DATABASE_URL. The agent gets back exit_code: 0 and tests passed — and never the connection string.
The threat: secrets leak through normal debugging
Coding agents (Claude Code, Codex, Cursor, and others) run shell commands on your machine, and those commands can see your environment. Most of the time that’s fine. The problem is the small set of commands that print the environment:“Three confirmed incidents at one operator workstation in ~6 days. Each incident forced a credential rotation. None of these are exotic — they’re shapes that came up during normal diagnosis work the model was asked to do.” — anthropics/claude-code#65122
The solution: secrets flow in, never out
The agents don’t redact their own output, and the secret managers you already use (op run, doppler run, infisical run) inject secrets but don’t redact either. ironrun adds the missing piece: it sits between the agent and the command so secrets flow in to commands but never flow back out to the agent.
argv only during a temporary session you explicitly trust. Strict policy commands remain available for CI, production, and sensitive projects. ironrun never has a tool that returns a secret’s value.
ironrun adds approximately 5–10 ms per command invocation: ~2 ms for provider lookup (env/envfile), up to ~100 ms for a 1Password CLI call. The redaction layer adds under 1 ms for typical output sizes.
Key capabilities
How it works
Deep dive into the sealed execution pipeline: secret resolution, process isolation, the rolling-buffer redactor, and encoded-secret detection.
Policy file
The full
ironrun.yml reference — commands, providers, TTLs, no_network, seccomp filters, and the audit log.Agent setup
Wire up Claude Code, Codex, and Cursor so every command they run goes through
run_sealed instead of a bare shell.MCP tools
The value-blind MCP tools ironrun exposes:
run_sealed, list_commands, request_workspace_access, workspace_status, and validate_policy.How ironrun compares to op run / doppler run / infisical run
Those tools resolve your secrets and inject them as environment variables — which is great, and ironrun does that too. The difference is everything that happens after the command starts printing output:
Doppler does ship an MCP server, but it gives agents direct read access to secret values — the opposite goal. ironrun’s MCP server lets agents run commands, never read secrets.
What ironrun protects — and what it doesn’t
ironrun keeps secrets out of:printenv,env,echo $VAR, and shell-expansion tricks the agent might run- The agent’s chat transcript and the model’s context window
- A screen share, recording, or screenshot of that session
- Claude Code’s JSONL conversation logs
- CI logs that a fork-PR author could read
- A command that deliberately writes a secret to a file and reads it back later
- Network exfiltration by a command running with
no_network: false(the default) - Secrets in files the command itself creates
- Anyone who already has direct access to the machine ironrun runs on