{"id":50084247,"url":"https://github.com/systempromptio/systemprompt-template","last_synced_at":"2026-05-25T00:01:21.572Z","repository":{"id":328181254,"uuid":"1114475554","full_name":"systempromptio/systemprompt-template","owner":"systempromptio","description":"AI Governance Infrastructure — local evaluation. The governance layer for AI agents: a single compiled Rust binary that authenticates, authorises, rate-limits, logs, and costs every AI interaction. Self-hosted, air-gap capable, provider-agnostic.","archived":false,"fork":false,"pushed_at":"2026-05-21T10:47:08.000Z","size":10319,"stargazers_count":13,"open_issues_count":0,"forks_count":1,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-05-21T18:43:36.115Z","etag":null,"topics":["a2a","agent-orchestration","agentic-ai","ai-agents","ai-governance","ai-infrastructure","autonomous-agents","boilerplate","claude","claude-code","llm","mcp","mcp-server","model-context-protocol","oauth2","postgresql","rust","self-hosted","starter","template"],"latest_commit_sha":null,"homepage":"https://systemprompt.io","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/systempromptio.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":"AGENTS.md","dco":null,"cla":null}},"created_at":"2025-12-11T12:29:41.000Z","updated_at":"2026-05-21T10:47:18.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/systempromptio/systemprompt-template","commit_stats":null,"previous_n
ames":["systempromptio/systemprompt-template"],"tags_count":3,"template":true,"template_full_name":null,"purl":"pkg:github/systempromptio/systemprompt-template","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/systempromptio%2Fsystemprompt-template","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/systempromptio%2Fsystemprompt-template/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/systempromptio%2Fsystemprompt-template/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/systempromptio%2Fsystemprompt-template/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/systempromptio","download_url":"https://codeload.github.com/systempromptio/systemprompt-template/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/systempromptio%2Fsystemprompt-template/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33455026,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-24T19:21:36.376Z","status":"ssl_error","status_checked_at":"2026-05-24T19:21:10.562Z","response_time":57,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while 
reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["a2a","agent-orchestration","agentic-ai","ai-agents","ai-governance","ai-infrastructure","autonomous-agents","boilerplate","claude","claude-code","llm","mcp","mcp-server","model-context-protocol","oauth2","postgresql","rust","self-hosted","starter","template"],"created_at":"2026-05-22T18:00:36.858Z","updated_at":"2026-05-25T00:01:21.538Z","avatar_url":"https://github.com/systempromptio.png","language":"Rust","funding_links":[],"categories":["Ecosystem","🛠️ Tools \u0026 Libraries"],"sub_categories":["GateGuard — Fact-Forcing PreToolUse Gate","🏗️ Frameworks \u0026 SDKs"],"readme":"\u003cdiv align=\"center\"\u003e\n\n\u003cpicture\u003e\n  \u003csource media=\"(prefers-color-scheme: dark)\" srcset=\"https://systemprompt.io/files/images/logo.svg\"\u003e\n  \u003csource media=\"(prefers-color-scheme: light)\" srcset=\"https://systemprompt.io/files/images/logo-dark.svg\"\u003e\n  \u003cimg src=\"https://systemprompt.io/files/images/logo-dark.svg\" alt=\"systemprompt.io\" width=\"380\"\u003e\n\u003c/picture\u003e\n\n# Own how your organization uses AI.\n\nOne self-hosted binary governs inference, auditing, evals, and every tool call across your AI fleet. Native integration with Claude Cowork. 
Works with any agent, any model, any provider.\n\nThis repository is the evaluation template: clone it, compile it, point Claude for Work, Claude Code, or any Anthropic-SDK client at `http://localhost:8080`, and every request lands on a host you operate — on your network, in your air-gap, under your audit table. Single Rust binary, one PostgreSQL, four commands from `git clone` to serving inference. Built for SOC 2, ISO 27001, HIPAA, and the OWASP Agentic Top 10.\n\n[![Built on systemprompt-core](https://img.shields.io/badge/built%20on-systemprompt--core-2b6cb0?style=flat-square)](https://github.com/systempromptio/systemprompt-core)\n[![Template · MIT](https://img.shields.io/badge/template-MIT-16a34a?style=flat-square)](LICENSE)\n[![Core · BSL--1.1](https://img.shields.io/badge/core-BSL--1.1-2b6cb0?style=flat-square)](https://github.com/systempromptio/systemprompt-core/blob/main/LICENSE)\n[![Rust 1.75+](https://img.shields.io/badge/rust-1.75+-f97316?style=flat-square\u0026logo=rust\u0026logoColor=white)](https://www.rust-lang.org/)\n[![PostgreSQL 18+](https://img.shields.io/badge/postgres-18+-336791?style=flat-square\u0026logo=postgresql\u0026logoColor=white)](https://www.postgresql.org/)\n\n[**systemprompt.io**](https://systemprompt.io) · [**Documentation**](https://systemprompt.io/documentation/) · [**Guides**](https://systemprompt.io/guides) · [**Enterprise factsheet (PDF)**](https://systemprompt.io/files/documents/systemprompt-io-enterprise-factsheet.pdf) · [**Discord**](https://discord.gg/wkAbSuPWpr)\n\n\u003cpicture\u003e\n  \u003csource media=\"(prefers-color-scheme: dark)\" srcset=\"demo/recording/svg/output/dark/cap-secrets.svg\"\u003e\n  \u003csource media=\"(prefers-color-scheme: light)\" srcset=\"demo/recording/svg/output/light/cap-secrets.svg\"\u003e\n  \u003cimg src=\"demo/recording/svg/output/dark/cap-secrets.svg\" alt=\"An AI agent attempts to exfiltrate a GitHub PAT through a tool call. 
