Configuring agent autonomy

Goose's defaults — autonomous mode, no extension allowlist, disabled injection detection, 1000-turn ceiling — each removes a guardrail that would contain the others, and despite the v1.26.2 permissions fail-open fix the other four compounding defaults remain.

Four CVEs and five supply-chain vectors share one pattern: project-scoped settings execute with user privileges before or without trust verification.

Five categories of hook failures — silent non-firing, ignored decisions, platform breakage, data corruption, and architectural constraints — mean defense-in-depth across multiple events is required.

DeepEval hijacked the global OTel TracerProvider on import through v3.7.7-era, silently exfiltrating trace data to New Relic cloud regardless of configured backend — removed in v3.9.x, but Langfuse non-generation span data loss in LangGraph supervisor orchestration remains current.

Error suppression that a human would notice and investigate leaves an agent with exit code 0 and no signal to stop — the Tools Fail paper measured a 76-point accuracy drop under silent failures.