kotro-proxy-engine

mcp
Security Audit
Warn
Health Warn
  • License — License: MIT
  • Description — Repository has a description
  • Active repo — Last push 0 days ago
  • Low visibility — Only 5 GitHub stars
Code Pass
  • Code scan — Scanned 12 files during light audit, no dangerous patterns found
Permissions Pass
  • Permissions — No dangerous permissions requested

No AI report is available for this listing yet.

SUMMARY

Local AI/LLM proxy with semantic caching, MCP injection scanning, cost budgeting, and intelligent model routing — Rust/Axum

README.md

Kotro

Kotro

Local Rust LLM proxy for Cursor & Claude Code — stop MCP prompt injection, cut agent token waste.

One binary on your machine. No SaaS. Sees every tool result before it reaches the model.

CI Release npm VS Code Marketplace License: MIT

▶ 78s demo (narrated) · silent · dashboard · exploit guide

Kotro dashboard — injections blocked + savings

Who this is for

  • You run Cursor, Claude Code, or any OpenAI / Anthropic-compatible agent with MCP tools
  • You want injection scan + secret redaction without sending traffic through a third-party gateway
  • You also want cache / budget / circuit breaker so runaway agents don’t bill you overnight

30-second install

curl -sL https://raw.githubusercontent.com/kotro-labs/kotro-proxy-engine/main/scripts/install.sh | bash
kotro-proxy
# Point your agent base URL at http://127.0.0.1:8080/v1
# Dashboard: http://127.0.0.1:9090/dashboard
Also
Homebrew brew install kotro-labs/tap/kotro
npm npm i -g @kotro-labs/proxy-engine
Cursor / VS Code Marketplace extension

Without Kotro → with Kotro

Without With
Poisoned MCP / tool text rides into the next LLM call Scan → warn header or HTTP 400 hard-block; dashboard Detected / Blocked
Retries & identical turns pay full price Exact-match cache replay (x-kotro-cache: HIT) — ~68% in the savings demo
Agent loops burn credits unnoticed Circuit breaker + optional session token budget (HTTP 429)
Secrets leave with the prompt Redacted outbound, restored on the stream

See it yourself (no API key)

git clone https://github.com/kotro-labs/kotro-proxy-engine.git && cd kotro-proxy-engine
make demo-savings      # ~68% savings story + secret redaction
make demo-injection    # warn → HTTP 400 block + security tiles

Honest path: Kotro sits on the HTTP path to the provider — not raw MCP stdio. When an agent includes poisoned tool/file content in the next /v1/chat/completions or /v1/messages body, the scanner sees it.


Point your agent at it

Cursor

  1. Settings → Models
  2. Set OpenAI Base URL to http://localhost:8080/v1
  3. Keep your provider API key
  4. Optional: Command Palette → Kotro: Verify Cache (MISS then HIT)

Claude Code

KOTRO_UPSTREAM_URL=https://api.anthropic.com kotro-proxy &
ANTHROPIC_BASE_URL=http://localhost:8080 claude

OpenAI-compatible (Aider, SDKs, …)

OPENAI_BASE_URL=http://localhost:8080/v1 your-tool

What it does

Feature Description
MCP prompt injection scanner 14 regex patterns on tool / user text. Warn-by-default; KOTRO_INJECTION_BLOCK=true → HTTP 400.
Secret redaction API keys, DB URLs, passwords, PII stripped before the cloud; restored in the stream.
Agent loop circuit breaker 3+ identical tool calls → trip (X-Kotro-Circuit-Open).
Reasoning budget controller Caps Anthropic thinking.budget_tokens / OpenAI max_completion_tokens.
Streaming prompt-state cache Exact-match SSE replay on repeated prompts (redb).
Local semantic cache On-device MiniLM (candle) for paraphrases — optional, ~26ms.
MCP tool result cache TTL by category; writes invalidate reads.
Context compressor Strips unchanged MCP schemas / trees across turns.
Per-session token budget Hard cap → HTTP 429 + X-Kotro-Budget-Remaining.
WASM plugins Bring-your-own guardrails (Go / TS / Python → WASM).
OpenTelemetry OTLP traces per request.

Is Kotro the right tool for you?

Kotro is deliberately narrow: a single-binary proxy for one developer’s coding-agent traffic. It is not a team-wide multi-provider gateway.

Tool Best fit
Kotro Local security + efficiency for MCP-native agents; no third party in the request path
LiteLLM Team/org routing to 100+ providers behind one API
Portkey Heavier production guardrails / managed options
Hosted gateways Zero infra — but a third party sees 100% of traffic

That “nothing else in the path” property is structural, not a checkbox — a hosted gateway can’t offer it without changing its business model.

About the 99.3% upstream-token figure

In a published 3-turn codebase eval (benchmarks/eval-suite/RESULTS.md), billed upstream tokens dropped dramatically because request-shape stability let the provider’s prefix cache fire. Kotro’s local cache missed on those turns (new content each time). Treat 68% / make demo-savings as the honest “same day with local cache” story; treat 99.3% as an upstream-prefix interaction, not “local cache alone.”


