Let agents break things safely

Moat runs AI agents in sandboxed containers with scoped credentials and tamper-proof audit trails.

Works with Claude, Codex, and Gemini.
Credential injection for GitHub, GitLab, AWS, OpenAI, npm, SSH, 1Password, and more.

# Install
$ brew tap majorcontext/moat
$ brew install moat

# Grant credentials and run Claude safely
$ moat grant anthropic
$ moat grant github
$ moat claude .

Safety

Sandboxed Execution

Every agent runs in an isolated container—Docker, Apple containers, or gVisor. No host access.

Network-Layer Credentials

OAuth tokens and API keys are injected at the proxy layer. Agents never see raw secrets.

Network Policies

Permissive or strict firewall mode. Whitelist allowed hosts, block everything else.

Tamper-Proof Audit

Hash-chained audit logs with cryptographic verification. Export proof bundles for compliance.

Developer Experience

Declarative Config

One agent.yaml defines runtime, credentials, services, and network policy.

Service Dependencies

PostgreSQL, MySQL, and Redis sidecars auto-provisioned with injected credentials.

Snapshots & Recovery

Automatic workspace snapshots on commits, builds, and idle. Point-in-time restore without stopping.

Parallel Worktrees

Run multiple agents on separate git branches simultaneously. No workspace conflicts.

Why This Exists

AI coding agents need access to credentials—GitHub tokens for pushing code, API keys for external services, SSH keys for deployment. The standard approach is to pass these as environment variables, but this means the agent can read, log, or exfiltrate them. If the agent's behavior is compromised or simply buggy, your credentials are exposed.

Moat solves this by injecting credentials at the network layer through a TLS-intercepting proxy. The agent's code never sees the tokens; they're added to outgoing HTTP requests transparently. This means you can run untrusted or experimental agent code without risking credential leakage.

Who Did It

Dan Pupius

Principal Engineer at TheGP, helping startups at critical moments, while exploring what it means to be AI native.

Andy Bonventre

CTO at Neptune. Previously led the Go open source project and security for Stripe Link.

Get Started

Introduction — Learn about Moat's core concepts and architecture
Installation — Platform-specific installation instructions
Quick Start — Guided walkthrough of your first Moat run

Moat is open source and in active development. APIs and configuration formats may change. View github.com/majorcontext/moat for the latest updates.