systemprompt-security 0.9.0

Security infrastructure for systemprompt.io AI governance: JWT, OAuth2 token extraction, scope enforcement, ChaCha20-Poly1305 secret encryption, the four-layer tool-call governance pipeline, and the unified authz decision plane (deny-overrides resolver + AuthzDecisionHook) shared by gateway and MCP enforcement.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44

//! Typed error surface for the authz crate.

use systemprompt_models::domain_error;
use thiserror::Error;

domain_error! {
    pub enum AuthzError {
        common: [repository, validation],

        #[error("invalid rule_type: {0}")]
        InvalidRuleType(String),

        #[error("invalid access value: {0}")]
        InvalidAccess(String),

        #[error("authz hook transport: {0}")]
        Hook(#[from] reqwest::Error),

        #[error("authz bootstrap: {0}")]
        Bootstrap(#[from] AuthzBootstrapError),
    }
}

impl From<sqlx::Error> for AuthzError {
    fn from(err: sqlx::Error) -> Self {
        Self::Repository(systemprompt_database::RepositoryError::from(err))
    }
}

pub type AuthzResult<T> = Result<T, AuthzError>;

#[derive(Debug, Clone, Copy, Error)]
pub enum AuthzBootstrapError {
    #[error(
        "governance.authz.hook.mode = webhook but `url` is missing or blank — refusing to start"
    )]
    MissingWebhookUrl,

    #[error(
        "governance.authz.hook.mode = unrestricted requires `acknowledgement` field equal to the \
         literal: {expected:?}"
    )]
    MissingUnrestrictedAcknowledgement { expected: &'static str },
}