Skip to main content
ironrun acts as an MCP (Model Context Protocol) server. When you run ironrun mcp, it exposes a set of tools that AI agents — Claude Code, Cursor, Codex, and others — can call to run commands and interact with secrets. The key design constraint is that none of these tools ever return a raw secret value. Secrets flow into child processes, and anything that looks like a secret in the output is replaced with [REDACTED] before the agent sees it.

Starting the server

In practice you configure this once in .mcp.json so the agent host starts it automatically. ironrun setup writes that file for you.

Available tools

Every tool the server exposes is value-blind by design: none of them accept a plaintext secret value as a parameter, and none of them return one.

Audit session

When the MCP server starts, it opens one audit log session. Every run_sealed call from the same agent session shares a session ID in the audit log, so you can trace all commands back to a single agent interaction.

Key principle

None of these tools ever return a secret value. If you review the source at mcp/server.go, you’ll see there is no code path that reads a secret and returns it to the caller. The agent gets back exit codes, durations, and redacted output — nothing else.

run_sealed

Execute commands with secrets injected below agent visibility

Workspace Access

Request and check trusted development session status

propose_command

Let agents suggest new policy commands for human review

Agent Setup Guide

Configure Claude Code, Cursor, and Codex to use ironrun