Enforce 90 percent Rust coverage

Signed-off-by: lucarlig <luca.carlig@ibm.com>

Author: lucarlig

.github/workflows/ci-rust-python-package.yaml

@@ -122,7 +122,13 @@ jobs:
         working-directory: plugins/rust/python-package/${{ matrix.plugin }}
         run: make sync
 
+      - name: Plugin CI build verification
+        if: matrix.os == 'ubuntu-latest'
+        working-directory: plugins/rust/python-package/${{ matrix.plugin }}
+        run: make ci-build
+
       - name: Plugin CI verification
+        if: matrix.os != 'ubuntu-latest'
         working-directory: plugins/rust/python-package/${{ matrix.plugin }}
         run: make ci
 
@@ -163,22 +169,41 @@ jobs:
           rustup component add llvm-tools-preview
           cargo install cargo-llvm-cov --version 0.8.4 --locked
 
+      - name: Install Python build tooling
+        run: python -m pip install uv==0.9.30 maturin==1.12.6
+
       - name: Generate Rust coverage report
         env:
           CARGO_PACKAGES: ${{ needs.validate-and-detect.outputs.cargo_packages }}
+          PLUGINS: ${{ needs.validate-and-detect.outputs.plugins }}
+          PYO3_PYTHON: python
         run: |
           mkdir -p coverage
           mapfile -t cargo_packages < <(python3 -c 'import json, os; [print(package) for package in json.loads(os.environ["CARGO_PACKAGES"])]')
+          mapfile -t plugins < <(python3 -c 'import json, os; [print(plugin) for plugin in json.loads(os.environ["PLUGINS"])]')
           cargo_args=()
           for package in "${cargo_packages[@]}"; do
             cargo_args+=("-p" "${package}")
           done
-          cargo llvm-cov "${cargo_args[@]}" --cobertura --output-path coverage/cobertura.xml
+          cargo llvm-cov clean --workspace
+          eval "$(cargo llvm-cov show-env --sh)"
+          export CARGO_TARGET_DIR="${CARGO_LLVM_COV_TARGET_DIR}/llvm-cov-target"
+          export CARGO_LLVM_COV_BUILD_DIR="${CARGO_TARGET_DIR}"
+          export LLVM_PROFILE_FILE="${CARGO_TARGET_DIR}/cpex-plugins-%p-%10m.profraw"
+          mkdir -p "${CARGO_TARGET_DIR}"
+          for plugin in "${plugins[@]}"; do
+            (cd "plugins/rust/python-package/${plugin}" && make sync && uv run maturin develop)
+          done
+          cargo test "${cargo_args[@]}"
+          for plugin in "${plugins[@]}"; do
+            (cd "plugins/rust/python-package/${plugin}" && make test-integration)
+          done
+          env -u CARGO_TARGET_DIR -u CARGO_LLVM_COV_BUILD_DIR -u CARGO_LLVM_COV_TARGET_DIR -u LLVM_PROFILE_FILE cargo llvm-cov report "${cargo_args[@]}" --cobertura --output-path coverage/cobertura.xml
 
       - name: Enforce per-plugin coverage floor
         env:
           PLUGINS: ${{ needs.validate-and-detect.outputs.plugins }}
-        run: python3 tools/plugin_catalog.py coverage-check . coverage/cobertura.xml 50.00 "${PLUGINS}"
+        run: python3 tools/plugin_catalog.py coverage-check . coverage/cobertura.xml 90.00 "${PLUGINS}"
 
       - name: Upload coverage to Codecov
         uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238

