run_sealed call from an agent is blocked until a human explicitly approves it — no blanket session grants. This makes leases the right choice for staging, prod, or any policy where you want an audit trail of exactly which commands were allowed and when.
Difference from trust sessions
Enable leases in ironrun.yml
run_sealed is blocked until you approve a lease for the requested command IDs.
Subcommands
access as an alias:
agents list
Lists pending agent requests. Each line shows the request ID, kind (lease or secret), status, environment, session ID, and expiry. For lease requests, the requested command IDs and TTL are shown. For secret requests, the alias and key name are shown.
Include resolved and expired requests in the output, not just pending ones.
agents approve
Approves a pending lease request. ironrun creates a lease and immediately unblocks the waiting MCP call.
Override the lease lifetime. The agent’s requested TTL is used by default. Maximum is 24 hours.
agents deny
Denies a pending secret or lease request. The waiting MCP call is unblocked with a denial response.
agents leases
Lists all agent leases sorted by expiry time. Status values are active, revoked, and expired.
agents revoke
Immediately revokes a lease. The revocation is checked before the next command execution — a command already in flight is not interrupted.
agents fulfill
Fulfills a pending secret request through a masked local prompt. The value is stored directly in the encrypted vault and is never sent through the MCP channel.
Lease lifecycle
1
Agent requests a lease
The agent calls
request_lease with one or more command IDs from the policy, a reason, and a desired TTL.2
Command is blocked
The
run_sealed MCP call is blocked. The agent receives a wait response and polls for status.3
You review the request
The request appears in
ironrun agents list and in the TUI Inbox tab.4
You approve
5
Lease expires or is revoked
The lease expires after the approved TTL. You can revoke it at any time with
ironrun agents revoke.Lease pins
A lease is bound to the exact MCP server session, environment, command set, and expiry. Restarting the MCP server creates a new session and invalidates all leases associated with the old session — the agent must request new leases.Leases require opt-in via
require_agent_leases: true in ironrun.yml. They are off by default for compatibility. For normal local development where you trust the agent broadly, trusted sessions (ironrun trust) are simpler.