The narrow waist between your AI and everything it touches. Self-hosted. Air-gapped. Every interaction governed and provable.
3,308 req/s on a laptop. p50 13.5 ms. <1% overhead on AI response time. One compiled Rust binary. PostgreSQL. Nothing else.
A 50MB Rust binary that authenticates, authorises, rate-limits, logs, and costs every AI interaction. Four in-process services, 144 database tables, zero sidecars. The same artifact deploys to Docker, bare metal, cloud, or an air-gapped network. Config is profile-based YAML checked into version control. JWT validation and rate limiting execute locally per process without distributed infrastructure.
Every layer uses an open standard: MCP for tool communication, OAuth 2.0 and WebAuthn for identity, ChaCha20-Poly1305 for encryption at rest, PostgreSQL for storage, Git for distribution. No proprietary protocols at any layer.
Self-Hosted Deployment · Deploy Anywhere · Unified Control Plane · No Vendor Lock-In
Four synchronous enforcement layers evaluate every tool call before execution. Scope check enforces a six-tier RBAC hierarchy (Admin, User, Service, A2A, MCP, Anonymous) where each tier inherits permissions through Permission::implies. Secret detection runs 35+ regex patterns against tool inputs to block AWS keys, GitHub PATs, PEM private keys, and database connection strings before they reach a model. Blocklist prevents destructive operations. Rate limiting caps at 300 requests per minute per session with role-based multipliers (Admin 10x, User 1x, Anonymous 0.5x).
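The four-layer evaluation order described above, as an added illustration in Rust (not systemprompt's own code): the tier hierarchy with an `implies` check, one stand-in secret pattern (an AWS access key id), a blocklist, and a per-session, per-minute rate limit with the role multipliers. `Tier`, `Decision`, `Pipeline` and the AKIA-only detector are assumptions made for this example.

```rust
use std::collections::HashMap;

/// Six-tier hierarchy; declaration order gives the inheritance ordering.
#[derive(Clone, Copy, PartialEq, Eq, PartialOrd, Ord, Debug)]
pub enum Tier { Anonymous, Mcp, A2a, Service, User, Admin }

impl Tier {
    /// A higher tier inherits everything a lower tier may do (analogue of Permission::implies).
    pub fn implies(self, required: Tier) -> bool { self >= required }
    /// Role-based multiplier on the 300 req/min base limit.
    pub fn multiplier(self) -> f64 {
        match self { Tier::Admin => 10.0, Tier::Anonymous => 0.5, _ => 1.0 }
    }
}

#[derive(Debug, PartialEq)]
pub enum Decision { Allow, Deny(&'static str) }

/// Stand-in for one of the secret-detection patterns: "AKIA" + 16 uppercase alphanumerics.
fn looks_like_aws_key(input: &str) -> bool {
    input.split(|c: char| !c.is_ascii_alphanumeric()).any(|tok| {
        tok.len() == 20 && tok.starts_with("AKIA")
            && tok.chars().all(|c| c.is_ascii_uppercase() || c.is_ascii_digit())
    })
}

pub struct Pipeline {
    counts: HashMap<String, (u64, u32)>, // session -> (minute bucket, requests in that minute)
    blocklist: Vec<&'static str>,        // constructed sample of destructive operations
}

impl Pipeline {
    pub fn new() -> Self {
        Pipeline { counts: HashMap::new(), blocklist: vec!["rm -rf", "DROP TABLE"] }
    }
    /// Evaluate one tool call synchronously; the first failing layer denies it.
    pub fn evaluate(&mut self, session: &str, tier: Tier, required: Tier, input: &str, minute: u64) -> Decision {
        if !tier.implies(required) { return Decision::Deny("scope"); }
        if looks_like_aws_key(input) { return Decision::Deny("secret"); }
        if self.blocklist.iter().any(|b| input.contains(b)) { return Decision::Deny("blocklist"); }
        let limit = (300.0 * tier.multiplier()) as u32;
        let entry = self.counts.entry(session.to_string()).or_insert((minute, 0));
        if entry.0 != minute { *entry = (minute, 0); } // new minute window
        if entry.1 >= limit { return Decision::Deny("rate_limit"); }
        entry.1 += 1;
        Decision::Allow
    }
}
```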
Every decision lands in an 18-column audit table with 17 indexes, queryable from the CLI or exportable to your SIEM.
Credentials are encrypted at rest with ChaCha20-Poly1305 AEAD and injected server-side into subprocess environment variables at tool-call time. Secrets never enter the LLM context window, never appear in logs, and never transit the inference path. The detection layer blocks 12 dangerous file extensions (.env, .sql, .bak, .config, etc.) and identifies 20+ scanner tool signatures at the edge. JWT sessions use HS256 signing with a mandatory 32-character minimum secret. Token TTL is 5 minutes.
A single TraceId correlates every event from login through model output. Six correlation columns (UserId, SessionId, TaskId, TraceId, ContextId, ClientId) bind identity at construction time, so a row that reaches the database without a trace is a programming error. Cost is tracked in integer microdollars to prevent floating-point drift, with attribution by model, provider, and agent. Anomaly detection flags values exceeding 2x (warning) or 3x (critical) the rolling average. Nine CLI subcommands cover overview, conversations, agents, tools, requests, sessions, content, traffic, and costs.
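An added example (not systemprompt's code) of the cost model just described: requests are priced in integer microdollars, attributed per provider/model/agent, and each new value is compared against the rolling average with the 2x warning and 3x critical thresholds. `CostTracker`, the window size and the per-million-token rate are assumptions.

```rust
use std::collections::HashMap;

/// 1 USD = 1_000_000 microdollars; all arithmetic stays in u64 so sums never drift.
pub const MICRO_PER_USD: u64 = 1_000_000;

#[derive(Debug, PartialEq)]
pub enum Anomaly { Normal, Warning, Critical }

pub struct CostTracker {
    window: usize,                      // rolling window length (assumed 10)
    recent: Vec<u64>,                   // most recent costs, microdollars
    by_key: HashMap<String, u64>,       // "provider/model/agent" -> total microdollars
}

impl CostTracker {
    pub fn new(window: usize) -> Self {
        CostTracker { window, recent: Vec::new(), by_key: HashMap::new() }
    }
    /// Price `tokens` at `rate` microdollars per million tokens, rounding half up.
    pub fn price(tokens: u64, rate_per_million: u64) -> u64 {
        (tokens * rate_per_million + 500_000) / 1_000_000
    }
    /// Attribute a cost and classify it against the rolling average of prior values.
    pub fn record(&mut self, provider: &str, model: &str, agent: &str, cost: u64) -> Anomaly {
        let key = format!("{provider}/{model}/{agent}");
        *self.by_key.entry(key).or_insert(0) += cost;
        let verdict = if self.recent.is_empty() {
            Anomaly::Normal
        } else {
            let avg = self.recent.iter().sum::<u64>() / self.recent.len() as u64;
            if cost > 3 * avg { Anomaly::Critical }
            else if cost > 2 * avg { Anomaly::Warning }
            else { Anomaly::Normal }
        };
        self.recent.push(cost);
        if self.recent.len() > self.window { self.recent.remove(0); }
        verdict
    }
    pub fn total(&self, provider: &str, model: &str, agent: &str) -> u64 {
        self.by_key.get(&format!("{provider}/{model}/{agent}")).copied().unwrap_or(0)
    }
}
```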
Each MCP server operates as an independent OAuth2 resource server with isolated credentials and per-server scope validation. If a tool is not declared in the plugin manifest, it does not exist for that agent. Deploy-time validation runs four passes (port conflicts, server configs, OAuth requirements, server types) and all four pass or no servers start. The McpToolHandler trait enforces type safety at compile time via DeserializeOwned + JsonSchema inputs and Serialize + JsonSchema outputs.
Agents query their own error rate, cost, and latency through exposed MCP tools and adjust without a human in the loop. Every logged event carries eight correlation fields enabling complete request lineage reconstruction. The A2A protocol enables multi-provider agent workflows with full governance applied to every hop.
Governance Pipeline · Secrets Management · MCP Governance · Analytics & Observability · Closed-Loop Agents · Compliance
Provider-agnostic governance for Anthropic, OpenAI, Gemini, or custom agents. The AiProvider trait abstracts 19 methods so switching providers changes config, not code. Cost attribution tracks spend across providers, models, and agents with microdollar precision.
The extension system compiles your code into the binary. The Extension trait exposes routes, schemas, migrations, jobs, LLM providers, tool providers, page prerenderers, roles, and config namespaces. 12 extensions ship by default with 71 sqlx-checked schemas and 13 background jobs. Registration happens at link time via register_extension!, so there is no runtime reflection and no dynamic loading.
Skills persist across Claude Desktop sessions via OAuth2. Slash commands activate business skills (brand voice, templates, policies) governed by the same four-layer pipeline. The same binary that governs AI agents also serves your website, blog, and documentation with Markdown content, PostgreSQL full-text search, and engagement analytics.
Any AI Agent · Claude Desktop & Cowork · Web Server & Publisher · Extensible Architecture
Identity-bound, replayable audit trails via JWT. Policy-as-code on PreToolUse hooks with 10 lifecycle event variants. Tiered log retention from debug (1 day) through error (90 days). 25+ query methods in TraceQueryService for forensic analysis. All data stays on-premises with no outbound telemetry.
Built for SOC 2 Type II, ISO 27001, HIPAA, and OWASP Agentic Top 10.
| Project | Description |
|---|---|
| systemprompt-core | The Rust library. One binary, every governance primitive. BSL-1.1. |
| systemprompt-template | Local evaluation. Clone, build, run 40+ demos against your own machine. MIT. |
| systemprompt-code-orchestrator | MCP server orchestrating Claude Code + Gemini CLI as governed coding agents. |
| systemprompt-mcp-server | Production MCP server with OAuth 2.1, task management, and integrations. |
| systemprompt-marketplace | Plugin marketplace for the systemprompt.io ecosystem. |
```shell
just build                                      # compile the workspace
just setup-local <anthropic> <openai> <gemini>  # profile + Postgres + publish
just start                                      # serve on localhost:8080
```

Point Claude Code, Claude Desktop, or any MCP client at it. Permissions follow the user, not the client. Run `systemprompt --help` to explore 8 CLI domains covering governance, analytics, infrastructure, agents, plugins, content, cloud, and build.
systemprompt.io · Documentation · Guides · Discord
Own how your organization uses AI. Every interaction governed and provable.