{"id":49112975,"url":"https://github.com/false-systems/rauta","last_synced_at":"2026-04-21T05:37:47.866Z","repository":{"id":320954390,"uuid":"1083862309","full_name":"false-systems/rauta","owner":"false-systems","description":"AI-native Kubernetes API gateway. Lock-free Rust proxy with MCP tools, diagnostics engine, and CLI. Part of FALSE Systems.","archived":false,"fork":false,"pushed_at":"2026-03-21T10:19:30.000Z","size":928,"stargazers_count":2,"open_issues_count":7,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-03-21T13:53:57.848Z","etag":null,"topics":["api","api-gateway","cloud-native","ingress","ingress-controller","kubernetes","rust"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/false-systems.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"docs/CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-10-26T21:17:03.000Z","updated_at":"2026-03-21T00:08:43.000Z","dependencies_parsed_at":"2025-10-27T00:30:49.097Z","dependency_job_id":"e6c8a744-113c-46ea-b4e9-109732abba91","html_url":"https://github.com/false-systems/rauta","commit_stats":null,"previous_names":["yairfalse/rauta","false-systems/rauta"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/false-systems/rauta","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/false-systems%2Frauta","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/false-systems%2Frauta/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/false-systems%2Frauta/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/false-systems%2Frauta/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/false-systems","download_url":"https://codeload.github.com/false-systems/rauta/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/false-systems%2Frauta/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32079470,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-21T02:38:07.213Z","status":"ssl_error","status_checked_at":"2026-04-21T02:38:06.559Z","response_time":128,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["api","api-gateway","cloud-native","ingress","ingress-controller","kubernetes","rust"],"created_at":"2026-04-21T05:37:47.207Z","updated_at":"2026-04-21T05:37:47.860Z","avatar_url":"https://github.com/false-systems.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\n \u003cbr\u003e\n \u003ccode\u003eR A U T A\u003c/code\u003e\n \u003cbr\u003e\n \u003cbr\u003e\n AI-native Kubernetes API gateway. Lock-free. Agent-operable.\n \u003cbr\u003e\n \u003cbr\u003e\n \u003ca href=\"https://github.com/false-systems/rauta/actions/workflows/ci.yml\"\u003e\u003cimg src=\"https://github.com/false-systems/rauta/actions/workflows/ci.yml/badge.svg\" alt=\"CI\"\u003e\u003c/a\u003e\n \u003cimg src=\"https://img.shields.io/badge/tests-220%2B-brightgreen\" alt=\"Tests\"\u003e\n \u003cimg src=\"https://img.shields.io/badge/rust-1.83%2B-f74c00\" alt=\"Rust\"\u003e\n \u003cimg src=\"https://img.shields.io/badge/license-Apache%202.0-blue\" alt=\"License\"\u003e\n\u003c/p\u003e\n\n---\n\nRAUTA is a Rust Kubernetes Gateway API controller and L7 HTTP proxy. It routes traffic with Maglev consistent hashing, manages backends with lock-free circuit breakers and rate limiters, and exposes everything to AI agents via MCP.