Open Source

Give your agents least privilege so they can move fast without breaking your things

Built for people who want to --safely-skip-permissions


One CLI, shared policies, isolated agents

[Architecture diagram]
loa: run, watch, policy, secret, audit
LOA Kit: agents, policies, audit, secrets, folders

Agent: coder
  Claude Code container: agent runtime
  Envoy Proxy container: all traffic routed here
  Authz container: Cedar policies for network, mounts, and application access
  Internal network, no direct egress

Agent: researcher
  Codex container: agent runtime
  Envoy Proxy container: all traffic routed here
  Authz container: Cedar policies for network, mounts, and application access
  Internal network, no direct egress

Agent: ops
  OpenClaw container: agent runtime
  Envoy Proxy container: all traffic routed here
  Authz container: Cedar policies for network, mounts, and application access
  Internal network, no direct egress

What LOA governs

🌐

Network

Only required network access. Every outbound connection is observed and controlled.

📁

Filesystem

Only required folders. Mount access is explicit, remembered, and auditable.

🔒

Secrets

Only required secrets. No blanket environment variable passthrough.

👷

Workers

Agents can spawn secure workers via API. Each worker inherits at most the agent's policy.

🤝

Application

The agent provides built-in application security. LOA enforces the boundaries around it.

📦

Isolation

Each loa run creates three containers: agent, proxy, and authz. No direct external routes.

Ask your AI to install LOA

# Ask Claude or Codex to install LOA
"Install LOA from github.com/tallhamn/landofagents"

# Create an agent
loa agent create my-agent --runtime claude-code --volume ~/project

# Start an agent, safely governed
loa run my-agent
# Watch your land of agents and approve in real time
loa watch

# See what servers and folders the agent can reach
loa policy effective --agent my-agent

# See what secrets the agent can access
loa secret list

# Review the full audit trail
loa audit summary --agent my-agent

Built on GAP — Governed Agent Protocol

GAP is an implementation-neutral protocol for governed agent execution. LOA is one implementation. The protocol is open — build your own.

Control

Worker lifecycle. Spawn requests are signed by the authority and verified before execution. Replay and idempotency built in.

📜

Policy

Permission state and activation. Bundles are hashed, activated append-only, and deny always takes precedence over allow.

🔗

Trail

Append-only audit events with hash chains. Every decision is correlated, every record is tamper-evident.
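
The Trail property above, sketched as an added example (not GAP's or LOA's own code or record format): each record stores the hash of the previous one, so editing, removing or reordering a record breaks verification. The field names, the choice of SHA-256, the all-zero genesis value and the sample events are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed chain anchor for the first record


def record_hash(prev_hash, event):
    # Canonical JSON so the same event always hashes to the same bytes.
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append(trail, event):
    """Append an event, linking it to the hash of the previous record."""
    prev_hash = trail[-1]["hash"] if trail else GENESIS
    record = {"seq": len(trail), "prev": prev_hash, "event": event,
              "hash": record_hash(prev_hash, event)}
    trail.append(record)
    return record


def verify(trail, expected_head=None):
    """Return (ok, index_of_first_bad_record_or_None)."""
    prev_hash = GENESIS
    for i, rec in enumerate(trail):
        if (rec["seq"] != i or rec["prev"] != prev_hash
                or rec["hash"] != record_hash(prev_hash, rec["event"])):
            return False, i
        prev_hash = rec["hash"]
    # Truncating the tail leaves a valid chain, so compare against a head
    # hash that was stored somewhere the writer cannot modify.
    if expected_head is not None and prev_hash != expected_head:
        return False, len(trail)
    return True, None


def build_sample():
    # Constructed sample events; hosts, paths and fields are illustrative.
    trail = []
    append(trail, {"agent": "coder", "action": "connect",
                   "target": "api.example.com:443", "decision": "permit"})
    append(trail, {"agent": "coder", "action": "mount",
                   "target": "/home/user/project", "decision": "permit"})
    append(trail, {"agent": "coder", "action": "connect",
                   "target": "files.example.net:443", "decision": "deny"})
    return trail
```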