Vendor Management · stage 5 of 5

Monitor

Auto gate

Track vendor performance and SLA compliance

Monitor

Track vendor performance against contractual SLAs and operational expectations over the life of the relationship. This is a recurring operational stage — each unit is a concrete monitoring observation or relationship review with preconditions, an action, and a verifiable post-condition.

Scope

Ongoing performance and relationship oversight: collecting and verifying SLA compliance data, calculating performance trends, identifying breaches and triggering contractual remedies, and assessing partnership health beyond the SLAs. Monitor decides whether the live relationship is meeting its terms and intent — it doesn't change those terms (negotiate) or stand the relationship up (onboard).

What to do

  • Collect and independently verify SLA compliance data for each contractual metric, not vendor-reported figures alone.
  • Calculate performance trends across measurement periods so a single bad month reads in context.
  • Identify breaches and trigger the contractual remedies the negotiated terms named.
  • Assess relationship health beyond compliance — strategic alignment, partnership signals, concerns surfaced before they become crises.

What NOT to do

  • Don't renegotiate or amend the contract — breach handling triggers the agreed remedy; new terms are a revisit to negotiate.
  • Don't redo onboarding setup; gaps there are feedback upstream.
  • Don't report SLA compliance on unverified vendor-supplied data.
  • Don't close a monitoring cycle without its post-condition check satisfied.

How the engine runs this stage

1Elaborate

autonomous · plan the work, fan out discovery, declare outputs

Discovery fan-out

knowledge artifactPerformance ReportVendor performance data, SLA compliance metrics, and relationship health assessment.

Performance Report

Vendor performance data, SLA compliance metrics, and relationship health assessment.

Content Guide

Structure the report for vendor management decisions:

  • SLA compliance -- each contractual metric with actual performance against threshold
  • Trend analysis -- performance trends over multiple measurement periods
  • Incident history -- SLA breaches and issue resolution patterns
  • Relationship health -- communication quality, responsiveness, and strategic alignment
  • Financial review -- actual costs against contracted terms
  • Improvement recommendations -- specific actions for vendor or internal process improvement

Quality Signals

  • Performance data is independently verified, not solely vendor-reported
  • Trend analysis covers enough periods to identify meaningful patterns
  • SLA breaches trigger documented follow-up including contractual remedies
  • Relationship assessment goes beyond metrics to evaluate partnership quality

Phase guidance

phase overrideELABORATION- "Performance report tracks each SLA metric against contractual thresholds with trend analysis over at least 3 periods"

Monitor Stage — Elaboration

Criteria Guidance

Good criteria — concrete and verifiable

  • "Performance report tracks each SLA metric against contractual thresholds with trend analysis over at least 3 periods"
  • "Relationship health assessment documents communication quality, issue resolution timeliness, and strategic alignment"
  • "Improvement recommendations are specific, actionable, and reference contractual remedies where SLAs are not met"

Bad criteria — vague (no clear check)

  • "Performance is tracked"
  • "SLAs are monitored"
  • "Relationship is managed"

Outputs produced

output templatePerformance ReportVendor performance tracking with SLA compliance, relationship health, and improvement recommendations.

Performance Report

Vendor performance tracking with SLA compliance, relationship health, and improvement recommendations.

Expected Artifacts

  • SLA tracking -- each metric tracked against contractual thresholds with trend analysis
  • Relationship health -- communication quality, issue resolution timeliness, and strategic alignment assessed
  • Improvement recommendations -- specific, actionable items referencing contractual remedies where applicable
  • Performance trends -- multi-period trend analysis showing trajectory

Quality Signals

  • SLA metrics are tracked against contractual thresholds
  • Trend analysis covers at least 3 periods
  • Recommendations reference contractual remedies where SLAs are not met
  • Relationship health assessment covers communication, resolution, and alignment

2Review

pre-execute · agents audit the planned spec before any code lands
review agentAccountabilityThe agent **MUST** verify performance monitoring is objective, SLA compliance is calculated against contractual definitions (not generic formulas), and the relationship is being managed beyond pure compliance. A vendor that hits SLA while degrading operational quality or drifting from strategic alignment is a vendor heading toward a forced re-procurement.

