Crate systemprompt_security

Security infrastructure for systemprompt.io.

Houses the request-level authentication primitives shared by the HTTP API and the runtime layer:

All public fallible APIs return typed errors from error; anyhow is not used in any public signature.

Feature flags

This crate has no Cargo features; everything compiles by default.

Example

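use systemprompt_models::auth::JwtAudience;
use systemprompt_security::{AuthMode, AuthValidationService};

// Arguments: JWT secret, issuer, accepted audiences.
// "secret" is a placeholder; load the real value from configuration.
let svc = AuthValidationService::new(
    "secret".to_string(),
    "systemprompt.io".to_string(),
    vec![JwtAudience::standard()],
);
// `headers` is the inbound request's axum::http::HeaderMap.
let _ctx = svc.validate_request(headers, AuthMode::Required)?;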

Re-exports

pub use auth::AuthMode;
pub use auth::AuthValidationService;
pub use error::AuthError;
pub use error::AuthResult;
pub use error::JwtError;
pub use error::JwtResult;
pub use error::ManifestSigningError;
pub use error::ManifestSigningResult;
pub use extraction::CookieExtractionError;
pub use extraction::CookieExtractor;
pub use extraction::ExtractionMethod;
pub use extraction::HeaderExtractor;
pub use extraction::HeaderInjectionError;
pub use extraction::HeaderInjector;
pub use extraction::TokenExtractionError;
pub use extraction::TokenExtractor;
pub use jwt::AdminTokenParams;
pub use jwt::JwtService;
pub use services::ScannerDetector;
pub use session::SessionGenerator;
pub use session::SessionParams;
pub use session::ValidatedSessionClaims;

Modules

auth
Request validation: turns an axum::http::HeaderMap into a systemprompt_models::execution::context::RequestContext using a configured JWT secret, issuer, and audience set.
error
Error types raised by the security infrastructure.
extraction
Token extraction from inbound HTTP requests and id-header injection.
jwt
JWT minting service.
manifest_signing
Ed25519 signing of cowork manifests.
services
Stateless security services that don’t fit elsewhere — currently the ScannerDetector.
session
Session-scoped JWT minting and the validated-claims wrapper produced by crate::auth::AuthValidationService.