Store and manage credentials in the OS keyring for use with cordon’s keyring secret source.
Secret commands take a keyring account name directly — they are decoupled from routes and config files. Use cordon route show <name> or cordon listener show <name> to find the keyring account for a route or listener.
No --config or --scope flags — secret commands operate on the OS keyring directly by account name, independent of any config file.
cordon secret set
Store a secret in the OS keyring.
cordon secret set ACCOUNT [--yes]
The keyring service name is always cordon. Prompts for the secret value interactively (the value is not echoed to the terminal). If an entry already exists for the account, prompts for confirmation before overwriting.
| Argument / Option | Description |
|---|---|
| ACCOUNT | Keyring account name |
| --yes, -y | Skip confirmation prompts (overwrite existing) |
Example
# Find the keyring account for a route:
cordon route show stripe
# → account: stripe-api-key
# Store the credential:
cordon secret set stripe-api-key
# Enter secret value: ****
cordon secret set also accepts piped stdin for automation. The secret source
should be a secret manager or ephemeral credential — never echo, printf, or
a plaintext file:
# Good — secret comes from 1Password CLI, never touches disk or shell history
op read "op://Engineering/Stripe API Key/secret_key" | cordon secret set stripe-api-key --yes
# Bad — secret is in shell history
echo 'sk_live_...' | cordon secret set stripe-api-key --yes
# Bad — secret is in a plaintext file on disk
cat secret.txt | cordon secret set stripe-api-key --yes
Avoid passing secrets through echo, printf, or files. These expose the
credential in shell history (~/.zsh_history, ~/.bash_history) or leave it
as plaintext on disk. Use the interactive prompt (the default) or pipe from a
secret manager.
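To check whether the patterns warned about above have already happened on a machine, the following added example (not part of cordon or its documentation) scans history files for a literal or a plaintext file piped into cordon secret set. The function name audit_history and the sample history lines are constructed for illustration; it assumes plain bash history and zsh extended-history formats.

```shell
#!/bin/sh
# Added example: audit shell history for secrets piped into `cordon secret set`.
# Reports file:line:reason only; the command text (and the secret) is never printed.

audit_history() {
    for hist in "$@"; do
        [ -r "$hist" ] || continue
        awk -v file="$hist" '
            {
                cmd = $0
                # Drop the zsh EXTENDED_HISTORY prefix ": <epoch>:<elapsed>;"
                sub(/^: [0-9]+:[0-9]+;/, "", cmd)
            }
            # Ignore anything that does not pipe into cordon secret set
            cmd !~ /\|[ \t]*cordon[ \t]+secret[ \t]+set/ { next }
            {
                # Keep only the producer side of the pipe
                producer = cmd
                sub(/\|[ \t]*cordon[ \t]+secret[ \t]+set.*/, "", producer)
                if (producer ~ /(^|[;&|( \t])(echo|printf)[ \t]/)
                    print file ":" NR ":literal-in-history"
                else if (producer ~ /(^|[;&|( \t])cat[ \t]/)
                    print file ":" NR ":plaintext-file"
            }
        ' "$hist"
    done
}

# Constructed sample history (last line uses the zsh extended format).
sample=$(mktemp)
cat > "$sample" <<'EOF'
cordon route show stripe
op read "op://Engineering/Stripe API Key/secret_key" | cordon secret set stripe-api-key --yes
echo 'sk_live_...' | cordon secret set stripe-api-key --yes
cat secret.txt | cordon secret set stripe-api-key --yes
: 1700000000:0;printf '%s' 'sk_live_...' | cordon secret set stripe-api-key -y
EOF
audit_history "$sample"   # flags lines 3, 4 and 5; line 2 (op read) is clean
rm -f "$sample"
```

Run it against real history with audit_history ~/.bash_history ~/.zsh_history. Any credential it flags should be rotated, since removing the history line does not undo the exposure.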
On macOS, use cordon secret set rather than the security CLI to store credentials. Cordon needs to own the keychain entry to read it without triggering an authorization dialog on every request. See Secret Sources for details.
macOS SSH / headless sessions: If you run cordon secret set over SSH, in a
headless CI job, or in a detached screen/tmux session, macOS Keychain will reject
the operation with Platform secure storage failure: User interaction is not allowed.
Unlock the login keychain first:
security unlock-keychain ~/Library/Keychains/login.keychain-db
This prompts for your macOS login password. Once unlocked, keychain operations work
for the remainder of the session. If you have access to the Mac directly or via
screen sharing, run cordon secret set from a terminal in the desktop session
instead — the login keychain is already unlocked there.
cordon secret delete
Remove a secret from the OS keyring. Prompts for confirmation before deleting.
cordon secret delete ACCOUNT [--yes]
| Argument / Option | Description |
|---|---|
| ACCOUNT | Keyring account name |
| --yes, -y | Skip confirmation prompt |
# Delete a keyring entry
cordon secret delete stripe-api-key
# Skip confirmation
cordon secret delete stripe-api-key --yes