AgentMesh Rust crate
Rust crate for the Agent Governance Toolkit — policy evaluation, trust scoring, hash-chain audit logging, and Ed25519 agent identity.
Public Preview — APIs may change before 1.0.
Install
Full crate
[]
= "3.5.0"
Standalone MCP Package
If you only need the MCP governance/security surface, install the standalone crate:
[]
= "3.5.0"
agentmesh-mcp is the canonical MCP implementation. The broader agentmesh
crate keeps agentmesh::mcp only as a deprecated compatibility re-export.
Quick Start
use ;
OpenTelemetry Policy Spans
Policy-evaluation spans are available behind the opt-in telemetry feature. The
default library build has no OpenTelemetry dependency, and agentmesh does not
install or configure a global provider/exporter. Configure OpenTelemetry in the
embedding application, then install an explicit sink:
[]
= { = "3.7.0", = ["telemetry"] }
use ;
use Arc;
let client = with_options?;
let result = client.execute_with_governance;
assert!;
# Ok::
The span name is agentmesh.policy.evaluate. Attributes are deliberately
sanitized: decision label, allowed flag, elapsed milliseconds, action length,
action hash, and agent-id hash. Raw actions, agent IDs, policy YAML, context
values, prompt text, canaries, rule bodies, and denied reasons are not emitted.
Prometheus metrics and broader audit/trust/prompt/ring telemetry remain follow-up scope.
MCP-Only Quick Start
use ;
use Arc;
use Duration;
let signer = new?;
let message = signer.sign?;
signer.verify?;
let redactor = new;
let result = redactor.redact;
assert!;
# Ok::
MCP Gateway Authentication
McpGateway now requires session-backed authentication before it will evaluate
tool access. The legacy process_request path fails closed.
use ;
use Arc;
use ;
let redactor = new;
let audit = new;
let metrics = default;
let scanner = new?;
let limiter = new?;
let session_authenticator = new?;
let issued = session_authenticator.issue_session?;
let gateway = new
.with_session_authenticator;
let decision = gateway.process_authenticated_request?;
assert!;
# Ok::
Migration note
If you previously called McpGateway::process_request, switch to
process_authenticated_request and pass a session token issued by
McpSessionAuthenticator. Unauthenticated requests are now denied before
governance, audit, and rate-limit logic runs.
Prompt Injection Guard
Use PromptInjectionDetector directly when an agent needs deterministic prompt
screening before tool execution or model handoff. Custom configuration can tune
sensitivity, add local blocklist entries, allow known-benign quoted examples, and
hash custom regex bodies in public findings.
use ;
let config = DetectionConfig ;
let mut detector = with_config?;
let result = detector.detect_with_options;
assert!;
assert!;
# Ok::
Configuring built-in corpora and thresholds
Two optional DetectionConfig fields let operators tune the detector without
recompiling, while preserving secure defaults: rule_overrides and
threshold_overrides. Both default to empty, so existing YAML configs and
DetectionConfig::default() continue to behave exactly as before.
use ;
let config = DetectionConfig ;
let mut detector = with_config?;
# Ok::
The same overrides express equivalently in YAML and round-trip through
PromptInjectionDetector::from_yaml_str / from_yaml_file:
detection:
sensitivity: balanced
rule_overrides:
add:
- family: direct
name: company-rule
pattern: '(?i)leak\s+the\s+org\s+chart'
threat_level: high
confidence: 0.85
disable:
- direct:do_not_follow
threshold_overrides:
balanced:
min_threat_level: high
min_confidence: 0.85
Safety guarantees and validation. The detector fails closed on malformed input rather than silently dropping the override:
- An override
patternthat does not compile returnsPromptInjectionError::InvalidRuleOverridePattern. - An override
confidenceoutside[0.0, 1.0](or non-finite) returnsPromptInjectionError::InvalidRuleOverrideConfidence. - A
threshold_overridesmin_confidenceoutside[0.0, 1.0]returnsPromptInjectionError::InvalidThresholdOverride. - A
disableentry that does not match a known built-in rule ID returnsPromptInjectionError::UnknownBuiltInRuleId, so a typo never silently weakens detection.
Public findings remain hash-only for user-supplied content: an addition emits a
rule ID shaped like <family>:custom:sha256:<12-hex-chars>. The raw pattern
body and the optional name label never appear in DetectionResult,
AuditRecord, or any serialized form.
Operational warning. Loosening a threshold (Strict → lower
min_confidence, Balanced → lower min_threat_level, or Permissive →
either) weakens detection and is the operator's responsibility. The same
applies to disabling a built-in rule. Document any override in your repo's
threat model alongside the reason it was applied.
Performance note. Built-in rule additions are compiled when the detector is constructed, and every enabled rule is evaluated during each scan. Keep override corpora narrow, deduplicate overlapping regexes, and prefer the smallest rule family that captures the local policy.
