Skip to main content

Crate systemprompt

Crate systemprompt 

Source
Expand description
systemprompt.io

§Run your AI agent fleet on your own infrastructure, with your own choice of inference.

systemprompt-core is the Rust library that compiles into a single ~50 MB binary. Install it, point Claude for Work, Claude Code, any Anthropic-SDK client, or any MCP host at it, and every request lands on a host you operate — on your network, in your air-gap, under your audit table. Pick the upstream per model pattern: Anthropic, OpenAI, Gemini, Moonshot (Kimi), Qwen, MiniMax, or a custom provider you register yourself via the inventory crate. One YAML block swaps it.

Every tool call authenticated, scoped, secret-scanned, rate-limited, and audited. Compile-time plugin model, compile-time verified SQL, zero-raw-String IDs. BSL-1.1 source-available; Apache 2.0 after four years.

Governance benchmark: 3,308 req/s

Crates.io Docs.rs License: BSL-1.1 Rust 1.75+ PostgreSQL 18+ Template Discord

Website · Documentation · Guides · Live Demo · Template · Discord

Building with this? ⭐ Star the repo — helps other Rust developers find it.

  • Embed itsystemprompt = { version = "0.9.0", features = ["full"] } in Cargo.toml, then jump to Extensions (technical) for the compile-time plugin model.
  • Evaluate it running — clone systemprompt-template for a turnkey demo. just build && just setup-local <key> && just start runs 40+ scripted demos against the live binary.
What's new
  • 0.5.0AppPaths singleton removed (now threaded via AppContext); shared/models stripped of all I/O (bootstrap and profile-catalog loading moved to systemprompt-config); typed OauthError, FilesError, McpDomainError, AgentError enums at every domain boundary. See CHANGELOG.md.
  • 0.4.x — independent ed25519 manifest signing key, RFC 8785 (JCS) canonical JSON for signatures, distinct JwtAudience::Bridge, tenant-scoped plugin file route, structured SyncSummary / ValidationReport returns.
  • 0.3.x — typed error enums via thiserror across the workspace, tracing in library code.
  • 0.2.x — workspace published to crates.io as 30 systemprompt-* crates.

The bin/bridge binary tracks an independent semver — see bin/bridge/README.md and bin/bridge/CHANGELOG.md.

§Capabilities

Every tool call governed. Synchronous evaluation before execution, not after. Four layers of enforcement in the request path: scope check → secret detection → blocklist → rate limit. Deny reasons are structured and auditable. Single-digit milliseconds overhead. No sidecar. No proxy. Compliance that survives an audit: SOC 2 Type II, ISO 27001, HIPAA, OWASP Top 10 for Agentic Applications.

Secrets never touch inference — the agent calls the tool, the MCP service injects the credential server-side, the LLM never sees it. Secrets-at-rest are protected via the customer’s envelope-encryption infrastructure (KMS / Vault / sops) — the binary sees plaintext only after the customer’s tooling opens the envelope, so the master key never enters the binary. Every tool call produces a five-point audit trace: Identity → Agent Context → Permissions → Tool Execution → Result. Everything linked by trace_id. Structured JSON events for Splunk, ELK, Datadog, Sumo Logic. Cost tracking in microdollars by model, agent, and department.

Where in the code

ConcernFile
Scope / RBAC middlewarecrates/domain/mcp/src/middleware/rbac.rs
Secret detection / scannercrates/infra/security/src/services/scanner.rs
Blocklist rulescrates/infra/security/src/services/
Rate limit middleware (tower_governor)crates/infra/security/src/
Audit queriescrates/infra/logging/src/trace/audit_queries.rs
Event broadcasterscrates/infra/events/src/services/broadcaster.rs
Secrets bootstrap (customer envelope encryption: KMS / Vault / sops)crates/shared/models/src/secrets_bootstrap.rs
Typed IDs (TraceId, ContextId, TaskId …)crates/shared/identifiers/src/lib.rs

MCP (crates/domain/mcp) is implemented natively — not proxied. Per-server OAuth2, scoped tool exposure, central registry with health monitoring, end-to-end access logs. Works with Claude Code, Claude Desktop, ChatGPT, Cursor, and any other MCP-compatible client.

{
  "mcpServers": {
    "my-server": {
      "url": "https://my-tenant.systemprompt.io/api/v1/mcp/my-server/mcp",
      "transport": "streamable-http"
    }
  }
}

Agent-to-Agent (crates/domain/agent) ships a standalone A2A server with streaming, a JSON-RPC protocol model, and .well-known discovery endpoints.

