Skip to main content
run_sealed is the core tool agents use to run commands. It accepts either a policy command ID (strict mode) or an argv array (trusted workspace session mode), runs the command with secrets injected, and returns cleaned output. The agent never sees the secret values — only the results of running the command with them.

Two modes

Strict mode — command_id

Pass a command_id that matches an entry in ironrun.yml. The command runs with exactly the secrets declared in its policy entry, under whatever constraints the policy sets (TTL, network, seccomp, workdir). No trust session is required.
Use this for CI, production, or any workflow where you want to guarantee only pre-approved commands can run.

Trusted session mode — argv

Pass an argv array after a human has granted a workspace trust session. Any argv is accepted — this is the fast path for normal local development.
If no trust session exists yet, run_sealed creates a pending request and blocks until the human approves it. The agent does not need to call request_workspace_access first; run_sealed handles the blocking wait automatically.
Exactly one of command_id or argv must be provided. Passing both, or neither, returns an error.

Parameters

command_id
string
A policy command ID for strict mode. Must match an id in ironrun.yml. Do not provide argv when using this parameter.
argv
array of strings
The exact binary and arguments for trusted workspace session mode, for example ["npm", "test"]. No shell, no glob expansion, no $VAR substitution. Do not provide command_id when using this parameter.

Response

The tool always returns a text result, even when the command exits non-zero. A non-zero exit code is a valid result the agent should see and reason about — it is not treated as a tool error.
exit_code
integer
The process exit code. Zero means success; anything else is a failure from the command itself.
duration_ms
integer
How long the command ran in milliseconds.
stdout
string
Standard output from the command, with all secret values redacted.
stderr
string
Standard error from the command, with all secret values redacted.

Example response

If the output was cut by the max_bytes limit set in policy, a note is appended:
If ironrun detects a high-entropy token in the output that wasn’t a registered secret (and therefore wasn’t redacted), it appends an advisory note — the count only, never the token:

Redaction

Before any output reaches the agent, ironrun runs it through a redaction layer that replaces:
  • The literal secret value
  • Base64-encoded forms of the value
  • Hex-encoded forms of the value
  • URL-encoded forms of the value
All of these become [REDACTED]. This means a command that prints Authorization: Bearer sk_live_abc123 will produce Authorization: Bearer [REDACTED] — even if the encoding was applied by the command itself.

What triggers a wait

All blocking waits are visible in the global Inbox TUI. The agent continues to wait with no further action needed on its part.
run_sealed never accepts a secret value as a parameter. There is no field on this tool for passing credentials. Secrets flow from the encrypted vault into the child process environment, not through the agent.