t-ron 0.22.4

MCP security monitor — tool call auditing, rate limiting, injection detection, and anomaly analysis

Coverage
60.32%
76 out of 126 items documented0 out of 69 items with examples
Size
Source code size: 141.81 kB This is the summed size of all the files inside the crates.io package for this release.
Documentation size: 10.37 MB This is the summed size of all files generated by rustdoc for all configured targets
Ø build duration
this release: 43s Average build duration of successful builds.
all releases: 49s Average build duration of successful builds in releases after 2024-10-23.
Links
Homepage
MacCracken/t-ron
0 0 0
crates.io
Dependencies
Versions
- 0.26.3 (2026-03-26)
- 0.22.4 (2026-03-22)
Owners

T-Ron

T-Ron (the security program that fights the MCP) -- MCP security monitor for AGNOS

T-Ron is a security middleware library that sits between bote (MCP protocol layer) and tool handlers, enforcing per-agent permissions, rate limiting, payload scanning, pattern analysis, and auditing every call to a tamper-proof libro hash chain. Named after Tron, the security program that fights the Master Control Program.

Architecture

Agent --> bote (MCP protocol) --> t-ron (security gate) --> tool handler
                                    |-- policy check (per-agent ACLs)
                                    |-- rate limiting (token bucket)
                                    |-- payload scanning (injection detection)
                                    |-- pattern analysis (anomaly detection)
                                    '-- audit logging (libro hash chain)

T-Ron is a library crate -- no HTTP server, no CLI, no binary. Consumers embed it as middleware in their MCP tool dispatch pipeline via SecurityGate. The SecureYeoman T.Ron personality queries it for security insights.

Quick Start

use t_ron::{TRon, TRonConfig, middleware::SecurityGate, tools};
use bote::{Dispatcher, registry::ToolRegistry};

// Create monitor with deny-by-default policy
let tron = TRon::new(TRonConfig::default());

// Load per-agent ACLs from TOML
tron.load_policy(r#"
[agent."web-agent"]
allow = ["tarang_*", "rasa_*"]
deny = ["aegis_*", "phylax_*"]
"#)?;

// Register t-ron's tool definitions alongside your app tools
let mut registry = ToolRegistry::new();
for def in tools::tool_defs() {
    registry.register(def);
}
// ... register your app tools ...

// Wrap bote dispatcher with security gate
let dispatcher = Dispatcher::new(registry);
let mut gate = SecurityGate::new(tron, dispatcher);
gate.register_tool_handlers();

// Every tools/call is now security-checked before reaching your handler
let response = gate.dispatch(&request, "web-agent").await;

Features

SecurityGate Middleware -- wraps bote Dispatcher with pre-dispatch security checks on every tools/call; non-tool methods pass through unmodified
Policy Engine -- per-agent ACLs with glob pattern matching (tarang_*), deny-wins-over-allow semantics, TOML configuration
Rate Limiter -- per-agent, per-tool token bucket with configurable rates (default 60 calls/minute)
Payload Scanner -- regex-based injection detection: SQL injection, shell injection, template injection, path traversal
Pattern Analyzer -- anomaly detection on tool call sequences: tool enumeration detection, privilege escalation monitoring
Risk Scoring -- rolling per-agent threat score (0.0 = trusted, 1.0 = hostile) based on audit history
Audit Logger -- dual-write to an in-memory ring buffer (fast operational queries) and a libro cryptographic hash chain (tamper-proof audit trail with integrity verification)
MCP Tools -- tron_status, tron_risk, tron_audit, tron_policy registered as bote tool handlers for the T.Ron personality
Query API -- read-only interface for the T.Ron personality in SecureYeoman: security events, risk scores, chain verification
Default Deny -- unknown agents and tools are denied by default (configurable: allow, deny, or flag)

T.Ron Personality Integration

The TRonQuery API is designed for the T.Ron personality in SecureYeoman to query security state:

let query = tron.query();

// "What's the risk level for agent web-agent?"
let risk = query.agent_risk_score("web-agent").await;

// "Show me recent security events"
let events = query.recent_events(20).await;

// "How many calls have been blocked?"
let denials = query.total_denials().await;

// "What happened with agent data-pipeline?"
let trail = query.agent_audit("data-pipeline", 50).await;

// "Is the audit chain intact?"
query.verify_chain()?;

// "Give me a security summary"
let review = query.chain_review();

The same queries are available as MCP tools (tron_status, tron_risk, tron_audit, tron_policy) for agents to call directly through bote.

Roadmap

Post-release -- agnosticos integration

Load policy from /etc/agnos/t-ron.toml at startup
Hot-reload policy on SIGHUP
agnoshi intents for natural language security queries

Phase 2 -- Advanced Detection

ML-based anomaly detection (train on normal patterns, flag deviations)
Privilege escalation pattern detection (benign -> sensitive tool sequences)
Cross-agent correlation (detect coordinated attacks)
Prompt injection detection in tool parameters (LLM-assisted via hoosh)
Time-of-day anomaly detection

Phase 3 -- Hardening

Policy signing (sigil trust verification)
Encrypted audit log export
Real-time alerts via daimon event bus
Dashboard integration (aethersafha security panel)
Edge fleet policy distribution

Reference Code

Source	Relevance	Location
bote	MCP protocol layer -- t-ron wraps its Dispatcher via SecurityGate	`/home/macro/Repos/bote`
libro	Cryptographic audit chain -- t-ron writes every verdict to libro	`/home/macro/Repos/libro`
aegis `aegis.rs`	System security daemon -- t-ron is the MCP-specific complement	`userland/agent-runtime/src/aegis.rs`
phylax `phylax.rs`	Threat detection engine -- t-ron focuses on MCP layer	`userland/agent-runtime/src/phylax.rs`
SecureYeoman	T.Ron personality consumes query API and MCP tools	`/home/macro/Repos/SecureYeoman`

License

GPL-3.0 -- see LICENSE for details.