How sessions work
1
Agent requests access
The agent calls the
request_workspace_access MCP tool with a reason, or simply attempts run_sealed with an argv array.2
Request appears in your Inbox
The request shows up in the global Inbox — visible in the TUI (bare
ironrun) or via ironrun agents list.3
You grant the session
Review the request and grant it with a single command:
4
Agent works normally
For the duration of the session, the agent can call
run_sealed with any argv. Each command still has secrets injected and output redacted — the agent sees [REDACTED] wherever a secret value would appear.5
Session expires or you revoke it
The session expires automatically after the configured TTL (default: 2 hours). You can revoke it at any time with
ironrun trust revoke <trust-id>.Subcommands
trust list
Lists all trusted workspace sessions with their status, environment, session ID, network mode, and expiry time. Status values are active, paused, revoked, and expired.
trust grant
Approves a pending workspace access request and creates a trusted session. The --ttl flag sets the session lifetime; the default is the DefaultWorkspaceTTL (2 hours) and the maximum is 24 hours.
Override the trusted session lifetime from now. Maximum is 24 hours. Accepts Go duration strings such as
1h, 2h, 8h.trust pause
Suspends a trusted session without revoking it. The agent’s next run_sealed call will be blocked until you extend the session with a fresh expiry.
trust extend
Resumes a paused session or pushes the expiry forward from the current time.
New lifetime measured from now. Maximum is 24 hours.
trust revoke
Immediately revokes a trusted session. The session cannot authorize any further commands after revocation.
Session pins
A trusted session is bound to the exact MCP server session, project, and environment. If the MCP server restarts, a new session is created and the old grant does not transfer — you need to approve a fresh request.Scope
The default scope of a trusted session is the currentdev environment. Granting access to dev does not allow the agent to run commands against staging or prod. Those environments require a separate explicit grant.