ironrun doctor is your first stop when something isn’t working. It runs a complete read-only diagnostic on your ironrun setup in one shot — policy parsing, provider authentication, the redaction engine, and binary resolution for every command. It exits non-zero and points at exactly what is broken. Nothing is executed and no secrets are resolved.
Usage
Example output
What it checks
1
Policy file
Loads and parses
ironrun.yml (or the path set by --policy). Confirms the version is supported and reports the number of commands. If this check fails, no further checks run — fix the policy and re-run.2
Provider health
Instantiates the configured provider and runs a health check if the provider supports one. For providers with an external CLI (
1password, vault, doppler, infisical), this verifies the CLI is installed on PATH and that the current credentials are valid. For providers that need no external CLI (env, envfile, passthrough), it reports “no external CLI required” and passes.3
Redaction self-test
Writes a known canary value through the redaction engine and confirms that the value is replaced with
[REDACTED] in the output. If this fails, run output could reach the agent with real secret values in it.4
Command binary resolution
For each command in the policy, calls
exec.LookPath on argv[0] to confirm the binary exists and is executable. Reports a warning (○) for commands that use a shell invocation — those will be denied at runtime. Reports a failure (✗) for binaries that can’t be found.Exit codes
Difference from ironrun validate
ironrun validate only parses the policy file and checks that it’s syntactically valid. It does not check provider authentication, redaction, or binary resolution.
ironrun doctor runs all four checks. Use validate in CI to confirm a policy change is well-formed; use doctor when you’re diagnosing a real problem on a developer machine.