simonovic86
diff --git a/‎cmd/igord/main.go‎
Lines changed: 97 additions & 39 deletions b/‎cmd/igord/main.go‎
Lines changed: 97 additions & 39 deletions
diff --git a/‎docs/governance/ROADMAP.md‎
Lines changed: 43 additions & 42 deletions b/‎docs/governance/ROADMAP.md‎
Lines changed: 43 additions & 42 deletions
diff --git a/‎internal/authority/lease.go‎
Lines changed: 36 additions & 0 deletions b/‎internal/authority/lease.go‎
Lines changed: 36 additions & 0 deletions
@@ -52,6 +52,8 @@ func main() {
 	simSeed := flag.Uint64("seed", 0, "Random seed for deterministic simulation")
 	leaseDuration := flag.Duration("lease-duration", 60*time.Second, "Lease validity period (0 = disabled)")
 	leaseGrace := flag.Duration("lease-grace", 10*time.Second, "Grace period after lease expiry")
+	migrationRetries := flag.Int("migration-retries", 0, "Max retries per migration target (0 = use config default)")
+	migrationRetryDelay := flag.Duration("migration-retry-delay", 0, "Initial backoff delay between migration retries (0 = use config default)")
 	flag.Parse()
 
 	// Checkpoint inspector — standalone, no config/P2P/engine needed
@@ -78,23 +80,8 @@ func main() {
 	}
 
 	// Apply CLI overrides
-	if *replayWindow > 0 {
-		cfg.ReplayWindowSize = *replayWindow
-	}
-	if *verifyInterval > 0 {
-		cfg.VerifyInterval = *verifyInterval
-	}
-	if *replayMode != "" {
-		cfg.ReplayMode = *replayMode
-	}
-	if *replayCostLog {
-		cfg.ReplayCostLog = true
-	}
-	if *replayOnDivergence != "" {
-		cfg.ReplayOnDivergence = *replayOnDivergence
-	}
-	cfg.LeaseDuration = *leaseDuration
-	cfg.LeaseGracePeriod = *leaseGrace
+	applyCLIOverrides(cfg, *replayWindow, *verifyInterval, *replayMode, *replayCostLog,
+		*replayOnDivergence, *leaseDuration, *leaseGrace, *migrationRetries, *migrationRetryDelay)
 
 	// Initialize logging
 	logger := logging.NewLogger()
@@ -276,33 +263,23 @@ func runLocalAgent(
 			return nil
 
 		case <-tickTimer.C:
-			// Pre-tick lease validation (EI-6: safety over liveness)
-			if leaseErr := runner.CheckAndRenewLease(instance, logger); leaseErr != nil {
-				return runner.HandleLeaseExpiry(ctx, instance, leaseErr, logger)
+			result, err := handleTick(ctx, instance, cfg, replayEngine, periodicVerify,
+				&ticksSinceVerify, &lastVerifiedTick, logger)
+			if err != nil {
+				return err
 			}
-
-			hasMoreWork, tickErr := runner.SafeTick(ctx, instance)
-			if tickErr != nil {
-				return runner.HandleTickFailure(ctx, instance, tickErr, logger)
-			}
-
-			// Adaptive tick scheduling: fast-path if agent has more work.
-			if hasMoreWork {
+			switch result {
+			case tickRecovered:
+				tickTimer.Reset(normalTickInterval)
+				continue
+			case tickStopped:
+				return nil
+			case tickFastPath:
 				tickTimer.Reset(minTickInterval)
-			} else {
+			default:
 				tickTimer.Reset(normalTickInterval)
 			}
 
-			ticksSinceVerify++
-			if periodicVerify && cfg.VerifyInterval > 0 && ticksSinceVerify >= cfg.VerifyInterval {
-				ticksSinceVerify = 0
-				var action runner.DivergenceAction
-				lastVerifiedTick, action = runner.VerifyNextTick(ctx, instance, replayEngine, lastVerifiedTick, cfg.ReplayCostLog, cfg.ReplayOnDivergence, logger)
-				if stop := runner.HandleDivergenceAction(ctx, instance, cfg, action, logger); stop {
-					return nil
-				}
-			}
-
 		case <-checkpointTicker.C:
 			// Periodic checkpoint
 			if err := instance.SaveCheckpointToStorage(ctx); err != nil {
@@ -354,6 +331,87 @@ func initLocalAgent(
 	return nil
 }
 
