Doctrine

Authority Ladder — graduated fleet autonomy at reality boundaries

Tags: fleet-ops, authority, autonomy, boundaries, user-value

Problem

The fleet has one authority boundary: fleet-reversible actions with fleet identity. Everything else requires Chad. This creates a binary — autonomous or blocked — when the actual risk surface is a gradient. In the audit snapshot, 228 of 276 open work items were BLOCKED. A prior synthesis estimated that 180 may unblock at L0-L2, but the exact count requires the Phase 1 rung classification.

Doctrine

Fleet authority is a 5-rung ladder. Each rung defines what the fleet may do, what approval is required, and what audit trail is produced. Actions must be classified by rung BEFORE execution. Executing above your authorized rung is a doctrine violation. Blocking below your authorized rung (treating L0 work as L2) is waste.

L0 — AUTONOMOUS

Fleet executes. No approval. Post-hoc audit log only.

  • Token refresh on existing credential grants
  • Brand safety lint (reject output containing "Camber" bound for BT/client surfaces)
  • Schema-validated dry runs
  • Internal coordination (feed posts, ticket management, doc updates)
  • Surface-watch monitoring

L1 — FLEET-APPROVED

Any STRAT agent reviews and approves. Approval receipt in feed.

  • Reads from external systems (BT API reads, Gmail reads)
  • New service accounts within pre-authorized scopes
  • Cross-reference verification (EXIF GPS vs. job site coordinates)
  • Draft generation for Chad review

L2 — BATCH-MANIFEST

Fleet accumulates a manifest of proposed actions. Chad reviews the batch once. Approved items execute; rejected items stay BLOCKED with reason.

  • Non-financial BT writes (daily logs, photos, to-dos)
  • Receipt ingest and cost-code assignment
  • Backfill operations on existing data
  • Format: structured manifest listing each action, target system, identity used, reversibility assessment

L3 — HUMAN-SUPERVISED

Chad watches fleet execute in real time. Fleet narrates each step.

  • Novel templates and formats
  • New OAuth consent grants requiring browser interaction
  • Ambiguous judgment calls (photo classification edge cases)

L4 — HUMAN-ONLY

Chad acts directly. Fleet prepares but does not execute.

  • Payments, voids, credit memos
  • Client-facing communications carrying Zack's or Heartwood's identity
  • Account creation or deletion on external platforms
  • Any action carrying business liability

Classification axes

Two questions determine the rung:

Reversibility: Can the fleet undo this action within 5 minutes without Chad?

  • Yes → L0-L1 candidate
  • Chad can undo → L2-L3 candidate
  • Irreversible → L3-L4

Identity exposure: Whose identity does this action carry?

  • Fleet identity (internal) → L0
  • Chad's identity (operator) → L2-L3
  • Business identity (Heartwood/Zack) → L4
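The two axes can be turned into a pre-execution check. The sketch below is an added example, not code from the fleet: the names `Action`, `classify`, `gate` and `build_manifest` are hypothetical, the sample actions are constructed, and it assumes the stricter of the two axes sets the rung, which the doctrine does not state explicitly.

```python
from dataclasses import dataclass
from enum import IntEnum

class Rung(IntEnum):
    L0 = 0  # autonomous
    L1 = 1  # fleet-approved
    L2 = 2  # batch-manifest
    L3 = 3  # human-supervised
    L4 = 4  # human-only

# Candidate rung ranges per axis, taken from the two lists above.
REVERSIBILITY = {"fleet": (Rung.L0, Rung.L1), "chad": (Rung.L2, Rung.L3),
                 "irreversible": (Rung.L3, Rung.L4)}
IDENTITY = {"fleet": (Rung.L0, Rung.L0), "chad": (Rung.L2, Rung.L3),
            "business": (Rung.L4, Rung.L4)}

@dataclass(frozen=True)
class Action:
    name: str
    target_system: str
    undo_by: str   # key into REVERSIBILITY
    identity: str  # key into IDENTITY

def classify(action):
    """Return the (lowest, highest) candidate rung. Assumption: stricter axis wins."""
    r_lo, r_hi = REVERSIBILITY[action.undo_by]
    i_lo, i_hi = IDENTITY[action.identity]
    return max(r_lo, i_lo), max(r_hi, i_hi)

def gate(action, handled_as):
    """Pre-execution check of the rung whose approval process is being applied."""
    try:
        lo, hi = classify(action)
    except KeyError:
        return "BLOCKED: unclassified"  # fail closed on unknown axis values
    if handled_as < lo:
        return f"VIOLATION: requires at least {lo.name}"
    if handled_as > hi:
        return f"WASTE: {hi.name} is sufficient"
    return f"OK at {handled_as.name}"

def build_manifest(actions):
    """L2 manifest rows: action, target system, identity used, reversibility."""
    return [{"action": a.name, "target_system": a.target_system,
             "identity": a.identity, "reversibility": a.undo_by}
            for a in actions if classify(a)[0] <= Rung.L2 <= classify(a)[1]]

# Constructed sample actions, modelled on the rung examples in this doctrine.
SAMPLES = [Action("token refresh", "credential store", "fleet", "fleet"),
           Action("daily log write", "BT", "chad", "chad"),
           Action("payment", "BT", "irreversible", "business")]
```

An action with an axis value outside the two tables is blocked rather than defaulted to a low rung, so a missing classification cannot silently grant autonomy.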

Implementation path

1. Classify all BLOCKED items by rung (read-only audit)
2. Implement L0 mechanically (no approvals, audit log)
3. Design batch-manifest format for L2 (highest leverage — ~80 items, 15 min Chad review)
4. Formalize L1 STRAT-approval receipts in feed protocol
5. L3-L4 remain as-is

Relationship to existing doctrine

Extends ORA-2026-0018 (delegate not self-execute) from a single rule into a graduated framework. ORA-2026-0018 remains valid as the pressure-response invariant — this doctrine adds the positive framing of what the fleet CAN do, not just what it can't.

Origin

2026-04-26 fleet antagonism synthesis. 6 parallel Opus agents analyzed 48 hours of fleet behavior. The authority ladder emerged from Dynamic 3 as the most actionable intervention. Chad confirmed: "this is all GOLD."