fix(isolation): close all 4 subissues of tracker #228 (worktree, resume, persistence) (#234)

* fix(isolation): close all 4 subissues of tracker #228

Lands v1 scope of every subissue under tracker #228. Friction observed
across two campaigns on 2026-05-27 (paper-burst + cross-account-signal-
pooling) where the experiment worktree's isolation guarantee was
silently undermined: executors `cd` to the parent repo to use
gitignored deps, write Python modules into the worktree without
declaring them as code_changes, and on resume occasionally hit
unreplaced-placeholder errors.

Closes #229 — `target_system.worktree_extras` schema field +
  auto-symlink gitignored deps from main into each experiment
  worktree on creation. Each entry must be a non-empty relative path
  resolving under repo_path; absolute paths and ../ traversal are
  rejected at creation time. Source must exist. On extras failure,
  the half-built worktree + branch are cleaned up before re-raising
  (no leak). Symlinks live inside the worktree dir, so
  `git worktree remove --force` reaps them with the rest of the dir.

Closes #230 — Pre-cleanup `git status --porcelain` warns on
  undeclared writes; surfaced in `findings.json` under a new optional
  `worktree_uncommitted_writes` key (schema-allowed). Filters
  symlinks (orchestrator-managed inputs from #229) and any path
  declared in `bundle.arms[].code_changes[].file`. Tripwire only —
  never blocks cleanup.

Closes #231 — "Worktree discipline" guidance added to
  `execute_analyze.md` (full) and `execute_analyze_thin.md`. Tells
  the executor: stay in the worktree, reference parent assets via
  `worktree_extras` symlinks (relative paths, not absolute paths
  into main), declare any new files via `code_changes`. Prose-only
  change — no new placeholders, no behavior change to dispatch.

Closes #232 — Forensic logging in `prompt_loader.py`: when
  rendering fails on unreplaced placeholders, log
  `template`, `resolved_path`, `missing_placeholders`, and
  `context_keys` at ERROR before raising. Diagnostic only — no
  speculative fix for the resume-time bug. The intermittent
  Unreplaced-placeholders failure on iter-2 EXECUTE_ANALYZE is
  gated on reproduction; this PR ships the seine.

Refs #228 (tracker).

## Test plan

- 1167 passed, 1 skipped (was 1133 + 1 in #227 baseline; +34 new
  behavioral tests).
- All tests use real on-disk fixtures or seam-injected fakes per
  CLAUDE.md (no live LLM calls).
- New behavioral coverage:
  - test_worktree.py: TestWorktreeExtras (9), TestDetectUndeclared
    Writes (6), TestDeclaredCodeChangePaths (5), TestRecord
    UndeclaredWritesInFindings (5)
  - test_prompt_loader.py: TestWorktreeDisciplineGuidance (3),
    TestPlaceholderDiagnosticLogging (2)

## Out of scope (v2 — explicit, in tracker #228)

- Post-execution `git -C <main> diff` fail-loud check on main's
  working tree (defense in depth for #229)
- `auto_capture_writes` synthetic `code_changes` flag (alternative
  for #230)
- Actual fix for the resume-time placeholder bug (gated on
  reproduction; #232 ships the diagnostic)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(review): address PR #234 review findings

Addresses 4 reviewer reports against PR #234. All findings actioned
except those explicitly out of scope (silent-failure-hunter's "write
to sibling file" alternative — overkill given the tripwire is
non-blocking).

## Critical fixes

1. **Porcelain parser rewrite** (orchestrator/worktree.py)
   The substring filter `"M" in status` was too loose (matched
   phantom code combinations) and too narrow (missed staged-add `A`,
   renames `R`, copies `C`, typechanges `T`). Rename paths in
   porcelain v1 use `orig -> new` syntax that the old parser
   reported as a single garbage path.

   New: explicit `_PORCELAIN_WRITE_CODES` set, `_parse_porcelain_line`
   helper that splits rename destinations correctly. Untracked is
   handled via the `??` special case; deletions (`D`) are documented
   as intentionally NOT surfaced (removing a file isn't a "write").

