← All results
GO 2-1
Curated scenario

The fix survived its own breaking; the split is over release conditions.

The panel built the recovery design, found the structural hole in its own evidence ladder, patched it in-session — and preserved a genuine 2-v-1 on what the 12-million-user re-run still requires.

Review cost$0.93
Session3 rounds · ~4 min model time
Result1 structural hole found in the panel's own fix — and patched in-session
Panel
GPTGrokMuse
01

The plan under review

A recovery design for a managed background-job platform after a poison-pill object (corrupt gzip) was retried 6,842 times in 74 minutes: the crash-reaper path enforced no max_attempts, autoscaling amplified the storm, and the customer dashboard showed "80% complete" throughout. Five candidate mitigations — durable pre-attempt rows, input fingerprinting, a queue circuit breaker, per-shard UI transparency, crash-path retry policy — with a 12M-user re-run due Friday under a 4-hour contractual window.

Scenario context6,842 retries in 74 minutes on one corrupt object; 26 useless autoscaled pods; billing jobs delayed 41 minutes; a 12M-user re-run against a 4-hour contractual completion window.Figures as stated in the reviewed plan — no inferred savings.
02

What changed before ship

Proposed
Landed
Five candidate mitigations
A+E+D floor unanimously non-negotiable: durable pre-attempt rows + fencing tokens, crash-path enforcement, per-shard UI; narrow fingerprinting on the evidence ladder; group circuit breaker deferred
Quarantine-copy for ambiguous objects
Streaming digest of bytes already in flight — the zero-infrastructure equivalent, adopted by all three
'Same error class twice' DLQ rule
The byte-identity evidence ladder with bad_input / unreadable_input / transient_io terminal states, abort-on-failure, pinned canonical error categories, and the partial-prefix-hash promotion patch
Queue-level circuit breaker (20 failures/5min)
ZERO lines of pause code — group needs_attention derives from terminal shard states in the UI layer, flipping on ONE terminal shard
'Import running: 80% complete'
Per-shard states with attempt counts, next-retry times, and action buttons (retry shard / cancel / continue without)
Two reaction-vs-prose split-states
Both BOUND on the record: bad_input on stable hash regardless of bucket versioning; the one-terminal-shard flip
Depth-driven autoscaling
Delayed jobs excluded from scale metrics; ops concurrency ceiling on the import queue for the re-run
03

Findings

Ship blockerDefect
Round 1

The crash-reaper path WAS the retry policy, and it had none

Every route to another execution — lease expiry, process death, redelivery, manual retry — must pass one retry-decision function with a hard total-execution cap. max_attempts in YAML but not in the reaper is how 6,842 happens.

Ship blockerDefect
Round 1

Attempt counting was invisible on exactly the failing path

Incrementing attempt_count only on worker completion means a crash-before-classification leaves no durable marker — durable pre-attempt rows in the lock-acquisition transaction, plus fencing tokens so a stale worker cannot overwrite its replacement.

Ship blockerDefect
Round 2

Metadata matching could blame customers for transient corruption

Two same-class failures with matching length/ETag do not prove the same bytes failed twice. The evidence bar landed on a streaming SHA-256 of bytes already being downloaded: stable identity + byte digest + same deterministic failure twice means bad_input; differing hashes mean unreadable_input; length mismatch means transient_io, never poison.

Ship blockerDefect
Round 3

The panel's own ladder had a hole exactly where the incident lived

A worker that crashes mid-decompression never completes a digest — fingerprinting never fires, and the poison object burns the whole attempt cap as lost. Named by all three in the final round: the ladder is a fast-path classifier, not a completeness guarantee. Patched in-session with partial-prefix-hash promotion for caught early aborts.

MaterialDefect
Round 3

Post-error draining is a deadline hazard

Draining a multi-GB body just to finish a classification digest can eat the contractual window — abort-on-failure for the patch, drain budgets if ever.

MaterialDefect
Round 3

Error-class matching is brittle across zlib/runtime versions

Match a pinned canonical category (code + phase + offset bucket), never message strings — a rolling deploy could reset poison strikes and reopen the storm.

MaterialDefect
Round 1

The autoscaler treats a death loop as demand

Exclude delayed jobs from depth metrics or cap concurrency — otherwise backoff is undermined by scale-out that adds workers all hitting the same deterministic bad object.

04

Decision

Landed invariantVerdict 2-1
Every path that can create another job execution — including crash recovery — passes one retry-policy function with a hard attempt cap; customer-facing bad_input requires proven byte identity, never metadata.

GO carried 2-1 with the dissent preserved, not smoothed: the majority ships with light on-call and cap alerts; the minority's release conditions are on the record as the price of skipping them.

05

Where the panel split

Terminal ship dissent2-1

Ship Friday's 12M-user re-run with the patch alone, or require a canary and an SRE in the loop?

Majority · GO

Grok + Muse: GO with light on-call — storm prevention does not depend on fingerprinting firing; the worst case is bounded unreadable_input, not an infinite loop.

Minority · NO-GO

Sol: NO-GO without a canary on representative multi-GB objects, a verified 4-hour capacity budget, and an SRE with a kill switch — 'ship today' is not a safety requirement.

06

Evidence trail