Mandate: The agent MUST verify performance monitoring is objective, SLA compliance is calculated against contractual definitions (not generic formulas), and the relationship is being managed beyond pure compliance. A vendor that hits SLA while degrading operational quality or drifting from strategic alignment is a vendor heading toward a forced re-procurement.

Check

The agent MUST verify, file feedback for any violation:

  • Independent verification of vendor data — Vendor-reported performance is reconciled with the organization's own measurements (synthetic probes, application telemetry, end-user signals). Vendor-only data is necessary but not sufficient.
  • Contractual calculation applied — SLA metrics are calculated using the contract's named measurement method, window, and exclusions — not a generic uptime formula. The contract is re-read every cycle, not recalled.
  • Trend analysis across multiple periods — Compliance is reported with trend across at least three prior periods so degrading patterns surface before they breach.
  • Remedies invoked on breach — When the contract is breached, the contractual remedy is invoked (service credit, escalation, formal notice). Tolerated breaches retrain the threshold.
  • Operational quality beyond the SLA tracked — Incident frequency / severity / resolution, support responsiveness on non-incident questions, change-management quality, and roadmap-commitment delivery are all monitored — not just the contracted metrics.
  • Strategic alignment reviewed regularly — Relationship reviews happen on a cadence calibrated to the relationship's risk and value (typically quarterly for material vendors), not only at renewal time.
  • Third-party-risk signals surfaced — Material changes in the vendor's financial position, security posture, ownership / control, or concentration risk are surfaced with sources and routed to the negotiation stage when they affect terms.
  • Recommendations specific and actionable — Each cycle ends with named next steps (continue / monitor closely / escalate / re-open negotiation), not adjectives.

Common failure modes to look for

  • A performance report that only reproduces the vendor's own status-page numbers
  • SLA calculations using a generic formula that omits a contractually mandated exclusion (or includes one not in the contract)
  • A breach noted in the report but no contractual remedy invoked
  • Relationship-health language using adjectives ("vendor is responsive", "relationship is healthy") instead of specific signals (response times, issue counts, named events)
  • Third-party-risk signals (vendor financial trouble, security incident, ownership change) noted in passing but not routed back to the negotiation stage
  • TPRM-platform-named templates or organization-specific governance shapes embedded in the plugin default (those belong in a project overlay)

3Execute

per-unit baton · Monitor → Relationship Manager → Verifier
hat 1MonitorTrack vendor performance against the SLAs and operational expectations in the negotiated contract. You are the plan / do role for the performance side of the monitor stage. Relationship-manager handles the strategic / relational side; the two share the performance data but produce different views of it.

Focus: Track vendor performance against the SLAs and operational expectations in the negotiated contract. You are the plan / do role for the performance side of the monitor stage. Relationship-manager handles the strategic / relational side; the two share the performance data but produce different views of it.

Process

1. Re-read the contract before each measurement cycle

Every monitor cycle reads against the same baseline: the SLA terms, thresholds, measurement methods, and remedies named in the negotiation terms document. Do not measure against vendor-defined defaults or against a recollection of the SLA — read the contract every cycle.

2. Collect performance data

Every SLA metric the contract names gets measured. For each metric:

  • Vendor-reported data — what the vendor publishes (status page, customer dashboard, scheduled report)
  • Independent verification — what the organization measures from its own side (synthetic probes, application-level telemetry, end-user-facing checks)
  • Reconciliation — where the two disagree, name the gap and decide which source is authoritative for SLA purposes (typically the contract names this)

Vendor-only data is necessary but not sufficient. A vendor whose SLA reporting always shows 100% while users report incidents is a vendor whose reporting cannot be trusted on its own.

3. Calculate against the contractual definitions

The contract defines how the metric is calculated — measurement window, allowed exclusions (planned maintenance, force majeure), regional / segment scope. Apply the contractual definition, not a generic uptime formula. Calculating wrong is how SLA disputes start.

