Security gateway for MCP tool calls. Cordon sits between your LLM client and MCP servers — enforcing policies, logging every tool call, and pausing dangerous operations for human approval.
Free for individuals · GitHub OAuth · No credit card
Any MCP client, any MCP server. Cordon speaks stdio — the transport every major client already uses. cordon init auto-patches supported clients; others drop in with a one-line config change.
Using an MCP server? If it runs over stdio, Cordon proxies it — no server-side changes required.
MCP lets LLMs call real tools — query databases, write files, call APIs. That's powerful. But out of the box, there's nothing between the model and your production systems. No audit log. No way to block a class of operations. No human checkpoint before something irreversible runs.
You're just trusting the model. Cordon closes that gap.
Cordon is a transparent proxy. It requires no changes to your existing MCP servers or Claude Desktop config — cordon init handles the wiring.
Block entire tool categories or specific tools by name. Reads pass, writes require approval — or block everything except an explicit allowlist.
Dangerous operations pause and wait. Approve or deny from the terminal or a Slack channel before anything runs.
Every tool call — args, result, policy decision, timestamp — logged to a file or shipped to the hosted dashboard.
Centralized audit logs across your team. Manage API keys, view call history, export for compliance.
Per-agent rules with call-graph constraints. Block patterns like read database → write to disk — even when each call is individually allowed. The exfil shapes that per-tool rules can't see.
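The call-sequence constraint described above, sketched as an added TypeScript example. It is not Cordon's code or configuration syntax: the `SequenceGuard` class, the rule shape, the category labels and the tool names are hypothetical, and the trace is constructed.

```typescript
// Added illustration, not Cordon's implementation; all names are hypothetical.
type Category = 'db.read' | 'fs.write' | 'other';
type Decision = 'allow' | 'block';
interface ToolCall { agent: string; tool: string; category: Category; }
interface SequenceRule { name: string; after: Category; deny: Category; window: number; }

// Per-tool rules: each tool here is individually allowed; unlisted tools are blocked.
const perTool: Record<string, Decision> = {
  query_rows: 'allow', list_dir: 'allow', write_file: 'allow',
};
// Own-property lookup, so a tool named "constructor" cannot match an inherited key.
const own = (o: object, k: string): boolean => Object.prototype.hasOwnProperty.call(o, k);

// Sequence rule: deny a disk write if the agent read the database in its last `window` allowed calls.
const sequenceRules: SequenceRule[] = [
  { name: 'db-read-then-disk-write', after: 'db.read', deny: 'fs.write', window: 5 },
];

class SequenceGuard {
  // Allowed calls per agent; null prototype so agent names never hit inherited keys.
  history: Record<string, Category[]> = Object.create(null);

  evaluate(call: ToolCall): { decision: Decision; reason: string } {
    if (!own(perTool, call.tool) || perTool[call.tool] === 'block') {
      return { decision: 'block', reason: 'per-tool rule' };
    }
    const past = this.history[call.agent] || [];
    for (const rule of sequenceRules) {
      const recent = past.slice(-rule.window);
      if (call.category === rule.deny && recent.indexOf(rule.after) !== -1) {
        return { decision: 'block', reason: rule.name };  // blocked calls are not recorded
      }
    }
    this.history[call.agent] = past.concat(call.category);
    return { decision: 'allow', reason: 'no rule matched' };
  }
}

// Constructed trace: agent a1 reads the database, then tries to write to disk.
const sampleTrace: ToolCall[] = [
  { agent: 'a1', tool: 'query_rows', category: 'db.read' },
  { agent: 'a2', tool: 'write_file', category: 'fs.write' },  // different agent: allowed
  { agent: 'a1', tool: 'list_dir', category: 'other' },
  { agent: 'a1', tool: 'write_file', category: 'fs.write' },  // blocked by the sequence rule
];
function runTrace(calls: ToolCall[]): string[] {
  const guard = new SequenceGuard();
  return calls.map((c) => c.agent + ':' + c.tool + '=' + guard.evaluate(c).decision);
}
console.log(runTrace(sampleTrace).join('\n'));
```

The history is keyed by agent, so the same `write_file` call is allowed for `a2` and blocked for `a1`, which is the distinction a per-tool rule cannot express.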
Cordon is free. The CLI is open source, the hosted dashboard is free to use, no credit card. We'll charge for team and enterprise features later — for now, we're focused on getting the product right.
Everything you need to ship safely.
npm install -g @getcordon/cli
cordon init
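// cordon.config.ts
import { defineConfig } from '@getcordon/policy';

export default defineConfig({
  servers: [
    {
      name: 'my-db',
      transport: 'stdio',
      // Command and arguments used to launch the proxied MCP server
      command: 'npx',
      args: ['-y', '@my-org/db-mcp'],
      // Server-level policy: writes require approval
      policy: 'approve-writes',
      tools: {
        // Per-tool rule: block this tool by name
        drop_table: { action: 'block' },
      },
    },
  ],
});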
cordon start
We're looking for a handful of teams to work closely with as we build out the enterprise features — centralized policy management, SSO, compliance exports. Early partners shape the roadmap and get priority support.