.github/workflows/release-rust-python-package.yaml

@@ -197,14 +197,19 @@ jobs:
           if [[ ! -f "${venv_python}" ]]; then
             venv_python="${tmpdir}/venv/Scripts/python.exe"
           fi
-          "${venv_python}" -m pip install dist/*.whl pytest pytest-asyncio
-          if [[ -d "${GITHUB_WORKSPACE}/${{ needs.resolve.outputs.plugin_path }}/tests" ]]; then
-            cp -R "${GITHUB_WORKSPACE}/${{ needs.resolve.outputs.plugin_path }}/tests" "${tmpdir}/tests"
-            printf "[pytest]\npythonpath = tests\nasyncio_mode = auto\n" > "${tmpdir}/pytest.ini"
+          "${venv_python}" -m pip install dist/*.whl pytest pytest-asyncio PyYAML
+          if [[ -d "${GITHUB_WORKSPACE}/plugins/tests/${{ needs.resolve.outputs.slug }}" ]]; then
+            mkdir -p "${tmpdir}/tests"
+            cp -R "${GITHUB_WORKSPACE}/plugins/tests/${{ needs.resolve.outputs.slug }}" "${tmpdir}/tests/${{ needs.resolve.outputs.slug }}"
+            cp "${GITHUB_WORKSPACE}/plugins/tests/conftest.py" "${tmpdir}/tests/conftest.py"
+            cp "${GITHUB_WORKSPACE}/plugins/tests/plugin_hooks.py" "${tmpdir}/tests/plugin_hooks.py"
+            cp "${GITHUB_WORKSPACE}/plugins/tests/pytest.ini" "${tmpdir}/pytest.ini"
             cd "${tmpdir}"
+            export CPEX_TEST_PLUGIN_HOOKS=1
+            export PYTHONPATH="${tmpdir}/tests"
             "${venv_python}" -m pytest \
               -c "${tmpdir}/pytest.ini" \
-              "${tmpdir}/tests" -v
+              "${tmpdir}/tests/${{ needs.resolve.outputs.slug }}" -v
           fi
 
   build-sdist:
@@ -244,14 +249,19 @@ jobs:
           if [[ ! -f "${venv_python}" ]]; then
             venv_python="${tmpdir}/venv/Scripts/python.exe"
           fi
-          "${venv_python}" -m pip install dist/*.tar.gz pytest pytest-asyncio
-          if [[ -d "${GITHUB_WORKSPACE}/${{ needs.resolve.outputs.plugin_path }}/tests" ]]; then
-            cp -R "${GITHUB_WORKSPACE}/${{ needs.resolve.outputs.plugin_path }}/tests" "${tmpdir}/tests"
-            printf "[pytest]\npythonpath = tests\nasyncio_mode = auto\n" > "${tmpdir}/pytest.ini"
+          "${venv_python}" -m pip install dist/*.tar.gz pytest pytest-asyncio PyYAML
+          if [[ -d "${GITHUB_WORKSPACE}/plugins/tests/${{ needs.resolve.outputs.slug }}" ]]; then
+            mkdir -p "${tmpdir}/tests"
+            cp -R "${GITHUB_WORKSPACE}/plugins/tests/${{ needs.resolve.outputs.slug }}" "${tmpdir}/tests/${{ needs.resolve.outputs.slug }}"
+            cp "${GITHUB_WORKSPACE}/plugins/tests/conftest.py" "${tmpdir}/tests/conftest.py"
+            cp "${GITHUB_WORKSPACE}/plugins/tests/plugin_hooks.py" "${tmpdir}/tests/plugin_hooks.py"
+            cp "${GITHUB_WORKSPACE}/plugins/tests/pytest.ini" "${tmpdir}/pytest.ini"
             cd "${tmpdir}"
+            export CPEX_TEST_PLUGIN_HOOKS=1
+            export PYTHONPATH="${tmpdir}/tests"
             "${venv_python}" -m pytest \
               -c "${tmpdir}/pytest.ini" \
-              "${tmpdir}/tests" -v
+              "${tmpdir}/tests/${{ needs.resolve.outputs.slug }}" -v
           fi
 
   publish:

DEVELOPING.md

@@ -40,7 +40,7 @@ make plugins-validate
 make plugin-test PLUGIN=pii_filter
 ```
 
-`make plugins-validate` runs the same convention checks that CI uses before the per-plugin build jobs run.
+`make plugins-validate` runs the same convention checks that the repo contract CI workflow runs.
 It runs the catalog validator plus the shared repo contract test modules:
 `tests/test_plugin_catalog.py` and `tests/test_install_built_wheel.py`.
 

README.md

@@ -17,10 +17,11 @@ Each managed plugin must include:
 - `Cargo.toml`
 - `Makefile`
 - `README.md`
-- `tests/`
 - `cpex_<slug>/__init__.py`
 - `cpex_<slug>/plugin-manifest.yaml`
 
+Python integration tests live under `plugins/tests/<slug>/`; Rust unit tests live in the plugin crate.
+
 Rust crates are owned by the top-level workspace in `Cargo.toml`. Python package names follow `cpex-<slug>`, Python modules follow `cpex_<slug>`, plugin manifests must declare a top-level `kind` in `module.object` form, and `pyproject.toml` must publish the matching `module:object` reference under `[project.entry-points."cpex.plugins"]`. Release tags use the hyphenated slug form `<slug-with-hyphens>-v<version>`, for example `rate-limiter-v0.0.2`.
 
 ## Helper Commands

TESTING.md

@@ -40,11 +40,46 @@ Equivalent repo-level helper:
 make plugin-test PLUGIN=rate_limiter
 ```
 