2. **Tripwire hoisted into execute-incomplete branch**
   (orchestrator/iteration.py) The original implementation only ran
   `detect_undeclared_writes` on EXECUTE_ANALYZE success. But that's
   exactly when undeclared writes matter LEAST — the executor wrote
   findings.json and likely declared what it needed. The case that
   matters MOST is `_missing_execute_artifacts` (max-turn exhaustion,
   subprocess crash) where the executor wrote partial code and never
   got to declare it. New `_detect_undeclared_writes_for_iter`
   helper runs in both branches; results land in retry_log.jsonl
   on incomplete and findings.json on success.

3. **`detect_undeclared_writes` git-failure log: DEBUG → WARNING**
   The whole point of the helper is "turn silent loss into an
   auditable trail." Swallowing diagnostic failures at DEBUG
   re-introduces the silent loss for the failure case. Now logs at
   WARNING with returncode + stderr.

4. **`_declared_code_change_paths` YAML failure logged at ERROR**
   bundle.yaml is a system boundary; corruption is operator-
   actionable. Previously: silent empty-set return. Now: ERROR log
   naming the parse error and the bundle path before returning empty.

## Important fixes

5. **`except BaseException` → `except Exception`** in
   create_experiment_worktree's extras-cleanup path. BaseException
   catches KeyboardInterrupt/SystemExit; we don't want to trigger a
   `git worktree remove` subprocess on Ctrl-C.

6. **Existing-path collision in `_link_worktree_extras`** now logs a
   loud, explanatory WARNING (was a quiet warn-and-continue) — names
   the collision, explains why declaring a tracked path as an extra
   is almost certainly a misconfiguration, and tells the operator
   how to fix.

7. **`_record_undeclared_writes_in_findings` JSON failure logged at
   ERROR** with the undeclared-paths list. Previously: silent return.
   Now the operator can recover the list from logs even when
   findings.json is corrupt.

8. **Parity: success branch now uses `experiment_id` AND
   `experiment_dir` guards**, matching the cleanup path's
   `experiment_id` guard. A future refactor that decouples them
   won't silently disable the tripwire.

## Test additions (+8 behavioral tests)

- `test_modify_then_stage_flagged` — porcelain MM
- `test_added_staged_file_flagged` — porcelain A
- `test_renamed_file_reports_destination` — rename parser
- `test_deleted_file_not_flagged` — codify the D-skip behavior
- `test_renamed_destination_can_be_declared` — declared-paths
  filter survives rename round-trip
- `test_git_failure_logs_warning` — diagnostic failures aren't silent
- `test_malformed_findings_logs_error_with_paths` — recovery info in logs
- `test_corrupted_bundle_logs_error` — bundle corruption is loud

## Test relaxations (review-flagged brittleness)

- `TestWorktreeDisciplineGuidance` no longer asserts the literal
  string "Do not `cd` to the parent repo" — anchors on
  "Worktree discipline", "worktree_extras", "code_changes" instead.
  Editorial prose tweaks won't break the test; the *concepts* still
  must be present.
- `test_logs_missing_placeholders_and_context_keys` now matches by
  substring (not exact list-repr). A future format swap (JSON,
  comma-joined) preserves the diagnostic intent.

## Test plan

- 1175 passed, 1 skipped (was 1167; +8 new). Zero regressions.
- All tests behavioral; real on-disk git repos in tmp_path; caplog
  for diagnostic-line assertions.

Refs #228, closes #229 #230 #231 #232 (v1).

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: sriumcp

orchestrator/iteration.py

@@ -48,6 +48,97 @@ class IterationOutcome(str, Enum):
 
