Skip to main content
ironrun exposes an MCP server that AI agents connect to. Once connected, the agent uses run_sealed for all commands that need credentials — secrets flow into the child process, output is redacted before it returns, and the agent’s context never contains a live secret value.

How it works

Running ironrun mcp starts the MCP server over stdio. Agents discover the run_sealed tool and call it with either a command_id (a saved command from ironrun.yml) or a literal argv array. ironrun checks the active session, resolves the encrypted environment, runs the command, streams output through the redactor, and hands back exit code plus cleaned output — nothing else. The MCP tools available to the agent are intentionally value-blind:

Setting up your agent

The fastest path is ironrun setup, which auto-creates both .mcp.json and CLAUDE.md in your project root. Run it once per project:
Setup previews every file it will write and detects .env key names without displaying values. Afterwards your project root contains:.mcp.json — wires Claude Code to the ironrun MCP server:
CLAUDE.md — instructs Claude Code to use run_sealed. The directive ironrun writes looks like:
Claude Code reads CLAUDE.md on startup and respects explicit directives strongly. After setup, start Claude Code normally — it will discover run_sealed and ask for a trusted workspace session before running commands.

Trusted workspace session flow

For normal local development, ironrun uses trusted workspace sessions — a lightweight approval flow that lets you authorize an agent once and have it work freely for two hours.
1

Agent requests access

When the agent first calls run_sealed with an argv array (or explicitly calls request_workspace_access), ironrun blocks the command and posts a request to the global Inbox.
2

You review and approve

Open the ironrun TUI (ironrun or ironrun tui) and navigate to the Inbox tab. You’ll see the agent’s request — the project, environment, and reason. Press Enter to approve.
3

Agent works normally

The same MCP session can now run commands for the selected project and environment for two hours without further prompts.
4

Session expires or you revoke it

After two hours the session expires automatically. You can also revoke it immediately:
Trusted sessions are pinned to the MCP session, project, and environment. A server restart creates a new session — an old grant does not carry over. staging and prod environments require a separate explicit grant from dev. You can also pause, extend, or inspect sessions:

What if the agent ignores run_sealed?

If the agent keeps running shell commands directly instead of using run_sealed, check the following:
  • CLAUDE.md / CODEX.md / .cursorrules exists in the project root and contains a clear directive to use run_sealed.
  • The MCP server is connected — confirm it in the agent’s settings or run ironrun mcp manually to verify it starts without errors.
  • The directive is explicit — vague instructions like “prefer ironrun” are less reliable than “Use run_sealed for all commands that need credentials. Do not run printenv, cat .env, or echo $VAR.”
Running ironrun setup regenerates all three files if they are missing or incomplete.
ironrun protects agent context, conversation logs, and routine command output — it prevents secrets from leaking into the agent’s transcript and Claude Code’s JSONL session files. However, a trusted agent session grants the agent the ability to run commands with network access. A trusted agent could still deliberately exfiltrate a secret through network or file actions if you allow it. ironrun is not an OS sandbox for a process you choose to trust.