IBM
diff --git a/‎.github/CODEOWNERS‎
Lines changed: 9 additions & 2 deletions b/‎.github/CODEOWNERS‎
Lines changed: 9 additions & 2 deletions
diff --git a/‎.github/workflows/docker-scan.yml‎
Lines changed: 40 additions & 5 deletions b/‎.github/workflows/docker-scan.yml‎
Lines changed: 40 additions & 5 deletions
diff --git a/‎.github/workflows/license-check.yml‎
Lines changed: 10 additions & 0 deletions b/‎.github/workflows/license-check.yml‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎.github/workflows/pytest-rust.yml‎
Lines changed: 134 additions & 0 deletions b/‎.github/workflows/pytest-rust.yml‎
Lines changed: 134 additions & 0 deletions
diff --git a/‎.github/workflows/pytest.yml‎
Lines changed: 4 additions & 2 deletions b/‎.github/workflows/pytest.yml‎
Lines changed: 4 additions & 2 deletions
@@ -6,8 +6,15 @@
 /mcpgateway/plugins @araujof @terylt @jonpspri
 
 # Rust projects
-/tools_rust/ @lucarlig @dima-zakharov
-/mcp-servers/rust/ @lucarlig @dima-zakharov
+/crates/ @lucarlig @dima-zakharov @dawid-nowak
+/mcp-servers/rust/ @lucarlig @dima-zakharov @dawid-nowak
+/Cargo.toml @lucarlig @dima-zakharov @dawid-nowak
+/Cargo.lock @lucarlig @dima-zakharov @dawid-nowak
+/deny.toml @lucarlig @dima-zakharov @dawid-nowak
+/rust-toolchain.toml @lucarlig @dima-zakharov @dawid-nowak
+/supply-chain/ @lucarlig @dima-zakharov @dawid-nowak
+/.github/workflows/rust.yml @lucarlig @dima-zakharov @dawid-nowak
+/.github/workflows/pytest-rust.yml @lucarlig @dima-zakharov @dawid-nowak
 
 # Ownership for all tests
 /tests/ @crivetimihai @kevalmahajan @madhav165
 
@@ -19,6 +19,9 @@ on:
     branches: ["main"]
     paths:
       - 'Containerfile.lite'
+      - 'crates/**'
+      - 'Cargo.toml'
+      - 'Cargo.lock'
       - 'mcpgateway/**'
       - 'plugins/**'
       - 'pyproject.toml'
@@ -28,6 +31,9 @@ on:
     branches: ["main"]
     paths:
       - 'Containerfile.lite'
+      - 'crates/**'
+      - 'Cargo.toml'
+      - 'Cargo.lock'
       - 'mcpgateway/**'
       - 'plugins/**'
       - 'pyproject.toml'
@@ -76,15 +82,44 @@ jobs:
           cache-to: type=gha,mode=max,scope=scan-build-amd64
 
       - name: Generate SBOM (Syft)
-        uses: anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610 # v0
-        with:
-          image: ${{ env.IMAGE_NAME }}:scan
-          output-file: sbom.spdx.json
-          upload-artifact: false
+        run: |
+          docker run --rm \
+            -v /var/run/docker.sock:/var/run/docker.sock \
+            -v "${PWD}:/work" \
+            anchore/syft:v1.42.3 \
+            "docker:${IMAGE_NAME}:scan" -o spdx-json=/work/sbom.spdx.json
 
       - name: Upload SBOM
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
         with:
           name: sbom
           path: sbom.spdx.json
           retention-days: 30
+
+  rust-enabled-build:
+    if: github.event_name != 'pull_request' || !github.event.pull_request.draft
+    name: Rust-enabled container smoke
+    runs-on: ubuntu-latest
+    timeout-minutes: 60
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          persist-credentials: false
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
+
+      - name: Build Rust-enabled image locally
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
+        with:
+          context: .
+          file: Containerfile.lite
+          platforms: linux/amd64
+          push: false
+          load: false
+          build-args: |
+            ENABLE_RUST=true
+          cache-from: type=gha,scope=scan-build-rust-amd64
+          cache-to: type=gha,mode=max,scope=scan-build-rust-amd64
@@ -5,18 +5,28 @@ on:
     branches: ["main"]
     paths:
       - "pyproject.toml"
+      - "Cargo.toml"
       - "Cargo.lock"
+      - "crates/**"
+      - "mcp-servers/rust/**"
       - "package.json"
       - "package-lock.json"
+      - "license-policy.toml"
+      - "scripts/license_checker.py"
       - ".github/workflows/license-check.yml"
   pull_request:
     types: [opened, synchronize, ready_for_review]
     branches: ["main"]
     paths:
       - "pyproject.toml"
+      - "Cargo.toml"
       - "Cargo.lock"
+      - "crates/**"
+      - "mcp-servers/rust/**"
       - "package.json"
       - "package-lock.json"
+      - "license-policy.toml"
+      - "scripts/license_checker.py"
       - ".github/workflows/license-check.yml"
 
 concurrency:
 
