systemprompt-cli 0.14.4

Unified CLI for systemprompt.io AI governance: agent orchestration, MCP governance, analytics, profiles, cloud deploy, and self-hosted operations.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90

use std::collections::BTreeSet;

use anyhow::{Result, anyhow};
use systemprompt_runtime::AppContext;
use systemprompt_security::authz::repository::AccessControlRepository;
use systemprompt_security::authz::types::EntityKind;

use super::LintArgs;
use crate::CliConfig;

const ALL_KINDS: &[EntityKind] = &[
    EntityKind::GatewayRoute,
    EntityKind::McpServer,
    EntityKind::Plugin,
    EntityKind::Agent,
    EntityKind::Marketplace,
    EntityKind::Skill,
    EntityKind::Hook,
];

/// Iterate every `EntityKind` and report:
///
/// * **Unknown entities** — rows in `access_control_rules` whose `(entity_type,
///   entity_id)` has no matching catalog row. The FK added in migration 007
///   makes this impossible going forward, but the check is cheap and catches
///   manual SQL fixes that bypass the schema.
/// * **Unreachable entities** — catalog rows with `default_included = false`
///   and zero matching grants. The entity is registered but no one can reach
///   it.
pub(super) async fn run(_args: LintArgs, _config: &CliConfig) -> Result<(String, bool)> {
    let ctx = AppContext::new().await?;
    let repo =
        AccessControlRepository::new(ctx.db_pool()).map_err(|e| anyhow!("acquire repo: {e}"))?;

    let mut report = String::new();
    let mut unknown_total = 0usize;
    let mut unreachable_total = 0usize;

    for kind in ALL_KINDS {
        let catalog = repo
            .list_entities(*kind)
            .await
            .map_err(|e| anyhow!("list_entities({kind}): {e}"))?;
        let catalog_ids: BTreeSet<String> = catalog.iter().map(|e| e.id.clone()).collect();

        let rule_rows = repo
            .list_role_rules_for_export()
            .await
            .map_err(|e| anyhow!("list rules: {e}"))?;
        let rule_ids: BTreeSet<String> = rule_rows
            .iter()
            .filter(|r| r.entity_type == kind.as_str())
            .map(|r| r.entity_id.clone())
            .collect();

        let unknown: Vec<&String> = rule_ids.difference(&catalog_ids).collect();
        let unreachable: Vec<&str> = catalog
            .iter()
            .filter(|e| !e.default_included && !rule_ids.contains(&e.id))
            .map(|e| e.id.as_str())
            .collect();

        if !unknown.is_empty() || !unreachable.is_empty() {
            report.push_str(&format!("\n[{kind}]\n"));
            for id in &unknown {
                report.push_str(&format!(
                    "  UNKNOWN  {id} (rule rows present, no catalog row)\n"
                ));
            }
            for id in &unreachable {
                report.push_str(&format!(
                    "  UNREACHABLE  {id} (catalog row present, default_included=false, no \
                     grants)\n"
                ));
            }
            unknown_total += unknown.len();
            unreachable_total += unreachable.len();
        }
    }

    if unknown_total == 0 && unreachable_total == 0 {
        Ok(("OK — no access-control findings\n".to_owned(), false))
    } else {
        report.insert_str(
            0,
            &format!("FAIL — {unknown_total} unknown, {unreachable_total} unreachable\n"),
        );
        Ok((report, true))
    }
}