The secret-detection layer denies the call before the tool process spawns. One row is written to the audit table. The recording is a live capture of `./demo/governance/06-secret-breach.sh`.\" width=\"820\"\u003e\n\u003c/picture\u003e\n\n\u003csub\u003eLive capture of \u003ccode\u003e./demo/governance/06-secret-breach.sh\u003c/code\u003e. Secret exfiltration attempt denied before spawn. One audit row written. No model touched the key.\u003c/sub\u003e\n\n\u003c/div\u003e\n\n---\n\n## Quick start\n\n```bash\ngit clone https://github.com/systempromptio/systemprompt-template\ncd systemprompt-template\njust setup-local \u003canthropic_key\u003e [openai_key] [gemini_key]   # writes profile, starts Postgres, runs publish pipeline\njust start                                                   # serves governance + agents + MCP + admin on :8080\n```\n\nOne AI key is required; the other two are optional. Running a second clone side-by-side? `just setup-local \u003ckeys\u003e 8081 5433`. Discover the CLI with `systemprompt --help`.\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003ePrerequisites\u003c/strong\u003e\u003c/summary\u003e\n\n\u003cbr\u003e\n\n| Requirement | Purpose | Install |\n|---|---|---|\n| **Docker** | PostgreSQL runs in a container; `just setup-local` starts it | [docker.com](https://docs.docker.com/get-docker/) |\n| **Rust 1.75+** | Compiles the workspace binary | [rustup.rs](https://rustup.rs/) |\n| **`just`** | Task runner | [just.systems](https://just.systems/) |\n| **`jq`, `yq`** | JSON and YAML processing in the scripts | `brew install jq yq` / `apt install jq yq` |\n| **AI API keys** | One key per provider enabled in `services/ai/config.yaml`. Shipped config enables Anthropic, OpenAI, Gemini (default `gemini`). Disable providers you don't want or pass all three. 
| Provider dashboards |\n| **Ports 8080 + 5432** | HTTP + PostgreSQL | Free on localhost |\n\n\u003c/details\u003e\n\n---\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eWhat a CISO gets\u003c/strong\u003e\u003c/summary\u003e\n\n\u003cbr\u003e\n\n- **A single query answers every AI audit.** Every request, scope decision, tool call, model output, and cost lands in one 18-column Postgres table. Six correlation columns (UserId, SessionId, TaskId, TraceId, ContextId, ClientId) bind identity at construction time, so a row without a trace is a programming error.\n- **Credentials physically cannot enter the context window.** The governance process is the parent of every MCP tool subprocess. Keys are decrypted from a ChaCha20-Poly1305 store and injected into the child's environment by `Command::spawn()`. The parent, which owns the LLM context, never writes the value. 35+ regex patterns deny any tool call that tries to pass a secret through arguments.\n- **Self-hosted, air-gap capable, single artifact.** One Rust binary. One PostgreSQL. No Redis, no Kafka, no Kubernetes, no SaaS handoff. The same binary runs on a laptop, a VM, and an air-gapped appliance without modification. Zero outbound telemetry by default.\n- **Policy-as-code on PreToolUse hooks.** Destructive operations, blocklists, department scoping, six-tier RBAC (Admin, User, Service, A2A, MCP, Anonymous). Rate limiting at 300 req/min per session with role multipliers. Every deny reason is structured and auditable.\n- **Certifications-ready, not certification-marketing.** Tiered log retention from debug (1 day) through error (90 days). 10 identity lifecycle event variants. SIEM-ready JSON events for Splunk, ELK, Datadog, Sumo. Built for **SOC 2 Type II**, **ISO 27001**, **HIPAA**, and the **OWASP Agentic Top 10**.\n\nThis repo is the evaluation template. Fork it, clone it, compile it. 
