Show HN: Cordon – open-source security gateway for MCP tool calls
cordon-server-production.up.railway.appMCP gives AI agents access to real tools — databases, filesystems, APIs. There's no built-in way to say "require human approval before any write" or "this tool is never allowed, ever."
Cordon is a stdio proxy that sits between Claude Desktop and your MCP servers. Every tool call flows through a policy engine before it reaches the upstream server.
Policies per server or per tool: allow, block, approve, approve-writes, read-only, log-only. Write detection by tool name prefix — drop_table gets caught, read_data passes through automatically.
When a tool call needs approval, Cordon pauses and prompts in the terminal. For teams, it can route approvals to a Slack channel instead — the agent waits, a human clicks Approve or Deny, the call continues or gets blocked.
One config file:
export default defineConfig({ servers: [{ name: 'db', command: 'npx', args: ['-y', '@my-org/db-mcp'], policy: 'approve-writes', tools: { drop_table: { action: 'block' } }, }], audit: { enabled: true, output: 'file' }, approvals: { channel: 'terminal' }, });
npx cordon-cli init # patches Claude Desktop config automatically npx cordon-cli start
Every tool call is logged to a structured audit trail. If you want a hosted dashboard with a live event viewer and team API key management, there's a free hosted option at https://cordon-server-production.up.railway.app/dashboard/ — but the CLI works entirely standalone.
Repo: github.com/marras0914/cordon
No comments yet.