COMPLIANCE. BUILT TO SURVIVE AN AUDIT.
SOC 2, ISO 27001, HIPAA, and OWASP Agentic Top 10 controls that terminate in named columns, typed enums, and file-line references. The binary runs air-gapped, validates HS256 JWTs in-process, and writes one audit row per tool call to PostgreSQL.
Air-Gap Runtime
A CISO signing off on an AI governance control needs a clean answer to two questions. Does the runtime phone home, and can an incident be contained without cutting customer traffic? systemprompt.io runs as a single binary against a local PostgreSQL. The health endpoint calls SELECT 1 on that database. There is no outbound dependency to any vendor service at startup or at steady state. Outbound traffic leaves the process only when an operator configures an upstream inference route (your own inference cluster or any /v1/messages-compatible upstream; Anthropic, OpenAI, Gemini, Bedrock, Vertex are secondary), and the route goes through whatever proxy or egress firewall the security team already controls.
Auth stays inside the perimeter too. Every session is an HS256 JWT. The binary signs tokens with a shared secret and verifies them locally in under a microsecond, so authentication does not require a round trip to an external identity provider. The signing key is checked at boot, and a secret under the configured minimum length is rejected before the process accepts requests. That maps to the ISO 27001 A.10 cryptography requirement that key material meet a documented minimum strength.
The control that matters for an audit of SOC 2 CC6.1 (logical access) is where the token is issued and validated. Both happen inside the customer's network, against configuration the customer owns. An auditor confirming "no external auth service in the data path" reads the health and auth references below and sees the decision happens in the same process that handles the request.
- No Phone-Home, One Database Dependency — The health endpoint runs SELECT 1 against local PostgreSQL. Nothing in the hot path calls a vendor service, so an air-gap deployment for a regulated tenant does not require a firewall exception or a proxy exemption.
- Local JWT Issuer and Validator — The binary signs and verifies HS256 tokens in-process. A misconfigured deployment with a signing key below the minimum length fails to boot, so weak-secret findings never reach a production audit window.
- Identity Fields on Every Record — Sessions carry user, session, and token IDs that the logging layer writes to every audit row. When an auditor asks who took an action, the answer is a database query against named columns, not a grep across unstructured log files.
- health.rs Health handler validates database connectivity with SELECT 1, no external call.
- discovery.rs API discovery resolves OAuth, MCP, agent, and core routes in-process.
- jwt/mod.rs Local token issuer. HS256 signing, no external auth server in the issuance path.
- profile/security.rs Security configuration: issuer, audiences, and token expirations in operator-owned YAML.
- session/generator.rs Session generator embeds permissions, roles, and rate-limit tier into the token.
- auth/validation.rs Auth validation decodes HS256 claims, checks issuer and audience, returns 401 on failure.
- secrets.rs (JWT secret validation) Startup check rejects signing secrets shorter than the configured minimum (ISO 27001 A.10).
Credentials Off the Prompt Path
Every credential that enters a model prompt is one prompt injection away from being exfiltrated to a third party. A CISO reviewing an agentic AI deployment needs to confirm that API keys, database URLs, and OAuth tokens do not appear in prompts, completions, tool arguments, or stored conversation history. systemprompt.io handles this by injecting credentials on the MCP subprocess environment at spawn time, not in the request body the model builds its prompt from.
When an agent calls a tool, the system launches the tool as a separate subprocess and hands provider credentials (ANTHROPIC_API_KEY, OPENAI_API_KEY, GEMINI_API_KEY, GITHUB_TOKEN) to it as environment variables. The model sees the tool name and the returned result. It does not see the credential that authenticated the downstream API call, because the secret lives in the subprocess address space and never lands on the request the model is built from.
Custom credentials follow the same path. The secrets layer flattens an arbitrary key-value map, and each value lands on the child environment under both its original and uppercased name. Plugin variables with the secret flag are filtered out of anything the model can read. For an auditor reviewing SOC 2 CC6.7 (data classification) or the HIPAA encryption addressable specification, the evidence is the list of destinations a secret can and cannot appear in, backed by the spawner reference and the plugin variable definition below.
- Environment Variable, Not Prompt — The MCP subprocess spawner sets provider keys on the child command before it runs, so no credential enters the request body the model is built from. Without this gate, a prompt injection that reads its own context could hand an agent's API key to an attacker.
- Per-Provider Isolation — Each provider key lives in its own typed field alongside the others. A leak of one provider context does not expose the rest, so a compromised OpenAI token does not hand an attacker the Anthropic or GitHub credential.
- Validated at Boot — The startup check enforces a minimum length on the JWT signing key and rejects misconfigured source files, so a weak-secret finding cannot land in a production audit window.
- plugin.rs Plugin variable definition. Variables marked secret are filtered from model-readable fields.
