Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,10 @@ Moat is pre-1.0. The CLI interface and `moat.yaml` schema may change between min

## Unreleased

### Added

- **Kiro CLI support** — `moat kiro` runs the Kiro CLI in an isolated container with transparent credential injection; `moat grant kiro` stores a Kiro token. Supports local and remote MCP and runtime-context injection. ([#NNN](https://github.com/majorcontext/moat/pull/NNN))

## v0.5.1 — 2026-04-28

Patch release with one security fix (IPv6 egress firewall) and a batch of run-lifecycle and proxy fixes. Adds `MOAT_HOME` for relocating moat state, a multi-runtime manager so Docker and Apple containers can coexist in one install, TUI debug shortcuts, and Python 3.13/3.14 support. Gatekeeper is extracted to its own repository.
Expand Down
190 changes: 190 additions & 0 deletions docs/content/guides/14-kiro.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,190 @@
---
title: "Running Kiro"
navTitle: "Kiro"
description: "Run the Kiro CLI in an isolated container with credential injection."
keywords: ["moat", "kiro", "ai agent", "coding assistant"]
---

# Running Kiro

This guide covers running the Kiro CLI in a Moat container.

## Prerequisites

- Moat installed
- A Kiro API token

## Granting Kiro credentials

Run `moat grant kiro` to configure authentication:

```bash
$ moat grant kiro

Enter your Kiro token: ...

Kiro token saved to ~/.moat/credentials/kiro.enc
```

You can also set `KIRO_API_KEY` in your environment before running the command:

```bash
export KIRO_API_KEY="..."
moat grant kiro
```

Kiro tokens are static credentials — there is no automatic refresh. When a token expires, re-run `moat grant kiro` to replace it.

### How credentials are injected

The actual credential is never in the container environment. Moat's proxy intercepts requests to the Kiro API and injects the real token at the network layer. The container receives only a placeholder value for `KIRO_API_KEY`. See [Credential management](../concepts/02-credentials.md) for details.

## Running Kiro

### Interactive mode

Start Kiro in the current directory:

```bash
moat kiro
```

Start in a specific project:

```bash
moat kiro ./my-project
```

Kiro launches in interactive mode with full access to the mounted workspace.

### Non-interactive mode

Run with a prompt:

```bash
moat kiro -p "explain this codebase"
moat kiro -p "fix the failing tests"
moat kiro -p "add input validation to the user registration form"
```

Kiro executes the prompt and exits when complete.

### Named runs

Give your run a name for reference:

```bash
moat kiro --name feature-auth ./my-project
```

The name appears in `moat list` and makes it easier to manage multiple runs.

## Adding GitHub access

Grant GitHub access so Kiro can interact with repositories:

```bash
moat kiro --grant github ./my-project
```

Configure in `moat.yaml` for repeated use:

```yaml
name: my-kiro-project
agent: kiro

grants:
- kiro
- github
```

Then:

```bash
moat kiro ./my-project
```

## Local MCP servers

Run MCP servers as processes inside the container using the `kiro.mcp` section in `moat.yaml`:

```yaml
name: my-kiro-project
agent: kiro

grants:
- kiro

kiro:
mcp:
filesystem:
command: npx
args: ["-y", "@modelcontextprotocol/server-filesystem", "/workspace"]
```

The MCP server configuration is written to `~/.kiro/settings/mcp.json` inside the container.

## Remote MCP servers

Remote HTTP MCP servers are configured with the top-level `mcp:` field and relayed through the Moat proxy:

```yaml
name: my-kiro-project
agent: kiro

grants:
- kiro

mcp:
- name: context7
url: https://mcp.context7.com/mcp
auth:
grant: mcp-context7
header: CONTEXT7_API_KEY
```

Store the MCP server credential before running:

```bash
moat grant mcp context7
```

## Network hosts

Kiro uses the following hosts. Moat allows them automatically when the `kiro` grant is configured:

| Host | Purpose |
|------|---------|
| `q.us-east-1.amazonaws.com` | Kiro API (credential injection applies to this host) |
| `cognito-identity.*.amazonaws.com` | Cognito identity (allowlisted, no credential injection) |
| `cli.kiro.dev` | Kiro CLI installer |

**Note on regions:** Credential injection is scoped to `q.us-east-1.amazonaws.com`. This is the only region currently in use. If Kiro adds support for additional regions in the future, their hostnames must be listed explicitly — the credential injection layer does not wildcard-match hostnames.

