Non-technical end users
We fixed the street address on the house plans but forgot that the security camera installer was ALSO using the old address as the "who's allowed to ring the doorbell" list. Building permit passed. Camera install failed.
Back-filled by scripts/backfill_legacy_runs.sh — historical run predates campaign.meta.json emission.
Run focus
What this campaign tested: Whether the VPC CIDR fix alone was sufficient.
What it demonstrated: Post-VPC firewall creation exposed a SECOND hardcoded 10.260.0.0/24 that the first fix missed — two firewall inbound_rules used it as source_addresses. Iteration-style debugging surfaced the second bug that would have been easy to miss in a one-shot manual audit.
AI NHI analysis · Claude Opus 4.7
RED at Terraform init + apply in 1 m 5 s (longer because VPC create succeeded before firewall create failed).
Demonstrates why staged real-infrastructure testing exposes bugs that static analysis wouldn't — the second CIDR was in a different resource that only gets created if VPC creation succeeds. The fail-fast pattern naturally walks the dependency graph.
The DigitalOcean (DO) firewall POST returned 422 "invalid address: 10.260.0.0/24" on the inbound_rule blocks for port 9077 and icmp. The fix swapped the hardcoded strings for digitalocean_vpc.a2a.ip_range, giving one source of truth and eliminating the entire class of drift bugs between the VPC CIDR and downstream CIDR references.
Link firewall CIDR to VPC CIDR via reference; dispatch r4.
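
The fix described above, sketched as an added Terraform example (not the campaign's own configuration). Only digitalocean_vpc.a2a, port 9077, icmp and the rejected 10.260.0.0/24 come from the run; the firewall resource label, names, region, the protocol for port 9077 and the corrected CIDR are assumptions.

```hcl
# Added example. Values marked "assumed" or "constructed" are not from the run.
resource "digitalocean_vpc" "a2a" {
  name     = "a2a-vpc"      # assumed
  region   = "nyc3"         # assumed
  ip_range = "10.20.0.0/24" # constructed placeholder for the corrected CIDR
}

resource "digitalocean_firewall" "a2a" { # resource label assumed
  name = "a2a-fw" # assumed

  # Before: each rule carried its own literal copy of the CIDR, so correcting
  # the VPC left these untouched and the API rejected them with 422:
  #   source_addresses = ["10.260.0.0/24"]

  # After: both rules read the range from the VPC resource. The reference
  # also gives Terraform an explicit dependency edge, so the firewall is
  # planned after the VPC and always sees the VPC's actual range.
  inbound_rule {
    protocol         = "tcp" # assumed; the run only names port 9077
    port_range       = "9077"
    source_addresses = [digitalocean_vpc.a2a.ip_range]
  }

  inbound_rule {
    protocol         = "icmp"
    source_addresses = [digitalocean_vpc.a2a.ip_range]
  }
}
```

Any other resource that restricts traffic by the VPC range should take the same reference, so the allow-list cannot drift from the network it is meant to describe.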