IBM
diff --git a/‎.github/workflows/ci-rust-python-package.yaml‎
Lines changed: 107 additions & 3 deletions b/‎.github/workflows/ci-rust-python-package.yaml‎
Lines changed: 107 additions & 3 deletions
diff --git a/‎Cargo.lock‎
Lines changed: 8 additions & 8 deletions b/‎Cargo.lock‎
Lines changed: 8 additions & 8 deletions
diff --git a/‎Cargo.toml‎
Lines changed: 1 addition & 1 deletion b/‎Cargo.toml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎SECURITY.md‎
Lines changed: 2 additions & 2 deletions b/‎SECURITY.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎deny.toml‎
Lines changed: 126 additions & 0 deletions b/‎deny.toml‎
Lines changed: 126 additions & 0 deletions
diff --git a/‎plugins/rust/python-package/encoded_exfil_detection/deny.toml‎
Lines changed: 0 additions & 2 deletions b/‎plugins/rust/python-package/encoded_exfil_detection/deny.toml‎
Lines changed: 0 additions & 2 deletions
diff --git a/‎plugins/rust/python-package/pii_filter/cpex_pii_filter/pii_filter_rust/__init__.pyi‎
Lines changed: 2 additions & 2 deletions b/‎plugins/rust/python-package/pii_filter/cpex_pii_filter/pii_filter_rust/__init__.pyi‎
Lines changed: 2 additions & 2 deletions
@@ -6,6 +6,8 @@ on:
     paths:
       - "Makefile"
       - "Cargo.toml"
+      - "Cargo.lock"
+      - "deny.toml"
       - "crates/**"
       - "README.md"
       - "DEVELOPING.md"
@@ -20,6 +22,8 @@ on:
     paths:
       - "Makefile"
       - "Cargo.toml"
+      - "Cargo.lock"
+      - "deny.toml"
       - "crates/**"
       - "README.md"
       - "DEVELOPING.md"
@@ -29,6 +33,7 @@ on:
       - "tools/**"
       - ".github/workflows/ci-rust-python-package.yaml"
       - ".github/workflows/release-rust-python-package.yaml"
+  workflow_dispatch:
 
 concurrency:
   group: ci-rust-python-package-${{ github.event.pull_request.head.repo.full_name || github.repository }}-${{ github.head_ref || github.ref_name }}
@@ -44,6 +49,8 @@ jobs:
     outputs:
       plugins: ${{ steps.detect.outputs.plugins }}
       has_plugins: ${{ steps.detect.outputs.has_plugins }}
+      plugin_count: ${{ steps.detect.outputs.plugin_count }}
+      cargo_packages: ${{ steps.detect.outputs.cargo_packages }}
     steps:
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
         with:
@@ -59,20 +66,30 @@ jobs:
           set -euo pipefail
           if [[ "${GITHUB_EVENT_NAME}" == "pull_request" ]]; then
             selection="$(python3 tools/plugin_catalog.py ci-selection . diff "${{ github.event.pull_request.base.sha }}" "${{ github.sha }}")"
+          elif [[ "${GITHUB_EVENT_NAME}" == "workflow_dispatch" ]]; then
+            selection="$(python3 tools/plugin_catalog.py ci-selection . all '' '')"
           elif [[ "${{ github.event.before }}" == "0000000000000000000000000000000000000000" ]]; then
             selection="$(python3 tools/plugin_catalog.py ci-selection . all '' '')"
           else
             selection="$(python3 tools/plugin_catalog.py ci-selection . diff "${{ github.event.before }}" "${{ github.sha }}")"
           fi
 
