IBM
diff --git a/‎mcpgateway/config.py‎
Lines changed: 4 additions & 0 deletions b/‎mcpgateway/config.py‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎mcpgateway/middleware/request_logging_middleware.py‎
Lines changed: 18 additions & 0 deletions b/‎mcpgateway/middleware/request_logging_middleware.py‎
Lines changed: 18 additions & 0 deletions
diff --git a/‎tests/performance/test_request_logging_masking_sidecar_benchmark.py‎
Lines changed: 119 additions & 0 deletions b/‎tests/performance/test_request_logging_masking_sidecar_benchmark.py‎
Lines changed: 119 additions & 0 deletions
@@ -350,6 +350,10 @@ class Settings(BaseSettings):
 
     # Security Validation & Sanitization
     experimental_validate_io: bool = Field(default=False, description="Enable experimental input validation and output sanitization")
+    experimental_rust_request_logging_masking_enabled: bool = Field(
+        default=False,
+        description="Enable experimental Rust sidecar for request logging sensitive-data masking",
+    )
     validation_middleware_enabled: bool = Field(default=False, description="Enable validation middleware for all requests")
     validation_strict: bool = Field(default=True, description="Strict validation mode - reject on violations")
     sanitize_output: bool = Field(default=True, description="Sanitize output to remove control characters")
 
@@ -46,6 +46,7 @@
 """
 
 # Standard
+import importlib
 import logging
 import re
 import secrets
@@ -74,6 +75,8 @@
 # Initialize structured logger for gateway boundary logging
 structured_logger = get_structured_logger("http_gateway")
 
+_RUST_REQUEST_LOGGING_MODULE = None
+
 SENSITIVE_KEYS = frozenset(
     {
         "password",
@@ -183,6 +186,9 @@ def mask_sensitive_data(data, max_depth: int = 10):
         >>> mask_sensitive_data({"level": {"nested": {}}}, max_depth=1)
         {'level': '<nested too deep>'}
     """
+    if getattr(settings, "experimental_rust_request_logging_masking_enabled", False) is True:
+        return _load_rust_request_logging_module().mask_sensitive_data(data, max_depth)
+
     if max_depth <= 0:
         return "<nested too deep>"
 
@@ -262,6 +268,9 @@ def mask_sensitive_headers(headers):
         >>> "******" in result["Cookie"]
         True
     """
+    if getattr(settings, "experimental_rust_request_logging_masking_enabled", False) is True:
+        return _load_rust_request_logging_module().mask_sensitive_headers(headers)
+
     masked_headers = {}
     for key, value in headers.items():
         key_lower = key.lower()
@@ -275,6 +284,15 @@ def mask_sensitive_headers(headers):
     return masked_headers
 
 
+def _load_rust_request_logging_module():
+    """Load the experimental Rust masking sidecar on demand."""
+    global _RUST_REQUEST_LOGGING_MODULE
+
+    if _RUST_REQUEST_LOGGING_MODULE is None:
+        _RUST_REQUEST_LOGGING_MODULE = importlib.import_module("request_logging_masking_sidecar")
+    return _RUST_REQUEST_LOGGING_MODULE
+
+
 class RequestLoggingMiddleware(BaseHTTPMiddleware):
     """Middleware for logging HTTP requests with sensitive data masking.
 