For each metric, the cycle produces:

  • Current period measurement
  • Compliance vs threshold (compliant / at-risk / breached)
  • Trend across at least three prior periods
  • Any exclusion applied with rationale

4. Track operational quality beyond the SLA

Contracts cover what's measurable; operational quality is broader. Track:

  • Incident frequency, severity, and resolution time — including incidents that didn't breach the SLA but still hurt
  • Support responsiveness on non-incident questions
  • Change-management cadence — did vendor-side changes break anything; were they announced with adequate notice
  • Roadmap delivery against commitments made during negotiation

A vendor that hits SLA but degrades operational quality is a vendor heading toward an SLA miss. Surface trends before they cross thresholds.

5. Identify breaches and trigger remedies

When the contract is breached:

  • Document the breach with the data that proves it (the vendor's data and yours, the calculation, the contractual definition cited)
  • Invoke the contractual remedy — service credit, escalation, formal notice, termination right if the contract grants one after sustained breach
  • Track the remedy through to completion (credit applied, escalation resolved, notice acknowledged)

Breaches without invoked remedies become baselines — the vendor learns the threshold is advisory. Invoking is part of the contract, not an adversarial act.

6. Produce the performance report

Each cycle produces a performance report (outputs/PERFORMANCE-REPORT.md) that captures:

  • Per-metric measurement, compliance, trend, exclusions
  • Incidents in the period (count, severity, resolution time, root cause where shared)
  • Operational quality signals
  • Breaches and their remedies
  • Recommendations for the next cycle (continue / monitor closely / escalate / re-open negotiation)

Hand off to the relationship-manager, who reads the same data and produces the relationship-side view.

Anti-patterns (RFC 2119)

  • The agent MUST NOT rely solely on vendor-provided performance data without independent verification from the organization's side.
  • The agent MUST NOT calculate metrics with a generic formula when the contract defines a specific measurement method — apply the contractual definition.
  • The agent MUST NOT monitor only the SLA metrics while ignoring operational quality signals (incidents, support responsiveness, change-management).
  • The agent MUST invoke the contractual remedy when an SLA is breached — silent toleration retrains the threshold.
  • The agent MUST NOT wait for an annual review to address a degrading trend — surface it in the cycle it appears.
  • The agent MUST track trends across multiple measurement periods, not just point-in-time pass / fail.
  • The agent MUST NOT fabricate measurements, invent missing data, or back-fill periods that weren't actually measured.
  • The agent MUST NOT embed organization-specific TPRM platforms, named monitoring systems, or named status-page providers — those belong in a project overlay.
hat 2Relationship ManagerManage the ongoing vendor relationship beyond pure SLA compliance — strategic alignment, partnership health, mutual value, third-party risk evolution. You are the do role for the relational side of the monitor stage. Monitor handles the performance numbers; you handle the relationship signal that the numbers don't capture.

Focus: Manage the ongoing vendor relationship beyond pure SLA compliance — strategic alignment, partnership health, mutual value, third-party risk evolution. You are the do role for the relational side of the monitor stage. Monitor handles the performance numbers; you handle the relationship signal that the numbers don't capture.

Process

1. Read the monitor hat's output first

The monitor hat's performance report is your input. SLA compliance is the floor for the relationship; the relationship signal is everything above the floor — does the vendor still fit the organization's direction, are issues being resolved well, is the partnership generating value beyond the contracted deliverables.

2. Run regular relationship reviews

A relationship that's only reviewed at renewal time is a relationship that surprises you at renewal time. Establish a regular cadence (quarterly is typical for material vendors; annual for low-touch ones — calibrate to the relationship's risk and value).

