ironrun mcp, it exposes a set of tools that AI agents — Claude Code, Cursor, Codex, and others — can call to run commands and interact with secrets. The key design constraint is that none of these tools ever return a raw secret value. Secrets flow into child processes, and anything that looks like a secret in the output is replaced with [REDACTED] before the agent sees it.
Starting the server
.mcp.json so the agent host starts it automatically. ironrun setup writes that file for you.
Available tools
Every tool the server exposes is value-blind by design: none of them accept a plaintext secret value as a parameter, and none of them return one.Audit session
When the MCP server starts, it opens one audit log session. Everyrun_sealed call from the same agent session shares a session ID in the audit log, so you can trace all commands back to a single agent interaction.
Key principle
None of these tools ever return a secret value. If you review the source atmcp/server.go, you’ll see there is no code path that reads a secret and returns it to the caller. The agent gets back exit codes, durations, and redacted output — nothing else.
run_sealed
Execute commands with secrets injected below agent visibility
Workspace Access
Request and check trusted development session status
propose_command
Let agents suggest new policy commands for human review
Agent Setup Guide
Configure Claude Code, Cursor, and Codex to use ironrun