43 scripted demos execute every claim above against the live binary on your own laptop.\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eWhat you'll see in the first five minutes\u003c/strong\u003e\u003c/summary\u003e\n\n\u003cbr\u003e\n\n- **http://localhost:8080** — admin UI, live audit table, session viewer.\n- **`systemprompt analytics overview`** — conversations, tool calls, costs in microdollars, anomalies flagged above 2x/3x of rolling average.\n- **`systemprompt infra logs audit \u003crequest-id\u003e --full`** — the full trace for any request: identity, scope, rule evaluations, tool call, model output, cost. One query, one row, one answer.\n- **Point Claude Code, Claude Desktop, or any MCP client at it.** Permissions follow the user, not the client. Try to exfiltrate a key through a tool argument and watch the secret-detection layer deny it before the tool process spawns.\n- **`./demo/governance/06-secret-breach.sh`** — the scripted version of that denial, recorded above.\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eThe scripted demos\u003c/strong\u003e\u003c/summary\u003e\n\n\u003cbr\u003e\n\n```bash\n./demo/00-preflight.sh                    # acquire token, verify services, create admin\n./demo/01-seed-data.sh                    # populate analytics + trace data\n\n# Governance — the audit line\n./demo/governance/01-happy-path.sh        # allowed tool call, full trace chain\n./demo/governance/05-governance-denied.sh # scope check rejects out-of-role call\n./demo/governance/06-secret-breach.sh     # secret-detection blocks exfiltration\n./demo/governance/07-rate-limiting.sh     # 300 req/min per session enforced\n./demo/governance/08-hooks.sh             # PreToolUse policy-as-code\n\n# Observability — the audit table\n./demo/analytics/01-overview.sh           # conversations, costs, anomalies\n./demo/infrastructure/04-logs.sh          # structured JSON events, SIEM-ready\n\n# 
Scale — the overhead budget\n./demo/performance/02-load-test.sh        # 3,308 req/s burst, p99 22.7 ms\n```\n\nFull index: [`demo/README.md`](demo/README.md). 41 of 43 scripts are free; two cost ~$0.01 each (real model calls).\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eThe governance pipeline\u003c/strong\u003e\u003c/summary\u003e\n\n\u003cbr\u003e\n\nEvery tool call passes five in-process checks, synchronously, before it reaches a tool process. Every decision lands in an 18-column audit row.\n\n```\n  LLM Agent\n      │\n      ▼\n  Governance pipeline  (in-process, synchronous, \u003c5 ms p99)\n      │\n      ├─ 1. JWT validation       (HS256, verified locally, offline-capable)\n      ├─ 2. RBAC scope check     (Admin · User · Service · A2A · MCP · Anonymous)\n      ├─ 3. Secret detection     (35+ regex: API keys, PATs, PEM, AWS prefixes)\n      ├─ 4. Blocklist            (destructive operation categories)\n      └─ 5. Rate limiting        (300 req/min per session, role multipliers)\n      │\n      ▼\n  ALLOW or DENY   →  18-column audit row, always\n      │\n      ▼ (ALLOW)\n  spawn_server()\n      │\n      ├─ decrypt secrets from ChaCha20-Poly1305 store\n      └─ inject into subprocess env vars only (never parent)\n      │\n      ▼\n  MCP tool process     credentials live here, never in the LLM context path\n```\n\n\u003cpicture\u003e\n  \u003csource media=\"(prefers-color-scheme: dark)\" srcset=\"demo/recording/svg/output/dark/cap-governance.svg\"\u003e\n  \u003csource media=\"(prefers-color-scheme: light)\" srcset=\"demo/recording/svg/output/light/cap-governance.svg\"\u003e\n  \u003cimg src=\"demo/recording/svg/output/dark/cap-governance.svg\" alt=\"Governance pipeline — terminal recording\" width=\"820\"\u003e\n\u003c/picture\u003e\n\n\u003csub\u003eRun it: \u003ccode\u003e./demo/governance/05-governance-denied.sh\u003c/code\u003e · \u003ca href=\"https://systemprompt.io/features/governance-pipeline\"\u003eFeature 
detail\u003c/a\u003e\u003c/sub\u003e\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eHow credential injection works\u003c/strong\u003e\u003c/summary\u003e\n\n\u003cbr\u003e\n\nWhen a tool call passes the pipeline, `spawn_server()` decrypts credentials from the ChaCha20-Poly1305 store and injects them into the child process environment. The parent process — which owns the LLM context window — never writes the value.\n\nSource: [`systemprompt-core/crates/domain/mcp/src/services/process/spawner.rs`](https://github.com/systempromptio/systemprompt-core/blob/main/crates/domain/mcp/src/services/process/spawner.rs).\n\n```rust\nlet secrets = SecretsBootstrap::get()?;\n\nlet mut child_command = Command::new(\u0026binary_path);\n\n// Child env only. The parent (LLM context path) never touches the value.\nif let Some(key) = \u0026secrets.anthropic {\n    child_command.env(\"ANTHROPIC_API_KEY\", key);\n}\nif let Some(key) = \u0026secrets.github {\n    child_command.env(\"GITHUB_TOKEN\", key);\n}\n\n// Detach; parent forgets the child after spawn.\nlet child = child_command.spawn()?;\nstd::mem::forget(child);\n```\n\nBefore spawn, a secret-detection pipeline scans tool arguments for 35+ credential patterns. A tool call that tries to pass a secret through the context window is blocked even if the agent has scope to run the tool. The hero recording above is the scripted proof: `./demo/governance/06-secret-breach.sh`.\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003ePerformance\u003c/strong\u003e\u003c/summary\u003e\n\n\u003cbr\u003e\n\nSub-5 ms governance overhead, benchmarked. 
Each request performs JWT validation, scope resolution, three rule evaluations, and an async audit write.\n\n| Metric | Result |\n|---|---|\n| Throughput | 3,308 req/s burst, sustained under 100 concurrent workers |\n| p50 latency | 13.5 ms |\n| p99 latency | 22.7 ms |\n| Added to AI response time | \u003c1% |\n| GC pauses | Zero |\n\nReproduce: `just benchmark`. Numbers measured on the author's laptop.\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eConfiguration \u0026 CLI\u003c/strong\u003e\u003c/summary\u003e\n\n\u003cbr\u003e\n\nRuntime configuration is flat YAML under `services/`, loaded through `services/config/config.yaml`. Unknown keys fail loudly (`#[serde(deny_unknown_fields)]`). No database-stored config, no admin UI required. Every change is a diff.\n\n```\nservices/\n  config/config.yaml        Root aggregator\n  agents/\u003cid\u003e.yaml          Agent: scope, model, tool access\n  mcp/\u003cname\u003e.yaml           MCP server: OAuth2 config, scopes\n  skills/\u003cid\u003e.yaml          Skill: config + markdown instruction body\n  plugins/\u003cname\u003e.yaml       Plugin bindings (references agents, skills, MCP)\n  ai/config.yaml            AI provider config (Anthropic, OpenAI, Gemini)\n  scheduler/config.yaml     Background job schedule\n  web/config.yaml           Web frontend, navigation, theme\n  content/config.yaml       Content sources and indexing\n```\n\nEight CLI domains cover every operational surface. 
