Update all build files, workflows, and docs for Rust

- CI workflow: replace setup-go with dtolnay/rust-toolchain, use
  cargo test/clippy/fmt instead of go test/vet/staticcheck
- Release workflow: use dtolnay/rust-toolchain for pre-push tests
- jyq.Dockerfile: rewrite for Rust (rust:1.85-alpine builder, cargo build)
- Dockerfile: already updated in prior commit
- docs/design.md: update architecture diagram, directory structure,
  and 'How to Add a Subcommand' guide for Rust/clap
- docs/usage.md: update template mode description (Go text/template -> minijinja)
- README.md, FAQ.md: update image sizes (10MB -> 2MB), tool references
- CHANGELOG.md: add Rust rewrite entry, update references
- CLAUDE.md: add project config with cargo test references
- tests/README.md: update from go test to cargo test

Author: mikkeldamsgaard

.github/workflows/ci.yml

@@ -11,42 +11,28 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: dtolnay/rust-toolchain@stable
         with:
-          go-version: "1.25"
-      - run: go vet ./...
-      - run: |
-          go install golang.org/x/tools/cmd/staticcheck@latest || true
-          if command -v staticcheck >/dev/null 2>&1; then
-            staticcheck ./...
-          else
-            echo "staticcheck not available, skipping"
-          fi
+          components: clippy, rustfmt
+      - run: cargo fmt --check
+      - run: cargo clippy -- -D warnings
   test:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
-        with:
-          go-version: "1.25"
-      - run: go test ./... -count=1 -timeout 60s -race -coverprofile=coverage.out
-      - uses: actions/upload-artifact@v4
-        with:
-          name: coverage
-          path: coverage.out
+      - uses: dtolnay/rust-toolchain@stable
+      - run: cargo test --all
   build:
     runs-on: ubuntu-latest
     needs: [lint, test]
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
-        with:
-          go-version: "1.25"
-      - run: make build
+      - uses: dtolnay/rust-toolchain@stable
+      - run: cargo build --release
       - uses: actions/upload-artifact@v4
         with:
           name: initium-binary
-          path: bin/initium
+          path: target/release/initium
   helm-lint:
     runs-on: ubuntu-latest
     steps:

.github/workflows/release.yml

@@ -1,40 +1,29 @@
 name: Release
-
 on:
   push:
     tags:
       - "v*"
-
 permissions:
   contents: read
   packages: write
   id-token: write
-
 jobs:
   release:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-
-      - uses: actions/setup-go@v5
-        with:
-          go-version: "1.25"
-
-      - run: go test ./... -count=1 -timeout 60s -race
-
+      - uses: dtolnay/rust-toolchain@stable
+      - run: cargo test --all
       - uses: docker/setup-qemu-action@v3
       - uses: docker/setup-buildx-action@v3
-
       - uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
-
       - name: Extract version
         id: version
         run: echo "VERSION=${GITHUB_REF#refs/tags/v}" >> "$GITHUB_OUTPUT"
-
       - uses: docker/build-push-action@v6
         with:
           context: .
@@ -47,7 +36,6 @@ jobs:
             ghcr.io/kitstream/initium:latest
           sbom: true
           provenance: true
-
       - uses: docker/build-push-action@v6
         with:
           context: .
@@ -61,4 +49,3 @@ jobs:
             ghcr.io/kitstream/initium-jyq:latest
           sbom: true
           provenance: true
-

