Contained Autonomy Mode All Tiers

Safely run Claude Code with autonomous capabilities while protecting critical infrastructure

What is Contained Autonomy?

Contained Autonomy Mode lets you run Claude Code autonomously while preventing it from modifying its own enforcement infrastructure. This solves a fundamental challenge: how do you let an agent work autonomously without risking it modifying the rules that govern its behavior?

The Problem It Solves

When running Claude Code in autonomous mode, there's a risk the AI might:

  • Modify skill definitions to bypass workflow requirements
  • Edit CLAUDE.md to remove constraints
  • Change security enforcement code
  • Access credentials or secrets

How It Works

  1. Git checkpoint created - Automatic rollback point before entering containment
  2. Filesystem access enforced - Three-tier protection based on configuration
  3. Network restricted - Only allowed domains can be accessed
  4. Claude works autonomously - Full capability within the allowed scope
  5. Safe exit - Can rollback if anything goes wrong

Quick Start

bash
# Start Claude Code in contained autonomy mode
bpsai-pair contained-auto

# Check containment status
bpsai-pair containment status

# Rollback to last checkpoint
bpsai-pair containment rollback

Configuration

yaml
containment:
  enabled: true
  mode: strict                    # strict | permissive
  auto_checkpoint: true           # Create checkpoint on entry

  # Tier 1: Blocked (no read, no write)
  blocked_files:
    - .env
    - .env.local
    - credentials.json
    - secrets.yaml

  # Tier 2: Read-only (can read, cannot write)
  readonly_directories:
    - .claude/agents
    - .claude/skills
  readonly_files:
    - CLAUDE.md
    - .paircoder/config.yaml

  # Network domains allowed
  allow_network:
    - api.anthropic.com
    - api.trello.com
    - github.com
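
The tiers in this configuration amount to classifying each project-relative path before a read or write. The following is an added example, not the bpsai-pair implementation: it evaluates the sample values above after collapsing ".." segments. Assumptions: blocked file names match by basename anywhere in the tree, unlisted paths are read-write, and the function names are hypothetical.

```python
import posixpath
from typing import Optional

# Values copied from the example configuration on this page.
BLOCKED_FILES = {".env", ".env.local", "credentials.json", "secrets.yaml"}
READONLY_DIRS = [".claude/agents", ".claude/skills"]
READONLY_FILES = {"CLAUDE.md", ".paircoder/config.yaml"}


def normalize(path: str) -> Optional[str]:
    """Collapse '.', '..' and repeated slashes; None if the path leaves the project root."""
    if path.startswith("/"):
        return None
    norm = posixpath.normpath(path)
    if norm == ".." or norm.startswith("../"):
        return None
    return norm


def classify(path: str) -> str:
    """Return 'blocked', 'readonly' or 'readwrite' for a project-relative path."""
    norm = normalize(path)
    if norm is None:
        return "blocked"  # fail closed on anything outside the project
    # Assumption: a blocked name is blocked in every directory, not only the root.
    if posixpath.basename(norm) in BLOCKED_FILES:
        return "blocked"
    if norm in READONLY_FILES:
        return "readonly"
    # Compare on a directory boundary so '.claude/skills-extra' is not
    # mistaken for a child of '.claude/skills'.
    if any(norm == d or norm.startswith(d + "/") for d in READONLY_DIRS):
        return "readonly"
    return "readwrite"


def allowed(path: str, op: str) -> bool:
    """op is 'read' or 'write'."""
    tier = classify(path)
    if tier == "blocked":
        return False
    if tier == "readonly":
        return op == "read"
    return True

# A string check like this cannot see symlinks or hard links; the page's
# strict mode relies on OS-level read-only mounts instead.
```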

Checkpoints and Rollback

Containment mode automatically creates git checkpoints for safe rollback.

bash
# List checkpoints
bpsai-pair containment checkpoints

# Rollback to most recent
bpsai-pair containment rollback

# Rollback to specific checkpoint
bpsai-pair containment rollback --checkpoint containment-20260113-140000

# Preview what would be reverted
bpsai-pair containment rollback --preview

When to Use Contained Mode

Use contained mode when:
  • Running Claude Code autonomously for extended periods
  • Executing implementation tasks without constant supervision
  • Working on tasks that don't require modifying enforcement code

Don't use contained mode when:
  • You need to modify skills, agents, or commands
  • Updating CLAUDE.md or AGENTS.md
  • Working on security or core infrastructure

Docker Requirement

Strict containment requires Docker

Strict mode (requires Docker) = OS-level read-only mounts that Claude cannot bypass

Advisory mode (no Docker) = Python-level warnings only, no actual enforcement

Without Docker, containment falls back to advisory mode, which logs warnings but cannot prevent writes.