Product changelog

What's new in Cordon

Public release notes for Cordon, Codezero's local credential containment layer. Newest updates appear first.

Cordonv0.4.1

Cordon v0.4.1

This release simplifies route setup for wildcard and exact paths.

Improved

  • The route wizard now asks for a single path value and infers an exact match or wildcard glob automatically.
  • Paths containing `*` or `**` are treated as glob matches; paths without wildcards are treated as exact matches.
  • Existing `path_prefix` route configs continue to load, display, duplicate-check, and edit safely.

Fixed

  • No-op interactive edits preserve the existing path matcher kind instead of accidentally broadening credential injection.
  • Route validation now keeps legacy prefix compatibility without exposing prefix setup as the preferred new workflow.
Cordonv0.4.0

Cordon v0.4.0

This release adds wildcard and HTTP method matching for credential injection, and tightens release-readiness checks for real-world preview and staging URLs.

Added

  • Routes can now scope credential injection by exact path, wildcard path glob, and HTTP method.
  • `cordon route add` and `cordon route edit` include route-scope prompts and flags for path and method matching.
  • `cordon setup` now records coarse success or failure telemetry so setup problems are visible.

Improved

  • Credential stripping and injection now require a full route match, including any configured path and method filters.

Fixed

  • Interactive route setup re-prompts on invalid hosts instead of accepting unsafe wildcard shapes.
  • The CLI now auto-detects installed services more reliably when service commands are run without explicit platform flags.
Cordonv0.3.1

Cordon v0.3.1

This release adds explicit denylist exceptions for trusted local development services and makes startup failures much easier to diagnose after upgrades.

Added

  • New top-level `denylist_exceptions` config lets Cordon forward to specific `host:port` destinations that would otherwise be blocked by the SSRF denylist, without injecting credentials.
  • Denylist exceptions now canonicalize hosts and ports, and loopback entries automatically cover `localhost`, `127.0.0.1`, and `[::1]` for the same port.

Improved

  • Service install and start now wait longer for readiness and show the exact log command to run when startup does not complete.
  • Startup secret validation now reports keyring timeouts with the affected service and account, plus platform-specific recovery guidance.
  • `cordon doctor` now suggests exact commands for adding missing 1Password account selectors and warns when macOS services may need Keychain access approved with Always Allow.

Fixed

  • Matched `CONNECT` routes now bypass SSRF validation consistently with matched HTTP routes.
  • Pre-0.3.0 `tokens.toml` files using `[instance]` and `[integrations]` are accepted during startup and migrated through Cordon's git-safety checks when they can be rewritten safely.
  • Startup validation now serializes keyring-backed secret fetches to avoid stacking multiple macOS approval prompts at once.

Migration Notes

  • Place `denylist_exceptions` before any TOML table header in `cordon.toml`; TOML binds bare keys to the preceding table otherwise.
  • If a macOS service fails after upgrade because Keychain access is waiting for approval, stop the service, run `cordon start --config <path>` interactively, choose Always Allow, then restart the service.
  • Do not mix legacy token sections with new token sections in the same `tokens.toml`; keep either `[instance]`/`[integrations]` or `[default]`/`[clients]` until Cordon rewrites the file.
Cordonv0.3.0

Cordon v0.3.0

This release sharpens Cordon's diagnostics and reliability, with new doctor checks for post-upgrade service state and tool network isolation, plus fixes to CA bundle handling and logging.

Added

  • `cordon doctor` now warns when the running service is older than the installed binary after an upgrade, and shows the command to restart it.
  • `cordon doctor` now warns when a Go-based tool is missing the network-isolation setting it needs to route through Cordon.

Fixed

  • Linux builds now target an older glibc, so Cordon installs and runs on older distributions such as Ubuntu 18.04 without library version errors.
  • Disabling a single integration no longer removes the shared CA bundle that other integrations and tools depend on.
  • Service tracing now writes to stderr, so `cordon service log` shows startup errors and diagnostics in one chronological stream.
  • 1Password errors are now surfaced when a secret fetch fails, making misconfigurations easier to diagnose.
Cordonv0.2.7

Cordon v0.2.7

This release improves Cordon's local security model with audience-bound default and client tokens, adds OpenClaw setup support, and makes upgrades and service management smoother.

Added

  • New setup flows now create tokenized proxy URLs automatically for supported integrations.
  • Default and client tokens can now protect matched credential routes before Cordon injects upstream credentials.
  • Tokenized proxy URLs now include a local scope audience so tokens generated for one Cordon daemon are rejected by another.
  • New token commands list, rotate, and revoke local tokens.
  • Token status indicators and warnings in `cordon status` and `cordon doctor`.
  • Cordon can now upgrade itself through a dedicated `cordon upgrade` command and interactive update prompts.
  • OpenClaw setup configures Cordon-managed proxying, CA trust, daemon restart, and agent skill installation.
  • Service logs are now available directly from the CLI with `cordon service log`.
  • Added support for selecting a specific 1Password account in route secret configuration.

Improved

  • Service installation now verifies readiness before returning.
  • Existing services no longer prompt for reinstall unnecessarily.
  • Service commands preserve the logical config path used by the selected scope.
  • Doctor checks now only validate integration skill freshness when that integration is configured.
  • Expired cached TLS leaf certificates are automatically re-minted instead of reused.
  • Token redaction and git-safety checks now recognize audience-bound proxy URLs without flagging unrelated localhost credentials.
  • Update and telemetry checks now validate event names and payload shapes more strictly, while isolating telemetry failures from update-check responses.

Fixed

  • Clarified the error shown when attempting to revoke the non-revocable instance token.
  • Fixed setup and doctor behavior around service state and integration configuration.
  • Improved reliability around background service installation and startup detection.

Migration Notes

  • Existing configurations keep legacy behavior until tokens.toml is created.
  • To enable tokens for an existing config, initialize tokens for that config, then refresh any integration setup or shell environment that uses Cordon.
  • Tokenized proxy URLs now use `http://<audience>:<token>@127.0.0.1:<port>` instead of the earlier fixed `cordon` username; re-run setup or `cordon env` when refreshing tokenized integration files.
  • Tokenized proxy URLs should be treated as sensitive local configuration. New setup flows protect against writing token-bearing files into tracked or unignored Git paths.