bomonike

Efficient, secure, performant concurrent systems programming that compiles to machine code on multiple platforms

This page is NOT about the Rust game and Rustops.org

This is about installing and using the infrastructure around the Rust programming language – the quickest way to use AI to building production-quality practical applications while learning the Rust language.

This references my github.com/bomonike/rustlang-samples repo and
bomonike.github.io/rustlang website.

NOTE: Content here are my personal opinions, and not intended to represent any employer (past or present). “PROTIP:” here highlight information I haven’t seen elsewhere on the internet because it is hard-won, little-know but significant facts based on my personal research and experience.

Summary of Rust: My RustOps Diagram

Click on this link to pop-up a full-screen image of this diagram, or
click here for a gradual-reveal video
rustlang-rustops.png

with narrative that logically explains how the various websites, folders, and files relate to each other within the sequence of work to create and run custom Rust programs. The narration below will soon be added to the video:

  1. Developers and users typically use the CLI (Command Line Interface) that come with operating systems such as macOS to run commands and scripts to install utilities such as
  2. Apple macOS Xcode low-level utilities and
  3. package manager Homebrew to install utilities such as
  4. git commands.
  5. IDE: VSCode is commonly installed to edit files, assisted by extensions to display code with colored prompts.

  6. Working with Rust begins with installing rustup which installs the cargo commands that work with the Rust language.
  7. rustup creates a hidden folder $HOME/.cargo in the user’s home directory.
  8. When the bin folder path is made part of the $PATH variable by start-up scripts, executables in it become visible system-wide, cargo executable files become available on any folder in the CLI.

  9. The cargo init package command initializes a new package (container) folder.
  10. perhaps one for each team, containing a
  11. README.md file for developers to add documentation.
  12. The package name is also the same as its repository name in GitHub.com.
  13. A .git folder is created to hold the history of changes so developers can “time travel” back to all files at each point in time.
  14. A .gitignore file is commonly defined to specify temporary files created during every session so should not be uploaded to public GitHub repositories.
  15. .gitconfig ???

  16. REMEMBER: Within the package folder are two levels of src (source) folders.
  17. Each module has its own src folder and
  18. target folder, which holds the results after
  19. cargo build compiles the Rust code.
  20. Thus, cargo commands are typically issued from the module folder

  21. But developers would reach temporarily reach into the lower src folder to edit Rust code based on
  22. the README.md file for the module, which explain the source code files.
  23. Each module/src folder is created with a file named main.rs as the entry point for the module.
  24. The “.rs” file type suffix says that it’s processed by the Rust compiler, cargo build.

  25. If –lib is specified, a lib.rs file is also created to hold functions() defined to be referenced by custom code, to control
  26. databases and
  27. services publishing external APIs.
  28. Additional custom .rs files can be added.

  29. Within each module folder, a Cargo.toml configuration file contains the official name and version of each library referenced within custom Rust program code.
  30. The specific version of each library are kept updated by the
  31. cargo audit command ensures that the latest version is referenced from the
  32. crates.io registry on the public internet.
  33. Some crates act on code, such as creating error.rs file that structures common error handling.
  34. Each day, changes in the crates.io website are reflected in the lib.rs website which provides advanced filtering and categories. There are also additional libraries not in crates.io.

  35. cargo fmt reformats your Rust code, based on settings in the
  36. rustfmt.toml file.
  37. cargo clippy scans your Rust code to identify warnings and errors, based on settings in the
  38. rustfmt.toml file.

  39. Specifying the –release parameter creates an optimized executable.
  40. Optimized executables can be added to the public crates.io registry of libraries. obtainable from shared registry are downloaded.

  41. A git clone command can create a package folder and its

Not Discussed

Table of Contents

Overview

##

Scan for sensitive data:

Type Count Severity Description Sensitive file extensions 2,053 Medium .pem, .key, .p12 files Connection strings 1,146 High Credentials in URLs Backup files 412 Low Editor or config backups Private key headers 233 Critical Actual private keys Database URLs 184 Critical Exposed DB credentials AWS access keys 20 Critical AWS API keys GitHub tokens 7 Critical Access tokens Stripe keys 4 Critical Payment API keys

AI FTW

AI today (in 2026) is not only able to respond to questions based on its vast accumulated knowledge but now also can analyze error messages and automatically fix many issues, even across layers of architecture. Example response:

Build succeeds now. Fixed a type mismatch at main.rs:110 — 
check_url_virustotal expects &str but api_key was a String; 
passed it by reference.

