll anchors. The run validator fails the report when the Index anchor is missing.
 - Clarification request policy (phase-specific addenda — shared policy is in `_common-contract.md`):
   - if scan-scope or priority-lenses cannot be made concrete during Phase 1.5, end the run with Verdict Token `blocked`, populate `## 1. Clarification Items` with `Blocks=next-phase` rows, and do not run worker dispatch
   - every clarification row carries a recommended answer + one-line rationale inside the `Expected form` cell

package/runtime/prompts/wizard/prompts.ko.json

@@ -168,7 +168,7 @@
       "echo_template": "approved-plan: {value}"
     },
     "approve_plan_confirm": {
-      "label": "이 플랜으로 implementation 을 진행할까요?\n  {path}\n· 예 — 진행합니다. 플랜이 아직 승인 전이면 지금 data.json(정본) + 리포트를 함께 approved 로 처리한 뒤 진행합니다. (markdown 만 손으로 고치면 일관성 검증에서 거부되므로 이 경로로 승인하세요.)\n· 아니오 — 진행하지 않습니다.",
+      "label": "이 플랜으로 진행할까요?\n  {path}\n· 예 — 진행합니다. 플랜이 아직 승인 전이면 지금 data.json(정본) + 리포트를 함께 approved 로 처리한 뒤 진행합니다. (markdown 만 손으로 고치면 일관성 검증에서 거부되므로 이 경로로 승인하세요.)\n· 아니오 — 진행하지 않습니다.",
       "echo_template": "approve-plan: {value}",
       "options": {
         "yes": "예 — 승인하고 진행",
@@ -179,16 +179,19 @@
         "approved": "approved-plan: {path} (승인·진행 확인됨)"
       },
       "errors": {
-        "declined": "진행을 선택하지 않으면 implementation 을 시작할 수 없습니다. 진행(예)하거나 위저드를 종료하세요.",
+        "declined": "진행을 선택하지 않으면 다음 단계로 넘어갈 수 없습니다. 진행(예)하거나 위저드를 종료하세요.",
         "still_unapproved": "approve-plan: 승인 처리 후에도 승인 상태가 아닙니다 (data.json/markdown 불일치): {path}"
       }
     },
     "stage_pick": {
       "label": "stage 범위를 선택하세요. auto 는 전체 task(모든 stage)를, 특정 번호는 해당 stage 만 대상으로 합니다.",
+      "label_final_verification": "검증할 implementation stage 를 선택하세요.",
       "echo_template": "stage: {value}",
       "options": {
         "auto": "auto (다음 미완료 stage)",
-        "auto_final_verification": "auto (전체 task — 모든 stage 머지 후 한 번)"
+        "whole_task": "전체 task 검증 (모든 stage)",
+        "done_mark": "[done]",
+        "undone_mark": "[미완]"
       }
     },
     "directive_pick": {
@@ -367,6 +370,7 @@
   },
   "confirmation": {
     "header": "선택 확인:",
-    "workers_implementation_default": "  workers       : (프로필 기본 — executor + verifier 2 + report-writer)"
+    "workers_implementation_default": "  workers       : (프로필 기본 — executor + verifier 2 + report-writer)",
+    "stage_whole_task": "전체 task"
   }
 }

package/runtime/python/okstra_ctl/conformance.py

@@ -258,6 +258,23 @@ def apply_qa_waiver(manifest: object, stage_key: str, reason: str, *, at: str,
     return False
 
