Documentation Index
Fetch the complete documentation index at: https://docs.codezero.io/llms.txt
Use this file to discover all available pages before exploring further.
What is Cordon?
Cordon is a credential containment layer by Codezero. It sits between the systems that protect credentials (vaults, identity providers, policy engines) and the systems that consume them: applications, AI agents, developer environments, CI/CD pipelines. Instead of handing credentials to a runtime, Cordon mediates every credential use at the exact moment of need. Credentials are injected in transit, per-request, and never enter the consuming runtime.Possession is the vulnerability
Credentials sprawl far beyond the vaults designed to protect them: .env files, dotfiles, CI/CD logs, Docker layers, shell history, and environment variables. Inside runtimes, they become the critical path for exploits: leaking through crash dumps, dependencies, and debug endpoints. AI agents multiply the exposure with every tool call and subprocess they spawn. Cordon eliminates the sprawl by ensuring credentials never leave the containment layer. It scales from a single developer’s laptop to shared team environments to enterprise-wide deployments. Same containment model, wider boundary.Developer Edition
These docs cover the Developer Edition of Cordon: a free local gateway that runs on your machine. It transparently intercepts outbound HTTP/HTTPS requests and TCP connections and injects credentials from 1Password or your OS keychain at the network layer. No code changes. No SDK wrappers. Your applications and AI agents make normal network calls and never hold a single credential.No secrets in your runtime
Credentials stay out of environment variables, logs, crash dumps, child processes, and
ps output entirely. Cordon injects them at the network layer.No code changes required
Set
HTTPS_PROXY / HTTP_PROXY and most HTTP clients route through Cordon automatically. See the SDK and language compatibility guide for details.Easy credential rotation
Rotate a secret in your secret store. The next request picks it up automatically. No restarts needed.
Bring your own vaults
Integrate with native keychains, secrets managers, and the infrastructure you already invested in.
How it works
Your app connects normally
Your app makes a normal API call or database connection. Cordon sits in the middle, transparent to your application.
Cordon matches the route
Cordon checks the destination against your configured routes in
cordon.toml.Credentials are injected at the moment of need
Cordon retrieves the credential from 1Password or the OS keyring and injects it into the outbound request. Your code doesn’t send any auth headers. Cordon adds them entirely.
Installation
Install Cordon via npm
Quickstart
Get up and running in minutes
Beyond Developer
The Developer Edition is free and runs locally with no account required. The credential containment layer also extends to shared and enterprise-wide environments:- Teams: A shared containment layer for engineering teams running agents and pipelines together. Bring your own identity provider, vault, and policy engine.
- Enterprise: One containment layer for every outbound request your organization makes. Self-hosted and air-gapped deployments, identity-aware audit trails, and negotiated SLAs.