Open Source

Give your agents least privilege so they can move fast without breaking your things

Built for people who want to --safely-skip-permissions

One CLI, shared policies, isolated agents

[Diagram] loa CLI: agent · policy · audit · init · doctor
LOA Kit: agents · policies · audit · secrets · folders

Agent: coder (Claude Code) · Agent: researcher (Codex) · Agent: ops (OpenClaw)

Each agent is shown as three containers on an internal network with no direct egress:
Agent runtime container: Claude Code, Codex, or OpenClaw
Envoy Proxy container: all traffic routed here
Authz container: Cedar policies for network, mounts, and application access

What LOA governs

Network

Only required network access. Every outbound connection is observed and controlled.

Filesystem

Only required folders. Mount access is explicit, remembered, and auditable.

Secrets

Only required secrets. No blanket environment variable passthrough.

Workers

Agents can spawn secure workers via API. Each worker inherits at most the agent's policy.

Application

The agent provides built-in application security. LOA enforces the boundaries around it.

Isolation

Each loa agent run creates three containers: agent, proxy, and authz. No direct external routes.

Ask your AI to install LOA

Tell Claude or Codex to install LOA from github.com/tallhamn/landofagents, then run:

loa init
loa agent create demo --runtime claude-code --volume ~/project:/workspace
loa agent run demo
# In another terminal
loa policy decide demo
loa policy list
loa audit demo

Built on GAP — Governed Agent Protocol

GAP is an implementation-neutral protocol for governed agent execution. LOA is one implementation. The protocol is open — build your own.

Control

Worker lifecycle. Spawn requests are signed by the authority and verified before execution. Replay and idempotency built in.

Policy

Permission state and activation. Bundles are hashed, activated append-only, and deny always takes precedence over allow.

Trail

Append-only audit events with hash chains. Every decision is correlated, every record is tamper-evident.
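
A minimal sketch of the hash-chained, tamper-evident trail described above, added here as an illustration; it is not LOA or GAP code. The record fields, the genesis value and the use of SHA-256 over canonical JSON are assumptions, not the GAP wire format.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor for the first record


def record_hash(prev_hash, event):
    """SHA-256 over the previous hash plus a canonical JSON encoding of the event."""
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append(trail, event):
    """Append an event, chaining it to the hash of the last record."""
    prev = trail[-1]["hash"] if trail else GENESIS
    trail.append({"prev": prev, "event": event, "hash": record_hash(prev, event)})


def verify(trail, expected_head=None):
    """Return the index of the first broken record, or None if the chain is intact.

    expected_head is the latest hash as kept somewhere the trail's writer cannot
    modify. Without it, a truncated or fully recomputed trail still verifies; with
    it, such a trail is reported at index len(trail).
    """
    prev = GENESIS
    for i, rec in enumerate(trail):
        if rec["prev"] != prev or rec["hash"] != record_hash(prev, rec["event"]):
            return i
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        return len(trail)
    return None


def sample_trail():
    """Constructed sample decisions; all field names and values are hypothetical."""
    trail = []
    for target, decision in [("api.example.com:443", "allow"),
                             ("203.0.113.7:22", "deny"),
                             ("/workspace", "allow")]:
        append(trail, {"agent": "demo", "target": target, "decision": decision})
    return trail


if __name__ == "__main__":
    trail = sample_trail()
    trail[1]["event"]["decision"] = "allow"  # edit a recorded deny after the fact
    print("first broken record:", verify(trail))
```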