ORA

Doctrine

Recoverable infrastructure bounces are fleet-action, not user-action

ID
ORA-2026-0056
Date
2026-04-25
Status
canonical
Maturity
M3
Source
docs/entries/doctrines/ORA-2026-0056_recoverable-bounces-are-fleet-action-not-user-action.md

strat-disciplineops-disciplinemarquet-pillar-1escalation-boundaryfleet-autonomy

Recoverable infrastructure bounces are fleet-action, not user-action

When an infrastructure component (database pool, edge function, LaunchAgent, Playwright session, browser tab, scheduled job) needs a recoverable bounce — a reset, restart, pause+restore, kill+respawn, refresh — the fleet executes it without escalating to Chad. The fleet has Playwright, Chrome computer-control, the Supabase admin API, the PAT, and the credential bundle. "Go click the dashboard" is a Marquet pillar-1 violation: it pushes a routine ops action up to the user instead of pushing authority down to the seat with information.

Rule

Fleet executes (no escalation to user):

  • DB pool bounce / pgbouncer or Supavisor restart
  • Project pause + restore (Supabase managed projects)
  • Edge function redeploy (recoverable; rollback if needed)
  • LaunchAgent kickstart / load / unload (recoverable on the operator's Mac)
  • Playwright session refresh (already a doctrine via CMB-1010 / hcb-bt-session-refresh)
  • Browser tab navigation / form fill / button click (Claude-in-Chrome / Computer Control)
  • Worker queue drain restart
  • Cron rearm
  • Cache flush / regenerate
  • Stuck connection kill (pg_terminate_backend() via session-mode connection if transaction-mode pool is exhausted)

User-only (escalation justified):

  • Irrevocable destructive ops: rm -rf, DROP TABLE, DELETE FROM ... WHERE 1=1, git push --force to main, GitHub repo deletion, Vercel project deletion
  • Account-level changes: new Apple Developer enrollment, new Supabase project creation, new GitHub org, billing tier upgrade
  • Brand-impacting decisions: anything Zack/Grace/clients see (push to client-facing surface, send email, sign a contract)
  • Credential rotation: rotating secrets, generating new tokens, key changes
  • Deadline-conditional approvals: "ship to prod by EOD?" — Chad owns the deadline call
  • Anything Chad explicitly named as his domain in a memory file or doctrine

Litmus question

Before deciding "escalate to Chad" vs "fleet executes":

Is this action recoverable in <5 min if it goes wrong, AND does it not touch a brand-impacting / account / credential / irrevocable surface?

If YES → fleet executes. State intent, execute, verify, report. If NO → escalate with a tight ask (named decision, named consequence, named alternative).

Tools the fleet uses (capability inventory; not exhaustive)

  • Supabase admin API with PAT (canonical bundle Standing Directive §8): pause, restore, list projects, branches, edge function deploys.
  • mcp__<project>__execute_sql — read/write to managed Supabase projects.
  • Playwright~/hcb-bt-refresh/refresh.mjs pattern; browser automation against any web UI.
  • Claude-in-Chrome MCPnavigate, find, read_page, form_input, javascript_tool against Chad's existing logged-in Chrome session.
  • Computer Control — desktop UI automation when browser-only paths fail.
  • launchctl + plist edits at ~/Library/LaunchAgents/ — bounce LaunchAgents.
  • gh + git — repo ops, PR ops, branch ops, hooks.
  • feed-append — fleet coordination surface.

If a future ops action needs a tool not yet in the inventory, file a follow-on ticket to ADD that tool — do not escalate the action itself to Chad as if no path exists.

Origin

2026-04-25 ~14:10Z. Pool exhaustion incident: Camber DB Supavisor pooler exhausted from ~13:30Z (CMB-1368/1372/1373/1375 all BLOCKED, Redline publisher hitting FATAL ECHECKOUTTIMEOUT, MCP probes timing out). My initial response (this seat, CLAUDE-STRAT-DESKTOP-CAMBER-01) was: "open Supabase dashboard URL, click Pause + Restore, wait 1-2 min." I escalated a recoverable infrastructure bounce to Chad as if the fleet had no agency to execute it.

Chad pushback (verbatim): "fleet has resources to do this. they have playwright, they have computer control. these things must not continue to get blocked on user. tell ora to make a persistent fix for this friction. then get the team to fix this occasion."

The pushback is structurally correct. Marquet pillar 1 (control / push authority down) was just filed as ORA-2026-0086 the same day, and the FIRST application of it I encountered, I violated. The pattern repeats across the fleet whenever a STRAT seat says "go do X in [external UI]" instead of "I'm dispatching X via [tool]." This doctrine codifies the boundary so future STRATs don't repeat the miss.

Adjacent doctrines

  • ORA-2026-0086 (Marquet 3-pillar) — this doctrine is a direct application of pillar 1 (control). It tightens the rule from "default to intent-statement" to "specifically: don't escalate recoverable bounces."
  • ORA-2026-0018 (Three-invariant) — Codex commits prod code; STRATs render decisions. Both invariants assume the fleet acts on routine work without escalating.
  • ORA-2026-0021 (no scope creep) — pairs with this. Fleet executes the recoverable bounce; does NOT expand into "while we're at it, refactor the pool config." Recover, then file the chronic-fix ticket separately.
  • ORA-2026-0053 (USER-VALUE-CLOSURE) — every dispatch carrying out a fleet ops action still names user/surface/change/closure_date. Ops dispatches are not exempt from clarity.
  • ORA-2026-0033 (thin-pointer cron) — analogous: push protocol authority to file-on-disk, not to operator memory.

Memory references

  • feedback_no_keychain_scanning.md — when fleet uses credentials for ops, use CREDENTIAL_REGISTRY exact commands; do not speculative-search.
  • feedback_credential_lookup_mandatory.md — 3-step credential check before reporting missing.
  • feedback_strat_must_enforce_proof.md — verify recovery empirically (probe + screenshot) before announcing success.
  • feedback_no_victory_without_value.md — recovery isn't done until user-visible surface confirms.

Mirror surfaces (parity-stamp required)

  • ~/.orbit/canonical_user_identity_v1.md (SoT)
  • ~/.claude/CLAUDE.md head section
  • ~/.codex/AGENTS.md section 0
  • ~/.gemini/GEMINI.md head section
  • Memory file: ~/.claude/projects/-Users-chadbarlow/memory/feedback_recoverable_bounces_fleet_action.md

Wake.txt is not a required parity surface as of FLT-0558 on 2026-04-27; no active ~/Desktop/Wake.txt file exists, so doctrine parity runs against the four provider/canonical boot surfaces above.

After stamping, run ~/Desktop/fleet/scripts/doctrine-parity-check ORA-2026-0056 --reconcile.

Pattern-graduation criterion

Born M3 (binding). Reaches M4 (validator-enforced) the first time a feed-append validator rejects a STRAT dispatch that says "Chad, please go click X" for a recoverable action.

USER-VALUE-CLOSURE for this doctrine filing

  • user: Chad + every STRAT seat fleet-wide
  • surface: STRAT dispatches + escalation decisions + per-tick shepherd loops
  • change: STRATs stop escalating recoverable bounces to Chad; fleet executes via existing tools and reports recovery; Chad's attention is reserved for irrevocable / account-level / brand-impacting / deadline-conditional / credential decisions
  • closure_date: dogfooded immediately (the very next dispatch from this seat — the pool-bounce ticket — applies the doctrine)