systemprompt
The governance engine behind AI infrastructure you actually own. One Rust binary, one PostgreSQL, every agent and tool call through one audited path. This is the facade crate: it re-exports the systemprompt-core workspace behind feature flags.
Website · Documentation · Evaluation template · Discord
This README mirrors the systemprompt-core root README and is published to docs.rs.
systempromptre-exports the workspace crates behind feature flags; the full project documentation lives in thedocumentation/directory.
Why this exists
Most teams govern AI one of two ways. They rent a dashboard, and someone else's infrastructure holds their prompts, their keys, and their audit trail. Or they build it themselves, and eighteen months later they are maintaining a distributed system instead of shipping.
This is the third option. systemprompt-core compiles to a single Rust binary you run on your own infrastructure, backed by the only state it has: a PostgreSQL database you own. Every agent, MCP tool call, and inference request passes through one authenticated, authorized, audited path: a synchronous in-process pipeline under 5 ms, writing an 18-column audit row for every decision. Credentials live in a ChaCha20-Poly1305 store and are injected only into tool child processes, never into the LLM context.
Zero outbound telemetry by default. Air-gap capable. Built for SOC 2 Type II, ISO 27001, HIPAA, and the OWASP Agentic Top 10.
Live capture: an agent tries to pass a GitHub PAT through a tool argument and is denied before the tool process spawns. Evaluating? Start with the MIT-licensed systemprompt-template: 43 scripted demos run every claim on your laptop.
Capabilities
Six surfaces, one binary, one authenticated and audited path.
| Capability | What it provides |
|---|---|
| A2A agents | A standalone agent server speaking the agent-to-agent JSON-RPC protocol, with SSE streaming and .well-known discovery. Agents you host, not seats you rent. |
| MCP servers | Model Context Protocol servers hosted natively over streamable HTTP. Each is an isolated OAuth2 resource server with scoped tools and its own access log. |
| OAuth2 / OIDC | A built-in authorization server: OIDC discovery, PKCE (S256), WebAuthn, RS256 JWTs. No external identity dependency required to run. |
| Provider gateway | A /v1 proxy (POST /v1/messages, GET /v1/models) that routes model patterns to any configured upstream. Swap providers without touching clients. |
| Extensions | Compile-time Extension implementations registered with the inventory crate. Your code becomes part of your binary; no runtime plugin loading, nothing injected you didn't compile. |
| Governance | Fail-closed (default-deny) authorization, secret detection, rate limiting, and structured audit logging correlated by trace_id. Every deny reason is a queryable row. |
Use as a library
[]
= { = "0.21.1", = ["full"] }
use *;
| Feature | Includes |
|---|---|
core (default) |
traits, models, identifiers, extension |
database |
PostgreSQL abstraction (DbPool) |
api |
HTTP server and AppContext (requires core + database) |
cli |
CLI entry point |
full |
Everything: all domain modules + CLI |
slack |
Slack integration (opt-in; not included in full) |
teams |
Microsoft Teams integration (opt-in; not included in full) |
The full per-feature matrix, including the finer-grained flags (config, mcp, events, security, runtime, and the rest), is on the docs.rs crate root.
Requirements
- Rust 1.94+ (the workspace is edition 2024).
- PostgreSQL 18+.
justto run the build recipes.
Quickstart (building from source)
# Generate a profile + secrets, provision the database, and migrate
# Start the API server (binds 127.0.0.1:8080 by default)
Confirm it is serving:
The full walkthrough is in documentation/getting-started.md.
Performance
Governance overhead benchmarked at 3,308 req/s burst with p99 latency of 22.7 ms: under 1% of AI response time. Reproduce it yourself with just benchmark in the evaluation template.
License
Business Source License 1.1 (BSL-1.1). Source-available for evaluation, testing, and non-production use; production use requires a commercial license. Each version converts to Apache-2.0 four years after its publication. You will always be able to read, audit, and eventually own this code. See LICENSE. Licensing enquiries: ed@systemprompt.io.
Security
Report vulnerabilities to ed@systemprompt.io, not via public issues. See SECURITY.md.
systemprompt.io · Documentation · Guides · Live Demo · Template · crates.io · docs.rs · Discord
Rent your control plane and you rent your audit trail. This one compiles.