+// tickResult indicates the outcome of a single tick iteration.
+type tickResult int
+
+const (
+	tickNormal    tickResult = iota // Normal tick, use standard interval.
+	tickFastPath                    // Agent has more work, use fast interval.
+	tickRecovered                   // Lease recovered, continue immediately.
+	tickStopped                     // Divergence action requires stopping.
+)
+
+// handleTick processes a single tick: lease check, agent tick, verification.
+func handleTick(
+	ctx context.Context,
+	instance *agent.Instance,
+	cfg *config.Config,
+	replayEngine *replay.Engine,
+	periodicVerify bool,
+	ticksSinceVerify *int,
+	lastVerifiedTick *uint64,
+	logger *slog.Logger,
+) (tickResult, error) {
+	// Pre-tick lease validation (EI-6: safety over liveness)
+	if leaseErr := runner.CheckAndRenewLease(instance, logger); leaseErr != nil {
+		if instance.Lease != nil && instance.Lease.State == authority.StateRecoveryRequired {
+			if recoverErr := runner.AttemptLeaseRecovery(ctx, instance, logger); recoverErr == nil {
+				return tickRecovered, nil
+			}
+		}
+		return tickNormal, runner.HandleLeaseExpiry(ctx, instance, leaseErr, logger)
+	}
+
+	hasMoreWork, tickErr := runner.SafeTick(ctx, instance)
+	if tickErr != nil {
+		return tickNormal, runner.HandleTickFailure(ctx, instance, tickErr, logger)
+	}
+
+	*ticksSinceVerify++
+	if periodicVerify && cfg.VerifyInterval > 0 && *ticksSinceVerify >= cfg.VerifyInterval {
+		*ticksSinceVerify = 0
+		var action runner.DivergenceAction
+		*lastVerifiedTick, action = runner.VerifyNextTick(ctx, instance, replayEngine, *lastVerifiedTick, cfg.ReplayCostLog, cfg.ReplayOnDivergence, logger)
+		if stop := runner.HandleDivergenceAction(ctx, instance, cfg, action, nil, logger); stop {
+			return tickStopped, nil
+		}
+	}
+
+	if hasMoreWork {
+		return tickFastPath, nil
+	}
+	return tickNormal, nil
+}
+
+// applyCLIOverrides applies command-line flag values to the configuration.
+func applyCLIOverrides(cfg *config.Config, replayWindow, verifyInterval int, replayMode string,
+	replayCostLog bool, replayOnDivergence string, leaseDuration, leaseGrace time.Duration,
+	migrationRetries int, migrationRetryDelay time.Duration) {
+	if replayWindow > 0 {
+		cfg.ReplayWindowSize = replayWindow
+	}
+	if verifyInterval > 0 {
+		cfg.VerifyInterval = verifyInterval
+	}
+	if replayMode != "" {
+		cfg.ReplayMode = replayMode
+	}
+	if replayCostLog {
+		cfg.ReplayCostLog = true
+	}
+	if replayOnDivergence != "" {
+		cfg.ReplayOnDivergence = replayOnDivergence
+	}
+	cfg.LeaseDuration = leaseDuration
+	cfg.LeaseGracePeriod = leaseGrace
+	if migrationRetries > 0 {
+		cfg.MigrationMaxRetries = migrationRetries
+	}
+	if migrationRetryDelay > 0 {
+		cfg.MigrationRetryDelay = migrationRetryDelay
+	}
+}
+
 // runInspector parses and displays a checkpoint file.
 func runInspector(checkpointPath, wasmPath string) {
 	result, err := inspector.InspectFile(checkpointPath)
 
@@ -1,8 +1,8 @@
 # Igor v0 Roadmap
 
-## Current Status: Phase 4 In Progress
+## Current Status: Phase 5 In Progress
 
-Igor v0 has completed **Phase 2 (Survival)**, **Phase 3 (Autonomy)**, and started **Phase 4 (Economics)** with Task 10 (Payment Receipt Signing).
+Igor v0 has completed **Phase 2 (Survival)**, **Phase 3 (Autonomy)**, **Phase 4 (Economics)**, and started **Phase 5 (Hardening)** with Tasks 12–14.
 
