Skip to main content
Install the Cordon CLI first. It runs the local proxy and provides the setup, configuration, and service commands.

CLI

npm install -g @codezero-io/cordon
This installs the cordon binary globally. Platform-specific binaries are bundled for:
  • macOS ARM64 (Apple Silicon)
  • macOS x64 (Intel)
  • Linux x64 (glibc 2.17+ — RHEL 7+, Ubuntu 18.04+, Debian 10+)
  • Linux ARM64 (glibc 2.17+ — RHEL 7+, Ubuntu 18.04+, Debian 10+)
Requires Node.js 20.18.1 or later.

Verify installation

cordon --version

Cordon Monitor macOS app

Cordon Monitor is an optional macOS menu bar app for observing local Cordon instances. It shows which project and user-scope instances are present, whether they are running, which ports they use, and the routes/listeners loaded from their configs. It is observability-only: Cordon Monitor does not start, stop, or reconfigure Cordon, and it does not handle credentials. Use the cordon CLI for setup and control.

Download Cordon Monitor macOS app

Observability-only companion app for macOS 14+. Signed and notarized.

SHA-256 checksum

Verify the downloaded DMG before opening it.
Open the DMG and drag Cordon Monitor to Applications. To verify the download, place the DMG and checksum file in the same directory and run (replace <version> with the downloaded version): 
shasum -a 256 -c Cordon-Monitor-<version>.dmg.sha256
Cordon Monitor does not install the cordon CLI. Install the CLI above to run the proxy.

Prerequisites

Cordon needs a secret source to fetch credentials from. You’ll need at least one of:
Install the 1Password CLI (op) and sign in:
# Install (macOS)
brew install --cask 1password-cli

# Sign in
op signin
The op CLI must be authenticated before starting cordon.
Cordon uses the operating system’s built-in credential store:
  • macOS: Keychain Access — no additional setup needed.
  • Linux: Secret Service API (via D-Bus), typically provided by GNOME Keyring or KDE Wallet. Requires a desktop session.
On Linux, ensure a Secret Service provider is installed:
sudo apt install gnome-keyring   # Debian/Ubuntu
After installing, log out and log back in so the keyring daemon starts and creates a default “login” collection.
The OS keyring requires a desktop session with D-Bus. It does not work in containers, CI, or headless servers.
Store credentials with the cordon secret set command (see Secret Sources).