No dashboard required for any task.\n\n| Domain | Purpose |\n|---|---|\n| `core` | Skills, content, files, contexts, plugins, hooks, artifacts |\n| `infra` | Services, database, jobs, logs |\n| `admin` | Users, agents, config, setup, session, rate limits |\n| `cloud` | Auth, deploy, sync, secrets, tenant, domain |\n| `analytics` | Overview, conversations, agents, tools, requests, sessions, content, traffic, costs |\n| `web` | Content types, templates, assets, sitemap, validate |\n| `plugins` | Extensions, MCP servers, capabilities |\n| `build` | Build core workspace and MCP extensions |\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eMore recordings\u003c/strong\u003e — infrastructure, integrations, analytics, agents, compliance, MCP governance\u003c/summary\u003e\n\n\u003cbr\u003e\n\nEach recording is a live capture of the named script running against the binary.\n\n**Infrastructure** — one binary, one process, one database. Same artifact runs laptop to air-gap.\n\n\u003cpicture\u003e\u003csource media=\"(prefers-color-scheme: dark)\" srcset=\"demo/recording/svg/output/dark/infra-self-hosted.svg\"\u003e\u003csource media=\"(prefers-color-scheme: light)\" srcset=\"demo/recording/svg/output/light/infra-self-hosted.svg\"\u003e\u003cimg src=\"demo/recording/svg/output/dark/infra-self-hosted.svg\" alt=\"Self-hosted deployment\" width=\"820\"\u003e\u003c/picture\u003e\n\n\u003csub\u003eAll data on your infrastructure, zero outbound telemetry · \u003ccode\u003e./demo/infrastructure/01-services.sh\u003c/code\u003e · \u003ca href=\"https://systemprompt.io/features/self-hosted-ai-platform\"\u003eFeature\u003c/a\u003e\u003c/sub\u003e\n\n\u003cpicture\u003e\u003csource media=\"(prefers-color-scheme: dark)\" srcset=\"demo/recording/svg/output/dark/infra-deploy-anywhere.svg\"\u003e\u003csource media=\"(prefers-color-scheme: light)\" srcset=\"demo/recording/svg/output/light/infra-deploy-anywhere.svg\"\u003e\u003cimg 
src=\"demo/recording/svg/output/dark/infra-deploy-anywhere.svg\" alt=\"Deploy anywhere\" width=\"820\"\u003e\u003c/picture\u003e\n\n\u003csub\u003eProfile YAML promotes environments without rebuilding · \u003ccode\u003e./demo/cloud/01-cloud-overview.sh\u003c/code\u003e · \u003ca href=\"https://systemprompt.io/features/deploy-anywhere\"\u003eFeature\u003c/a\u003e\u003c/sub\u003e\n\n\u003cpicture\u003e\u003csource media=\"(prefers-color-scheme: dark)\" srcset=\"demo/recording/svg/output/dark/infra-control-plane.svg\"\u003e\u003csource media=\"(prefers-color-scheme: light)\" srcset=\"demo/recording/svg/output/light/infra-control-plane.svg\"\u003e\u003cimg src=\"demo/recording/svg/output/dark/infra-control-plane.svg\" alt=\"Unified control plane\" width=\"820\"\u003e\u003c/picture\u003e\n\n\u003csub\u003eEvery operational surface has a CLI verb · \u003ccode\u003e./demo/infrastructure/03-jobs.sh\u003c/code\u003e · \u003ca href=\"https://systemprompt.io/features/unified-control-plane\"\u003eFeature\u003c/a\u003e\u003c/sub\u003e\n\n\u003cpicture\u003e\u003csource media=\"(prefers-color-scheme: dark)\" srcset=\"demo/recording/svg/output/dark/infra-open-standards.svg\"\u003e\u003csource media=\"(prefers-color-scheme: light)\" srcset=\"demo/recording/svg/output/light/infra-open-standards.svg\"\u003e\u003cimg src=\"demo/recording/svg/output/dark/infra-open-standards.svg\" alt=\"Open standards\" width=\"820\"\u003e\u003c/picture\u003e\n\n\u003csub\u003eMCP, OAuth 2.0, PostgreSQL, Git · zero proprietary protocols · \u003ccode\u003e./demo/mcp/01-mcp-servers.sh\u003c/code\u003e · \u003ca href=\"https://systemprompt.io/features/no-vendor-lock-in\"\u003eFeature\u003c/a\u003e\u003c/sub\u003e\n\n---\n\n**MCP governance, analytics, closed-loop agents, compliance.**\n\n\u003cpicture\u003e\u003csource media=\"(prefers-color-scheme: dark)\" srcset=\"demo/recording/svg/output/dark/cap-mcp.svg\"\u003e\u003csource media=\"(prefers-color-scheme: light)\" 