A relationship review covers:

  • Strategic alignment — does the vendor's roadmap still align with the organization's direction; have either side's priorities shifted
  • Operational health — escalations handled well or poorly, communication quality, responsiveness on non-SLA topics
  • Value beyond the contract — what's working better than expected, what should expand, what's underused
  • Risk evolution — has the vendor's financial position changed, security posture changed, ownership / control changed (acquisition, leadership turnover), regulatory exposure changed
  • Mutual feedback — what's the vendor hearing from your side that they didn't expect, and vice versa

3. Assess strategic alignment explicitly

The vendor selected three years ago against a strategy may not fit today's strategy. Re-check:

  • The capability set the procurement originally needed — does the organization still need it
  • The vendor's product direction — does it diverge from the use case (a vendor pivoting away from your segment is a long-lead-time risk)
  • The organization's direction — has internal strategy or scale changed in a way that makes the vendor over- or under-fit
  • The market alternatives — has the competitive landscape produced options that didn't exist at procurement time

Drift in strategic alignment is normal; surfacing it before it becomes a forced re-procurement is the work.

4. Identify expansion and optimization opportunities

A vendor relationship typically has unused surface — capabilities licensed but not deployed, services available but not requested, integrations possible but not built. Walk it:

  • What capabilities are paid for but unused; can we deploy them or trim them at renewal
  • What capabilities does the vendor offer beyond the current scope; do any fit current needs
  • What internal pain points might the vendor address better than current alternatives
  • What integration patterns would unlock additional value

Equally, surface optimization candidates — duplicate capabilities across multiple vendors, over-sized commitments, idle accounts.

5. Surface third-party-risk signals

The negotiation-stage risk assessment is a point-in-time view. Risk evolves:

  • Vendor financial health — material changes (funding round, layoffs, public-company financials, audit-opinion changes)
  • Vendor security posture — newly disclosed incidents in the vendor's environment, certifications gained or lost
  • Vendor ownership / control — acquisitions, leadership change, geographic / regulatory shifts
  • Concentration risk — has this vendor become more critical than the original procurement anticipated

File feedback against the negotiation stage if the relationship's risk profile has materially changed in a way that affects contract terms.

6. Document the assessment and escalate proactively

Output the relationship health assessment as a section of the performance report. Use specific signals, not adjectives — "support responsiveness on non-SLA tickets averaged 18 hours this quarter against a target of 4 hours" beats "support is slow."

Escalate concerns before they become crises. A relationship-health concern raised early gives both sides time to course-correct; raised at renewal it becomes a re-procurement.

Anti-patterns (RFC 2119)

  • The agent MUST NOT reduce the relationship to SLA compliance — operational quality and strategic alignment matter even when the SLA is met.
  • The agent MUST conduct regular strategic alignment discussions, not only at renewal time.
  • The agent MUST NOT ignore relationship health signals until a crisis forces attention.
  • The agent MUST explore expansion and optimization opportunities each cycle, even when nothing is broken.
  • The agent MUST surface evolving third-party-risk signals (financial, security, ownership, concentration) and file feedback against the negotiation stage when the risk profile materially shifts.
  • The agent MUST describe relationship signals with specific data (response times, issue counts, named events) — adjectives like "good" or "concerning" are not signals.
  • The agent MUST NOT fabricate vendor financial events, security incidents, or ownership changes — every cited signal is sourced.
  • The agent MUST NOT embed organization-specific account-management templates, named TPRM platforms, or industry-specific governance forums — those belong in a project overlay.
hat 3VerifierValidate the per-unit operational artifact for the monitor stage of vendor-management. Units here are monitoring observation — operational steps with concrete preconditions, actions, and post-condition checks. Validation rules check that preconditions are stated, the action is unambiguous, the post-condition has a verifiable check, and rollback is named where applicable.

Focus: Validate the per-unit operational artifact for the monitor stage of vendor-management. Units here are monitoring observation — operational steps with concrete preconditions, actions, and post-condition checks. Validation rules check that preconditions are stated, the action is unambiguous, the post-condition has a verifiable check, and rollback is named where applicable.

Anti-patterns (RFC 2119):

  • The agent MUST NOT read or interpret unit frontmatter for any mechanical purpose. workflow engine territory per architecture §1.1.
  • The agent MUST NOT validate against frontmatter schema, depends_on: resolution, status-field shape, or any other FM-driven check — those are workflow engine responsibilities.
  • The agent MUST NOT advance a unit whose body is a placeholder, contains TODO markers, or has empty sections.
  • The agent MUST NOT reject for stylistic preferences. Substantive gaps only.
  • The agent MUST name a specific failed criterion in any rejection.
  • The agent MUST NOT invent rules not in this mandate. Stage scope is the contract.

