systemprompt-cloud 0.2.1

Cloud API client, credentials, OAuth, and tenant management for systemprompt.io AI governance deployments. Remote sync and multi-tenant orchestration for the MCP governance pipeline.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152

use anyhow::{Context, Result};
use chrono::{DateTime, Duration, Utc};
use serde::{Deserialize, Serialize};
use std::fs;
use std::path::Path;
use systemprompt_identifiers::CloudAuthToken;
use systemprompt_logging::CliService;
use validator::Validate;

use crate::auth;
use crate::error::CloudError;

#[derive(Debug, Clone, Serialize, Deserialize, Validate)]
pub struct CloudCredentials {
    #[validate(length(min = 1, message = "API token cannot be empty"))]
    pub api_token: String,

    #[validate(url(message = "API URL must be a valid URL"))]
    pub api_url: String,

    pub authenticated_at: DateTime<Utc>,

    #[validate(email(message = "User email must be a valid email address"))]
    pub user_email: String,
}

impl CloudCredentials {
    #[must_use]
    pub fn new(api_token: String, api_url: String, user_email: String) -> Self {
        Self {
            api_token,
            api_url,
            authenticated_at: Utc::now(),
            user_email,
        }
    }

    pub fn token(&self) -> CloudAuthToken {
        CloudAuthToken::new(&self.api_token)
    }

    #[must_use]
    pub fn is_token_expired(&self) -> bool {
        auth::is_expired(&self.token())
    }

    #[must_use]
    pub fn expires_within(&self, duration: Duration) -> bool {
        auth::expires_within(&self.token(), duration)
    }

    pub fn load_and_validate_from_path(path: &Path) -> Result<Self> {
        let creds = Self::load_from_path(path)?;

        creds
            .validate()
            .map_err(|e| CloudError::CredentialsCorrupted {
                source: serde_json::Error::io(std::io::Error::new(
                    std::io::ErrorKind::InvalidData,
                    e.to_string(),
                )),
            })?;

        if creds.is_token_expired() {
            return Err(CloudError::TokenExpired.into());
        }

        if creds.expires_within(Duration::hours(1)) {
            CliService::warning(
                "Cloud token will expire soon. Consider running 'systemprompt cloud login' to \
                 refresh.",
            );
        }

        Ok(creds)
    }

    pub async fn validate_with_api(&self) -> Result<bool> {
        let client = reqwest::Client::new();

        let response = client
            .get(format!("{}/api/v1/auth/me", self.api_url))
            .header("Authorization", format!("Bearer {}", self.api_token))
            .timeout(std::time::Duration::from_secs(10))
            .send()
            .await?;

        Ok(response.status().is_success())
    }

    pub fn load_from_path(path: &Path) -> Result<Self> {
        if !path.exists() {
            return Err(CloudError::NotAuthenticated.into());
        }

        let content = fs::read_to_string(path)
            .with_context(|| format!("Failed to read {}", path.display()))?;

        let creds: Self = serde_json::from_str(&content)
            .map_err(|e| CloudError::CredentialsCorrupted { source: e })?;

        creds
            .validate()
            .map_err(|e| CloudError::CredentialsCorrupted {
                source: serde_json::Error::io(std::io::Error::new(
                    std::io::ErrorKind::InvalidData,
                    e.to_string(),
                )),
            })?;

        Ok(creds)
    }

    pub fn save_to_path(&self, path: &Path) -> Result<()> {
        self.validate()
            .map_err(|e| CloudError::CredentialsCorrupted {
                source: serde_json::Error::io(std::io::Error::new(
                    std::io::ErrorKind::InvalidData,
                    e.to_string(),
                )),
            })?;

        if let Some(dir) = path.parent() {
            fs::create_dir_all(dir)?;

            let gitignore_path = dir.join(".gitignore");
            if !gitignore_path.exists() {
                fs::write(&gitignore_path, "*\n")?;
            }
        }

        let content = serde_json::to_string_pretty(self)?;
        fs::write(path, content)?;

        #[cfg(unix)]
        {
            use std::os::unix::fs::PermissionsExt;
            let mut perms = fs::metadata(path)?.permissions();
            perms.set_mode(0o600);
            fs::set_permissions(path, perms)?;
        }

        Ok(())
    }

    pub fn delete_from_path(path: &Path) -> Result<()> {
        if path.exists() {
            fs::remove_file(path)?;
        }
        Ok(())
    }
}