autonomy ros2

Execute governed ROS2 commands under AutonomyOps policy

Synopsis

Execute ROS2 commands under AutonomyOps policy governance.

All subcommands dispatch through the dual-path executor:

  Container path (default when Docker is available):
    ROS2 runs inside an OCI container with full policy interception and
    container isolation.  Requires --image to be set to a ROS2-capable image.

  Native path (fallback when Docker is absent):
    ROS2 runs as a native subprocess with no container isolation and no active
    interception layer — REDUCED-GOVERNANCE. This path is FAIL-CLOSED by
    default: it is refused unless you explicitly pass
    --allow-reduced-governance (the acceptance is logged and audited). The
    container path is the only fully-governed path; use it for production.

  Neither available:
    Returns an error if Docker is absent and ros2 is not in PATH.

Subcommands

• autonomy ros2 keystore — Manage SROS 2 keystores for the governed bridge (#938 Phase 3-A)

• autonomy ros2 run — Run a ros2 subcommand under policy governance (dual-path)