markus41/plugins/claude-code-expert/skills/autonomy

Autonomy

Autonomous mode lets Claude Code execute tasks end-to-end with minimal human-in-the-loop. Safety comes from two things:

1. Profile-scoped permissions — the allow/deny/ask lists match the profile's risk tolerance.
2. Gate agents — planner writes an explicit plan before code, verifier runs checks after implementation, reviewer blocks merge on 10 criteria.

Four profiles

Fetch full profile via cc_kb_autonomy_profile(profile). Summary:

| Profile | Risk | Permissions shape | Gates | |---|---|---|---| | conservative | Minimal | Read-only default; ask on any write | planner + verifier + reviewer (all enabled, 10 block criteria) | | balanced | Default | Free writes in project; ask on network/publish/push | planner + verifier; reviewer optional | | aggressive | High trust | Most tools allowed; deny only destructive | planner only | | unattended-review | Hybrid | Same as aggressive at runtime; reviewer gates commit/push | planner + reviewer |

Three gate agents

All three are installed as regular agents — autonomous mode just wires them into the flow.

1. autonomy-planner (Opus)

When: runs first, before any implementation. Writes: .claude/active-task.md — explicit plan with:

• Constraints and invariants
• Phase breakdown with exit criteria per phase
• Risk assessment and rollback plan
• Verification checks the verifier will run

Hard rule: no code touches disk until .claude/active-task.md exists.

2. autonomy-verifier (Sonnet)

When: runs after each implementation phase. Reads: .claude/active-task.md verification block. Runs: 5 built-in checks (configurable via profile):

• tsc --noEmit (TypeScript projects)
• eslint (JS/TS projects)
• pytest / jest / project test runner
• git diff --stat sanity check
• Secret scanner (trufflehog, gitleaks)

Output: { pass: boolean, failures: [...] }. If pass: false, halt and surface to caller.

3. autonomy-reviewer (Opus)

When: runs before commit/push in conservative and unattended-review profiles. Checks 10 block criteria:

1. Any hardcoded secret
2. Any .env or credential file added
3. SQL injection vector (string-concat queries)
4. XSS / unescaped output in web code
5. Deleted test without replacement
6. Commented-out code larger than 20 lines
7. Dependency added with no justification in commit message
8. Breaking API change without BREAKING CHANGE: footer
9. TODO or FIXME on a security-relevant line
10. console.log / print of sensitive variables

Output: { approve: boolean, blocks: [...] }. Any block = stop.

Session init command

Each profile provides a session_init_command. Example for balanced:

claude --permission-mode acceptEdits --dangerously-skip-permissions=false

For unattended-review:

claude --permission-mode acceptEdits --enable-reviewer-gate

Permission block generation

/cc-autonomy enable <profile> generates a settings.json block:

{
  "permissions": {
    "allow": [ /* from profile */ ],
    "deny":  [ /* from profile */ ],
    "ask":   [ /* from profile */ ]
  }
}

Merges into existing settings.json without overwriting unrelated sections.

Memory rules

Each profile includes memory discipline. Conservative requires saving every decision (including rejected options). Balanced is lighter. Aggressive is the standard engram protocol.

MCP delegation

| Need | Tool | |---|---| | Fetch profile details | cc_kb_autonomy_profile(profile) | | Plan for an unattended task | cc_docs_autonomy_plan(task, repo_signals) | | Model for gate agents | cc_docs_model_recommend(task, budget) |

Anti-patterns

• Running aggressive profile on an unfamiliar codebase → first session should always be conservative.
• Disabling the verifier to "move faster" → regressions ship silently.
• Letting planner skip the risk section → rollback becomes guesswork.
• Custom profile without any gates → not autonomous, just unsupervised.