@getcordon/core

Intercepts tool calls from MCP clients before execution, applies configurable security policies (allowlists, denylists, parameter validation rules), and either permits or blocks execution based on policy evaluation. Implements a proxy pattern that sits between the MCP client and server, inspecting the tool name, parameters, and context to enforce organizational security boundaries without modifying the underlying MCP protocol.

Routes tool calls flagged by policy rules to a human reviewer queue, pausing execution until explicit approval or rejection is provided. Implements a callback-based workflow where blocked or high-risk calls are held in a state machine, allowing async human review via API or UI integration, then resuming or aborting the original MCP request based on the decision.

Validates MCP tool call requests and responses against schema definitions, ensuring type correctness and structural integrity. Implements schema-based validation where tool definitions include parameter schemas and response schemas, and the proxy validates incoming requests and outgoing responses against these schemas. Supports JSON Schema or similar schema formats and provides detailed validation error messages.

Routes tool calls to appropriate MCP servers based on tool availability, load, or custom routing rules, implementing a load balancing strategy that distributes calls across multiple server instances. Supports round-robin, least-connections, and custom routing algorithms. Maintains health checks on server instances and automatically removes unhealthy servers from the routing pool.

Logs all tool call attempts, policy evaluations, approval decisions, and execution results to a structured audit trail with timestamps, actor information, and decision rationale. Implements a logging pipeline that captures both successful and blocked calls, enabling forensic analysis, compliance reporting, and security investigations. Logs are structured (JSON) for easy querying and integration with SIEM systems.

Allows security policies to be defined declaratively (likely JSON or YAML) with support for composing multiple rules (allowlists, denylists, parameter constraints, rate limits) into a cohesive policy. Policies are evaluated against tool call metadata at runtime, supporting logical operators (AND, OR) and context-aware conditions (e.g., 'allow only if user role is admin'). Policies are loaded at proxy startup and can be versioned for audit purposes.

Evaluates tool call requests in the context of the requesting agent or user identity, applying identity-based access control rules. Extracts identity information from MCP request metadata (e.g., client ID, user ID, role) and uses it to make allow/block decisions, enabling fine-grained access control where different agents have different tool permissions. Supports role-based access control (RBAC) and attribute-based access control (ABAC) patterns.

Validates and optionally sanitizes parameters in tool calls before execution, enforcing constraints like type checking, value ranges, string length limits, and regex patterns. Implements a schema-based validation approach where tool parameters are validated against a schema definition, rejecting calls with invalid parameters and optionally logging violations. Supports both strict validation (reject invalid calls) and lenient modes (log and allow).

Enforces rate limits and quotas on tool calls, tracking usage per agent/user/tool and blocking calls that exceed configured limits. Implements a quota tracking system (likely using in-memory counters or external state store) that increments on each call and checks against configured limits before allowing execution. Supports multiple quota dimensions (per-minute, per-hour, per-day, per-user, per-tool) and graceful degradation (reject, queue, or throttle).

Provides a middleware pipeline architecture for transforming MCP requests and responses, allowing custom logic to be injected at various stages (pre-policy, post-policy, pre-execution, post-execution). Implements a chain-of-responsibility pattern where middleware components can inspect, modify, or reject requests/responses before they proceed to the next stage. Supports both built-in middleware (logging, metrics, validation) and custom middleware.

Filters and redacts sensitive information from tool call results before returning them to the MCP client, implementing data loss prevention (DLP) rules that identify and mask/remove sensitive data patterns. Uses pattern matching (regex, keyword lists) or semantic analysis to detect sensitive data (PII, credentials, API keys) in tool results and redacts or blocks them based on policy. Supports both automatic redaction and manual review workflows.

Collects metrics on tool call execution (latency, success rate, policy violations, approval times) and exposes them for monitoring and alerting. Implements a metrics pipeline that tracks key performance indicators (KPIs) like tool call volume, policy block rate, approval queue depth, and execution latency. Supports integration with monitoring systems (Prometheus, CloudWatch, Datadog) via standard metrics formats.