Data Residency for Planner-Executor Agents

Many assume that a planner‑executor pair automatically respects data residency simply because the planner runs in a compliant zone. The reality is that the executor often reaches out to resources without any guarantee that the data stays within the intended geography.

Data residency is not a property of the code alone; it is a property of the entire request path. When a planner asks an executor to run a job, the executor’s network traffic, logs, and temporary artifacts can cross region boundaries unless the connection is explicitly constrained.

How teams typically wire planner‑executor agents today

In practice, many organizations deploy a planner service that generates tasks for a fleet of executor agents. The agents authenticate with static service‑account keys that are shared across environments. Connections to databases, caches, or internal APIs are made directly from the executor, often using the same credential set that the planner uses. There is little visibility into which region the executor contacts, and audit logs are scattered across individual services or written to local files on the agent host.

This model creates three hidden problems. First, the executor can inadvertently query a replica in a different country, breaking regulatory mandates. Second, logs that contain query results or error details may be written to disks that are not subject to the same residency controls as the primary data store. Third, because the planner and executor share credentials, revoking a single compromised key revokes access everywhere, increasing blast radius.

The missing piece: a controlled data path

The precondition for solving data residency is to treat the executor’s access as a non‑human identity that is granted the minimum permissions needed for each task. Federation with an identity provider and just‑in‑time role assignment reduce the attack surface. However, even with tight identity controls, the request still travels straight to the target service. No component in that path inspects the traffic, enforces geographic constraints, or records the exact query for later review.

Without a gateway in the middle, you cannot guarantee that every request respects the residency rule, nor can you produce a reliable audit trail that shows where data was read or written.

hoop.dev as the enforcement layer

hoop.dev solves the problem by becoming the mandatory data path for every planner‑executor interaction. The executor connects through hoop.dev instead of reaching the target directly. hoop.dev verifies the caller’s OIDC token, applies policy that defines allowed regions, and then proxies the request to the actual service.

Because hoop.dev sits in the protocol layer, it can enforce several outcomes that directly address data residency:

• hoop.dev records each session, capturing which endpoint was contacted and the region involved.
• hoop.dev masks any sensitive fields in responses that might reveal location‑specific identifiers before the data reaches the executor.
• hoop.dev blocks requests that attempt to connect to a resource outside the approved geography, returning a clear denial.
• hoop.dev triggers a just‑in‑time approval workflow when a planner asks for access that spans regions, ensuring a human review before the connection proceeds.

These enforcement outcomes exist only because hoop.dev is positioned in the data path. The identity setup decides who may ask for access, but hoop.dev is the only component that can actually enforce residency policies and capture evidence.

Why the architecture matters

Separating setup from enforcement prevents a common pitfall: believing that strong IAM policies alone are enough. A token may grant permission to read a table, but without a gateway, there is no guarantee the read happens in the right region. hoop.dev provides the enforcement boundary that makes the residency rule actionable.

In addition to residency, the same gateway can be reused for command‑level audit, inline masking, and session replay, giving you a unified control surface for all non‑human agents.

Getting started

Review the getting‑started guide to deploy the gateway and configure your planner‑executor workflow. The feature documentation explains how to define region‑based policies and enable just‑in‑time approvals.

FAQ

Do I need to change my existing planner code?

No. The executor simply points its client to the hoop.dev endpoint instead of the target service. All standard protocols (SQL, HTTP, SSH) are supported without code changes.

Will hoop.dev store my data?

hoop.dev holds only short‑lived credentials needed to proxy the connection. It does not persist the payload beyond what is required for session recording, which is stored in a location you control.

Can I enforce residency for multiple cloud providers?

Yes. The policy engine is provider‑agnostic; you define allowed regions and hoop.dev applies the rule to any supported connector, whether the backend is a PostgreSQL instance in AWS or a MongoDB cluster in GCP.

Explore the source code, contribute enhancements, and see how the gateway works under the hood on GitHub.