@@ -0,0 +1,134 @@
+# ===============================================================
+# 🧪🦀  PyTest With Rust Build - Quality Gate
+# ===============================================================
+#
+#   - builds/install Rust-backed components required by the Python suite
+#   - runs the full pytest suite with Rust enabled
+#   - measures branch + line coverage (fails < 90% main, < 35% doctest)
+#   - posts changed-line coverage for PRs
+# ---------------------------------------------------------------
+
+name: Tests & Coverage (Rust)
+
+on:
+  push:
+    branches: ["main"]
+    paths:
+      - "crates/**"
+      - "Cargo.toml"
+      - "Cargo.lock"
+      - "rust-toolchain.toml"
+      - "deny.toml"
+      - "tests/e2e_rust/**"
+      - ".github/workflows/pytest-rust.yml"
+  pull_request:
+    types: [opened, synchronize, ready_for_review]
+    branches: ["main"]
+    paths:
+      - "crates/**"
+      - "Cargo.toml"
+      - "Cargo.lock"
+      - "rust-toolchain.toml"
+      - "deny.toml"
+      - "tests/e2e_rust/**"
+      - ".github/workflows/pytest-rust.yml"
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  test:
+    if: github.event_name != 'pull_request' || !github.event.pull_request.draft
+    name: pytest-rust
+    runs-on: ubuntu-latest
+    timeout-minutes: 40
+    services:
+      redis:
+        image: redis:7-bookworm
+        ports:
+          - 6379:6379
+        options: >-
+          --health-cmd "redis-cli ping"
+          --health-interval 5s
+          --health-timeout 3s
+          --health-retries 20
+
+    env:
+      PYTHONUNBUFFERED: "1"
+      PIP_DISABLE_PIP_VERSION_CHECK: "1"
+      REQUIRE_RUST: "1"
+      AUTH_ENCRYPTION_SECRET: ci-rust-auth-encryption-secret-1234567890 # pragma: allowlist secret
+      REDIS_URL: redis://127.0.0.1:6379/0
+      MCP_RUST_REDIS_URL: redis://127.0.0.1:6379/0
+
+    steps:
+      - name: ⬇️  Checkout code
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          persist-credentials: false
+          fetch-depth: 0
+
+      - name: 🐍  Setup Python 3.12
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
+        with:
+          python-version: "3.12"
+          cache: pip
+
+      - name: ⚡ Install uv
+        uses: astral-sh/setup-uv@d0d8abe699bfb85fec6de9f7adb5ae17292296ff # v6
+        with:
+          version: "0.10.11"
+          python-version: "3.12"
+
+      - name: 🦀  Install Rust stable
+        run: |
+          rustup toolchain install stable
+          rustup default stable
+
+      - name: 📦  Cache Cargo dependencies
+        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+        with:
+          path: |
+            ~/.cargo/registry
+            ~/.cargo/git
+            target
+          key: ${{ runner.os }}-cargo-pytest-rust-${{ hashFiles('**/Cargo.lock', 'Cargo.toml') }}
+          restore-keys: |
+            ${{ runner.os }}-cargo-pytest-rust-
+
+      - name: 🔨  Build Rust extensions
+        run: make rust-install && make rust-verify-stubs
+
+      - name: 🧪  Run pytest
+        run: |
+          uv run --extra plugins pytest -n 0 \
+            --durations=5 \
+            --ignore=tests/fuzz \
+            --ignore=tests/e2e/test_entra_id_integration.py \
+            --cov=mcpgateway \
+            --cov-report=xml \
+            --cov-report=html \
+            --cov-report=term \
+            --cov-branch \
+            --cov-fail-under=95
+
+      - name: 📈  Diff-cover (changed lines)
+        if: github.event_name == 'pull_request'
+        run: |
+          uv run diff-cover coverage.xml \
+            --compare-branch=origin/${{ github.base_ref }} \
+            --fail-under=93
+
+      - name: 📊  Doctest coverage with threshold
+        run: |
+          uv run --extra plugins pytest -n 0 \
+            --doctest-modules mcpgateway/ \
+            --cov=mcpgateway \
+            --cov-report=term \
+            --cov-report=json:doctest-coverage.json \
+            --cov-fail-under=30 \
+            --tb=short
@@ -18,15 +18,19 @@ on:
     # paths:
     #   - "mcpgateway/**"
     #   - "tests/**"
+    #   - "!tests/e2e_rust/**"
     #   - "pyproject.toml"
+    #   - "uv.lock"
     #   - ".github/workflows/pytest.yml"
   pull_request:
     types: [opened, synchronize, ready_for_review]
     branches: ["main"]
     # paths:
     #   - "mcpgateway/**"
     #   - "tests/**"
+    #   - "!tests/e2e_rust/**"
     #   - "pyproject.toml"
+    #   - "uv.lock"
     #   - ".github/workflows/pytest.yml"
   # schedule:
   #   - cron: '42 3 * * 1'   # Monday 03:42 UTC
@@ -86,8 +90,6 @@ jobs:
       # Note: Rust plugin builds removed - all plugins now distributed as PyPI packages
       # Rust MCP runtime (tools_rust/mcp_runtime) not needed for main pytest suite
       # (e2e_rust tests are excluded and run in separate workflow)
-      # -----------------------------------------------------------
-
       # -----------------------------------------------------------
       # 3️⃣  Run the tests with coverage (fail under 95 %total  coverage)
       # -----------------------------------------------------------