cordon.toml directly. They validate the route shape, preserve existing config, and are intended to make route configuration safer and less error-prone.
All cordon route subcommands accept --scope project|user to select which config file they target, matching cordon start and cordon setup. --config and --scope are mutually exclusive — passing both is an error. Resolution:
--config <path>— explicit path.--scope <scope>— resolves to the scope’s default config path (project →$CWD/cordon.toml, user →~/.config/cordon/cordon.toml).- Neither flag — defaults to project scope (
$CWD/cordon.toml).
cordon route add --config <path> can create a default config skeleton when that explicit path is missing. With default project scope or --scope, run cordon setup first. Other route subcommands require the resolved config file to already exist.
cordon route add
Add a new route. With no flags, launches an interactive wizard that prompts for route match scope, auth, and secret fields.Non-interactive mode
Pass flags to skip the wizard. Requires--host, --auth-type, --source, and the fields required by the selected auth type and secret source:
Examples
The interactive wizard infers
path_exact vs path_glob from input syntax: a value containing * or ** becomes path_glob, anything else becomes path_exact. To configure a path_exact value that contains a literal * (rare — e.g. when matching a request path that includes percent-encoded %2A), use the --path-exact flag instead of the wizard.The 0.4.0
--path-prefix flag is still accepted for compatibility but hidden from help. Prefer --path-glob '/v1/**' for new routes. Legacy prefixes are converted to glob syntax only when the conversion preserves the same match behavior.cordon route edit
Edit an existing route. With no flags (other than--scope or --config), launches an interactive editor that pre-fills current values — press Enter to keep a value, or type a new one.
Non-interactive mode
Pass flags to change only specific fields without prompting:Partial updates
Non-interactive edit changes only the fields you specify. Unspecified fields keep their current values. For 1Password sources, you can update individual sub-fields without repeating the others:Switching secret sources
When switching from one source to another with--source:
- 1password to keyring:
--accountdefaults to the route name if omitted - keyring to 1password: requires
--vault,--item, and--field