This is the kind of boring architecture I trust more.\n\nThe one extra layer I would add is loop dedupe. If the agent hits the same blocker, same file boundary, or same failed verification pattern again, it should not be allowed to politely keep trying forever.\n\nThe runtime should force one of three outcomes at that point: refresh state, ask for review, or stop with a receipt.\n\nThat is the part people miss when they focus only on roles and prompts. A lot of waste comes after the first bad step, not during it. We built MartinLoop around that exact control layer because the expensive failures kept looking more like repeated uncertainty than dramatic breakage.