feat: implement 401 Unauthorized handling across all agent roles and update agent guide with escalation policy

Author: aalmada

.github/agents/backend-developer.agent.md

@@ -29,15 +29,29 @@ You are the **Backend Developer** for the BookStore project. You implement event
    - Projections (single-stream for per-aggregate reads, multi-stream for cross-aggregate views)
    - `MartenCommitListener` SSE notification entries for every mutating event
    - `HybridCache` tag invalidation via `RemoveByTagAsync` after every mutation
-4. **Run `dotnet build`** after all changes and fix any compilation errors before proceeding.
+4. **Do not implement tests** — all test implementation is owned by the **TestEngineer** agent.
+5. **Run `dotnet build`** after all changes and fix any compilation errors before proceeding.
 5. **Write to `/memories/session/backend-output.md`** using `vscode/memory`:
    - Files created / modified (full paths)
    - Aggregates and events defined
    - Endpoints registered (HTTP method + path)
    - Cache tags used
    - SSE event names emitted
+  - **Testing Required**: explicit test scenarios the TestEngineer must implement (unit/integration), including expected behaviour and important edge cases
    - Any deviations from the plan (with reasons)
 
+Use this output structure in memory:
+
+```
+## Implementation Summary
+## Files Created / Modified
+## Backend Behaviour Implemented
+## Testing Required
+- <scenario>
+- <scenario>
+## Deviations
+```
+
 ## BookStore Code Rules (MUST follow)
 
 ```
@@ -66,3 +80,9 @@ Before implementing, read the relevant skill file for patterns and templates:
 - ❌ Missing SSE notification for a new event — add an entry to `MartenCommitListener`
 - ❌ Missing cache invalidation after a mutation — call `RemoveByTagAsync` with the right tag
 - ❌ Using `Guid.NewGuid()` — always `Guid.CreateVersion7()`
+
+## Authentication Failure Protocol
+
+- If you receive a `401 Unauthorized` from any tool/service, stop work immediately.
+- Inform the **Orchestrator** that backend implementation is blocked by authentication.
+- Do not continue implementation until the Orchestrator re-delegates the task.

.github/agents/code-reviewer.agent.md

@@ -106,3 +106,4 @@ You are the **Code Reviewer** for the BookStore project. You review all changes
   - **Critical** — security vulnerability or data corruption risk; blocks merge
   - **Major** — violates a MUST rule from `AGENTS.md`; blocks merge
   - **Minor** — style, naming, or non-blocking convention issue; comment only
+- If you receive a `401 Unauthorized` from any tool/service, stop the review immediately and inform the **Orchestrator** that review is blocked by authentication.

.github/agents/frontend-developer.agent.md

@@ -33,15 +33,29 @@ You are the **Frontend Developer** for the BookStore project. You implement Blaz
    - Subscribe to SSE events using the notification service pattern (`docs/guides/real-time-notifications.md`)
    - Invalidate `HybridCache` tags after mutations using `RemoveByTagAsync`
    - Apply optimistic UI updates where the plan specifies them
-4. **Run `dotnet build`** after all changes and fix any compilation errors before proceeding.
+4. **Do not implement tests** — all test implementation is owned by the **TestEngineer** agent.
+5. **Run `dotnet build`** after all changes and fix any compilation errors before proceeding.
 5. **Write to `/memories/session/frontend-output.md`** using `vscode/memory`:
    - Files created / modified (full paths)
    - Pages and components added
    - SSE event names subscribed to
    - Cache tags invalidated
    - API client methods called
+  - **Testing Required**: explicit test scenarios the TestEngineer must implement (component/integration/E2E), including expected behaviour and UX edge cases
    - Any deviations from the plan (with reasons)
 
+Use this output structure in memory:
+
+```
+## Implementation Summary
+## Files Created / Modified
+## Frontend Behaviour Implemented
+## Testing Required
+- <scenario>
+- <scenario>
+## Deviations
+```
+
 ## BookStore Code Rules (MUST follow)
 
 ```
@@ -66,3 +80,9 @@ Before implementing, read the relevant skill file for patterns and templates:
 - ❌ Missing cache invalidation after a mutation — call `RemoveByTagAsync` after successful API call
 - ❌ Calling `HttpClient` directly — always go through `IBookStoreClient`
 - ❌ Using `Task.Delay` for UI timing — use event-driven updates via SSE instead
+
+## Authentication Failure Protocol
+
+- If you receive a `401 Unauthorized` from any tool/service, stop work immediately.
+- Inform the **Orchestrator** that frontend implementation is blocked by authentication.
+- Do not continue implementation until the Orchestrator re-delegates the task.