The detector audit log is bounded and intentionally hash-only. Use the hashes, lengths, sanitized source labels, rule IDs, and threat levels for correlation without storing raw prompts, canary values, blocklist entries, or unsafe source labels.
use PromptInjectionDetector;
let mut detector = new?;
let _ = detector.detect;
for record in detector.audit_log
# Ok::
API Overview
Client (lib.rs)
Unified governance client combining all modules.
| Function / Method | Description |
|---|---|
AgentMeshClient::new(agent_id) |
Create a client with defaults |
AgentMeshClient::with_options(agent_id, opts) |
Create a client with custom config |
client.execute_with_governance(action, context) |
Run action through governance pipeline |
Policy (policy.rs)
YAML-based policy engine with four-way decisions (allow / deny / requires-approval / rate-limit).
| Function / Method | Description |
|---|---|
PolicyEngine::new() |
Create an empty policy engine |
engine.load_from_yaml(yaml) |
Load rules from a YAML string |
engine.load_from_file(path) |
Load rules from a YAML file |
engine.evaluate(action, context) |
Evaluate an action against loaded policy |
Trust (trust.rs)
Integer trust scoring (0–1000) across five tiers with optional JSON persistence.
| Function / Method | Description |
|---|---|
TrustManager::new(config) |
Create a trust manager |
TrustManager::with_defaults() |
Create with default config |
manager.get_trust_score(agent_id) |
Get current trust score |
manager.is_trusted(agent_id) |
Check against threshold |
manager.record_success(agent_id) |
Increase trust after success |
manager.record_failure(agent_id) |
Decrease trust after failure |
Trust tiers:
| Tier | Score Range |
|---|---|
| VerifiedPartner | 900–1000 |
| Trusted | 700–899 |
| Standard | 500–699 |
| Probationary | 300–499 |
| Untrusted | 0–299 |
Audit (audit.rs)
SHA-256 hash-chained audit log for tamper detection.
| Function / Method | Description |
|---|---|
AuditLogger::new() |
Create an audit logger |
logger.log(agent_id, action, decision) |
Append an audit entry |
logger.verify() |
Verify chain integrity |
logger.get_entries(filter) |
Query entries by filter |
Identity (identity.rs)
Ed25519-based agent identity with DID support.
| Function / Method | Description |
|---|---|
AgentIdentity::generate(agent_id, capabilities) |
Create a new identity |
identity.sign(data) |
Sign data with private key |
identity.verify(data, sig) |
Verify a signature |
identity.to_json() |
Serialise public identity |
AgentIdentity::from_json(json) |
Deserialise public identity |
Policy YAML Format
version: "1.0"
agent: my-agent
policies:
- name: capability-gate
type: capability
allowed_actions:
- "data.read"
- "data.write"
denied_actions:
- "shell:*"
- name: deploy-approval
type: approval
actions:
- "deploy.*"
min_approvals: 2
- name: api-rate-limit
type: rate_limit
actions:
- "api.call"
max_calls: 100
window: "60s"
Execution Rings (rings.rs)
Four-level privilege model inspired by hardware protection rings.
| Function / Method | Description |
|---|---|
RingEnforcer::new() |
Create a new enforcer with no assignments |
enforcer.assign(agent_id, ring) |
Assign an agent to a ring |
enforcer.get_ring(agent_id) |
Get assigned ring (if any) |
enforcer.check_access(agent_id, action) |
Check if action is permitted |
enforcer.set_ring_permissions(ring, actions) |
Configure allowed actions for a ring |
Ring levels:
| Ring | Level | Access |
|---|---|---|
Admin |
0 | All actions allowed |
Standard |
1 | Configurable actions |
Restricted |
2 | Configurable actions |
Sandboxed |
3 | All actions denied |
use ;
let mut enforcer = new;
enforcer.set_ring_permissions;
enforcer.assign;
assert!;
assert!;
Agent Lifecycle (lifecycle.rs)
Eight-state lifecycle model tracking an agent from provisioning through decommissioning.
| Function / Method | Description |
|---|---|
LifecycleManager::new(agent_id) |
Create a new manager (starts in Provisioning) |
manager.state() |
Get current lifecycle state |
manager.events() |
Get recorded transition events |
manager.transition(to, reason, initiated_by) |
Transition to a new state |
manager.can_transition(to) |
Check if a transition is valid |
manager.activate(reason) |
Convenience: transition to Active |
manager.suspend(reason) |
Convenience: transition to Suspended |
manager.quarantine(reason) |
Convenience: transition to Quarantined |
manager.decommission(reason) |
Convenience: transition to Decommissioning |
Lifecycle states: Provisioning -> Active <-> Suspended / Rotating / Degraded -> Quarantined -> Decommissioning -> Decommissioned
use ;
let mut mgr = new;
mgr.activate.unwrap;
assert_eq!;
mgr.suspend.unwrap;
assert_eq!;
mgr.activate.unwrap;
assert_eq!;
License
See repository root LICENSE.