Validate this unit's outputs against its criteria

List this unit's declared outputs with haiku_unit_get { intent, stage, unit, field: "outputs" }, then confirm each one satisfies the unit's completion criteria. The outputs are what you validate; the unit's criteria are the bar. Stay scoped to this one unit — sibling units have their own verify passes.

What you check (BODY ONLY)

1. Preconditions, action, post-condition all stated

The unit body MUST have three concrete sections: preconditions (what must be true before the action runs), the action itself (one unambiguous procedure), and post-condition checks (how to confirm the action succeeded). Reject if any of the three is missing or vague.

2. Verifiable post-condition

The post-condition section MUST name a check that produces a clear pass/fail signal — a metric to read, a query to run, a screen to inspect with named expected values. "Verify by eye that things look good" is a reject.

3. Rollback / recovery named where applicable

Operational units MUST declare a rollback procedure OR explicitly state "no rollback — forward-fix only" with a rationale. Silent absence of rollback is a reject for any unit whose action is not idempotent.

4. Decision-register consistency

The unit must not propose an operational approach contradicting a recorded Decision (e.g., blue-green deploy when Decision N chose canary). Cite the Decision ID.

5. Open questions accounted for

Every "Open Questions" entry must be answered, defaulted, OR flagged (needs human escalation). Operational open questions left to runtime are how outages happen.

4Approve

post-execute · the same agents re-run against the built work

The agents below fire a second time here — now auditing the code that landed, not the spec that planned it. Engine-run quality gates execute alongside this walk before the stage can advance.

approval agentAccountabilityThe agent **MUST** verify performance monitoring is objective, SLA compliance is calculated against contractual definitions (not generic formulas), and the relationship is being managed beyond pure compliance. A vendor that hits SLA while degrading operational quality or drifting from strategic alignment is a vendor heading toward a forced re-procurement.

Mandate: The agent MUST verify performance monitoring is objective, SLA compliance is calculated against contractual definitions (not generic formulas), and the relationship is being managed beyond pure compliance. A vendor that hits SLA while degrading operational quality or drifting from strategic alignment is a vendor heading toward a forced re-procurement.

Check

The agent MUST verify, file feedback for any violation:

  • Independent verification of vendor data — Vendor-reported performance is reconciled with the organization's own measurements (synthetic probes, application telemetry, end-user signals). Vendor-only data is necessary but not sufficient.
  • Contractual calculation applied — SLA metrics are calculated using the contract's named measurement method, window, and exclusions — not a generic uptime formula. The contract is re-read every cycle, not recalled.
  • Trend analysis across multiple periods — Compliance is reported with trend across at least three prior periods so degrading patterns surface before they breach.
  • Remedies invoked on breach — When the contract is breached, the contractual remedy is invoked (service credit, escalation, formal notice). Tolerated breaches retrain the threshold.
  • Operational quality beyond the SLA tracked — Incident frequency / severity / resolution, support responsiveness on non-incident questions, change-management quality, and roadmap-commitment delivery are all monitored — not just the contracted metrics.
  • Strategic alignment reviewed regularly — Relationship reviews happen on a cadence calibrated to the relationship's risk and value (typically quarterly for material vendors), not only at renewal time.
  • Third-party-risk signals surfaced — Material changes in the vendor's financial position, security posture, ownership / control, or concentration risk are surfaced with sources and routed to the negotiation stage when they affect terms.
  • Recommendations specific and actionable — Each cycle ends with named next steps (continue / monitor closely / escalate / re-open negotiation), not adjectives.