srcset=\"demo/recording/svg/output/light/cap-mcp.svg\"\u003e\u003cimg src=\"demo/recording/svg/output/dark/cap-mcp.svg\" alt=\"MCP governance\" width=\"820\"\u003e\u003c/picture\u003e\n\n\u003csub\u003eEach MCP server is an isolated OAuth2 resource server with per-server scope validation · \u003ccode\u003e./demo/mcp/02-mcp-access-tracking.sh\u003c/code\u003e · \u003ca href=\"https://systemprompt.io/features/mcp-governance\"\u003eFeature\u003c/a\u003e\u003c/sub\u003e\n\n\u003cpicture\u003e\u003csource media=\"(prefers-color-scheme: dark)\" srcset=\"demo/recording/svg/output/dark/cap-analytics.svg\"\u003e\u003csource media=\"(prefers-color-scheme: light)\" srcset=\"demo/recording/svg/output/light/cap-analytics.svg\"\u003e\u003cimg src=\"demo/recording/svg/output/dark/cap-analytics.svg\" alt=\"Analytics and observability\" width=\"820\"\u003e\u003c/picture\u003e\n\n\u003csub\u003eNine analytics subcommands, anomaly detection, SIEM-ready JSON · \u003ccode\u003e./demo/analytics/01-overview.sh\u003c/code\u003e · \u003ca href=\"https://systemprompt.io/features/analytics-and-observability\"\u003eFeature\u003c/a\u003e\u003c/sub\u003e\n\n\u003cpicture\u003e\u003csource media=\"(prefers-color-scheme: dark)\" srcset=\"demo/recording/svg/output/dark/cap-agents.svg\"\u003e\u003csource media=\"(prefers-color-scheme: light)\" srcset=\"demo/recording/svg/output/light/cap-agents.svg\"\u003e\u003cimg src=\"demo/recording/svg/output/dark/cap-agents.svg\" alt=\"Closed-loop agents\" width=\"820\"\u003e\u003c/picture\u003e\n\n\u003csub\u003eAgents query their own error rate, cost, and latency via MCP tools and adjust · \u003ccode\u003e./demo/agents/04-agent-tracing.sh\u003c/code\u003e · \u003ca href=\"https://systemprompt.io/features/closed-loop-agents\"\u003eFeature\u003c/a\u003e\u003c/sub\u003e\n\n\u003cpicture\u003e\u003csource media=\"(prefers-color-scheme: dark)\" srcset=\"demo/recording/svg/output/dark/cap-compliance.svg\"\u003e\u003csource media=\"(prefers-color-scheme: light)\" 
srcset=\"demo/recording/svg/output/light/cap-compliance.svg\"\u003e\u003cimg src=\"demo/recording/svg/output/dark/cap-compliance.svg\" alt=\"Compliance\" width=\"820\"\u003e\u003c/picture\u003e\n\n\u003csub\u003eTiered retention, 10 identity lifecycle events, SOC 2 / ISO 27001 / HIPAA / OWASP Agentic Top 10 · \u003ccode\u003e./demo/users/03-session-management.sh\u003c/code\u003e · \u003ca href=\"https://systemprompt.io/features/compliance\"\u003eFeature\u003c/a\u003e\u003c/sub\u003e\n\n---\n\n**Integrations** — any provider, Claude Desktop, web publisher, extensions.\n\n\u003cpicture\u003e\u003csource media=\"(prefers-color-scheme: dark)\" srcset=\"demo/recording/svg/output/dark/int-any-agent.svg\"\u003e\u003csource media=\"(prefers-color-scheme: light)\" srcset=\"demo/recording/svg/output/light/int-any-agent.svg\"\u003e\u003cimg src=\"demo/recording/svg/output/dark/int-any-agent.svg\" alt=\"Any AI agent\" width=\"820\"\u003e\u003c/picture\u003e\n\n\u003csub\u003eAnthropic, OpenAI, Gemini swap at the profile level · cost attribution in integer microdollars · \u003ccode\u003e./demo/agents/01-list-agents.sh\u003c/code\u003e · \u003ca href=\"https://systemprompt.io/features/any-ai-agent\"\u003eFeature\u003c/a\u003e\u003c/sub\u003e\n\n\u003cpicture\u003e\u003csource media=\"(prefers-color-scheme: dark)\" srcset=\"demo/recording/svg/output/dark/int-cowork.svg\"\u003e\u003csource media=\"(prefers-color-scheme: light)\" srcset=\"demo/recording/svg/output/light/int-cowork.svg\"\u003e\u003cimg src=\"demo/recording/svg/output/dark/int-cowork.svg\" alt=\"Claude Desktop \u0026 Cowork\" width=\"820\"\u003e\u003c/picture\u003e\n\n\u003csub\u003eSkills persist across sessions via OAuth2 · \u003ccode\u003e./demo/skills/01-skill-lifecycle.sh\u003c/code\u003e · \u003ca href=\"https://systemprompt.io/features/cowork\"\u003eFeature\u003c/a\u003e\u003c/sub\u003e\n\n\u003cpicture\u003e\u003csource media=\"(prefers-color-scheme: dark)\" 
srcset=\"demo/recording/svg/output/dark/int-web-publisher.svg\"\u003e\u003csource media=\"(prefers-color-scheme: light)\" srcset=\"demo/recording/svg/output/light/int-web-publisher.svg\"\u003e\u003cimg src=\"demo/recording/svg/output/dark/int-web-publisher.svg\" alt=\"Web server \u0026 publisher\" width=\"820\"\u003e\u003c/picture\u003e\n\n\u003csub\u003eSame binary serves your website, blog, and docs · systemprompt.io runs on this binary · \u003ccode\u003e./demo/web/01-web-config.sh\u003c/code\u003e · \u003ca href=\"https://systemprompt.io/features/web-publisher\"\u003eFeature\u003c/a\u003e\u003c/sub\u003e\n\n\u003cpicture\u003e\u003csource media=\"(prefers-color-scheme: dark)\" srcset=\"demo/recording/svg/output/dark/int-extensions.svg\"\u003e\u003csource media=\"(prefers-color-scheme: light)\" srcset=\"demo/recording/svg/output/light/int-extensions.svg\"\u003e\u003cimg src=\"demo/recording/svg/output/dark/int-extensions.svg\" alt=\"Extensible