 
@@ -0,0 +1,119 @@
+# -*- coding: utf-8 -*-
+"""Benchmark the request-logging masking Rust sidecar against the Python path."""
+
+# Standard
+from __future__ import annotations
+
+import importlib
+import statistics
+import subprocess
+import time
+from pathlib import Path
+from typing import Any, Callable
+
+# First-Party
+from mcpgateway.config import settings
+from mcpgateway.middleware.request_logging_middleware import mask_sensitive_data, mask_sensitive_headers
+
+REPO_ROOT = Path(__file__).resolve().parents[2]
+SIDECAR_MANIFEST = REPO_ROOT / "tools_rust" / "request_logging_masking_sidecar" / "Cargo.toml"
+
+
+def _ensure_sidecar_installed() -> Any:
+    subprocess.run(["uv", "run", "maturin", "develop", "--release", "--manifest-path", str(SIDECAR_MANIFEST)], check=True, cwd=REPO_ROOT)
+    return importlib.import_module("request_logging_masking_sidecar")
+
+
+def _measure(label: str, fn: Callable[[Any], Any], payload: Any, iterations: int) -> tuple[float, float]:
+    samples = []
+    for _ in range(iterations):
+        started = time.perf_counter_ns()
+        fn(payload)
+        samples.append(time.perf_counter_ns() - started)
+
+    median_ms = statistics.median(samples) / 1_000_000
+    p95_ms = statistics.quantiles(samples, n=100)[94] / 1_000_000
+    print(f"{label}: median={median_ms:.3f}ms p95={p95_ms:.3f}ms")
+    return median_ms, p95_ms
+
+
+def _assert_parity(python_fn: Callable[[Any], Any], rust_fn: Callable[[Any], Any], payloads: list[Any]) -> None:
+    for payload in payloads:
+        python_result = python_fn(payload)
+        rust_result = rust_fn(payload)
+        if python_result != rust_result:
+            raise AssertionError(f"Parity mismatch for payload {payload!r}: python={python_result!r} rust={rust_result!r}")
+
+
+def main() -> None:
+    sidecar = _ensure_sidecar_installed()
+    settings.experimental_rust_request_logging_masking_enabled = False
+
+    def python_data(payload: Any) -> Any:
+        return mask_sensitive_data(payload, 12)
+
+    def rust_data(payload: Any) -> Any:
+        return sidecar.mask_sensitive_data(payload, 12)
+
+    python_headers = mask_sensitive_headers
+    rust_headers = sidecar.mask_sensitive_headers
+
+    _assert_parity(
+        python_data,
+        rust_data,
+        [
+            {"password": "secret", "nested": {"authToken": "abc", "ok": "value"}},
+            {"token_count": 3, "tokenizer": "ok", "privateKey": "secret"},
+            [{"jwt_token": "abc"}, {"normal": "value"}],
+        ],
+    )
+    _assert_parity(
+        python_headers,
+        rust_headers,
+        [
+            {"Authorization": "Bearer abc", "Cookie": "jwt_token=abc; theme=dark", "X-Trace-Id": "123"},
+            {"X-Auth-Count": "5", "X-Api-Key": "secret"},
+        ],
+    )
+
+    scenarios = [
+        (
+            "nested_payload_masking",
+            python_data,
+            rust_data,
+            {
+                "events": [
+                    {
+                        "actor": {"userName": f"user-{index}", "sessionToken": f"token-{index}", "sessionCount": index},
+                        "request": {
+                            "clientSecret": f"secret-{index}",
+                            "payload": {"safeField": "value" * 8, "authDevice": f"device-{index}", "auth_count": index},
+                        },
+                    }
+                    for index in range(1024)
+                ]
+            },
+            120,
+        ),
+        (
+            "headers_masking",
+            python_headers,
+            rust_headers,
+            {
+                **{f"X-Custom-{index}": f"value-{index}" for index in range(512)},
+                **{f"X-Api-Key-{index}": f"secret-{index}" for index in range(256)},
+                "Cookie": "; ".join([f"jwt_token_{index}=abc{index}" for index in range(128)]),
+            },
+            300,
+        ),
+    ]
+
+    for name, python_fn, rust_fn, payload, iterations in scenarios:
+        print(f"\n{name} ({iterations} iterations)")
+        python_median, _ = _measure("python", python_fn, payload, iterations)
+        rust_median, _ = _measure("rust", rust_fn, payload, iterations)
+        print(f"speedup={python_median / rust_median:.2f}x")
+
+
+if __name__ == "__main__":
+    main()