Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.codezero.io/llms.txt

Use this file to discover all available pages before exploring further.

Interactive setup wizard that detects your project type, generates CA certificates, creates a cordon.toml config file, and provides language-specific trust guidance.

Usage

cordon setup [OPTIONS]
cordon setup INTEGRATION [OPTIONS]

Options

OptionDescription
--config, -cPath to cordon.toml (default: ./cordon.toml)
--yesSkip confirmation prompts (useful for automation and non-interactive setup)
--regenerate-caRegenerate the CA certificate
--trustAdd CA to system trust store
--no-trustSkip trust store prompt

Examples

# Interactive setup
cordon setup

# Non-interactive setup with trust
cordon setup --yes --trust

Project setup and services

Cordon is project-first. By default, each project has its own cordon.toml with its own routes and credentials. A user scope is also available for tools that operate across projects. cordon setup writes ./cordon.toml in the current directory by default, or to the path specified by --config. Certificates are stored under ~/.config/cordon/projects/<namespace>/certs/, outside the project tree. Setup does not install a background service. To run cordon as a launchd/systemd service for a project, install the service explicitly after setup:
cordon service install my-project --config ./cordon.toml
See process management for more on running cordon as a service.

Integration subcommands

Integrations configure cordon for a specific tool — setting up the proxy env vars and CA trust settings that the tool needs. Each integration knows where its target stores configuration (e.g., settings.json for Claude Code, ~/.codex/.env for Codex, ~/.hermes/.env for Hermes) and handles setup and teardown automatically. Currently supported: claude-code, codex, hermes.
Cordon currently supports credential injection for API key authentication only. ChatGPT/OAuth-based Codex sessions may still route through the proxy transport, but cordon does not replace or manage Codex’s ChatGPT auth state.

cordon setup claude-code

Configure cordon for Claude Code. Runs the base setup automatically, then generates a combined CA bundle and writes proxy env vars to Claude Code’s settings.json.
cordon setup claude-code
To manage the integration later, see cordon integration.
OptionDescription
--config, -cPath to cordon.toml (default: ./cordon.toml)
--yesSkip confirmation prompts (useful for automation and non-interactive setup)
--trustAdd the CA cert to the OS trust store
--no-trustSkip trust store prompt
--regenerate-caRegenerate the CA certificate
--serviceInstall cordon as a background service at the end of setup
--no-serviceSkip the end-of-setup service install prompt
--service and --no-service are mutually exclusive.

cordon setup codex

Configure cordon for OpenAI Codex. Runs the base setup automatically, then writes proxy env vars to Codex’s .env and shell_environment_policy.set entries to Codex’s config.toml.
cordon setup codex
To manage the integration later, see cordon integration.
OptionDescription
--config, -cPath to cordon.toml (default: ./cordon.toml)
--yesSkip confirmation prompts (useful for automation and non-interactive setup)
--trustAdd the CA cert to the OS trust store
--no-trustSkip trust store prompt
--regenerate-caRegenerate the CA certificate
--serviceInstall cordon as a background service at the end of setup
--no-serviceSkip the end-of-setup service install prompt
--service and --no-service are mutually exclusive. Codex uses reqwest with rustls for HTTP/TLS. Setup generates a combined CA bundle (system CAs + Cordon CA) and sets SSL_CERT_FILE, REQUESTS_CA_BUNDLE, and CURL_CA_BUNDLE to point at it in both .env and config.toml.
Codex filters out CODEX_* prefixed variables from its .env file, so the setup uses SSL_CERT_FILE instead of CODEX_CA_CERTIFICATE. The CODEX_HOME env var can override the default ~/.codex/ path. For project scope, set CODEX_HOME="$PWD/.codex" if you want Codex to load the project-local .env for its own startup-time network traffic.
When you want Codex to run outside its command sandbox, launch it with:
export CODEX_HOME="$PWD/.codex"
codex --dangerously-bypass-approvals-and-sandbox
Running Codex with --dangerously-bypass-approvals-and-sandbox is inherently riskier because model-generated commands run without Codex’s normal sandbox boundary.We are working on a path that preserves credential protection while supporting fully sandboxed Codex sessions.

