run_sealed for all commands that need credentials — secrets flow into the child process, output is redacted before it returns, and the agent’s context never contains a live secret value.
How it works
Runningironrun mcp starts the MCP server over stdio. Agents discover the run_sealed tool and call it with either a command_id (a saved command from ironrun.yml) or a literal argv array. ironrun checks the active session, resolves the encrypted environment, runs the command, streams output through the redactor, and hands back exit code plus cleaned output — nothing else.
The MCP tools available to the agent are intentionally value-blind:
Setting up your agent
- Claude Code
- Cursor
- Codex
The fastest path is Setup previews every file it will write and detects Claude Code reads
ironrun setup, which auto-creates both .mcp.json and CLAUDE.md in your project root. Run it once per project:.env key names without displaying values. Afterwards your project root contains:.mcp.json — wires Claude Code to the ironrun MCP server:CLAUDE.md — instructs Claude Code to use run_sealed. The directive ironrun writes looks like:CLAUDE.md on startup and respects explicit directives strongly. After setup, start Claude Code normally — it will discover run_sealed and ask for a trusted workspace session before running commands.Trusted workspace session flow
For normal local development, ironrun uses trusted workspace sessions — a lightweight approval flow that lets you authorize an agent once and have it work freely for two hours.1
Agent requests access
When the agent first calls
run_sealed with an argv array (or explicitly calls request_workspace_access), ironrun blocks the command and posts a request to the global Inbox.2
You review and approve
Open the ironrun TUI (
ironrun or ironrun tui) and navigate to the Inbox tab. You’ll see the agent’s request — the project, environment, and reason. Press Enter to approve.3
Agent works normally
The same MCP session can now run commands for the selected project and environment for two hours without further prompts.
4
Session expires or you revoke it
After two hours the session expires automatically. You can also revoke it immediately:
staging and prod environments require a separate explicit grant from dev.
You can also pause, extend, or inspect sessions:
What if the agent ignores run_sealed?
If the agent keeps running shell commands directly instead of usingrun_sealed, check the following:
CLAUDE.md/CODEX.md/.cursorrulesexists in the project root and contains a clear directive to userun_sealed.- The MCP server is connected — confirm it in the agent’s settings or run
ironrun mcpmanually to verify it starts without errors. - The directive is explicit — vague instructions like “prefer ironrun” are less reliable than “Use run_sealed for all commands that need credentials. Do not run printenv, cat .env, or echo $VAR.”
ironrun setup regenerates all three files if they are missing or incomplete.