[FEATURE] SOSA: A production-tested methodology for supervised autonomous agents (open-source, shipping since 2025)

Resolved 💬 3 comments Opened Mar 29, 2026 by msmobileapps Closed Apr 1, 2026

Preflight Checklist

  • [x] I have searched existing requests and this feature hasn't been requested yet
  • [x] This is a single feature request (not multiple features)

Problem Statement

As Claude Code plugins and agents become more autonomous, the community is hitting real safety walls — and several open issues here prove it:

  • #36690 — Background tasks self-approve actions without user consent
  • - #32029 — Auto-compact causes Claude to self-approve and execute without confirmation
  • - - #32646 — Need for project-level ethical constraint files (CLAUDE.md as guardrails)
  • - - - #28321 — Directory-scoped permission allow rules needed
  • - - - - #37157 — Skills bypass protected directory prompts

These aren't isolated bugs — they're symptoms of a missing layer: a formal methodology for graduated agent autonomy with structured safety guarantees.

We've been running production autonomous agents on Claude Code since early 2025 (18+ department types, daily operations across LinkedIn, WhatsApp, email, CRM, invoicing, recruiting). Every one of these issues bit us — and we built a systematic solution.

Proposed Solution

We open-sourced SOSA (Supervised Orchestrated Secured Agents) — a four-pillar methodology that directly addresses these gaps:

The Four Pillars

  1. Supervised — Graduated autonomy based on impact level. Low-impact tasks (read-only, local) run autonomously. Medium-impact (sending messages, modifying data) include confirmation checkpoints. High-impact (financial, bulk outreach) require human approval. A trust gradient means plugins that consistently succeed earn expanded autonomy.
  2. Orchestrated — Agents coordinate through structured registries and DAG execution, not ad-hoc message passing. Every plugin follows Plan > Act > Verify loops with structured outputs feeding downstream workflows.
  3. Secured — Security at every layer: scoped credentials (never hardcoded), declared capability sets, prompt injection scanning, pinned MCP package versions, audit trails via daily summary reports, principle of least privilege.
  4. Agents — Goal-directed entities defined as A = (R, T, M, P): Role spec, Tool manifest, Memory store, Planning policy. Each maps directly to plugin SKILL.md, .mcp.json, persistence layer, and workflow instructions.

How This Maps to Claude Code

| SOSA Pillar | Claude Code Mechanism |
|---|---|
| Supervised | Impact-level declarations in plugin metadata, approval gates |
| Orchestrated | Plugin dependency graph, Plan>Act>Verify execution loop |
| Secured | Scoped credentials, capability sets, injection scanning |
| Agents | SKILL.md (role), .mcp.json (tools), structured stores (memory) |

Live Implementation

  • Full spec: SOSA.md
  • - Open-source plugin marketplace (30+ production plugins, all SOSA-compliant): github.com/MSApps-Mobile/claude-plugins
  • - - OpsAgent — first commercial SOSA implementation, running in production since early 2025

What We're Proposing

We'd love to see Anthropic consider adopting SOSA patterns (or similar) natively in Claude Code:

  • Plugin metadata should declare impact levels (low/medium/high)
  • - A formal Plan>Act>Verify execution model for agent tasks
  • - - Built-in trust gradient that expands autonomy for reliable plugins
  • - - - Scoped credential management at the plugin level
  • - - - - Standardized audit logging for agent actions

This would address #36690, #32029, #32646, #28321, #37157 and many more at a systemic level rather than patching symptoms individually.

Alternative Solutions

_No response_

Priority

Critical - Blocking my work

Feature Category

CLI commands and flags

Use Case Example

_No response_

Additional Context

_No response_

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