feat: port secrets detection plugin

Signed-off-by: lucarlig <luca.carlig@ibm.com>

Author: lucarlig

Cargo.lock

@@ -2,6 +2,7 @@
 members = [
     "plugins/rust/python-package/pii_filter",
     "plugins/rust/python-package/rate_limiter",
+    "plugins/rust/python-package/secrets_detection",
 ]
 resolver = "3"
 

Cargo.toml

@@ -0,0 +1,31 @@
+[package]
+name = "secrets_detection"
+version = "0.1.0"
+edition.workspace = true
+authors.workspace = true
+license.workspace = true
+repository.workspace = true
+description = "Rust-backed secrets detection plugin for MCP Gateway"
+
+[lib]
+name = "secrets_detection_rust"
+crate-type = ["cdylib", "rlib"]
+
+[[bin]]
+name = "stub_gen"
+path = "src/bin/stub_gen.rs"
+
+[dependencies]
+cpex_framework_bridge = { path = "../../../../crates/framework_bridge" }
+log = { workspace = true }
+pyo3 = { workspace = true }
+pyo3-log = { workspace = true }
+pyo3-stub-gen = { workspace = true }
+regex = "1.12"
+
+[dev-dependencies]
+criterion = { version = "0.8", features = ["html_reports"] }
+
+[[bench]]
+name = "secrets_detection"
+harness = false

plugins/rust/python-package/secrets_detection/Cargo.toml

@@ -0,0 +1,123 @@
+.PHONY: help
+help:
+	@grep '^# help\:' $(firstword $(MAKEFILE_LIST)) | sed 's/^# help\: //'
+
+PACKAGE_NAME := cpex-secrets-detection
+WHEEL_PREFIX := cpex_secrets_detection
+CARGO := cargo
+STUB_FILES := cpex_secrets_detection/__init__.pyi cpex_secrets_detection/secrets_detection_rust/__init__.pyi
+WHEEL_DIR := ../../../../target/wheels
+
+GREEN := \033[0;32m
+YELLOW := \033[0;33m
+NC := \033[0m
+
+# help: fmt                   - Format Rust code with rustfmt
+# help: fmt-check             - Check Rust code formatting (CI)
+# help: clippy                - Run clippy lints
+.PHONY: fmt fmt-check clippy
+
+fmt:
+	$(CARGO) fmt
+
+fmt-check:
+	$(CARGO) fmt -- --check
+
+clippy:
+	$(CARGO) clippy -- -D warnings
+
+# help: sync                  - Install plugin development dependencies
+# help: test                  - Run Rust unit tests
+# help: test-verbose          - Run Rust tests with verbose output
+# help: test-python           - Run Python plugin tests
+# help: test-all              - Run both Rust and Python tests
+.PHONY: sync test test-verbose test-python test-all verify-stubs
+
+sync:
+	uv sync --dev
+
+test:
+	@echo "$(GREEN)Running secrets_detection Rust tests...$(NC)"
+	$(CARGO) test
+
+test-verbose:
+	@echo "$(GREEN)Running secrets_detection Rust tests (verbose)...$(NC)"
+	$(CARGO) test -- --nocapture
+
+test-python:
+	@echo "$(GREEN)Running Python tests...$(NC)"
+	uv run pytest tests/ -v
+
+test-all: test test-python
+
+verify-stubs: stub-gen
+	@git diff --exit-code -- $(STUB_FILES)
+
+# help: stub-gen              - Generate Python type stubs (.pyi files)
+# help: build                 - Build release wheel (no install)
+# help: install               - Build and install editable extension into project venv
+# help: install-wheel         - Install the previously built wheel into project venv
+.PHONY: stub-gen build install install-wheel uninstall
+
+stub-gen:
+	@echo "$(GREEN)Generating Python type stubs...$(NC)"
+	$(CARGO) run --bin stub_gen
+	@echo "$(GREEN)Stubs generated$(NC)"
+
+build: stub-gen
+	@echo "$(GREEN)Building $(PACKAGE_NAME)...$(NC)"
+	uv run maturin build --release
+	@echo "$(GREEN)Build complete$(NC)"
+
+install: stub-gen
+	@echo "$(GREEN)Installing $(PACKAGE_NAME)...$(NC)"
+	uv run maturin develop --release
+	@echo "$(GREEN)Installation complete$(NC)"
+
+install-wheel: build
+	@echo "$(GREEN)Installing built wheel for $(PACKAGE_NAME)...$(NC)"
+	python3 ../../../../tools/install_built_wheel.py --wheel-dir "$(WHEEL_DIR)" --wheel-prefix "$(WHEEL_PREFIX)" --package-name "$(PACKAGE_NAME)" --venv-dir .venv
+	@echo "$(GREEN)Wheel installation complete$(NC)"
+
+uninstall:
+	@echo "$(YELLOW)Uninstalling $(PACKAGE_NAME)...$(NC)"
+	@uv pip uninstall -y $(PACKAGE_NAME) 2>/dev/null || true
+
+# help: bench                 - Run Criterion benchmarks
+# help: bench-no-run          - Compile Criterion benchmarks without running them
+.PHONY: bench bench-no-run
+
+bench:
+	@echo "$(GREEN)Running benchmarks...$(NC)"
+	$(CARGO) bench
+
+bench-no-run:
+	@echo "$(GREEN)Compiling benchmarks without running them...$(NC)"
+	$(CARGO) bench --no-run
+
+.PHONY: clean clean-all
+
+clean:
+	$(CARGO) clean
+	rm -rf target/ coverage/
+	find . -name "*.whl" -delete
+
+clean-all: clean
+
+# help: verify                - Verify plugin installation
+# help: check-all             - Run fmt-check + clippy + Rust tests
+# help: ci                    - Run the full CI-equivalent plugin verification flow
+.PHONY: verify check-all ci pre-commit
+
+verify:
+	@uv run python -c "from cpex_secrets_detection import secrets_detection_rust; print('secrets_detection_rust available')" || echo "secrets_detection_rust not installed — run: make install"
+
+check-all: fmt-check clippy test
+	@echo "$(GREEN)All checks passed$(NC)"
+
+ci: check-all verify-stubs build bench-no-run install-wheel test-python
+	@echo "$(GREEN)CI verification passed$(NC)"
+
+pre-commit: check-all
+
+.DEFAULT_GOAL := help

