
Refresh CPEX plugin dependencies, bump versions, and publish packages #69

@lucarlig

Description


Problem

All managed CPEX plugin packages need dependency refreshes, new plugin versions, and published PyPI artifacts.

Documentation for the release-to-PyPI process is tracked separately in #70.

Investigation notes

Managed plugin root: plugins/rust/python-package/<slug>/.

Current managed plugins:

  • encoded_exfil_detection / cpex-encoded-exfil-detection / current 0.2.1
  • pii_filter / cpex-pii-filter / current 0.2.1
  • rate_limiter / cpex-rate-limiter / current 0.0.4
  • retry_with_backoff / cpex-retry-with-backoff / current 0.2.0
  • secrets_detection / cpex-secrets-detection / current 0.2.1
  • url_reputation / cpex-url-reputation / current 0.2.0

Repo contract from DEVELOPING.md and tools/plugin_catalog.py:

  • version source of truth is each plugin Cargo.toml
  • each cpex_<slug>/plugin-manifest.yaml version must match Cargo.toml
  • each plugin must remain in top-level workspace Cargo.toml
  • make plugins-validate enforces catalog/version/entry point rules
  • release tags are per-plugin and must be <hyphenated-slug>-v<version>
  • release workflow .github/workflows/release-rust-python-package.yaml publishes only the plugin mapped by the tag

Dry-run dependency findings on 2026-05-01:

  • cargo update --dry-run --verbose reports about 50 compatible lockfile updates, including pyo3 0.28.2 -> 0.28.3, pyo3-stub-gen 0.22.1 -> 0.22.2, tokio 1.50.0 -> 1.52.1, uuid 1.23.0 -> 1.23.1, and many transitive ICU/wasm crates.
  • Same dry run says redis v0.27.6 remains unchanged, with 1.2.0 available, so a major redis update needs deliberate compatibility work for rate_limiter rather than blind lock refresh.
  • Same dry run says rand v0.8.6 is compatible while 0.10.1 is available, so a major rand update needs deliberate compatibility work for retry_with_backoff rather than blind lock refresh.
  • Per-plugin uv lock --upgrade --dry-run reports updates such as maturin 1.12.6 -> 1.13.1, packaging 26.0 -> 26.2, pytest 9.0.2 -> 9.0.3, and pydantic/pydantic-core patch/minor updates where those plugins use Pydantic.

Required work

  1. Decide dependency policy for this release:
    • compatible lockfile refresh only, or
    • include selected direct dependency upgrades such as redis and rand major updates after code/test review.
  2. Refresh Rust dependencies:
    • update workspace dependency versions when appropriate in top-level Cargo.toml
    • run cargo update
    • keep Cargo.lock changed only by the chosen dependency update scope
  3. Refresh Python dependency lockfiles for every plugin:
    • run uv lock --upgrade in each plugin directory
    • keep package runtime constraints intentional; do not add mcpgateway to plugin pyproject.toml
  4. Bump every plugin version:
    • update plugins/rust/python-package/<slug>/Cargo.toml
    • update matching plugins/rust/python-package/<slug>/cpex_<slug>/plugin-manifest.yaml
    • ensure Cargo.lock reflects new package versions
  5. Validate locally:
    • make plugins-validate
    • make plugin-test PLUGIN=<slug> for all six plugins, or equivalent all-plugin CI path
    • for any major direct dependency update, add/adjust focused tests that exercise the changed API path
  6. Merge release commit to main.
  7. Publish one tag per plugin on main, for example:
    • encoded-exfil-detection-v<new-version>
    • pii-filter-v<new-version>
    • rate-limiter-v<new-version>
    • retry-with-backoff-v<new-version>
    • secrets-detection-v<new-version>
    • url-reputation-v<new-version>
  8. Confirm release workflow publishes wheels/sdists to PyPI for all expected platforms.

Acceptance criteria

  • All six managed plugins have refreshed dependencies per chosen policy.
  • All six plugins have new versions in Cargo.toml, matching plugin-manifest.yaml, and updated Cargo.lock.
  • make plugins-validate passes.
  • Full plugin test coverage passes for all six plugins.
  • Six release tags are created from main and the release workflow publishes all packages.
  • Published PyPI versions are recorded in this issue or linked release notes.

Labels

  • documentation (Improvements or additions to documentation)
  • enhancement (New feature or request)
  • testing (Testing infrastructure and test coverage)
