IBM
diff --git a/‎.env.example‎
Lines changed: 7 additions & 0 deletions b/‎.env.example‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎.secrets.baseline‎
Lines changed: 21 additions & 21 deletions b/‎.secrets.baseline‎
Lines changed: 21 additions & 21 deletions
diff --git a/‎Makefile‎
Lines changed: 13 additions & 2 deletions b/‎Makefile‎
Lines changed: 13 additions & 2 deletions
diff --git a/‎charts/mcp-stack/values.schema.json‎
Lines changed: 3 additions & 0 deletions b/‎charts/mcp-stack/values.schema.json‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎charts/mcp-stack/values.yaml‎
Lines changed: 1 addition & 0 deletions b/‎charts/mcp-stack/values.yaml‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎docs/config.schema.json‎
Lines changed: 6 additions & 0 deletions b/‎docs/config.schema.json‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎docs/docs/best-practices/input-validation.md‎
Lines changed: 11 additions & 0 deletions b/‎docs/docs/best-practices/input-validation.md‎
Lines changed: 11 additions & 0 deletions
diff --git a/‎docs/docs/config.schema.json‎
Lines changed: 6 additions & 0 deletions b/‎docs/docs/config.schema.json‎
Lines changed: 6 additions & 0 deletions
@@ -143,6 +143,8 @@ SECURE_COOKIES=false
 
 # Enable validation middleware and experimental IO validation for visibility
 EXPERIMENTAL_VALIDATE_IO=true
+# Optional: enable the Rust JSON validation sidecar after `make rust-sidecar-install`
+# EXPERIMENTAL_RUST_VALIDATION_MIDDLEWARE_ENABLED=false
 VALIDATION_MIDDLEWARE_ENABLED=true
 
 # Permission audit logging (RBAC checks) - disabled by default for performance
@@ -792,10 +794,15 @@ OTEL_EXPORTER_OTLP_ENDPOINT=http://localhost:4317
 # Phase 0: EXPERIMENTAL_VALIDATE_IO=false (disabled, default)
 # Phase 1: EXPERIMENTAL_VALIDATE_IO=true, VALIDATION_STRICT=false (log-only)
 # Phase 2: EXPERIMENTAL_VALIDATE_IO=true, VALIDATION_STRICT=true (enforce in staging)
+# Optional accelerator: EXPERIMENTAL_RUST_VALIDATION_MIDDLEWARE_ENABLED=true after `make rust-sidecar-install`
 # Phase 3: Production deployment with all features enabled
 # Project defaults block enables EXPERIMENTAL_VALIDATE_IO for local dev
 # EXPERIMENTAL_VALIDATE_IO=false
 
+# Enable the experimental Rust sidecar for recursive JSON validation checks
+# Requires `make rust-sidecar-install` before enabling.
+# EXPERIMENTAL_RUST_VALIDATION_MIDDLEWARE_ENABLED=false
+
 # Enable validation middleware for all requests
 # When enabled, validates all incoming request parameters and paths
 # Options: true, false (default)
 