plugins/rust/python-package/secrets_detection/Makefile

@@ -0,0 +1,3 @@
+# cpex-secrets-detection
+
+Rust-backed secrets detection plugin for MCP Gateway / CPEX.

plugins/rust/python-package/secrets_detection/README.md

@@ -0,0 +1,17 @@
+use criterion::{Criterion, criterion_group, criterion_main};
+use secrets_detection_rust::config::SecretsDetectionConfig;
+use secrets_detection_rust::scanner::detect_and_redact;
+
+fn bench_detect_and_redact(c: &mut Criterion) {
+    let config = SecretsDetectionConfig {
+        redact: true,
+        ..Default::default()
+    };
+    let text = "prefix AWS_ACCESS_KEY_ID=AKIAFAKE12345EXAMPLE suffix";
+    c.bench_function("detect_and_redact/aws", |b| {
+        b.iter(|| detect_and_redact(text, &config))
+    });
+}
+
+criterion_group!(benches, bench_detect_and_redact);
+criterion_main!(benches);

plugins/rust/python-package/secrets_detection/benches/secrets_detection.rs

@@ -0,0 +1,19 @@
+# -*- coding: utf-8 -*-
+"""Secrets detection plugin package."""
+
+from __future__ import annotations
+
+
+def __getattr__(name: str):
+    if name == "SecretsDetectionPlugin":
+        from cpex_secrets_detection.secrets_detection import SecretsDetectionPlugin
+
+        return SecretsDetectionPlugin
+    if name == "py_scan_container":
+        from cpex_secrets_detection.secrets_detection_rust import py_scan_container
+
+        return py_scan_container
+    raise AttributeError(f"module {__name__!r} has no attribute {name!r}")
+
+
+__all__ = ["SecretsDetectionPlugin", "py_scan_container"]

plugins/rust/python-package/secrets_detection/cpex_secrets_detection/__init__.py

@@ -0,0 +1,10 @@
+# This file is automatically generated by pyo3_stub_gen
+# ruff: noqa: E501, F401, F403, F405
+
+from .secrets_detection import SecretsDetectionPlugin
+from .secrets_detection_rust import py_scan_container
+
+__all__ = [
+    "SecretsDetectionPlugin",
+    "py_scan_container",
+]

plugins/rust/python-package/secrets_detection/cpex_secrets_detection/__init__.pyi

@@ -0,0 +1,24 @@
+description: "Detect likely credentials and secrets in prompt input, tool output, and resource content"
+author: "ContextForge Contributors"
+version: "0.1.0"
+available_hooks:
+  - "prompt_pre_fetch"
+  - "tool_post_invoke"
+  - "resource_post_fetch"
+default_configs:
+  enabled:
+    aws_access_key_id: true
+    aws_secret_access_key: true
+    google_api_key: true
+    github_token: true
+    stripe_secret_key: true
+    generic_api_key_assignment: false
+    slack_token: true
+    private_key_block: true
+    jwt_like: false
+    hex_secret_32: false
+    base64_24: false
+  redact: false
+  redaction_text: "***REDACTED***"
+  block_on_detection: true
+  min_findings_to_block: 1

plugins/rust/python-package/secrets_detection/cpex_secrets_detection/plugin-manifest.yaml

@@ -0,0 +1,36 @@
+# -*- coding: utf-8 -*-
+"""Thin compatibility shim for the Rust-owned secrets detection plugin."""
+
+from __future__ import annotations
+
+try:
+    from mcpgateway.plugins.framework import Plugin
+except ModuleNotFoundError:
+    class Plugin:  # type: ignore[no-redef]
+        def __init__(self, config) -> None:
+            self._config = config
+
+from cpex_secrets_detection.secrets_detection_rust import (
+    SecretsDetectionPluginCore,
+    py_scan_container,
+)
+
+
+class SecretsDetectionPlugin(Plugin):
+    """Gateway-facing Plugin subclass that delegates behavior to Rust."""
+
+    def __init__(self, config) -> None:
+        super().__init__(config)
+        self._core = SecretsDetectionPluginCore(config.config or {})
+
+    async def prompt_pre_fetch(self, payload, context):
+        return self._core.prompt_pre_fetch(payload, context)
+
+    async def tool_post_invoke(self, payload, context):
+        return self._core.tool_post_invoke(payload, context)
+
+    async def resource_post_fetch(self, payload, context):
+        return self._core.resource_post_fetch(payload, context)
+
+
+__all__ = ["SecretsDetectionPlugin", "py_scan_container"]