Install details

Channel Command
1-Click (macOS/Linux) curl -sL https://raw.githubusercontent.com/kotro-labs/kotro-proxy-engine/main/scripts/install.sh | bash
Homebrew brew install kotro-labs/tap/kotro
npm npm install -g @kotro-labs/proxy-engine
Docker docker run -p 8080:8080 kotrolabs/kotro-proxy
Marketplace kotrolabs.kotro-proxy-engine
Release binary GitHub Releases
From source cargo install --path rust/kotro-proxy

Verifying releases

Release binaries are signed keylessly via cosign + SPDX SBOM:

cosign verify-blob \
  --certificate kotro-proxy-x86_64-apple-darwin.tar.gz.pem \
  --signature kotro-proxy-x86_64-apple-darwin.tar.gz.sig \
  --certificate-identity-regexp 'https://github.com/kotro-labs/kotro-proxy-engine/.*' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  kotro-proxy-x86_64-apple-darwin.tar.gz

curl | bash / Homebrew / npm do not run this check automatically — verify the GitHub Release asset when you need that guarantee.


Quick start (manual)

KOTRO_UPSTREAM_URL=https://api.openai.com kotro-proxy
# or: KOTRO_UPSTREAM_URL=https://api.anthropic.com kotro-proxy

Point the IDE/SDK at http://127.0.0.1:8080/v1. Dashboard: http://127.0.0.1:9090/dashboard.

Smoke curls

curl -N http://127.0.0.1:8080/v1/chat/completions \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $OPENAI_API_KEY" \
  -d '{"model":"gpt-4o","stream":true,"messages":[{"role":"user","content":"hello"}]}'
curl -N http://127.0.0.1:8080/v1/messages \
  -H "Content-Type: application/json" \
  -H "x-api-key: $ANTHROPIC_API_KEY" \
  -H "anthropic-version: 2023-06-01" \
  -d '{"model":"claude-3-5-sonnet-20241022","max_tokens":256,"stream":true,"messages":[{"role":"user","content":"hello"}]}'

Cache hits return X-Kotro-Cache: HIT. Hard-block injections with KOTRO_INJECTION_BLOCK=true.

Aider + local Ollama

ollama run llama3
KOTRO_UPSTREAM_URL=http://localhost:11434/v1 kotro-proxy &
export ANTHROPIC_API_KEY="dummy"
aider --model anthropic/claude-3-5-sonnet-20241022 --openai-api-base http://localhost:8080/v1

Configuration

Variable Default Purpose
KOTRO_LISTEN_ADDR :8080 Proxy bind address
KOTRO_UPSTREAM_URL http://127.0.0.1:9000 Provider base URL
KOTRO_ENABLE_CACHE true Prompt-state SSE cache
KOTRO_ENABLE_VECTOR_CACHE true On-device MiniLM layer
KOTRO_ENABLE_REDACTION true PII / secret guardrail
KOTRO_ENABLE_COMPRESSION true Context dedup
KOTRO_ENABLE_INJECTION_SCAN true MCP injection patterns
KOTRO_INJECTION_BLOCK false Hard-block → HTTP 400
KOTRO_CACHE_HIT_DELAY_MS 2 Replay pacing
KOTRO_CACHE_TTL 24h Entry lifetime (0 = no expiry)
KOTRO_EVICTION_INTERVAL 10m Expired-key sweep
KOTRO_ENABLE_METRICS true /metrics + /dashboard
KOTRO_METRICS_ADDR 127.0.0.1:9090 Telemetry bind
KOTRO_DASHBOARD_USD_PER_TOKEN 0.000015 Hero $ estimate rate
KOTRO_OTEL_ENDPOINT (empty) OTLP traces
KOTRO_WASM_PLUGINS (empty) Comma-separated .wasm paths
KOTRO_REDIS_URL (empty) Optional shared cache
KOTRO_CACHE_KEY_STRATEGY window_n latest_only | window_n | full_digest
KOTRO_CACHE_WINDOW_SIZE 4 Turns hashed for window_n
KOTRO_PROFILE (empty) cursor | copilot | continue

Cache key strategies

Strategy What is hashed Recommended for
window_n (default) System + last N turns Production agent loops
full_digest Entire conversation Strict / multi-tenant
latest_only System + latest user Legacy only — risky for multi-turn

Profiles

Profile Listen Cache strategy IDE
cursor :8080 window_n Cursor
copilot :8080 full_digest GitHub Copilot
continue :8080 window_n Continue.dev

Architecture

IDE / Agent  →  kotro-proxy (:8080)
                 ├─ injection scan · redaction · loop / budget
                 ├─ cache · compress · tool cache
                 ├─ /v1/chat/completions
                 ├─ /v1/messages
                 └─ /v1/*  (passthrough)
                        ↓
                 upstream (OpenAI, Anthropic, Ollama, mock, …)

Launch docs: Week 1 distribution · Dev.to article (cost → security) · Viral packaging notes

Cancel-storm leak audit

brew install k6
make cancel-audit

Rust (shipping target)

cd rust && cargo test && cargo run -p kotro-proxy

Architecture map: docs/RUST-ARCHITECTURE.md

The Go tree under internal/ is frozen at v0.1.0-go as a behavioral reference — not the runtime you should ship.

Benchmarks

make load-test
make eval-suite

Results: benchmarks/eval-suite/RESULTS.md. Threat model: docs/security/THREAT-MODEL.md.

Project layout

rust/kotro-proxy/    Active Rust implementation
cmd/mockupstream/    Offline OpenAI + Anthropic SSE mock
docs/launch/         Demo scripts, HN / Dev.to assets
internal/            Frozen Go reference
scripts/             install, demos, benches

License

MIT — contributions welcome.

Reviews (0)

No results found