Discovery API

EndpointDescription
/.well-known/agent-card.jsonDefault agent card
/.well-known/agent-cardsList all available agents
/.well-known/agent-cards/{name}Specific agent card
/api/v1/agents/registryFull agent registry with status
/api/v1/mcp/registryAll MCP servers with endpoints

§Quick Start

Evaluation path — you get 40+ runnable demos:

gh repo create my-eval --template systempromptio/systemprompt-template --clone
cd my-eval
just build
just setup-local <anthropic-or-openai-or-gemini-key>
just start

Open http://localhost:8080, point Claude Code / Claude Desktop at it, and walk through demo/. Prerequisites: Rust 1.75+, just, Docker, jq, yq, ports 8080 and 5432 free.

Library path — add the facade to your own Rust workspace:

[dependencies]
systemprompt = { version = "0.9.0", features = ["full"] }

See Extensions (technical) for the compile-time plugin model.

Infrastructure

One binary. One database. Deploys anywhere. The same surface local and remote. Config-as-code: agents, MCP servers, skills, AI providers, content, scheduler jobs, and web theme all live as YAML or Markdown under services/. Built on open standards: MCP (Model Context Protocol), A2A (Agent-to-Agent), OAuth2/OIDC with PKCE, WebAuthn.

Where in the code

ConcernFile
Bootstrap sequenceProfileBootstrap → SecretsBootstrap → CredentialsBootstrap → Config → AppContext
AppContext wiringcrates/app/runtime/src/context.rs · builder.rs
Provider traits (LlmProvider, ToolProvider, …)crates/shared/provider-contracts/src/lib.rs
CLI entry point (8 domains)crates/entry/cli/src/commands/

One binary, eight domains. Every command is discoverable — systemprompt <domain> --help works everywhere.

DomainSourcePurpose
corecrates/entry/cli/src/commands/core/Skills, content, files, contexts, plugins, hooks, artifacts
infracrates/entry/cli/src/commands/infrastructure/Services, database, jobs, logs
admincrates/entry/cli/src/commands/admin/Users, agents, config, setup, session, rate limits
cloudcrates/entry/cli/src/commands/cloud/Auth, deploy, sync, secrets, tenant, domain
analyticscrates/entry/cli/src/commands/analytics/Overview, conversations, agents, tools, requests, sessions, content, traffic, costs
webcrates/entry/cli/src/commands/web/Content types, templates, assets, sitemap, validate
pluginscrates/entry/cli/src/commands/plugins/Extensions, MCP servers, capabilities
buildcrates/entry/cli/src/commands/build/Build core workspace and MCP extensions
Integrations

Provider-agnostic. Protocol-native. Fully extensible. Provider-agnostic by trait, not by adapter — swap Anthropic / OpenAI / Gemini at the profile level.

Architecture

A 30-crate Rust workspace that compiles into a single ~50 MB binary. Dependencies flow downward only — no circular references.

┌─────────────────────────────────────────────────────────────────────┐
│  ENTRY      api · cli                                               │
├─────────────────────────────────────────────────────────────────────┤
│  APP        runtime · scheduler · generator · sync                  │
├─────────────────────────────────────────────────────────────────────┤
│  DOMAIN     agent · ai · analytics · content · files · mcp ·        │
│             oauth · templates · users                               │
├─────────────────────────────────────────────────────────────────────┤
│  INFRA      cloud · config · database · events · loader ·           │
│             logging · security                                      │
├─────────────────────────────────────────────────────────────────────┤
│  SHARED     identifiers · provider-contracts · traits ·             │
│             extension · models · client · template-provider        │
└─────────────────────────────────────────────────────────────────────┘

All 30 crates publish on crates.io at matching workspace versions. Domain crates communicate via traits and the event bus, not direct dependencies. Database-touching crates ship a per-crate .sqlx/ query cache (committed) so downstream consumers compile offline.

Extensions (technical)

Extensions are discovered at compile time via the inventory crate — no runtime plugin loading, no dlopen. Your code compiles straight into your binary. Typed traits cover the full surface:

TraitFilePurpose
Extensioncrates/shared/extension/src/traits.rsIdentity, version, dependency metadata
SchemaExtensionTypedcrates/shared/extension/src/typed/schema.rsDDL + migrations via include_str!()
ApiExtensionTyped · ApiExtensionTypedDyncrates/shared/extension/src/typed/api.rsAxum route handlers
JobExtensionTypedcrates/shared/extension/src/typed/job.rsScheduled and background jobs
ProviderExtensionTypedcrates/shared/extension/src/typed/provider.rsCustom LLM / tool / data providers
ConfigExtensionTypedcrates/shared/extension/src/typed/config.rsStartup config validation

Registration is a single macro — register_extension! lives in crates/shared/extension/src/traits.rs and wraps inventory::submit!. Discovery goes through ExtensionBuilder<R> and TypedExtensionRegistry.

