Second-order prompt injection risk: gap text from verification LLM flows directly into replan prompt. Add 500-char cap on gap descriptions before passing to replan().