{"id":"provos-ironcurtain","name":"ironcurtain","homepage":"https://ironcurtain.dev","repo_url":"https://github.com/provos/ironcurtain","category":"security","subcategories":[],"tags":["ai-ml","agent","security","sandbox","mcp","policy","trusted-process","typescript","cli"],"what_it_does":"IronCurtain is a TypeScript runtime/CLI for autonomous AI agents that enforces a human-readable “constitution” (policy) compiled into deterministic rules. It mediates all agent tool calls via MCP servers (e.g., filesystem/git/github/workspace) and a policy engine that allows/denies/escalates actions for user approval, with agent code isolated in a V8 sandbox (builtin mode) or an external agent constrained by Docker + network/MCP mediation (docker mode).","use_cases":["Autonomous code-related workflows (git operations, repo changes) with user-controlled escalation","Agent access control via natural-language policy for development/CI tooling","Running AI agents that can interact with external systems (GitHub, Google Workspace) under explicit allow/escalate/deny rules","Building personas/workspaces with different access levels and persistent memory"],"not_for":["High-assurance regulated environments without independent security review/verification","Use where you need a stable, long-term API/contract for programmatic access (it appears to be a research/early-stage project)","Environments where you cannot provide/handle required LLM API keys or required third-party tokens (GitHub/Google)"],"best_when":"You want autonomous agent functionality (including mutations) but require a boundary that routes risky actions through explicit policy and interactive approval, with defense-in-depth against prompt injection/drift.","avoid_when":"You need a simple drop-in HTTP API service; IronCurtain is a local runtime/CLI with mediated tool calls and may require setup of multiple external integrations (LLM provider, optional GitHub/Google auth).","alternatives":["Other agent sandboxing/permissioning frameworks (agent tool permissioning + sandbox)","Human-in-the-loop agent frameworks that require explicit approval per action","Custom MCP server + policy gateway solutions (build your own allow/deny/escalate layer)"],"af_score":52.8,"security_score":63.8,"reliability_score":26.2,"package_type":"mcp_server","discovery_source":["github"],"priority":"high","status":"evaluated","version_evaluated":null,"last_evaluated":"2026-03-30T13:41:37.708662+00:00","interface":{"has_rest_api":false,"has_graphql":false,"has_grpc":false,"has_mcp_server":true,"mcp_server_url":null,"has_sdk":true,"sdk_languages":["TypeScript/JavaScript"],"openapi_spec_url":null,"webhooks":false},"auth":{"methods":["LLM provider API keys (Anthropic/Google/OpenAI) via environment variables or config","GitHub Personal Access Token for GitHub MCP server","OAuth setup for Google Workspace MCP server"],"oauth":true,"scopes":false,"notes":"Auth model is primarily configuration-based for local runtime. The README mentions OAuth setup via `ironcurtain auth` for Google Workspace; GitHub uses a personal access token. No public fine-grained OAuth scope list was provided in the provided content."},"pricing":{"model":null,"free_tier_exists":false,"free_tier_limits":null,"paid_tiers":[],"requires_credit_card":false,"estimated_workload_costs":null,"notes":"Pricing is not described. Costs likely come from underlying LLM usage and optional third-party APIs/tokens."},"requirements":{"requires_signup":false,"requires_credit_card":false,"domain_verification":false,"data_residency":[],"compliance":[],"min_contract":null},"agent_readiness":{"af_score":52.8,"security_score":63.8,"reliability_score":26.2,"mcp_server_quality":80.0,"documentation_accuracy":75.0,"error_message_quality":0.0,"error_message_notes":null,"auth_complexity":60.0,"rate_limit_clarity":10.0,"tls_enforcement":95.0,"auth_strength":70.0,"scope_granularity":35.0,"dependency_hygiene":55.0,"secret_handling":60.0,"security_notes":"Security posture is centered on defense-in-depth: mediation of every tool call through a policy engine, deny-by-default policy matching, and isolation (V8 isolate for builtin agent; Docker/no-network plus MITM proxy for docker mode). Authentication is supported for external MCP servers (GitHub PAT, Google OAuth) and LLM API keys. However, provided content does not include details on OAuth scopes granularity, formal threat-model coverage for all dependencies, explicit secret-redaction guarantees, or detailed runtime error-handling for policy bypass attempts.","uptime_documented":0.0,"version_stability":35.0,"breaking_changes_history":20.0,"error_recovery":50.0,"idempotency_support":"false","idempotency_notes":"No explicit idempotency guidance for tool calls/escalations was provided in the excerpt.","pagination_style":"none","retry_guidance_documented":false,"known_agent_gotchas":["Default policy denies by default unless rules explicitly allow/escalate; agent may require policy compilation/constitution adjustments for desired actions.","Because escalations may be required for mutations, workflows that expect fully autonomous behavior may need auto-approval/whitelisting configuration.","Policy compilation uses an LLM pipeline to compile/verify; if the constitution or dynamic lists are ambiguous, enforcement outcomes may be surprising until revised."]}}