kotro-proxy-engine
Health Warn
- License — License: MIT
- Description — Repository has a description
- Active repo — Last push 0 days ago
- Low visibility — Only 5 GitHub stars
Code Pass
- Code scan — Scanned 12 files during light audit, no dangerous patterns found
Permissions Pass
- Permissions — No dangerous permissions requested
No AI report is available for this listing yet.
Local AI/LLM proxy with semantic caching, MCP injection scanning, cost budgeting, and intelligent model routing — Rust/Axum
Kotro
Local Rust LLM proxy for Cursor & Claude Code — stop MCP prompt injection, cut agent token waste.
One binary on your machine. No SaaS. Sees every tool result before it reaches the model.
▶ 78s demo (narrated) · silent · dashboard · exploit guide
Who this is for
- You run Cursor, Claude Code, or any OpenAI / Anthropic-compatible agent with MCP tools
- You want injection scan + secret redaction without sending traffic through a third-party gateway
- You also want cache / budget / circuit breaker so runaway agents don’t bill you overnight
30-second install
curl -sL https://raw.githubusercontent.com/kotro-labs/kotro-proxy-engine/main/scripts/install.sh | bash
kotro-proxy
# Point your agent base URL at http://127.0.0.1:8080/v1
# Dashboard: http://127.0.0.1:9090/dashboard
| Also | |
|---|---|
| Homebrew | brew install kotro-labs/tap/kotro |
| npm | npm i -g @kotro-labs/proxy-engine |
| Cursor / VS Code | Marketplace extension |
Without Kotro → with Kotro
| Without | With |
|---|---|
| Poisoned MCP / tool text rides into the next LLM call | Scan → warn header or HTTP 400 hard-block; dashboard Detected / Blocked |
| Retries & identical turns pay full price | Exact-match cache replay (x-kotro-cache: HIT) — ~68% in the savings demo |
| Agent loops burn credits unnoticed | Circuit breaker + optional session token budget (HTTP 429) |
| Secrets leave with the prompt | Redacted outbound, restored on the stream |
See it yourself (no API key)
git clone https://github.com/kotro-labs/kotro-proxy-engine.git && cd kotro-proxy-engine
make demo-savings # ~68% savings story + secret redaction
make demo-injection # warn → HTTP 400 block + security tiles
Honest path: Kotro sits on the HTTP path to the provider — not raw MCP stdio. When an agent includes poisoned tool/file content in the next
/v1/chat/completionsor/v1/messagesbody, the scanner sees it.
Point your agent at it
Cursor
- Settings → Models
- Set OpenAI Base URL to
http://localhost:8080/v1 - Keep your provider API key
- Optional: Command Palette → Kotro: Verify Cache (MISS then HIT)
Claude Code
KOTRO_UPSTREAM_URL=https://api.anthropic.com kotro-proxy &
ANTHROPIC_BASE_URL=http://localhost:8080 claude
OpenAI-compatible (Aider, SDKs, …)
OPENAI_BASE_URL=http://localhost:8080/v1 your-tool
What it does
| Feature | Description |
|---|---|
| MCP prompt injection scanner | 14 regex patterns on tool / user text. Warn-by-default; KOTRO_INJECTION_BLOCK=true → HTTP 400. |
| Secret redaction | API keys, DB URLs, passwords, PII stripped before the cloud; restored in the stream. |
| Agent loop circuit breaker | 3+ identical tool calls → trip (X-Kotro-Circuit-Open). |
| Reasoning budget controller | Caps Anthropic thinking.budget_tokens / OpenAI max_completion_tokens. |
| Streaming prompt-state cache | Exact-match SSE replay on repeated prompts (redb). |
| Local semantic cache | On-device MiniLM (candle) for paraphrases — optional, ~26ms. |
| MCP tool result cache | TTL by category; writes invalidate reads. |
| Context compressor | Strips unchanged MCP schemas / trees across turns. |
| Per-session token budget | Hard cap → HTTP 429 + X-Kotro-Budget-Remaining. |
| WASM plugins | Bring-your-own guardrails (Go / TS / Python → WASM). |
| OpenTelemetry | OTLP traces per request. |
Is Kotro the right tool for you?
Kotro is deliberately narrow: a single-binary proxy for one developer’s coding-agent traffic. It is not a team-wide multi-provider gateway.
| Tool | Best fit |
|---|---|
| Kotro | Local security + efficiency for MCP-native agents; no third party in the request path |
| LiteLLM | Team/org routing to 100+ providers behind one API |
| Portkey | Heavier production guardrails / managed options |
| Hosted gateways | Zero infra — but a third party sees 100% of traffic |
That “nothing else in the path” property is structural, not a checkbox — a hosted gateway can’t offer it without changing its business model.
About the 99.3% upstream-token figure
In a published 3-turn codebase eval (benchmarks/eval-suite/RESULTS.md), billed upstream tokens dropped dramatically because request-shape stability let the provider’s prefix cache fire. Kotro’s local cache missed on those turns (new content each time). Treat 68% / make demo-savings as the honest “same day with local cache” story; treat 99.3% as an upstream-prefix interaction, not “local cache alone.”
Install details
| Channel | Command |
|---|---|
| 1-Click (macOS/Linux) | curl -sL https://raw.githubusercontent.com/kotro-labs/kotro-proxy-engine/main/scripts/install.sh | bash |
| Homebrew | brew install kotro-labs/tap/kotro |
| npm | npm install -g @kotro-labs/proxy-engine |
| Docker | docker run -p 8080:8080 kotrolabs/kotro-proxy |
| Marketplace | kotrolabs.kotro-proxy-engine |
| Release binary | GitHub Releases |
| From source | cargo install --path rust/kotro-proxy |
Verifying releases
Release binaries are signed keylessly via cosign + SPDX SBOM:
cosign verify-blob \
--certificate kotro-proxy-x86_64-apple-darwin.tar.gz.pem \
--signature kotro-proxy-x86_64-apple-darwin.tar.gz.sig \
--certificate-identity-regexp 'https://github.com/kotro-labs/kotro-proxy-engine/.*' \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
kotro-proxy-x86_64-apple-darwin.tar.gz
curl | bash / Homebrew / npm do not run this check automatically — verify the GitHub Release asset when you need that guarantee.