+          selection="$(printf '%s' "${selection}" | python3 -c 'import json, re, sys; payload = json.load(sys.stdin); slug_re = re.compile(r"^[a-z0-9_]+$"); plugins = payload.get("plugins"); cargo_packages = payload.get("cargo_packages"); has_plugins = payload.get("has_plugins"); plugin_count = payload.get("plugin_count"); assert isinstance(plugins, list) and all(isinstance(item, str) and slug_re.fullmatch(item) for item in plugins); assert isinstance(cargo_packages, list) and all(isinstance(item, str) and slug_re.fullmatch(item) for item in cargo_packages); assert isinstance(has_plugins, bool); assert isinstance(plugin_count, int) and plugin_count == len(plugins); print(json.dumps({"plugins": plugins, "has_plugins": has_plugins, "plugin_count": plugin_count, "cargo_packages": cargo_packages}))')"
           plugins="$(printf '%s' "${selection}" | python3 -c 'import json, sys; print(json.dumps(json.load(sys.stdin)["plugins"]))')"
           has_plugins="$(printf '%s' "${selection}" | python3 -c 'import json, sys; print(str(json.load(sys.stdin)["has_plugins"]).lower())')"
-          echo "plugins=${plugins}" >> "$GITHUB_OUTPUT"
+          plugin_count="$(printf '%s' "${selection}" | python3 -c 'import json, sys; print(json.load(sys.stdin)["plugin_count"])')"
+          cargo_packages="$(printf '%s' "${selection}" | python3 -c 'import json, sys; print(json.dumps(json.load(sys.stdin)["cargo_packages"]))')"
           if [[ "${has_plugins}" == "false" ]]; then
-            echo "has_plugins=false" >> "$GITHUB_OUTPUT"
+            has_plugins_output="false"
           else
-            echo "has_plugins=true" >> "$GITHUB_OUTPUT"
+            has_plugins_output="true"
           fi
+          {
+            echo "plugins=${plugins}"
+            echo "plugin_count=${plugin_count}"
+            echo "cargo_packages=${cargo_packages}"
+            echo "has_plugins=${has_plugins_output}"
+          } >> "$GITHUB_OUTPUT"
 
   build-test:
     needs: validate-and-detect
@@ -109,6 +126,93 @@ jobs:
         working-directory: plugins/rust/python-package/${{ matrix.plugin }}
         run: make ci
 
+  security-policy:
+    needs: validate-and-detect
+    if: needs.validate-and-detect.outputs.has_plugins == 'true'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+
+      - name: Verify Rust toolchain
+        run: |
+          rustc --version
+          cargo --version
+
+      - name: Install cargo deny
+        run: cargo install cargo-deny@0.19.0 --locked
+
+      - name: Run cargo deny
+        run: cargo deny check --config deny.toml
+
+  coverage:
+    needs: validate-and-detect
+    if: needs.validate-and-detect.outputs.has_plugins == 'true'
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        shell: bash
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065
+        with:
+          python-version: "3.12"
+
+      - name: Install Rust coverage tooling
+        run: |
+          rustup component add llvm-tools-preview
+          cargo install cargo-llvm-cov --version 0.8.4 --locked
+
+      - name: Generate Rust coverage report
+        env:
+          CARGO_PACKAGES: ${{ needs.validate-and-detect.outputs.cargo_packages }}
+        run: |
+          mkdir -p coverage
+          mapfile -t cargo_packages < <(python3 -c 'import json, os; [print(package) for package in json.loads(os.environ["CARGO_PACKAGES"])]')
+          cargo_args=()
+          for package in "${cargo_packages[@]}"; do
+            cargo_args+=("-p" "${package}")
+          done
+          cargo llvm-cov "${cargo_args[@]}" --cobertura --output-path coverage/cobertura.xml
+
+      - name: Enforce per-plugin coverage floor
+        env:
+          PLUGINS: ${{ needs.validate-and-detect.outputs.plugins }}
+        run: python3 tools/plugin_catalog.py coverage-check . coverage/cobertura.xml 50.00 "${PLUGINS}"
+
+      - name: Upload coverage to Codecov
+        uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238
+        with:
+          files: ./coverage/cobertura.xml
+          flags: rust-python-package-workspace
+          name: rust-python-package-workspace-coverage
+
+  documentation:
+    needs: validate-and-detect
+    if: needs.validate-and-detect.outputs.has_plugins == 'true'
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        shell: bash
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+
+      - name: Verify Rust toolchain
+        run: |
+          rustc --version
+          cargo --version
+
+      - name: Build Rust documentation
+        env:
+          CARGO_PACKAGES: ${{ needs.validate-and-detect.outputs.cargo_packages }}
+        run: |
+          mapfile -t cargo_packages < <(python3 -c 'import json, os; [print(package) for package in json.loads(os.environ["CARGO_PACKAGES"])]')
+          cargo_args=()
+          for package in "${cargo_packages[@]}"; do
+            cargo_args+=("-p" "${package}")
+          done
+          cargo doc "${cargo_args[@]}" --lib --no-deps --document-private-items
+
   release-validation:
     if: github.event_name == 'pull_request'
     needs: validate-and-detect
 