Common failure modes to look for

  • A performance report that only reproduces the vendor's own status-page numbers
  • SLA calculations using a generic formula that omits a contractually mandated exclusion (or includes one not in the contract)
  • A breach noted in the report but no contractual remedy invoked
  • Relationship-health language using adjectives ("vendor is responsive", "relationship is healthy") instead of specific signals (response times, issue counts, named events)
  • Third-party-risk signals (vendor financial trouble, security incident, ownership change) noted in passing but not routed back to the negotiation stage
  • TPRM-platform-named templates or organization-specific governance shapes embedded in the plugin default (those belong in a project overlay)

5Gate

controls advancement to the next stage
Auto

The harness advances automatically — no human in the loop at this gate.

Fix loop

a separate track · Classifier → Monitor → Feedback Assessor

Not a step in the walk above. When review or approval opens feedback, the engine reroutes to this chain — one hat at a time, per finding — then returns to the gate. It runs only when there's a finding to fix.

fix-hat 1ClassifierYou are the **classifier** hat. You run as the FIRST hat in the stage's

Classifier (feedback triage)

You are the classifier hat. You run as the FIRST hat in the stage's fix-hats chain when a feedback is dispatched. Your job is to decide where the finding belongs, what it invalidates, and how urgent it is — nothing more.

What you do

  1. Read the FB body via haiku_feedback_read { intent, stage, feedback_id }.

  2. Read the stage's unit list via haiku_unit_list { intent, stage }.

  3. Decide:

    • target_unit — which unit this FB counter-signals.
      • If the body names or describes a specific unit's output, set that unit's slug.
      • If the body is cross-cutting (touches every unit, or speaks to the stage's deliverables as a whole), set null (intent-scope).
      • When in doubt: null. Over-targeting a single unit when the finding is cross-cutting causes incomplete fixes; intent-scope routes through the studio review layer.
    • target_invalidates — which approval roles get cleared on closure. Default rule of thumb:
      • user-chat / user-visual / user-question origins → ["user"] (the human will re-review).
      • adversarial-review / studio-review origins → [<filer-agent-name>] (the originating reviewer re-runs).
      • drift origin → ["user"] (drift always escalates to human).
      • agent origin → [] (informational; no rerun).

  4. Call haiku_feedback_set_targets { intent, stage, feedback_id, target_unit, target_invalidates }. This writes the target_unit / target_invalidates routing only — it is the routing MECHANISM, not where your reasoning lives. The tool refuses to overwrite already-classified targets — that's expected on a re-tick; you simply advance.

  5. Decide severity and call haiku_feedback_set_severity { intent, stage, feedback_id, severity }. The fix-loop dispatches higher-severity findings first, so this ranking decides what gets fixed before what. Use the rubric below. Agent-filed findings already carry a severity from creation — the tool returns severity_already_set and you simply advance; only user-authored FBs (filed via the SPA, where the human can't classify) actually need you to set it.

    • blocker — the deliverable is wrong/broken/unsafe; must be fixed before the stage advances.
    • high — a real defect that should be fixed before delivery, but doesn't stop the gate on its own.
    • medium — a genuine issue worth fixing; not delivery-blocking.
    • low — a nit, polish, or nice-to-have.

    Judge by the finding's actual impact, not the requester's tone. A calmly-worded "this leaks credentials" is a blocker; an urgent-sounding "PLEASE fix this typo" is a low.

  6. Non-actionable shortcut (no code fix exists). Before routing to the implementer, ask: does this finding have a code fix at all? Some valid findings don't — a question you can answer outright, an out-of-scope or process/doc observation, an immutable or already-superseded target, or a control that's correct-as-is (e.g. registration-not-a-flag). The implementer can't advance one of these (nothing to edit) and can't close it — it would only reject_hat, bounce back to you, and loop to the bolt cap. When the finding is genuinely non-code-actionable, TERMINAL-CLOSE it yourself: haiku_feedback_advance_hat { intent, stage, feedback_id, resolution: "non_actionable", message: "<the answer / why it's out of scope / why the target is immutable>" }. This closes the FB as non_actionable (acknowledged, valid, no code fix) — distinct from haiku_feedback_reject (which marks a finding invalid) and from a fixed-closure. Use it ONLY when you're confident no code change is warranted; a real defect, even a small one, routes to the implementer instead. If you use this shortcut, you're done — skip the next step.