## Allowing additional hosts

To allow access to additional hosts:

```bash
moat kiro --allow-host example.com ./my-project
```

Or configure in `moat.yaml`:

```yaml
network:
rules:
- example.com
- "*.internal.corp"
```

## Workspace snapshots

Moat captures workspace snapshots for recovery and rollback. See [Snapshots](./07-snapshots.md) for configuration and usage.

## Related guides

- [SSH access](./04-ssh.md) — Set up SSH for git operations
- [Snapshots](./07-snapshots.md) — Protect your workspace with snapshots
- [MCP servers](./09-mcp.md) — Configure remote and local MCP servers
- [Exposing ports](./06-ports.md) — Access services running inside containers
76 changes: 75 additions & 1 deletion docs/content/reference/01-cli.md
Original file line number Diff line number Diff line change
Expand Up @@ -37,7 +37,7 @@ If a name matches multiple runs, batch commands (`stop`, `destroy`) prompt for c

## Common agent flags

The agent commands (`moat claude`, `moat codex`, `moat gemini`) share the following flags. These flags work identically across `moat claude`, `moat codex`, and `moat gemini`.
The agent commands (`moat claude`, `moat codex`, `moat gemini`, `moat kiro`) share the following flags. These flags work identically across `moat claude`, `moat codex`, `moat gemini`, and `moat kiro`.

| Flag | Description |
|------|-------------|
Expand Down Expand Up @@ -388,6 +388,60 @@ moat gemini --rebuild

---

## moat kiro

Run the Kiro CLI in a container.

```
moat kiro [workspace] [flags] [-- initial-prompt]
```

In addition to the command-specific flags below, `moat kiro` accepts all [common agent flags](#common-agent-flags).

### Arguments

| Argument | Description |
|----------|-------------|
| `workspace` | Workspace directory (default: current directory) |
| `initial-prompt` | Text after `--` is passed to Kiro as an initial prompt (interactive mode) |

### Command-specific flags

| Flag | Description |
|------|-------------|
| `-p`, `--prompt TEXT` | Run non-interactive with prompt |

### Examples

```bash
# Interactive Kiro CLI
moat kiro

# In specific directory
moat kiro ./my-project

# Interactive with initial prompt (Kiro stays open)
moat kiro -- "explain this codebase"

# Non-interactive with prompt (exits when done)
moat kiro -p "explain this codebase"
moat kiro -p "fix the bug in main.py"

# With GitHub access
moat kiro --grant github

# Named run
moat kiro --name my-feature

# Run in a git worktree (non-interactive with prompt)
moat kiro --worktree=dark-mode --prompt "implement dark mode"

# Force rebuild
moat kiro --rebuild
```

---

## moat wt

Create or reuse a git worktree for a branch and start a run in it.
Expand Down Expand Up @@ -497,6 +551,7 @@ moat grant <provider>[:<scopes>]
| `anthropic` | Anthropic API key |
| `openai` | OpenAI (API key) |
| `gemini` | Google Gemini (Gemini CLI OAuth or API key) |
| `kiro` | Kiro API token |
| `npm` | npm registries (.npmrc, `NPM_TOKEN`, or manual) |
| `aws` | AWS (IAM role assumption) |
| `oauth` | OAuth 2.0 (authorization code flow with PKCE) |
Expand Down Expand Up @@ -555,6 +610,21 @@ If no Gemini CLI credentials are found, falls directly to the API key prompt.
moat grant gemini
```

### moat grant kiro

Stores a Kiro API token. Reads from the `KIRO_API_KEY` environment variable, or prompts interactively.

Kiro tokens are static credentials with no automatic refresh. When a token expires, re-run `moat grant kiro` to replace it.

```bash
# Enter token interactively
moat grant kiro

# Read from environment variable
export KIRO_API_KEY="..."
moat grant kiro
```

### moat grant npm

Grant npm registry credentials. Auto-discovers registries from `~/.npmrc` and `NPM_TOKEN` environment variable.
Expand Down Expand Up @@ -784,6 +854,9 @@ moat revoke <provider>
moat revoke github
moat revoke claude # revokes OAuth token
moat revoke anthropic # revokes API key
moat revoke openai
moat revoke gemini
moat revoke kiro
moat revoke npm
moat revoke ssh:github.com

Expand Down Expand Up @@ -1452,6 +1525,7 @@ This command scans for and removes temporary directories matching these patterns
- `agentops-aws-*` - AWS credential helper directories (legacy)
- `moat-claude-staging-*` - Claude configuration staging directories
- `moat-codex-staging-*` - Codex configuration staging directories
- `moat-kiro-staging-*` - Kiro configuration staging directories
- `moat-npm-*` - npm credential configuration directories

Only directories older than `--min-age` are removed.
Expand Down
Loading