feat: Agents Plane — multi-tenant agent provisioning and isolation

[amor71]

Summary

An Agents Plane — an infrastructure layer that lets organizations deploy isolated AI agents for team members. Each agent gets its own VM, service account, secrets, and network isolation. This is essentially "OpenClaw for Teams."

Motivation

Today, deploying OpenClaw agents for a team is manual: spin up a VM, install OpenClaw, configure secrets, set up channels — repeat per person. There's no unified way to provision, manage, or enforce isolation across a fleet of agents. Organizations need:

• One command to provision an agent for a team member
• Zero-trust isolation between agents (no shared secrets, no shared network)
• Admin oversight without admin access to individual agent secrets
• Cost visibility per agent

Related Issues & PRs

• feat: GCP Secret Manager integration for external secrets management #16663 — GCP Secret Manager integration (per-agent secret scoping is foundational)
• feat: Agent Thinking Clock — periodic reflection with multi-model orchestration #17287 — Thinking Clock (each agent gets its own reflection cycle)
• Platform prerequisites for multi-agent per-org isolation #10004 — Platform prerequisites for multi-agent per-org isolation
• memory-lancedb: add per-agent memory isolation (agentId scoping) #15325 — Per-agent memory isolation (agentId scoping)
• feat: Sysbox Docker Runtime for Secure Container Isolation (Host Maintenance Required) #7575 — Sysbox Docker runtime for secure container isolation
• [Feature]: Add a secure way to pair dynamically autoscaled worked nodes in K8s #12429 — Secure pairing for dynamically autoscaled worker nodes in K8s
• Feature Request: Multi-user permission management with role-based access control #8081 — Multi-user permission management with RBAC
• [Feature Request] Unified Built-in Sandbox with Multi-Platform Support and Tiered Presets #12505 — Unified sandbox with multi-platform support
• Critical: Default configuration provides zero isolation - users have unrestricted filesystem access and plaintext credentials #7139 — Default config provides zero isolation
• [Critical Bug]: Session Isolation Leak #12571 — Session isolation leak

Proposed CLI

# Create a plane (admin)
openclaw planes create --name "acme-agents" --project gcp-project-id --region us-east4

# Provision agents for team members
openclaw planes add-agent --plane acme-agents --name alice --owner alice@acme.com --vm-type e2-small
openclaw planes add-agent --plane acme-agents --name bob --owner bob@acme.com --vm-type e2-small

# Manage
openclaw planes status
openclaw planes remove-agent --plane acme-agents --name alice
openclaw planes logs --plane acme-agents --name bob

What Gets Provisioned Per Agent

Resource	Details
Compute	VM (or container) with OpenClaw pre-installed
Identity	Dedicated GCP service account with minimal permissions
Secrets	Secret Manager prefixed secrets + IAM bindings (ties into #16663)
Network	VPC subnet or firewall rules for network isolation
Access	IAP tunnel scoped to the owner only (OS Login)
Channels	WhatsApp/Telegram/Signal connection (agent-specific)
Runtime	Thinking clock (#17287) + heartbeat pre-configured

Deployment Model Comparison

Model	Isolation	Cost/agent	Ops Complexity	Best For
VM-per-agent	🟢 Strongest	~$15-30/mo	Low	< 20 agents, high security
Container on K8s	🟡 Good (namespace + netpol)	~$5-15/mo	Medium	20-100+ agents, cost-sensitive
Process on shared VM	🔴 Weak	~$2-5/mo	Low	Dev/testing only

Recommendation: Start with VM-per-agent (simplest, strongest isolation). Add K8s support later for organizations at scale.