 ### Completed Tasks
 
@@ -111,67 +111,68 @@ Igor v0 has completed **Phase 2 (Survival)**, **Phase 3 (Autonomy)**, and starte
 
 **Outcome:** Auditable payment trail with hostcall-mediated access. Agents introspect budget and receipts. Receipts signed by node peer key, verified by anyone with the public key.
 
-### Task 11: Node Pricing & Economic Settlement
+### Task 11: Node Pricing & Economic Settlement ✅
 
-**Objective:** Implement economic settlement interface with external payment rails.
+**Status:** Complete. Pricing discovery and settlement infrastructure implemented.
 
-**Scope:**
-- Nodes advertise pricing via libp2p gossip
-- Agents query prices through hostcalls
-- Budget adapter interface (mock + real EVM settlement)
-- Runtime tick gating on budget validity
-
-**Components:**
-- Price advertisement protocol
-- Budget adapter (pluggable: mock, EVM L2/stablecoin)
-- Settlement interface
-- Economic receipt infrastructure
+**Delivered:**
+- Price discovery protocol over libp2p stream `/igor/pricing/1.0.0` (`internal/pricing/`)
+- Budget adapter interface with mock implementation (`internal/settlement/`)
+- Runtime tick gating on budget validity (`internal/agent/instance.go`)
+- Bulk peer price scanning for migration decisions (`internal/pricing/service.go`)
 
-**Outcome:** Agents can survive/die economically with real payment rails.
+**Outcome:** Nodes advertise prices, agents query prices, budget adapters gate execution.
 
 ---
 
 ## Phase 5: Hardening
 
 **Goal:** Production-grade reliability and security.
 
-### Task 12: Lease-Based Authority Epochs
+### Task 12: Lease-Based Authority Epochs ✅
 
-**Objective:** Time-bound execution authority with leases for automated failure detection.
+**Status:** Complete. Lease-based authority with epoch versioning fully implemented.
 
-**Scope:**
-- Lease grant/renewal/expiry integrated with authority state machine
-- Epoch advancement (major version on transfer, lease generation on renewal)
+**Delivered:**
+- Lease grant/renewal/expiry integrated with authority state machine (`internal/authority/`)
+- Epoch advancement: major version on transfer, lease generation on renewal
 - Anti-clone enforcement: expired leases cannot resume ticking
-- Lease metadata in checkpoint
+- Lease metadata in checkpoint format (v0x04)
+- CLI flags: `--lease-duration`, `--lease-grace`
 
 **Specs:** [LEASE_EPOCH.md](../runtime/LEASE_EPOCH.md)
 
 **Outcome:** Automated detection of unresponsive nodes; liveness guarantee on top of existing safety.
 
-### Task 13: Signed Checkpoint Lineage
+### Task 13: Signed Checkpoint Lineage ✅
 
-**Objective:** Cryptographic identity for agents and signed checkpoint chains.
+**Status:** Complete. Agent cryptographic identity and signed checkpoint chains implemented.
 
-**Scope:**
-- Ed25519 agent keypairs
-- Signed checkpoint lineage (each checkpoint signed by agent identity)
-- WASM binary hash verification
-- Checkpoint content-addressed storage (IPFS/CID compatible)
+**Delivered:**
+- Ed25519 agent keypairs with persistent storage (`pkg/identity/`)
+- Signed checkpoint lineage: each checkpoint signed by agent identity (`pkg/lineage/`)
+- WASM binary hash verification in checkpoint header
+- Content hashing for tamper-evident checkpoint chains
+- Checkpoint format v0x04 with prevHash, agentPubKey, signature fields
 
 **Outcome:** Verifiable checkpoint lineage; foundation for trustless operation.
 
-### Task 14: Migration Failure Recovery
+### Task 14: Migration Failure Recovery ✅
 
-**Objective:** Handle migration failures gracefully with lease-aware recovery.
+**Status:** Complete. Robust migration with retry, fallback, and lease-aware recovery.
 
