Skip to main content

Crate systemprompt_security

Crate systemprompt_security 

Source
Expand description

Security infrastructure for systemprompt.io.

Houses the request-level authentication primitives shared by the HTTP API and the runtime layer:

  • JWT minting (jwt) for admin tokens and (session) for session-scoped tokens.
  • Token extraction (extraction) from Authorization headers, MCP proxy headers, and cookies.
  • Request validation (auth) that turns those tokens into a systemprompt_models::execution::context::RequestContext.
  • Bridge manifest signing (manifest_signing) with Ed25519 keys.
  • Lightweight scanner / bot detection (services).
  • Authorization decision plane (authz) — deny-overrides resolver, access_control_rules repository, and AuthzDecisionHook extension surface shared by the gateway and MCP enforcement sites.

All public fallible APIs return typed errors from erroranyhow is not used in any public signature.

§Feature flags

This crate has no Cargo features; everything compiles by default.

§Example

use systemprompt_models::auth::JwtAudience;
use systemprompt_security::{AuthMode, AuthValidationService};

let svc = AuthValidationService::new(
    "secret".to_string(),
    "systemprompt.io".to_string(),
    vec![JwtAudience::standard()],
);
let _ctx = svc.validate_request(headers, AuthMode::Required)?;

Re-exports§

pub use auth::AuthMode;
pub use auth::AuthValidationService;
pub use auth::HookTokenValidator;
pub use auth::ValidatedHookClaims;
pub use error::AuthError;
pub use error::AuthResult;
pub use error::JwtError;
pub use error::JwtResult;
pub use error::ManifestSigningError;
pub use error::ManifestSigningResult;
pub use extraction::CookieExtractionError;
pub use extraction::CookieExtractor;
pub use extraction::ExtractionMethod;
pub use extraction::HeaderExtractor;
pub use extraction::HeaderInjectionError;
pub use extraction::HeaderInjector;
pub use extraction::TokenExtractionError;
pub use extraction::TokenExtractor;
pub use jwt::AdminTokenParams;
pub use jwt::JwtService;
pub use services::ScannerDetector;
pub use session::SessionGenerator;
pub use session::SessionParams;
pub use session::ValidatedSessionClaims;

Modules§

auth
Request validation: turns an axum::http::HeaderMap into a systemprompt_models::execution::context::RequestContext using a configured JWT secret, issuer, and audience set.
authz
Unified authorization decision plane.
error
Error types raised by the security infrastructure.
extraction
Token extraction from inbound HTTP requests and id-header injection.
jwt
JWT minting service.
manifest_signing
Ed25519 signing of bridge manifests.
services
Stateless security services that don’t fit elsewhere — currently the ScannerDetector.
session
Session-scoped JWT minting and the validated-claims wrapper produced by crate::auth::AuthValidationService.