
Module authz



Unified authorization decision plane.

Houses the deny-overrides resolver, access_control_rules repository, and AuthzDecisionHook extension surface shared by the gateway /v1/messages proxy and the MCP RBAC middleware. Both call resolve with different entity_type / entity_id pairs against the same table and audit shape.

Re-exports

pub use audit::AuthzAuditSink;
pub use audit::AuthzSource;
pub use audit::DbAuditSink;
pub use audit::GovernanceDecisionRecord;
pub use audit::GovernanceDecisionRepository;
pub use audit::NullAuditSink;
pub use audit::insert_governance_decision;
pub use config::AccessControlConfig;
pub use config::DepartmentEntry;
pub use config::RuleEntry;
pub use error::AuthzBootstrapError;
pub use error::AuthzError;
pub use error::AuthzResult;
pub use extension::AuthzExtension;
pub use hook::AllowAllHook;
pub use hook::AuthzDecisionHook;
pub use hook::DenyAllHook;
pub use hook::WebhookHook;
pub use ingestion::AccessControlIngestionService;
pub use ingestion::IngestOptions;
pub use ingestion::IngestReport;
pub use repository::AccessControlRepository;
pub use repository::UpsertRuleParams;
pub use resolver::resolve;
pub use runtime::clear_global_hook;
pub use runtime::global_hook;
pub use runtime::install_from_governance_config;
pub use runtime::install_global_hook;
pub use types::Access;
pub use types::AccessRule;
pub use types::AuthzDecision;
pub use types::AuthzRequest;
pub use types::Decision;
pub use types::EntityKind;
pub use types::RuleType;

Modules

audit
Audit sink for authorization decisions.
config
YAML schema for declarative access-control baselines.
error
Typed error surface for the authz crate.
extension
hook
Authorization decision hooks.
ingestion
Bootstrap-time projection of AccessControlConfig into access_control_rules.
repository
AccessControlRepository — sqlx-backed access to access_control_rules.
resolver
Pure deny-overrides resolver with user > role > department specificity.
runtime
Process-wide authz hook installed at server startup.
types
Wire and storage types for authorization decisions.