Quick start (manual)
KOTRO_UPSTREAM_URL=https://api.openai.com kotro-proxy
# or: KOTRO_UPSTREAM_URL=https://api.anthropic.com kotro-proxy
Point the IDE/SDK at http://127.0.0.1:8080/v1. Dashboard: http://127.0.0.1:9090/dashboard.
Smoke curls
curl -N http://127.0.0.1:8080/v1/chat/completions \
-H "Content-Type: application/json" \
-H "Authorization: Bearer $OPENAI_API_KEY" \
-d '{"model":"gpt-4o","stream":true,"messages":[{"role":"user","content":"hello"}]}'
curl -N http://127.0.0.1:8080/v1/messages \
-H "Content-Type: application/json" \
-H "x-api-key: $ANTHROPIC_API_KEY" \
-H "anthropic-version: 2023-06-01" \
-d '{"model":"claude-3-5-sonnet-20241022","max_tokens":256,"stream":true,"messages":[{"role":"user","content":"hello"}]}'
Cache hits return X-Kotro-Cache: HIT. Hard-block injections with KOTRO_INJECTION_BLOCK=true.
Aider + local Ollama
ollama run llama3
KOTRO_UPSTREAM_URL=http://localhost:11434/v1 kotro-proxy &
export ANTHROPIC_API_KEY="dummy"
aider --model anthropic/claude-3-5-sonnet-20241022 --openai-api-base http://localhost:8080/v1
Configuration
| Variable | Default | Purpose |
|---|---|---|
KOTRO_LISTEN_ADDR |
:8080 |
Proxy bind address |
KOTRO_UPSTREAM_URL |
http://127.0.0.1:9000 |
Provider base URL |
KOTRO_ENABLE_CACHE |
true |
Prompt-state SSE cache |
KOTRO_ENABLE_VECTOR_CACHE |
true |
On-device MiniLM layer |
KOTRO_ENABLE_REDACTION |
true |
PII / secret guardrail |
KOTRO_ENABLE_COMPRESSION |
true |
Context dedup |
KOTRO_ENABLE_INJECTION_SCAN |
true |
MCP injection patterns |
KOTRO_INJECTION_BLOCK |
false |
Hard-block → HTTP 400 |
KOTRO_CACHE_HIT_DELAY_MS |
2 |
Replay pacing |
KOTRO_CACHE_TTL |
24h |
Entry lifetime (0 = no expiry) |
KOTRO_EVICTION_INTERVAL |
10m |
Expired-key sweep |
KOTRO_ENABLE_METRICS |
true |
/metrics + /dashboard |
KOTRO_METRICS_ADDR |
127.0.0.1:9090 |
Telemetry bind |
KOTRO_DASHBOARD_USD_PER_TOKEN |
0.000015 |
Hero $ estimate rate |
KOTRO_OTEL_ENDPOINT |
(empty) | OTLP traces |
KOTRO_WASM_PLUGINS |
(empty) | Comma-separated .wasm paths |
KOTRO_REDIS_URL |
(empty) | Optional shared cache |
KOTRO_CACHE_KEY_STRATEGY |
window_n |
latest_only | window_n | full_digest |
KOTRO_CACHE_WINDOW_SIZE |
4 |
Turns hashed for window_n |
KOTRO_PROFILE |
(empty) | cursor | copilot | continue |
Cache key strategies
| Strategy | What is hashed | Recommended for |
|---|---|---|
window_n (default) |
System + last N turns | Production agent loops |
full_digest |
Entire conversation | Strict / multi-tenant |
latest_only |
System + latest user | Legacy only — risky for multi-turn |
Profiles
| Profile | Listen | Cache strategy | IDE |
|---|---|---|---|
cursor |
:8080 |
window_n |
Cursor |
copilot |
:8080 |
full_digest |
GitHub Copilot |
continue |
:8080 |
window_n |
Continue.dev |
Architecture
IDE / Agent → kotro-proxy (:8080)
├─ injection scan · redaction · loop / budget
├─ cache · compress · tool cache
├─ /v1/chat/completions
├─ /v1/messages
└─ /v1/* (passthrough)
↓
upstream (OpenAI, Anthropic, Ollama, mock, …)
Launch docs: Week 1 distribution · Dev.to article (cost → security) · Viral packaging notes
Cancel-storm leak audit
brew install k6
make cancel-audit
Rust (shipping target)
cd rust && cargo test && cargo run -p kotro-proxy
Architecture map: docs/RUST-ARCHITECTURE.md
The Go tree under internal/ is frozen at v0.1.0-go as a behavioral reference — not the runtime you should ship.
Benchmarks
make load-test
make eval-suite
Results: benchmarks/eval-suite/RESULTS.md. Threat model: docs/security/THREAT-MODEL.md.
Project layout
rust/kotro-proxy/ Active Rust implementation
cmd/mockupstream/ Offline OpenAI + Anthropic SSE mock
docs/launch/ Demo scripts, HN / Dev.to assets
internal/ Frozen Go reference
scripts/ install, demos, benches
License
MIT — contributions welcome.
Reviews (0)
Sign in to leave a review.
Leave a reviewNo results found