Every architecture guide draws the happy path first.

A design method where the first artifact you check in is not a happy-path diagram, it is a typed enum of named failure modes the system can emit. We write the FailureReason Literal in state.py before we write a single node body. Then we build a matrix of every node by every failure mode it can emit and name the destination for each one. Only after that matrix is complete do we write graph.py. The happy path drops out as the residual: whatever routing is left when every failure edge is explicitly wired. The benefit is that the design document and the code converge on one source of truth; there is no separate architecture deck that can drift from reality.

Exceptions are control flow. Named failure modes are data. If a node raises, the router has to wrap every call in try/except and map error classes to branches, which couples the router to every agent's internal error taxonomy. If a node sets state.last_failure = 'rubric_fail' and returns, the router is pure data routing and the node body stays pure domain logic. The second shape is also trivially auditable: every transition writes one Postgres row with the failure_reason column populated, so the on-call can run SELECT failure_reason, COUNT(*) FROM case_turns GROUP BY 1 and see the whole taxonomy in production. The exception shape hides that information in logs.

On the production systems we have shipped, six is the typical ceiling. compliance_fail covers policy rejections, latency_blow covers budget exceedences, rubric_fail covers ragas plus case-rubric scoring below threshold, handoff_exhausted covers the handoff_budget ceiling from our MAST-anchored rules, schema_invalid covers tool output that does not validate against its Pydantic model, and model_down covers provider 5xx or timeouts. If the enum grows past ten, the granularity is wrong and the enum is leaking internal state. If it stays at three or four, failure modes are being squashed into 'other' and the on-call cannot triage without reading logs.

Supervisor and router are happy-path patterns. They describe who decides what node runs next when everything is going well. They do not specify what the router reads on failure, how failure is represented, or how the audit log captures it. Failure-first architecture is orthogonal: you can apply it inside a supervisor topology, a sequential pipeline, or a custom DAG. The artifact is the FailureReason enum and the node-by-failure-mode matrix, not the topology. We ship systems that use a LangGraph router topology and systems that use a custom DAG, and both have the same enum shape.

A two-dimensional table: rows are nodes, columns are failure modes. Each cell is either dashes (this node cannot emit that mode) or the name of the destination node the graph routes to. We check it in as a markdown table next to graph.py with the title ARCHITECTURE.md. A simple CI test parses the FailureReason Literal from state.py, greps graph.py for every 'state.last_failure ==' branch, and fails the PR if any cell in the markdown table does not match the code. The matrix is the spec; graph.py is the implementation; CI enforces equality.

It promotes failure_reason to a NOT NULL enum column on the case_turns table, with 'ok' as the success value. Every node transition writes exactly one row, success or failure. That gives the on-call engineer a production failure taxonomy in one SQL query instead of a grep through JSON logs. The schema also adds a partial index WHERE failure_reason <> 'ok' so failure rates are cheap to compute per case_id, per node, per hour. We have watched a 2 AM incident resolve in eight minutes because the first query the on-call ran returned 'rubric_fail: 4200' and pointed at a drafter regression, not a routing bug.

No. It shortens it. The enum and the matrix are a one-day exercise on day three of the engagement, and they eliminate most of the week-three-onward thrash because every PR has an unambiguous place to declare new failure behavior. On the Upstate Remedial system we hit the week 2 prototype rubric on day 13, and the week-six production cutover required zero rearchitecting of the graph: the only changes in weeks three to six were new nodes and new enum values, never a rewrite of the routing.

Yes. At week 2 the leave-behind-in-progress includes four files: state.py with the FailureReason Literal, graph.py with the conditional edges reading it, the Postgres migration creating failure_reason_t as an enum and case_turns as the audit table, and ARCHITECTURE.md with the node-by-failure-mode matrix. At week 6 we add evals/ (ragas plus case rubric in CI), runbook.md keyed to your on-call rotation naming every failure_reason and the first query to run, and RATIONALE.md explaining which framework decisions are load-bearing and which are replaceable. The design document is the code. We do not ship separate decks.

Yes, that is most of the week 0 refactor engagements we run. We read your current graph, grep for exception handlers, and propose a FailureReason enum that captures the modes your code already implicitly raises. The first PR replaces try/except sites with state.last_failure assignments and introduces the Postgres enum column. The second PR flips the conditional edges to read from it. Usually this is a two-week delta, not a rewrite, and it leaves your current framework in place. The goal is to make failure visible in one query, not to move you to a new framework.