Sealed execution for AI agents

Run agents.
Not your secrets.

Every AI coding agent runs commands through your shell. Your API keys, database URLs, and credentials are right there - readable, exfiltrable, permanent. ironrun injects secrets below the AI layer so the model never sees them.

$ brew install generalized-labs/tap/ironrun
01 The Exposure

You gave an AI access to your shell.
Think about what that means.

Everything in your environment is readable. $STRIPE_SECRET. $DATABASE_URL. Every key you've ever exported. Claude Code logs every tool call to ~/.claude/projects/ -- every argument, every value that passes through a command. If a secret appeared on a command line or in its output, it's in that transcript. Your keys are probably in there right now.

Without ironrun
# Agent runs your deploy script
$ ./deploy.sh --prod

# Your secrets hit stdout
STRIPE_SECRET=sk_live_...
AWS_SECRET=wJalrX...
# Now in the model's context.
# Logged. Cached. Permanent.
With ironrun
# Agent requests sealed execution
$ ironrun run deploy

# Secrets injected below the agent
Deploying to prod...
using key=[REDACTED]
exit_code: 0
# Agent sees [REDACTED], never
# the value. That's the seal.
02 Mechanism

Three gates.
Nothing gets through.

Drop a YAML file in your project. ironrun handles the vault, the subprocess, and the output. Your agent calls a tool and gets back an exit code and redacted output. That's it. It never sees the secret values that ran inside.

1 Vault

Secrets stay in your vault until the moment they're needed. 1Password, Doppler, Infisical, or a local envfile. Pulled at exec time and handed only to the sealed subprocess; ironrun itself never writes them to disk.

provider: 1password
commands:
  - id: deploy
    env:
      STRIPE_SECRET: op://vault/stripe/key
      AWS_SECRET: op://vault/aws/secret

2 Execute

Command runs sealed. Parent env stripped. No shell - argv is exec'd directly, so no $(), no backticks, no pipes. Only the exact command you named can run. The named program still does whatever its code does; the gate bounds what the agent can request, not what the script is written to do.

commands:
  - id: deploy
    argv: [./deploy.sh, --prod]
    ttl: 30s
    no_network: true

3 Redact

Every byte of stdout and stderr runs through a rolling pattern match before the agent sees it. A secret shows up in the output? Gone before it reaches the agent. The match is against the secret values themselves, so an encoded or transformed copy (base64, hex) is not caught; that is why the redactor is the last gate, not the only one.

# What the agent receives:
exit_code: 0
duration_ms: 191
stdout: "Deployed. key=[REDACTED]"
# the secret values themselves are never returned
03 Security Model

Six layers because one isn't enough.

ironrun assumes your agent is compromised. Every layer independently blocks exfiltration. Fail any one, the others hold. This is defense in depth -- not a tagline, the actual design.

Shell Denial
No shell interpretation of the command line. argv is exec'd directly - no backticks, no $(), no pipes, no word splitting - so ironrun never invokes a shell to parse what the agent asked for.
Env Sanitize
Parent environment stripped. Only declared variables injected. The subprocess starts clean.
Binary Allowlist
Only named executables can run. Everything else denied. No curl to arbitrary endpoints.
Rolling Redactor
Streaming match on stdout/stderr. Secrets replaced before buffering. Catches partial leaks across chunks.
TTL Enforcement
Commands have a time-to-live. Exceed it, the process is killed. No hung process lingering in the background with secrets in its environment.
MCP Native
First-class Model Context Protocol server. Agents call ironrun as a tool. No shell wrapper needed.
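The three gates (vault pull at exec time, direct exec with a stripped environment and a TTL, rolling redaction) and the first five layers above, as an added Python example that is not ironrun's code. The policy dict mirrors the ironrun.yml shape, but every command id, the in-memory FAKE_VAULT standing in for a 1Password/Doppler/envfile provider, and the helper names (resolve_secret, redact_stream, run_sealed) are assumptions; no_network is not reproduced. The part worth reading closely is redact_stream, which holds back the last maxlen-1 characters so a secret split across two reads, or one secret that is a prefix of another, is still caught rather than committed short.

```python
"""Sealed-run loop in the shape the page describes (added example, not ironrun's source)."""
import os
import re
import subprocess
import sys
from typing import Iterable, Iterator, Optional, Sequence

# Constructed policy mirroring the ironrun.yml shape: exact argv (no shell), secret
# references to inject, and a TTL in seconds. The command ids are assumptions.
POLICY = {
    "show-key": {
        "argv": [sys.executable, "-c",
                 "import os; print('using key=' + os.environ['STRIPE_SECRET']); "
                 "print('inherited LEAKY_VAR:', os.environ.get('LEAKY_VAR', 'absent'))"],
        "env": {"STRIPE_SECRET": "op://vault/stripe/key"}, "ttl": 5},
    # argv goes to exec verbatim, so the $(...) below is printed, never evaluated
    "echo-arg": {
        "argv": [sys.executable, "-c", "import sys; print(sys.argv[1])", "$(cat /etc/passwd)"],
        "env": {}, "ttl": 5},
    # sleeps past its TTL and must be killed
    "hang": {"argv": [sys.executable, "-c", "import time; time.sleep(30)"], "env": {}, "ttl": 0.5},
}
# Constructed stand-in for a vault provider: reference -> value, resolved only at exec time.
FAKE_VAULT = {"op://vault/stripe/key": "sk_live_EXAMPLE_0123456789"}


def resolve_secret(ref: str) -> str:
    return FAKE_VAULT[ref]


def redact_stream(chunks: Iterable[str], secrets: Sequence[str], marker: str = "[REDACTED]") -> Iterator[str]:
    """Rolling redactor: replace secret values in a stream even when one is split across chunks.

    A position is only resolvable once maxlen more characters are known, so the last
    maxlen - 1 characters are held back, and a match starting inside that window waits for
    the next chunk instead of being committed short (matters when one secret prefixes another).
    """
    if not secrets:
        yield from chunks
        return
    # Longest alternative first so a secret that prefixes another is not matched short.
    pattern = re.compile("|".join(re.escape(s) for s in sorted(secrets, key=len, reverse=True)))
    maxlen = max(len(s) for s in secrets)
    buf = ""
    for chunk in chunks:
        buf += chunk
        boundary = len(buf) - (maxlen - 1)   # positions >= boundary are not yet resolvable
        out, pos = [], 0
        for m in pattern.finditer(buf):
            if m.start() >= boundary:
                break
            out += [buf[pos:m.start()], marker]
            pos = m.end()
        flush_end = max(pos, boundary)
        out.append(buf[pos:flush_end])
        buf = buf[flush_end:]
        if any(out):
            yield "".join(out)
    if buf:
        yield pattern.sub(marker, buf)   # at EOF everything left is resolvable


def chunked(text: str, size: int) -> Iterator[str]:
    """Simulate reading the child's pipe a few bytes at a time."""
    for i in range(0, len(text), size):
        yield text[i:i + size]


def run_sealed(command_id: str, parent_env: Optional[dict] = None,
               keep: tuple = ("PATH", "HOME", "SYSTEMROOT"), chunk_size: int = 4) -> dict:
    """Allowlist lookup, stripped env plus declared secrets only, direct exec, TTL kill, redaction."""
    if command_id not in POLICY:
        raise PermissionError(f"command {command_id!r} is not in the policy")
    spec = POLICY[command_id]
    parent_env = dict(os.environ) if parent_env is None else parent_env
    secrets = {name: resolve_secret(ref) for name, ref in spec["env"].items()}
    env = {k: parent_env[k] for k in keep if k in parent_env}   # everything else stripped
    env.update(secrets)
    timed_out, exit_code = False, None
    try:
        proc = subprocess.run(spec["argv"], env=env, shell=False, capture_output=True,
                              text=True, timeout=spec["ttl"])
        exit_code, raw_out, raw_err = proc.returncode, proc.stdout, proc.stderr
    except subprocess.TimeoutExpired as exc:   # run() has already killed the child
        timed_out = True
        raw_out, raw_err = exc.stdout or b"", exc.stderr or b""
    if isinstance(raw_out, bytes):   # TimeoutExpired may carry bytes even in text mode
        raw_out = raw_out.decode(errors="replace")
    if isinstance(raw_err, bytes):
        raw_err = raw_err.decode(errors="replace")
    values = list(secrets.values())
    return {"exit_code": exit_code, "timed_out": timed_out,
            "stdout": "".join(redact_stream(chunked(raw_out, chunk_size), values)),
            "stderr": "".join(redact_stream(chunked(raw_err, chunk_size), values))}


if __name__ == "__main__":
    for cid in ("show-key", "echo-arg", "hang"):
        print(cid, run_sealed(cid))
```

Running it shows the three behaviours the layers promise: "show-key" prints using key=[REDACTED] and reports the parent's LEAKY_VAR as absent, "echo-arg" prints the literal $(cat /etc/passwd) because nothing ever parsed it as shell, and "hang" comes back with timed_out set after half a second. An id that is not in POLICY is refused before anything runs.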
04 Architecture

The airgap is structural.

Secrets exist only inside the sealed process. Never serialized. Never logged. Never in the agent's context. This isn't a wrapper around your commands. It's a wall between your secrets and the model.

Agent (ironrun exec) -> Policy (validate + allow) -> Sealed Zone (secrets + process) -> Redactor (strip + return) -> Agent (safe output)
05 Works With

One policy file. Every agent.

ironrun sits between your agent and the shell. If it runs shell commands, it works with ironrun. Native MCP support means zero config for modern agents -- just ironrun init and done.

Claude Code      MCP tool or CLI wrapper   supported
Cursor           MCP tool integration      supported
OpenAI Codex     CLI wrapper mode          supported
Windsurf         MCP tool integration      supported
GitHub Actions   Native action             supported
Any MCP Client   Built-in MCP server       supported
macOS            arm64 + amd64             native
Linux            arm64 + amd64             native
06 Quickstart

Sealed in three commands.

Install, initialize, done. ironrun init writes your policy, the MCP config, and a CLAUDE.md - so the agent runs commands through ironrun automatically.

1 Install

One binary. macOS and Linux, arm64 and amd64. No runtime, no daemon.

# Homebrew
$ brew install generalized-labs/tap/ironrun

2 Initialize

Detects your project and writes ironrun.yml, .claude/mcp.json, and a CLAUDE.md. Edit the policy to name your commands and secrets.

$ cd your-project
$ ironrun init
  - Created ironrun.yml
  - Created .claude/mcp.json
  - Created CLAUDE.md

3 Run sealed

Your agent calls the run_sealed MCP tool instead of the shell. Secrets go in, only redacted output comes back.

# Agent calls the MCP tool:
run_sealed("test")
exit_code: 0
stdout: "ok - key=[REDACTED]"

6 independent security layers. 0 secrets in agent context. 1 YAML to configure. MIT license.

Stop hoping the agent won't look.

One YAML file. Full protection. Open source forever.

Get started on GitHub