-`make plugin-test` runs the selected plugin's `make ci` target, including stub verification, build, bench compilation without execution, install, and Python tests.
+`make plugin-test` runs the selected plugin's `make ci` target, including stub verification, build, bench compilation where configured, install, and Python tests.
+
+## 3. Rust Coverage
+
+CI enforces at least 90% line coverage for each Rust plugin selected by the plugin catalog. The coverage job instruments Rust, runs Rust unit tests, then runs each plugin's repo-level Python integration tests so PyO3 paths are counted.
+
+To run the same coverage check locally for all managed Rust plugins:
+
+```bash
+rustup component add llvm-tools-preview
+cargo install cargo-llvm-cov --version 0.8.4 --locked
+mkdir -p coverage
+CARGO_PACKAGES="$(python3 tools/plugin_catalog.py ci-selection-field . all '' '' cargo_packages)"
+PLUGINS="$(python3 tools/plugin_catalog.py ci-selection-field . all '' '' plugins)"
+mapfile -t cargo_packages < <(python3 -c 'import json, os; [print(package) for package in json.loads(os.environ["CARGO_PACKAGES"])]')
+mapfile -t plugins < <(python3 -c 'import json, os; [print(plugin) for plugin in json.loads(os.environ["PLUGINS"])]')
+cargo_args=()
+for package in "${cargo_packages[@]}"; do
+  cargo_args+=("-p" "${package}")
+done
+cargo llvm-cov clean --workspace
+eval "$(cargo llvm-cov show-env --sh)"
+export CARGO_TARGET_DIR="${CARGO_LLVM_COV_TARGET_DIR}/llvm-cov-target"
+export CARGO_LLVM_COV_BUILD_DIR="${CARGO_TARGET_DIR}"
+export LLVM_PROFILE_FILE="${CARGO_TARGET_DIR}/cpex-plugins-%p-%10m.profraw"
+mkdir -p "${CARGO_TARGET_DIR}"
+for plugin in "${plugins[@]}"; do
+  (cd "plugins/rust/python-package/${plugin}" && make sync && uv run maturin develop)
+done
+cargo test "${cargo_args[@]}"
+for plugin in "${plugins[@]}"; do
+  (cd "plugins/rust/python-package/${plugin}" && make test-integration)
+done
+env -u CARGO_TARGET_DIR -u CARGO_LLVM_COV_BUILD_DIR -u CARGO_LLVM_COV_TARGET_DIR -u LLVM_PROFILE_FILE cargo llvm-cov report "${cargo_args[@]}" --cobertura --output-path coverage/cobertura.xml
+python3 tools/plugin_catalog.py coverage-check . coverage/cobertura.xml 90.00 "${PLUGINS}"
+```
 
 ## CI Behavior
 
-Whenever the Rust plugin CI workflow is triggered, it runs the repo contract tests before any plugin build jobs.
+Repo contract tests run in their own CI workflow. The Rust plugin CI workflow uses the same plugin catalog to select affected plugin build, integration, and coverage jobs.
 