[dependencies]
systemprompt = { version = "0.9.0", features = ["full"] }
use systemprompt::extension::prelude::*;

struct MyExtension;

impl Extension for MyExtension {
    fn metadata(&self) -> ExtensionMetadata {
        ExtensionMetadata::new("my-extension", env!("CARGO_PKG_VERSION"))
    }

    fn schemas(&self) -> Vec<SchemaDefinition> {
        vec![SchemaDefinition::new(
            "my_extension",
            include_str!("../schema/001_init.sql"),
        )]
    }

    fn router(&self) -> Option<ExtensionRouter> { None }
}

register_extension!(MyExtension);
Typed identifiers

Zero raw-String IDs. Every identifier that crosses a boundary is a newtype in crates/shared/identifiers — the compiler prevents passing a UserId where an AgentId is expected.

UserId · SessionId · TraceId · ContextId · TaskId · AgentId · TenantId · McpServerId · McpExecutionId · AiRequestId · PluginId · SkillId · ArtifactId · FileId · ContentId · MessageId · TokenId · ClientId · RoleId · ProfileName · Email · ValidatedUrl · ValidatedFilePath · PolicyVersion

Database & repositories

Services call repositories, repositories issue SQL. All queries go through compile-time verified macrossqlx::query!(), sqlx::query_as!(), sqlx::query_scalar!(). No unverified sqlx::query().

DDL lives in {crate}/schema/*.sql and is embedded with include_str!() from extension.rs. The generic entity/repository traits live in crates/infra/database/src/repository/entity.rs (Entity, GenericRepository<E>).

use systemprompt_database::DbPool;
use systemprompt_identifiers::UserId;

pub struct UserRepository { pool: DbPool }

impl UserRepository {
    pub async fn find_by_id(&self, id: &UserId) -> Result<Option<User>> {
        sqlx::query_as!(User, "SELECT * FROM users WHERE id = $1", id.as_str())
            .fetch_optional(self.pool.as_ref())
            .await
            .map_err(Into::into)
    }
}
Facade crate & feature flags

Pull in only what you need through the systemprompt facade.

FeatureIncludes
core (default)traits · models · identifiers · extension · template-provider
databaseSQLx-backed DbPool
apiHTTP server, runtime, Axum (requires core + database)
cliCLI entry point
runtimeExtension runtime builder (requires cli)
mcprmcp macros
syncCloud synchronization
cloudCloud API client, credentials, OAuth
test-utilsCredential fixtures (requires cloud)
fullEverything: API + MCP + sync + cloud + CLI + all domain crates
# Embedded library usage
systemprompt = { version = "0.9.0", features = ["core", "database"] }

# Building a product binary
systemprompt = { version = "0.9.0", features = ["full"] }
use systemprompt::prelude::*;
use systemprompt::database::DbPool;
Performance

Sub-5 ms governance overhead, benchmarked. Each request performs JWT validation, scope resolution, three rule evaluations, and an async database write.

  • p50 < 5 ms
  • p99 < 12 ms
  • 200 concurrent governance requests
  • Zero GC pauses — hundreds of concurrent developers on a single instance

Numbers measured on the author’s laptop. Reproduce with ./demo/performance/02-benchmark.sh in the template. Full results and a live load test: systemprompt.io/features/demo.

§License

BSL-1.1 (Business Source License). Source-available for evaluation, testing, and non-production use. Production use requires a commercial license. Each version converts to Apache 2.0 four years after publication.

See LICENSE for the full terms. Licensing enquiries: ed@systemprompt.io.

§Security

Vulnerability disclosure, triage SLAs, and supply-chain integrity are documented in SECURITY.md. Report vulnerabilities to ed@systemprompt.io — not via public issues.

Release binaries are built in GitHub-hosted CI and signed with Sigstore cosign keyless. A CycloneDX SBOM is attached to every release.

§Enterprise Documentation

The documentation/ directory is the public evaluation pack for prospective customers, security reviewers, and RFI / procurement teams.

RFI and licensing contact: ed@systemprompt.io.

systemprompt.io · Documentation · Guides · Live Demo · Template · crates.io · docs.rs · Discord

Own how your organization uses AI. Every interaction governed and provable.

