Doctrine
Recoverable infrastructure bounces are fleet-action, not user-action
Recoverable infrastructure bounces are fleet-action, not user-action
When an infrastructure component (database pool, edge function, LaunchAgent, Playwright session, browser tab, scheduled job) needs a recoverable bounce — a reset, restart, pause+restore, kill+respawn, refresh — the fleet executes it without escalating to Chad. The fleet has Playwright, Chrome computer-control, the Supabase admin API, the PAT, and the credential bundle. "Go click the dashboard" is a Marquet pillar-1 violation: it pushes a routine ops action up to the user instead of pushing authority down to the seat with information.
Rule
Fleet executes (no escalation to user):
- DB pool bounce / pgbouncer or Supavisor restart
- Project pause + restore (Supabase managed projects)
- Edge function redeploy (recoverable; rollback if needed)
- LaunchAgent kickstart / load / unload (recoverable on the operator's Mac)
- Playwright session refresh (already a doctrine via CMB-1010 /
hcb-bt-session-refresh) - Browser tab navigation / form fill / button click (Claude-in-Chrome / Computer Control)
- Worker queue drain restart
- Cron rearm
- Cache flush / regenerate
- Stuck connection kill (
pg_terminate_backend()via session-mode connection if transaction-mode pool is exhausted)
User-only (escalation justified):
- Irrevocable destructive ops:
rm -rf,DROP TABLE,DELETE FROM ... WHERE 1=1,git push --forceto main, GitHub repo deletion, Vercel project deletion - Account-level changes: new Apple Developer enrollment, new Supabase project creation, new GitHub org, billing tier upgrade
- Brand-impacting decisions: anything Zack/Grace/clients see (push to client-facing surface, send email, sign a contract)
- Credential rotation: rotating secrets, generating new tokens, key changes
- Deadline-conditional approvals: "ship to prod by EOD?" — Chad owns the deadline call
- Anything Chad explicitly named as his domain in a memory file or doctrine
Litmus question
Before deciding "escalate to Chad" vs "fleet executes":
Is this action recoverable in <5 min if it goes wrong, AND does it not touch a brand-impacting / account / credential / irrevocable surface?
If YES → fleet executes. State intent, execute, verify, report. If NO → escalate with a tight ask (named decision, named consequence, named alternative).
Tools the fleet uses (capability inventory; not exhaustive)
- Supabase admin API with PAT (canonical bundle Standing Directive §8): pause, restore, list projects, branches, edge function deploys.
mcp__<project>__execute_sql— read/write to managed Supabase projects.- Playwright —
~/hcb-bt-refresh/refresh.mjspattern; browser automation against any web UI. - Claude-in-Chrome MCP —
navigate,find,read_page,form_input,javascript_toolagainst Chad's existing logged-in Chrome session. - Computer Control — desktop UI automation when browser-only paths fail.
launchctl+ plist edits at~/Library/LaunchAgents/— bounce LaunchAgents.gh+ git — repo ops, PR ops, branch ops, hooks.feed-append— fleet coordination surface.
If a future ops action needs a tool not yet in the inventory, file a follow-on ticket to ADD that tool — do not escalate the action itself to Chad as if no path exists.
Origin
2026-04-25 ~14:10Z. Pool exhaustion incident: Camber DB Supavisor pooler exhausted from ~13:30Z (CMB-1368/1372/1373/1375 all BLOCKED, Redline publisher hitting FATAL ECHECKOUTTIMEOUT, MCP probes timing out). My initial response (this seat, CLAUDE-STRAT-DESKTOP-CAMBER-01) was: "open Supabase dashboard URL, click Pause + Restore, wait 1-2 min." I escalated a recoverable infrastructure bounce to Chad as if the fleet had no agency to execute it.
Chad pushback (verbatim): "fleet has resources to do this. they have playwright, they have computer control. these things must not continue to get blocked on user. tell ora to make a persistent fix for this friction. then get the team to fix this occasion."
The pushback is structurally correct. Marquet pillar 1 (control / push authority down) was just filed as ORA-2026-0086 the same day, and the FIRST application of it I encountered, I violated. The pattern repeats across the fleet whenever a STRAT seat says "go do X in [external UI]" instead of "I'm dispatching X via [tool]." This doctrine codifies the boundary so future STRATs don't repeat the miss.
Adjacent doctrines
- ORA-2026-0086 (Marquet 3-pillar) — this doctrine is a direct application of pillar 1 (control). It tightens the rule from "default to intent-statement" to "specifically: don't escalate recoverable bounces."
- ORA-2026-0018 (Three-invariant) — Codex commits prod code; STRATs render decisions. Both invariants assume the fleet acts on routine work without escalating.
- ORA-2026-0021 (no scope creep) — pairs with this. Fleet executes the recoverable bounce; does NOT expand into "while we're at it, refactor the pool config." Recover, then file the chronic-fix ticket separately.
- ORA-2026-0053 (USER-VALUE-CLOSURE) — every dispatch carrying out a fleet ops action still names user/surface/change/closure_date. Ops dispatches are not exempt from clarity.
- ORA-2026-0033 (thin-pointer cron) — analogous: push protocol authority to file-on-disk, not to operator memory.
Memory references
feedback_no_keychain_scanning.md— when fleet uses credentials for ops, use CREDENTIAL_REGISTRY exact commands; do not speculative-search.feedback_credential_lookup_mandatory.md— 3-step credential check before reporting missing.feedback_strat_must_enforce_proof.md— verify recovery empirically (probe + screenshot) before announcing success.feedback_no_victory_without_value.md— recovery isn't done until user-visible surface confirms.
Mirror surfaces (parity-stamp required)
~/.orbit/canonical_user_identity_v1.md(SoT)~/.claude/CLAUDE.mdhead section~/.codex/AGENTS.mdsection 0~/.gemini/GEMINI.mdhead section- Memory file:
~/.claude/projects/-Users-chadbarlow/memory/feedback_recoverable_bounces_fleet_action.md
Wake.txt is not a required parity surface as of FLT-0558 on 2026-04-27; no active ~/Desktop/Wake.txt file exists, so doctrine parity runs against the four provider/canonical boot surfaces above.
After stamping, run ~/Desktop/fleet/scripts/doctrine-parity-check ORA-2026-0056 --reconcile.
Pattern-graduation criterion
Born M3 (binding). Reaches M4 (validator-enforced) the first time a feed-append validator rejects a STRAT dispatch that says "Chad, please go click X" for a recoverable action.
USER-VALUE-CLOSURE for this doctrine filing
- user: Chad + every STRAT seat fleet-wide
- surface: STRAT dispatches + escalation decisions + per-tick shepherd loops
- change: STRATs stop escalating recoverable bounces to Chad; fleet executes via existing tools and reports recovery; Chad's attention is reserved for irrevocable / account-level / brand-impacting / deadline-conditional / credential decisions
- closure_date: dogfooded immediately (the very next dispatch from this seat — the pool-bounce ticket — applies the doctrine)