Security Model

• Zero trust between agents — no agent can access another's VM, secrets, or network
• SSH via IAP only — no SSH keys on disk, all access audited
• Per-agent service accounts — each can ONLY access its own Secret Manager secrets
• Admin audit without secret access — separation of duties (admin sees metrics/logs, not secret values)
• Network isolation — agents cannot reach each other's ports; egress controlled per policy

Architecture

┌─────────────────────────────────────────────┐
│              Agents Plane (admin)            │
│  ┌─────────┐  ┌─────────┐  ┌─────────┐     │
│  │ Agent A  │  │ Agent B  │  │ Agent C  │    │
│  │ (alice)  │  │ (bob)    │  │ (carol)  │    │
│  ├─────────┤  ├─────────┤  ├─────────┤     │
│  │ SA: a@   │  │ SA: b@   │  │ SA: c@   │    │
│  │ Secrets  │  │ Secrets  │  │ Secrets  │    │
│  │ VPC/FW   │  │ VPC/FW   │  │ VPC/FW   │    │
│  │ IAP→alice│  │ IAP→bob  │  │ IAP→carol│    │
│  └─────────┘  └─────────┘  └─────────┘     │
│                                              │
│  Shared: VPC, Cloud NAT, monitoring, billing │
└─────────────────────────────────────────────┘

Open Questions

1. IaC tooling — Terraform/Pulumi for declarative infra, or pure gcloud CLI for simplicity? Terraform is more portable for multi-cloud.
2. Multi-cloud — GCP first (we're already there), but the abstraction should allow AWS/Azure later. How tightly do we couple to GCP APIs?
3. K8s vs VMs — Should we support GKE from day one, or add it as a second backend later?
4. Billing/cost tracking — GCP labels per agent for cost attribution? Or a built-in usage tracker?
5. Channel provisioning — How do we automate WhatsApp/Telegram setup per agent? (WhatsApp Business API requires phone numbers)
6. Agent updates — Rolling updates across a plane? openclaw planes upgrade --plane acme-agents?
7. State & backup — Agent workspace snapshots? Memory export/import for migration?

Scope

This is a large feature. Suggested phases:

1. Phase 1: planes create + add-agent with VM-per-agent on GCP, Secret Manager isolation, IAP access
2. Phase 2: Admin dashboard, cost tracking, agent health monitoring
3. Phase 3: K8s backend, multi-cloud support
4. Phase 4: Self-service portal for team members, channel auto-provisioning

[amor71]

Requirements Document & Workspace Add-on

Comprehensive requirements document covering both the Orchestration Framework and the new Google Workspace Add-on has been drafted:

📄 Requirements doc: hush/agents-plane/REQUIREMENTS.md

Key additions to the design:

Provider-agnostic plugin architecture with typed interfaces for:

• Identity providers — Google Workspace, Microsoft Entra, Okta, LDAP/SAML
• Infra providers — GCP VMs/GKE, AWS EC2/EKS, Azure VMs/AKS, self-hosted
• Secrets providers — already built in PR feat: GCP Secret Manager integration for external secrets management #16663 (GCP, AWS, Azure, Vault)
• Networking providers — IAP, SSM, WireGuard, Tailscale

Config schema (planes.yaml) — declarative, Kubernetes-style manifest with per-agent and per-OU/group policy support.

Full CLI spec — openclaw planes create/add-agent/remove-agent/status/upgrade/rotate-secrets/pause/resume/cost-report

REST API contract — OpenAPI spec for Orchestration Framework ↔ Workspace Add-on communication.

4-phase rollout plan — Foundation → Workspace Integration → Enterprise → Scale

Linked issue:

• 🆕 Google Workspace Add-on: feat: Google Workspace Add-on for Agent Management #17303 — Admin Console integration for zero-touch agent management

Dependencies:

• ✅ Secrets providers: PR feat: GCP Secret Manager integration for external secrets management #16663
• 🔗 Thinking Clock: feat: Agent Thinking Clock — periodic reflection with multi-model orchestration #17287

[amor71]

Update: Working E2E + WhatsApp Onboarding

The Agents Plane is now working end-to-end. Here's what's new since the initial issue:

