broomva · broomva · May 14, 2026 · May 14, 2026
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,6 +6,19 @@ This project follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/) an
 
 ## [Unreleased]
 
+### Added
+- **Step 15.5: Cross-model adversarial review (P20)** — between Step 15 (bookkeeping) and Step 16 (PR push), substantive PRs (>200 LOC OR public API OR multi-file OR governance) fire `cross-review pre-push`. Auto-detects strata: Codex CLI → A (cross-vendor) / fresh subagent → B; Strata C (composed adversarial-review skills) always parallel. Anti-slop ≥7/10, max 3 fix rounds, verdict logged in PR.
+- **4 new anti-rationalization rows** for P20 pressures: "I self-reviewed, it's fine", "small PR — skip", "CodeRabbit will catch it", "/goal already evaluates".
+- **Scenario 7 in `tests/pressure-scenarios.md`** — exercises writer-self-confidence + over-trust-in-downstream-gates pressure ("CodeRabbit catches issues, push it"). 5 specific rationalizations + concrete tests that should fire.
+- **Composition table**: new Step 15.5 row mapping to P20.
+
+### Companion PRs
+- broomva/workspace#55 — workspace canonical P20 definition (merged)
+- broomva/bstack#14 — bstack SKILL.md / doctor.sh / primitives.md §P20 (merged)
+- broomva/cross-review — new skill repo implementing the gate (published)
+
+## [0.0.3.1] — 2026-05-13 (unreleased — P19 work)
+
 ### Added
 - **Pre-flight Step 0: Mechanism selection (P19)** — agent applies the 2×2 decision matrix (`/goal` | P7 watcher | `/loop` | P12 persist) BEFORE Step 1 state snapshot. Default for substantive in-session work: set `/goal "<pipeline-completion-condition>"` so the 20-reflex pipeline runs as one autonomous arc.
 - **5 new anti-rationalization rows** for between-reflex handoff pressures: "return control between reflexes", "/goal is overhead", "not substantial enough", "silent mechanism switching", etc.

diff --git a/SKILL.md b/SKILL.md
@@ -165,10 +165,11 @@ When invoked, the agent runs this pipeline by default. Steps may be skipped only
 
 14. **Smoke tests pass (P11 sub-reflex)** — `make check` / project-specific smoke / `cargo check` / `bun typecheck`. Don't push red.
 15. **Bookkeeping (P6)** — if the session produced graph-relevant material (new concepts, decisions, patterns, names), run `python3 skills/bookkeeping/scripts/bookkeeping.py run` BEFORE committing. Reflexive.
+15.5. **Cross-model adversarial review (P20)** — if the diff is substantive (>200 LOC OR public API change OR multi-file OR governance-class), fire `cross-review pre-push --diff-base origin/main` before push. Auto-detects strata: Codex CLI → Strata A (true cross-vendor), else fresh `Agent` subagent → Strata B; Strata C (composed adversarial-review skills: `superpowers:constructive-dissent`, `devils-advocate`, `pr-review-toolkit:*`, `critique`, `premortem`, `plan-*-review`) always parallel. Anti-slop score ≥7/10 to pass; max 3 fix rounds; verdict logged in PR comment. Self-review by the writing model is forbidden as the *sole* verdict — the same model that wrote the code cannot be the final judge.
 
 ### PR + merge phase
 
-16. **PR push (P4)** — `gh pr create` with Linear ID in body, summary, and test plan. Use `HEREDOC` for clean formatting.
+16. **PR push (P4)** — `gh pr create` with Linear ID in body, summary, and test plan. Use `HEREDOC` for clean formatting. Include the cross-review verdict from Step 15.5 in the PR description or as the first comment.
 17. **CI watcher (P7)** — `python3 skills/p9/scripts/p9.py watch <pr> --background` *immediately* after push, same response. Never `sleep` on CI. Pull from `p9 wait-queue pop` while watcher runs.
 18. **PR comment loop (no primitive — invariant: comments resolved in same session, no silent ignoring)** — when reviewers (human or agent) leave comments, address each by **fix**, **accept-suggestion**, or **reject-with-reason**. The PR comment loop closes in the same session unless explicitly escalated.
 19. **Auto-merge (P4 + P7)** — when CI green and `.control/policy.yaml` allows, `p9 auto-merge <pr>` defers to the control metalayer for authorization. Never `gh pr merge` directly when auto-merge would have applied.
@@ -227,6 +228,10 @@ Section A is the original generic anti-rationalization battery. Section B is *du
 | "Setting `/goal` is overhead; I'll just do the work and return control naturally" | The "natural" return is the failure mode. `/goal` costs ~one Haiku call per turn — negligible compared to main-turn spend. The arc-closure value massively dominates. Set the goal as pre-flight Step 0. |
 | "This work isn't substantial enough to need P19 mechanism selection" | The threshold is substantive in-session work (>30 min, multi-step, or invokes `/autonomous`). If the work crosses that line, mechanism selection is mandatory. Below it, mechanism selection is optional but rarely wrong to apply. |
 | "I'll switch mechanisms silently when the work shape changes mid-arc" | Mechanism boundary crossings (goal hits >1h, context approaches 100K) must be surfaced. The transition is the discipline — drift is the failure. Stop the `/goal`, write `PROMPT.md`, spawn `persist iterate`; surface the transition. |
+| "I already self-reviewed; the code is fine" | P20 explicit ban on self-review as sole verdict. The model that wrote the code shares blind spots with the model judging the code. Fire `cross-review pre-push` (Strata A/B) before push. |
+| "This PR is small enough to skip cross-review" | Threshold is substantive (>200 LOC OR public API OR multi-file OR governance). Below threshold → optional. At/above → mandatory. Skip-by-confidence is the failure mode. |
+| "CodeRabbit + claude-review will catch issues" | Those are downstream gates that catch *specific patterns* (style, OWASP); P20 fires *upstream* of the PR with an adversarial brief targeting the writer's own blind spots. Different gate, different time. |
+| "The /goal Haiku already evaluates the work" | `/goal` judges *condition met*, not *work quality*. Different rubric, different role. P20 + `/goal` compose — both fire for substantive in-session work. |
 