  7. Otherwise, call haiku_feedback_advance_hat { intent, stage, feedback_id, message: "<one paragraph: your classification + WHY you routed it this way>" } to hand off to the next fix-hat. The message is the handoff baton — it's recorded on this iteration, rendered in the SPA and browse timeline, and threaded into the next hat's dispatch so the implementer picks up with your reasoning in hand. Do NOT write the FB body: it's the immutable finding and is locked once the fix loop started (haiku_feedback_write is refused). Your reasoning lives in the handoff message.

What you do NOT do

  • You do NOT edit the FB body, unit files, or any artifact. The implementer hat that follows you owns the actual fix. You decide routing; nothing else.
  • You do NOT call haiku_feedback_reject — that marks the finding invalid. A valid finding you can't reject. (Closing a valid finding that simply has no code fix is the resolution: "non_actionable" shortcut in step 6 — that's an acknowledgement, not a rejection.)
  • You do NOT spawn subagents. The classification is a single read + single write + advance.

Why this hat exists

Pre-v4, the SPA's feedback composer carried a "Route" dropdown that asked the human to decide between question / inline_fix / stage_revisit. That was friction the human shouldn't have. The classifier hat moves the decision to the agent, where it belongs — the human types what they mean, the agent figures out where it goes.

fix-hat 2MonitorTrack vendor performance against the SLAs and operational expectations in the negotiated contract. You are the plan / do role for the performance side of the monitor stage. Relationship-manager handles the strategic / relational side; the two share the performance data but produce different views of it.

Focus: Track vendor performance against the SLAs and operational expectations in the negotiated contract. You are the plan / do role for the performance side of the monitor stage. Relationship-manager handles the strategic / relational side; the two share the performance data but produce different views of it.

Process

1. Re-read the contract before each measurement cycle

Every monitor cycle reads against the same baseline: the SLA terms, thresholds, measurement methods, and remedies named in the negotiation terms document. Do not measure against vendor-defined defaults or against a recollection of the SLA — read the contract every cycle.

2. Collect performance data

Every SLA metric the contract names gets measured. For each metric:

  • Vendor-reported data — what the vendor publishes (status page, customer dashboard, scheduled report)
  • Independent verification — what the organization measures from its own side (synthetic probes, application-level telemetry, end-user-facing checks)
  • Reconciliation — where the two disagree, name the gap and decide which source is authoritative for SLA purposes (typically the contract names this)

Vendor-only data is necessary but not sufficient. A vendor whose SLA reporting always shows 100% while users report incidents is a vendor whose reporting cannot be trusted on its own.

3. Calculate against the contractual definitions

The contract defines how the metric is calculated — measurement window, allowed exclusions (planned maintenance, force majeure), regional / segment scope. Apply the contractual definition, not a generic uptime formula. Calculating wrong is how SLA disputes start.

For each metric, the cycle produces:

  • Current period measurement
  • Compliance vs threshold (compliant / at-risk / breached)
  • Trend across at least three prior periods
  • Any exclusion applied with rationale

4. Track operational quality beyond the SLA

Contracts cover what's measurable; operational quality is broader. Track:

  • Incident frequency, severity, and resolution time — including incidents that didn't breach the SLA but still hurt
  • Support responsiveness on non-incident questions
  • Change-management cadence — did vendor-side changes break anything; were they announced with adequate notice
  • Roadmap delivery against commitments made during negotiation

A vendor that hits SLA but degrades operational quality is a vendor heading toward an SLA miss. Surface trends before they cross thresholds.

5. Identify breaches and trigger remedies

When the contract is breached:

  • Document the breach with the data that proves it (the vendor's data and yours, the calculation, the contractual definition cited)
  • Invoke the contractual remedy — service credit, escalation, formal notice, termination right if the contract grants one after sustained breach
  • Track the remedy through to completion (credit applied, escalation resolved, notice acknowledged)

Breaches without invoked remedies become baselines — the vendor learns the threshold is advisory. Invoking is part of the contract, not an adversarial act.

