Skip to main content

systemprompt_security/
lib.rs

1//! Security infrastructure for systemprompt.io.
2//!
3//! Houses the request-level authentication primitives shared by the HTTP
4//! API and the runtime layer:
5//!
6//! - Asymmetric signing key plane ([`keys`]) — the in-process `TokenAuthority`
7//!   holds the active RSA keypair, exposes the public set for
8//!   `/.well-known/jwks.json`, and caches federated JWKS documents under a
9//!   bounded LRU with an HTTPS allowlist.
10//! - JWT minting ([`jwt`]) for admin tokens and ([`session`]) for
11//!   session-scoped tokens. Tokens are signed RS256 via `TokenAuthority` and
12//!   carry a `kid` header; HS256 is rejected on validation.
13//! - Token extraction ([`extraction`]) from `Authorization` headers, MCP proxy
14//!   headers, and cookies.
15//! - Request validation ([`auth`]) that turns those tokens into a
16//!   [`systemprompt_models::execution::context::RequestContext`], resolving
17//!   non-self-issued tokens against `profile.security.trusted_issuers` and
18//!   propagating the RFC 8693 `act_chain` onto the per-request context.
19//! - At-rest hashing ([`at_rest`]) — `hmac_sha256` / `hmac_sha256_hex` under
20//!   the deployment `oauth_at_rest_pepper`, used to store refresh-token ids and
21//!   authorisation codes as digests rather than plaintext.
22//! - Bridge manifest signing ([`manifest_signing`]) with Ed25519 keys.
23//! - Lightweight scanner / bot detection ([`services`]).
24//! - Authorization decision plane ([`authz`]) — deny-overrides resolver,
25//!   `access_control_rules` repository, and `AuthzDecisionHook` extension
26//!   surface shared by the gateway and MCP enforcement sites.
27//!
28//! All public fallible APIs return typed errors from [`error`] — `anyhow`
29//! is not used in any public signature.
30//!
31//! # Feature flags
32//!
33//! This crate has no Cargo features; everything compiles by default.
34//!
35//! # Example
36//!
37//! ```no_run
38//! use systemprompt_models::auth::JwtAudience;
39//! use systemprompt_security::AuthValidationService;
40//!
41//! # fn demo(headers: &axum::http::HeaderMap) -> systemprompt_security::AuthResult<()> {
42//! let svc = AuthValidationService::new("systemprompt.io".to_string(), JwtAudience::standard());
43//! let _ctx = svc.validate_request(headers)?;
44//! # Ok(())
45//! # }
46//! ```
47
48pub mod at_rest;
49pub mod auth;
50pub mod authz;
51pub mod error;
52pub mod extraction;
53pub mod jwt;
54pub mod keys;
55pub mod manifest_signing;
56pub mod policy;
57pub mod services;
58pub mod session;
59
60pub use at_rest::{hmac_sha256, hmac_sha256_hex};
61
62pub use auth::{AuthValidationService, HookTokenValidator, ValidatedHookClaims};
63pub use authz::CompositeAuthzHook;
64pub use error::{
65    AuthError, AuthResult, JwtError, JwtResult, ManifestSigningError, ManifestSigningResult,
66};
67pub use extraction::{
68    CookieExtractionError, CookieExtractor, ExtractionMethod, HeaderExtractor,
69    HeaderInjectionError, HeaderInjector, TokenExtractionError, TokenExtractor,
70};
71pub use jwt::{AdminTokenParams, JwtService, JwtUserContext, extract_user_context};
72pub use services::ScannerDetector;
73pub use session::{SessionGenerator, SessionParams, ValidatedSessionClaims};