- secrets.rs Per-provider typed fields plus a custom map, with a minimum-length JWT secret check.
- profile/secrets.rs Secrets config: source selection and validation mode (strict, warn, skip) at boot.
- spawner.rs MCP subprocess spawner sets provider keys and secrets on the child environment.
- middleware/rbac.rs Permission check at the MCP entry point, before a credentialed subprocess runs.
- scanner.rs Scanner detector rejects probes for .env, .git, .sql, and known attack user-agents.
Replay Chain
The auditor question this section answers is simple. Show me every action this user took in a given window, and prove no action is missing. Every audit row in the logs table carries a user, a session, a trace, and an optional context and client identifier. Those fields are named columns in the schema, not parsed out of a free-text message, so the query is indexed and deterministic.
A lookup by request_id, task_id, or trace_id returns the original log event, the AI request, any MCP tool executions, and the per-step execution record in one response. A CISO or external auditor answering "what happened after this ticket was raised?" does not stitch together five log streams. They read one joined result set and replay the chain from identity to outcome. The underlying query service exposes the log search, tool execution listing, audit lookup, and level counts the admin dashboard and SIEM exporter use.
Retention is tiered by log level so debug chatter does not dominate the table compliance queries run against. Debug rows expire after one day, info after seven, warnings after thirty, errors after ninety, and the scheduler runs a vacuum after cleanup so the physical size of the table tracks policy. That maps to SOC 2 CC7.2 (system monitoring) and ISO 27001 A.12.4 (logging and monitoring). The retention period is a configurable policy, not an accident of disk space.
- Identity Columns — user_id, session_id, trace_id, context_id, and client_id live as typed columns on every audit row. An auditor asking 'who ran this tool' gets an indexed lookup instead of a regex guess across free-text messages.
- One Lookup, Full Replay — A request_id, task_id, or trace_id returns the log event, the AI request, the MCP tool executions, and the execution steps in one joined response, so an incident reviewer reconstructs the chain without writing a cross-stream join by hand.
- Tiered Retention With Vacuum — Debug, info, warning, and error rows expire on separate schedules, with a post-cleanup vacuum. Without tiered retention, either the audit window is too short for SOC 2 CC7.2 or the table grows past the point where compliance queries stay indexed.
- log_entry.rs Log entry schema: user, session, trace, context, client identifiers as typed fields.
- audit_queries.rs Audit lookup returns a request plus its linked MCP tool executions in one response.
- trace/service.rs Trace query service behind the admin dashboard and SIEM export.
- claims.rs JWT claims carry subject, session, token id, scopes, and roles into every audit write.
- retention/policies.rs Retention policy: debug 1d, info 7d, warnings 30d, errors 90d, scheduled vacuum.
- log.sql Base schema for the audit log table behind the columns and retention above.
Pre-Flight Policy Gate
A compliance control a CISO can rely on has to enforce before the risky action runs, not flag it afterwards. Every tool invocation fires a pre-tool-use hook before the model-facing handler touches inference. A denying hook short-circuits the call, and the audit row records the denial with the same identity fields as any other action. Without this gate, a policy violation is a post-mortem instead of a control.
Hooks load as YAML at boot. Matcher patterns, hook category (system or custom), visibility scope, and an action that dispatches to a shell command, a prompt, or a sub-agent. The security team owns the hook file, ships policy changes on its own release cadence, and reviews them in the same code-review pipeline as any other change. Because policies are code under version control, an auditor asking "show me when this rule was introduced and who approved it" reads a git log, not a ticket trail.
Lifecycle events give policy attachment points across the agent runtime. Pre-tool-use, post-tool-use, post-tool-use-failure, session start, session end, user prompt submit, notification, stop, subagent start, and subagent stop. That covers the excessive-agency risk directly. The pre-tool-use variant blocks an action before it executes, and the subagent-start variant blocks a sub-agent from being created with an unsanctioned capability.
- Deny Before Dispatch — Pre-tool-use hooks run before a tool handler reaches inference. A denying hook short-circuits the call, so a forbidden action is a block, not a post-mortem alert an auditor reads the morning after.
- Security Ships On Its Own Cadence — Hooks live in YAML the loader reads at boot. The security team ships a tightened policy without a product release, so a rule change in response to an incident takes minutes, not a release cycle.
- Policy Attached to the Plugin It Governs — Each plugin config embeds its own hook events, validated at load. A policy meant to govern one plugin lives with that plugin, so an auditor tracing 'which policy protects which tool' reads the plugin file, not a global matcher table.
- hooks.rs (event variants) Lifecycle event variants external policy can bind to.
- hooks.rs (events config) Per-event matcher arrays with dispatch type (command, prompt, sub-agent) and timeout.