# Feature flags
FeaturePulls inUse case
core (default)traits, models, identifiers, extension, template-providerAuthor extensions, share types, no I/O.
databasesystemprompt-database, sqlxSQLx-backed DbPool and repository helpers.
configsystemprompt-configProfile, secrets, and credential bootstrap loaders.
mcprmcpImplement Model Context Protocol servers.
apisystemprompt-api, systemprompt-runtime, axum (implies core + database)HTTP server, AppContext, Axum router.
syncsystemprompt-syncCloud synchronisation primitives.
cloudsystemprompt-cloudCloud API client, credentials bootstrap, OAuth.
loggingsystemprompt-loggingTracing setup with the workspace’s layer stack.
loadersystemprompt-loaderFilesystem and module discovery.
eventssystemprompt-eventsIn-process event bus and SSE plumbing.
clientsystemprompt-clientHTTP API client used by the CLI.
securitysystemprompt-securityJWT, scope/RBAC, secret scanning, rate limit.
clisystemprompt-cliThe systemprompt CLI as a library entry point.
runtimecli + extension injectionRuntimeBuilder for embedding with custom extensions.
test-utilscloud plus credential fixturesTest scaffolding; not for production.
fullAll of the above plus all domain crates (agent, ai, mcp, oauth, users, content, analytics, scheduler, generator, files)Building a product binary.
systemprompt = { version = "0.5", features = ["full"] }

Re-exports§

pub use runtime::RuntimeBuilder;runtime
pub use runtime::RuntimeError;runtime
pub use crate::prelude::*;

Modules§

agentfull
Agent-to-Agent (A2A) protocol surface from systemprompt-agent — message types, task lifecycle, streaming server, agent registry.
aifull
LLM integration surface from systemprompt-ai — provider selection, request/response types, cost accounting.
analyticsfull
Analytics domain from systemprompt-analytics — request, conversation, agent, tool, cost metrics.
apiapi
HTTP server entry: Axum router, middleware stack, listener bootstrap.
clicli
CLI entry surface: run, CliConfig, OutputFormat, ColorMode, VerbosityLevel.
clientclient
HTTP API client used by the CLI and external tooling to drive a running instance.
cloudcloud
Cloud API client from systemprompt-cloud — credentials bootstrap, tenant management, deployment.
configconfig
Profile / secrets / credentials configuration loaders. Drives the ProfileBootstrap → SecretsBootstrap → CredentialsBootstrap → Config sequence.
contentfull
Content management domain from systemprompt-content — pages, articles, markdown ingestion.
credentialscloud
Cloud credentials bootstrap from systemprompt-cloud — loads OAuth client credentials and tenant identity at startup.
databasedatabase
SQLx-backed database abstraction: DbPool, DatabaseProvider, repositories, introspection.
eventsevents
In-process event bus and SSE broadcasting from systemprompt-events.
extensioncore
Compile-time extension framework: the Extension trait, typed variants, register_extension! macro, and registry.
filesfull
File-storage domain from systemprompt-files.
generatorfull
Static-site generator from systemprompt-generator — Tera-based renderer driving the web CLI domain.
identifierscore
Typed identifiers from systemprompt-identifiers (UserId, AgentId, TaskId, TraceId, …).
loaderloader
Filesystem and module discovery for services, plugins, and config files.
logginglogging
Tracing/logging setup helpers (startup-mode gating, layered subscribers).
marketplacefull
Marketplace filtering domain from systemprompt-marketplace — the MarketplaceFilter trait that gates per-user visibility of plugins, skills, agents, and managed MCP servers in the bridge manifest.
mcpfull
Model Context Protocol implementation from systemprompt-mcp — server orchestrator, network/proxy layer, RBAC middleware.
modelscore
I/O-free data models from systemprompt-models — config structs, profile types, domain DTOs.
oauthfull
OAuth2 / OIDC / WebAuthn flows from systemprompt-oauth.
prelude
Curated re-exports for ergonomic use systemprompt::prelude::*. See prelude for the full list. Curated re-exports for use systemprompt::prelude::*.
profilecore
Profile types — the on-disk profile schema (Profile, CloudConfig, ProfileStyle, CloudValidationMode) plus the ProfileBootstrap loader when the config feature is enabled.
runtimeruntime
RuntimeBuilder for embedding the platform with compile-time injected extensions and a custom web-asset strategy. Embedding helper for the systemprompt CLI.
schedulerfull
Background-job scheduler from systemprompt-scheduler.
securitysecurity
Security primitives: JWT verification, scope/RBAC, secret scanning, rate-limit middleware.
syncsync
Cloud synchronisation primitives from systemprompt-sync.
systemapi
Application runtime / AppContext wiring. Construct via AppContextBuilder from the prelude.
template_providercore
Template provider trait surface for custom rendering backends (Tera, Handlebars, MJML, …).
traitscore
Core trait surface from systemprompt-traits.
usersfull
User management domain from systemprompt-users — accounts, roles, scopes.

Structs§

CredentialsBootstrapcloud
Top-level re-exports of CredentialsBootstrap and its error.

Enums§

CredentialsBootstrapErrorcloud
Top-level re-exports of CredentialsBootstrap and its error.
WebAssetsruntime
WebAssets strategy re-export — controls how the runtime serves the static web bundle (in-binary, on-disk, or disabled). Web-asset serving strategy re-exported from systemprompt-extension.