CHANGELOG.md

@@ -7,16 +7,23 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Changed
+- Complete rewrite from Go to Rust for ~76% smaller Docker images (7.4MB → 1.8MB)
+- CLI framework changed from cobra to clap
+- Template engine changed from Go text/template to minijinja (Jinja2-style); access env vars via `{{ env.VAR }}`
+- CI/CD workflows updated for Rust toolchain (cargo test, clippy, rustfmt)
+- Dockerfiles updated to use rust:1.85-alpine builder with musl static linking
+
 ### Added
 - `exec` subcommand: run arbitrary commands with structured logging, exit code forwarding, and optional `--workdir` for child process working directory
 - `jyq.Dockerfile` and `initium-jyq` container image variant with pre-built `jq` and `yq` tools
 - Documentation for building custom images using Initium as a base
 - `fetch` subcommand and `internal/fetch` package: fetch secrets/config from HTTP(S) endpoints with auth header via env var, retry with backoff, TLS options, redirect control (same-site by default), and path traversal prevention
-- `render` subcommand and `internal/render` package: render templates into config files with `envsubst` (default) and Go `text/template` modes, path traversal prevention, and automatic intermediate directory creation
+- `render` subcommand and `internal/render` package: render templates into config files with `envsubst` (default) and Jinja2 template modes, path traversal prevention, and automatic intermediate directory creation
 - `seed` subcommand: run database seed commands with structured logging and exit code forwarding (no idempotency — distinct from `migrate`)
 - `migrate` subcommand: run database migration commands with structured logging, exit code forwarding, and optional idempotency via `--lock-file`
 - FAQ.md with functionality, security, and deployment questions for junior-to-mid-level engineers
-- Project scaffolding with Go module, CLI framework (cobra), and repo layout
+- Project scaffolding with Rust/Cargo, CLI framework (clap), and repo layout
 - `wait-for` subcommand: wait for TCP and HTTP(S) endpoints with retries, exponential backoff, and jitter
 - `internal/retry` package with configurable retry logic, backoff, and jitter
 - `internal/logging` package with text and JSON structured logging, automatic secret redaction

CLAUDE.md

@@ -0,0 +1,96 @@
+                                    AGENT SAFEGUARDS (non-negotiable)
+
+Operating principles
+1) Prefer clear code over comments.
+    - Use comments only for: non-obvious reasoning, security invariants, protocol quirks, or “why” that code cannot express.
+    - Prefer descriptive names, small functions, and explicit types over commentary.
+
+2) Solve root cause, not band-aids.
+    - Do not add retries/timeouts/logging to hide failures unless the root cause is addressed or explicitly impossible to fix.
+    - If a workaround is necessary, document the root cause and the exact reason it can’t be fixed now.
+
+3) Use idioms of the language and ecosystem.
+    - Follow standard style guides, conventions, directory layout, and tooling.
+    - Avoid clever patterns that fight the ecosystem. Prefer boring, maintainable solutions.
+
+Quality gates
+4) Tests must run after each modification.
+    - After any functional change, run the relevant test suite locally (or in CI steps) and ensure it passes.
+    - If tests cannot run (missing dependency, environment), add or update a runnable test harness or clearly state what is required.
+    - Never leave the repo in a state where tests are known failing.
+
+5) Documentation for all features.
+    - Every new feature must have usage docs + one runnable example.
+    - Docs must include intent, flags/config, and failure modes.
+    - Prefer docs that answer user questions (“How do I…”) and include copy/paste snippets.
+
+6) Update CHANGELOG with all changes.
+    - Every user-visible change must be added to CHANGELOG.md under “Unreleased”.
+    - Use categories: Added / Changed / Fixed / Security / Deprecated / Removed.
+    - Mention migration steps if behavior changes.
+
+Robustness & correctness
+7) Include error handling everywhere it matters.
+    - Never ignore errors; propagate with context.
+    - Wrap/annotate errors so the caller has actionable info.
+    - Ensure exit codes/return values are correct and consistent.
+
+8) Test edge cases and invariants.
+    - Add tests for: empty inputs, invalid inputs, boundary values, timeouts, large payloads (reasonable), and concurrency/ordering if relevant.
+    - Include at least one test for each bug fixed to prevent regressions.
+
+Security & safety (important for agentic tooling)
+9) No harmful actions by default.
+    - Do not delete data, rotate secrets, publish releases, or mutate external systems unless explicitly requested.
+    - Treat external calls (network, cloud APIs) as “dangerous”: require explicit opt-in via config/flags.
+
+10) Least privilege and safe defaults.
+- Minimize permissions, capabilities, scopes, and access tokens.
+- For Kubernetes artifacts: runAsNonRoot, readOnlyRootFilesystem, allowPrivilegeEscalation=false, drop ALL capabilities unless justified.
+
+11) No secret leakage.
+- Never print tokens, passwords, or full credential material to logs.
+- Redact known secret patterns; avoid echoing env vars that might contain secrets.
+
+12) Deterministic builds and reproducibility.
+- Prefer pinned versions, lockfiles, and deterministic packaging.
+- Avoid “download latest at build time” unless necessary.
+
+Change management rules
+13) Small, reviewable diffs.
+- Prefer incremental changes with clear commit boundaries.
+- If a refactor is needed, do it in a separate commit/PR before feature changes.
+
+14) Respect existing standards and tooling.
+- Use the repo's existing lint/format/test tools (Makefile/package scripts/cargo test/etc.).
+- If tooling is missing, add it in a minimal conventional way.
+
+15) Provide a “How to verify” section in PR descriptions/output.
+- Include exact commands: build, lint, unit tests, integration tests (if any).
+
+Agent execution constraints (for local runners / GH actions)
+16) Only modify files that are in-scope for the task.
+- Do not reformat unrelated files.
+- Do not introduce new dependencies unless justified.
+
+17) When uncertain, choose the safer option and make it explicit.
+- Prefer failing fast with actionable errors over silent fallback.
+- If ambiguity remains, implement a guardrail and document the decision.
+
+18) When really uncertain, ask for help.
+- Avoid making assumptions without asking for confirmation.
+
+19) When running locally, prefer the mcp edit tool to direct file edits.
+- If issues arise where files seems unedited, alert the user before continuing
+
+20) Prefer bash commands/scripts to python3 when investigating
+
+Definition of done
+- Code compiles.
+- Code is formatted.
+- Tests pass.
+- Docs updated.
+- CHANGELOG updated.
+- Edge cases tested.
+- Security posture maintained.
+- Output includes a concise summary of changes + how to verify.

