[REDACTED]. The agent gets the information it needs to continue working; it never gets the credentials themselves.
The threat model: what happens without ironrun
Coding agents run shell commands on your machine. Most of the time that’s fine. The problem is the small set of commands that print the environment:The MCP layer: how a sealed run works
When ironrun runs as an MCP server (ironrun mcp), it exposes a run_sealed tool to the agent. Here is the complete sequence for a single command:
list_commands— returns command names and theirargv, nothing elserun_sealed— runs a policy command bycommand_idor runs arbitraryargvinside a human-trusted workspace session; returns exit code, duration, and redacted stdout/stderrrequest_workspace_accessandworkspace_status— requests temporary project/environment access and inspects safe session metadatavalidate_policy— confirms the policy is well-formed and returns provider and command countpropose_command— stages a new command for human approval; does not execute anything
Output redaction
ironrun’s redactor processes all stdout and stderr before they reach the agent. It covers:- Literal values — the exact string of each secret
- Base64-encoded forms — the base64 encoding of each secret value
- Hex-encoded forms — the hex encoding of each secret value
- URL-encoded forms — percent-encoded forms of each secret value
- Entropy scan — a warn-only pass that flags high-entropy tokens that look like secrets but weren’t registered values; the agent sees a note counting these, never the token itself
max_bytes limit, ironrun notes that in the result. If the entropy scan fires, the agent sees [ironrun] note: N high-entropy token(s) in the output may be an unredacted secret — a count, never the token.
Security hardening
Both of these hardening features are on by default and fail open: if the kernel or OS does not support them, ironrun logs a warning and continues rather than blocking execution.
ptrace, process_vm_readv, and similar memory-snooping syscalls. This prevents a child process from reading secrets out of the ironrun process’s own memory. You can turn it off per command with seccomp: false, policy-wide with seccomp_default: false, or globally with the environment variable IRONRUN_SECCOMP=off.
No-network option — set no_network: true on any command to block outbound network access for that command’s child process (Linux network namespace; macOS sandbox-exec). This is useful for test commands that should never phone home.
What ironrun does NOT protect against
ironrun guards the path between the agent and the command output. It is not a sandbox for hostile code. Be honest with yourself about these limits:- A command that deliberately writes a secret to a file and reads it back later will succeed.
- Network exfiltration by a command running with
no_network: false(the default) is not blocked. A trusted agent could deliberately exfiltrate a secret through a network request inside a trusted command. - Secrets in files that the command itself creates are not automatically cleaned up.
- Anyone who already has access to the machine ironrun runs on can read secrets through other paths.
SECURITY.md for the full threat model.
Audit log
Everyrun_sealed call appends a tamper-evident, hash-chained record to the audit log. The record includes the command, argv, and secret names — never values. The log lives at $XDG_STATE_HOME/ironrun/audit.log by default.
IRONRUN_AUDIT_LOG environment variable or the top-level audit_log: field in ironrun.yml:
Performance
ironrun adds approximately 5–10ms overhead per command invocation:- ~2ms for provider lookup with
envorenvfileproviders - Up to ~100ms for a 1Password CLI call (network + auth)
- Under 1ms for the redaction layer on typical output sizes