Skip to main content

systemprompt_security/
lib.rs

1//! Security infrastructure for systemprompt.io.
2//!
3//! Houses the request-level authentication primitives shared by the HTTP
4//! API and the runtime layer:
5//!
6//! - JWT minting ([`jwt`]) for admin tokens and ([`session`]) for
7//!   session-scoped tokens.
8//! - Token extraction ([`extraction`]) from `Authorization` headers, MCP proxy
9//!   headers, and cookies.
10//! - Request validation ([`auth`]) that turns those tokens into a
11//!   [`systemprompt_models::execution::context::RequestContext`].
12//! - Bridge manifest signing ([`manifest_signing`]) with Ed25519 keys.
13//! - Lightweight scanner / bot detection ([`services`]).
14//! - Authorization decision plane ([`authz`]) — deny-overrides resolver,
15//!   `access_control_rules` repository, and `AuthzDecisionHook` extension
16//!   surface shared by the gateway and MCP enforcement sites.
17//!
18//! All public fallible APIs return typed errors from [`error`] — `anyhow`
19//! is not used in any public signature.
20//!
21//! # Feature flags
22//!
23//! This crate has no Cargo features; everything compiles by default.
24//!
25//! # Example
26//!
27//! ```no_run
28//! use systemprompt_models::auth::JwtAudience;
29//! use systemprompt_security::{AuthMode, AuthValidationService};
30//!
31//! # fn demo(headers: &axum::http::HeaderMap) -> systemprompt_security::AuthResult<()> {
32//! let svc = AuthValidationService::new(
33//!     "secret".to_string(),
34//!     "systemprompt.io".to_string(),
35//!     vec![JwtAudience::standard()],
36//! );
37//! let _ctx = svc.validate_request(headers, AuthMode::Required)?;
38//! # Ok(())
39//! # }
40//! ```
41
42pub mod auth;
43pub mod authz;
44pub mod error;
45pub mod extraction;
46pub mod jwt;
47pub mod manifest_signing;
48pub mod services;
49pub mod session;
50
51pub use auth::{AuthMode, AuthValidationService, HookTokenValidator, ValidatedHookClaims};
52pub use error::{
53    AuthError, AuthResult, JwtError, JwtResult, ManifestSigningError, ManifestSigningResult,
54};
55pub use extraction::{
56    CookieExtractionError, CookieExtractor, ExtractionMethod, HeaderExtractor,
57    HeaderInjectionError, HeaderInjector, TokenExtractionError, TokenExtractor,
58};
59pub use jwt::{AdminTokenParams, JwtService};
60pub use services::ScannerDetector;
61pub use session::{SessionGenerator, SessionParams, ValidatedSessionClaims};