Show HN: Cordon – Security gateway for MCP tool calls with HITL approvals(github.com)
2 points by babas03 11 hours ago | 2 comments

MCP lets LLMs call real tools, databases, file systems, APIs. The spec has no security model. An agent is either off or full admin, and "trust the model" is the current answer.

Cordon is an open source MCP gateway. It's a transparent proxy that sits between your LLM client and your MCP servers. Every tool call flows through it. You define policies per tool: allow, block, approve, read only, log only.

The piece I haven't seen elsewhere is synchronous human-in-the-loop approvals. When a tool call hits an "approve" policy, the agent pauses and I get a terminal prompt (or a Slack Block Kit message) with the exact args. I approve or deny. The agent resumes. Every decision is logged.

Install: `npx cordon-cli init` auto-patches your Claude Desktop config in about two minutes. Works with Claude Desktop, Claude Code, Cursor, Windsurf, and any stdio MCP client.

Open source, MIT. Published to the official MCP registry as io.github.marras0914/cordon. There's also a hosted dashboard for centralized audit logs, but the gateway runs local and the CLI is fully offline.

Happy to answer questions about the threat model, why I built it as a proxy vs. a client-side wrapper, or how write-detection works without me enumerating every dangerous tool name.

GitHub: https://github.com/marras0914/cordon
Writeup with config examples: https://dev.to/marras0914/mcp-has-no-security-model-heres-ho...
Approval flow demo: https://i.imgur.com/nDAVxqN.gif
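An added example, not code from the post or from Cordon, of the kind of per-tool policy decision a proxy in this position would make on each MCP `tools/call` JSON-RPC request. The policy table, the `*` catch-all, the tool names and the `approver` callback are assumptions of this example; the only MCP detail it relies on is that a server may advertise a `readOnlyHint` annotation per tool in its `tools/list` response, and since that hint is server-supplied the example treats it as advisory and still routes anything it cannot confirm as read-only to a human.

```javascript
// Added example for this thread, not Cordon's code: a policy decision for
// MCP "tools/call" JSON-RPC requests, the check a gateway sitting between an
// LLM client and an MCP server would run before forwarding each call.

const POLICY_ACTIONS = new Set(["allow", "block", "approve", "read_only", "log_only"]);

// Constructed sample policy: tool name -> action. The "*" catch-all is an
// assumption of this example; Cordon's config syntax may differ.
const SAMPLE_POLICY = {
  get_weather: "allow",
  query: "read_only",
  execute_sql: "approve",
  delete_rows: "block",
  "*": "log_only",
};

// Constructed sample of what a server advertises in tools/list: the MCP
// ToolAnnotations readOnlyHint. It is a server-supplied hint, so the proxy
// treats it as advisory and gates anything it cannot confirm.
const SAMPLE_ANNOTATIONS = {
  query: { readOnlyHint: true },
  execute_sql: { readOnlyHint: false },
};

function jsonRpcError(id, code, message) {
  return { jsonrpc: "2.0", id, error: { code, message } };
}

// Decide what to do with one JSON-RPC message from the client.
// Returns { action: "forward" } to pass it to the server, or
// { action: "reject", response } to answer the client without forwarding.
// `approver(name, args)` blocks for a human decision and returns true/false;
// every tools/call decision is appended to auditLog.
function decide(message, policy, annotations, approver, auditLog) {
  if (message.method !== "tools/call") {
    return { action: "forward" }; // initialize, tools/list, etc. pass through
  }
  const name = message.params && message.params.name;
  const args = (message.params && message.params.arguments) || {};
  // Unknown tool or unknown action: fail closed rather than forward.
  let rule = typeof name === "string" ? (policy[name] ?? policy["*"] ?? "block") : "block";
  if (!POLICY_ACTIONS.has(rule)) rule = "block";

  const entry = { id: message.id, tool: name, args, rule, decision: null };
  auditLog.push(entry);
  const forward = (decision) => { entry.decision = decision; return { action: "forward" }; };
  const reject = (decision, msg) => {
    entry.decision = decision;
    return { action: "reject", response: jsonRpcError(message.id, -32000, msg) };
  };

  switch (rule) {
    case "allow":
    case "log_only":
      return forward(rule);
    case "block":
      return reject("blocked", `tool ${name} is blocked by policy`);
    case "read_only":
      if (annotations[name] && annotations[name].readOnlyHint === true) {
        return forward("read_only_ok");
      }
      // Not provably read-only: fall through to a human decision.
    case "approve": {
      const ok = approver(name, args) === true;
      return ok ? forward("approved") : reject("denied", `tool ${name} denied by operator`);
    }
  }
}

// Stand-alone demo with a constructed approver that only says yes to SELECTs.
function demo() {
  const log = [];
  const approver = (name, args) => /^\s*select\b/i.test(String(args.sql || ""));
  const req = { jsonrpc: "2.0", id: 1, method: "tools/call",
                params: { name: "execute_sql", arguments: { sql: "DROP TABLE users" } } };
  console.log(JSON.stringify(decide(req, SAMPLE_POLICY, SAMPLE_ANNOTATIONS, approver, log)));
  console.log(JSON.stringify(log));
}
if (typeof require !== "undefined" && require.main === module) demo();
```

In a real gateway `approver` would be the terminal or Slack prompt and would block the agent until the operator answers; the important property is that a denied or blocked call is answered with a JSON-RPC error so the client sees a normal failed tool result rather than a hung connection, and that the audit entry is written before the call is forwarded.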

babas03 9 hours ago | parent | next

Author here. Built this after catching myself running autonomous agents on a NUC at home with direct Postgres access and realizing I didn't have an answer for "what happens when the model has a bad day?" The MCP spec doesn't draw any lines and "just don't connect the database" isn't really an answer.

Happy to go deep on the threat model, the proxy-vs-wrapper architecture decision, or the HITL approval design. Also open to arguments that this is solving the wrong problem.

wayforth 10 hours ago | parent | prev

[dead]