Comparison

Cordon vs MCPX

Both are MCP gateways. They solve different problems. MCPX is built for teams enforcing automated policy on Kubernetes. Cordon is built for developers who want a human in the decision loop before dangerous tool calls run — installed in two minutes, no Docker required.

Get started with Cordon → View on GitHub

The core difference

MCPX enforces policy automatically: allow or block against a ruleset, no human in the loop. Cordon can do that too, but its defining feature is something neither MCPX nor any other MCP gateway does: synchronous human approval. The agent pauses, a person decides, and only then does the tool call run or get blocked.

✓ read_database("users") allowed   ? APPROVAL REQUIRED Tool : delete_rows Args : { "table": "users", "where": "created_at < '2024-01-01'" } Policy : approve-writes   Approve [A] / Deny [D]: _   The agent is waiting. Nothing runs until you decide.
Why this matters: automated allow/block rules can't anticipate every context. When an agent calls delete_rows, the correct answer depends on what it's deleting and why — information a static rule can't evaluate. A human checkpoint costs 10 seconds and catches the cases a ruleset misses.

Feature comparison

As of mid-2026, based on published documentation. Verify current MCPX features at lunar.dev.

Feature Cordon MCPX (Lunar.dev)
Human-in-the-loop approval Synchronous — agent pauses until a person decides Automated policy only
Installation npm install -g @getcordon/cli — 2 minutes Kubernetes / Docker deployment
Pricing Free and open source (MIT). Optional hosted dashboard. Enterprise pricing / contact sales
Policy enforcement allow / block / approve / approve-writes / log-only per tool Automated allow/block rules, RBAC
Call-graph / sequence policies Block patterns like read_* → write_file in the same turn Per-tool rules only
Audit log Every call, every arg, policy decision, timestamp — file or hosted Call logging
Approval via Slack Slack approval channel supported Not applicable — no HITL model
Works without a team / IDP Single-developer use case, no SSO or IDP required Designed for team/enterprise deployments
MCP clients supported Claude Desktop, Cursor, Windsurf, VS Code, any stdio client HTTP/SSE-based clients
Open source MIT — github.com/marras0914/cordon Closed source

When to use each

Use Cordon when

  • You want a human to approve dangerous tool calls before they run
  • You're a solo developer or small team without a Kubernetes cluster
  • You need call-graph sequence policies (block read-then-write patterns)
  • You want to be up and running in under 5 minutes
  • You need something free and self-hostable
  • You're securing Claude Desktop, Cursor, or Windsurf locally

Use MCPX when

  • You're deploying a team gateway on Kubernetes or Docker
  • You need SSO / IDP integration and centralized RBAC
  • Automated policy enforcement without human intervention is sufficient
  • You're buying enterprise tooling with a vendor support contract

Get started with Cordon

Three commands. No Docker, no Kubernetes. Works with Claude Desktop out of the box.

Step 1 — Install
npm install -g @getcordon/cli
Step 2 — Initialize (auto-patches Claude Desktop)
cordon init
Step 3 — Configure your policy
// cordon.config.ts
import { defineConfig } from '@getcordon/policy';

export default defineConfig({
  servers: [
    {
      name: 'database',
      transport: 'stdio',
      command: 'npx',
      args: ['-y', '@my-org/db-mcp'],
      policy: 'approve-writes',         // reads pass; writes pause for approval
      tools: {
        drop_table: { action: 'block' }, // this one never runs, full stop
      },
    },
  ],
  approvals: { channel: 'terminal' },   // or 'slack'
  audit: { enabled: true },
});
Step 4 — Start
cordon start
From here, any write operation your agent attempts pauses at the Cordon layer. You see the tool name, arguments, and which policy triggered — then type A to approve or D to deny. The agent resumes only after your decision.

FAQ

What is the difference between Cordon and MCPX?

Cordon is built around synchronous human-in-the-loop approval: dangerous tool calls pause and wait for a person before running. MCPX is an enterprise team gateway built for Kubernetes deployments with automated RBAC and policy enforcement. MCPX has no synchronous human approval mechanism. Cordon requires no Docker or Kubernetes and is free and open source.

Is there an open-source alternative to MCPX?

Yes — Cordon. It is MIT-licensed, installs with a single npm command, and requires no infrastructure. It covers automated allow/block policies, call-graph sequence rules, full audit logging, and adds synchronous human approval that MCPX does not have. Source: github.com/marras0914/cordon.

Does the agent actually wait during a human approval?

Yes. Cordon intercepts the tool call before it reaches the MCP server. The agent's turn is suspended — no tool call fires, no result is returned — until a person types A or D. There is no polling loop or eventual consistency. The approval is synchronous.

Does Cordon require Docker or Kubernetes?

No. Cordon runs as a local Node process. Install via npm, run cordon init to auto-patch Claude Desktop, and start it with cordon start. No containers, no cluster, no runtime besides Node.

Is Cordon free?

The CLI, proxy core, and policy SDK are MIT-licensed and free. An optional hosted dashboard at app.getcordon.com provides centralized audit logs and team management with a paid tier. The local gateway — including human approval, policy enforcement, and file-based audit logging — is entirely free.

Try Cordon

Open source, free to install, no Docker required. If you want a human in the loop before your agent does something it can't undo — Cordon is the only MCP gateway built for that.

Get started in 2 minutes → View on GitHub