docs: Rewrite README to cover full CLI

README.md

@@ -1,62 +1,147 @@
 # irons
 
-`irons` is a CLI tool for spinning up egress-secured cloud VMs (sandboxes) designed for use with AI agents. It lets you create isolated, SSH-accessible environments with fine-grained control over outbound network traffic.
+`irons` is a CLI for spinning up egress-secured cloud VMs designed for AI coding agents. Create isolated, SSH-accessible environments with fine-grained control over outbound network traffic — so you can give an agent a real machine without giving it unfettered internet access.
 
-## Get Access
+## Quick Start
+
+```sh
+curl -fsSL https://install.iron.sh | bash
+irons onboard
+```
+
+The onboarding flow walks you through account creation and then asks how you want to get started:
 
-**We're currently in early access.** [Schedule a call →](https://cal.com/matthew-slipper-ironcd/15min) and we'll get you set up with API keys in 15 minutes.
+- **Start coding with an agent** — configures a GitHub PAT, picks a harness (Claude Code or Codex), and launches an agent session against one of your repos.
+- **Create a VM to poke around** — spins up an example VM with a sample secret so you can SSH in and explore.
 
-## Installation
+## Agents
 
-### Install Script (recommended)
+Agent sessions boot a VM, clone a repo, and start an AI coding agent inside a tmux session you can attach to via SSH.
 
 ```sh
-curl -fsSL https://install.iron.sh | bash
+# Create an agent session
+irons agents new --repo acme/api
+
+# List active sessions
+irons agents list
+
+# Reattach to a session
+irons agents attach fix-auth
+
+# SSH into the underlying VM (plain shell, not tmux)
+irons agents ssh fix-auth
+
+# Tear it down
+irons agents destroy fix-auth
 ```
 
-### Download Binary
+## VMs
+
+Create and manage standalone VMs directly.
 
-Pre-built binaries for macOS and Linux are available on the [GitHub Releases](https://github.com/ironsh/irons/releases/latest) page.
+```sh
+# Create a VM and wait until it's ready
+irons create my-sandbox
+
+# SSH in
+irons ssh my-sandbox
+
+# Check status
+irons status my-sandbox
 
-### From Source
+# Stop, start, or destroy
+irons stop my-sandbox
+irons start my-sandbox
+irons destroy my-sandbox
+
+# List all VMs
+irons list
+```
 
-Requires Go 1.24+.
+Commands accept either a VM **name** or its **ID** (e.g. `vm_abc123`).
+
+## Secrets and Environment Variables
+
+Secrets are encrypted at rest and injected into VMs via iron.sh's secrets proxy — they never touch disk in plaintext.
 
 ```sh
-git clone https://github.com/ironsh/irons.git
-cd irons
-go install github.com/ironsh/irons@latest
+# Add a secret (injected as an env var in VMs)
+irons secrets add --name my-token --env-var API_TOKEN --secret "sk-..."
+
+# List, show, update, or remove secrets
+irons secrets list
+irons secrets show my-token
+irons secrets update my-token --secret "sk-new..."
+irons secrets remove my-token
 ```
 
-## Authentication
+Account-level environment variables are also available:
+
+```sh
+irons env set DEBUG=true
+irons env list
+irons env destroy DEBUG
+```
+
+## Egress Control
 
-Log in once with your IronCD account:
+All VM network traffic is logged and restricted by default. You can allowlist specific domains or set rules to warn mode for auditing before locking things down.
 
 ```sh
-irons login
+# View or set the egress mode
+irons egress mode
+irons egress mode enforce
+irons egress mode warn
+
+# Manage allowlist rules
+irons egress list
+irons egress add --host registry.npmjs.org
+irons egress remove <rule-id>
+
+# View egress audit logs
+irons audit egress
 ```
 
-This opens a browser-based authorization flow and saves your API token to `~/.config/irons/config.yml`. All subsequent commands will use it automatically.
+## Other Features
 
-You can also supply your key via the `IRONS_API_KEY` environment variable or the `--api-key` flag, which take precedence over the config file.
+```sh
+# Copy files to/from a VM
+irons scp local-file.txt my-sandbox:/tmp/
 
-## Quick Start
+# Port forwarding
+irons forward my-sandbox
+
+# Snapshot and restore VMs
+irons snapshots list
+irons snapshots create my-sandbox --name before-refactor
+
+# Fork/clone a VM
+irons fork my-sandbox --name my-sandbox-copy
+
+# Manage SSH public keys
+irons public-keys list
+irons public-keys add --name laptop --public-key "ssh-ed25519 AAAA..."
+```
+
+## Authentication
 
 ```sh
-# Log in
+# Interactive login (opens browser)
 irons login
 
-# Create a sandbox and wait until it's ready
-irons create my-sandbox
+# Or run the full onboarding flow
+irons onboard
+```
 
-# SSH in
-irons ssh my-sandbox
+Your API token is saved to `~/.config/irons/config.yml`. You can also authenticate via the `IRONS_API_KEY` environment variable or the `--api-key` flag.
 
-# Tear it down when done
-irons destroy my-sandbox
-```
+## Alternative Installation
+
+Pre-built binaries for macOS and Linux are available on the [GitHub Releases](https://github.com/ironsh/irons/releases/latest) page, or install from source (requires Go 1.24+):
 
-Commands accept either a sandbox **name** or its **VM ID** (e.g. `vm_abc123`) — whichever is more convenient.
+```sh
+go install github.com/ironsh/irons@latest
+```
 
 ## Documentation