cordon setup hermes

Configure cordon for Hermes Agent. Runs the base setup automatically, then builds a combined CA bundle and writes proxy env vars to Hermes’s ~/.hermes/.env.
cordon setup hermes
To manage the integration later, see cordon integration.
OptionDescription
--config, -cPath to cordon.toml (default: ./cordon.toml)
--yesSkip confirmation prompts (useful for automation and non-interactive setup)
--trustAdd the CA cert to the OS trust store
--no-trustSkip trust store prompt
--regenerate-caRegenerate the CA certificate
--serviceInstall cordon as a background service at the end of setup
--no-serviceSkip the end-of-setup service install prompt
--service and --no-service are mutually exclusive. Hermes uses Python’s httpx library, which honors HTTPS_PROXY by default. Setup generates a combined CA bundle (system CAs + Cordon CA) because Python’s SSL_CERT_FILE replaces the default cert store rather than appending to it. REQUESTS_CA_BUNDLE is also set for the requests library.
The HERMES_HOME env var can override the default ~/.hermes/ path. If the directory doesn’t exist, setup will warn but still write the .env file.

What setup does

Running cordon setup without an integration performs the base setup only:
  1. Checks platform dependencies — verifies that secret providers can function at runtime (e.g., D-Bus session on Linux for keyring, 1Password CLI sign-in status). Issues are reported as warnings but do not block setup.
  2. Detects the project type and language ecosystem
  3. Generates CA certificates at ~/.config/cordon/projects/<namespace>/certs/
  4. Detects available secret providers and adds them to the config (OS Keyring, 1Password CLI)
  5. Creates cordon.toml with absolute cert paths
  6. Provides language-specific trust guidance (e.g., NODE_EXTRA_CA_CERTS for Node.js)
If you’re using Claude Code, Codex, or Hermes, use the integration subcommands instead — they run the base setup automatically and then configure the tool’s proxy settings in one step.
Node.js does not use the system trust store. You must also set NODE_EXTRA_CA_CERTS to the absolute path of your CA certificate (found in cordon.toml under tls.ca_cert_path).

Certificate storage

Certificates are stored outside your project directory, so they are not at risk of being committed to git with your app code.
ScopePath
Project setup~/.config/cordon/projects/<namespace>/certs/
The <namespace> is derived from your project directory: <dirname>-<short hash> (e.g., my-app-a1b2c3d4). The hash is the first 8 hex characters of the SHA-256 of the absolute path, so two projects named my-app in different locations get separate cert stores. The CA private key is written with 0600 permissions (owner-only read/write).
The CA private key is only useful for interception where the CA is still trusted, whether through the system trust store or an app-specific trust configuration such as NODE_EXTRA_CA_CERTS or a custom Java trust store.

Multiple projects

Each project gets its own cordon.toml with its own listen port, routes, and certificate namespace. If you run Cordon in multiple projects simultaneously, each instance must listen on a different port:
# ~/project-a/cordon.toml
listen = 6790

# ~/project-b/cordon.toml
listen = 6791
Certificate namespaces are derived from the project directory path, so two projects with the same directory name in different locations get separate cert stores automatically. If you install background services for multiple projects, use distinct names:
cd ~/project-a && cordon service install project-a --config ./cordon.toml
cd ~/project-b && cordon service install project-b --config ./cordon.toml

Removal recipes

To disable an integration, see cordon integration disable. To remove cordon itself from a machine after all integrations are disabled:
# Remove CA from the system trust store, if present
cordon untrust --config /path/to/cordon.toml

# Remove any installed services
cordon service uninstall my-project
cordon service uninstall                      # uninstalls the current project's service

# Delete cordon-managed data
rm -rf ~/.config/cordon/
If you’ve already deleted cordon.toml and the cert files, cordon untrust won’t be able to locate the CA to remove. In that case, remove it manually — on macOS, open Keychain Access and search for “cordon”; on Linux, remove the cert from /usr/local/share/ca-certificates/ and run update-ca-certificates.