Skip to main content
ironrun doctor is your first stop when something isn’t working. It runs a complete read-only diagnostic on your ironrun setup in one shot — policy parsing, provider authentication, the redaction engine, and binary resolution for every command. It exits non-zero and points at exactly what is broken. Nothing is executed and no secrets are resolved.

Usage

Example output

When all checks pass:

What it checks

1

Policy file

Loads and parses ironrun.yml (or the path set by --policy). Confirms the version is supported and reports the number of commands. If this check fails, no further checks run — fix the policy and re-run.
2

Provider health

Instantiates the configured provider and runs a health check if the provider supports one. For providers with an external CLI (1password, vault, doppler, infisical), this verifies the CLI is installed on PATH and that the current credentials are valid. For providers that need no external CLI (env, envfile, passthrough), it reports “no external CLI required” and passes.
3

Redaction self-test

Writes a known canary value through the redaction engine and confirms that the value is replaced with [REDACTED] in the output. If this fails, run output could reach the agent with real secret values in it.
4

Command binary resolution

For each command in the policy, calls exec.LookPath on argv[0] to confirm the binary exists and is executable. Reports a warning (○) for commands that use a shell invocation — those will be denied at runtime. Reports a failure (✗) for binaries that can’t be found.

Exit codes

Difference from ironrun validate

ironrun validate only parses the policy file and checks that it’s syntactically valid. It does not check provider authentication, redaction, or binary resolution. ironrun doctor runs all four checks. Use validate in CI to confirm a policy change is well-formed; use doctor when you’re diagnosing a real problem on a developer machine.
Run ironrun doctor after any of the following: initial setup, changing the provider, rotating credentials, adding a new command, or when an agent reports unexplained command failures.