Alpha Software: Still in development and being tested, not recommended in production. Always default to sandboxed agents if you are not sure what you’re doing. Never give Agents access to credentials or files that you cannot afford to lose.
Multi-agent orchestrator for Claude with layered security. Agents run in containers with no secrets, no direct internet, and per-tool permission rules — but you can poke precise holes when you need to.
| Quick Start | Architecture | Configuration Reference | GitHub |
Stockade runs on the Anthropic Agent SDK — the same runtime that powers Claude Code. Each agent is a Claude Code session with access to built-in tools: Bash, Read, Write, Edit, Glob, Grep, WebSearch, WebFetch.
What Stockade adds:
ask_agent MCP toolallow / deny / ask rules per agent, per tool, per path| Layer | What it does |
|---|---|
| Container isolation | Sandboxed agents run in Docker on an internal network. No direct internet. |
| Credential proxy | MITM proxy strips auth headers and injects credentials per route. Agents never see API keys. |
| Tool permissions | Per-agent allow/deny/ask rules with path globs. No match = ask user. |
| Gatekeeper | AI risk assessment for ask rules. Auto-approves low-risk, prompts for higher. |
| RBAC | User roles control agent and tool access. Identity flows through sub-agent chains. |
| Network policy | Deny-by-default allowlist per host, path, and HTTP method. |
| OpenClaw | NanoClaw | NemoClaw | Stockade | |
|---|---|---|---|---|
| Isolation | Optional containers, app-level perms | Container per group | Landlock + seccomp + netns | 6-layer (see above) |
| Credentials | In-process | Gateway injection | Host-only via OpenShell | MITM proxy, per-route |
| Multi-agent | Single | Single per group | Single (wraps OpenClaw) | Hierarchical ask_agent MCP |
| Codebase | ~500k lines | ~2k lines | Thin CLI over OpenClaw | ~8k lines, 749 tests |
| Status | Production | Production | Alpha | Alpha |