# Introduction

> The credential containment layer that mediates credential usage at the moment of need. Applications, agents, and pipelines never hold real secrets.

## What is Cordon?

Cordon is a credential containment layer by [Codezero](https://codezero.io). It sits between the systems that protect credentials (vaults, identity providers, policy engines) and the systems that consume them: applications, AI agents, developer environments, CI/CD pipelines. Instead of handing credentials to a runtime, Cordon mediates credential use at the network boundary so secrets never enter the consuming runtime.

## Possession is the vulnerability

Credentials sprawl far beyond the vaults designed to protect them: .env files, dotfiles, CI/CD logs, Docker layers, shell history, and environment variables. Inside runtimes, they become the critical path for exploits: leaking through crash dumps, dependencies, and debug endpoints. AI agents multiply the exposure with every tool call and subprocess they spawn. Cordon eliminates the sprawl by ensuring credentials never leave the containment layer. It scales from a single developer's laptop to shared team environments to enterprise-wide deployments. Same containment model, wider boundary.

## Developer Edition

These docs cover the **Developer Edition** of Cordon: a free local gateway that runs on your machine. It transparently intercepts outbound HTTP/HTTPS requests and TCP connections and injects credentials from [1Password](https://1password.com) or your OS keychain at the network layer. No code changes. No SDK wrappers. Your applications and AI agents make normal network calls and never hold a single credential.

<CardGroup cols={2}>
  <Card title="No secrets in your runtime" icon="shield-halved">
    Credentials stay out of environment variables, logs, crash dumps, child processes, and `ps` output entirely. Cordon injects them at the network layer.
  </Card>

  <Card title="No code changes required" icon="code">
    Set `HTTPS_PROXY` / `HTTP_PROXY` and most HTTP clients route through Cordon automatically. See the [SDK and language compatibility guide](/guides/sdk-compatibility) for details.
  </Card>

  <Card title="Easy credential rotation" icon="arrows-rotate">
    Rotate an HTTP route secret in your secret store. The next matching request picks it up automatically. No restarts needed.
  </Card>

  <Card title="Bring your own vaults" icon="users">
    Integrate with native keychains, secrets managers, and the infrastructure you already invested in.
  </Card>
</CardGroup>

## How it works

<Steps>
  <Step title="Your app connects normally">
    Your app makes a normal API call or database connection. Cordon sits in the middle, transparent to your application.
  </Step>

  <Step title="Cordon matches the route">
    Cordon checks the destination against your configured routes in `cordon.toml`.
  </Step>

  <Step title="Credentials are injected at the moment of need">
    Cordon retrieves the credential from 1Password or the OS keyring and injects it into the outbound request. Your code doesn't send any auth headers. Cordon adds them entirely.
  </Step>

  <Step title="Request is forwarded">
    The request continues to the upstream service with the injected credentials. Your code never holds the real secret.
  </Step>
</Steps>
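
The four steps above, modeled as an added example (not Cordon's code and not the `cordon.toml` schema): the route table, the in-memory secret store standing in for 1Password or the OS keyring, the host `api.example.test`, and the token values are all constructed. Replacing a client-supplied value of the routed header is an assumption of this sketch.

```python
from dataclasses import dataclass, field

# Hypothetical route table: destination host -> (header, value template, secret reference).
# It only models "match the destination"; it is not the cordon.toml format.
ROUTES = {
    "api.example.test": ("Authorization", "Bearer {secret}", "example-api-token"),
}

# Constructed in-memory stand-in for 1Password / the OS keyring.
SECRET_STORE = {"example-api-token": "tok_constructed_v1"}


@dataclass
class Request:
    host: str
    path: str
    headers: dict = field(default_factory=dict)


def mediate(req: Request, routes=ROUTES, store=SECRET_STORE) -> Request:
    """Return the request as it would leave the gateway toward the upstream."""
    route = routes.get(req.host.lower())
    if route is None:
        # No configured route: forward a copy unchanged, nothing injected.
        return Request(req.host, req.path, dict(req.headers))
    header, template, ref = route
    # Assumption: a client-supplied value for the routed header is replaced,
    # so only the gateway's credential reaches the upstream.
    out = {k: v for k, v in req.headers.items() if k.lower() != header.lower()}
    # The secret is looked up per request and never cached here, which is why
    # a rotated secret appears on the next matching request without a restart.
    out[header] = template.format(secret=store[ref])
    return Request(req.host, req.path, out)


def client_request() -> Request:
    """What the application builds: no auth header and no secret in its state."""
    return Request("api.example.test", "/v1/items", {"Accept": "application/json"})


if __name__ == "__main__":
    print(mediate(client_request()).headers)
    SECRET_STORE["example-api-token"] = "tok_constructed_v2"  # rotate in the store
    print(mediate(client_request()).headers)
```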

<CardGroup cols={2}>
  <Card title="Installation" icon="download" href="/installation">
    Install Cordon via npm
  </Card>

  <Card title="Quickstart" icon="rocket" href="/quickstart">
    Get up and running in minutes
  </Card>
</CardGroup>

## Beyond Developer

The Developer Edition is free and runs locally with no account required. The credential containment layer also extends to shared and enterprise-wide environments:

* **Teams**: A shared containment layer for engineering teams running agents and pipelines together. Bring your own identity provider, vault, and policy engine.
* **Enterprise**: One containment layer for every outbound request your organization makes. Self-hosted and air-gapped deployments, identity-aware audit trails, and negotiated SLAs.

[Learn more at codezero.io](https://codezero.io).