@@ -22,7 +22,7 @@ log = "0.4"
 pyo3-async-runtimes = { version = "0.28", features = ["tokio-runtime"] }
 pyo3 = { version = "0.28.2", features = ["abi3-py311"] }
 pyo3-log = "0.13"
-pyo3-stub-gen = "0.20.0"
+pyo3-stub-gen = "0.22.1"
 regex = "1.12"
 serde_json = "1.0"
 thiserror = "2.0"
 
@@ -26,7 +26,7 @@ When reporting, please include:
 
 ### Supply Chain
 
-- Rust dependencies are audited with [`cargo deny`](https://github.com/EmbarkStudios/cargo-deny). Each Rust+Python plugin includes a `deny.toml` configuration.
+- Rust dependencies are audited with [`cargo deny`](https://github.com/EmbarkStudios/cargo-deny). Rust+Python plugins share the workspace-level `deny.toml` configuration.
 - Python dependencies are managed with `uv` and locked via `uv.lock`.
 - GitHub Actions workflows use pinned action versions.
 
@@ -55,7 +55,7 @@ When contributing a new plugin:
 - [ ] Validate all configuration at startup, not at request time.
 - [ ] Do not store secrets in source code or configuration files.
 - [ ] Use Pydantic models for configuration validation.
-- [ ] Add `deny.toml` for Rust dependency auditing.
+- [ ] Use the workspace-level `deny.toml` for Rust dependency auditing.
 - [ ] Document any fail-open behavior and its trade-offs.
 - [ ] Include security-relevant test cases (e.g., malformed input, boundary conditions).
 - [ ] Ensure error messages do not leak internal state or sensitive information.
 
