Cordum Edge for Claude Code
This guide explains how Cordum Edge governs Claude Code through the command-hook
path and the cordumctl edge claude launcher.
Cordum stays quiet until governance matters. Developers see Cordum exactly when it protects them: before a risky tool runs, when approval is needed, and when evidence must be exported.
Command
CORDUM_GATEWAY=http://localhost:8081 \
CORDUM_API_KEY=<cordum-api-key> \
CORDUM_TENANT_ID=default \
cordumctl edge claude -- --print "summarize this repo"
Use cordumctl edge claude [edge flags] -- [claude args...]. Cordum flags stay
before --; Claude arguments go after it. The wrapper supplies the governed
--settings file and rejects a forwarded --settings override so the governed
settings cannot be accidentally replaced. See the CLI reference for
the full flag table.
Hook and agentd behavior
The runtime path is:
Claude Code command hook → cordum-hook → local cordum-agentd → Gateway evaluate
cordum-hookreads one bounded JSON payload from stdin, redacts/maps it, and calls only the local agentd URL — never the Gateway directly.cordum-agentdowns Edge session/execution lifecycle, heartbeat, local hook authentication, Gateway evaluate calls, optional safe-allow cache, optional inline approval wait, and shutdown evidence.- Gateway / Safety Kernel own tenant-aware policy evaluation, approvals, audit, metrics, and redaction before persistence.
What the wrapper does
- Resolves Gateway credentials, tenant, principal, cwd/repo/git/host metadata, policy mode, approval-wait timeout, and dashboard URL.
- Generates a high-entropy nonce and starts
cordum-agentdwith the nonce inCORDUM_AGENTD_NONCEplus Gateway credentials. - Waits for agentd to write session/execution/dashboard state.
- Renders temporary Claude command-hook settings with a bare loopback
CORDUM_AGENTD_URLandCORDUM_AGENTD_HOOK_TIMEOUT=4.5s. - Launches Claude with
CORDUM_AGENTD_HOOK_NONCEonly in the process environment. - Propagates Claude's exit code and cleans up the tempdir/agentd process.
Settings generation
Generated settings contain command hooks for supported Claude events and non-secret session metadata. They never contain:
CORDUM_API_KEY,CORDUM_AGENTD_NONCE,CORDUM_AGENTD_HOOK_NONCEnonce=URL query strings- provider API keys, bearer tokens, raw prompts, raw tool payloads, transcripts, or command output
Use --settings-output - to inspect the generated JSON safely. File output is
create-only and refuses to overwrite an existing operator/user settings file.
Approval UX
A REQUIRE_APPROVAL decision becomes a Claude-compatible deny with an
approval_ref and retry guidance. Reviewers approve/reject in Cordum; the agent
then retries the same action. Replay checks bind the approval to the action
hash, input hash, and policy snapshot — approval records a governance decision,
it does not edit command content.
For destructive actions, the backend approval must also have matching resolved
audit provenance before the retry is allowed: the tenant audit chain needs an
approved edge.approval_resolved event with the same approval_ref and
action_hash. A requested-only approval event is not proof of approval. See
Policy & modes for the full contract.
Why Cordum Edge?
Organizations often choose Cordum Edge over building custom hooks or relying on built-in agent permissions because it provides a unified governance layer that works across agents.
| Feature | Claude Built-ins | Custom Hooks (DIY) | Cordum Edge |
|---|---|---|---|
| Enforcement | Basic tool permissions | Custom code | Deterministic Action Gates |
| Auth/Identity | None | You own it | Tenant-aware Principal ID |
| Redaction | None | You own it | Zero-prompt/zero-secret persistence |
| Approvals | None | Manual CLI prompts | Dashboard + Hash-bound retries |
| Audit Chain | Local logs | Local logs | Cryptographic audit chain |
| Replay Safety | No | No | Snapshot-bound hash checks |
Hook and agentd behavior
...
Fail modes
Policy modes determine how the system behaves when the Cordum Gateway is unreachable or the policy classification is unknown.
| Mode | Use | Behavior when Cordum governance is unavailable |
|---|---|---|
observe | Discovery and low-friction dev visibility. | Allow degraded actions, record evidence where possible. |
enforce | Local enforcement for risky/unknown actions. | Allow known-safe actions only; deny risky/unclassified actions. |
enterprise-strict | Managed enterprise rollout. | Fail closed. |
Note:
local-dev-enforceis a hook-recognizedCORDUM_EDGE_MODEvalue for fail-closed enforcement (e.g. set via a settings file); it is not settable through--policy-mode.
Malformed hook input fails closed with redacted stderr. Hook timeout values must
stay below Claude Code's 5s command-hook deadline; generated settings use
4.5s.
Token tradeoffs
The developer wrapper avoids storing long-lived API keys or hook nonces in settings/evidence, but same-user process inspection may see runtime process env while a local session is running. That is acceptable for development only. Enterprise enforcement requires managed settings, endpoint controls, binary trust, and service-bootstrap/keychain secret handling — see Architecture.