Skip to main content
The ironrun CLI is organized into four groups — everyday, agents, setup, and advanced — so you can find the right command for any task: managing secrets in the encrypted vault, controlling what AI agents can run, validating your policy file, or auditing what happened after the fact. Run ironrun with no arguments to open the global workspace TUI.

run

Execute a sealed policy command with secrets injected and output redacted

env

Create, switch, clone, import, and manage named secret environments

trust

Grant and revoke trusted agent workspace sessions

access

Manage per-command agent leases and secret requests

capsule

Encrypt secrets into chat-safe one-time ciphertexts

audit

Verify the tamper-evident hash-chained execution log

Command groups

Everyday

Agents and sharing

Setup and safety

Advanced

Global flag

Every ironrun command accepts one global flag:

Opening the TUI

Running ironrun with no arguments opens the global workspace TUI — environments, masked key names, approved commands, agent requests, leases, and audit state. Use arrow keys, Enter, Escape, and Tab to navigate; press / for the action palette and ? for help.