@@ -0,0 +1,126 @@
+# Workspace-level cargo-deny config: applies to all crates in the workspace.
+# See https://embarkstudios.github.io/cargo-deny/
+
+[advisories]
+# pyo3-stub-gen 0.22.1 still pulls rustpython-parser's unmaintained unic-* parser crates.
+# Keep this scoped to the known transitive advisories so new unmaintained dependencies fail CI.
+ignore = [
+    "RUSTSEC-2025-0075", # unic-char-range via rustpython-parser
+    "RUSTSEC-2025-0080", # unic-common via rustpython-parser
+    "RUSTSEC-2025-0081", # unic-char-property via rustpython-parser
+    "RUSTSEC-2025-0090", # unic-emoji-char via rustpython-parser
+    "RUSTSEC-2025-0098", # unic-ucd-version via rustpython-parser
+    "RUSTSEC-2025-0100", # unic-ucd-ident via rustpython-parser
+]
+
+[licenses]
+# Listed licenses are allowed even if not encountered in the dependency tree.
+unused-allowed-license = "allow"
+confidence-threshold = 0.95
+allow = [
+    "0BSD",
+    "AFL-1.1",
+    "AFL-1.2",
+    "AFL-2.0",
+    "AFL-2.1",
+    "AFL-3.0",
+    "Adobe-2006",
+    "ANTLR-PD",
+    "Apache-1.0",
+    "Apache-1.1",
+    "Apache-2.0",
+    "Apache-2.0 WITH LLVM-exception",
+    "Artistic-1.0",
+    "Artistic-1.0-Perl",
+    "Artistic-1.0-cl8",
+    "Artistic-2.0",
+    "Beerware",
+    "BlueOak-1.0.0",
+    "BSL-1.0",
+    "BSD-1-Clause",
+    "BSD-2-Clause",
+    "BSD-2-Clause-FreeBSD",
+    "BSD-2-Clause-NetBSD",
+    "BSD-2-Clause-Patent",
+    "BSD-2-Clause-Views",
+    "BSD-3-Clause",
+    "BSD-3-Clause-Attribution",
+    "BSD-3-Clause-Clear",
+    "BSD-4-Clause",
+    "BSD-Protection",
+    "BSD-Source-Code",
+    "bzip2-1.0.6",
+    "CC-BY-1.0",
+    "CC-BY-2.0",
+    "CC-BY-2.5",
+    "CC-BY-2.5-AU",
+    "CC-BY-3.0",
+    "CC-BY-3.0-AT",
+    "CC-BY-3.0-DE",
+    "CC-BY-3.0-NL",
+    "CC-BY-3.0-US",
+    "CC-BY-4.0",
+    "CC0-1.0",
+    "CDDL-1.0",
+    "CDDL-1.1",
+    "ClArtistic",
+    "CPL-1.0",
+    "curl",
+    "ECL-2.0",
+    "eGenix",
+    "EPL-1.0",
+    "EPL-2.0",
+    "ErlPL-1.1",
+    "FSFAP",
+    "FTL",
+    "HPND",
+    "ICU",
+    "IJG",
+    "Info-ZIP",
+    "ISC",
+    "JSON",
+    "Libpng",
+    "MIT",
+    "MIT-0",
+    "MIT-Modern-Variant",
+    "MPL-1.0",
+    "MPL-1.1",
+    "MPL-2.0",
+    "MS-PL",
+    "Net-SNMP",
+    "OLDAP-1.4",
+    "OLDAP-2.8",
+    "OFL-1.0",
+    "OFL-1.1",
+    "OpenSSL",
+    "PHP-3.0",
+    "PHP-3.01",
+    "Plexus",
+    "PostgreSQL",
+    "PSF-2.0",
+    "Python-2.0",
+    "Python-2.0.1",
+    "RSA-MD",
+    "Ruby",
+    "SISSL",
+    "SISSL-1.2",
+    "TCL",
+    "Unicode-3.0",
+    "Unicode-DFS-2015",
+    "Unicode-DFS-2016",
+    "Unicode-TOU",
+    "Unlicense",
+    "UPL-1.0",
+    "W3C",
+    "W3C-19980720",
+    "W3C-20150513",
+    "X11",
+    "X11-distribute-modifications-variant",
+    "Xnet",
+    "Zend-2.0",
+    "Zlib",
+    "zlib-acknowledgement",
+    "ZPL-1.1",
+    "ZPL-2.0",
+    "ZPL-2.1",
+]
@@ -55,9 +55,9 @@ class PIIDetectorRust:
         * `max_text_bytes` (int): Maximum text payload size to inspect
         * `max_nested_depth` (int): Maximum nested container depth to inspect
         * `max_collection_items` (int): Maximum items to inspect per collection
-        * `custom_patterns` (list[dict]): Additional regex-based PII patterns.
+        * `custom_patterns` (`list[dict]`): Additional regex-based PII patterns.
           `mask_strategy` is optional and inherits `default_mask_strategy` when omitted or `None`.
-        * `whitelist_patterns` (list[str]): Regex patterns to exclude from detection
+        * `whitelist_patterns` (`list[str]`): Regex patterns to exclude from detection
         """
     def detect(self, text: builtins.str) -> typing.Any:
         r"""