- hooks.rs (disk config) Disk hook config: matchers, async flag, category, and visibility scope.
- plugin.rs Plugin config with embedded hook events, validated at load.
- middleware/rbac.rs Permission check that runs before hook evaluation on every request.
- domain/mcp/src/tool.rs Tool handler trait that receives the authenticated context hooks read.
RBAC and Department Scope
Role-based access control an auditor can trust has to enforce at two layers. A caller without the right role gets a typed denial, and a caller without the right role never sees the tool in the first place. systemprompt.io encodes role tiers as a single enum (admin, user, service, agent-to-agent, MCP, anonymous) with numeric hierarchy levels. A required tier either is or is not met. No fuzzy string match, no custom role sneaking past a whitelist because nobody added it.
A finance analyst and an engineering analyst sit in the same role tier, but their tool surface differs. The request context carries department scope, the caller's roles, and a session identifier alongside the tier. Tools the caller is not scoped to are absent from the manifest the caller loads. A finance agent does not see engineering's audit tools and cannot call them by URL, which closes the information-leak variant of access control that an external penetration test usually catches.
The permission check runs in middleware before any handler code executes, so a bypass attempt using a forged path or a stale token returns a typed denial rather than silently hitting application code. For an auditor scoring SOC 2 CC6.3 (role-based access), the artefact is the permission-tier enum and the middleware that loads it, both referenced below.
- Numeric Hierarchy — Admin inherits every lower tier by level comparison, not string match. A misread spreadsheet cannot introduce a 'senior admin' role that evades a check, so privilege drift is a compile error, not a silent allow.
- Invisible to the Out-of-Scope Caller — A caller loads a tool manifest filtered by role and department before calling anything. Tools outside scope are absent from the response, not hidden behind a 403, so a probe cannot even discover the name of a tool it has no right to call.
- Middleware Before Any Handler — The permission check runs in the request middleware before a handler executes. A request that fails the scope comparison returns a typed denial, so application code never gets a chance to grant access by accident.
- middleware/rbac.rs RBAC middleware validates scope per MCP server and builds the request context.
- auth/permission.rs Permission enum with hierarchy levels (Admin > User > Service > A2a > Mcp > Anonymous).
- auth/enums.rs Caller types, rate-limit tiers, and JWT audience variants via typed conversion.
- plugin.rs (component scoping) Plugin component reference with source, filter, and include/exclude lists.
- auth/roles.rs Base role definitions from admin wildcard to anonymous minimum (SOC 2 CC6.3).
- auth/claims.rs JWT claims with scope, roles, and user type read without a database round trip.
Compile-Time Floor
Every call enters through the API layer and is evaluated before reaching application code. Per-endpoint rate limits are sized to the workload. MCP tool traffic gets a higher base rate because real agent workflows batch, and inference gets a lower base rate because a tight inference loop is always a bug. Role multipliers scale the limit by tier so an admin script gets headroom that an anonymous caller does not, and so an unauthenticated runaway cannot saturate the backend.
The binary is compiled from a memory-safe systems language. The compiler rejects buffer overflows, use-after-free, double-free, data races, and null pointer dereferences at build time, not at runtime with a sanitizer. The memory-safety class of CVE that routinely appears on a CISO's supply-chain dashboard cannot ship in the artefact at all. An auditor reviewing OWASP A06 (vulnerable components) sees a build that fails before linking rather than a runtime mitigation that hopes to catch the bug in time.
The build is a single statically linked binary pinned by a cryptographic lockfile. The same source produces the same binary, so a later audit of a production artefact reproduces from a tagged commit without a floating dependency resolving to something new. A scanner detector compiled in blocks scanner probes (env-file sweeps, phpmyadmin fingerprints, cgi-bin walks) and named scanner tools at the edge of the request lifecycle, before any handler runs, so credential-exfiltration probes fail ahead of dispatch.
- Rate Limits Sized to the Workload — MCP traffic gets a higher base rate because real workflows batch. Inference gets a lower base rate because a high-rate inference loop is always a bug. Without sized limits, a rate cap is either too tight for legitimate traffic or too loose to block a runaway agent.
- Memory Safety at Compile Time — The compiler rejects buffer overflows, use-after-free, and data races before linking. A memory-safety CVE cannot ship in the artefact, so OWASP A06 (vulnerable components) is a build failure class, not a runtime detection problem.
- Reproducible Build, Scanner Block at the Edge — The lockfile pins every dependency, so the same source produces the same binary. The scanner detector blocks probes for .env, .git, .sql, and named scanner tools before a handler runs, so a credential-theft probe fails ahead of dispatch.
- profile/mod.rs Profile: security, rate limits, secrets, database, and server as typed YAML.