This makes use of recent advances in “Chain-of-thought” which directs the LLM to reason sequentially through problems. Prompt chaining breaks complex analysis into discrete, verifiable pipeline stages.

To leverage creativity, developers are defining objectives and let the AI vary prompt text to iterative try then evaluate responses (adopting a TDD approach). Some call this “Iterative refinement”.

To work around being blocked when token credits ran out, Ollama (and its nomic-embed-text) is used with open-source models (from NVIDIA, Google, and China). OpenAI’s API supports the widest number of model providers. An example of messages about that:

The model is loaded and running (93% GPU), so it's not stuck loading — 
it's actively working but very slow (26GB model, 
mostly CPU-bound at only 7%/93% split suggests limited GPU offload). 
Since it's genuinely in-progress and not hung, let's just wait longer.

What is production-worthy?

By “robust enterprise-worthy production code”, “easy to extend”, “performant”, and other nice objectives are achieved not by empty promises but the extent that these features are implemented.

Emailrep.io Enum

{
  "email": "test@test.com",
  "reputation": "high",
  "suspicious": false,
  "malicious": false,
  "credentials_leaked": true, 
  "data_breaches": ["LinkedIn", "Adobe"],
  "first_seen": "2015-01-01",
  "last_seen": "2023-10-24"
}

Phone number

Secrets scanning

We look for secrets leaking at EACH step in the development process:

  1. Within the IDE, anomalies are instantly highlighted by extensions installed:

    creates

  2. For a fast, simple pre-commit hook to prevent committing secret keys into source code.

    ripsecrets is known for being extremely fast (reportedly 95 times faster than other tools). It detects secrets by looking for variable assignments with names like “token”, “secret”, or “password” that contain random-looking strings.

    security-harness-kit: A Rust CLI that scans for secrets, PII, and sensitive data. It can scan project paths and Git-staged files across many file types, including source code, Markdown, and even Office documents.

  3. On MCP agents:

    leakferret: An MCP-native secret scanner written in Rust. A key feature is that it can call the provider to verify which detected secrets are actually live and can rewrite the leak in your code to read from an environment variable instead.

  4. On git push, more comprehensive scans:

    SecretScout: A “blazingly fast, memory-safe CLI tool” for detecting secrets in git repositories. It’s a complete Rust rewrite of the popular gitleaks project, offering 10x faster performance with 60% less memory usage.

    Kingfisher: An open-source secret scanner built in Rust by MongoDB. It features live secret validation and ships with over 950 built-in rules to detect and triage leaked credentials.

  5. In the background, use advanced techniques that take longer:

    argus: A high-performance security scanner that uses Shannon entropy analysis and multi-pattern matching to identify both known and unknown credentials.

Beware of crates

Unless otherwise noted, crates mentioned above have signs of quality:

Please connect with me to join our code explaination and refactoring sessions.

https://linkedin.com/in/wilsonmar

Practical apps written in Rust

RANT: I think it’s a terrible idea to spend time writing another editor or operating system using Rust. Here I showcase creation of enterprise-worthy apps rather than basic/toy examples on the internet.

We are working on integrating here other code examples from GitHub.com:

Examples in Python:

Achilles Heel

This may be a popular trivia question that everyone may not know:

VIDEO Rust cannot handle double-linked lists, aka self-referential structs and cyclic graphs.

The workaround is the Arena Pattern which has a 36% performance penalty to maintain the sequence number.

Algorithms

Alogorithms in Rust

Install

rustup cargo installer

  1. PROTIP: Add to startup .bash_profile/.zshrc to update Rust utilities so have the latest version of the installer when you open a Terminal. This takes a few seconds.

    REMEMBER: If you used Homebrew to install rustup, instead of rustup command to upgrade itself, use:

    brew upgrade rustup-init
    
  2. Read rustup.rs

    You don’t need to rememeber that “toml” means (Tom’s Obvious Minimal Language).

    Inside the file, version=”0.1.0” is updated manually to semver.org (Semantic Versioning).

