feat(ultraplan-local): v1.7.0 — self-verifying plan chain

Wave 1 of a 6-session parallel build revealed three failure modes:
(1) hallucinated completion (status=completed after 2/5 steps, last
tool call was an arbitrary file review), (2) fail-late bash (3/6
sessions had push blocked inside sub-agent sandbox after all work
was done), (3) no objective verification (plans were prose).

v1.7 closes all three by making the plan an executable contract.

Per-step YAML manifest (expected_paths, commit_message_pattern,
bash_syntax_check, forbidden_paths, must_contain) is the objective
completion predicate. Plan-critic dimension 10 (Manifest quality)
is a hard gate. Session decomposer propagates manifests verbatim
and emits an obligatory Step 0 pre-flight (git push --dry-run,
exit 77 sentinel) in every session spec.

ultraexecute-local gets Phase 7.5 (independent manifest audit from
git log + filesystem, ignoring agent bookkeeping) and Phase 7.6
(bounded recovery dispatch, recovery_depth ≤ 2). Hard Rule 17
forbids marking a step passed without manifest verification. Hard
Rule 18 forbids ending on an arbitrary tool call before reporting.

Division of labor is made explicit:
- /ultraresearch-local gathers context (no build decisions)
- /ultraplan-local produces an executable contract (manifests,
  plan-critic gate)
- /ultraexecute-local executes disciplined (does NOT compensate
  for weak plans — escalates)

Code complete. Docs partial (Arbeidsdeling table + manifest section
added to plugin + marketplace READMEs). Verification tests
(10-sequence) pending — see REMEMBER.md.

Backward compat: v1.6 plans without plan_version marker get
legacy mode with synthesized manifests and legacy_plan: true in
progress file. Plan-critic emits advisory, not block.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

plugins/ultraplan-local/agents/planning-orchestrator.md

@@ -186,6 +186,50 @@ Write a comprehensive implementation plan including:
 - Test Strategy (if test-strategist was used)
 - Verification (concrete commands), Estimated Scope
 
+**Plan-version header:** Include `plan_version: 1.7` in the metadata line below
+the title. This signals to ultraexecute-local that the plan includes per-step
+verification manifests and enables strict audit mode. Plans without this
+marker are treated as legacy v1.6 with synthesized minimal manifests.
+
+### Manifest generation rules (REQUIRED for every step)
+
+Every implementation step MUST include a `Manifest:` block as its last field,
+after Checkpoint. The manifest is the objective completion predicate — the
+machine-checkable contract that ultraexecute-local will verify after the
+Verify command passes. A step cannot be marked passed if its manifest does
+not verify.
+
+Derive the manifest fields mechanically from the step's other fields:
+
+- **expected_paths** ← copy the step's `Files:` list verbatim. Each path must
+  either exist in the repo OR be explicitly marked `(new file)` in the step's
+  Changes prose. Do not list paths that neither exist nor are declared new.
+- **min_file_count** ← default to `len(expected_paths)`. Lower only when the
+  step explicitly allows partial creation (rare).
+- **commit_message_pattern** ← regex-escape the fixed parts of the Checkpoint
+  commit message. Preserve Conventional Commit structure. Example:
+  Checkpoint `git commit -m "feat(auth): add JWT middleware"` →
+  pattern `"^feat\\(auth\\):"`. The pattern must compile as a valid regex and
+  must match the declared Checkpoint message.
+- **bash_syntax_check** ← auto-include every `.sh` file appearing in
+  expected_paths. Add other shell scripts the step creates transitively.
+- **forbidden_paths** ← populate from the Execution Strategy's "Never touch"
+  scope-fence for this step's session (when present). Defense-in-depth.
+- **must_contain** ← optional. Add `path + pattern` pairs when the step must
+  produce specific markers in a file (e.g., a new config section, a required
+  export, a migration boundary).
+
+**Validation before writing plan:**
+1. Every `expected_paths` entry is either verifiable (file exists) or marked
+   `(new file)` in prose.
+2. Every `commit_message_pattern` compiles as a regex and matches the declared
+   Checkpoint message when applied to it.
+3. Every `bash_syntax_check` entry has a `.sh` suffix and appears in
+   `expected_paths`.
+4. No `forbidden_paths` overlaps with `expected_paths` (contradiction).
+
+If any validation fails, fix the plan before handing to Phase 6 review.
+
 ### Failure recovery (REQUIRED for every step)
 
 Each implementation step MUST include:
@@ -237,12 +281,19 @@ Create directories if needed.
 Launch two review agents **in parallel**:
 
 - `plan-critic` — find missing steps, wrong ordering, fragile assumptions,
-  missing error handling, scope creep, underspecified steps
+  missing error handling, scope creep, underspecified steps, AND manifest
+  quality (dimension 10: every step has a valid, regex-compilable,
+  path-verified manifest). Missing or invalid manifest = **major** finding.
 - `scope-guardian` — verify plan matches spec requirements, find scope
   creep and scope gaps, validate file/function references
 
 After both complete:
 - Address all blockers and major issues by revising the plan
+- **Manifest quality is a hard gate:** any manifest-related `major` finding
+  must be fixed before the plan can be handed off. This enforces the
+  principle that ultraexecute-local relies on the plan being
+  machine-checkable — a plan without verifiable manifests cannot drive
+  deterministic execution.
 - Add a "Revisions" note at the bottom documenting changes
 
 ### Phase 7 — Completion