 TEMPLATES_DIR = Path(__file__).resolve().parent / "templates"
 SCHEMAS_DIR = Path(__file__).resolve().parent / "schemas"
+
+
+def _declared_code_change_paths(bundle_path: Path) -> set[str]:
+    """Read ``bundle.yaml`` and return every ``arms[].code_changes[].file``
+    declared on any arm (#230).
+
+    Returns the set of declared file paths verbatim — paths are NOT
+    normalized. If the bundle declares an absolute path or a ``./``-
+    prefixed path, it won't match the relative paths that
+    ``detect_undeclared_writes`` reports; that mismatch is the bundle
+    author's responsibility (the bundle schema already constrains
+    ``file`` shape).
+
+    Returns an empty set when the bundle is missing or declares no
+    ``code_changes``. A YAML parse failure is logged at ERROR (the
+    bundle is a system boundary; corruption is operator-actionable)
+    and an empty set returned so cleanup proceeds.
+    """
+    if not bundle_path.exists():
+        return set()
+    try:
+        bundle = yaml.safe_load(bundle_path.read_text()) or {}
+    except yaml.YAMLError as exc:
+        logger.error(
+            "_declared_code_change_paths: bundle.yaml parse failed at %s "
+            "(%s); treating as if no code_changes were declared. Every "
+            "executor write will be flagged as undeclared until this is fixed.",
+            bundle_path, exc,
+        )
+        return set()
+    arms = bundle.get("arms") or []
+    declared: set[str] = set()
+    for arm in arms:
+        if not isinstance(arm, dict):
+            continue
+        for change in arm.get("code_changes") or []:
+            if isinstance(change, dict) and isinstance(change.get("file"), str):
+                declared.add(change["file"])
+    return declared
+
+
+def _record_undeclared_writes_in_findings(
+    findings_path: Path,
+    undeclared: list[str],
+) -> None:
+    """Merge ``worktree_uncommitted_writes`` into ``findings.json`` (#230).
+
+    No-op if findings.json is missing — the cleanup may be running in
+    the execute-incomplete branch where findings was never produced
+    (the caller surfaces the data via retry_log there instead).
+
+    A JSONDecodeError on the existing findings is logged at ERROR
+    (corrupted findings is operator-actionable) and the function
+    returns without writing — modifying a corrupt JSON file would
+    only make recovery harder.
+    """
+    if not undeclared or not findings_path.exists():
+        return
+    try:
+        findings = json.loads(findings_path.read_text())
+    except json.JSONDecodeError as exc:
+        logger.error(
+            "_record_undeclared_writes_in_findings: findings.json at %s "
+            "is not valid JSON (%s); the undeclared-writes list will not "
+            "be persisted. Undeclared paths: %s",
+            findings_path, exc, undeclared,
+        )
+        return
+    findings["worktree_uncommitted_writes"] = sorted(set(undeclared))
+    atomic_write(findings_path, json.dumps(findings, indent=2) + "\n")
+
+
+def _detect_undeclared_writes_for_iter(
+    iter_dir: Path,
+    experiment_dir: Path,
+) -> list[str]:
+    """Detect undeclared writes in ``experiment_dir`` and log a WARNING
+    if any are found (#230). Returns the list so the caller can decide
+    where to persist it (findings.json on success, retry_log on
+    incomplete). Pure tripwire — never raises, never blocks cleanup."""
+    from orchestrator.worktree import detect_undeclared_writes
+    declared = _declared_code_change_paths(iter_dir / "bundle.yaml")
+    undeclared = detect_undeclared_writes(experiment_dir, declared)
+    if undeclared:
+        logger.warning(
+            "Executor wrote %d files in the experiment worktree "
+            "without declaring them in bundle.arms[].code_changes; "
+            "they will be lost on cleanup: %s",
+            len(undeclared), undeclared[:20],
+        )
+    return undeclared
 DEFAULTS_PATH = Path(__file__).resolve().parent / "defaults.yaml"
 _ARM_TYPE_RE = re.compile(r"^[a-zA-Z0-9_-]+$")
 
