Author here. I built this after seeing OpenClaw (68K stars) give agents full access to ~/.ssh, ~/.aws, and browser cookies with zero container isolation.

  SecLaw runs 4 Docker containers with strict boundaries: non-root,
  cap_drop ALL, read-only filesystem, 512MB/1CPU limits per container,
  zero inbound ports via Cloudflare Tunnel. API keys are sealed per service,
  not shared across containers.

  The interesting part is multi-agent auto-routing. You install agents as
  templates (npx seclaw add inbox-agent, npx seclaw add research-agent)
  and they stack onto one Telegram bot. The LLM routes each message to the
  right capability — email questions go to Inbox, lead questions go to Sales.
  Every response shows which agent answered.

  Architecture: Node.js agent + Inngest for scheduled workflows + Desktop
  Commander (MCP server, read-only) + Cloudflare Tunnel. All orchestrated
  by a single CLI command.

  Setup is `npx seclaw` — walks you through LLM provider, API key, Telegram
  token, and runs docker compose up. 60 seconds, no YAML editing.