ironrun.yml is the single YAML file that controls what commands agents can run and which secrets they receive. Every command the agent can call via run_sealed must appear in this file, along with any secret references it needs. Humans write and maintain the policy; agents can only propose additions with propose_command, which does nothing until a human approves it with ironrun approve.
Version 2 policy (current)
Version 2 policies use the encrypted environment vault for all secret storage. Secrets are referenced by name — the same name you used when you ranironrun add or ironrun import. Storing or rotating a value never requires a policy edit.
ironrun setup to generate a starter v2 policy for your project. It detects your stack and pre-fills commands from your existing .env key names.
Version 1 policy
Version 1 policies use a top-levelprovider: field and reference secrets by provider path in each command’s env: block. They remain fully supported. Use ironrun migrate to preview a transactional migration to v2.
Field reference
Top-level fields
Policy schema version. Use
"2" for new policies. "1" remains supported for existing policies.Where secrets come from. Required for v1 policies. See Secret Providers for the full list of supported values and reference formats.Examples:
1password, envfile:~/.secrets/myapp.env, doppler, vault, infisical, env, passthroughSet to
"active" to use the encrypted vault managed by ironrun env and ironrun new. This is the default for v2 policies.When
true, agents must call request_lease and wait for human approval before run_sealed will execute any command. Useful for sensitive or production environments. Defaults to false for backwards compatibility.When
true, agents can call propose_command to stage a new command for human approval. The command is not runnable until a human runs ironrun approve <id>. Defaults to false.Path to the audit log file. Defaults to
$XDG_STATE_HOME/ironrun/audit.log. Set to off to disable. You can also override this with the IRONRUN_AUDIT_LOG environment variable.Whether to apply the seccomp syscall denylist to all commands by default on Linux. Defaults to
true. Override per command with the seccomp field. Set to false globally with IRONRUN_SECCOMP=off.Command fields
The name the agent uses to call this command via
run_sealed (e.g. command_id: "deploy"). Must be unique within the policy. Use only letters, digits, -, and _.The exact binary and arguments to run, as a YAML list. No shell expansion, no pipes, no globs, no
$VAR substitution. ["npm", "test"] runs npm test directly — there is no shell in between.Kill the command after this duration. Accepts Go duration strings:
30s, 10m, 2h. Set to 0 for no timeout (use with care for long-running dev servers).Cap the combined stdout + stderr at this many bytes. Output beyond the limit is dropped and the agent receives a truncation notice. Example:
10485760 for 10 MB.Block outbound network access for this command’s child process. On Linux, uses a network namespace. On macOS, uses
sandbox-exec. Defaults to false.Apply the seccomp syscall denylist to this command on Linux. Overrides
seccomp_default. Set to false to allow syscalls that the default filter blocks, such as ptrace for a debugger.Run the command from this directory instead of the project root. Accepts relative paths (relative to the policy file location) or absolute paths.
(v1 policies) Map of environment variable name → provider reference. The reference format depends on the top-level
provider: field. See Secret Providers.(v2 policies) List of encrypted environment entry names to inject for this command. These are the names you used when running
ironrun add KEY or ironrun import .env — not provider paths.Important: argv is a literal list, not a shell line
This is a security feature: an injected secret value can never be re-expanded, piped somewhere unexpected, or exfiltrated through shell substitution.Linting and validation
ironrun lint regularly. It catches common mistakes like a deploy command that injects secrets but has no_network: false and no ttl.
Use ironrun doctor for a full end-to-end check: policy parses, provider CLI is installed and authenticated, redactor self-test passes, and every command’s binary resolves on PATH.