 Per-plugin build/test jobs are then scoped by the plugin catalog:
 

plugins/rust/python-package/encoded_exfil_detection/Makefile

@@ -27,28 +27,29 @@ clippy:
 	$(CARGO) clippy -- -D warnings
 
 # help: sync                  - Install plugin development dependencies
-# help: test                  - Run Rust unit tests
-# help: test-python           - Run Python plugin tests
-# help: test-integration      - Run integration tests only
-# help: test-all              - Run both Rust and Python tests
-.PHONY: sync test test-python test-integration test-all verify-stubs
+# help: test                  - Run Rust unit tests and Python integration tests
+# help: test-unit             - Run Rust unit tests
+# help: test-integration      - Run repo-level integration tests for encoded_exfil_detection
+# help: test-all              - Alias for test
+.PHONY: sync test test-unit test-python test-integration test-all verify-stubs
 
 sync:
 	uv sync --dev
 
-test:
+test-unit:
 	@echo "$(GREEN)Running encoded_exfil_detection Rust tests...$(NC)"
 	$(CARGO) test
 
+test: test-unit test-integration
+
 test-python:
-	@echo "$(GREEN)Running Python tests...$(NC)"
-	uv run pytest tests/ -v
+	$(MAKE) test-integration
 
 test-integration:
 	@echo "$(GREEN)Running integration tests...$(NC)"
-	uv run pytest tests/integration/ -v
+	CPEX_TEST_PLUGIN_HOOKS=1 uv run pytest ../../../tests/encoded_exfil_detection -v --asyncio-mode=auto
 
-test-all: test test-python
+test-all: test
 
 verify-stubs: stub-gen
 	@git diff --exit-code -- $(STUB_FILES)
@@ -106,16 +107,19 @@ clean-all: clean
 
 # help: verify                - Verify plugin installation
 # help: check-all             - Run fmt-check + clippy + Rust tests
+# help: ci-build              - Run CI build/static verification without integration tests
 # help: ci                    - Run the full CI-equivalent plugin verification flow
-.PHONY: verify check-all ci
+.PHONY: verify check-all ci-build ci
 
 verify:
 	@uv run python -c "from cpex_encoded_exfil_detection import encoded_exfil_detection_rust; print('encoded_exfil_detection_rust available')" || echo "encoded_exfil_detection_rust not installed — run: make install"
 
-check-all: fmt-check clippy test
+check-all: fmt-check clippy test-unit
 	@echo "$(GREEN)All checks passed$(NC)"
 
-ci: check-all verify-stubs build bench-no-run install-wheel test-python
+ci-build: check-all verify-stubs build bench-no-run install-wheel
+
+ci: ci-build test-integration
 	@echo "$(GREEN)CI verification passed$(NC)"
 
 .DEFAULT_GOAL := help

plugins/rust/python-package/encoded_exfil_detection/cpex_encoded_exfil_detection/encoded_exfil_detection.py

@@ -28,32 +28,18 @@
 from pydantic import BaseModel, Field, field_validator
 
 # First-Party
-try:
-    from mcpgateway.plugins.framework import (
-        Plugin,
-        PluginConfig,
-        PluginContext,
-        PluginViolation,
-        PromptPrehookPayload,
-        PromptPrehookResult,
-        ResourcePostFetchPayload,
-        ResourcePostFetchResult,
-        ToolPostInvokePayload,
-        ToolPostInvokeResult,
-    )
-except ModuleNotFoundError:
-    from mcpgateway_mock.plugins.framework import (  # type: ignore[no-redef]
-        Plugin,
-        PluginConfig,
-        PluginContext,
-        PluginViolation,
-        PromptPrehookPayload,
-        PromptPrehookResult,
-        ResourcePostFetchPayload,
-        ResourcePostFetchResult,
-        ToolPostInvokePayload,
-        ToolPostInvokeResult,
-    )
+from mcpgateway.plugins.framework import (
+    Plugin,
+    PluginConfig,
+    PluginContext,
+    PluginViolation,
+    PromptPrehookPayload,
+    PromptPrehookResult,
+    ResourcePostFetchPayload,
+    ResourcePostFetchResult,
+    ToolPostInvokePayload,
+    ToolPostInvokeResult,
+)
 
 logger = logging.getLogger(__name__)
 

plugins/rust/python-package/encoded_exfil_detection/pyproject.toml

@@ -29,14 +29,6 @@ module-name = "cpex_encoded_exfil_detection.encoded_exfil_detection_rust"
 python-source = "."
 features = ["pyo3/extension-module"]
 
-[tool.pytest.ini_options]
-testpaths = ["tests"]
-pythonpath = ["tests"]
-asyncio_mode = "auto"
-markers = [
-    "integration: end-to-end tests exercising the full plugin pipeline",
-]
-
 [dependency-groups]
 dev = [
     "maturin>=1.12.6",