Three fences.
Total containment.
NockLock is the open-source CLI that sandboxes AI agents with filesystem, network, and secret fencing. Watch a real agent try (and fail) to leak. Every blocked action logged. Every fence configurable.
Animated demo: an AI agent runs inside a NockLock sandbox. NockLock allows it to read and patch the project login file, but blocks its attempts to read SSH keys, reach an external API, and exfiltrate an AWS secret, ending with three fences enforced and zero leaks.
Three boundaries.
Zero exceptions.
Each fence is independently configurable, scriptable via TOML, and audited to a local SQLite log every time an agent crosses it.
Allowlist the directories your agent can touch. Everything else returns ENOENT. Symlink escape attempts are logged and blocked.
[fence.filesystem]
allow = ["~/Dev/project", "~/.claude"]
deny = ["~/.ssh", "~/.aws"]
mode = "strict"
Default-deny outbound. Allowlist exactly the hosts your agent needs. DNS resolution and TLS SNI are both inspected.
[fence.network]
allow = ["api.anthropic.com"]
deny = ["*"]
on_block = "log_and_abort"
Scan env, scan files, redact on read. The moment an AWS key or .pem touches the agent's context, the session aborts.
[fence.secrets]
scan_env = true
deny_files = [".env*", "*.pem"]
on_block = "log_and_abort"
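A policy lint that could run in CI before a fence file is committed, written as an added example (not NockLock's own code). It uses only the table and key names shown in the three snippets above; the checks themselves are this example's assumptions, including that an allow entry containing a denied path deserves review, since the page does not say how NockLock resolves such overlaps. WEAK_POLICY is constructed sample input.

```python
import os.path
try:
    import tomllib                       # Python 3.11+
except ModuleNotFoundError:              # older interpreters: pip install tomli
    import tomli as tomllib

# Constructed sample: the page's keys, deliberately weakened for the demo.
WEAK_POLICY = """
[fence.filesystem]
allow = ["~", "~/.claude"]
deny = ["~/.ssh", "~/.aws"]

[fence.network]
allow = ["api.anthropic.com", "*"]
deny = []

[fence.secrets]
scan_env = false
"""

def _norm(path):
    # Expand "~" and collapse "..", so comparisons are on absolute paths.
    return os.path.abspath(os.path.expanduser(path))

def _contains(parent, child):
    parent, child = _norm(parent), _norm(child)
    return os.path.commonpath([parent, child]) == parent

def lint_policy(toml_text):
    """Return a list of human-readable findings for a fence policy."""
    fence = tomllib.loads(toml_text).get("fence", {})
    fs, net, sec = (fence.get(k, {}) for k in ("filesystem", "network", "secrets"))
    findings = []
    # An allowed directory that is an ancestor of a denied one is ambiguous.
    for allowed in fs.get("allow", []):
        for denied in fs.get("deny", []):
            if _contains(allowed, denied):
                findings.append(f"filesystem: allow {allowed!r} contains denied path {denied!r}")
    # The page's network fence is default-deny: deny = ["*"].
    if "*" not in net.get("deny", []):
        findings.append("network: deny lacks '*', so outbound is not default-deny")
    for host in net.get("allow", []):
        if "*" in host:
            findings.append(f"network: wildcard in allow entry {host!r}")
    if sec.get("scan_env") is not True:
        findings.append("secrets: scan_env is not enabled")
    return findings
```

Calling `lint_policy(WEAK_POLICY)` returns five findings; the policy exactly as shown on this page returns none.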
Wrap any agent.
In four steps.
NockLock is a single binary. No daemon, no kernel module. It wraps your existing agent CLI in a fenced sandbox and logs everything to SQLite.
Define your fences in TOML
One file per agent. Filesystem allowlist, network allowlist, secret rules. Commit it to your repo so your fleet ships with policy baked in.
Wrap your agent command
nocklock run claude-code "fix bug" runs the agent inside the sandbox. Works with Claude Code, Codex, Cursor agents, anything you can run from a shell.
Every action is checked, then logged
System calls and network requests are intercepted in user-space. Allowed actions pass through. Blocked actions are denied and written to ~/.nocklock/audit.db.
Review the audit trail anytime
SQLite, so query it however you want. Pipe it into Nock Command for fleet-wide visibility, or just sqlite3 it from the terminal.
Install
One line. No accounts. No telemetry.
# homebrew (macOS, Linux)
$ brew install nocktechnologies/tap/nocklock

# or from source
$ cargo install nocklock

# initialize in your project
$ nocklock init

# wrap any agent command
$ nocklock run claude-code "fix login bug"
[ok] 3 fences armed · agent sandboxed
Real fleet. Real numbers.
NockLock has been wrapping the founder's 14-agent fleet for 14 sprints. These are the receipts.
Stop trusting your agent.
Fence it.
The rest of the fleet.
NockLock is the foundation. The rest of the stack runs on top of it: context, orchestration, and the dashboard that ties it all together.
Context persistence layer. Diary, handoffs, identity documents. 94–99% retention.
Nock Skills · the playbook (FREE · OSS)
Operational patterns: handoff protocols, review pipelines, standing orders.
Nock Terminal · the cockpit ($29 / MO)
Multi-session Claude Code with tabs, status dots, git ops, command palette. macOS native.
Nock Command · the dashboard ($97 / MO)
Fleet coordination. Sprint planning, /fire dispatch, agent messaging, content pipeline.
NockOS · the operating system (RUNTIME)
Local runtime for persistent agents. One of many runtimes Command coordinates.