 
+def clear_qa_waiver(manifest: object, stage_key: str) -> bool:
+    """stage_key entry 의 `waiver` 를 제거한다(in place). 제거했으면 True.
+
+    한 stage 의 새 run 이 시작될 때, 그 stage entry 에 남아 있던 이전 run 의
+    waiver(예: all-gate run 이 미래 stage 를 미리 waive 한 것)는 stale 다 —
+    그대로 두면 verifier 가 conformance 를 skip 해 마스킹된다. 이 run 이 실제로
+    검증하도록 제거한다. 사용자가 이번 run 에 같은 stage 를 명시 waive 한
+    경우(--qa-waiver)는 호출 측에서 걸러 보존한다."""
+    entries = manifest.get("entries") if isinstance(manifest, dict) else None
+    if not isinstance(entries, list):
+        return False
+    for entry in entries:
+        if isinstance(entry, dict) and entry.get("stageKey") == stage_key:
+            return entry.pop("waiver", None) is not None
+    return False
+
+
 def manifest_required_surfaces(manifest: object) -> set[str]:
     """매니페스트 전 entry 의 `requires` 합집합 — 선언된 surface 집합."""
     entries = manifest.get("entries") if isinstance(manifest, dict) else None

package/runtime/python/okstra_ctl/paths.py

@@ -124,14 +124,17 @@ def compute_run_paths(
     timeline_file = history_dir / "timeline.json"
 
     run_dir = runs_dir / task_type_segment
-    # implementation stage isolation: each stage's run artifacts live in a
-    # dedicated `stage-<N>` subtree (mirrors the per-stage worktree) so two
-    # concurrent `implementation` runs never share reports/state/worker-results.
+    # Stage isolation: each stage's run artifacts live in a dedicated
+    # `stage-<N>` subtree (mirrors the per-stage worktree) so two concurrent
+    # runs of the same task-key never share reports/state/worker-results.
+    # Applies to `implementation` and single-stage `final-verification`
+    # (whole-task final-verification has stage=None and stays flat).
     # consumers.jsonl + the worktree registry stay at the task-type level (the
     # shared stage ledger / occupancy SSOT); they are computed OUTSIDE this
     # function and are intentionally NOT stage-scoped. Other task-types have no
     # stage concept, so their run_dir is unchanged.
-    if task_type_segment == "implementation" and stage is not None:
+    if (task_type_segment in ("implementation", "final-verification")
+            and stage is not None):
         run_dir = run_dir / f"stage-{int(stage)}"
     run_manifests = run_dir / "manifests"
     run_state = run_dir / "state"

package/runtime/python/okstra_ctl/render.py

@@ -1681,11 +1681,18 @@ def inject_lead_prompt_computed_tokens(ctx: dict) -> None:
         )
     else:
         team_name = f'okstra-{ctx.get("TASK_KEY", "")}'
-        stage = str(ctx.get("EFFECTIVE_STAGES", "") or "").strip()
-        if task_type == "implementation" and stage:
+        impl_stage = str(ctx.get("EFFECTIVE_STAGES", "") or "").strip()
+        fv_stage = str(ctx.get("RUN_STAGE", "") or "").strip()
+        if task_type == "implementation" and impl_stage:
             # stage 격리 run 은 stage 별 team — 같은 task 의 다른 stage 가 남긴
             # team 과 이름이 충돌하지 않는다(worktree branch `-s<N>` 접미사와 동형).
-            team_name = f"{team_name}-s{stage}"
+            team_name = f"{team_name}-s{impl_stage}"
+        elif task_type == "final-verification" and fv_stage:
+            # 단일-stage final-verification 도 stage 별 team. `-fv-` 를 끼워
+            # 같은 stage 의 implementation team(`-s<N>`)과도 구분한다 — 둘은
+            # 동시에 살아 있을 수 있다. whole-task 검증(RUN_STAGE 빈 값)은
+            # 기본 이름 유지.
+            team_name = f"{team_name}-fv-s{fv_stage}"
         team_creation_gate_block = (
             "## Team Creation Gate (BLOCKING)\n"
             "\n"

package/runtime/python/okstra_ctl/run.py

@@ -81,7 +81,11 @@ from .workers import (
 )
 from .workflow import compute_workflow_state
 from .locks import worktree_provision_mutex
-from .worktree import provision_task_worktree
+from .worktree import (
+    WorktreeProvision,
+    okstra_clean_gate_excludes,
+    provision_task_worktree,
+)
 