\n\n```\ncargo build --release -p control # gateway\ncargo build --release -p rauta-cli # CLI + kubectl plugin\ncargo test --workspace # 220+ tests, 5 crates\n```\n\n---\n\n## How it works\n\nRAUTA watches Kubernetes Gateway API resources (GatewayClass, Gateway, HTTPRoute, EndpointSlice, Secret) and translates them into a routing table. Every HTTP request hitting the proxy gets:\n\n1. **Routed** — radix tree path match, then Maglev consistent hash to pick a backend\n2. **Filtered** — request/response header modification, redirects, timeouts, retries\n3. **Protected** — lock-free circuit breaker + rate limiter before forwarding\n4. **Forwarded** — HTTP/1.1 or HTTP/2 via per-worker connection pools\n\n```\nClient ──► Listener ──► Router ──► Filters ──► Forwarder ──► Backend\n │\n :9091 Admin API ◄───────┘\n MCP Tools (11)\n Diagnostics Engine (7 rules)\n Prometheus /metrics\n```\n\nThe admin server on `:9091` is completely separate from the data plane — you can always query gateway state even under load.\n\n---\n\n## Lock-free hot path\n\nEvery request goes through the hot path. No locks touch health data or rate/circuit state:\n\n| What | Old | New |\n|------|-----|-----|\n| Circuit breaker state check | 5 RwLock reads | 1 AtomicU64 load |\n| Rate limiter token acquire | 3 RwLock writes | 1 AtomicU64 CAS |\n| Backend health + drain check | 2 RwLock reads | 1 ArcSwap load (~1ns) |\n| Tried-backends tracking | HashSet (heap alloc) | u32 bitmask (stack) |\n| Hop-by-hop header check | to_lowercase() (heap) | eq_ignore_ascii_case (zero-alloc) |\n| Filter cloning for RouteMatch | Deep clone | Arc::clone (~1ns) |\n\nThe circuit breaker packs `state`, `failure_count`, `success_count`, and `half_open_requests` into a single `u64` and uses CAS loops for all transitions. The rate limiter packs tokens (16.16 fixed-point) and a timestamp into another `u64`.\n\n---\n\n## Agent API\n\nThree ways to talk to a running gateway. Same data, different interfaces:\n\n### MCP — for AI agents\n\n11 tools for Claude Code, Cursor, or any MCP-compatible client:\n\n```\nrauta_status rauta_list_routes rauta_get_route\nrauta_list_circuit_breakers rauta_list_rate_limiters rauta_diagnose\nrauta_drain_backend rauta_undrain_backend rauta_cache_stats\nrauta_list_listeners rauta_metrics_snapshot\n```\n\n### CLI — for humans and scripts\n\n```bash\nrauta status # table (default)\nrauta routes list --format=json # machine\nrauta diagnose circuit-breaker-cascade --format=agent # LLM-optimized\nrauta backends drain 10.0.1.5:8080\n```\n\nThe `--format=agent` output includes `_meta` and `_hints` blocks designed for LLM consumption. The binary is also available as `kubectl-rauta`.\n\n### REST — for everything else\n\n```\nGET /api/v1/status POST /api/v1/diagnose?symptom=...\nGET /api/v1/routes GET /api/v1/cache\nGET /healthz\n```\n\n---\n\n## Diagnostics engine\n\nDeterministic rules. No LLM. Each produces a structured diagnosis with a causal chain, evidence, and actionable commands:\n\n| Rule | What it detects | Severity |\n|------|-----------------|----------|\n| `RAUTA-CB-001` | 2+ circuit breakers open simultaneously (cascade) | Critical |\n| `RAUTA-CB-002` | Single circuit breaker open | Warning |\n| `RAUTA-RL-001` | Rate limit bucket exhausted (0 tokens) | Warning |\n| `RAUTA-BE-001` | Route with zero healthy backends | Critical |\n| `RAUTA-BE-002` | All backends draining on a route | Warning |\n| `RAUTA-CACHE-001` | Route cache hit rate below 50% | Info |\n| `RAUTA-LISTEN-001` | Multiple listeners competing for same port | Info |\n\n```bash\n$ rauta diagnose circuit-breaker-cascade\n[Critical] RAUTA-CB-001 (circuit-breaker-cascade)\n Cause: 2 backends have open circuit breakers\n Cause: Multiple simultaneous failures suggest upstream dependency issue\n