@@ -3,7 +3,7 @@
     "files": null,
     "lines": null
   },
-  "generated_at": "2026-04-03T13:20:55Z",
+  "generated_at": "2026-04-03T13:58:22Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
@@ -92,87 +92,87 @@
         "hashed_secret": "08cd923367890009657eab812753379bdb321eeb",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 509,
+        "line_number": 511,
         "type": "Basic Auth Credentials",
         "verified_result": null
       },
       {
         "hashed_secret": "14f8aa3e560a47851908ab0f04ec856dbc512d93",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 704,
+        "line_number": 706,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "fa9beb99e4029ad5a6615399e7bbae21356086b3",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 964,
+        "line_number": 971,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "7b4455a56fbf1d198e45e04c437488514645a82c",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 990,
+        "line_number": 997,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "ac371b6dcce28a86c90d12bc57d946a800eebf17",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 1070,
+        "line_number": 1077,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "0b6ec68df700dec4dcd64babd0eda1edccddace1",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 1075,
+        "line_number": 1082,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "4ad6f0082ee224001beb3ca5c3e81c8ceea5ed86",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 1080,
+        "line_number": 1087,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "cb32747fcfb55eaa194c8cd8e4ba7d49ada08a94",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 1086,
+        "line_number": 1093,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "6c178d51b13520496dbc767ed3d9d7aa5803ac72",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 1098,
+        "line_number": 1105,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "ca45060a53fd8a255d1a83ee8d2f025283ccc66e",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 1116,
+        "line_number": 1123,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "910fbf00f58e9bcb095ea26a75cc1d9a3355e671",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 1165,
+        "line_number": 1172,
         "type": "Secret Keyword",
         "verified_result": null
       }
@@ -780,71 +780,71 @@
         "hashed_secret": "7b4455a56fbf1d198e45e04c437488514645a82c",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 800,
+        "line_number": 801,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "25ab86bed149ca6ca9c1c0d5db7c9a91388ddeab",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 955,
+        "line_number": 956,
         "type": "Basic Auth Credentials",
         "verified_result": null
       },
       {
         "hashed_secret": "d08f88df745fa7950b104e4a707a31cfce7b5841",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 1055,
+        "line_number": 1056,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "7288edd0fc3ffcbe93a0cf06e3568e28521687bc",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 1058,
+        "line_number": 1059,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "8674c9b302d20800e4ab3808f139704d8641a6e3",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 1224,
+        "line_number": 1225,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "cff0d14e4337fa8bdb68dfa906f04b0df6fad72f",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 1263,
+        "line_number": 1264,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "f865b53623b121fd34ee5426c792e5c33af8c227",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 1311,
+        "line_number": 1312,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "acde39840735314af1300688b6c2324ea89770a3",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 1406,
+        "line_number": 1407,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "fa9beb99e4029ad5a6615399e7bbae21356086b3",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 1754,
+        "line_number": 1755,
         "type": "Secret Keyword",
         "verified_result": null
       }
 
@@ -8348,7 +8348,7 @@ upgrade-validate:                         ## Validate fresh + upgrade DB startup
 # help: rust-mcp-runtime-test                 - Run tests for the experimental Rust MCP runtime
 # help: rust-mcp-runtime-run                  - Run the experimental Rust MCP runtime against local gateway /rpc
 
-.PHONY: rust-build rust-dev rust-test rust-test-integration rust-python-test rust-test-all rust-bench rust-bench-build rust-bench-compare rust-compare rust-check rust-clean rust-verify rust-verify-stubs
+.PHONY: rust-build rust-dev rust-test rust-test-integration rust-python-test rust-test-all rust-bench rust-bench-build rust-bench-compare rust-compare rust-check rust-clean rust-verify rust-verify-stubs rust-sidecar-install rust-sidecar-test
 .PHONY: rust-ensure-deps rust-install-deps rust-install-targets rust-install
 .PHONY: rust-build-all-linux rust-build-all-platforms rust-cross rust-cross-install-build
 .PHONY: rust-mcp-runtime-build rust-mcp-runtime-test rust-mcp-runtime-run
@@ -8381,12 +8381,13 @@ rust-ensure-deps:                       ## Ensure Rust toolchain, maturin, and a
 
 rust-install: rust-ensure-deps          ## Install all Rust plugins into venv
 	@$(MAKE) -C plugins_rust install
+	@$(MAKE) rust-sidecar-install
 
 rust-build: rust-ensure-deps            ## Build Rust plugins (release)
 	@$(MAKE) -C plugins_rust build
 
 rust-dev: rust-ensure-deps              ## Build and install Rust plugins (development mode)
-	@$(MAKE) -C plugins_rust install
+	@$(MAKE) rust-install
 
 rust-test: rust-ensure-deps             ## Run Rust plugin tests
 	@$(MAKE) -C plugins_rust test
@@ -8410,6 +8411,16 @@ rust-compare: rust-ensure-deps          ## Run compare_performance.py only (skip
 
