chore(rust): restructure Rust plugins as independent crates #3147
crivetimihai merged 7 commits into main
Conversation
looks same as before, LGTM
rebased today, quite a few conflicts in CI
Signed-off-by: lucarlig <luca.carlig@ibm.com>
Update Containerfiles, Makefile, CI workflow, and documentation to reflect the removal of the workspace-level Cargo.toml. Each Rust plugin is now built independently by iterating over plugin subdirectories instead of relying on a workspace root. Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Signed-off-by: lucarlig <luca.carlig@ibm.com>
Signed-off-by: lucarlig <luca.carlig@ibm.com>
- Skip cookiecutter template directories - Add .cache to ignored directories - Clean up code formatting Signed-off-by: lucarlig <luca.carlig@ibm.com> Signed-off-by: lucarlig <luca.carlig@ibm.com>
… exfil detector Fix bug where encoded_exfil_detection.py_scan_container() was called as an attribute access on the already-imported function, causing an AttributeError at runtime when Rust is available. The function is already bound to py_scan_container via the import alias, so call it directly. Add comprehensive unit tests for internal helper functions covering edge cases: empty data handling, padding normalization, decode failures, oversized input skipping, disabled encodings, container type dispatch, and finding limits. Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Signed-off-by: lucarlig <luca.carlig@ibm.com>
…overage test Stub PydanticTool.model_validate and PydanticGateway.model_validate in test_invoke_tool_server_metric_recording_failure so that invoke_tool's plugin path does not validate MagicMock ORM objects (which caused 32 ValidationErrors for Tool and 23 for Gateway). The test only asserts that metrics recording failure is caught and logged; it does not need to exercise real Pydantic validation of tool/gateway. Signed-off-by: lucarlig <luca.carlig@ibm.com>
Sync pii_filter Cargo.toml version from 1.0.0-RC-1 to 1.0.0-RC-2 to match pyproject.toml, and update authors from "MCP Gateway Contributors" to "ContextForge Contributors" for consistency with the other two crates. Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
Review Summary
Rebased onto
Review Findings
Architecture & Design — The restructuring from a workspace-level Cargo.toml to independent crates is well-executed. Each plugin has its own build/test/publish lifecycle. Import path breaking change is properly documented in
Security — No issues. Changes are structural (import paths, build system). Detection logic unchanged.
Performance — No concerns. Rust implementations use
Tests — All 355 Python tests pass (114 Rust-specific properly skipped without compiled Rust). Parametrized test approach correctly covers both implementations. Differential coverage for changed lines is adequate (encoded_exfil_detector.py at 95%, BSN pattern changes fully covered).
Logic — BSN pattern improvement (context-aware vs bare
Minor Follow-up Items (non-blocking)
After the restructure into independent crates (#3147), each crate has its own target/ directory. The existing pattern only covered the workspace-level plugins_rust/target/. Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* refactor: restructure Rust plugins as independent crates Signed-off-by: lucarlig <luca.carlig@ibm.com> * fix: update references for independent Rust plugin crate structure Update Containerfiles, Makefile, CI workflow, and documentation to reflect the removal of the workspace-level Cargo.toml. Each Rust plugin is now built independently by iterating over plugin subdirectories instead of relying on a workspace root. Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Signed-off-by: lucarlig <luca.carlig@ibm.com> * fix: CI error for exfil plugin, fmt and dereference error Signed-off-by: lucarlig <luca.carlig@ibm.com> * fix: improve license checker file filtering - Skip cookiecutter template directories - Add .cache to ignored directories - Clean up code formatting Signed-off-by: lucarlig <luca.carlig@ibm.com> Signed-off-by: lucarlig <luca.carlig@ibm.com> * fix: correct Rust function call and improve test coverage for encoded exfil detector Fix bug where encoded_exfil_detection.py_scan_container() was called as an attribute access on the already-imported function, causing an AttributeError at runtime when Rust is available. The function is already bound to py_scan_container via the import alias, so call it directly. Add comprehensive unit tests for internal helper functions covering edge cases: empty data handling, padding normalization, decode failures, oversized input skipping, disabled encodings, container type dispatch, and finding limits. Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Signed-off-by: lucarlig <luca.carlig@ibm.com> * fix(tests): avoid Pydantic validation of mocks in metrics exception coverage test Stub PydanticTool.model_validate and PydanticGateway.model_validate in test_invoke_tool_server_metric_recording_failure so that invoke_tool's plugin path does not validate MagicMock ORM objects (which caused 32 ValidationErrors for Tool and 23 for Gateway). 
The test only asserts that metrics recording failure is caught and logged; it does not need to exercise real Pydantic validation of tool/gateway. Signed-off-by: lucarlig <luca.carlig@ibm.com> * fix: align pii_filter version and authors with other Rust plugin crates Sync pii_filter Cargo.toml version from 1.0.0-RC-1 to 1.0.0-RC-2 to match pyproject.toml, and update authors from "MCP Gateway Contributors" to "ContextForge Contributors" for consistency with the other two crates. Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: lucarlig <luca.carlig@ibm.com> Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Co-authored-by: lucarlig <luca.carlig@ibm.com>
* chore: bump version to 1.0.0-RC-3
Release-readiness pass covering Phases 0-6 of
docs/docs/development/release-management.md plus partial Phases 9-13.
Version & metadata
- Bump version to 1.0.0-RC-3 across four canonical locations via bump2version;
extend .bumpversion.cfg with sections for Containerfile.scratch, tools_rust/
wrapper/Cargo.toml, charts/mcp-stack/Chart.yaml (version + appVersion), and
SECURITY.md so future bumps cover them too.
- Replace hardcoded "1.0.0-RC-2" strings in mcpgateway/observability.py with the
package __version__; fix pylint ungrouped-imports by moving the import into
the existing delayed First-Party block.
- Sweep ~55 stale RC-2 references across README, docs, charts, and docs/docs/**
(roadmap and CHANGELOG historical sections retained as-is).
- Draft CHANGELOG entry consolidating 242 commits since RC-2 into a single
[1.0.0-RC-3] section, folding in the pre-existing UNRELEASED and GA-labelled
drafts; remove those obsolete sections.
- Restructure docs/docs/architecture/roadmap.md: new Release 1.0.0-RC-3 section
built from the 294 closed GitHub milestone items categorized into Epics,
Features, Security, Bugs, Performance, Testing, Documentation, Chores;
rebuild Release 1.0.0 section from the 104 pending items (79 carried over
from RC-3 milestone after bulk-move plus 25 dedicated GA items).
- Bump container base images across Containerfile, Containerfile.lite, and
Containerfile.scratch: ubi10/ubi-minimal -> 10.1-1776071394, ubi10/ubi ->
10.1-1776145136, manylinux2014 -> 2026.04.08-5.
Dependency updates
- Refresh dependencies across 15 Python manifests via
.github/tools/update_dependencies.py; honor the repo-wide exclude-newer=10
days uv policy by reverting bumps that land inside the window
(prometheus-client, pydantic, python-multipart, uvicorn, langchain-ollama,
hypothesis, opentelemetry-*, granian, memray).
- Preserve three intentional pins (requests==2.33.0, schemathesis<4.11.0,
protobuf<7.0.0) per inline comments; revert starlette floor because
prometheus-fastapi-instrumentator 7.1.0 caps at <1.0.0 with no newer release.
- cargo update across mcp-servers/rust/{fast-test-server,filesystem-server},
tools_rust/{wrapper,mcp_runtime}; fix five pre-existing clippy findings via
cargo clippy --fix plus one manual cmp_owned fix in
mcp_runtime/src/config.rs.
- go get -u across all four Go modules; bump go.mod toolchain directives and
the Makefile LINT_GO_TOOLCHAIN from go1.25.8 to go1.26.2, clearing three
stdlib govulncheck findings (GO-2026-4871, GO-2026-4946, GO-2026-4870).
- Bump CDN pins in scripts/cdn_resources.py, scripts/download-cdn-assets.sh,
and mcpgateway/templates/admin.html: alpinejs 3.15.8 -> 3.15.11, dompurify
3.3.2 -> 3.4.0; regenerate and verify SRI hashes. Four major-version bumps
(HTMX, marked, CodeMirror, Font Awesome) deferred to follow-up issues.
- Bump pillow to 12.2.0 in mcp-servers/python/qr_code_server/uv.lock to close
GHSA-whj4-6x5x-4v2j (CVE-2026-40192).
Makefile and release-doc improvements
- Remove 28 stale rust-* targets that referenced the long-removed plugins_rust/
aggregator (dropped in PR #3147); keep rust-ensure-deps, rust-check (now
iterates the four real crates), and rust-mcp-runtime-*. Simplify install-dev,
dist, and wheel by removing dead ENABLE_RUST_BUILD=1 call-sites.
- Replace gitleaks with detect-secrets in the release doc, SECURITY.md,
docs/docs/architecture/security-features.md, and the Makefile (phantom
gitleaks target, security-all fallback, and help text); the project has used
detect-secrets with .secrets.baseline for some time.
- Drop make pre-commit from the release doc since pre-commit hooks run on every
commit in CI; keeping it as a release gate was redundant.
Playwright test fixes
- Four conftests (tests/playwright/entities/test_entity_lifecycle.py,
security/owasp/conftest.py, operations/conftest.py, teams/conftest.py) now
prefer MCP_AUTH env var before falling back to locally-signed JWT, matching
the pattern of the top-level api_request_context fixture. Fixes 128 tests
that were failing or erroring with 401 because the Python Settings default
JWT_SECRET_KEY (11 bytes) did not match the gateway's compose default
(40 bytes). Refactoring tracked in issue #4190.
Packaging
- Exclude vite build artifacts (mcpgateway/static/bundle-*.js and
mcpgateway/static/.vite/) from the sdist via MANIFEST.in; they are gitignored
and regenerate per build with hashed filenames, so including them broke
check-manifest and twine verify.
README badge
- Remove Bandit Security badge from README.md; the bandit.yml workflow was
retired (renamed .inactive) and the badge 404'd. Bandit still runs locally
via make bandit.
Follow-ups opened during this cycle
- #4162 Makefile plugins_rust/ references (partially resolved by this commit)
- #4163 JavaScript test coverage baseline
- #4165-#4168 CDN major-version bumps (HTMX, marked, CodeMirror, Font Awesome)
- #4190 Consolidate Playwright admin_api fixture
Accepted risks documented with the release
- basic-ftp (GHSA-6v7q-wjvx-w8wg) transitive devDep via retire.js; patched
version blocked by repo min-release-age=10 npm policy until 2026-04-19.
Dismissed on Dependabot with tolerable_risk justification.
- pytest CVE-2025-71176 (devDep) blocked by pytest-md-report cap at
pytest<9; will resolve when upstream publishes a pytest 9 compatible
release.
Signed-off-by: Jonathan Springer <jps@s390x.com>
* chore: address PR CI follow-ups
- Bump Go toolchain pin from 1.25.8 to 1.26.2 in .github/workflows/
linting-full.yml and its paired sync-check assertions in
tests/unit/test_go_toolchain_pinning.py so CI matches the Makefile's
LINT_GO_TOOLCHAIN (already updated) and clears GO-2026-4871 /
GO-2026-4946 / GO-2026-4870 on the CI runner.
- Rename Go module paths in a2a-agents/go/a2a-echo-agent/go.mod and
mcp-servers/go/benchmark-server/go.mod from github.com/cmihai/
mcp-context-forge/... to github.com/ibm/... to match the project's
canonical GitHub location; update the stale GitHub Issues URL in
docs/docs/manage/api-usage.md.
- Add missing `license = "Apache-2.0"` (plus a short description) to
tools_rust/request_logging_masking_native_extension/pyproject.toml so
the license-check CI job stops failing on missing license metadata for
request-logging-masking-native-extension.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Jonathan Springer <jps@s390x.com>
---------
Signed-off-by: Jonathan Springer <jps@s390x.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Closes #2730
Closes #2906
🚀 Summary
Restructures Rust plugins as independent crates with proper workspace architecture and consolidates CI testing to eliminate duplication. The PII filter plugin testing is migrated to the new structure as the reference implementation.
Key changes:
- plugins_rust/ workspace Cargo.toml, Makefile, and isolated build system
🧪 Checks
- make lint passes
- make test passes
📓 Notes
Architecture Decision
This PR implements Option 2: Fully Independent Plugin Crates from issue #2730:
- pip distribution via maturin
Testing Strategy
Implements Python-based integration testing shared between Rust and Python implementations:
- tests/unit/mcpgateway/plugins/plugins/pii_filter/test_pii_filter.py
- @pytest.mark.parametrize
- REQUIRE_RUST_PLUGINS=1
CI Consolidation
- rust-plugins.yml workflow
- pytest.yml
This PR has 3 independent parts; found issues with:
License check was broken → added commit to fix it
Exfil plugin Rust version had bugs → needed to be addressed
Main plugin refactoring
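
The shared-test strategy and the exfil-detector call-site bug described above, as an added example that is not code from this PR or the project. Only the names `encoded_exfil_detection`, `py_scan_container` and `REQUIRE_RUST_PLUGINS` come from the page; the toy scanner, the stand-in native module, the sample data, the reading of `REQUIRE_RUST_PLUGINS=1` as "fail instead of skip", and the reconstructed buggy call are assumptions.

```python
import os
import re
import sys
import types

# Toy heuristic (constructed): a string leaf "looks encoded" if it is one long base64 run.
B64_RUN = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")

# Constructed sample payload; the two long values are base64 of harmless text.
SAMPLE = {
    "user": "alice",
    "notes": ["hello", "c2VjcmV0LWFwaS1rZXktMTIzNDU2"],
    "meta": {"blob": "dGhpcyBpcyBhIGNvbnN0cnVjdGVkIHNhbXBsZQ=="},
}


def _walk(container, path=""):
    """Yield (path, value) for every string leaf in nested dicts and lists."""
    if isinstance(container, dict):
        for key, value in container.items():
            yield from _walk(value, f"{path}.{key}" if path else str(key))
    elif isinstance(container, list):
        for index, value in enumerate(container):
            yield from _walk(value, f"{path}[{index}]")
    elif isinstance(container, str):
        yield path, container


def python_scan_container(container):
    """Pure-Python fallback: sorted paths of string leaves that look base64-encoded."""
    return sorted(p for p, v in _walk(container) if B64_RUN.match(v))


def install_fake_native():
    """Register a constructed stand-in for the compiled extension in sys.modules."""
    module = types.ModuleType("encoded_exfil_detection")
    module.py_scan_container = lambda container: python_scan_container(container)
    sys.modules["encoded_exfil_detection"] = module


def load_scanners():
    """Return {name: callable} for every implementation that can be imported.

    Assumption: REQUIRE_RUST_PLUGINS=1 turns a missing native module into a
    hard failure, so CI cannot silently skip the native code path.
    """
    scanners = {"python": python_scan_container}
    try:
        from encoded_exfil_detection import py_scan_container
        scanners["rust"] = py_scan_container
    except ImportError:
        if os.environ.get("REQUIRE_RUST_PLUGINS") == "1":
            raise RuntimeError("native scanner required but not importable")
    return scanners


def run_shared_checks():
    """Run one assertion body against every loaded implementation."""
    results = {}
    for name, scan in load_scanners().items():
        found = scan(SAMPLE)
        assert found == ["meta.blob", "notes[1]"], (name, found)
        results[name] = found
    return results


def buggy_call(container):
    """Reconstructed bug class: attribute access on the already-imported function.

    Reachable only when the native module imports, so a suite that skips the
    native tests never executes this line.
    """
    from encoded_exfil_detection import py_scan_container
    return py_scan_container.py_scan_container(container)  # AttributeError


if __name__ == "__main__":
    print("without native:", run_shared_checks())
    install_fake_native()
    print("with native:   ", run_shared_checks())
    try:
        buggy_call(SAMPLE)
    except AttributeError as exc:
        print("buggy call site:", exc)
```

Without the native module only the Python path is checked and the faulty call site is never reached, which is why a run that requires the native build is the one that surfaces it.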