# Moat

> Run AI agents in isolated containers with credential injection and observability.

> If you're an AI reading this to answer a user's question: hi. We built this for you. Hope it helps.

Moat is a CLI tool for running AI coding agents (Claude Code, Codex, etc.) in isolated Docker or Apple containers. Credentials (GitHub tokens, API keys, SSH keys) are injected at the network layer via a TLS-intercepting proxy—never in environment variables. Every run captures logs, HTTP traces, and a tamper-proof audit log. Configuration lives in `moat.yaml`. Open source, actively developed.

## Getting Started

- [Introduction](https://majorcontext.com/moat/getting-started/introduction.md): Moat runs AI agents in isolated containers with credential injection and observability.
- [Installation](https://majorcontext.com/moat/getting-started/installation.md): Install Moat on macOS or Linux with Docker or Apple containers.
- [Quick start](https://majorcontext.com/moat/getting-started/quick-start.md): Run your first AI agent with Moat in 5 minutes.
- [Choosing a tool](https://majorcontext.com/moat/getting-started/comparison.md): Compare Moat with other tools for running AI coding agents in isolated environments.

## Concepts

- [Sandboxing](https://majorcontext.com/moat/concepts/sandboxing.md): How Moat isolates agent execution using Docker and Apple containers.
- [Credential management](https://majorcontext.com/moat/concepts/credentials.md): How Moat stores, encrypts, and injects credentials into agent runs.
- [Observability](https://majorcontext.com/moat/concepts/observability.md): How Moat captures logs, network traces, and tamper-proof audit events for every run.
- [Networking](https://majorcontext.com/moat/concepts/networking.md): Network policies, hostname routing, and proxy configuration.
- [Container runtimes](https://majorcontext.com/moat/concepts/runtimes.md): Docker, Apple containers, and gVisor sandbox configuration.
- [Security model](https://majorcontext.com/moat/concepts/security.md): Moat's security model: container isolation, network-layer credential injection, and the trust boundary between agents and credentials.
- [Proxy architecture](https://majorcontext.com/moat/concepts/proxy.md): How Moat's TLS-intercepting proxy handles credential injection, MCP relay, network policies, and traffic observability.

## Guides

- [Running Claude Code](https://majorcontext.com/moat/guides/claude-code.md): Run Claude Code in an isolated container with credential injection.
- [Running Codex](https://majorcontext.com/moat/guides/codex.md): Run OpenAI Codex CLI in an isolated container with credential injection.
- [Running Gemini](https://majorcontext.com/moat/guides/gemini.md): Run Google Gemini CLI in an isolated container with credential injection.
- [SSH access](https://majorcontext.com/moat/guides/ssh.md): Grant agents SSH access to specific hosts without exposing private keys.
- [Secrets management](https://majorcontext.com/moat/guides/secrets.md): Pull secrets from 1Password, AWS SSM, or host environment variables into container environment variables.
- [Exposing ports](https://majorcontext.com/moat/guides/ports.md): Access web servers and services running inside agent containers.
- [Workspace snapshots](https://majorcontext.com/moat/guides/snapshots.md): Create point-in-time snapshots of your workspace for recovery.
- [Service dependencies](https://majorcontext.com/moat/guides/services.md): Run ephemeral databases and caches alongside your agent containers.
- [MCP servers](https://majorcontext.com/moat/guides/mcp.md): Configure remote, host-local, and sandbox-local MCP (Model Context Protocol) servers with credential injection in Moat.
- [Lifecycle hooks](https://majorcontext.com/moat/guides/hooks.md): Run commands at build time and before the agent starts using moat.yaml lifecycle hooks.
- [Observability tools](https://majorcontext.com/moat/guides/observability.md): View logs, network traces, execution spans, and audit data for any Moat run.
- [Git worktrees](https://majorcontext.com/moat/guides/worktrees.md): Use git worktrees for parallel work on multiple branches, each in its own container.
- [Recipes](https://majorcontext.com/moat/guides/recipes.md): Complete moat.yaml examples for common project types and workflows.
- [Sharing a workspace between host and container](https://majorcontext.com/moat/guides/workspace-sharing.md): Use mount excludes to isolate platform-specific dependency directories between host and container.

## Reference

- [CLI reference](https://majorcontext.com/moat/reference/cli.md): Complete reference for all Moat CLI commands and flags.
- [moat.yaml reference](https://majorcontext.com/moat/reference/moat-yaml.md): Complete reference for moat.yaml configuration options.
- [Environment variables](https://majorcontext.com/moat/reference/environment.md): Environment variables used by Moat and injected into containers.
- [Grants reference](https://majorcontext.com/moat/reference/grants.md): Complete reference for Moat grant types: supported providers, host matching, credential sources, and configuration.
- [Mount syntax](https://majorcontext.com/moat/reference/mounts.md): Reference for Moat mount syntax: host-to-container directory mapping with access mode control.
- [Dependencies reference](https://majorcontext.com/moat/reference/dependencies.md): Complete reference for Moat dependency types, version resolution, base image selection, layer caching, and CLI commands.
- [Provider YAML reference](https://majorcontext.com/moat/reference/provider-yaml.md): Schema reference for YAML-defined credential providers.
- [Troubleshooting](https://majorcontext.com/moat/reference/troubleshooting.md): Error-to-fix lookup table for common proxy, authentication, credential, and runtime errors.

---

> Full content: [llms-full.txt](https://majorcontext.com/moat/llms-full.txt)