Working Now

• Full provisioning flow: Admin toggles agent ON in Google Admin Console → Apps Script detects → Cloud Function provisions VM → startup script installs OpenClaw + configures everything
• Welcome email: Agent sends welcome email to user via Gmail API (domain-wide delegation, no SMTP passwords)
• WhatsApp channel: Pre-configured in gateway config, auto-enabled on boot
• API key management: Keys stored in GCP Secret Manager, never on disk. ExecStartPre fetches fresh on every gateway boot
• Agent onboarding: 5-phase journey — welcome email → WhatsApp QR pairing → personality setup → API key migration → proactive engagement

Architecture

• Single startup script on GCS (source of truth for both CLI and Cloud Function)
• Per-agent secrets in Secret Manager
• Private VPC, no external IPs, IAP-only SSH
• fetch-agent-key.sh as systemd ExecStartPre — keys never persist between restarts

Repo

All code: https://github.com/amor71/agents-plane

PRs on the repo

• PR #2 — CF OOM + AUTH_SECRET fix
• PR #3 — Mermaid diagrams
• PR #4 — Full WhatsApp onboarding flow (890 lines)

What's Next

• QR code delivery via email for headless WhatsApp pairing
• Proactive agent behavior post-onboarding
• Channel upgrade path (WhatsApp → Telegram/Discord)

Would love feedback from the community, especially on:

1. Email channel as a native OpenClaw channel (currently email is not supported)
2. WhatsApp pairing for headless VMs (QR expiry is a UX challenge)
3. Agent-to-agent isolation patterns

[amor71]

Update: WhatsApp Onboarding + Agent Isolation

Big progress since the last update. The Agents Plane now has a complete onboarding flow:

New: Email → WhatsApp Onboarding

Instead of pre-configuring communication channels, agents now bootstrap themselves:

1. Welcome email via Gmail API (service account + domain-wide delegation) — no SMTP passwords
2. User replies "connect" when ready → agent generates a WhatsApp QR code and emails it
3. User scans QR → WhatsApp linked device (same model as a personal OpenClaw setup)
4. Agent drives onboarding via WhatsApp — personality setup, explains why own API key matters, teaches what the agent can do
5. API key migration — user provides their own Anthropic key, agent stores it in Secret Manager via store_key.py

Key Design Decisions

• WhatsApp over Telegram — it's where people actually are
• QR on-demand, not upfront — QR codes expire in ~60s, so we only generate when user is ready
• Email is bootstrap-only — one welcome email + QR delivery. Everything after is WhatsApp.
• API keys never on disk — fetch-agent-key.sh runs as ExecStartPre in systemd, pulls from Secret Manager on every boot. Key only lives in memory.
• Agent-driven onboarding — the agent proactively guides the conversation, doesn't dump checklists

Startup Script Rewrite

Single source of truth on GCS (gs://agents-plane-scripts/startup-script.sh). Major additions:

• fetch-agent-key.sh — pulls API key from Secret Manager on every gateway start
• store_key.py — agent writes user's API key to agent-{name}-api-key secret
• gmail.py enhanced with send_html, inbox (body extraction), mark_read, delete
• WhatsApp pre-configured (selfChatMode: true, allowFrom: ["*"])
• python3-qrcode for QR generation
• Sudoers for agent to restart own gateway

Testing

3 agent VMs (allison, andreas, ivan) successfully provisioned and running. Currently testing the full onboarding flow end-to-end.

Docs: REQUIREMENTS-email-channel.md, DESIGN-email-channel.md

[amor71]

🚀 Implementation Available

The working implementation is open source:

👉 amor71/agents-plane

Running in production — 3 agents provisioned and operational. Setup script, Cloud Function, startup scripts, WhatsApp onboarding flow — all included.

Builds on the secrets management PR (#16663) for secure key handling.

[openclaw-barnacle]

This issue has been automatically marked as stale due to inactivity.
Please add updates or it will be closed.

[openclaw-barnacle]

Closing due to inactivity.
If this is still an issue, please retry on the latest OpenClaw release and share updated details.
If you are absolutely sure it still happens on the latest release, open a new issue with fresh repro steps.