Evidence: Backend 10.0.1.1:8080 is Open (failures: 5)\n Evidence: Backend 10.0.1.2:8080 is Open (failures: 5)\n Action: Check if backends share a common upstream dependency (rauta backends health)\n```\n\n---\n\n## Gateway API\n\nFull Kubernetes Gateway API v1:\n\n- **Resources**: GatewayClass, Gateway, HTTPRoute, EndpointSlice, Secret\n- **Matching**: path prefix (radix tree), headers (exact + regex), query params, methods\n- **Filters**: request/response header modification, redirects (301/302), timeouts, retries with exponential backoff\n- **Load balancing**: Maglev consistent hashing — O(1) lookup, weighted, sticky via `(client_ip, port)` hash, ~1/N disruption on backend changes\n\n```yaml\napiVersion: gateway.networking.k8s.io/v1\nkind: HTTPRoute\nmetadata:\n name: api\nspec:\n parentRefs:\n - name: my-gateway\n rules:\n - matches:\n - path:\n type: PathPrefix\n value: /api/v1\n backendRefs:\n - name: api-service\n port: 8080\n weight: 90\n - name: api-canary\n port: 8080\n weight: 10\n```\n\n---\n\n## Project layout\n\n```\nrauta/\n common/ no_std shared types — HttpMethod, Backend, Maglev, RouteKey\n control/ gateway controller + proxy + admin server (main binary)\n agent-api/ GatewayQuery trait, snapshot types, diagnostics engine\n mcp-server/ MCP tool definitions for AI agent integration\n rauta-cli/ CLI + kubectl-rauta plugin\n deploy/ K8s manifests, Grafana dashboards, Prometheus config\n docs/ architecture docs, research, ADRs\n scripts/ dev scripts, load tests, git hooks\n manifests/ raw K8s YAML (namespace, RBAC, DaemonSet)\n docker/ Dockerfiles for various build targets\n```\n\n---\n\n## Quick start\n\n```bash\n# standalone (no K8s)\nRAUTA_BACKEND_ADDR=127.0.0.1:9090 ./target/release/control\n\n# kubernetes\nRAUTA_K8S_MODE=true ./target/release/control\n\n# admin API always available\ncurl localhost:9091/api/v1/status\n```\n\n| Variable | Default | Purpose |\n|----------|---------|---------|\n| `RAUTA_K8S_MODE` | `false` | Start K8s controllers |\n| `RAUTA_BIND_ADDR` | `0.0.0.0:8080` | Proxy listen |\n| `RAUTA_BACKEND_ADDR` | — | Standalone backend |\n| `RAUTA_ADMIN_PORT` | `9091` | Admin server |\n| `RAUTA_TLS_CERT` / `_KEY` | — | TLS termination |\n| `RAUTA_GATEWAY_CLASS` | `rauta` | GatewayClass to watch |\n| `RUST_LOG` | `info` | Log level |\n\n---\n\n## Development\n\n```bash\ncargo test --workspace # all tests\ncargo clippy --all-targets --all-features -- -D warnings # lint\ncargo fmt --all -- --check # format check\nmake ci-local # full CI\n```\n\nPre-commit and pre-push hooks enforce fmt, clippy, and tests.\n\n---\n\n## Built with\n\n[hyper](https://hyper.rs) ·\n[tokio](https://tokio.rs) ·\n[kube-rs](https://kube.rs) ·\n[rustls](https://github.com/rustls/rustls) ·\n[matchit](https://github.com/ibraheemdev/matchit) ·\n[arc-swap](https://github.com/vorner/arc-swap) ·\n[jemalloc](https://jemalloc.net) ·\n[prometheus](https://github.com/tikv/rust-prometheus)\n\n---\n\n## Part of FALSE Systems\n\n| Tool | Finnish | Role |\n|------|---------|------|\n| **RAUTA** | iron | API gateway |\n| **AHTI** | god of the sea | Causality engine |\n| **POLKU** | path | Event transport |\n| **KULTA** | gold | Progressive delivery |\n| **TAPIO** | forest god | Infrastructure management |\n\n---\n\nApache 2.0\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffalse-systems%2Frauta","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffalse-systems%2Frauta","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffalse-systems%2Frauta/lists"}