Skip to main content
Manage the routes that tell cordon which hosts to intercept and what credentials to inject. Prefer these commands over editing cordon.toml directly. They validate the route shape, preserve existing config, and are intended to make route configuration safer and less error-prone. All cordon route subcommands accept --scope project|user to select which config file they target, matching cordon start and cordon setup. --config and --scope are mutually exclusive — passing both is an error. Resolution:
  1. --config <path> — explicit path.
  2. --scope <scope> — resolves to the scope’s default config path (project → $CWD/cordon.toml, user → ~/.config/cordon/cordon.toml).
  3. Neither flag — defaults to project scope ($CWD/cordon.toml).
cordon route add --config <path> can create a default config skeleton when that explicit path is missing. With default project scope or --scope, run cordon setup first. Other route subcommands require the resolved config file to already exist.

cordon route add

Add a new route. With no flags, launches an interactive wizard that prompts for route match scope, auth, and secret fields.

Non-interactive mode

Pass flags to skip the wizard. Requires --host, --auth-type, --source, and the fields required by the selected auth type and secret source:

Examples

After adding a keyring-backed route, store the secret with cordon secret set ACCOUNT. Use cordon route show NAME to find the keyring account for a route. 1Password routes don’t need this step — credentials are fetched from 1Password directly.
The interactive wizard infers path_exact vs path_glob from input syntax: a value containing * or ** becomes path_glob, anything else becomes path_exact. To configure a path_exact value that contains a literal * (rare — e.g. when matching a request path that includes percent-encoded %2A), use the --path-exact flag instead of the wizard.
The 0.4.0 --path-prefix flag is still accepted for compatibility but hidden from help. Prefer --path-glob '/v1/**' for new routes. Legacy prefixes are converted to glob syntax only when the conversion preserves the same match behavior.

cordon route edit

Edit an existing route. With no flags (other than --scope or --config), launches an interactive editor that pre-fills current values — press Enter to keep a value, or type a new one.

Non-interactive mode

Pass flags to change only specific fields without prompting:

Partial updates

Non-interactive edit changes only the fields you specify. Unspecified fields keep their current values. For 1Password sources, you can update individual sub-fields without repeating the others:

Switching secret sources

When switching from one source to another with --source:
  • 1password to keyring: --account defaults to the route name if omitted
  • keyring to 1password: requires --vault, --item, and --field

Examples

cordon route list

List all configured routes.

cordon route show

Show details of a single route.

cordon route remove

Remove a route by name.