architecture\" width=\"820\"\u003e\u003c/picture\u003e\n\n\u003csub\u003eYour code compiles into your binary via the \u003ccode\u003eExtension\u003c/code\u003e trait · no runtime reflection · \u003ccode\u003e./demo/skills/04-plugin-management.sh\u003c/code\u003e · \u003ca href=\"https://systemprompt.io/features/extensible-architecture\"\u003eFeature\u003c/a\u003e\u003c/sub\u003e\n\n\u003cpicture\u003e\u003csource media=\"(prefers-color-scheme: dark)\" srcset=\"demo/recording/svg/output/dark/int-benchmark.svg\"\u003e\u003csource media=\"(prefers-color-scheme: light)\" srcset=\"demo/recording/svg/output/light/int-benchmark.svg\"\u003e\u003cimg src=\"demo/recording/svg/output/dark/int-benchmark.svg\" alt=\"Governance benchmark\" width=\"820\"\u003e\u003c/picture\u003e\n\n\u003csub\u003e3,308 req/s burst, p99 22.7 ms · \u003ccode\u003ejust benchmark\u003c/code\u003e\u003c/sub\u003e\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eClaude for Work, on your 
infrastructure\u003c/strong\u003e\u003c/summary\u003e\n\n\u003cbr\u003e\n\nClaude for Work ships with extension points for inference, identity, and audit. Point them at this binary and every prompt, tool call, and cost line lands in a Postgres row you own.\n\n```\n  Managed Device                 Enterprise Gateway              Upstream Inference\n  (Cowork via MDM)               (this binary, your VPC)         (pluggable)\n  ───────────────── ──────────▶  ─────────────────────  ──────▶  ─────────────────\n  Credential helper              /v1/messages                    Anthropic direct\n  Managed MCP list               Governance pipeline             Bedrock / Vertex\n  Signed plugins                 Audit to Postgres               OpenAI / Groq\n                                                                 On-prem vLLM / Qwen\n                                                                 Air-gap capable\n```\n\nFour governance layers enforce before a byte leaves your network:\n\n- **Scope** — RBAC resolved from the JWT at request construction. Admin · User · Service · A2A · MCP · Anonymous.\n- **Secrets** — 35+ regex patterns scan every tool argument and every prompt. A credential in the context path is denied before the tool process spawns.\n- **Policy** — Blocklists, destructive-operation categories, tenant rules, PreToolUse hooks as code.\n- **Quota** — 300 req/min per session with role multipliers; per-tool and per-budget limits.\n\nIn-process evaluation against a cached entitlement table. 
Governance stays out of the latency budget — p99 **22.7 ms**, \u003c1% of AI response time.\n\n### How it compares\n\n| Dimension | Claude Enterprise | Cloud Custom | + systemprompt.io |\n|---|---|---|---|\n| **Data residency** | Anthropic infra | Cloud region | Your datacenter or air-gap |\n| **Audit trail** | Anthropic-held | OTLP only | Prompt → tool → MCP → cost in your Postgres |\n| **User revocation** | SSO / seat removal | Cloud IAM | IDP disable; next TTL fails closed |\n| **Inference provider** | Anthropic only | Bedrock / Vertex (Claude) | Any `/v1/messages`, per-call routing |\n| **MCP allowlist** | Anthropic-curated | Device-local config | One registry, per-principal policy |\n| **Plugin catalogue** | Anthropic-hosted | Files on disk | Signed, scoped, versioned distribution |\n\nManual install is tested and works end-to-end today; signed installers, MDM packages, and Homebrew / winget distribution land in a later release. Install steps in the **Advanced** fold below.\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eAdvanced — gateway routes, bridge install, org-plugins sync\u003c/strong\u003e\u003c/summary\u003e\n\n\u003cbr\u003e\n\nManual install is tested end-to-end. Automated distribution — signed installers, MDM packages, Homebrew / winget — is in progress; today you download a binary and drop a TOML file, documented below.\n\n### `/v1/messages` inference gateway\n\n`POST /v1/messages` at the Anthropic wire format. Every inference request flows through the same governance pipeline as every tool call — on infrastructure you operate.\n\n- **SDK- and Claude-Desktop-compatible.** Authenticated with a systemprompt JWT in `x-api-key` (falls back to `Authorization: Bearer`). No new credential type — existing user JWTs serve as the gateway credential.\n- **Routes by `model_pattern`.** Built-in tags: `anthropic`, `openai`, `moonshot` (Kimi), `qwen`, `gemini`, `minimax`. 