 rust-check: rust-ensure-deps            ## Run all Rust checks (format, lint, test)
 	@$(MAKE) -C plugins_rust check
+	@$(MAKE) rust-sidecar-test
+
+rust-sidecar-install: rust-ensure-deps  ## Build and install the validation middleware sidecar into the active venv
+	@test -d "$(VENV_DIR)" || $(MAKE) venv
+	@echo "🧪 Installing validation middleware sidecar..."
+	@/bin/bash -c "source $(VENV_DIR)/bin/activate && maturin develop --manifest-path tools_rust/validation_middleware_sidecar/Cargo.toml"
+
+rust-sidecar-test: rust-ensure-deps     ## Run tests for the validation middleware sidecar crate
+	@echo "🧪 Testing validation middleware sidecar..."
+	@cargo test --manifest-path tools_rust/validation_middleware_sidecar/Cargo.toml
 
 rust-doc: rust-ensure-deps              ## Build Rust documentation
 	@$(MAKE) -C plugins_rust doc
 
@@ -481,6 +481,9 @@
             "EXPERIMENTAL_VALIDATE_IO": {
               "type": "string"
             },
+            "EXPERIMENTAL_RUST_VALIDATION_MIDDLEWARE_ENABLED": {
+              "type": "string"
+            },
             "FEDERATION_TIMEOUT": {
               "type": "string",
               "description": "HTTP timeout in seconds for gateway and MCP server requests (health checks, tool invocations)",
 
@@ -657,6 +657,7 @@ mcpContextForge:
     # ─ Additional Settings (defaults from config.py) ─
     # Validation & sanitization
     EXPERIMENTAL_VALIDATE_IO: "false" # enable experimental input/output validation
+    EXPERIMENTAL_RUST_VALIDATION_MIDDLEWARE_ENABLED: "false" # enable the experimental Rust JSON validation sidecar (requires sidecar install)
     VALIDATION_MIDDLEWARE_ENABLED: "false" # enable validation middleware for all requests
     VALIDATION_STRICT: "true" # reject requests with validation failures
     JSON_SCHEMA_VALIDATION_STRICT: "true" # reject tool registrations with invalid JSON schemas
 
@@ -874,6 +874,12 @@
       "title": "Experimental Validate Io",
       "type": "boolean"
     },
+    "experimental_rust_validation_middleware_enabled": {
+      "default": false,
+      "description": "Enable experimental Rust sidecar for recursive validation middleware JSON checks",
+      "title": "Experimental Rust Validation Middleware Enabled",
+      "type": "boolean"
+    },
     "failed_login_min_response_ms": {
       "default": 250,
       "description": "Minimum response duration for failed login attempts to reduce timing side channels",
 
@@ -18,6 +18,9 @@ ContextForge provides comprehensive input validation and output sanitization to
 # Enable experimental validation (default: false)
 EXPERIMENTAL_VALIDATE_IO=true
 
+# Optional: enable the Rust JSON validation sidecar after `make rust-sidecar-install`
+EXPERIMENTAL_RUST_VALIDATION_MIDDLEWARE_ENABLED=false
+
 # Enable validation middleware (default: false)
 VALIDATION_MIDDLEWARE_ENABLED=true
 
@@ -49,6 +52,14 @@ The validation feature supports a phased roll-out approach:
 EXPERIMENTAL_VALIDATE_IO=false  # Disabled in production
 ```
 
+#### Optional Rust Sidecar
+```bash
+make rust-sidecar-install
+EXPERIMENTAL_RUST_VALIDATION_MIDDLEWARE_ENABLED=true
+```
+
+Enable this only after the sidecar is installed into the active virtual environment. If the sidecar is unavailable, the middleware falls back to the Python validator for standard validation failures.
+
 #### Phase 1: Log-Only Mode (Dev/Staging)
 ```bash
 EXPERIMENTAL_VALIDATE_IO=true
 
@@ -477,6 +477,12 @@
       "title": "Experimental Validate Io",
       "type": "boolean"
     },
+    "experimental_rust_validation_middleware_enabled": {
+      "default": false,
+      "description": "Enable experimental Rust sidecar for recursive validation middleware JSON checks",
+      "title": "Experimental Rust Validation Middleware Enabled",
+      "type": "boolean"
+    },
     "validation_middleware_enabled": {
       "default": false,
       "description": "Enable validation middleware for all requests",