After review by AI Skill Hub, the ironcurtain MCP tool is rated "Recommended". The tool performs well on feature completeness, community activity and ease of use, with an AI score of 7.8, and is suited to users with some technical background.
It provides a securely isolated runtime environment for autonomous AI agents. Fine-grained permission control is implemented through a plain-English, constitution-style policy that blocks malicious operations. It is suited to building trusted AI applications, multi-agent systems and automated workflows that require strict security guarantees.
The ironcurtain MCP tool is an open-source tool written in TypeScript that focuses on sandbox isolation, policy control and the MCP protocol. As an open-source project on GitHub it has active community support and continuous releases; the code is fully transparent and auditable, and it supports local deployment to protect data privacy. Whether for personal use or integrated into enterprise workflows, it provides a stable and reliable solution.
```bash
# Option 1: global npm install
npm install -g ironcurtain
# Option 2: run directly with npx (no install needed)
npx ironcurtain --help
# Option 3: install as a project dependency
npm install ironcurtain
# Option 4: run from source
git clone https://github.com/provos/ironcurtain
cd ironcurtain
npm install
npm start
```
```bash
# Command-line usage
ironcurtain --help
# Basic usage
ironcurtain [options] <input>
```
```javascript
// Use from Node.js code
const ironcurtain = require('ironcurtain');
// Options object as documented by the package (placeholder here)
const options = {};
// await needs an async context in a CommonJS module
(async () => {
  const result = await ironcurtain.run(options);
  console.log(result);
})();
```
```bash
# ironcurtain configuration notes
# Print the example configuration
ironcurtain --config-example > config.yml
# Common configuration keys
# output_dir: ./output
# log_level: info
# workers: 4
# Environment variable (overrides the config file)
export IRONCURTAIN_CONFIG="/path/to/config.yml"
```
**A secure\* runtime for autonomous AI agents, where security policy is derived from a human-readable constitution.**

_\*When someone writes "secure," you should immediately be skeptical. What do we mean by secure?_
> [!WARNING]
> Research Prototype. IronCurtain is an early-stage research project exploring how to make AI agents safe enough to be genuinely useful. APIs, configuration formats, and architecture may change. Contributions and feedback are welcome.
IronCurtain ships with six pre-configured MCP servers. All tool calls (except memory) are governed by your compiled policy.
| Server | Tools | Key capabilities |
|---|---|---|
| **Filesystem** | 14 | Read, write, edit, search files; directory tree; move; diff calculation |
| **Git** | 28 | Full git workflow: status, diff, log, commit, branch, push/pull/fetch, clone, stash, blame |
| **Fetch** | 2 | HTTP GET with HTML-to-markdown conversion; web search (Brave, Tavily, SerpAPI) |
| **GitHub** | 41 | Issues, PRs, code search, reviews via ghcr.io/github/github-mcp-server; requires a GitHub personal access token |
| **Google Workspace** | 128 | Gmail, Calendar, Drive, Docs, Sheets — requires OAuth setup via ironcurtain auth |
| **Memory** | 5 | Persistent semantic memory with hybrid vector+keyword search, LLM summarization, and automatic compaction. Enabled for persona and cron sessions. |
Read-only operations are allowed by default policy; mutations (writes, pushes, PR creation) escalate for human approval. Tools use server.tool naming (e.g., filesystem.read_file, memory.recall). See ADDING_MCP_SERVERS.md to add your own.
Requirements: Node.js 22+ (required by isolated-vm; maximum Node 25).

As a global CLI tool (end users):

```bash
npm install -g @provos/ironcurtain
```
From source (development):

```bash
git clone https://github.com/provos/ironcurtain.git
cd ironcurtain
npm install
```
1. Set your API key:

```bash
export ANTHROPIC_API_KEY=sk-ant-...
```
You can also place keys in a .env file in the project root (loaded automatically via dotenv), or add them to ~/.ironcurtain/config.json via ironcurtain config. Environment variables take precedence over config file values. Supported: ANTHROPIC_API_KEY, GOOGLE_GENERATIVE_AI_API_KEY, OPENAI_API_KEY.
2. Run the first-start wizard (runs automatically on first ironcurtain start, or explicitly):

```bash
ironcurtain setup
```
Walks you through GitHub token setup, web search provider, model selection, and other settings. Creates ~/.ironcurtain/config.json with your choices.
For quick tasks or environments without Docker, IronCurtain's builtin agent runs entirely locally in a V8 sandbox:
```bash
ironcurtain start                                     # Interactive multi-turn session
ironcurtain start "Summarize the files in ./src"      # Single-shot mode
ironcurtain start -w ./my-project "Fix the tests"     # Workspace mode
ironcurtain start --persona my-assistant "Check my email"  # Use a persona
```
A constitution clause like:
- The agent may perform read-only git operations (status, diff, log) within the sandbox without approval.
- The agent must receive human approval before git push, pull, fetch, or any remote-contacting operation.
compiles to:
```json
[
  { "tool": "git_status", "decision": "allow", "condition": { "directory": { "within": "$SANDBOX" } } },
  { "tool": "git_diff", "decision": "allow", "condition": { "directory": { "within": "$SANDBOX" } } },
  { "tool": "git_push", "decision": "escalate", "reason": "Remote-contacting git operations require human approval" }
]
```
Any call that doesn't match an explicit allow or escalate rule is denied by default.
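To make the default-deny behaviour concrete, here is an added example (not IronCurtain's own code) of a minimal evaluator over compiled rules of the shape shown above. The first-match ordering, the `$SANDBOX` substitution and the path-containment check are assumptions; the sample rules and the session path are constructed.

```typescript
// Added example, not IronCurtain's own code: evaluates a tool call against
// compiled rules of the shape shown above. First-match order, "$SANDBOX"
// substitution and the path containment check are assumptions.
import * as path from "path";

type Decision = "allow" | "escalate" | "deny";

interface Rule {
  tool: string;
  decision: "allow" | "escalate";
  condition?: { directory?: { within: string } };
  reason?: string;
}

interface ToolCall {
  tool: string;
  directory?: string;
}

// Constructed sample: the three rules compiled from the git clauses above.
const sampleRules: Rule[] = [
  { tool: "git_status", decision: "allow", condition: { directory: { within: "$SANDBOX" } } },
  { tool: "git_diff", decision: "allow", condition: { directory: { within: "$SANDBOX" } } },
  { tool: "git_push", decision: "escalate", reason: "Remote-contacting git operations require human approval" },
];

// True when dir resolves inside root. Resolving first means "../" segments
// cannot escape the sandbox, which a plain string-prefix check would allow.
function isWithin(dir: string, root: string): boolean {
  const rel = path.relative(path.resolve(root), path.resolve(dir));
  return rel === "" || (!path.isAbsolute(rel) && rel.split(path.sep)[0] !== "..");
}

function evaluate(rules: Rule[], call: ToolCall, sandbox: string): { decision: Decision; reason?: string } {
  for (const rule of rules) {
    if (rule.tool !== call.tool) continue;
    const within = rule.condition?.directory?.within;
    if (within !== undefined) {
      const root = within === "$SANDBOX" ? sandbox : within;
      // A rule whose condition is not met does not match; keep looking.
      if (call.directory === undefined || !isWithin(call.directory, root)) continue;
    }
    return { decision: rule.decision, reason: rule.reason };
  }
  // Nothing matched an explicit allow or escalate rule: deny by default.
  return { decision: "deny", reason: "no matching rule" };
}
```

A read-only call with no directory, or one whose directory resolves outside the sandbox, falls through every rule and is denied rather than allowed.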
```bash
ironcurtain annotate-tools --server filesystem   # Annotate one server (merge with existing)
ironcurtain annotate-tools --all                 # Re-annotate all servers
ironcurtain compile-policy                       # Compile constitution into rules and verify
ironcurtain refresh-lists                        # Re-resolve dynamic lists without full recompilation
ironcurtain refresh-lists --list major-news      # Refresh a single list
```
Review the generated ~/.ironcurtain/generated/compiled-policy.json — these are the exact rules enforced at runtime.
In Docker Agent Mode, the container has no network access — all traffic goes through IronCurtain's MITM proxy. By default, only LLM provider domains are reachable. The agent can request access to additional domains at runtime via the proxy virtual MCP server (add_proxy_domain). Each request requires human approval via the escalation flow.
Approved domains get a raw passthrough tunnel — HTTP, HTTPS, and WebSocket connections are forwarded without content inspection or credential injection. This gives the agent greater utility (calling third-party APIs, streaming data from external services) but means traffic to those domains is unmediated. See SECURITY_CONCERNS.md Section 2b-i for the threat model and DEVELOPER_GUIDE.md for usage details.
<p align="center"> <img src="demo.gif" alt="IronCurtain mux demo: trusted input from command mode enables auto-approval of git clone and git push" width="800"> </p>
The agent is asked to clone a repository and push changes. Both git_clone and git_push are escalated by the policy engine, but the auto-approver approves them automatically — the user's trusted input from command mode (Ctrl-A) provided clear intent, so no manual /approve was needed.
IronCurtain stores configuration and session data in ~/.ironcurtain/:
```text
~/.ironcurtain/
├── config.json            # User configuration
├── constitution.md        # User-local base constitution (overrides package default)
├── constitution-user.md   # Your policy customizations (generated by customize-policy)
├── generated/             # User-compiled policy artifacts (overrides package defaults)
├── personas/              # Persona directories (constitution, policy, workspace, memory)
├── skills/                # User-global SKILL.md packages, mounted into every Docker session
├── jobs/                  # Cron job definitions, workspaces, and run records
├── sessions/
│   └── {sessionId}/
│       ├── sandbox/       # Per-session filesystem sandbox
│       ├── escalations/   # File-based IPC for human approval
│       ├── audit.jsonl    # Per-session audit log
│       └── session.log    # Diagnostics
└── workflow-runs/         # Shared-container workflow runs (see below)
```
Single-session runs (ironcurtain start, mux tabs, cron jobs) write under sessions/. Shared-container workflow runs write under workflow-runs/ instead — see the next section.
IronCurtain orchestrates multiple AI agents through structured workflows. The bundled vulnerability discovery workflow hunts memory-safety and logic bugs in native code through a tiered harness pipeline (Tier 1 isolated function → Tier 2 multi-component → Tier 3 full build) with libFuzzer/AFL++ coverage gating, hypothesis-driven discover/triage states, and a final human report-review gate. The design-and-code workflow runs plan / design / implement / review cycles, also with human gates. Each agent runs in its own Docker container with role-specific policy boundaries; the engine manages state transitions, artifact passing, and crash-resume checkpointing automatically. Open source, runs entirely on your machine, enforces per-agent security policies via the constitution-based policy engine, and works with any Docker-containerized agent — comparable in scope to Amazon Kiro and Google Jules for coding tasks, but with first-class security and an extensible workflow definition format.

The web UI is the intended interface for workflow runs. Start the daemon, open the printed URL, and drive runs from the Workflows page — the state-machine graph above is live, the agent-message timeline streams with markdown rendering, gate reviews include a workspace + artifact browser, and past runs stay listed.
```bash
ironcurtain daemon --web-ui
```
CLI access is available for scripting, automation, and debugging:
```bash
ironcurtain workflow start vuln-discovery \
  "Find memory-safety bugs in libical" --workspace ~/src/libical
ironcurtain workflow start design-and-code \
  "Build a REST API with authentication"
```
See WORKFLOWS.md for the full documentation.
A workflow definition can opt in to a shared Docker container by setting settings.sharedContainer: true in its YAML. In that mode every agent state runs inside the same long-lived container and shares one policy engine instance; between states the orchestrator hot-swaps the active policy so each persona sees its own rules. All artifacts for the run land in a single tree:
```text
~/.ironcurtain/workflow-runs/<workflowId>/
├── audit.jsonl           # Persona-tagged append-only audit
├── messages.jsonl        # Orchestrator message log
├── workspace/            # Agent workspace (filesystem MCP root)
├── bundle/               # Shared container support (claude-state, orientation, sockets, escalations, system-prompt.txt)
├── states/
│   └── <stateId>.<visitCount>/   # session.log + session-metadata.json per invocation
└── proxy-control.sock    # Coordinator UDS for policy hot-swap
```
No per-session entries are created under ~/.ironcurtain/sessions/ for a shared-container workflow run. User-visible commands (ironcurtain workflow start|resume|inspect|list) are unchanged. See WORKFLOWS.md for authoring workflow definitions and the full lifecycle.
Edit configuration interactively:
```bash
ironcurtain config
```
Key configuration areas: models and API keys, resource budgets (token/step/time/cost limits), auto-approve escalations, web search provider, audit redaction, and memory server LLM settings. See CONFIG.md for the full reference.
To route LLM traffic through a gateway like LiteLLM or OpenRouter (in both Code Mode and Docker Agent Mode), see MODEL_ROUTING.md.
| Issue | Guidance |
|---|---|
| **Missing API key** | Set the environment variable (ANTHROPIC_API_KEY, GOOGLE_GENERATIVE_AI_API_KEY, or OPENAI_API_KEY) or add the corresponding key to ~/.ironcurtain/config.json. |
| **Sandbox unavailable** | OS-level sandboxing requires bubblewrap and socat. Install both, or set "sandboxPolicy": "warn" in your MCP server config for development. |
| **Budget exhausted** | Adjust limits in ~/.ironcurtain/config.json under resourceBudget. Set any individual limit to null to disable it. |
| **Node version errors** | Node.js 22+ is required (isolated-vm needs >=22.0.0). Maximum supported is Node 25 (<26). |
| **Policy doesn't match intent** | Review compiled-policy.json to see the generated rules. Run ironcurtain customize-policy to refine your constitution, then ironcurtain compile-policy to recompile. Specific wording produces better rules — vague phrasing leads to vague policy. |
| **Auto-approve not triggering** | The auto-approver only approves when the user's message explicitly authorizes the action (e.g., "push to origin" for git_push). Vague messages always escalate to human review. Verify autoApprove.enabled is true in config.json. |
| **PTY/mux terminal garbled after exit** | Run reset in that terminal to restore normal mode. This is needed when the process is killed ungracefully and raw mode is not restored. |
| **Mux/listener: "already running"** | Only one mux or escalation-listener can run at a time. The lock at ~/.ironcurtain/escalation-listener.lock is auto-cleared if the previous process is dead. If it persists, check the PID in the lock file. |
| **Signal bot not responding** | Verify the signal-cli container is running (docker ps \| grep ironcurtain-signal). Check that Signal is configured (ironcurtain setup-signal). See [TRANSPORT.md](TRANSPORT.md) for detailed troubleshooting. |
IronCurtain is a powerful AI tool that provides six pre-configured MCP servers. It helps developers use AI services safely in a Node.js environment.
IronCurtain bundles six MCP servers, each providing specific functionality, including filesystem operations such as reading, writing, editing and searching files.
Environment dependencies and system requirements: IronCurtain needs Node.js 22+, Docker (strongly recommended) and an API key for at least one LLM provider (Anthropic, Google or OpenAI).
Installation steps: install IronCurtain with npm, or install from source (requires Git and npm); set up the API key and the Docker environment (if using Docker); start the IronCurtain service.
Usage tutorial: use IronCurtain's CLI tool, or start the service from source; set up the API key and the Docker environment (if using Docker); use IronCurtain's builtin agent (no Docker needed) or the Docker agent (recommended).
Configuration: IronCurtain uses the functionality provided by the MCP servers, and users can customize policies and configuration files; both environment variables and configuration files can be used; supported configuration files include `config.json`, `.env` and `~/.ironcurtain/config.json`.
Workflows / modules: IronCurtain supports workflows of multiple AI agents, including the vulnerability discovery workflow and the builtin agent; users can customize workflows and agents; supported workflows include `vulnerability discovery` and `builtin agent`.
FAQ: problems and solutions, including environment setup, API key setup and Docker environment setup.
Innovative policy-driven security architecture with good MCP integration. High code quality, suited to enterprise scenarios, but documentation and production case studies need to be fleshed out.
AI Skill Hub is a third-party content aggregation platform; the information on this page is compiled from public data and does not constitute any legal endorsement of the tool's functionality or quality.
We recommend validating thoroughly in a sandbox or test environment, and carrying out the necessary security assessment, before deploying to production.
✅ Apache 2.0: permissive open-source license; commercial use allowed; the copyright notice and NOTICE file must be retained; includes a patent grant clause.
AI Skill Hub verdict: the ironcurtain MCP tool's core functionality is complete and of good quality. For AI enthusiasts it is a worthwhile addition to a personal toolkit. We suggest trying it in a non-production environment first, then rolling it out gradually.
| Field | Value |
|---|---|
| Original name | ironcurtain |
| Original description | Open-source MCP tool: A secure* runtime for autonomous AI agents. Policy from plain-English constituti。⭐424 · TypeScript |
| Topics | sandbox isolation, policy control, MCP protocol, autonomous agents, TypeScript |
| GitHub | https://github.com/provos/ironcurtain |
| License | Apache-2.0 |
| Language | TypeScript |

Listed: 2026-05-17 · Updated: 2026-05-19 · License: Apache-2.0 · AI Skill Hub does not legally endorse the accuracy of third-party content.