systemprompt-api 0.13.0

Axum-based HTTP server and API gateway for systemprompt.io AI governance infrastructure. Exposes governed agents, MCP, A2A, and admin endpoints with rate limiting and RBAC.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57

//! JTI revocation gate for the JWT context extractor.
//!
//! Runs as the final stateful check after a token's claims, its backing user,
//! and the session row have all validated. It answers the one question
//! signature validation cannot: has this specific token been explicitly
//! revoked (logout, admin revoke, refresh rotation)? A negative result is
//! cached so the hot path costs one map lookup. Fails closed — a revocation
//! store error rejects the request rather than admitting an unverifiable token.

use std::sync::Arc;
use systemprompt_database::DbPool;
use systemprompt_models::execution::context::ContextExtractionError;
use systemprompt_oauth::OauthResult;
use systemprompt_oauth::repository::{JtiRevocationCache, OAuthRepository};

#[derive(Clone)]
pub struct JtiRevocationChecker {
    repo: Arc<OAuthRepository>,
    cache: Arc<JtiRevocationCache>,
}

impl std::fmt::Debug for JtiRevocationChecker {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        f.debug_struct("JtiRevocationChecker")
            .finish_non_exhaustive()
    }
}

impl JtiRevocationChecker {
    pub fn from_pool(db: &DbPool) -> OauthResult<Self> {
        Ok(Self {
            repo: Arc::new(OAuthRepository::new(db)?),
            cache: Arc::new(JtiRevocationCache::new()),
        })
    }

    pub async fn ensure_not_revoked(&self, jti: &str) -> Result<(), ContextExtractionError> {
        if jti.is_empty() {
            return Ok(());
        }
        match self.cache.peek(jti) {
            Some(true) => return Err(ContextExtractionError::Revoked),
            Some(false) => return Ok(()),
            None => {},
        }

        let revoked = self.repo.is_jti_revoked(jti).await.map_err(|e| {
            ContextExtractionError::DatabaseError(format!("JTI revocation lookup failed: {e}"))
        })?;
        self.cache.record(jti, revoked);
        if revoked {
            Err(ContextExtractionError::Revoked)
        } else {
            Ok(())
        }
    }
}