systemprompt-cli 0.14.3

Unified CLI for systemprompt.io AI governance: agent orchestration, MCP governance, analytics, profiles, cloud deploy, and self-hosted operations.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132

//! Typed section builders for the generated setup profile.
//!
//! Split out so [`super::profile::build`] reads as a thin orchestration over
//! well-named sections. Each builder returns a fully-typed profile struct; the
//! gateway and governance sections give `admin setup` a complete, bootable
//! profile rather than the empty shell it produced before.

use std::path::Path;

use systemprompt_cloud::ProjectContext;
use systemprompt_identifiers::ProviderId;
use systemprompt_loader::ExtensionLoader;
use systemprompt_models::auth::JwtAudience;
use systemprompt_models::profile::{
    AuthzConfig, AuthzHookConfig, AuthzMode, GatewayConfigSpec, GatewayState, GovernanceConfig,
    ProviderRegistry, default_resource_audiences,
};
use systemprompt_models::{
    ContentNegotiationConfig, Environment, LogLevel, OutputFormat, PathsConfig, RuntimeConfig,
    SecurityConfig, SecurityHeadersConfig, ServerConfig,
};

use super::catalog;
use super::secrets::SecretsData;

pub(super) fn server(is_prod: bool) -> ServerConfig {
    ServerConfig {
        host: if is_prod {
            "0.0.0.0".to_owned()
        } else {
            "127.0.0.1".to_owned()
        },
        port: 8080,
        api_server_url: "http://localhost:8080".to_owned(),
        api_internal_url: "http://localhost:8080".to_owned(),
        api_external_url: "http://localhost:8080".to_owned(),
        use_https: is_prod,
        cors_allowed_origins: vec![
            "http://localhost:8080".to_owned(),
            "http://localhost:5173".to_owned(),
            "http://127.0.0.1:8080".to_owned(),
        ],
        content_negotiation: ContentNegotiationConfig::default(),
        security_headers: SecurityHeadersConfig::default(),
        instance_id: None,
        max_concurrent_streams: systemprompt_models::config::DEFAULT_MAX_CONCURRENT_STREAMS,
        trusted_proxies: Vec::new(),
    }
}

pub(super) fn paths(
    project_root: &Path,
    bin_path: Option<&Path>,
    ctx: &ProjectContext,
) -> PathsConfig {
    PathsConfig {
        system: project_root.to_string_lossy().to_string(),
        services: project_root.join("services").to_string_lossy().to_string(),
        bin: bin_path.map_or_else(
            || {
                ExtensionLoader::resolve_bin_directory(project_root, None)
                    .to_string_lossy()
                    .to_string()
            },
            |p| p.to_string_lossy().to_string(),
        ),
        storage: Some(ctx.storage_dir().to_string_lossy().to_string()),
        geoip_database: None,
        web_path: None,
    }
}

pub(super) fn security(env_name: &str) -> SecurityConfig {
    SecurityConfig {
        issuer: format!("systemprompt-{}", env_name),
        access_token_expiration: 2_592_000,
        refresh_token_expiration: 15_552_000,
        audiences: vec![
            JwtAudience::Web,
            JwtAudience::Api,
            JwtAudience::A2a,
            JwtAudience::Mcp,
        ],
        allowed_resource_audiences: default_resource_audiences(),
        allow_registration: true,
        signing_key_path: std::path::PathBuf::from("signing_key.pem"),
        trusted_issuers: Vec::new(),
    }
}

pub(super) const fn runtime(environment: Environment, is_prod: bool) -> RuntimeConfig {
    RuntimeConfig {
        environment,
        log_level: if is_prod {
            LogLevel::Normal
        } else {
            LogLevel::Verbose
        },
        output_format: OutputFormat::Text,
        no_color: false,
        non_interactive: is_prod,
    }
}

pub(super) fn providers(secrets: &SecretsData) -> ProviderRegistry {
    catalog::build_registry(secrets)
}

pub(super) fn gateway(
    secrets: &SecretsData,
    default_provider: Option<&ProviderId>,
) -> GatewayState {
    GatewayState::Spec(GatewayConfigSpec {
        enabled: true,
        routes: catalog::build_routes(secrets),
        default_provider: default_provider.cloned(),
        ..GatewayConfigSpec::default()
    })
}

pub(super) fn governance(api_internal_url: &str) -> GovernanceConfig {
    GovernanceConfig {
        authz: Some(AuthzConfig {
            hook: AuthzHookConfig {
                mode: AuthzMode::Webhook,
                url: Some(format!("{}/api/public/govern/authz", api_internal_url)),
                timeout_ms: 500,
                acknowledgement: None,
            },
        }),
    }
}