cordon.toml config file, and provides language-specific trust guidance.
Usage
Options
| Option | Description |
|---|---|
--config, -c | Path to cordon.toml (default: ./cordon.toml) |
--yes | Skip confirmation prompts (useful for automation and non-interactive setup) |
--regenerate-ca | Regenerate the CA certificate |
--trust | Add CA to system trust store |
--no-trust | Skip trust store prompt |
Examples
Project setup and services
Cordon is project-based. Each project has its owncordon.toml with its own routes and secrets — there is no global config or shared route table. This means route policy travels with the project and can be reviewed, version-controlled, and shared with teammates like any other project file.
The config file references secrets by name (e.g., a 1Password vault/item or a keyring account), not by value. Sharing
cordon.toml via version control only works if each teammate’s secret store uses the same names. For local development setups where each developer manages their own secrets, you may want to gitignore cordon.toml and let each developer run cordon setup independently.cordon setup writes ./cordon.toml in the current directory by default, or to the path specified by --config. Certificates are stored under ~/.config/cordon/projects/<namespace>/certs/.
This keeps route policy with the project while keeping certificate material out of the project tree so it is not accidentally committed or deleted during normal project cleanup.
Setup does not install a background service. To run cordon as a launchd/systemd service for a project, install the service explicitly after setup:
Integration subcommands
Integrations configure cordon for a specific tool — setting up the proxy env vars and CA trust settings that the tool needs. Each integration knows where its target stores configuration (e.g.,settings.json for Claude Code, ~/.codex/.env for Codex, ~/.hermes/.env for Hermes) and handles setup and teardown automatically.
Currently supported: claude-code, codex, hermes.
cordon setup claude-code
Configure cordon for Claude Code. Runs the base setup automatically, then generates a combined CA bundle and writes proxy env vars to Claude Code’s settings.json.
| Option | Description |
|---|---|
--config, -c | Path to cordon.toml (default: ./cordon.toml) |
--yes | Skip confirmation prompts (useful for automation and non-interactive setup) |
--trust | Add the CA cert to the OS trust store |
--no-trust | Skip trust store prompt |
--regenerate-ca | Regenerate the CA certificate |
cordon setup codex
Configure cordon for OpenAI Codex. Runs the base setup automatically, then writes proxy env vars to Codex’s ~/.codex/.env.
| Option | Description |
|---|---|
--config, -c | Path to cordon.toml (default: ./cordon.toml) |
--yes | Skip confirmation prompts (useful for automation and non-interactive setup) |
--trust | Add the CA cert to the OS trust store |
--no-trust | Skip trust store prompt |
--regenerate-ca | Regenerate the CA certificate |
reqwest with rustls for HTTP/TLS. Setup generates a combined CA bundle (system CAs + Cordon CA) and sets SSL_CERT_FILE, REQUESTS_CA_BUNDLE, and CURL_CA_BUNDLE to point at it.
Codex filters out
CODEX_* prefixed variables from its .env file, so the setup uses SSL_CERT_FILE instead of CODEX_CA_CERTIFICATE. The CODEX_HOME env var can override the default ~/.codex/ path.cordon setup hermes
Configure cordon for Hermes Agent. Runs the base setup automatically, then builds a combined CA bundle and writes proxy env vars to Hermes’s ~/.hermes/.env.
| Option | Description |
|---|---|
--config, -c | Path to cordon.toml (default: ./cordon.toml) |
--yes | Skip confirmation prompts (useful for automation and non-interactive setup) |
--trust | Add the CA cert to the OS trust store |
--no-trust | Skip trust store prompt |
--regenerate-ca | Regenerate the CA certificate |
httpx library, which honors HTTPS_PROXY by default. Setup generates a combined CA bundle (system CAs + Cordon CA) because Python’s SSL_CERT_FILE replaces the default cert store rather than appending to it. REQUESTS_CA_BUNDLE is also set for the requests library.
The
HERMES_HOME env var can override the default ~/.hermes/ path. If the directory doesn’t exist, setup will warn but still write the .env file.What setup does
Runningcordon setup without an integration performs the base setup only:
- Checks platform dependencies — verifies that secret providers can function at runtime (e.g., D-Bus session on Linux for keyring, 1Password CLI sign-in status). Issues are reported as warnings but do not block setup.
- Detects the project type and language ecosystem
- Generates CA certificates at
~/.config/cordon/projects/<namespace>/certs/ - Detects available secret providers and adds them to the config (OS Keyring, 1Password CLI)
- Creates
cordon.tomlwith absolute cert paths - Provides language-specific trust guidance (e.g.,
NODE_EXTRA_CA_CERTSfor Node.js)
Node.js does not use the system trust store. You must also set
NODE_EXTRA_CA_CERTS to the absolute path of your CA certificate (found in cordon.toml under tls.ca_cert_path).Integration management
Usecordon integration enable and cordon integration disable to manage tool integrations independently of the base setup.
cordon.toml so you can re-enable the integration without rotating certificates.
| Command | Creates / modifies | Removes |
|---|---|---|
cordon setup | CA cert + key, cordon.toml | — |
cordon setup claude-code | CA cert + key, cordon.toml, Claude Code settings.json env vars | — |
cordon integration enable claude-code | Same as cordon setup claude-code | — |
cordon integration disable claude-code | — | Claude Code settings.json env vars |
cordon integration disable claude-code --trust | — | Claude Code settings.json env vars + CA from system trust store |
cordon setup codex | CA cert + key, cordon.toml, Codex ~/.codex/.env env vars | — |
cordon integration disable codex | — | Codex .env env vars |
cordon setup hermes | CA cert + key, cordon.toml, combined CA bundle, Hermes ~/.hermes/.env env vars | — |
cordon integration disable hermes | — | Hermes .env env vars + combined CA bundle |
cordon trust | Adds CA to system trust store | — |
cordon untrust | — | CA from system trust store |
cordon service uninstall NAME | — | launchd plist / systemd unit |
cordon setup --regenerate-ca | Replaces existing CA cert + key | Old cert + key |
If you run
--regenerate-ca and the old CA was already trusted, rerun cordon trust after setup. Regeneration replaces the certificate files, but it does not automatically update the system trust store to trust the new CA.Certificate storage
Certificates are stored outside your project directory, so they are not at risk of being committed to git with your app code.| Scope | Path |
|---|---|
| Project setup | ~/.config/cordon/projects/<namespace>/certs/ |
<namespace> is derived from your project directory: <dirname>-<short hash> (e.g., my-app-a1b2c3d4). The hash is the first 8 hex characters of the SHA-256 of the absolute path, so two projects named my-app in different locations get separate cert stores.
The CA private key is written with 0600 permissions (owner-only read/write).
The CA private key is only useful for interception where the CA is still trusted, whether through the system trust store or an app-specific trust configuration such as
NODE_EXTRA_CA_CERTS or a custom Java trust store.Multiple projects
Each project gets its owncordon.toml with its own listen port, routes, and certificate namespace. If you run Cordon in multiple projects simultaneously, each instance must listen on a different port:
Removal recipes
To disable an integration for the current project:If you’ve already deleted
cordon.toml and the cert files, cordon untrust won’t be able to locate the CA to remove. In that case, remove it manually — on macOS, open Keychain Access and search for “cordon”; on Linux, remove the cert from /usr/local/share/ca-certificates/ and run update-ca-certificates.