EVERY LAYER, AN OPEN STANDARD. ZERO PROPRIETARY PROTOCOLS.

When the wire protocol between an agent and a governance layer is a vendor's private RPC, switching vendors means rewriting every client. Every integration ever shipped pays the exit cost. systemprompt.io blocks that at the protocol layer by picking the Model Context Protocol, the public spec every major coding agent already implements.

Agent traffic runs on MCP. A Claude Code, OpenAI Codex, or Gemini CLI client connects with no adapter. Admin traffic is plain HTTP JSON over the same request shape any HTTP client already makes. Real-time updates use Server-Sent Events, a native browser feature, not a proprietary websocket dialect. Replace systemprompt.io with another MCP server and the same clients keep pointing at it. CTOs can confirm this in one file. The rmcp dependency is declared in the workspace manifest, and every feature flag enabled is a standard MCP transport.

The marketplace MCP server exposes tool handlers across six categories. Skills, agents, MCP servers, plugins, secrets, and sync. Each is a public JSON Schema tool definition any MCP client can introspect. The reference below lists each handler in source.

A proprietary auth SDK is the deepest form of lock-in because every service that trusts the identity layer is coupled to one vendor's session format. Leaving means reissuing every token and reintegrating every IdP. systemprompt.io rules that out by running identity on three published standards. OAuth 2.0 (RFC 6749), WebAuthn (W3C), and JWT (RFC 7519).

OAuth 2.0 client records, scopes, and grant types live in three explicit SQL schema files, one per concern. Plain-text schemas, not an ORM's hidden model, so psql and pg_dump read them directly. WebAuthn credentials live in a separate schema file, per-user public keys and credential ids, no shared server-side secret, because the W3C spec designs out replay. A CISO auditing this has a one-line answer. The database holds no credential a phisher can replay, and that is a property of the standard, not a claim made about it.

JWT issue-and-verify lives in a dedicated services module under the oauth domain. Every library in every language already validates JWTs because RFC 7519 is ubiquitous. Walking away means pointing services at another OAuth 2.0 issuer, and the token format they validate is the same one.

An "export to open formats" feature on a SaaS product is a tell. It means the real format is something else, and the export is best-effort. When the storage format already is the open format, nothing needs exporting, and walking away is a git clone of the files on disk. systemprompt.io picks the second option for every user-facing artefact.

Skills are SKILL.md files with YAML frontmatter, and the data model in source maps one-to-one to what is on disk. A staff engineer reading the file and a developer querying the database see the same shape. Any text editor opens the file, any YAML parser reads the frontmatter, any Markdown renderer displays the body. The export-and-sync path round-trips the file back to disk without translation because no intermediate representation sits in between.

MCP tool inputs are JSON Schema, the IETF draft spec every JSON validator in every language implements. These schemas are generated at compile time from the Rust types that back each handler, so the schema in the wire protocol and the type in the code cannot drift. For a CTO, this means a client in Python, TypeScript, or Go can validate tool calls against the same schema the server enforces, regardless of which server is on the other end.

When governance content lives in a vendor SaaS, it cannot be diffed, cannot be reviewed in the tooling the team already uses for code, and cannot be moved. Reviewers lose the workflow they trust at the exact moment AI policy starts mattering. systemprompt.io stores content where reviewers already work. On disk, in Git, and in a PostgreSQL database they already know how to back up.

Skill, agent, and plugin definitions sync to and from disk, landing as plain files in a directory any team can commit to their own Git host. Branches, pull requests, and diffs work the same way they do for source code. Operational state lives in PostgreSQL with per-domain SQL schemas under each domain's schema directory. No proprietary migration format hides the table shape. A CTO evaluating a move answers "can I take the data with me" by running pg_dump, the standard Postgres backup tool packaged with every install.

Queries are checked against the live schema at compile time by sqlx, which validates each query against the database before the binary links. The data model is in plain SQL a reader can open, not hidden behind an ORM whose internal representation has to be reverse-engineered on exit. Two audit trails run in parallel. Git history for content changes, database rows for operational events. Both export with tooling every team already owns.

Custom cryptography is its own form of lock-in. A security team that cannot name the primitive cannot audit it, and an auditor cannot tell a regulator what is protecting secrets at rest. systemprompt.io picks named, peer-reviewed algorithms so that question has a one-line answer, and so the same primitives work in whatever system a team moves to.

Secrets at rest use an AEAD construction from the public RustCrypto family. The same class of construction secures TLS 1.3 sessions and WireGuard tunnels, so a CISO auditing it can point at two independent public specifications. The implementation lives in a single file under the admin extension, calling the public RustCrypto library declared in the template manifest. A staff engineer reads the call site and the dependency in two files.

Message integrity uses SHA-2 and HMAC from the same public RustCrypto family. SHA-2 is a NIST-standardised hash family parsed by every cryptography library in every language. Data encrypted or signed by systemprompt.io can be decrypted or verified by any library that implements the same RFCs, which is all of them. The exit cost on the crypto layer is a key export, not a re-encryption pass.

The honest version of "no lock-in" is not zero migration cost. Custom extensions built on top of systemprompt.io are still the customer's to port, and an integration with a customer IdP still has to be redone if the whole stack is replaced. What every layer above rules out is the worst case. A proprietary wire protocol, a proprietary storage format, and a hosted control plane a customer cannot run themselves.

Every interface on this page is a published standard and every identifier that matters is named in source. Authorisation for MCP requests runs through a single middleware function in the MCP domain that a reviewer reads end-to-end. The whole library compiles to one Rust binary with PostgreSQL as the only external dependency. The same binary runs on a laptop, a cloud VM, a bare-metal box, or an air-gapped network, and the rebuild step on another host is a standard Rust build, not a re-platforming project.

This is not an "open-source alternative" to a SaaS product. It is an infrastructure library that speaks the standards existing systems already speak. MCP clients connect without adapters. OAuth flows plug into an existing IdP. Git repositories clone with standard tooling. The exit story on every layer points to another open-standard implementation, not a blank page.