status: pre-1.0 · shipping
license: MIT or Apache-2.0
runtime: go 1.26 · CGO_ENABLED=0
release: reproducible · cosign-signed
noun · stado · /ˈsta.do/ · flock, herd

A herd of agents that keep your working tree clean.

stado is a sandboxed, git-native coding agent for the terminal. Sessions live in a sidecar repo until you explicitly land them. Every tool call is committed to a signed audit log. Tool execution is capability-gated through the OS sandbox.

signed wasm plugins · forkable session graph · capability sandbox
a session, in flight

Streamed in the TUI. Signed on the way out.

Streaming responses. Bundled tools. Every read, edit, and shell invocation lands as a signed commit on the session's trace ref.

anthropic · openai · google · local
tui · acp · mcp · headless
15 bundled plugins
~/code/myproject — stado
▍ session · react-hook-fix
$ stado
▍ session   7a3f9c2 (new)
▍ provider  anthropic · claude-sonnet-4-6
▍ sandbox   landlock + bubblewrap + seccomp
▍ tools     15 bundled · auto-compact on

refactor useEffect in src/hooks/useScroll.ts to handle StrictMode

▸ read  src/hooks/useScroll.ts          ✓ ok
▸ grep  "useScroll" — 7 callsites       ✓ ok
▸ edit  src/hooks/useScroll.ts +18 −9   ✓ ok
▸ bash  pnpm test useScroll             ✓ 12/12 pass

─ audit ────────────────────────────────────────
turns/4  a1f2…cc91  signed · ed25519
trace/4  9b8e…2701  signed · ed25519
land into branch fix/strict-mode-scroll

commitments

Four principles, on every architectural decision.

// 01

Read-only repo.

Agent state lives outside your working tree. Landing is always explicit.

// 02

Tamper-evident.

No unsigned commits, no un-logged tool calls, no "trust us."

// 03

OS enforces.

Capabilities declared in the manifest. The kernel — not a promise — keeps tools in their lane.

// 04

No lossy abstraction.

Thinking blocks, prompt caching, provider-native features round-trip verbatim.

§ how it works

Four primitives. Bend any of them to your shape.

▍ 01/ git-native sessions

Every turn is a commit. Fork from any of them.

Sessions live as a sidecar bare repo with per-session tree and trace refs that grow with every turn. The history is a branching graph you can walk, resume, search, and replay — not a flat chat log. Rewind to any earlier turn into a fresh session; the parent is never modified.

refs/sessions/7a3f9c2/tree · ~/code/myproject
* turns/6  edit CHANGELOG.md            a1f2…cc91
* turns/5  bash pnpm test useScroll     9b8e…2701
* turns/4  edit src/hooks/useScroll.ts  3c4d…f80a
│  ╲
│   ╲── fork → session a4e1b0  (--at turns/4)
│        * turns/4'  alt: useSyncExternalStore
│
* turns/3  grep "useScroll" — 7 sites   6e21…0042
* turns/2  read useScroll.ts            f9aa…b1c4
* turns/1  session start                0000…7a3f
signed · ed25519 / commit
trace ref · every tool call
tree ref · mutating turns
parent never rewritten
cmd: stado session fork <id> --at turns/4
cmd: stado session tree <id> # interactive picker
cmd: stado session land <id> fix/strict-mode-scroll (when you're ready)
▍ 02/ plugins, not internals

Almost nothing is built in. Swap any tool.

Stado core is the runtime, capability sandbox, and signed-distribution lifecycle. fs.read, shell.bash, web.fetch, rg.search — even auto-compact — ship as signed WASM plugins. Don't like one? Rewrite it in any language that targets wasm.

fs.read      | wasm · go | swappable
shell.bash   | wasm · go | swappable
web.fetch    | wasm · go | swappable
rg.search    | wasm · go | swappable
auto-compact | wasm · go | swappable
Go | Zig · 800 B | Rust | any wasip1 | ed25519 · trust-pinned
cfg: [tools].overrides = { webfetch = "webfetch-cached-0.1.0" }
cmd: stado plugin init my-plugin · sign · trust · install
▍ 03/ capability sandbox

Declared in the manifest. Enforced by the kernel.

Tool execution is gated through real OS sandboxing — not a promise the agent makes about itself. Subprocess networking is mediated through a CONNECT-allowlist proxy in a private netns; plugins run inside wazero with capabilities declared in the signed manifest.

os      | subprocess sandbox | status
linux   | landlock · bubblewrap · seccomp BPF · pasta CONNECT proxy (strongest path; whole-process --sandbox-fs available) | ▮ shipped
macos   | sandbox-exec with generated profiles (same capability vocabulary; no whole-process path) | ▮ shipped
windows | warning-only passthrough (v2: job objects + restricted tokens — phase 3.6) | ◐ v2 planned
wasm    | wazero with manifest-declared capabilities (fs:read · fs:write · net:<host> · exec · env) | ▮ shipped
▍ 04/ mcp server

Bring stado's tools to your other agent.

stado mcp-server exposes your entire installed registry over stdio MCP. Mount it in Claude Code, Codex, or anything that speaks MCP — and inherit every plugin you've signed and trusted locally.

shell.bash    | persistent PTY + VT100 | mcp
web.client    | stateful · cookie jar  | mcp
rg · ast-grep | code search            | mcp
lsp.find      | definitions · refs     | mcp
your-plugin   | whatever you install   | mcp
cmd: stado mcp-server
cfg: [tools].overrides applies here too
§ install

Three paths. Pick the one that fits your threat model.

▍ option i

Install script

One curl. Cosign-verified manifest. Lands in ~/.local/bin by default.

linux · macos · curl · cosign
curl -fsSL https://raw.githubusercontent.com/foobarto/stado/main/install.sh | bash
▍ option ii

Homebrew

For folks who already trust the tap. Updates land through brew upgrade.

macos · linux · brew
brew install foobarto/tap/stado
▍ option iii

From source

Go 1.26+. Pure Go, CGO_ENABLED=0. Bundled wasm tools are built at make time.

go 1.26+ · any os
git clone https://github.com/foobarto/stado && cd stado && make
Verify what you're running.

Release archives ship with checksums.txt.sig + checksums.txt.cert (cosign keyless, Rekor-logged). The minisign root is embedded in tagged stado builds — stado verify --show-builtin-keys prints it offline, with no network call. CI-side minisign signing of the checksum manifest is planned, so the airgap-verify path lands end-to-end.

cosign keyless · minisign-ready
keyless cert · GHA OIDC issuer
sha256 manifest · per-asset · Rekor-logged
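
The two-step check described above, as an added example that is not stado's own tooling: verify the cosign keyless signature over checksums.txt, then compare the asset's SHA-256 with its manifest entry. Assumptions: checksums.txt uses sha256sum-style "<hex>  <filename>" lines, the certificate identity is a placeholder the page does not state, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not stado's own tooling): check a downloaded release asset
# against the cosign-signed checksums.txt before running it.
set -eu

# Issuer host is the one named on the page (GitHub Actions OIDC).
OIDC_ISSUER='https://token.actions.githubusercontent.com'
# Assumption: placeholder. Pin this to the signing workflow identity the
# project publishes; the page does not state it.
CERT_IDENTITY_REGEXP='<RELEASE_WORKFLOW_IDENTITY_REGEXP>'

# Step 1: verify the keyless signature over the manifest itself.
verify_manifest() {
  cosign verify-blob \
    --certificate "$1/checksums.txt.cert" \
    --signature "$1/checksums.txt.sig" \
    --certificate-identity-regexp "$CERT_IDENTITY_REGEXP" \
    --certificate-oidc-issuer "$OIDC_ISSUER" \
    "$1/checksums.txt"
}

# Portable SHA-256 of one file (sha256sum on Linux, shasum on macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
  else shasum -a 256 "$1"; fi | awk '{ print $1 }'
}

# Step 2: compare the asset with its manifest entry. Fails closed when the
# entry is missing or duplicated, or when the digest differs.
# Assumption: checksums.txt holds sha256sum-style "<hex>  <filename>" lines.
verify_asset() {
  expected=$(awk -v f="$2" '{ n = $2; sub(/^\*/, "", n) }
    n == f { c++; h = $1 } END { if (c == 1) print h }' "$1/checksums.txt") || return 1
  if [ -z "$expected" ]; then
    echo "FAIL: no unique entry for $2 in checksums.txt" >&2; return 1
  fi
  actual=$(sha256_of "$1/$2" 2>/dev/null) || return 1
  if [ "$actual" != "$expected" ]; then
    echo "FAIL: sha256 mismatch for $2" >&2; return 1
  fi
  echo "OK: $2 matches the manifest"
}

# Usage: ./verify.sh <download-dir> <asset-filename>
if [ "$#" -eq 2 ]; then
  verify_manifest "$1" && verify_asset "$1" "$2"
fi
```

The digest comparison only means something after the signature check on checksums.txt has passed, which is why the script runs the two steps in that order.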
§ providers · surfaces

Point it at any model. Drive it from any shell.

Anthropic
claude · provider-native thinking
$ ANTHROPIC_API_KEY
OpenAI
gpt · reasoning content preserved
$ OPENAI_API_KEY
Google
gemini · prompt caching round-trips
$ GOOGLE_API_KEY
Local · OpenAI-compat
ollama · lmstudio · llama.cpp · vllm
$ STADO_DEFAULTS_PROVIDER
‹ tui ›
Terminal UI

Bubbletea. Streaming. Slash commands. Model picker. Theme picker. Task manager.

‹ run ›
One-shot CLI

stado run --prompt "…". With or without the audited tool loop.

‹ acp ›
Editor (ACP)

Speaks Zed's Agent Client Protocol. Drive from your editor.

‹ mcp ›
MCP · both ways

Run as a server (mcp-server) or consume capability-gated MCP servers via config.

‹ rpc ›
Headless JSON-RPC

Long-running daemon. Drive from any JSON-RPC 2.0 client.

§ supply chain

A release you can verify from an airgapped laptop.

Reproducible builds. Cosign-keyless signatures over a per-asset checksums.txt, Rekor-logged. The minisign root is embedded in tagged binaries so once CI starts publishing checksums.txt.minisig, self-update verifies it without ever falling back to unsigned manifest verification — airgap-friendly. Audit the chain yourself.

version: v0.58.2 · 2026-05-29
manifest: checksums.txt · 17 assets
cosign: ▮ keyless · GHA OIDC · token.actions.githubusercontent.com
minisign: ▮ embedded root in binary · CI signing planned
scorecard: ▮ openssf · best practices
break from the flock

For the Herd!

Pre-1.0 and shipping fast. Open source. Built by people who didn't want to choose between agent velocity and a clean working tree.