- rate_limits.rs Per-endpoint base rates and per-tier multipliers, re-read without rebuild.
- scanner.rs Scanner detector rejects named tools, bad user-agents, and high-velocity bursts inline.
- permission.rs Permission hierarchy with typed level comparison, not a runtime string check.
- secrets.rs Provider isolation plus JWT key minimum-length check (ISO 27001 A.10).
- auth/validation.rs HS256 decode, issuer and audience checks, typed auth modes (SOC 2 CC6.1).
Clause-to-Code Map
systemprompt.io's architecture does not certify an organisation. It provides technical controls an auditor maps to specific clauses in the frameworks the organisation is certified against. For a CISO presenting an AI governance layer to a SOC 2, ISO 27001, or HIPAA auditor, the evidence is a specific reference in this codebase paired with a specific clause in the framework.
SOC 2 Trust Services Criteria. The air-gap runtime supports CC6.1 (logical access controls) through the in-process token issuer and validator. Credentials off the prompt path support CC6.7 (data classification) through environment-variable injection that keeps keys out of the prompt. The replay chain supports CC7.2 (system monitoring) through the named-column log schema. RBAC supports CC6.3 (role-based access) through the permission-tier enum.
ISO 27001 Annex A. Secrets management supports A.10 (cryptography) through the HS256 signing-key minimum. RBAC and department scope support A.9 (access control policy) through the tier-plus-department claim structure. The replay chain supports A.12.4 (logging and monitoring) through the retention policy and query service. The retention policy itself addresses A.18 (compliance with legal requirements).
HIPAA Security Rule. The server-side credential injection path supports the encryption addressable specification. RBAC and department scope support the access control standard. The replay chain supports the audit controls standard. Each maps to a specific code reference an auditor reads directly.
OWASP Top 10 for Agentic Applications. The governance pipeline addresses excessive agency through pre-tool-use hook denial. RBAC with department scoping addresses privilege escalation through scope-filtered manifests. Scanner detection addresses credential leakage through boot-time validation and inline probe rejection. The replay chain addresses lack of traceability through the named-column log schema. Risks outside current scope (hallucination detection, retrieval-augmented generation poisoning) are documented in the OWASP implementation guide, so an auditor sees what the architecture covers and what it does not.
- SOC 2 Type II (CC6.1, CC6.3, CC6.7, CC7.2) — Air-gap, RBAC, secrets isolation, and identity-bound audit map to logical access, role-based access, data classification, and system monitoring criteria. Without these mappings, a SOC 2 control owner writes policy documents an auditor cannot tie to a running system.
- ISO 27001 Annex A (A.9, A.10, A.12.4, A.18) — Access control policy, cryptography, logging and monitoring, and legal compliance clauses all terminate in a specific code reference. Without that, an ISO 27001 evidence pack lists controls without naming the control surface that enforces them.
- HIPAA Security Rule (Encryption, Access, Audit) — The encryption addressable specification, the access control standard, and the audit controls standard each map to a code artefact, so HIPAA review treats AI agent activity as part of the covered log surface rather than a blind spot.
- OWASP Top 10 for Agentic Applications — Pre-tool-use denial, scope-filtered manifests, boot-time secret validation, and identity-bound audit address excessive agency, privilege escalation, credential leakage, and traceability. Risks outside scope are documented, not hidden.
- retention/policies.rs Tiered retention with scheduled vacuum (SOC 2 CC7.2, ISO 27001 A.12.4).
- trace/service.rs Trace service: identity to tool execution to cost, for dashboard and SIEM export.
- log_entry.rs Identity-bound audit schema: user, session, trace, context, client (SOC 2 CC7.2).
- permission.rs Permission tiers with hierarchy levels (SOC 2 CC6.3, ISO 27001 A.9).
- middleware/rbac.rs RBAC middleware: per-server scope validation (SOC 2 CC6.1).
- hooks.rs Lifecycle hook events covering pre-tool-use denial and subagent delegation.
- profile/secrets.rs Secrets validation mode and source selection (SOC 2 CC6.7).
Founder-led. Self-service first.
No sales team. No demo theatre. The template is free to evaluate — if it solves your problem, we talk.
Who we are
One founder, one binary, full IP ownership. Every line of Rust, every governance rule, every MCP integration — written in-house. Two years of building AI governance infrastructure from first principles. No venture capital dictating roadmap. No advisory board approving features.
How to engage
Evaluate
Clone the template from GitHub. Run it locally with Docker or compile from source. Full governance pipeline.
Talk
Once you have seen the governance pipeline running, book a meeting to discuss your specific requirements — technical implementation, enterprise licensing, or custom integrations.
Deploy
The binary and extension code run on your infrastructure. Perpetual licence, source-available under BSL-1.1, with support and update agreements tailored to your compliance requirements.