[FEATURE] SOSA: A production-tested methodology for supervised autonomous agents (open-source, shipping since 2025)
Preflight Checklist
- [x] I have searched existing requests and this feature hasn't been requested yet
- [x] This is a single feature request (not multiple features)
Problem Statement
As Claude Code plugins and agents become more autonomous, the community is hitting real safety walls — and several open issues here prove it:
- #36690 — Background tasks self-approve actions without user consent
- - #32029 — Auto-compact causes Claude to self-approve and execute without confirmation
- - - #32646 — Need for project-level ethical constraint files (CLAUDE.md as guardrails)
- - - - #28321 — Directory-scoped permission allow rules needed
- - - - - #37157 — Skills bypass protected directory prompts
These aren't isolated bugs — they're symptoms of a missing layer: a formal methodology for graduated agent autonomy with structured safety guarantees.
We've been running production autonomous agents on Claude Code since early 2025 (18+ department types, daily operations across LinkedIn, WhatsApp, email, CRM, invoicing, recruiting). Every one of these issues bit us — and we built a systematic solution.
Proposed Solution
We open-sourced SOSA (Supervised Orchestrated Secured Agents) — a four-pillar methodology that directly addresses these gaps:
The Four Pillars
- Supervised — Graduated autonomy based on impact level. Low-impact tasks (read-only, local) run autonomously. Medium-impact (sending messages, modifying data) include confirmation checkpoints. High-impact (financial, bulk outreach) require human approval. A trust gradient means plugins that consistently succeed earn expanded autonomy.
- Orchestrated — Agents coordinate through structured registries and DAG execution, not ad-hoc message passing. Every plugin follows Plan > Act > Verify loops with structured outputs feeding downstream workflows.
- Secured — Security at every layer: scoped credentials (never hardcoded), declared capability sets, prompt injection scanning, pinned MCP package versions, audit trails via daily summary reports, principle of least privilege.
- Agents — Goal-directed entities defined as A = (R, T, M, P): Role spec, Tool manifest, Memory store, Planning policy. Each maps directly to plugin SKILL.md, .mcp.json, persistence layer, and workflow instructions.
How This Maps to Claude Code
| SOSA Pillar | Claude Code Mechanism |
|---|---|
| Supervised | Impact-level declarations in plugin metadata, approval gates |
| Orchestrated | Plugin dependency graph, Plan>Act>Verify execution loop |
| Secured | Scoped credentials, capability sets, injection scanning |
| Agents | SKILL.md (role), .mcp.json (tools), structured stores (memory) |
Live Implementation
- Full spec: SOSA.md
- - Open-source plugin marketplace (30+ production plugins, all SOSA-compliant): github.com/MSApps-Mobile/claude-plugins
- - - OpsAgent — first commercial SOSA implementation, running in production since early 2025
What We're Proposing
We'd love to see Anthropic consider adopting SOSA patterns (or similar) natively in Claude Code:
- Plugin metadata should declare impact levels (low/medium/high)
- - A formal Plan>Act>Verify execution model for agent tasks
- - - Built-in trust gradient that expands autonomy for reliable plugins
- - - - Scoped credential management at the plugin level
- - - - - Standardized audit logging for agent actions
This would address #36690, #32029, #32646, #28321, #37157 and many more at a systemic level rather than patching symptoms individually.
Alternative Solutions
_No response_
Priority
Critical - Blocking my work
Feature Category
CLI commands and flags
Use Case Example
_No response_
Additional Context
_No response_
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