Own Your Stack.


Own your prompts

cordon

A PII-redacting gateway that fails closed — strip or reversibly tokenize names, emails, and secrets before a prompt ever reaches a model.


01 What it is

The prompt is where the private data leaks. The moment you send a request to a model, the provider — and everything downstream of it: logs, retention, subprocessors — sees whatever was in it. A customer email, a card number, an API key pasted into context. Once it's sent, you can't take it back.

cordon is a drop-in compliance gateway that sits between your app and the provider. Point any OpenAI- or Anthropic-compatible client at it and change nothing but the base URL. Raw PII, PHI, PCI, and secrets are detected and stripped or tokenized before the request is forwarded, so the model only ever sees placeholders. It is fail-closed — if detection errors, the request is blocked, never forwarded with PII intact — and self-hosted, so the data never leaves your network.

cordon · reversible
# client sends a normal request
email john@acme.com re card 4012-8888-8888-1881

# the model receives
email <EMAIL_1> re card <CREDIT_CARD_1>

# the client receives (restored)
email john@acme.com re card 4012-8888-8888-1881
Fig. 1 — de-identify upstream, restore in the reply.

02 What it does

Redacts before the request leaves your network

Every generation request to /v1/messages or /v1/chat/completions is de-identified first: emails, phone numbers, SSNs, addresses, card numbers, IBANs, routing numbers, and provider keys are replaced with placeholders. The model never sees the raw value, and neither does anything downstream of it.

Strip, reversibly tokenize, or pass through

Three modes, set per-tenant or per-request via X-Redact-Mode. reversible swaps real values for placeholders upstream and restores them in the reply — including across a streaming frame boundary — so the answer stays usable. strip leaves irreversible placeholders for when the value never needs to come back. off passes through, still audited as a bypass.

Deterministic detection, no ML dependency

Regex plus checksum validators — Luhn for cards, ISO 7064 mod-97 for IBANs, ABA for routing numbers, area/group rules for SSNs — so a wrong redaction doesn't corrupt the prompt. Overlapping matches resolve by precedence, so a 16-digit card isn't also clipped as a phone number. Fully auditable; an optional NER sidecar can slot in without touching the proxy spine.
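An added sketch of the approach described above (not cordon's own code): regex candidates, a Luhn check, precedence for overlapping matches, and reversible placeholders as in Fig. 1. The patterns, the detector order and the names `luhn_ok`, `deidentify` and `restore` are assumptions made for illustration.

```python
import re

def luhn_ok(s):
    """Luhn checksum over the digits of s (separators ignored)."""
    digits = [int(c) for c in s if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

# Assumed detectors in precedence order: earlier entries win an overlap.
# The phone pattern is deliberately loose so that it collides with card numbers.
DETECTORS = [
    ("CREDIT_CARD", re.compile(r"\b\d(?:[ -]?\d){12,18}\b"), luhn_ok),
    ("EMAIL", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"), None),
    ("PHONE", re.compile(r"\b(?:\d[ -]?){9,14}\d\b"), None),
]

def deidentify(text):
    """Return (redacted_text, vault); vault maps placeholder -> raw value."""
    hits = []
    for rank, (kind, rx, validator) in enumerate(DETECTORS):
        for m in rx.finditer(text):
            if validator is None or validator(m.group()):
                hits.append((rank, m.start(), m.end(), kind))
    hits.sort()  # highest precedence first, then left to right
    kept = []
    for rank, s, e, kind in hits:
        if all(e <= ks or s >= ke for ks, ke, _ in kept):  # drop overlaps
            kept.append((s, e, kind))
    kept.sort()
    vault, counts, out, pos = {}, {}, [], 0
    for s, e, kind in kept:
        counts[kind] = counts.get(kind, 0) + 1
        token = f"<{kind}_{counts[kind]}>"
        vault[token] = text[s:e]
        out += [text[pos:s], token]
        pos = e
    out.append(text[pos:])
    return "".join(out), vault

def restore(text, vault):
    """Swap placeholders in a model reply back to the raw values."""
    return re.sub(r"<[A-Z_]+_\d+>", lambda m: vault.get(m.group(), m.group()), text)
```

In this sketch the vault is a plain dict that lives only as long as the caller keeps it, and a placeholder the vault does not know is left untouched on restore.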

Fail-closed, with a tamper-evident audit

If detection errors, the request is blocked and the upstream is never called — never forwarded with PII intact. Every request appends one record to a hash-chained log carrying counts and types only, never values; hash = sha256(prevHash + record), so any edit, deletion, or reorder breaks the chain and is provable.

Drop-in and stateless

Change only the base URL — provider auth is forwarded verbatim, cordon never terminates it. The per-request vault is ephemeral and there's no shared cache, so it runs as a single self-contained container with no Redis or DB sidecar. Consistent pseudonyms and per-tenant data-residency routing are policy knobs. MIT-licensed.


03 Where it sits

Part of The Guard.

cordon scrubs the prompt. The rest of The Guard contains the action, vets the tools, holds the keys, and guards the browser — all five compose behind one MCP server.

Redact the prompt, not your usefulness.

cordon is open source and MIT-licensed. Read the code, point a client at it, run it on your own box.
