> ## Documentation Index
> Fetch the complete documentation index at: https://docs.ironrun.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# ironrun — Sealed Command Execution for AI Coding Agents

> ironrun injects secrets into commands while keeping them invisible to AI agents — your credentials never appear in chat transcripts or agent logs.

ironrun is a local-first tool that lets AI coding agents run commands with live secrets — without ever seeing those secrets. It sits between the agent and every command it executes, injecting credentials at runtime and stripping them back out of all output before the agent reads the result.

<CardGroup cols={2}>
  <Card title="Quickstart" icon="rocket" href="/quickstart">
    Set up a project and run your first sealed command in under five minutes
  </Card>

  <Card title="Installation" icon="download" href="/installation">
    Install ironrun on Linux, macOS, or Windows using curl, Go, or npm
  </Card>

  <Card title="How It Works" icon="shield-halved" href="/concepts/how-it-works">
    Understand the airgap model, output redaction, and trust architecture
  </Card>

  <Card title="Agent Setup" icon="robot" href="/guides/agent-setup">
    Connect ironrun to Claude Code, Cursor, or Codex via MCP
  </Card>
</CardGroup>

## The problem ironrun solves

AI coding agents run shell commands on your machine, and some of those commands print secrets:

```bash theme={null}
printenv                 # dumps every env var, including secrets
cat .env                 # prints your local secrets file
echo $STRIPE_SECRET_KEY  # a normal debugging step
docker inspect web       # config blobs often contain credentials
```

When an agent runs one of these commands — even while legitimately debugging — the secret value lands in the chat transcript, the model's context window, and potentially the provider's logs. ironrun adds the missing piece: secrets flow **in** to commands, but never flow back **out** to the agent.

## How it works

```
Agent → run_sealed(argv) → ironrun → inject secrets → run command
                                           ↓
                               redact values from output
                                           ↓
                           Agent sees: exit_code=0, stdout="ok"
                           Agent never sees: DATABASE_URL=postgres://...
```

<Steps>
  <Step title="Install ironrun">
    Download the binary and add it to your PATH.

    ```bash theme={null}
    curl -fsSL https://ironrun.dev/install.sh -o /tmp/ironrun-install.sh
    bash /tmp/ironrun-install.sh
    ```
  </Step>

  <Step title="Run setup in your project">
    ironrun detects your stack, creates an encrypted environment, and wires up your AI agent automatically.

    ```bash theme={null}
    cd your-project
    ironrun setup
    ```
  </Step>

  <Step title="Start your agent">
    Launch Claude Code, Cursor, or Codex. The agent uses `run_sealed` instead of raw shell commands — and never sees secret values.
  </Step>
</Steps>

## Key capabilities

<CardGroup cols={2}>
  <Card title="Policy File" icon="file-lines" href="/concepts/policy-file">
    Define approved commands and bind them to secret references in a single YAML file
  </Card>

  <Card title="Secret Providers" icon="vault" href="/concepts/secret-providers">
    Pull secrets from 1Password, Doppler, Infisical, HashiCorp Vault, or local envfiles
  </Card>

  <Card title="Trusted Sessions" icon="user-check" href="/cli/trust">
    Grant an agent a two-hour revocable session for normal development work
  </Card>

  <Card title="CI / GitHub Actions" icon="github" href="/guides/ci-github-actions">
    Block fork PRs from accessing production secrets automatically
  </Card>

  <Card title="MCP Tools" icon="plug" href="/mcp/overview">
    Value-blind MCP tools: run\_sealed, list\_commands, propose\_command, and more
  </Card>

  <Card title="Audit Log" icon="list-check" href="/cli/audit">
    Tamper-evident hash-chained log of every sealed execution
  </Card>
</CardGroup>
