Security
TDP implements defense in depth -- every layer independently verifies access. HMAC authentication, command filtering, security profiles, Active Directory integration, and manifest signing work together so that compromising one layer does not compromise the system.
Six layers of protection
Each layer operates independently. An attacker must defeat all six to execute an unauthorized tool call.
HMAC-SHA256 Auth: Every connection cryptographically verified
Command Filter: Blocks destructive shell commands before execution
Security Profiles: Read-only, no-network, strict enforcement modes
AD Group Enforcement: Active Directory group membership verification
Manifest Signing: Only trusted server broadcasts are accepted
Per-Agent Permissions: Each agent gets its own secret and tool access
HMAC-SHA256 Authentication
Every agent must prove its identity before accessing any tool. Per-agent secrets mean compromising one agent does not compromise others.
256-bit secrets: Cryptographically random, per-agent
Challenge-response: Secrets never cross the wire
Env var required: TDP_SECRET must be set or server exits
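The challenge-response exchange described above, as an added example that is not TDP's own code. The message layout (length-prefixed agent id followed by the nonce) and the names `ChallengeVerifier` and `sign_challenge` are assumptions; the page does not specify the wire format.

```python
import hashlib
import hmac
import secrets


class ChallengeVerifier:
    """Server side: issues single-use nonces and verifies HMAC-SHA256 responses."""

    def __init__(self, agent_secrets):
        # agent_id -> 32-byte secret, one per agent (assumed storage layout)
        self._secrets = dict(agent_secrets)
        self._pending = {}  # agent_id -> outstanding nonce

    def issue_challenge(self, agent_id):
        nonce = secrets.token_bytes(32)
        self._pending[agent_id] = nonce
        return nonce

    def verify(self, agent_id, response):
        # pop() makes each nonce single-use, so a captured response cannot be replayed
        nonce = self._pending.pop(agent_id, None)
        secret = self._secrets.get(agent_id)
        if nonce is None or secret is None:
            return False  # fail closed: unknown agent or no outstanding challenge
        expected = sign_challenge(secret, agent_id, nonce)
        return hmac.compare_digest(expected, response)  # constant-time comparison


def sign_challenge(secret, agent_id, nonce):
    """Agent side: prove knowledge of the secret without sending it."""
    # Assumed layout: binding the agent id into the MAC ties a response to one identity.
    aid = agent_id.encode()
    msg = len(aid).to_bytes(2, "big") + aid + nonce
    return hmac.new(secret, msg, hashlib.sha256).digest()


def demo():
    # Constructed sample secrets (256-bit, random), not real TDP keys.
    keys = {"agent-a": secrets.token_bytes(32), "agent-b": secrets.token_bytes(32)}
    server = ChallengeVerifier(keys)
    nonce = server.issue_challenge("agent-a")
    good = sign_challenge(keys["agent-a"], "agent-a", nonce)
    results = {"valid": server.verify("agent-a", good)}
    results["replay"] = server.verify("agent-a", good)  # nonce already consumed
    nonce = server.issue_challenge("agent-a")
    other = sign_challenge(keys["agent-b"], "agent-a", nonce)  # another agent's secret
    results["wrong_secret"] = server.verify("agent-a", other)
    results["unknown_agent"] = server.verify("agent-x", good)
    return results
```

Only the nonce and the 32-byte MAC are exchanged; the per-agent secret stays on each side, and a response computed with a different agent's secret is rejected.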
Command Filter
A pre-tool-use hook that intercepts destructive commands across Bash, PowerShell, Shell, Terminal, Cmd, and MCP tool calls. Every blocked command is logged for audit.
Blocked patterns include:
Security Profiles
Four enforcement modes that classify every tool call as read, write, or network. Switch profiles without restarting servers.
| Profile | Read | Write | Network |
|---|---|---|---|
| read-write | Allowed | Allowed | Allowed |
| read-only | Allowed | Blocked | Allowed |
| no-network | Allowed | Allowed | Blocked |
| strict | Allowed | Blocked | Blocked |
Active Directory Group Enforcement
Server-level AD group verification before any tool executes. Prevents VM bypass attacks -- even with a valid HMAC key, users without the right AD group are denied.
Per-profile AD groups
read-write -- TDP-Users
read-only -- TDP-ReadOnly
strict -- TDP-Users
admin -- TDP-Admins
Design principles
Fail-closed: AD unreachable = denied
5-minute group cache (no AD hammering)
pywin32 native + LDAP3 cross-platform
Runs after HMAC (defense in depth)
Manifest Signing
Server broadcasts are signed with HMAC. Callers can be configured to only accept signed manifests, filtering out rogue servers on the network.
VM Bypass Prevention
Even if an attacker spins up a VM and connects directly over TCP, multiple layers block unauthorized access. HMAC alone is not enough -- AD group enforcement catches leaked keys.
Defense in depth means no single layer is a single point of failure. HMAC stops unknown agents. AD stops unauthorized users. Command filter stops destructive operations. Security profiles restrict tool categories. Manifest signing stops rogue servers. All six layers operate independently.
Built for teams that take security seriously
TDP gives AI agents access to tools without giving up control. Every connection is verified. Every command is filtered. Every action is logged.