    The edition=”2024” is described at https://doc.rust-lang.org/cargo/reference/specifying-dependencies.html

  3. To find the version history of a crate such as “backup”
    cargo info backup
    

    The response at time of this writing:

         Updating crates.io index
       Downloaded backup v0.1.0
       Downloaded 1 crate (85.6KiB) in 0.39s
     backup #backup #cli #restore
     create encrypted backups
     version: 0.1.0
     license: BSD-3-Clause
     rust-version: unknown
     documentation: https://github.com/nbari/backup
     homepage: https://github.com/nbari/backup
     repository: https://github.com/nbari/backup
     crates.io: https://crates.io/crates/backup/0.1.0
            

    IDE install

    For code completions, documentation on hover, etc.

    VS Code is the most widely used editor for Rust.

  4. VSCode users: install rust-analyzer (not “rust-lang.rust”). https://code.visualstudio.com/docs/languages/rust

    IDEs are visual frontends for underlying debuggers like LLDB (on macOS/Linux) or GDB (on Linux) or the MSVC debugger (on Windows).

  5. To enable breakpoints in VSCode, install the CodeLLDB extension by Vadim Chugunov by clicking this, then “Install”, “Continue”, “Allow”, “Trust publisher”:

    https://marketplace.visualstudio.com/items?itemName=vadimcn.vscode-lldb

    https://github.com/vadimcn/vscode-lldb

  6. To set a breakpoint, click in the gutter (the empty space to the left of the line numbers) to place a red dot (your stop point). Then you press F5 (or go to Run -> Start Debugging). It will compile your code and stop execution exactly at that line, allowing you to inspect variables, view the call stack, and step through code line-by-line.

    Dynamic Linking (Default):

    By default, Rust dynamically links to your system’s C library (usually glibc on Linux). If you compile a binary on Ubuntu 22.04, it might refuse to run on an older server running CentOS 7 because the older server is missing the newer glibc version. (Low binary portability).

    Static Linking (musl): You can tell Rust to compile against musl libc (e.g., cargo build –target x86_64-unknown-linux-musl). This bakes the C library directly into your executable. The resulting binary is a single file that will run on almost any Linux distribution from the last 15 years. (High binary portability)

    Windows Binaries: By default, Rust statically links the Microsoft Visual C++ runtime into Windows executables. This means a Rust .exe is highly portable across different Windows versions and usually doesn’t require the user to install “VCRedist” packages.

  7. Assuming you have the CLI utilities (XCode, git, VSCode, rustup, etc.) to use Rust installed, to get this repo on your machine:
    git clone https://github.com/bomonike/rustlang-samples --depth 1
    cd rustlang-samples
    

    This repo currently has code for these sample Rust (.rs) program source packages:

    nato-phonetic-audio

    I created it with Claude’s help.

    Its Rust code is within a lib.rs file because the package is structured for upload to crates.io as a library for use by others.

  8. Navigate to the examples directory provided to execute it like clients would:
    cargo run --example speak_sentence -- "KLQ9" -v
    

    The example file .rs name is auto-discovered.

    Observe that the letters have a note to ensure proper pronounciation.

    useful-rust

  9. To work on it, first navigate to:
    cd src/useful-rust
    pwd
    ls -al
    

    At that folder, read the README.md for running useful-rust.

    REMEMBER: Unlike Python and other languages, your working folder with Rust is a folder up from the main.rs file which is what all Rust code files are named.

    Configure

  10. Edit the Cargo.toml file for its sample settings.

    PROTIP: Many enterprise teams host sample files like in this repo to provide the team a consistent starting point, which reduces endless discussions when new people join the team.

  11. To update your dependencies to the latest allowed versions, run:
    cargo update
    
  12. PROTIP: Clean the Build Cache: A corrupted build cache can cause weird errors. To resolve these issues:
    cargo clean
    cargo build
    

    Build (Compile) and run

  13. REMEMBER: The name of the program worked on is inferred from the folder name of the pwd (present working directory).
    pwd
    

    Example:

    /Users/johndoe/bomonike/rustlang-samples/src/useful-rust
    
  14. REMEMBER: Compile in release mode only after all reviews are done:
    cargo run --release
    

    The Rust compiler aggressively optimizes the code – rearrange lines, inline functions, and remove unused variables, making it impossible for the debugger to map your stop points to the actual executing machine code.