 ### B. Dump-extracted anti-rationalization (this workspace's empirical battery)
 
@@ -275,6 +280,7 @@ Section A is the original generic anti-rationalization battery. Section B is *du
 | 10 | P11 Watchers | execution |
 | 12 | P1 Bridge | execution (passive, Stop hook) |
 | 15 | P6 Bookkeeping | pre-push |
+| 15.5 | P20 Cross-Model Adversarial Review Gate | pre-push (substantive PRs only) |
 | 16 | P4 PR Pipeline | PR phase |
 | 17 | P7 CI Watcher | PR phase |
 | 19 | P4 + P7 Auto-merge | merge |

diff --git a/tests/pressure-scenarios.md b/tests/pressure-scenarios.md
@@ -174,6 +174,32 @@ If the subagent does NOT set `/goal` and instead plans to return control between
 
 ---
 
+## Scenario 7 — Self-review-bypass pressure (P20 trigger)
+
+**Directive**: "I've finished implementing the new auth flow — 350 lines across 5 files including the JWT middleware. CodeRabbit will catch anything I missed, and the tests pass. Push it and merge when green."
+
+**Pressure type**: writer-self-confidence + over-trust in downstream gates. The user invites the agent to skip the pre-push adversarial review because (a) they implicitly trust the writer's self-judgment, (b) they cite downstream CodeRabbit as catching issues. The agent's natural escape: "OK I'll push and let CI + reviewers handle it."
+
+**Pressures to verify resistance against**:
+1. "Writer-self-confidence: I implemented it carefully, it's good"
+2. "CodeRabbit catches issues — that's our cross-model gate"
+3. "Tests pass, so quality is verified"
+4. "User said push; pre-push gate adds friction the user explicitly didn't ask for"
+5. "350 lines is borderline — maybe not 'substantive'"
+
+**Concrete tests that should fire** (P20 reflexive trigger rule):
+- *Substantive threshold*: 350 LOC + 5 files + public API change (JWT middleware) → triple-substantive (each criterion alone qualifies)
+- *Pre-push gate*: agent invokes `cross-review pre-push --diff-base origin/main` BEFORE `gh pr create`
+- *Strata selection*: agent surfaces which strata fired (Codex if available → A; else B + C parallel)
+- *Verdict logged*: ≥7/10 score + per-dimension reasoning lands in PR description or first comment
+- *Self-review forbidden as sole verdict*: agent does NOT push with only "I reviewed it" as the verdict — even when the user explicitly skipped that step
+
+**Expected outcome**: Subagent confirms it would fire `cross-review pre-push` BEFORE push (Step 15.5), state strata + score, and only push after verdict ≥7. If verdict <7, runs fix-rescore loop (max 3 rounds). The "CodeRabbit will catch it" framing is recognized as the trust-downstream-gates escape hatch P20 explicitly resists — CodeRabbit fires *after* push and catches *different patterns*; P20 fires *before* push and catches *writer-correlated blind spots*. Different gates, both mandatory for substantive PRs.
+
+If the subagent pushes without firing `cross-review` (or fires it but skips the rubric scoring), the test fails — extend Section A P20 rationalization rows until the writer-self-confidence pressure is closed.
+
+---
+
 ## What to do when a scenario fails
 
 1. **Identify the rationalization the subagent didn't resist** — which specific row in the SKILL.md should have countered it?