cordon.sh

Team-wide access policies and visibility for AI coding agents.

---

Supported Agents

Agent	Support	Hook Based Enforcement	MCP Elicitation Support
Claude Code	First class	✓ Yes	✓ Yes
Cursor	First class	✓ Yes	✓ Yes
VS Code Chat (Copilot)	First class	✓ Yes	✓ Yes
Gemini CLI	Effective	✓ Yes	⤫ No
OpenCode	Effective	✓ Yes	⤫ No
Codex	Limited	⤫ No	⤫ No

---

Installation

Quick install:

curl -fsSL cordon.sh/install.sh | sh

From GitHub directly:

curl -fsSL https://raw.githubusercontent.com/cordon-co/cordon-cli/main/scripts/install.sh | sh

With Go (requires ~/go/bin on PATH):

go install github.com/cordon-co/cordon-cli/cmd/cordon@latest

Quick Start

1. Initialise Cordon in your repository:

cd your-repo
cordon init

The interactive setup will detect installed agents and let you select which ones to enforce policies on.

2. Commit or ignore the config:

• To share policies with your team, commit the .cordon/ directory and any agent config changes (e.g. .claude/settings.local.json, .codex/).
• For personal use only, add .cordon/ to your .gitignore.

Commands

cordon init                          Initialise Cordon in the current repository
cordon uninstall                     Uninstall Cordon from the current repository
cordon version

cordon log [--since] [--date] [--agent] [--file] [--allow] [--deny] [--granted] [--pass] [--follow] [--export csv]

cordon file add [--allow] [--prevent-read] <pattern>
cordon file list
cordon file remove <pattern>

cordon command add [--allow] <pattern>
cordon command list
cordon command remove <pattern>

cordon pass issue --file <path> [--duration 60m|24h|7d|1w|indefinite]
cordon pass list [--all]
cordon pass revoke <pass-id>

All commands accept --json for structured output. Schemas not finalised at this time.

Build

Requires Go 1.22+.

# current platform
make build

# all release targets (darwin/linux/windows, arm64/amd64)
make build-all VERSION=1.0.0

Binaries are written to build/.

Dev Install

./scripts/dev-install.sh
# installs to ~/.local/bin/cordon by default
# override with INSTALL_DIR=/usr/local/bin ./scripts/dev-install.sh

Test

./scripts/test.sh

Runs both store-level unit tests and CLI integration tests.

Uninstallation

1. Remove Cordon from a repository:

cd your-repo
cordon uninstall

This removes the .cordon/ directory and any agent hook configurations that were added by cordon init.

2. Remove app data (optional):

rm -rf ~/.cordon/

This removes credentials, cached policies, audit logs, and other local data.

3. Remove the binary:

If installed via the install script:

rm ~/.local/bin/cordon
# or /usr/local/bin/cordon if that's where it was installed

If installed via go install:

rm ~/go/bin/cordon

License

Business Source License 1.1 — see the LICENSE file for details.