| name | cc-autonomy-mode |
| description | Configure Claude Code's autonomous operating mode — profile selection (conservative, balanced, aggressive, unattended-review), permission blocks, and the three gate agents (planner, verifier, reviewer). Use this skill whenever enabling autonomous mode, switching profiles, tightening permissions for production branches, or setting up unattended execution. Triggers on: "autonomy", "unattended mode", "auto-approve", "permission mode", "autonomy profile", "gates", "/cc-autonomy", "planner verifier reviewer", "let claude run on its own". |
Autonomy
Autonomous mode lets Claude Code execute tasks end-to-end with minimal human-in-the-loop. Safety comes from two things:
- Profile-scoped permissions — the allow/deny/ask lists match the profile's risk tolerance.
- Gate agents — planner writes an explicit plan before code, verifier runs checks after implementation, reviewer blocks merge on 10 criteria.
Four profiles
Fetch full profile via cc_kb_autonomy_profile(profile). Summary:
| Profile | Risk | Permissions shape | Gates |
|---|
conservative | Minimal | Read-only default; ask on any write | planner + verifier + reviewer (all enabled, 10 block criteria) |
balanced | Default | Free writes in project; ask on network/publish/push | planner + verifier; reviewer optional |
aggressive | High trust | Most tools allowed; deny only destructive | planner only |
unattended-review | Hybrid | Same as aggressive at runtime; reviewer gates commit/push | planner + reviewer |
Three gate agents
All three are installed as regular agents — autonomous mode just wires them into the flow.
1. autonomy-planner (Opus)
When: runs first, before any implementation.
Writes: .claude/active-task.md — explicit plan with:
- Constraints and invariants
- Phase breakdown with exit criteria per phase
- Risk assessment and rollback plan
- Verification checks the verifier will run
Hard rule: no code touches disk until .claude/active-task.md exists.
2. autonomy-verifier (Sonnet)
When: runs after each implementation phase.
Reads: .claude/active-task.md verification block.
Runs: 5 built-in checks (configurable via profile):
tsc --noEmit (TypeScript projects)
eslint (JS/TS projects)
pytest / jest / project test runner
git diff --stat sanity check
- Secret scanner (
trufflehog, gitleaks)
Output: { pass: boolean, failures: [...] }. If pass: false, halt and surface to caller.
3. autonomy-reviewer (Opus)
When: runs before commit/push in conservative and unattended-review profiles.
Checks 10 block criteria:
- Any hardcoded secret
- Any
.env or credential file added
- SQL injection vector (string-concat queries)
- XSS / unescaped output in web code
- Deleted test without replacement
- Commented-out code larger than 20 lines
- Dependency added with no justification in commit message
- Breaking API change without
BREAKING CHANGE: footer
TODO or FIXME on a security-relevant line
console.log / print of sensitive variables
Output: { approve: boolean, blocks: [...] }. Any block = stop.
Session init command
Each profile provides a session_init_command. Example for balanced:
claude --permission-mode acceptEdits --dangerously-skip-permissions=false
For unattended-review:
claude --permission-mode acceptEdits --enable-reviewer-gate
Permission block generation
/cc-autonomy enable <profile> generates a settings.json block:
{
"permissions": {
"allow": [ ],
"deny": [ ],
"ask": [ ]
}
}
Merges into existing settings.json without overwriting unrelated sections.
Memory rules
Each profile includes memory discipline. Conservative requires saving every decision (including rejected options). Balanced is lighter. Aggressive is the standard engram protocol.
MCP delegation
| Need | Tool |
|---|
| Fetch profile details | cc_kb_autonomy_profile(profile) |
| Plan for an unattended task | cc_docs_autonomy_plan(task, repo_signals) |
| Model for gate agents | cc_docs_model_recommend(task, budget) |
Anti-patterns
- Running aggressive profile on an unfamiliar codebase → first session should always be conservative.
- Disabling the verifier to "move faster" → regressions ship silently.
- Letting planner skip the risk section → rollback becomes guesswork.
- Custom profile without any gates → not autonomous, just unsupervised.