Autonomy posture

YOLO by design

The default control loop is not "ask the human." It's "make the move, log the mutation, keep going."

The product posture

Swink AgentShore is expected to create, edit, label, decompose, and close GitHub issues during normal operation. Human approval is not the default control loop.

Why autonomy by default

A learned manager that asks permission for every move can't learn. The reward signal becomes noisy, the trajectory becomes a series of human-in-the-loop interventions, and the policy ends up modeling the human's patience more than the project's state.

So Swink AgentShore intentionally has a riskier autonomous posture than a chat-style assistant. The implementation favors moving work forward and creating traceable GitHub artifacts over pausing for approval. The control surface is the audit log, not the confirmation dialog.

What the agent does without asking

Allowed by default

Create issues
Edit issue body, title, labels
Decompose epics into stories and tasks
Close issues
Open PRs
Push branches
Merge approved PRs that pass CI
Spawn and end agents within budget

Gated, never silent

Reviewing your own PR
Merging without an approval
Merging with failing CI
Spending past the budget cap
Running plays without replay metadata
Writing to GitHub without an audit record

The hard-gate catalog

Hard gates are narrow on purpose. They cover correctness invariants and operations where proceeding would corrupt session state. Everything else is the policy's call.

Anti-confirmation bias Code Review reviewer must not be the PR author. Cannot be overridden, even by a human.

Merge readiness Merge PR requires an approved PR and passing CI before the play is dispatchable.

Budget exhaustion Once the configured budget cap is hit, every play except End Session and approved budget-adjustment paths is masked.

Replay metadata Every PPO experience row must persist observation, action mask, log-prob, value estimate, policy version, and config hash. Trajectories missing fields cannot train.

Mutation auditability Every external GitHub write goes through a single adapter that attaches an idempotency key and writes an audit record. No external mutation outside this path.

Spawn limits Live agent count is capped per (agent type, model tier) via agent_spawn.max_per_config. No spawning if an idle agent of the same type/tier already exists.

Scope, currently soft

Scope validation enforces issue-inflation limits today. The policy is penalized (and in some cases masked) when issue count grows faster than work closes. Artifact drift detection is evidence-only in v1: Swink AgentShore records when a PR touches files outside the issue's apparent scope, but doesn't block on it until beads-native path boundaries are reliable enough to gate on.

Soft today, hard later. The interesting choice is admitting which is which.

The deeper rule

Hard gates are architectural invariants, not prompt instructions. They live in the executor and the mask catalog, not in the system prompt. The reasoning is the same as cross-framework review: irreversible mistakes are exactly the ones you cannot afford to learn from negative reward, and prompt-level safety drifts under any sufficient amount of pressure.

The right autonomy posture isn't "lock everything down." It's "lock down the things that, if they go wrong once, ruin everything. And let the agent do everything else."