# ironcurtain

> A secure* runtime for autonomous AI agents. Policy from plain-English constitutions. (*https://ironcurtain.dev)

- **URL**: https://www.freshcrate.ai/projects/ironcurtain
- **Author**: provos
- **Category**: MCP Servers
- **Latest version**: `v0.11.0` (2026-05-18)
- **License**: Apache-2.0
- **Source**: https://github.com/provos/ironcurtain
- **Homepage**: https://ironcurtain.dev
- **Language**: TypeScript
- **GitHub**: 165 stars, 24 forks
- **Registry**: github
- **Tags**: `agent`, `mcp`, `model-context-protocol`, `policy`, `sandbox`, `security`, `trusted-process`, `typescript`

## Recent releases

| Version | Date | Urgency | Changes |
| --- | --- | --- | --- |
| `v0.11.0` | 2026-05-18 | High | ### Features  - **Vulnerability discovery workflow** — the marquee 0.11.0 feature: an orchestrator-driven, hub-and-spoke FSM that hunts memory-safety and logic bugs in native code under a user-supplied threat model. **Run it from the web UI** (`ironcurtain daemon --web-ui` → Workflows → New run): the visual state-machine graph, per-state agent-message timeline, gate review panel, artifact browser, and live escalation modal are the intended way to follow a multi-hour discovery run — agent sessio |
| `v0.10.0` | 2026-04-02 | High | ### Features  - **Custom API gateway support** — route LLM traffic through API gateways (LiteLLM, Ollama, etc.) via `ANTHROPIC_BASE_URL`, `OPENAI_BASE_URL`, and `GOOGLE_API_BASE_URL` environment variables or config file fields; the MITM proxy intercepts container traffic as usual but forwards upstream to the custom gateway; Code Mode passes `baseURL` directly to AI SDK providers (#148) - **`--model` CLI flag** — override the agent model on `start` and `mux` commands (e.g., `--model jaahas/qwen3 |
| `v0.9.1` | 2026-03-25 | Medium | ### Fixes  - **macOS mux text selection** — replace X11 mouse tracking with alternate scroll mode on macOS so native text selection (Shift+drag) works in Terminal.app; scroll wheel works in command mode via arrow key mapping (#130) - **macOS OAuth Keychain refresh** — refresh expired OAuth tokens from the macOS Keychain instead of silently falling back to API key auth; write refreshed tokens back to the Keychain via `security add-generic-password -U`; enable `OAuthTokenManager` self-refresh for |
| `v0.9.0` | 2026-03-24 | Medium | ### Features  - **Third-party OAuth onboarding** — full OAuth 2.0 flow for MCP servers with PKCE, callback server, token store with auto-refresh, interactive scope picker for Google services, `ironcurtain auth` CLI with setup guides, import, revocation, and incremental consent (#108) - **Google Workspace MCP server integration** — credential-file rendezvous pattern (access-token-only, no refresh token in MCP server), `TokenFileRefresher` with proactive refresh, strict filesystem sandbox with `d |
| `v0.8.0` | 2026-03-15 | Low | ### Features  - **Secure package installation proxy** — npm and PyPI registries are proxied through the MITM layer with metadata filtering (age-gate quarantine, allow/denylists), tarball backstop validation, and per-package audit logging; containers can now `npm install` and `pip install` packages at runtime without direct network access (#101) - **Debian apt registry proxy** — `apt-get install` works inside Docker containers by proxying `deb.debian.org` and `security.debian.org` through the MI |
| `memory-mcp-server/v0.1.3` | 2026-03-15 | Low | ## What's Changed * feat: integrate memory MCP server with personas and sessions by @provos in https://github.com/provos/ironcurtain/pull/98 * feat: server-namespace tool naming with prefix stripping by @provos in https://github.com/provos/ironcurtain/pull/102 * feat: secure package installation proxy for Docker agent mode by @provos in https://github.com/provos/ironcurtain/pull/101 * fix: memory_context missing memories and LLM config passthrough by @provos in https://github.com/provos/ironcurt |
| `memory-mcp-server/v0.1.2` | 2026-03-14 | Low | ## What's Changed * fix: retry tool call after roots expansion race condition by @provos in https://github.com/provos/ironcurtain/pull/93 * feat: session resume for Docker PTY sessions by @provos in https://github.com/provos/ironcurtain/pull/94 * feat: add memory MCP server with semantic search and retrieval by @provos in https://github.com/provos/ironcurtain/pull/95   **Full Changelog**: https://github.com/provos/ironcurtain/compare/v0.7.2...memory-mcp-server/v0.1.2 |
| `v0.7.2` | 2026-03-11 | Low | ### Fixes  - **Mux command-mode input retention** — preserve the input buffer when toggling between command mode and PTY mode with Ctrl-A; previously any typed text was lost on mode switch - **Stay in command mode after /new** — spawning a new session via `/new` (quick-spawn or directory picker) now returns to command mode instead of switching to PTY mode |
| `v0.7.1` | 2026-03-10 | Low | ### Fixes  - **macOS PTY session networking** — reverse PTY socat direction in the sidecar so the host can reach the container's PTY socket (MCP/MITM remain container→host); skip the readiness probe for TCP since the container's socat only accepts one connection; add retry logic in `attachPty` that polls until the connection receives data; allocate dynamic host ports via `findFreePort()` to avoid collisions between concurrent PTY sessions (#89) - **Filesystem server path in PTY sessions** — exp |
| `v0.7.0` | 2026-03-06 | Low | Release v0.7.0 |

## Citation

- HTML: https://www.freshcrate.ai/projects/ironcurtain
- Markdown: https://www.freshcrate.ai/projects/ironcurtain.md
- Dependencies JSON: https://www.freshcrate.ai/api/projects/ironcurtain/deps

_Generated by freshcrate.ai. Indexes github releases for AI-agent ecosystem packages._
