GitHub Repository · 0 stars · TypeScript

Cordon – Security gateway for MCP tool calls with HITL approvals

by babas03 · Apr 28, 2026 · 2 points · 1 comment

AI Analysis


Synchronous HITL approvals for MCP agents solve the production trust gap nobody else addresses.

Strengths
  • Auto-patches Claude Desktop config in two minutes with zero infrastructure changes required.
  • Policy engine supports allow, block, approve, read-only, and log-only modes per tool.
  • Published to official MCP registry with MIT license and npm distribution.
Weaknesses
  • Currently limited to stdio MCP clients; HTTP streaming support not mentioned.
  • Audit logs lack integration with external SIEM platforms like Datadog or Splunk.
Target Audience

Developers deploying AI agents with access to production databases or APIs

Similar To

Model Context Protocol · LangChain · CrewAI

Post Description

MCP lets LLMs call real tools: databases, file systems, APIs. The spec has no security model. An agent is either off or full admin, and "trust the model" is the current answer.

Cordon is an open source MCP gateway. It's a transparent proxy that sits between your LLM client and your MCP servers. Every tool call flows through it. You define policies per tool: allow, block, approve, read only, log only.

The piece I haven't seen elsewhere is synchronous human-in-the-loop approvals. When a tool call hits an "approve" policy, the agent pauses and I get a terminal prompt (or a Slack Block Kit message) with the exact args. I approve or deny. The agent resumes. Every decision is logged.

Install: `npx cordon-cli init` auto-patches your Claude Desktop config in about two minutes. Works with Claude Desktop, Claude Code, Cursor, Windsurf, and any stdio MCP client.

Open source, MIT. Published to the official MCP registry as io.github.marras0914/cordon. There's also a hosted dashboard for centralized audit logs, but the gateway runs local and the CLI is fully offline.

Happy to answer questions about the threat model, why I built it as a proxy vs. a client-side wrapper, or how write-detection works without me enumerating every dangerous tool name.

GitHub: https://github.com/marras0914/cordon
Writeup with config examples: https://dev.to/marras0914/mcp-has-no-security-model-heres-ho...
Approval flow demo: https://i.imgur.com/nDAVxqN.gif
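The per-tool policy modes and the synchronous approval pause described in the post, as an added example that is not Cordon's code: a small TypeScript gate that decides per tool call, calls an approver callback in place of the terminal or Slack prompt, and logs every decision. The write heuristic, tool names and arguments are assumptions constructed for the demo; the page does not show Cordon's own write detection.

```typescript
// Added example, not Cordon's code: a per-tool policy gate for MCP tool calls with a decision log.
type Mode = "allow" | "block" | "approve" | "read_only" | "log_only";
type Decision = "forwarded" | "blocked";
interface ToolCall { name: string; args: Record<string, unknown> }
interface LogEntry { tool: string; mode: Mode; decision: Decision; reason: string }
// Assumed write heuristic (the page does not show Cordon's detection): treat a call
// as a write when the tool name or its arguments carry a mutating verb.
const WRITE_RE = /\b(insert|update|delete|drop|truncate|write|create|remove|put|patch)\b/i;
function looksLikeWrite(call: ToolCall): boolean {
  // snake_case and kebab-case names are split so "files_write" is still caught
  const text = (call.name + " " + JSON.stringify(call.args)).replace(/[_-]/g, " ");
  return WRITE_RE.test(text);
}
class Gateway {
  readonly log: LogEntry[] = [];
  constructor(
    private readonly policies: Record<string, Mode>,
    private readonly approver: (call: ToolCall) => boolean, // stands in for the HITL prompt
    private readonly defaultMode: Mode = "approve", // unknown tools go to a human
  ) {}

  handle(call: ToolCall): Decision {
    const mode = this.policies[call.name] ?? this.defaultMode;
    let decision: Decision = "blocked"; // fail closed unless a branch forwards
    let reason = "no matching branch";
    switch (mode) {
      case "allow": decision = "forwarded"; reason = "policy allow"; break;
      case "block": reason = "policy block"; break;
      case "log_only": decision = "forwarded"; reason = "logged only"; break;
      case "read_only":
        decision = looksLikeWrite(call) ? "blocked" : "forwarded";
        reason = decision === "blocked" ? "write under read_only" : "read under read_only";
        break;
      case "approve":
        decision = this.approver(call) ? "forwarded" : "blocked";
        reason = decision === "forwarded" ? "human approved" : "human denied";
        break;
    }
    this.log.push({ tool: call.name, mode, decision, reason });
    return decision;
  }
}
// Constructed demo: a database tool under read_only, a shell tool that needs
// approval, and a tool with no policy at all (falls to defaultMode).
function demo(approveAll: boolean): LogEntry[] {
  const gw = new Gateway({ query_db: "read_only", run_shell: "approve" }, () => approveAll);
  gw.handle({ name: "query_db", args: { sql: "SELECT id FROM users" } });
  gw.handle({ name: "query_db", args: { sql: "DELETE FROM users" } });
  gw.handle({ name: "run_shell", args: { cmd: "ls" } });
  gw.handle({ name: "unlisted_tool", args: {} });
  return gw.log;
}
```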

Similar Projects

VellaVeto — blocks unsafe MCP tool calls by default (Security)

Fail-closed MCP gateway with formal verification and MCPSEC benchmark suite.

by paolovella · 212mo ago