 # Frontmatter approval-flag matcher.
 #
@@ -1151,6 +1155,46 @@ def _apply_qa_waiver_if_requested(inp: "PrepareInputs", project_root: Path) -> N
     manifest_path.write_text(json.dumps(manifest, indent=2, ensure_ascii=False) + "\n")
 
 
+def _clear_stale_stage_waiver(inp: "PrepareInputs", project_root: Path, stage: int) -> None:
+    """A fresh `implementation` run of stage N must not inherit a waiver left on
+    its conformance entry by an earlier run (e.g. an all-gate run that pre-waived
+    future stages, or an abandoned attempt). A stale waiver makes the verifier
+    skip Tier 3 conformance and silently mask this stage, so clear it — UNLESS
+    the user re-waived this exact stage for this run via `--qa-waiver` (already
+    applied upstream in `_apply_qa_waiver_if_requested`)."""
+    from .conformance import clear_qa_waiver, parse_qa_waiver_arg
+    from .paths import task_dir
+    manifest_path = (
+        task_dir(project_root, inp.task_group, inp.task_id)
+        / "qa" / "conformance-manifest.json"
+    )
+    if not manifest_path.is_file():
+        return
+    manifest = json.loads(manifest_path.read_text())
+    entries = manifest.get("entries") if isinstance(manifest, dict) else None
+    if not isinstance(entries, list):
+        return
+    # The manifest stageKey is `<task-id>-stage-<N>` authored by planning; match
+    # on the `-stage-<N>` suffix so we do not assume the task-id's exact form.
+    suffix = f"-stage-{stage}"
+    stage_key = next(
+        (e["stageKey"] for e in entries
+         if isinstance(e, dict) and isinstance(e.get("stageKey"), str)
+         and e["stageKey"].endswith(suffix)),
+        None,
+    )
+    if stage_key is None:
+        return
+    if inp.qa_waiver:
+        parsed = parse_qa_waiver_arg(inp.qa_waiver)
+        if parsed is not None and parsed[0] == stage_key:
+            return  # user intentionally waived this stage for this run
+    if clear_qa_waiver(manifest, stage_key):
+        manifest_path.write_text(
+            json.dumps(manifest, indent=2, ensure_ascii=False) + "\n"
+        )
+
+
 def _register_and_check_project(project_root: Path, inp: PrepareInputs) -> None:
     """project.json self-registration + (implementation 한정) qaCommands gate 검증."""
     from okstra_project import ResolverError
@@ -1493,10 +1537,22 @@ def _is_ancestor(cwd, commit, head) -> bool:
 
 
 def _is_dirty_excluding_okstra(cwd) -> bool:
-    out = _git_out(cwd, "status", "--short", "--", ".", ":(exclude).okstra")
+    excludes = [f":(exclude){p}" for p in okstra_clean_gate_excludes(Path(cwd))]
+    out = _git_out(cwd, "status", "--short", "--", ".", *excludes)
     return bool(out.strip())
 
