IronCurtain – A Personal AI Assistant, Built Secure

ironcurtain.dev · eustoria · 12 days ago · view on HN · tool
IronCurtain
A personal AI assistant, built secure from the ground up.

> What do we mean by “secure”?

When you read somebody writing the word “secure”, you should immediately mistrust it. By and large, we don’t even have a usable definition of secure, and the history of the internet is full of systems that a company or researcher declared secure and that were broken within a year. When I write secure here, I don’t mean it in an absolute sense.

There is a strong tension between security and utility. Humans are terrible at expressing their precise intent in prompts, so the agent has to guess, and the boundary between what was intended and what was not is inherently blurry. My goal is to keep the agent from straying too far across that boundary into clearly unintended territory. The constitution and security policy limit the major unintended consequences but cannot guarantee that nothing unintended will happen. When it does, the policy and sandbox constraints are there to limit the damage.

    $ npx @provos/ironcurtain

> The problem

AI agents hold your credentials, process untrusted input from emails and web pages, and execute code with your full permissions. The security model is “hope nothing goes wrong.” A single prompt injection can cause the agent to exfiltrate your data, and the agent already has every capability it needs to do so.

> What IronCurtain does about it

Example: the agent organizes files and commits code.

    allow     Read and write files inside the project directory
    allow     Run git status, diff, add, commit locally
    escalate  Push to remote, delete branches, rewrite history
    deny      Access files outside the project directory
    deny      Read credentials, environment variables, or SSH keys

The agent gets exactly the capabilities it needs. Everything else is blocked or requires your approval.

> See it in action

The agent is asked to clone a repository and push changes. Both git_clone and git_push are escalated by the policy engine, but the auto-approver approves them automatically: the user's trusted input from command mode (Ctrl-A) provided clear intent, so no manual /approve was needed.

The agent connects to Signal, securely paired with your phone. Send a task from anywhere and get results back over end-to-end encrypted messaging.

> Policy in plain English

You write a constitution for your agent. No DSL, no YAML, no regex. IronCurtain compiles it into enforceable policy.

constitution.md

    # Guiding Principles

    1. Least privilege: The agent may only access resources explicitly permitted by policy.
    2. No destruction: Delete operations outside the sandbox are never permitted.
    3. Human oversight: Operations outside the sandbox require explicit human approval.

    # Concrete Guidance

    - The agent is allowed to read, write and delete content in the Downloads folder
    - The agent may perform read-only git operations within the sandbox without approval
    - The agent must receive human approval before git push, git pull, or any remote-contacting operation
    - The agent must receive human approval before git reset, rebase, merge, or any history-rewriting operation
    - The agent may fetch web content from popular news sites

> What it can do today

- Filesystem (14 tools): read, write, edit, move, delete, search, list, directory tree
- Git (27 tools): full workflow from status and diff to commit, push, branch, merge, rebase
- GitHub (41 tools): issues, pull requests, code search, reviews, all governed by owner-scoped policy rules
- Web: HTTP fetch with HTML-to-markdown conversion, web search via Brave/Tavily/SerpAPI, domain allowlists
- Signal: interact with your agent from anywhere via end-to-end encrypted messaging
- Google (128 tools): Gmail, Calendar, Drive, Docs, Sheets, connected via OAuth; credentials never enter the container
- Claude Code: run Claude Code in a Docker container via the built-in terminal multiplexer. Multiple tabs, inline escalation handling, and trusted input for auto-approval. Start in a fresh sandbox or an existing project directory.

All tool calls pass through the same policy engine. IronCurtain uses standard, unmodified MCP servers. More servers will be integrated into IronCurtain over time.

> The name

In theater, an iron curtain is a fireproof safety barrier between the stage and the audience. If something catches fire on stage, the curtain drops and contains the disaster. The agent performs on stage. Your files, your credentials, your systems are in the audience. IronCurtain is the barrier.
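The allow/escalate/deny capability example and the constitution on this page describe the decisions a compiled policy has to make for each tool call. The block below is an added illustration written for this page, not IronCurtain's own code, of what such a decision function can look like. The tool names (read_file, git, read_env), the argument shapes, the list of secret paths and the grouping of git subcommands are all assumptions made for the example. Two points it makes concrete: a path rule is only as good as the normalization that runs before the comparison against the sandbox root, and auto-approval of an escalated call is keyed to where the intent came from, never to text that came back from a tool.

```typescript
// Added example (not IronCurtain's code): a decision function of the kind a
// constitution could compile down to. Tool names, argument shapes, the secret
// path list and the git subcommand grouping are assumptions for this example.

type Decision = "allow" | "escalate" | "deny";

interface ToolCall {
  tool: string;                  // e.g. "read_file", "write_file", "git", "read_env"
  args: Record<string, string>;  // e.g. { path: "src/a.ts" } or { subcommand: "push" }
}

interface PolicyContext {
  sandboxRoot: string;    // absolute POSIX path of the project directory
  trustedIntent: boolean; // task arrived through trusted user input, not tool output
}

// Secrets the agent must never read, even when they sit inside the sandbox
// (constructed list for this example).
const SECRET_PATH = /(^|\/)(\.ssh|\.aws|\.gnupg)(\/|$)|(^|\/)\.env(\.|$)|id_(rsa|ed25519)$/;

// git subcommands grouped by the constitution's categories (assumed grouping).
const GIT_READ_ONLY = new Set(["status", "diff", "log", "show", "blame"]);
const GIT_LOCAL_WRITE = new Set(["add", "commit", "checkout", "switch", "stash"]);
const GIT_REMOTE = new Set(["push", "pull", "fetch", "clone", "remote"]);
const GIT_HISTORY = new Set(["reset", "rebase", "merge", "cherry-pick", "filter-branch"]);

// Lexically resolve p against an absolute root: drop "" and ".", apply "..".
// Lexical only: a symlink inside the sandbox can still point outside it, which
// is why the filesystem tool itself also has to run inside the container.
function resolvePosix(root: string, p: string): string {
  const joined = p.startsWith("/") ? p : `${root}/${p}`;
  const out: string[] = [];
  for (const seg of joined.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") { out.pop(); continue; } // pop on an empty array is a no-op, so ".." stops at "/"
    out.push(seg);
  }
  return "/" + out.join("/");
}

function insideSandbox(root: string, p: string): boolean {
  const rootAbs = resolvePosix("/", root);
  const target = resolvePosix(rootAbs, p);
  // The trailing "/" keeps "/proj2/x" from passing as inside "/proj".
  return target === rootAbs || target.startsWith(rootAbs + "/");
}

function evaluate(call: ToolCall, ctx: PolicyContext): Decision {
  switch (call.tool) {
    case "read_file":
    case "write_file":
    case "delete_file": {
      const p = call.args.path ?? "";
      if (!insideSandbox(ctx.sandboxRoot, p)) return "deny"; // outside the project directory
      if (SECRET_PATH.test(p)) return "deny";                // credentials or keys
      return "allow";
    }
    case "read_env":
    case "read_credential":
      return "deny";                                         // never, whatever the arguments
    case "git": {
      const sub = call.args.subcommand ?? "";
      const flags = call.args.flags ?? "";
      if (GIT_READ_ONLY.has(sub) || GIT_LOCAL_WRITE.has(sub)) return "allow";
      if (sub === "branch") {
        // listing/creating is local; deleting a branch needs approval
        return /(^|\s)(-[dD]|--delete)(\s|$)/.test(flags) ? "escalate" : "allow";
      }
      // remote-contacting, history-rewriting, or unknown: fail closed to human review
      return GIT_REMOTE.has(sub) || GIT_HISTORY.has(sub) ? "escalate" : "escalate";
    }
    default:
      return "deny"; // tools the policy does not mention are blocked
  }
}

// An escalated call normally waits for a human /approve. If the task itself
// arrived through trusted input, an auto-approver may accept it (as in the
// clone-and-push demo). Text returned by a tool never sets trustedIntent, so a
// prompt injection cannot grant itself approval.
function resolve(call: ToolCall, ctx: PolicyContext): Decision {
  const d = evaluate(call, ctx);
  return d === "escalate" && ctx.trustedIntent ? "allow" : d;
}
```

resolve() is what a tool-call router would consult before dispatching to an MCP server. The caveat the comments repeat is worth stating once more: the path check is lexical, so it catches ../ traversal and prefix collisions such as /proj versus /proj2, but not a symlink inside the sandbox that points outside it; that case is only closed by the container boundary the tool runs in.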