[FEATURE] SOSA Governance for Cowork — Treat each task as a governed agent with supervision, token budgeting, and security
Preflight Checklist
- [x] I have searched existing requests and this feature hasn't been requested yet
- [x] This is a single feature request (not multiple features)
Problem Statement
Cowork sessions are effectively autonomous agents — each one consumes tokens, accesses external services (WhatsApp, Notion, Monday, Gmail, LinkedIn, X), and makes decisions independently. At scale (200+ sessions, 54 scheduled tasks), there is no centralized governance layer.
Today in Cowork:
- No supervision hierarchy — a task sending WhatsApp messages gets the same oversight as one reading a file
- No token budgeting — no way to set daily/weekly/monthly token ceilings, per-session budgets, or track cost-per-outcome
- No cross-session governance —
list_sessions+read_transcriptexist but there's no governor pattern to use them for oversight - No pre-execution hooks — a session can't intercept another session's high-impact action before it executes
We developed SOSA™ (Supervised, Orchestrated, Secured, Agents) — a four-pillar methodology for production-grade autonomous AI operations — and are proposing first-class support for agent governance in Cowork.
Proposed Solution
SOSA Control Plane for Cowork
1. Supervised — Graduated Oversight
- Each MCP tool gets an impact level (low/medium/high)
- Low-impact actions (read Notion, search Gmail) run autonomously
- High-impact actions (send WhatsApp, send email, post to X) require approval gates
- Trust gradient: after N successful approvals of the same action type, auto-approve (earned autonomy)
2. Orchestrated — Token Budgeting & Active Optimization
- Cascading token budgets: monthly → weekly → daily → per-session, with overage policies per agent category
- Governor actively optimizes: rewrites bloated skill descriptions, consolidates overlapping scheduled tasks, kills stuck sessions, compresses context windows
- Prioritization engine: ranks tasks by
urgency × business_impact × efficiency_score; when budget runs low, low-priority tasks get throttled first - Plan → Act → Verify → Optimize loop: every task's token consumption feeds back into budget rebalancing
3. Secured — Zero-Trust Boundaries
- Scan skills for hardcoded secrets
- Prompt injection scanning on external data ingestion (WhatsApp, emails, web scrapes)
- MCP connector version pinning and credential scope auditing
4. Agents — Formal Agent Model
Every Cowork task modeled as A = (Role, Tools, Memory, Planning) with declared boundaries, success criteria, escalation triggers, and token budgets.
What We Need from the Platform
Must-have:
- Pre-execution hooks — ability for a governor session to intercept tool calls from other sessions based on impact classification
- Token usage metadata — expose actual token counts per session (currently must estimate from transcript length)
- Session budget API — ability to set and enforce token ceilings per session
Nice-to-have:
- Session tagging — label sessions with metadata (agent category, compliance level, priority)
- Cross-session messaging — a governor session that can send instructions to other running sessions
- Scheduled task → session ID mapping — trace which session a scheduled task created
Full architecture spec: SOSA Control Plane Spec
Alternative Solutions
We're currently building a SOSA Governor as a Cowork skill + scheduled task that uses list_sessions and read_transcript to observe sessions after the fact. This works for auditing but cannot prevent high-impact actions — only detect them post-execution.
Other multi-agent frameworks (CrewAI, AutoGen, LangGraph) have built-in supervision and orchestration layers, but they don't integrate with the Cowork/Claude Code ecosystem. We need governance primitives native to the platform.
Priority
High - Significant impact on productivity
Feature Category
MCP server integration
Use Case Example
Real production scenario at MSApps (200+ Cowork sessions):
- I have 54 scheduled tasks running daily — invoicing, WhatsApp bot (Gali), lead management, health checks, social media outreach, employee monitoring
- The WhatsApp bot sends messages to real clients. A prompt injection in an incoming message could cause it to send something inappropriate — but there's no way to intercept that before it happens
- Low-priority health check tasks burn tokens even when the monthly budget is getting tight, because there's no way to set token ceilings or throttle by priority
- With SOSA governance, the Governor would: (a) classify the WhatsApp send as high-impact and require approval, (b) enforce a daily token budget per agent category, (c) throttle monitoring tasks when revenue tasks need the tokens, (d) scan incoming WhatsApp messages for injection attempts before the bot processes them
- This would save tokens, prevent costly mistakes, and give me confidence to let agents operate autonomously at scale
Additional Context
- Full SOSA methodology spec: https://github.com/MSApps-Mobile/claude-plugins/blob/main/docs/SOSA.md
- This comes from real production usage at MSApps running 200+ Cowork sessions across business functions (sales, communication, development, monitoring)
- We're building the Governor as a skill/scheduled task workaround, but the platform needs native primitives (especially pre-execution hooks and token metadata) to make governance truly effective
- Happy to collaborate on the design — we've already written a detailed architecture spec mapping all four SOSA pillars to Cowork's session model
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