-**Scope:**
-- Retry failed migrations with exponential backoff
-- Lease-aware recovery: expired lease triggers re-election
-- Fallback to alternative nodes
-- Cross-node replay verification for migrated checkpoints
-
-**Outcome:** Robust migration under adverse conditions.
+**Delivered:**
+- Peer registry with health tracking and candidate selection (`internal/registry/`)
+- Retry policy with error classification: retriable, fatal, ambiguous (`internal/migration/retry.go`)
+- Exponential backoff with configurable max attempts and delay
+- `MigrateAgentWithRetry`: orchestrates retry loop with fallback to alternative peers
+- FS-2 safety: ambiguous transfer (sent but no confirmation) enters RECOVERY_REQUIRED, no retry to different target
+- Lease state transitions: `RevertHandoff()` (HANDOFF_INITIATED → ACTIVE_OWNER), `Recover()` (RECOVERY_REQUIRED → ACTIVE_OWNER at epoch major+1)
+- Lease recovery in tick loop: RECOVERY_REQUIRED state auto-recovers
+- `DivergenceMigrate` escalation wired to `MigrateAgentWithRetry`
+- CLI flags: `--migration-retries`, `--migration-retry-delay`
+
+**Outcome:** Robust migration under adverse conditions with single-instance invariant preserved.
 
 ### Task 15: Permissionless Hardening
 
@@ -430,14 +431,14 @@ Phase 2 is **validated** when:
 - No critical bugs remain
 - Documentation is comprehensive
 
-**Status: Phase 2 validated. Phase 3 in progress.**
+**Status: Phase 2 validated. Phase 5 in progress.**
 
 ---
 
 ## Next Immediate Steps
 
-Phase 3 complete. Phase 4 in progress (Task 10 complete). Next:
+Phase 4 complete. Phase 5 in progress (Tasks 12–14 complete). Next:
 
-1. **Task 11: Node Pricing & Economic Settlement** - Price advertisement, budget adapters, settlement interface
-2. **Extended testing** - Run agents with wallet hostcalls under load
+1. **Task 15: Permissionless Hardening** - Sybil resistance, host attestation, anti-withholding
+2. **Extended testing** - Run agents with migration retry under adverse conditions
 3. **Hardening** - Bug fixes, test coverage, documentation accuracy
@@ -160,6 +160,42 @@ func (l *Lease) TransitionToRetired() error {
 	return nil
 }
 
+// RevertHandoff transitions from HANDOFF_INITIATED back to ACTIVE_OWNER.
+// This is used when a migration attempt fails before the transfer was sent
+// and the agent should resume ticking locally.
+//
+// Constitutionally safe: no authority transfer has occurred. The agent never
+// left the source node. Per FS-1 (Migration Continuity): "source crashed
+// before relinquishing → source retains authority."
+func (l *Lease) RevertHandoff() error {
+	if l.State != StateHandoffInitiated {
+		return fmt.Errorf("cannot revert handoff from state %s", l.State)
+	}
+	l.State = StateActiveOwner
+	return nil
+}
+
+// Recover transitions from RECOVERY_REQUIRED to ACTIVE_OWNER with a fresh
+// lease at epoch (currentMajor+1, 0). The major version increment ensures
+// any stale leases from the old epoch are superseded.
+//
+// Preconditions (caller must verify):
+//   - No other node is actively ticking this agent
+//   - The checkpoint lineage has not forked
+//
+// For v0, this is a local operation. In a multi-node network, the caller
+// should verify sole authority before invoking this.
+func (l *Lease) Recover() error {
+	if l.State != StateRecoveryRequired {
+		return fmt.Errorf("cannot recover from state %s", l.State)
+	}
+	l.Epoch.MajorVersion++
+	l.Epoch.LeaseGeneration = 0
+	l.Expiry = l.now().Add(l.config.Duration)
+	l.State = StateActiveOwner
+	return nil
+}
+
 // Config returns the lease configuration.
 func (l *Lease) Config() LeaseConfig {
 	return l.config