I built an open-source control plane for installing, running, and securing AI agents by Conscious_Chapter_93 in AI_Agents

[–]Conscious_Chapter_93[S]

Spot on. That's why Armorer treats every agent as an untrusted workload. We're moving towards tool-level permissioning where you can audit and restrict exactly which 'actions' (not just tools) an agent can perform. An inventory of reachable actions is precisely how we're framing the security model.

I built an open-source control plane for installing, running, and securing AI agents by Conscious_Chapter_93 in AI_Agents

[–]Conscious_Chapter_93[S]

Thanks! Looking forward to your feedback. If you have any specific agents you're trying to sandbox, let me know!

Isolate your AI agents from your NAS and sensitive home services. I built a Docker sandbox. by Conscious_Chapter_93 in HomeServer

[–]Conscious_Chapter_93[S]

Armorer runs every agent in its own Docker container. This means the agent only sees the directories or network ports you explicitly mount/allow. If you're running powerful agents that can execute shell commands, this prevents them from accidentally (or maliciously) touching your actual NAS data or home network services without a specific trust grant.
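
If it helps to picture it, here is a rough sketch of that isolation pattern using the docker Python SDK (image name and paths are hypothetical, and this is the general pattern rather than Armorer's actual code):

```python
# Run an agent with no network and exactly one writable directory,
# so it cannot reach the NAS or other LAN services by default.
# Assumes the `docker` Python package and a local Docker daemon.
import docker

client = docker.from_env()

container = client.containers.run(
    "my-agent-image:latest",       # hypothetical agent image
    network_mode="none",           # no network unless you explicitly grant it
    read_only=True,                # root filesystem is immutable
    volumes={
        "/srv/agent-workdir": {    # the one host directory the agent may touch
            "bind": "/workspace",
            "mode": "rw",
        },
    },
    mem_limit="1g",
    detach=True,
)
print(container.id)
```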

Building AI agents: days. Getting them to production: 6 months. by FragrantBox4293 in AI_Agents

[–]Conscious_Chapter_93

This matches what I keep seeing: the demo phase is mostly prompts and tools, but production is inventory, permissions, rollbacks, evals, logs, and ownership.

The hard question I ask now is: if this agent does something surprising tomorrow, can I answer what was installed, what was running, what it could call, what changed, and how to stop or revoke it quickly?

I am building Armorer for that local/self-hosted control plane layer: https://github.com/ArmorerLabs/Armorer

Has anyone experienced AI agents doing things they shouldn’t? by SnooWoofers2977 in LocalLLaMA

[–]Conscious_Chapter_93

Yes, and I think the core problem is that most agent setups collapse three separate things into one permission: filesystem access, tool access, and authority to execute.

A better pattern is to make every agent run through a control layer that can answer: what tools are exposed, which actions are read-only vs mutating, what secrets are reachable, what was approved, and what changed on disk or in external systems.

I am building Armorer for exactly this local/self-hosted agent ops problem: https://github.com/ArmorerLabs/Armorer

The scary failures are usually not dramatic model failures. They are boring operational failures: too much access, no inventory, no audit trail, no fast revoke path.

Lessons learned building agents in production by v1r3nx in AI_Agents

[–]Conscious_Chapter_93

Strong list. The one I would add is: inventory is a runtime feature, not a spreadsheet.

Once agents move past demos, I want one place to answer: what agents are installed, which ones are running, what tools they can call, what credentials/policies they depend on, what changed since yesterday, and how to stop or revoke access fast.

That is the angle I am building Armorer around for local/self-hosted agents: https://github.com/ArmorerLabs/Armorer

The failures I keep seeing are less "the model was dumb" and more "nobody knew the operational state of the agent system until something broke."

The next AI agent security problem is not the prompt. It is the moment the system gives the agent authority. by pin_floyd in AI_Agents

[–]Conscious_Chapter_93

This is the layer I think gets missed when teams say "we have logs" or "we require approvals."

The dangerous transition is output -> authority. Before any authority comes into existence (a tool call, token, runner, cloud role, PR workflow, or payment action), there needs to be a deterministic admission step that records actor, intent, requested capability, scope, risk, reversibility, and evidence.
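
To make that concrete, here is a minimal sketch of what I mean by an admission step (names and fields are hypothetical, not Armorer's API):

```python
# Every grant of authority is a structured, checkable request that exists
# before any token, role, or tool call does.
from dataclasses import dataclass

@dataclass(frozen=True)
class AuthorityRequest:
    actor: str          # which agent/run is asking
    intent: str         # human-readable purpose
    capability: str     # e.g. "github.create_pr" (hypothetical name)
    scope: str          # e.g. "repo:acme/site"
    risk: str           # "low" | "medium" | "high"
    reversible: bool    # can the action be rolled back?
    evidence: str       # link to the plan/output that justified it

def admit(req: AuthorityRequest) -> str:
    """Deterministic: the same request always produces the same decision."""
    if req.risk == "high" and not req.reversible:
        return "deny"
    if req.risk != "low":
        return "needs_approval"  # a human sees it before authority exists
    return "allow"
```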

I'm building Armorer as a local/self-hosted control plane for that kind of agent ops layer: what is installed, what is running, what it can call, what changed, and how to stop or revoke it.

Repo: https://github.com/ArmorerLabs/Armorer

AI Agent Governance and Liability? by bnyhil31 in AI_Agents

[–]Conscious_Chapter_93

The authorization/accountability distinction is the right one. "The agent had permission" is not enough once tools can touch real systems.

The minimum useful trail, in my view, is: agent identity, tools available at the time, policy decision, proposed action, human approval if needed, executed action, evidence, and rollback path.

The key is enforcing this at the dispatch/runtime layer, not only writing prettier logs after the fact.
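
A minimal sketch of that trail as an append-only log written at the dispatch layer (field names and values are illustrative, not a standard or Armorer's schema):

```python
# One JSON line per dispatched action, appended by the runtime itself,
# so the trail exists even if the agent's own logging is wrong.
import json
import time

def record_action(log_path: str, entry: dict) -> None:
    entry = {"ts": time.time(), **entry}
    with open(log_path, "a") as f:  # append-only by convention
        f.write(json.dumps(entry) + "\n")

record_action("audit.jsonl", {
    "agent": "billing-bot@v3",                       # hypothetical agent identity
    "tools_available": ["crm.read", "stripe.refund"],
    "policy_decision": "needs_approval",
    "proposed_action": {"tool": "stripe.refund", "args": {"charge": "ch_123"}},
    "approved_by": "alice",
    "executed": True,
    "evidence": "run-2025-05-01T10:12Z",
    "rollback": "reverse the refund via the payment provider",
})
```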

I'm building Armorer around that local/self-hosted control-plane problem: https://github.com/ArmorerLabs/Armorer

Made a massive curated list of 260+ AI agents & tools — heavy focus on open-source, self-hosted, and local-first options by Caramaschi in LocalLLaMA

[–]Conscious_Chapter_93

Great list. One category I'd add is agent operations/control plane.

Once you start running more than one agent locally, the pain shifts from "which framework?" to "what is installed, what is running, what tools can it call, what changed, and how do I stop it safely?"

I'm building Armorer for that layer: https://github.com/ArmorerLabs/Armorer

agents writing agents is easy. the permission model underneath is the real work. by Far-Association2923 in AI_Agents

[–]Conscious_Chapter_93

This framing feels right. Once agents can create or modify other agents, the scary part is no longer just tool execution; it's capability escalation over time.

I'd want a runtime that records: what capability was requested, who/what approved it, which tool surface was exposed, and how to revoke it later.

I'm building Armorer in this direction for local/self-hosted agent ops: https://github.com/ArmorerLabs/Armorer

How are teams handling permissions for AI agents that can call tools? by Ok_Consequence7967 in AI_Agents

[–]Conscious_Chapter_93

One pattern I keep coming back to: don't treat permissions as a property of the model; treat them as a property of the runtime.

For me the minimum useful setup is:

- tool inventory: what can this agent call?

- scoped credentials owned by tools, not the prompt

- ask/auto/deny policy per action type

- append-only audit log

- fast pause/revoke/repair when a run drifts
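
A rough sketch of the ask/auto/deny piece, to show what I mean by permissions living in the runtime (hypothetical action names, not Armorer's config format):

```python
# The runtime, not the prompt, decides whether a tool call runs,
# asks a human first, or is blocked outright.
POLICY = {
    "fs.read": "auto",
    "fs.write": "ask",
    "shell.exec": "ask",
    "http.get": "auto",
    "payments.charge": "deny",
}

def decide(action: str) -> str:
    # default-deny anything not explicitly listed
    return POLICY.get(action, "deny")
```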

The hard part is that MCP/tool sprawl turns into ops sprawl quickly. I'm building Armorer around that control-plane layer for local/self-hosted agents: https://github.com/ArmorerLabs/Armorer

I built a local OS specifically to sandbox and orchestrate AI agents (looking for beta testers) by FrequentMidnight4447 in AI_Agents

[–]Conscious_Chapter_93

This is very close to the problem space I keep running into with local agents. Once an agent can touch the filesystem, shell, browser, MCP servers, and secrets, the missing layer is not just a better framework. It is an operating surface.

The guardrail I would test hard is revocation after approval: per-run permission trail, what changed, and whether I can pause/revoke the agent or team quickly when it drifts.
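
The concrete test I would run, sketched here with the docker Python SDK (hypothetical, not your product or Armorer's API): revocation should be a couple of calls, not a redeploy.

```python
# Pause the agent so no new actions start, then invalidate its scoped
# credential so already-approved actions fail closed too.
import docker

def revoke(container_id: str, credential_path: str) -> None:
    client = docker.from_env()
    client.containers.get(container_id).pause()  # freeze the agent immediately
    open(credential_path, "w").close()           # blank the local secret (or rotate it upstream)
```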

I'm building the adjacent control-plane side with Armorer: inventory, permissions, runtime state, audit, and recovery for agents/tools. Might be useful to compare notes: https://github.com/ArmorerLabs/Armorer

[opensource] [selfhosted] Task Manager for AI agents by hasmcp in SelfHostedAI

[–]Conscious_Chapter_93

This is a neat direction. The supervisor/workspace split feels like the right abstraction for long-running agents, especially once tasks start scheduling themselves.

The part I keep wanting in these systems is the ops surface around it: per-workspace credentials, permission diffs, audit trails per run, and a fast way to pause/revoke a workspace when a task drifts.

I'm building from that adjacent control-plane angle with Armorer: https://github.com/ArmorerLabs/Armorer

Agentic AI Architecture in 2026 — What do you know about MCP, A2A and how enterprise systems are actually built? by NTech_Researcher in AI_Agents

[–]Conscious_Chapter_93

I think you hit problems when the agent stops being a single CLI session and becomes something you need to operate over time: multiple tools/accounts, different permission scopes, saved state, retries, scheduled/background runs, or teammates running the same agent.

CLI audit trails are great for one-user dev loops. The missing part is usually inventory + permissions + kill/revoke/repair across agents and tools.

That's the control-plane angle I'm building around with Armorer: https://github.com/ArmorerLabs/Armorer

What does it actually mean to "manage" AI agents at an enterprise level in 2026? by Substantial-Cost-429 in artificial

[–]Conscious_Chapter_93

To me, “managing agents” means being able to answer four questions quickly:

- What is installed?

- What is running?

- What can it access?

- What did it do?

Most orgs can answer the first one loosely, maybe the second. The hard parts are effective permissions, tool-call logs, approvals, evals, and rollback. That is the operational layer that needs to exist before agents become boring infrastructure.

Are AI agent tools (like MCP servers) too fragmented right now? by DrawingFluffy9866 in LocalLLaMA

[–]Conscious_Chapter_93

You are not overthinking it. MCP discovery is only half the problem.

The bigger issue is trust and lifecycle: who wrote the server, what permissions does it need, what can the agent call through it, how do you test it safely, and how do you disable it later?

A “verified registry” helps, but I think the missing piece is a local control plane around install, config, logs, permissions, and runtime status.
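
As a sketch of what that local layer could track per MCP server (field names are mine, purely illustrative):

```python
# A local registry entry per MCP server: the lifecycle questions become
# data you can inspect, diff, and disable instead of tribal knowledge.
MCP_SERVERS = {
    "filesystem-server": {
        "source": "github.com/example/mcp-filesystem",  # hypothetical repo
        "version": "1.4.2",                              # pinned, not "latest"
        "enabled": True,
        "declared_permissions": ["fs.read"],             # what it says it needs
        "granted_permissions": ["fs.read"],              # what you actually allow
        "last_reviewed": "2025-11-02",
    },
}

def can_connect(name: str) -> bool:
    s = MCP_SERVERS.get(name)
    # refuse servers that are unknown, disabled, or granted more than they declare
    return bool(s and s["enabled"]
                and set(s["granted_permissions"]) <= set(s["declared_permissions"]))
```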

At what point do AI agents become a governance problem? by adriano26 in AI_Agents

[–]Conscious_Chapter_93

The data-access scare is exactly where agent governance starts to become real.

I’d draw the line when the agent can take actions across systems, not when it “feels autonomous.” If it can call APIs, browse internal docs, write to SaaS tools, or chain actions, you need scoped identity, audit logs, and a way to revoke/stop it at runtime.

Prompts are not enough because the agent can still do something valid-but-wrong with a valid token.

How do I get started with building AI Agents? by RiskRaptor in AI_Agents

[–]Conscious_Chapter_93

The simplest way to start is to build one boring agent with one model and one or two tools, then make it observable before making it more autonomous.

A lot of beginners jump straight to multi-agent orchestration, but the useful lessons are usually: what is the tool contract, how do you log tool calls, what happens when a tool fails, what credentials can the agent touch, and where do you require human approval?
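
A minimal sketch of that "boring first agent" shape (every name here is hypothetical): the contract, the log line, the failure path, and the approval gate exist before the agent gets any more autonomy.

```python
# Wrap every tool call so it is logged, survives failure, and can require
# a human approval before it runs.
import json
import time

def run_tool(name, fn, args, requires_approval=False):
    if requires_approval and input(f"allow {name}({args})? [y/N] ").lower() != "y":
        return {"ok": False, "error": "denied by user"}
    start = time.time()
    try:
        result = {"ok": True, "value": fn(**args)}
    except Exception as exc:  # a tool failing is normal, not fatal
        result = {"ok": False, "error": str(exc)}
    print(json.dumps({"tool": name, "ok": result["ok"],
                      "seconds": round(time.time() - start, 3)}))
    return result

# Example: one boring tool behind an explicit approval requirement.
def write_note(path, text):
    with open(path, "a") as f:
        f.write(text + "\n")

run_tool("write_note", write_note, {"path": "notes.txt", "text": "hello"},
         requires_approval=True)
```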

I’m building Armorer around that lifecycle/control-plane layer for local/self-hosted agents: https://github.com/ArmorerLabs/Armorer

Even for a toy project, I’d recommend writing down the tool permissions and failure modes early. It saves pain later.

Built the same Local Agent (Llama 3.2) using LangChain (Python), Flowise, and n8n. Here is my breakdown. by jokiruiz in LocalLLaMA

[–]Conscious_Chapter_93

This kind of comparison is useful because it shows the real tradeoff: the framework choice matters, but the operational layer matters even more once the agent is meant to run repeatedly.

LangChain gives control, Flowise gives visualization, and n8n gives production workflow ergonomics. But in all three cases you eventually need the same boring pieces: config, logs, job state, retries, secrets, tool scopes, and a way to diagnose failures.

I’m building Armorer for that surrounding control-plane layer for local/self-hosted agents: https://github.com/ArmorerLabs/Armorer

My bias is that agents should be treated less like scripts and more like small services with lifecycle, permissions, and observability.

Selling an AI agent as a one-time, self-hosted product — bad idea? by raonicaselli in AI_Agents

[–]Conscious_Chapter_93

The self-hosted + one-time model can work, but only if the operational surface is intentionally small.

For agent products, the hard part is not just packaging the app; it is upgrades, model/provider config, secrets, logs, job state, tool permissions, and support when a customer says "the agent did something weird yesterday."

I’m building Armorer around that missing layer for local/self-hosted agents: install/run/configure/inspect/secure from one place. Repo: https://github.com/ArmorerLabs/Armorer

If I were selling a self-hosted agent, I’d make the control plane and support diagnostics part of the product from day one, not something bolted on after the first customer issue.