  15. After each edit, just compile (build):
    cargo build
    

    Success means a message such as:

    Finished `dev` profile [unoptimized + debuginfo] target(s) in 0.24s
    
  16. REMEMBER: Rust’s compile/run command has an extra before run parameters:
    RUST_LOG=debug cargo run -- -v -s
    

    Parameters for each program should be defined in the program’s README

    RUST_LOG=debug makes use of coding in the program to do logging. It can be removed.

    Alternately, with JSON logs:

    RUST_LOG=info cargo run 2>&1 | jq
    

    2>&1 routes STDERR to screen.

    cargo dev dependencies

  17. Navigate to your project’s root directory (where your Cargo.toml is located) and run:
    cargo install cargo-udeps
    cargo udeps
    

    cargo outdated

  18. Widen your CLI window and/or set the font smaller.
  19. Navigate to your project’s root directory (where your Cargo.toml is located) and run:
    cargo install cargo-outdated
    cargo outdated --aggressive --offline
    

    Specify “–root-deps-only” instead of “–aggressive”.

    Exclude “–offline” if you’re not offline.

    Expect to see a table listing your dependencies, their current version, the latest compatible version, and the absolute latest version:

    Cargo audit

  20. Run cargo audit to scan the Cargo.lock file (generated by cargo run) against the RustSec Advisory Database, which tracks known vulnerabilities (including CVEs) and security advisories for published crates.
    cargo audit
    

    At time of running, it displayed “Vulnerable crates found!” within openai-client calling async-openai transitively calling backoff calling instant:

    Version:   0.4.0
    Warning:   unmaintained
    Title:     `backoff` is unmaintained.
    Date:      2025-03-04
    ID:        RUSTSEC-2025-0012
    URL:       https://rustsec.org/advisories/RUSTSEC-2025-0012
    Dependency tree:
    backoff 0.4.0
    └── async-openai 0.24.1
       └── openai-client 0.1.0
     
    Crate:     instant
    Version:   0.1.13
    Warning:   unmaintained
    Title:     `instant` is unmaintained
    Date:      2024-09-01
    ID:        RUSTSEC-2024-0384
    URL:       https://rustsec.org/advisories/RUSTSEC-2024-0384
    Dependency tree:
    instant 0.1.13
    └── backoff 0.4.0
       └── async-openai 0.24.1
          └── openai-client 0.1.0
    

    REMEMBER: As they say, “with Rust, you get the hangover before”. Use Clippy whinning as learning opportunities to write safer code.

  21. https://github.com/divviup/janus/issues/3725
    ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2025-0012
    ├ The [backoff](https://crates.io/crates/backoff) crate is no longer actively maintained. For exponential backoffs/retrying, you can use the [backon](https://crates.io/crates/backon) crate.
    ├ Announcement: https://github.com/ihrwein/backoff/issues/66
    ├ Solution: No safe upgrade is available!
    
  22. If you decide to wait for fixes, so that the same error doesn’t appear, silence them by setting unmaintained crates to “warn” instead of “deny”:
    cargo deny
    
  23. Migrate backoff to backon https://github.com/divviup/janus/pull/3769 shows a resolution on Apr 14, 2025

  24. I asked AI “how to fix this” and got back:

    The most sustainable solution is to update async-openai to a version that no longer depends on backoff. The latest version (0.41.1) still lists backoff as a dependency, but the maintainers may address this in a future release.

    cargo update async-openai --verbose
    

    Clippy scans

  25. PROTIP: Run the built-in clippy code scanner utility different ways. First, get a summary:
    cargo clippy --manifest-path Cargo.toml 2>&1 | grep -E "warning:|error:|Finished" | sort -u
    

    TODO: Define the commands above as aliases so you can invoke the command easily and frequently. See my https://github.com/wilsonmar/mac-setup/main/blob/aliases.sh

    PROTIP: In the command above, “grep” creates a summary of one line per message. The “sort -u” presents only unique lines:

    </pre>

    Learn!

    If you’d rather be a pro than a mindless poser, do the work now to reap rewards in the years to come.

  26. The command to get the full details into a file so you can take notes on the response:
    timestamp=$(date "+%Y%m%d_%H%M%S");clear;cargo clippy --manifest-path Cargo.toml --all -- -D warnings 2>"clippy-$timestamp.txt"
    code "clippy-run-$timestamp.txt"
    

    PROTIP: A clear command would enable you to quickly reach the top of a long output by pressing command+up arrow.