Anthropic is a transparent byte proxy (extended thinking, cache-control headers, SSE events preserved verbatim). OpenAI-compatible providers get full Anthropic↔OpenAI request/response/SSE conversion. Upstream API keys resolve from the secrets file by name.\n- **Zero overhead when disabled.** The `/v1` router mounts only if `gateway.enabled: true` in the active profile.\n\n\nProfile YAML:\n\n```yaml\ngateway:\n  enabled: true\n  routes:\n    - model_pattern: \"claude-*\"\n      provider: anthropic\n      endpoint: \"https://api.anthropic.com/v1\"\n      api_key_secret: \"anthropic_api_key\"\n    - model_pattern: \"moonshot-*\"\n      provider: moonshot\n      endpoint: \"https://api.moonshot.cn/v1\"\n      api_key_secret: \"kimi_api_key\"\n      upstream_model: \"moonshot-v1-8k\"\n    - model_pattern: \"MiniMax-*\"\n      provider: minimax\n      endpoint: \"https://api.minimax.io/anthropic\"\n      api_key_secret: \"minimax\"\n    - model_pattern: \"*\"\n      provider: anthropic\n      endpoint: \"https://api.anthropic.com/v1\"\n      api_key_secret: \"anthropic_api_key\"\n```\n\nRoutes evaluate in order; first `model_pattern` match wins. `upstream_model` aliases a client-requested model to a different upstream name without the client knowing.\n\n**Bridge credential helper endpoints.** `systemprompt-bridge` is a standalone ~2.4 MB Rust binary (no `tokio`, no `sqlx`, no `axum`) that trades a lower-privilege credential for a short-lived JWT. 
Progressive capability ladder — mTLS → dashboard session → PAT — mounted under `/v1/gateway/auth/cowork/`:\n\n- `POST /pat` — `Authorization: Bearer \u003cpat\u003e` → `{token, ttl, headers}` with a fresh JWT and the canonical identity header map (`x-user-id`, `x-session-id`, `x-trace-id`, `x-client-id`, `x-tenant-id`, `x-policy-version`, `x-call-source`).\n- `POST /session` — `501` (dashboard-cookie exchange not yet wired).\n- `POST /mtls` — `501` (device-cert exchange not yet wired).\n- `GET /capabilities` — `{\"modes\":[\"pat\"]}`; probes advertise which exchange modes this deployment accepts.\n\nThe helper writes the signed JWT + expiry to the OS cache dir with mode `0600`. Stdout contract is exactly one JSON object; all diagnostics go to stderr. Released out-of-band as `bridge-v*` tags. Install / configure / wire-up steps below.\n\n**Extensible provider registry.** `GatewayRoute.provider` is a free-form string resolved at dispatch time against a startup-built registry. Extension crates register new upstreams with:\n\n```rust\ninventory::submit! {\n    systemprompt_api::services::gateway::GatewayUpstreamRegistration {\n        tag: \"my-provider\",\n        factory: || std::sync::Arc::new(MyUpstream),\n    }\n}\n```\n\nThe `GatewayUpstream` trait (`async fn proxy(\u0026self, ctx: UpstreamCtx\u003c'_\u003e)`) is the single integration seam. Built-in tags seeded automatically; extension tags may shadow built-ins (logged as a warning). Full detail: [`core/CHANGELOG.md`](https://github.com/systempromptio/systemprompt-core/blob/main/CHANGELOG.md#030---2026-04-22).\n\n---\n\n### Install the bridge credential helper\n\nThe `systemprompt-bridge` binary is the **Credential helper script** slot in Claude for Work. It turns a PAT into a short-lived JWT that Claude Desktop merges into every inference request routed at this binary. 
Download the prebuilt macOS, Windows, or Linux binary from [systempromptio/systemprompt-core releases](https://github.com/systempromptio/systemprompt-core/releases/tag/bridge-v0.9.0).\n\nCurrent release: **[bridge-v0.9.0](https://github.com/systempromptio/systemprompt-core/releases/tag/bridge-v0.9.0)** — Linux x86_64, Windows x86_64 (MSVC ABI), macOS aarch64 (cosign-signed).\n\n#### 1. Download\n\n**Linux x86_64**\n\n```bash\n# Download under the release asset name (assumed to be how SHA256SUMS lists it) so the checksum entry matches\ncurl -fsSL -O https://github.com/systempromptio/systemprompt-core/releases/download/bridge-v0.9.0/systemprompt-bridge-x86_64-unknown-linux-gnu\ncurl -fsSL -O https://github.com/systempromptio/systemprompt-core/releases/download/bridge-v0.9.0/SHA256SUMS\n# Install only if the checksum verifies\nsha256sum -c SHA256SUMS --ignore-missing \u0026\u0026 \\\n  sudo install -m 755 systemprompt-bridge-x86_64-unknown-linux-gnu /usr/local/bin/systemprompt-bridge\n```\n\n**Windows x86_64** (PowerShell as Administrator):\n\n```powershell\n$dir = \"C:\\Program Files\\systemprompt\"\nNew-Item -ItemType Directory -Force -Path $dir | Out-Null\nInvoke-WebRequest `\n  -Uri \"https://github.com/systempromptio/systemprompt-core/releases/download/bridge-v0.9.0/systemprompt-bridge-x86_64-pc-windows-msvc.exe\" `\n  -OutFile \"$dir\\systemprompt-bridge.exe\"\n[Environment]::SetEnvironmentVariable(\"PATH\", \"$env:PATH;$dir\", \"User\")\n```\n\nWindows SmartScreen will flag the unsigned binary on first run → \"More info\" → \"Run anyway\".\n\n**macOS** (source build):\n\n```bash\ngit clone https://github.com/systempromptio/systemprompt-core.git\ncd systemprompt-core\ncargo build --manifest-path bin/bridge/Cargo.toml --release \\\n  --target \"$(rustc -vV | awk '/host:/ {print $2}')\"\nsudo install -m 755 \\\n  \"bin/bridge/target/$(rustc -vV | awk '/host:/ {print $2}')/release/systemprompt-bridge\" \\\n  /usr/local/bin/\n```\n\n#### 2. 