 
+def _single_stage_final_verification_worktree(inp: "PrepareInputs") -> WorktreeProvision:
+    """Placeholder until the selected stage registry row is resolved."""
+    return WorktreeProvision(
+        status="deferred-final-verification",
+        note=(
+            "final-verification single-stage uses the selected implementation "
+            "stage worktree from the registry"
+        ),
+    )
+
+
 def _reserve_final_verification_target(
     inp: "PrepareInputs", ctx: dict, ctx_stage_map: list,
 ) -> None:
@@ -1519,6 +1575,7 @@ def _reserve_final_verification_target(
         row = _reg.get_stage_row(inp.project_id, inp.task_group, inp.task_id, n)
         wt_path = (row or {}).get("worktree_path", "")
         stage_base = (row or {}).get("base_ref", "")
+        stage_branch = (row or {}).get("branch", "")
         head = _git_out(wt_path, "rev-parse", "HEAD") if wt_path else ""
         target = _resolve_single_stage_target(
             requested_stage=inp.stage, done_rows=done_rows,
@@ -1527,6 +1584,12 @@ def _reserve_final_verification_target(
             stage_dirty=_is_dirty_excluding_okstra(wt_path) if wt_path else False,
         )
         ctx["EXECUTOR_WORKTREE_PATH"] = wt_path
+        ctx["EXECUTOR_WORKTREE_BRANCH"] = stage_branch
+        ctx["EXECUTOR_WORKTREE_BASE_REF"] = stage_base
+        ctx["EXECUTOR_WORKTREE_STATUS"] = "reused-stage"
+        ctx["EXECUTOR_WORKTREE_NOTE"] = (
+            f"final-verification uses implementation stage {n} worktree"
+        )
     else:
         wt_path = ctx["EXECUTOR_WORKTREE_PATH"]
         anchor = _reg.get_implementation_base(
@@ -1803,38 +1866,52 @@ def prepare_task_bundle(inp: PrepareInputs) -> PrepareOutputs:
     with worktree_provision_mutex(
         okstra_home(), inp.project_id, task_group_segment, task_id_segment,
     ):
-        try:
-            worktree = provision_task_worktree(
-                task_type=inp.task_type,
-                project_root=project_root,
-                project_id=inp.project_id,
-                task_group_segment=task_group_segment,
-                task_id_segment=task_id_segment,
-                work_category=inp.work_category,
-                base_ref=inp.base_ref,
-                require_base_ref=True,
-            )
-        except RuntimeError as exc:
-            raise PrepareError(
-                f"task worktree provisioning failed: {exc}"
-            ) from exc
+        if inp.task_type == "final-verification" and inp.stage and inp.stage != "auto":
+            worktree = _single_stage_final_verification_worktree(inp)
+            # Single-stage final-verification namespaces its run path under
+            # runs/final-verification/stage-<N> (same isolation as
+            # implementation) so concurrent per-stage verifications never
+            # share state/reports/worker-results.
+            fv_stage_arg = int(inp.stage)
+        else:
+            fv_stage_arg = None
+            try:
+                worktree = provision_task_worktree(
+                    task_type=inp.task_type,
+                    project_root=project_root,
+                    project_id=inp.project_id,
+                    task_group_segment=task_group_segment,
+                    task_id_segment=task_id_segment,
+                    work_category=inp.work_category,
+                    base_ref=inp.base_ref,
+                    require_base_ref=True,
+                )
+            except RuntimeError as exc:
+                raise PrepareError(
+                    f"task worktree provisioning failed: {exc}"
+                ) from exc
 
         # ---- implementation stage selection (path-independent) ----
         # Resolve + provision the stage BEFORE run-path compute so RUN_DIR
         # lands in runs/implementation/stage-<N>. The registry stage-key is
         # reserved exactly once here (inside provision_stage_worktree), and
         # the surrounding mutex makes the registry read in stage selection
-        # and that reserve atomic. Non-implementation task-types skip this
-        # entirely → stage_arg stays None → identical paths.
+        # and that reserve atomic. Other task-types skip this selection;
+        # single-stage final-verification threads its explicit stage via
+        # fv_stage_arg, everything else keeps stage_arg=None (flat paths).
         if inp.task_type == "implementation":
             impl_stage_selection = _select_and_provision_implementation_stage(
                 inp, ctx_stage_map, task_group_segment, task_id_segment,
                 task_key, worktree.status,
             )
             stage_arg = impl_stage_selection.stage
+            # Drop any stale waiver on this stage so the run actually verifies
+            # conformance (kept inside the per-task-key mutex so concurrent
+            # same-task runs don't race the manifest write).
+            _clear_stale_stage_waiver(inp, project_root, impl_stage_selection.stage)
         else:
             impl_stage_selection = None
-            stage_arg = None
+            stage_arg = fv_stage_arg
 
     ctx = compute_and_write_run_context(
         workspace_root=workspace_root, project_root=project_root,