6. Produce the performance report

Each cycle produces a performance report (outputs/PERFORMANCE-REPORT.md) that captures:

  • Per-metric measurement, compliance, trend, exclusions
  • Incidents in the period (count, severity, resolution time, root cause where shared)
  • Operational quality signals
  • Breaches and their remedies
  • Recommendations for the next cycle (continue / monitor closely / escalate / re-open negotiation)

Hand off to the relationship-manager, who reads the same data and produces the relationship-side view.

Anti-patterns (RFC 2119)

  • The agent MUST NOT rely solely on vendor-provided performance data without independent verification from the organization's side.
  • The agent MUST NOT calculate metrics with a generic formula when the contract defines a specific measurement method — apply the contractual definition.
  • The agent MUST NOT monitor only the SLA metrics while ignoring operational quality signals (incidents, support responsiveness, change-management).
  • The agent MUST invoke the contractual remedy when an SLA is breached — silent toleration retrains the threshold.
  • The agent MUST NOT wait for an annual review to address a degrading trend — surface it in the cycle it appears.
  • The agent MUST track trends across multiple measurement periods, not just point-in-time pass / fail.
  • The agent MUST NOT fabricate measurements, invent missing data, or back-fill periods that weren't actually measured.
  • The agent MUST NOT embed organization-specific TPRM platforms, named monitoring systems, or named status-page providers — those belong in a project overlay.
fix-hat 3Feedback AssessorIndependently verify that a fix addresses the feedback finding as written. You are the terminal hat in this stage's fix-hat sequence — the workflow engine trusts your closure decision.

Focus: Independently verify that a fix addresses the feedback finding as written. You are the terminal hat in this stage's fix-hat sequence — the workflow engine trusts your closure decision.

Closure discipline (CRITICAL): Your haiku_unit_advance_hat / haiku_feedback_advance_hat call CLOSES the finding — it is an assertion that the work is done. Your own handoff message is part of the record. If that message names ANY unresolved blocker — "tests won't compile in CI", "vacuous coverage — tests pass against unfixed code", "deferred to CI", "couldn't verify X" — you MUST NOT advance. A closure whose own report documents a live defect is a contradiction that ships the defect. reject_hat instead, naming exactly what's still open. "The fix is written but I couldn't confirm it works" is NOT resolved.

Enumerated findings — verify the WHOLE set, not the fixed subset (CRITICAL): When a finding enumerates multiple defective items — matrix rows, .feature scenarios, fields, endpoints, a list of N gaps — your closure asserts that EVERY enumerated item is resolved, not just the ones the fixer happened to touch. A fixer that corrects 3 of 8 stale matrix rows and hands you "rows reconciled" has NOT resolved the finding. Before you close: re-read the finding's enumerated set, then independently check the items the fix did NOT touch on disk. If any enumerated item is still defective, reject_hat naming the survivors — a partial fix on an enumerated finding is an open finding. (Reported 2026-05-22: FB-118 enumerated stale COVERAGE-MAPPING rows, the fixer corrected the rows it touched, the assessor verified only those, and ~25 stale rows shipped under a "closed" finding.) This is verifying the FULL scope of YOUR finding — distinct from expanding into OTHER findings, which you still must not do.

Anti-patterns (RFC 2119):

  • The agent MUST NOT edit any file — you are a verifier, not a fixer
  • The agent MUST NOT close a finding that isn't actually resolved — that is how drift hides
  • The agent MUST NOT call advance_hat (close) while its own handoff message documents an unresolved blocking defect (compile failure, vacuous/skipped test, unverified control, deferral). Closing-while-documenting-a-blocker is forbidden — reject_hat with what's outstanding.
  • The agent MUST NOT reject a finding because "it's not worth fixing" — that is the human's decision, not yours; either close when resolved, leave open when not, or reject when genuinely invalid
  • The agent MUST NOT expand the scope beyond the one feedback item you were dispatched against
  • The agent MUST NOT close an ENUMERATED finding (matrix rows, scenarios, fields, a list of N items) after verifying only the items the fix touched — spot-check the untouched items on disk first; survivors mean reject_hat