    PROTIP: 2>”clippy_$timestamp.txt” sends the output to a file named with a ISO8601 UTC date/time stamp.

  27. REMEMBER: Bookmark the link to Rust error codes

    Each error has both bad example and good example code.

  28. REMEMBER: To view on a browser from a Terminal app, hold down command to click on Clippy Lints for each of 809+ messages, such as:

    https://rust-lang.github.io/rust-clippy/rust-1.96.0/index.html#collapsible_if

  29. PROTIP: Open another Terminal window to read the output about messages, such as:
    rustc --explain E0502
    

    Press q to exit to the CLI prompt.

  30. If you have AI tokens to spend:
    explain errors
    

    Then:

    explain fixes
    

    An AI with an understanding of prior context would understand.

  31. PROTIP: Take notes such as my:

    https://bomonike.github.io/rustlang

    • cannot borrow * as mutable because it is also borrowed as immutable. CAUSE: an active immutable borrow when you try to create a mutable borrow. Restructure your code. Ensure the immutable borrow is no longer used before the mutable borrow occurs. Sometimes, you can end the borrow earlier by limiting its scope with a block {} or by cloning the data if performance allows.

    • does not live long enough. CAUSE: A value is dropped (goes out of scope) while it’s still being borrowed. Fix the lifetime. You may need to extend the lifetime of the value, take ownership (return an owned String instead of a &str), or add explicit lifetime annotations to your functions.

    • mismatched types. CAUSE: A variable or return value is of the wrong type. Convert the type. Use .into(), as, or another method to convert the value to the expected type.

    Forgetaboutit

  32. The Cargo.toml and clippy.toml files can contain specifications about what check to igore. Location is the ~/.cargo folder would apply to all Rust runs in any folder. Annoying examples:

    warning: doc paragraphs should end with a terminal punctuation mark

  33. https://doc.rust-lang.org/stable/cargo/ = The Cargo Book

Comments in code

These programs were created with the help of several AI tools, including Claude and Warp Oz.

Here I aim to provide specifics wisdom and examples, beyond platitudes such as “Leverage the Compiler, Don’t Fight It”.

Examples of what is applicable to many modules:

// POLICY: Generally, issue results from functions rather than print formatted output so that the calling function has a choice of natural languages to present results.

// POLICY: Within main(), uniquely identify each step to provide the AI a way to reference code rather than using more cumbersome line numbers. The AI can renumber sequentially numbered steps automatically when asked.

// POLICY: When printing sequential numbers, zero-fill 3-digit numbers (specified as “”) so columns line up vertically.

// POLICY: Do not store sensitive values in clear-text .env files, even though they are in the user home folder. Store secrets in a local secrets database such as KeepassXC.

// POLICY: Use the zeroize crate to securely wipe the master password from memory as soon as the database is decrypted. This is so other processes snooping can’t steal it.

// POLICY: To access a database from multiple threads (e.g., in a Tauri or Axum web app), wrap crypto keys in a Mutex inside a single thread, or decrypt what you need and pass the decrypted strings (carefully) to other threads.

// POLICY: When running in production (ENV_TYPE=”PROD”), verify that the hash (SHA-1) of the main.rs file is the same hash as the file in GitHub to ensure that the file has not been corrupted.

Using KeePassXC

To store API keys as secrets using the “Custom Attributes” Approach (Recommended)

This method allows you to store as many distinct API values as you need for a single service while keeping them organized and secure.

  1. Create a new .kdbx file for APIs separate from your personal secrets (for banking, etc.).

  2. Open KeePassXC and create a new entry (or open an existing one).
  3. In the Title field, enter the name of the service (e.g., OpenAI API or AWS Production). Leave the Username and Password fields blank (or put a dummy username like API_User if your workflow requires those fields not to be empty).
  4. Click on the Advanced tab in the right-hand panel of the entry window.
  5. Under the Additional Attributes section, click the + (Plus) button to add a new custom field.
  6. In the Key column, type the name of the value (e.g., API Key, Client Secret, Base URL, Refresh Token).
  7. In the Value column, paste your actual API value.

  8. CRITICAL: Check the box under the Protect column (the little shield icon). This ensures the value is hidden behind asterisks and cannot be read by casual shoulder-surfers. It also prevents the value from being stored in cleartext in certain plugin caches.

v033 feat: nato-audio @rustops.md created 2021-10-03