systemprompt-security 0.9.0

Security infrastructure for systemprompt.io AI governance: JWT, OAuth2 token extraction, scope enforcement, ChaCha20-Poly1305 secret encryption, the four-layer tool-call governance pipeline, and the unified authz decision plane (deny-overrides resolver + AuthzDecisionHook) shared by gateway and MCP enforcement.
use systemprompt_extension::prelude::*;

/// Marker type for the authorization extension.
///
/// Carries no state of its own; the extension's identity, schema
/// definitions and dependencies are all supplied by its `Extension`
/// implementation. Being a unit struct it is trivially `Copy` and
/// `Default`.
#[derive(Clone, Copy, Debug, Default)]
pub struct AuthzExtension;

impl Extension for AuthzExtension {
    /// Identity reported to the extension runtime.
    ///
    /// The version is taken from this crate's `Cargo.toml` at compile time so
    /// the registered extension can never drift from the crate it ships in.
    fn metadata(&self) -> ExtensionMetadata {
        let version = env!("CARGO_PKG_VERSION");
        ExtensionMetadata {
            id: "authz",
            name: "Authorization",
            version,
        }
    }

    /// Ordering weight used when the runtime sequences schema migrations.
    ///
    /// The value is only meaningful relative to the weights of the other
    /// extensions; how the runtime orders on it (ascending or descending) is
    /// not visible here — confirm against the `Extension` trait docs.
    fn migration_weight(&self) -> u32 {
        110
    }

    /// Flags this extension as mandatory. How the runtime treats a missing
    /// required extension is decided by the caller, not here.
    fn is_required(&self) -> bool {
        true
    }

    /// Database tables this extension owns, each loaded from an SQL file
    /// embedded at compile time via `include_str!`.
    ///
    /// Every table is paired with the set of columns the enforcement code
    /// relies on — presumably checked by the runtime against the live
    /// schema (verify in `SchemaDefinition`). `access_control_rules` backs
    /// the authorization rules themselves; `governance_decisions` records
    /// the outcome, policy and reason of each tool-call decision, which is
    /// what makes the governance pipeline auditable after the fact.
    fn schemas(&self) -> Vec<SchemaDefinition> {
        let access_control_rules = SchemaDefinition::inline(
            "access_control_rules",
            include_str!("schema/access_control_rules.sql"),
        )
        .with_required_columns(
            ["id", "entity_type", "entity_id", "rule_type", "rule_value", "access"]
                .iter()
                .copied()
                .map(Into::into)
                .collect::<Vec<_>>(),
        );

        let governance_decisions = SchemaDefinition::inline(
            "governance_decisions",
            include_str!("schema/governance_decisions.sql"),
        )
        .with_required_columns(
            ["id", "user_id", "session_id", "tool_name", "decision", "policy", "reason"]
                .iter()
                .copied()
                .map(Into::into)
                .collect::<Vec<_>>(),
        );

        vec![access_control_rules, governance_decisions]
    }

    /// Extensions that must be loaded before this one.
    ///
    /// The `users` extension is required because the access-control and
    /// governance rows reference user identities owned by it.
    fn dependencies(&self) -> Vec<&'static str> {
        vec!["users"]
    }
}

// Hands `AuthzExtension` to the runtime's extension registry. The macro is
// presumably brought in by the `systemprompt_extension::prelude` glob import
// above — it is the only import in this file.
register_extension!(AuthzExtension);