systemprompt-oauth 0.14.6

OAuth 2.0 / OIDC with PKCE, token introspection, and audience/issuer validation for systemprompt.io AI governance infrastructure. WebAuthn and JWT auth for the MCP governance pipeline.
//! At-rest hashing for OAuth identifiers (refresh-token ids, authorisation
//! codes). The pepper is resolved once per call from the process-wide
//! [`systemprompt_config::SecretsBootstrap`] and combined with the value via
//! HMAC-SHA-256; the lowercase-hex digest is what hits the database.

use crate::error::{OauthError, OauthResult};

/// Derives the at-rest form of an OAuth identifier, so the raw `value` is
/// not what gets persisted.
///
/// The pepper is fetched from
/// `systemprompt_config::SecretsBootstrap::oauth_at_rest_pepper()` on every
/// call. Its bytes and the bytes of `value` are handed to
/// `systemprompt_security::hmac_sha256_hex`, whose string result is returned
/// unchanged.
///
/// # Errors
///
/// Returns `OauthError::Internal` when the pepper lookup fails. No digest is
/// produced in that case, so there is no unpeppered fallback.
pub(super) fn hash_at_rest(value: &str) -> OauthResult<String> {
    let pepper_lookup = systemprompt_config::SecretsBootstrap::oauth_at_rest_pepper();

    // NOTE(review): the lookup error is interpolated into the message; confirm
    // it never carries secret material and that `Internal` errors are not
    // echoed back to OAuth clients.
    let secret = pepper_lookup.map_err(|e| {
        let detail = format!("oauth_at_rest_pepper unavailable: {e}");
        OauthError::Internal(detail)
    })?;

    // Presumably (key, message) order, i.e. the pepper is the HMAC key; verify
    // against the `hmac_sha256_hex` signature.
    let key_bytes = secret.as_bytes();
    let message_bytes = value.as_bytes();
    let digest = systemprompt_security::hmac_sha256_hex(key_bytes, message_bytes);

    Ok(digest)
}