Skip to main content
Trusted workspace sessions are the fast path for normal local development. Approve once, and the agent can run any command in the current project and environment for the session duration — without requiring a separate approval for each one. Secrets are still injected below agent visibility and redacted from all output; the agent never holds a raw credential value.

How sessions work

1

Agent requests access

The agent calls the request_workspace_access MCP tool with a reason, or simply attempts run_sealed with an argv array.
2

Request appears in your Inbox

The request shows up in the global Inbox — visible in the TUI (bare ironrun) or via ironrun agents list.
3

You grant the session

Review the request and grant it with a single command:
4

Agent works normally

For the duration of the session, the agent can call run_sealed with any argv. Each command still has secrets injected and output redacted — the agent sees [REDACTED] wherever a secret value would appear.
5

Session expires or you revoke it

The session expires automatically after the configured TTL (default: 2 hours). You can revoke it at any time with ironrun trust revoke <trust-id>.

Subcommands

trust list

Lists all trusted workspace sessions with their status, environment, session ID, network mode, and expiry time. Status values are active, paused, revoked, and expired.

trust grant

Approves a pending workspace access request and creates a trusted session. The --ttl flag sets the session lifetime; the default is the DefaultWorkspaceTTL (2 hours) and the maximum is 24 hours.
--ttl
duration
default:"2h"
Override the trusted session lifetime from now. Maximum is 24 hours. Accepts Go duration strings such as 1h, 2h, 8h.

trust pause

Suspends a trusted session without revoking it. The agent’s next run_sealed call will be blocked until you extend the session with a fresh expiry.

trust extend

Resumes a paused session or pushes the expiry forward from the current time.
--ttl
duration
default:"2h"
New lifetime measured from now. Maximum is 24 hours.

trust revoke

Immediately revokes a trusted session. The session cannot authorize any further commands after revocation.

Session pins

A trusted session is bound to the exact MCP server session, project, and environment. If the MCP server restarts, a new session is created and the old grant does not transfer — you need to approve a fresh request.

Scope

The default scope of a trusted session is the current dev environment. Granting access to dev does not allow the agent to run commands against staging or prod. Those environments require a separate explicit grant.
Trusted sessions allow the agent to supply arbitrary argv to run_sealed. A trusted agent could exfiltrate secrets through network requests or file writes, even though ironrun redacts values from command output. ironrun protects agent context, logs, and routine output — it is not an OS sandbox for a process you choose to trust. Use short TTLs and revoke sessions when the work is complete.
Run ironrun trust list before starting any sensitive work to see which sessions are currently active. Revoke any session you didn’t intend to leave open.