Skip to content
munio

Architecture

munio is a 4-tier verification engine that checks AI agent tool calls before execution.

Pipeline Flow

Section titled “Pipeline Flow”
Agent → Action → Guard.check() → Verifier → Solver(s) → VerificationResult
                                      
                               ConstraintRegistry
                               (loaded from YAML)

Tier System

Section titled “Tier System”
TierEngineLatencyUse Case
1Python<0.01msDenylist, allowlist, regex, threshold checks
2Z3 subprocess~10msMulti-constraint satisfiability
3Z3 subprocess~50msComplex temporal/resource constraints
4Z3 (deploy-time)N/AStatic policy verification at deploy time

Tier 1 covers ~90% of real-world constraints. Z3 tiers are opt-in (pip install "munio[z3]").

Package Structure

Section titled “Package Structure”

The project is a single package with submodules:

src/munio/
├── models.py         Pydantic v2 data models
├── constraints.py    YAML loader, registry
├── solver.py         Facade: Tier 1 solver + Z3 subprocess pool
├── _matching.py      String matching logic
├── _composite.py     COMPOSITE expression evaluation
├── _z3_runtime.py    Z3 subprocess worker
├── _z3_regex.py      sre_parse → Z3 regex translator
├── _policy_verifier.py  Deploy-time policy verification
├── verifier.py       Orchestration: match → solve → aggregate
├── guard.py          High-level API: Guard class + decorators
├── server.py         HTTP API server (FastAPI)
├── cli.py            CLI interface (Typer)
├── scan/             MCP security scanner (8-layer analysis)
│   ├── layers/       L0 config, L1 schema, L2 heuristic, L2.5 ML,
│   │                 L2.6 multilingual, L3 static, L4 Z3, L5 compositional,
│   │                 L7 source
│   ├── orchestrator.py       Async scan pipeline
│   ├── config_scanner.py     Supply chain config scanning
│   ├── composition.py        Multi-server composition analysis
│   └── cli.py                CLI: munio scan/config-scan/compose
└── gate/             MCP stdio proxy
    ├── proxy.py          Async stdio proxy (JSON-RPC interception)
    ├── interceptor.py    Guard integration for tool calls
    └── cli.py            CLI: munio gate/init/status/restore/stats

Key Design Decisions

Section titled “Key Design Decisions”

Frozen Models

Section titled “Frozen Models”

All Pydantic models use ConfigDict(frozen=True, extra="forbid"). This prevents mutation after construction (TOCTOU safety) and rejects unknown fields (fail-closed).

Exception: HTTP API request models use extra="ignore" to remain forward-compatible with external callers (e.g., OpenClaw adding new fields to hook events).

Fail-Closed by Default

Section titled “Fail-Closed by Default”
  • Unmatched actions produce warnings by default (default_on_unmatched=warn); configurable to block for strict environments
  • Invalid inputs produce violations (not silent passes)
  • Z3 errors produce system violations (not allowed results)

Constraint Packs

Section titled “Constraint Packs”

Constraints are organized into packs (directories): generic/, openclaw/, fintech/, etc. Each pack can be loaded independently or combined.

Guard Preloading (Server)

Section titled “Guard Preloading (Server)”

The HTTP server preloads all constraint packs at startup. Per-request pack selection uses the preloaded set — never touches the filesystem at runtime. This prevents:

  • DoS via constraint loading (disk I/O per request)
  • Path traversal attacks via pack names
  • Silent fail-open on missing packs

Verification Modes

Section titled “Verification Modes”
ModeBehavior
ENFORCEBlock on violation (return allowed=false)
SHADOWLog violations but allow (return allowed=true)
DISABLEDSkip verification entirely

HTTP API

Section titled “HTTP API”

The server exposes a /v1/ prefixed REST API:

POST /v1/verify                      Universal verification
POST /v1/openclaw/before-tool-call   OpenClaw-native hook format
GET  /v1/health                      Health check
GET  /v1/packs                       Available constraint packs

See http-api.md for details.

Scan Architecture

Section titled “Scan Architecture”

The scanner uses 8 analysis layers (L0-L7), each progressively deeper:

LayerNameTechnique
L0ConfigSupply chain checks on MCP config files
L1SchemaJSON Schema validation (missing constraints)
L2HeuristicKeyword-based tool description analysis
L2.5ML ClassifierTrained char n-gram + structural features
L2.6Multilingual MLCross-language injection detection (188 languages)
L3StaticSemantic checks (path traversal, SSRF, SQL/cmd injection)
L4Z3 FormalZ3 constraint solving (proves schema bypass is possible)
L5CompositionalCross-tool taint flow and toxic capability chains
L7SourceServer source code analysis (planned)

Additional scan commands:

  • munio config-scan — scans MCP config files (Claude Desktop, Cursor, etc.) for supply chain security issues such as unsigned packages, HTTP transport, and overly broad permissions.
  • munio compose — analyzes multi-server MCP configurations for dangerous cross-server attack chains (e.g., read + exfiltrate). Uses a signal quality system to rank findings by confidence and reduce false positives.