.github/agents/orchestrator.agent.md

@@ -54,7 +54,13 @@ You are the **Orchestrator** for the BookStore agent team. Your **only** respons
    - Then **TestEngineer** (step 3)
    - Finally **CodeReviewer** (step 4)
 
-4. **Report outcome** — after the Code Reviewer writes `/memories/session/review.md`, read that file and present the final status to the user.
+4. **Handle 401 escalations from specialists**:
+  - If any specialist reports a `401 Unauthorized`, stop the active orchestration flow immediately
+  - Inform the user that orchestration is paused due to authentication failure
+  - Do not continue to the next handoff while the 401 condition is active
+  - Retry later by re-delegating to the same specialist with the same handoff intent once authentication is expected to be valid
+
+5. **Report outcome** — after the Code Reviewer writes `/memories/session/review.md`, read that file and present the final status to the user.
 
 ## Rules
 
@@ -63,3 +69,4 @@ You are the **Orchestrator** for the BookStore agent team. Your **only** respons
 - Do **NOT** override or second-guess the Planner's plan
 - Do **NOT** modify other agents' memory output files
 - Always ask the user for clarification if requirements are vague
+- Treat any specialist-reported `401 Unauthorized` as a hard pause signal until retry

.github/agents/planner.agent.md

@@ -71,3 +71,4 @@ You are the **Planner** for the BookStore project. You research the codebase and
 - Every plan step must note which BookStore code rule applies (from `AGENTS.md`)
 - Do **NOT** implement anything — only plan
 - Surface all blockers and open questions in the plan rather than making assumptions
+- If you receive a `401 Unauthorized` from any tool/service, stop immediately and inform the **Orchestrator** that planning is blocked by authentication; do not continue until re-delegated.

.github/agents/test-engineer.agent.md

@@ -28,9 +28,12 @@ You are the **Test Engineer** for the BookStore project. You write and run TUnit
    - `/memories/session/plan.md` — what was planned (test cases are listed there)
    - `/memories/session/backend-output.md` — what the Backend Developer implemented
    - `/memories/session/frontend-output.md` — what the Frontend Developer implemented
+   - In both implementation outputs, read the **`## Testing Required`** section and treat those scenarios as mandatory coverage.
 
 2. **Write tests** covering every new behaviour:
 
+   - The union of: plan test steps + backend `## Testing Required` + frontend `## Testing Required` is the minimum required test scope.
+
    ### Unit Tests — `tests/BookStore.ApiService.UnitTests/`
    - Aggregate state transitions (apply events → verify state)
    - Validation logic (valid and invalid inputs)
@@ -98,3 +101,9 @@ dotnet test -- --maximum-parallel-tests 4
 - ❌ Not verifying SSE events on mutating tests — use `ExecuteAndWaitForEventAsync`
 - ❌ Sharing data between tests — create all data fresh inside each `[Test]` method
 - ❌ Using `Guid.NewGuid()` for test IDs — always `Guid.CreateVersion7()`
+
+## Authentication Failure Protocol
+
+- If you receive a `401 Unauthorized` from any tool/service, stop work immediately.
+- Inform the **Orchestrator** that test execution is blocked by authentication.
+- Do not continue testing until the Orchestrator re-delegates the task.

.github/agents/ui-ux-designer.agent.md

@@ -91,3 +91,4 @@ You are the **UI/UX Designer** for the BookStore project. You analyse the implem
 - Do **NOT** invent backend APIs — reference only what the Planner has specified
 - Do **NOT** override or second-guess the Planner's functional plan
 - Always align with existing BookStore UI patterns before proposing something new
+- If you receive a `401 Unauthorized` from any tool/service, stop immediately and inform the **Orchestrator** that design work is blocked by authentication.

docs/guides/agent-guide.md

@@ -314,6 +314,16 @@ The Orchestrator has `disable-model-invocation: true` — it **cannot** reason a
 
 This ensures the Orchestrator acts as a pure coordinator and never contaminates the specialist agents' technical judgment.
 
+### 401 Escalation Policy
+
+All specialist agents must treat `401 Unauthorized` as a hard stop:
+
+1. Stop current work immediately.
+2. Inform the **Orchestrator** that work is blocked by authentication.
+3. Wait for re-delegation.
+
+When the Orchestrator receives a 401 escalation, it must pause the workflow, notify the user, and retry later by delegating the same step back to the appropriate specialist agent.
+
 ### Handoff Chain
 
 ```