EVERY LAYER. AN OPEN STANDARD.

When the wire protocol between your agent and your governance layer is proprietary, switching providers means rewriting every client. The cost of leaving is paid by every integration you ever shipped. That is the failure mode systemprompt.io rules out at the protocol layer.

Agent communication runs on MCP through the rmcp crate. The marketplace MCP server registers 24 tools across six categories (skills, agents, MCP servers, plugins, utilities, analytics) in register_all_tools, and every category is wired by an explicit register_*_tools function. REST handlers are Axum routes returning structured JSON. Real-time updates use Server-Sent Events and Streamable HTTP.

Any MCP-compatible client connects with no adapter. Claude Code, OpenAI Codex, and Gemini CLI all speak MCP today. The compatibility guarantee is the public specification, not a private SDK.

A proprietary auth SDK is the deepest form of lock-in. Every service that trusts your identity layer is now coupled to one vendor's session format. When you leave, the IdP integrations leave with you. systemprompt.io refuses that trade by issuing identity through three published standards instead.

OAuth 2.0 client records, scopes, and grant types are stored in three explicit schema files (oauth_clients.sql, oauth_client_scopes.sql, oauth_client_grant_types.sql). WebAuthn credentials are stored in webauthn_credentials.sql, which keeps a public key and credential id per user, not a shared secret. JWT validation lives in crates/domain/oauth/src/services/jwt.

Because webauthn_credentials stores only a public key, the database holds no credential a phisher can replay. That is a property of the W3C WebAuthn schema, not a marketing claim about it.

An "export to open formats" feature is a tell. It means the real format is something else, and the export is best effort. When the storage format is the open format, there is nothing to export. systemprompt.io picks the second option.

Skills are SKILL.md files with YAML frontmatter, modelled by the Skill struct in crates/domain/agent/src/models/skill.rs and round-tripped by the sync code in crates/app/sync/src/export/skills.rs. JSON Schemas for MCP tool inputs are generated from Rust types by schemars at compile time. Any text editor opens the files. Any language parses them.

What sits on disk is what the library reads. There is no internal representation to convert from.

When governance content lives in a vendor SaaS, you cannot diff it, you cannot review it, and you cannot move it. Reviewers lose the workflow they trust for source code at the exact moment AI policy starts mattering. systemprompt.io stores content where reviewers already work.

Skill, agent, and plugin definitions sync to and from disk through crates/app/sync/src/local/skills_sync.rs and the export module under crates/app/sync/src/export. Operational state lives in PostgreSQL, with table definitions split into per-domain SQL schema files under crates/domain/*/schema. Queries are checked against the live schema by sqlx at compile time, so an ORM is not hiding the data model.

Two audit trails run in parallel: Git history for content changes, database rows for operational events. Both are queryable with tooling your team already owns.

Custom cryptography is its own form of lock-in. A security team that cannot name the primitive cannot audit it, and an auditor cannot tell a regulator what is protecting secrets at rest. systemprompt.io picks named, peer-reviewed primitives so that question has a one-line answer.

Secrets at rest use ChaCha20-Poly1305 AEAD via the chacha20poly1305 crate. Password hashing uses Argon2 via the argon2 crate. Message integrity uses SHA-2 and HMAC via sha2 and hmac. Every primitive is declared in the template Cargo.toml and called from the secret tools under extensions/mcp/marketplace/src/tools/get_secrets and manage_secrets.

The dependencies are public crates with public source. The same primitives are the same ones in every cryptography textbook. There is nothing compiled in that an auditor cannot read.

The honest version of "no lock-in" is not zero migration cost. Custom extensions you build on top of systemprompt.io are still yours to port, and an integration with your IdP still has to be redone if you replace the whole stack. What systemprompt.io rules out is the worst case: a proprietary wire protocol, a proprietary storage format, and a hosted control plane you cannot run yourself.

Every interface on this page is a published standard. The RBAC enforcement that gates MCP requests is enforce_rbac_from_registry in crates/domain/mcp/src/middleware/rbac.rs, a named function any reviewer can read. The whole library compiles to a single Rust binary with PostgreSQL as the only external dependency. The same binary runs on a laptop, a cloud VM, a bare metal box, or an air-gapped network.

This is not an "open-source alternative" to a SaaS product. It is an infrastructure library that speaks the standards your existing systems already speak. MCP clients connect without adapters. OAuth flows plug into your existing IdP. Git repositories clone with standard tooling.