FAQ.md

@@ -280,7 +280,7 @@ A `scratch` base image contains zero OS packages, zero libraries, zero shells. T
 
 - **Zero CVEs** from base image packages — nothing to scan, nothing to patch
 - **No shell** for attackers to use if the container is compromised
-- **Tiny image** — the final image is ~10MB (just the Go binary + CA certificates)
+- **Tiny image** — the final image is ~2MB (just the Rust binary + CA certificates)
 
 The trade-off is that you cannot `kubectl exec` into the container for debugging. This is acceptable for initContainers, which run once and exit.
 
@@ -424,9 +424,9 @@ Then reference your internal registry in the pod spec. If your registry requires
 ```bash
 git clone https://github.com/KitStream/initium.git
 cd initium
-make build        # produces bin/initium
-make test         # runs all unit tests with race detector
-make lint         # runs go vet + staticcheck
+make build        # produces target/release/initium
+make test         # runs all unit tests
+make lint         # runs cargo clippy + cargo fmt --check
 ```
 
 ### How do I build a custom Docker image?

README.md

@@ -44,8 +44,8 @@ kubectl apply -f https://raw.githubusercontent.com/kitstream/initium/main/exampl
 | **Structured logging** | `echo` statements | JSON or text with timestamps |
 | **Security** | Runs as root, full shell | Non-root, no shell, read-only FS |
 | **Secret handling** | Easily leaked in logs | Automatic redaction |
-| **Multiple tools** | Install curl, netcat, psql… | Single 10MB image |
-| **Reproducibility** | Shell differences across distros | Single Go binary, `FROM scratch` |
+| **Multiple tools** | Install curl, netcat, psql… | Single 2MB image |
+| **Reproducibility** | Shell differences across distros | Single Rust binary, `FROM scratch` |
 | **Vulnerability surface** | Full OS + shell utils | Zero OS packages |
 
 ## Subcommands