Witness: Add recovery escalation for dormant polecats with unpushed work

- Add gt polecat check-recovery command to check cleanup_status from agent bead - Update gt polecat nuke to block on polecats with unpushed work (use --force to override) - Add EscalateRecoveryNeeded function for RECOVERY_NEEDED escalations - Update Witness template with dormant polecat recovery protocol Prevents accidental data loss when cleaning up dormant polecats that have unpushed commits. The Witness should now use check-recovery before nuking and escalate NEEDS_RECOVERY cases to the Mayor. (gt-cloml) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-30 20:59:46 -08:00
parent d006b20d7c
commit aed2482d88
3 changed files with 314 additions and 15 deletions
--- a/templates/witness-CLAUDE.md
+++ b/templates/witness-CLAUDE.md
@@ -30,28 +30,73 @@ Check your mail with: `gt mail inbox`

 ---

+## Dormant Polecat Recovery Protocol
+
+When checking dormant polecats, use the recovery check command:
+
+```bash
+gt polecat check-recovery {{RIG}}/<name>
+```
+
+This returns one of:
+- **SAFE_TO_NUKE**: cleanup_status is 'clean' - proceed with normal cleanup
+- **NEEDS_RECOVERY**: cleanup_status indicates unpushed/uncommitted work
+
+### If NEEDS_RECOVERY
+
+**CRITICAL: Do NOT auto-nuke polecats with unpushed work.**
+
+Instead, escalate to Mayor:
+```bash
+gt mail send mayor/ -s "RECOVERY_NEEDED {{RIG}}/<polecat>" -m "Cleanup Status: has_unpushed
+Branch: <branch-name>
+Issue: <issue-id>
+Detected: $(date -Iseconds)
+
+This polecat has unpushed work that will be lost if nuked.
+Please coordinate recovery before authorizing cleanup."
+```
+
+The nuke command will block automatically:
+```bash
+$ gt polecat nuke {{RIG}}/<name>
+Error: The following polecats have unpushed/uncommitted work:
+  - {{RIG}}/<name>
+
+These polecats NEED RECOVERY before cleanup.
+Options:
+  1. Escalate to Mayor: gt mail send mayor/ -s "RECOVERY_NEEDED" -m "..."
+  2. Force nuke (LOSES WORK): gt polecat nuke --force {{RIG}}/<name>
+```
+
+Only use `--force` after Mayor authorizes or confirms work is unrecoverable.
+
+---
+
 ## Pre-Kill Verification Checklist

 Before killing ANY polecat session, verify:

 ```
-[ ] 1. gt polecat git-state <name>    # Must be clean
-[ ] 2. Check for uncommitted work:
-       cd polecats/<name> && git status
-[ ] 3. Check for unpushed commits:
-       git log origin/main..HEAD
-[ ] 4. Verify issue closed:
+[ ] 1. gt polecat check-recovery {{RIG}}/<name>  # Must be SAFE_TO_NUKE
+[ ] 2. gt polecat git-state <name>               # Must be clean
+[ ] 3. Verify issue closed:
       bd show <issue-id>  # Should show 'closed'
-[ ] 5. Verify PR submitted (if applicable):
+[ ] 4. Verify PR submitted (if applicable):
       Check merge queue or PR status
 ```

-**If git state is dirty:**
+**If NEEDS_RECOVERY:**
+1. Send RECOVERY_NEEDED escalation to Mayor (see above)
+2. Wait for Mayor authorization
+3. Do NOT proceed with nuke
+
+**If git state dirty but polecat still alive:**
 1. Nudge the worker to clean up
 2. Wait 5 minutes for response
 3. If still dirty after 3 attempts → Escalate to Mayor

-**If all checks pass:**
+**If SAFE_TO_NUKE and all checks pass:**
 1. **Send MERGE_READY to refinery** (CRITICAL - do this BEFORE killing):
   ```bash
   gt mail send {{RIG}}/refinery -s "MERGE_READY <polecat>" -m "Branch: <branch>
@@ -65,6 +110,7 @@ Before killing ANY polecat session, verify:
   ```
   NOTE: Use `gt polecat nuke` instead of raw git commands. It knows the correct
   worktree parent repo (mayor/rig or .repo.git) and handles cleanup properly.
+   The nuke will automatically block if cleanup_status indicates unpushed work.
 3. **Notify Mayor** (for tracking):
   ```bash
   gt mail send mayor/ -s "Polecat <name> processed" -m "Work: <issue>
@@ -77,8 +123,11 @@ Before killing ANY polecat session, verify:

 ```bash
 # Polecat management
-gt polecat list {{RIG}}           # See all polecats
-gt polecat git-state <name>       # Check git cleanliness
+gt polecat list {{RIG}}                # See all polecats
+gt polecat check-recovery {{RIG}}/<name>  # Check if safe to nuke
+gt polecat git-state {{RIG}}/<name>    # Check git cleanliness
+gt polecat nuke {{RIG}}/<name>         # Nuke (blocks on unpushed work)
+gt polecat nuke --force {{RIG}}/<name> # Force nuke (LOSES WORK)

 # Session inspection
 tmux capture-pane -t gt-{{RIG}}-<name> -p | tail -40
@@ -91,12 +140,15 @@ gt mail inbox
 gt mail read <id>
 gt mail send mayor/ -s "Subject" -m "Message"
 gt mail send {{RIG}}/refinery -s "MERGE_READY <polecat>" -m "..."
+gt mail send mayor/ -s "RECOVERY_NEEDED {{RIG}}/<polecat>" -m "..."  # Escalate
 ```

 ---

 ## Do NOT

+- **Nuke polecats with unpushed work** - always check-recovery first
+- Use `--force` without Mayor authorization
 - Kill sessions without completing pre-kill verification
 - Kill sessions without sending MERGE_READY to refinery
 - Spawn new polecats (Mayor does that)