Initial release: MCP server enforcing Worker-Reviewer loop

Diligence prevents AI agents from shipping quick fixes that break things
by enforcing a research-propose-verify loop before any code changes.

Key features:
- Worker sub-agent researches and proposes with file:line citations
- Reviewer sub-agent independently verifies claims by searching codebase
- Iterates until approved (max 5 rounds)
- Loads project-specific context from .claude/CODEBASE_CONTEXT.md
- State persisted across sessions

Validated on production codebase: caught architectural mistake (broker
subscriptions on client-side code) that naive agent would have shipped.

test/scenarios/permission-cache.json

@@ -0,0 +1,81 @@
+{
+  "id": "permission-cache",
+  "name": "Permission Cache Invalidation Bug",
+  "description": "Fix permission cache not invalidating when roles change",
+
+  "task": "Fix: permission cache doesn't invalidate when user roles change. Users see stale permissions for hours after their roles are updated.",
+
+  "naive_fix": {
+    "description": "Add .clear() call somewhere",
+    "changes": [
+      {
+        "file": "src/services/team.service.ts",
+        "function": "somewhere",
+        "change": "Call memoizedPermissions.clear()"
+      }
+    ],
+    "issues": [
+      "Doesn't identify WHEN cache should clear",
+      "Missing BusTeamRoleChange subscription",
+      "Missing BusTeamMemberRoleChange subscription",
+      "Doesn't fix roles.controller.ts missing broker events"
+    ]
+  },
+
+  "correct_fix": {
+    "description": "Subscribe to all role-related broker events",
+    "required_changes": [
+      {
+        "file": "src/services/team.service.ts",
+        "function": "constructor",
+        "change": "Subscribe to BusTeamRoleChange, clear cache on event",
+        "line_reference": "line 30"
+      },
+      {
+        "file": "src/services/team.service.ts",
+        "function": "constructor",
+        "change": "Subscribe to BusTeamMemberRoleChange, clear cache on event",
+        "line_reference": "line 30"
+      },
+      {
+        "file": "src/controllers/roles.controller.ts",
+        "function": "createRole",
+        "change": "Emit BusTeamRoleChange event after creating role",
+        "line_reference": "line 22"
+      },
+      {
+        "file": "src/controllers/roles.controller.ts",
+        "function": "deleteRole",
+        "change": "Emit BusTeamRoleChange event before deleting role",
+        "line_reference": "line 62"
+      }
+    ],
+    "required_broker_subscriptions": [
+      {
+        "service": "team.service.ts",
+        "event": "BusTeamRoleChange",
+        "action": "Clear permission cache"
+      },
+      {
+        "service": "team.service.ts",
+        "event": "BusTeamMemberRoleChange",
+        "action": "Clear permission cache"
+      }
+    ],
+    "pattern_references": [
+      "roles.controller.ts:updateRole - shows correct broker event emission"
+    ]
+  },
+
+  "validation_criteria": {
+    "must_mention": [
+      "BusTeamRoleChange",
+      "BusTeamMemberRoleChange",
+      "createRole",
+      "deleteRole",
+      "team.service"
+    ],
+    "must_identify_root_cause": "Cache only clears on team switch, not role changes",
+    "should_reference_pattern": "roles.controller.ts:updateRole"
+  }
+}