systemprompt-security 0.15.2

Security infrastructure for systemprompt.io AI governance: JWT, OAuth2 token extraction, scope enforcement, ChaCha20-Poly1305 secret encryption, the four-layer tool-call governance pipeline, and the unified authz decision plane (deny-overrides resolver + AuthzDecisionHook) shared by gateway and MCP enforcement.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31

use serde::{Deserialize, Serialize};
use systemprompt_identifiers::RuleId;

use super::kinds::{Access, EntityKind, RuleType};

#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize, sqlx::FromRow)]
pub struct AccessRule {
    pub id: RuleId,
    pub rule_type: RuleType,
    pub rule_value: String,
    pub access: Access,
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub justification: Option<String>,
}

/// One row from `access_control_entities`.
///
/// The `source` provenance string identifies which loader pass first
/// registered the entity: `"profile:<name>"`, `"roles.yaml"`, or
/// `"bootstrap:*"` for rows promoted from older schemas by a migration.
///
/// A `None` lookup result means the entity is unknown to access control and
/// the resolver returns [`super::decision::DenyReason::UnknownEntity`] rather
/// than the generic `NotAssigned`.
#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
pub struct EntityRow {
    pub kind: EntityKind,
    pub id: String,
    pub default_included: bool,
    pub source: String,
}