systemprompt-sync 0.15.0

Cloud sync services for systemprompt.io AI governance infrastructure. File, database, and crate deployment across governance tenants in the MCP governance pipeline.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133

//! Bootstrap job that projects the access-control baseline into the database:
//! the YAML grants at `access-control/config.yaml` plus the marketplace-access
//! grants declared in the services config.
//!
//! Mirrors [`super::ContentSyncJob`] but with a fixed direction
//! (config → DB). Disabled by default; operators wire it in via
//! `scheduler_config.bootstrap_jobs` so it runs once at startup.

use std::path::PathBuf;
use std::sync::Arc;

use async_trait::async_trait;
use systemprompt_database::{Database, DbPool};
use systemprompt_models::AppPaths;
use systemprompt_security::authz::{AccessControlIngestionService, IngestOptions};
use systemprompt_traits::{Job, JobContext, JobResult, ProviderError, ProviderResult};

use crate::local::AccessControlLocalSync;

const DEFAULT_YAML_RELATIVE: &str = "access-control/config.yaml";

#[derive(Debug, Clone, Copy)]
pub struct AccessControlSyncJob;

#[async_trait]
impl Job for AccessControlSyncJob {
    fn name(&self) -> &'static str {
        "access_control_sync"
    }

    fn description(&self) -> &'static str {
        "Project services/access-control YAML into access_control_rules"
    }

    fn schedule(&self) -> &'static str {
        ""
    }

    fn tags(&self) -> Vec<&'static str> {
        vec!["access-control", "sync", "bootstrap"]
    }

    fn enabled(&self) -> bool {
        false
    }

    async fn execute(&self, ctx: &JobContext) -> ProviderResult<JobResult> {
        let start = std::time::Instant::now();

        let db_pool: &DbPool = ctx.db_pool::<DbPool>().ok_or_else(|| {
            ProviderError::Configuration("DbPool not available in job context".into())
        })?;

        let paths = ctx
            .app_paths::<Arc<AppPaths>>()
            .ok_or_else(|| {
                ProviderError::Configuration("AppPaths not available in job context".into())
            })?
            .as_ref();

        let yaml_path = resolve_yaml_path(ctx, paths.system().services());
        let override_existing = bool_param(ctx, "override_existing", true);
        let delete_orphans = bool_param(ctx, "delete_orphans", true);

        tracing::info!(
            yaml_path = %yaml_path.display(),
            override_existing,
            delete_orphans,
            "access_control_sync job started",
        );

        let sync = AccessControlLocalSync::new(Arc::<Database>::clone(db_pool), yaml_path);
        let acl = sync
            .sync_to_db(override_existing, delete_orphans)
            .await
            .map_err(|e| ProviderError::RenderFailed(e.to_string()))?;

        let services = systemprompt_loader::ConfigLoader::load().map_err(|e| {
            ProviderError::Configuration(format!("Failed to load services config: {e}"))
        })?;
        let svc = AccessControlIngestionService::new(db_pool)
            .map_err(|e| ProviderError::Configuration(e.to_string()))?;
        let mkt = svc
            .ingest_marketplace_access(
                &services.marketplaces,
                IngestOptions {
                    override_existing,
                    delete_orphans,
                },
            )
            .await
            .map_err(|e| ProviderError::RenderFailed(e.to_string()))?;

        let items_synced = acl.items_synced + mkt.inserted + mkt.updated;
        let items_skipped = acl.items_skipped + mkt.skipped;
        let items_deleted = acl.items_deleted + mkt.deleted;

        let duration_ms = u64::try_from(start.elapsed().as_millis()).unwrap_or(u64::MAX);
        tracing::info!(
            items_synced,
            items_skipped,
            items_deleted,
            duration_ms,
            "access_control_sync job completed",
        );

        Ok(JobResult::success()
            .with_stats(items_synced as u64, acl.errors.len() as u64)
            .with_duration(duration_ms))
    }
}

fn resolve_yaml_path(ctx: &JobContext, services_path: &std::path::Path) -> PathBuf {
    ctx.parameters().get("yaml_path").map_or_else(
        || services_path.join(DEFAULT_YAML_RELATIVE),
        |raw| {
            let p = std::path::Path::new(raw);
            if p.is_absolute() {
                p.to_path_buf()
            } else {
                services_path.join(p)
            }
        },
    )
}

fn bool_param(ctx: &JobContext, key: &str, default: bool) -> bool {
    ctx.parameters().get(key).map_or(default, |v| {
        matches!(v.as_str(), "true" | "1" | "yes" | "TRUE" | "True")
    })
}

systemprompt_provider_contracts::submit_job!(&AccessControlSyncJob);