@@ -960,8 +1051,9 @@ def _max_turns_for(phase_key: str) -> int:
                 create_experiment_worktree,
                 remove_experiment_worktree,
             )
+            extras = campaign.get("target_system", {}).get("worktree_extras") or []
             experiment_dir, experiment_id = create_experiment_worktree(
-                Path(repo_path), iteration,
+                Path(repo_path), iteration, extras=extras,
             )
             (iter_dir / ".experiment_id").write_text(experiment_id)
             print(f"  Experiment worktree: {experiment_dir}")
@@ -1007,13 +1099,22 @@ def _max_turns_for(phase_key: str) -> int:
         # "X not found" from validate_execution.
         missing = _missing_execute_artifacts(iter_dir)
         if missing:
+            # #230: even on incomplete, the executor may have written
+            # partial code into the worktree — exactly the case where
+            # undeclared writes matter most. Capture before cleanup.
+            incomplete_undeclared: list[str] = []
+            if repo_path and experiment_id and experiment_dir is not None:
+                incomplete_undeclared = _detect_undeclared_writes_for_iter(
+                    iter_dir, experiment_dir,
+                )
             from orchestrator.metrics import log_retry_event
             log_retry_event(work_dir / "llm_metrics.jsonl", {
                 "iteration": iteration,
                 "phase": "execute-analyze",
                 "failure_type": "execute_incomplete",
                 "missing_artifacts": missing,
                 "max_turns": _max_turns_for("execute_analyze"),
+                "undeclared_writes": incomplete_undeclared,
             })
             # Clean up the experiment worktree so a re-run isn't blocked.
             if repo_path and experiment_id:
@@ -1031,6 +1132,18 @@ def _max_turns_for(phase_key: str) -> int:
                 "Executor artifacts failed post-check validation: %s",
                 result["errors"],
             )
+        # #230: surface undeclared writes that would be lost when the
+        # worktree is removed below. Persist into findings.json so the
+        # design agent on iter-N+1 can see what to declare in
+        # ``code_changes``. Tripwire only — never blocks cleanup.
+        if repo_path and experiment_id and experiment_dir is not None:
+            undeclared = _detect_undeclared_writes_for_iter(
+                iter_dir, experiment_dir,
+            )
+            if undeclared:
+                _record_undeclared_writes_in_findings(
+                    iter_dir / "findings.json", undeclared,
+                )
         # Clean up worktree only on success
         if repo_path and experiment_id:
             remove_experiment_worktree(Path(repo_path), experiment_id)

orchestrator/prompt_loader.py

@@ -60,9 +60,21 @@ def load(self, template_name: str, context: dict[str, str]) -> str:
 
         remaining = _PLACEHOLDER_RE.findall(text)
         if remaining:
+            missing = sorted(set(remaining))
+            # #232: forensic logging on the resume-time placeholder bug.
+            # The error message names the missing placeholders; we add
+            # what keys WERE present in the context so the next
+            # occurrence produces evidence pointing at the actual cause
+            # (phase string mismatch, stale loader, resume-path field
+            # uninitialized, ...).
+            logger.error(
+                "prompt render failed: template=%s resolved_path=%s "
+                "missing_placeholders=%s context_keys=%s",
+                template_name, path, missing, sorted(context.keys()),
+            )
             raise ValueError(
                 f"Unreplaced placeholders in {template_name}.md: "
-                f"{', '.join(sorted(set(remaining)))}"
+                f"{', '.join(missing)}"
             )
 
         logger.debug("Loaded prompt %s (%d chars)", template_name, len(text))

orchestrator/schemas/campaign.schema.yaml

@@ -84,6 +84,23 @@ properties:
         type: ["string", "null"]
         minLength: 1
         description: "Path to target system git repo. Used by CLIDispatcher for code-access agents. If set, experiments run in isolated worktrees."
+      worktree_extras:
+        type: array
+        items:
+          type: string
+          minLength: 1
+        uniqueItems: true
+        description: >
+          Paths (relative to repo_path) to symlink into each experiment
+          worktree on creation (#229). Use this for gitignored assets
+          the executor needs from main — virtualenvs, pre-fetched data
+          dirs, prior-iteration outputs, build artifacts. Without this
+          mechanism, executors discover that the worktree is missing
+          their tooling and `cd` back to the parent repo, silently
+          breaking isolation. Each entry must be a relative path that
+          resolves under repo_path; absolute paths and ``..`` traversal
+          are rejected at worktree creation. Source must exist in main
+          at the time of worktree creation.
 
   models:
     type: object

orchestrator/schemas/findings.schema.json

@@ -24,6 +24,12 @@
       "minimum": 0,
       "maximum": 100,
       "description": "Percentage of total effect from single dominant component, if detected."
+    },
+    "worktree_uncommitted_writes": {
+      "type": "array",
+      "items": { "type": "string", "minLength": 1 },
+      "uniqueItems": true,
+      "description": "#230 — paths the executor wrote inside the experiment worktree without declaring them in the bundle's `code_changes`. Surfaced just before worktree cleanup; logged at WARNING. Empty array (or absent) means the executor declared everything it wrote, or wrote nothing untracked. The orchestrator does not block cleanup on undeclared writes — this is a tripwire, not a gate."
     }
   },
   "$defs": {