Configure\n\nLinux/macOS: `~/.config/systemprompt/systemprompt-bridge.toml`\nWindows: `%APPDATA%\\systemprompt\\systemprompt-bridge.toml`\n\n```toml\n[gateway]\nurl = \"http://localhost:8080\"   # for the local-trial template; swap to your production host\n\n[pat]\ntoken = \"sp-live-your-personal-access-token\"\n```\n\nIssue a PAT from the running binary with `systemprompt admin users pat issue \u003cuser-id\u003e --name bridge-laptop`. Absent config sections are silently skipped. Dev overrides: `SP_BRIDGE_GATEWAY_URL`, `SP_BRIDGE_PAT`.\n\n#### 3. Verify\n\n```bash\nsystemprompt-bridge           # prints exactly one JSON {token, ttl, headers}\nsystemprompt-bridge --check   # exits 0 if a token can be issued\n```\n\nDiagnostics go to stderr only. The stdout JSON matches Anthropic's `inferenceCredentialHelper` contract byte-for-byte.\n\n#### 4. Point Claude Desktop at it\n\nIn Claude Desktop **Enterprise → Settings → Inference**:\n\n- **Credential helper script**: `/usr/local/bin/systemprompt-bridge` (or `C:\\Program Files\\systemprompt\\systemprompt-bridge.exe`).\n- **API base URL**: the `gateway.url` from your TOML.\n\nEvery Claude Desktop request now lands a row in `ai_requests` with `user_id`, `tenant_id`, `session_id`, `trace_id`, tokens, cost, and latency — identical governance to every other tool call. Run `systemprompt infra logs audit \u003crequest-id\u003e --full` after a prompt to see the trace end-to-end.\n\n#### 5. 
(Optional) Install the `org-plugins/` sync agent\n\nThe same binary manages the bridge's signed plugin / managed-MCP mount:\n\n```bash\nsystemprompt-bridge install     # register launchd (macOS) / scheduled task (Windows) / systemd --user (Linux)\nsystemprompt-bridge sync        # pull signed plugin manifest + allowlist now\nsystemprompt-bridge validate    # verify the ed25519 signature\nsystemprompt-bridge uninstall   # remove\n```\n\nMount targets: `/Library/Application Support/Claude/org-plugins/` (macOS), `C:\\ProgramData\\Claude\\org-plugins\\` (Windows), `${XDG_DATA_HOME:-$HOME/.local/share}/Claude/org-plugins/` (Linux).\n\n\u003c/details\u003e\n\n---\n\n## License\n\n**This template** is [MIT](LICENSE). Fork it, modify it, use it however you like.\n\n**[systemprompt-core](https://github.com/systempromptio/systemprompt-core)** is [BSL-1.1](https://github.com/systempromptio/systemprompt-core/blob/main/LICENSE): free for evaluation, testing, and non-production use. Production use requires a commercial license. Each version converts to Apache 2.0 four years after publication. Licensing enquiries: [ed@systemprompt.io](mailto:ed@systemprompt.io).\n\n---\n\n\u003cdiv align=\"center\"\u003e\n\n[![systemprompt.io](https://img.shields.io/badge/systemprompt.io-2b6cb0?style=for-the-badge)](https://systemprompt.io) \u0026nbsp; [![Core](https://img.shields.io/badge/systemprompt--core-2b6cb0?style=for-the-badge)](https://github.com/systempromptio/systemprompt-core) \u0026nbsp; [![Documentation](https://img.shields.io/badge/documentation-16a34a?style=for-the-badge)](https://systemprompt.io/documentation/) \u0026nbsp; [![Guides](https://img.shields.io/badge/guides-f97316?style=for-the-badge)](https://systemprompt.io/guides) \u0026nbsp; [![Discord](https://img.shields.io/badge/discord-5865F2?style=for-the-badge\u0026logo=discord\u0026logoColor=white)](https://discord.gg/wkAbSuPWpr)\n\n\u003csub\u003eOwn how your organization uses AI. 
Every interaction governed and provable.\u003c/sub\u003e\n\n\u003c/div\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsystempromptio%2Fsystemprompt-template","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsystempromptio%2Fsystemprompt-template","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsystempromptio%2Fsystemprompt-template/lists"}