Added: Benchmarks and plotting for performance analysis

.codacy.yml

@@ -3,6 +3,7 @@
 #
 # This repository is primarily Rust.
 # Note: clippy and rustfmt are not supported by Codacy and are handled by GitHub Actions CI.
+# cspell:ignore pyproject
 
 engines:
   # === DOCUMENTATION / SCRIPTS ===
@@ -22,6 +23,29 @@ engines:
       severity: warning
       include_code: true
 
+  # === PYTHON / SECURITY ===
+  # Ruff for Python linting and formatting (reads from pyproject.toml)
+  ruff:
+    enabled: true
+    include_paths:
+      - "scripts/**/*.py"
+      - "**/*.py"
+    config:
+      file: "pyproject.toml"
+
+  # Bandit for Python security analysis
+  bandit:
+    enabled: true
+    include_paths:
+      - "scripts/**/*.py"
+      - "**/*.py"
+    config:
+      severity: high
+      confidence: high
+      skips: ["B101", "B102", "B103", "B108", "B110", "B404", "B603", "B607"]
+      exclude_info: true
+      exclude_dirs: ["tests"]
+
   # === RUST / SECURITY ===
   lizard:
     enabled: true
@@ -30,8 +54,9 @@ engines:
       - "tests/**/*.rs"
       - "examples/**/*.rs"
       - "benches/**/*.rs"
+      - "scripts/**/*.py"
     config:
-      languages: ["rust"]
+      languages: ["rust", "python"]
       threshold:
         cyclomatic_complexity: 15
         token_count: 300
@@ -46,6 +71,7 @@ engines:
       - "tests/**/*.rs"
       - "examples/**/*.rs"
       - "benches/**/*.rs"
+      - "scripts/**/*.py"
 
   trivy:
     enabled: true
@@ -75,14 +101,26 @@ exclude_paths:
   - ".git/**"
   - ".cspellcache"
   - ".DS_Store"
+  # Python artifacts
+  - "__pycache__/**"
+  - "*.pyc"
+  - ".pytest_cache/**"
+  - ".ruff_cache/**"
+  - ".mypy_cache/**"
+  - "venv/**"
+  - ".venv/**"
+  - "uv.lock"
 
 # Focus analysis on source, docs, and CI configuration
 include_paths:
   - "src/**"
   - "benches/**"
   - "examples/**"
   - "tests/**"
+  - "scripts/**"
+  - "*.py"
   - "Cargo.toml"
+  - "pyproject.toml"
   - "rust-toolchain.toml"
   - "rustfmt.toml"
   - "justfile"
@@ -100,6 +138,9 @@ languages:
   rust:
     extensions:
       - ".rs"
+  python:
+    extensions:
+      - ".py"
   markdown:
     extensions:
       - ".md"

.github/workflows/ci.yml

@@ -55,6 +55,12 @@ jobs:
         with:
           tool: just
 
+      - name: Install uv (for Python scripts and pytest)
+        if: matrix.os != 'windows-latest'
+        uses: astral-sh/setup-uv@ed21f2f24f8dd64503750218de024bcf64c7250a  # v7.1.5
+        with:
+          version: "0.9.17"  # Pinned for reproducible CI
+
       - name: Install Node.js (for markdownlint and cspell)
         if: matrix.os != 'windows-latest'
         uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0

.github/workflows/codacy.yml

@@ -61,6 +61,19 @@ jobs:
           mkdir -p "$CODACY_WORKDIR"
           rsync -a --delete --exclude '.git' ./ "$CODACY_WORKDIR/"
 
+      - name: Verify Codacy config includes Python security tooling
+        run: |
+          set -euo pipefail
+          config="$CODACY_WORKDIR/.codacy.yml"
+          if [ ! -f "$config" ]; then
+            echo "::error::.codacy.yml not found in workspace copy ($config)"
+            exit 1
+          fi
+          if ! grep -qE '^[[:space:]]*bandit:' "$config"; then
+            echo "::error::Bandit engine not configured in .codacy.yml; Python security scanning will be skipped."
+            exit 1
+          fi
+
       # Execute Codacy Analysis CLI and generate a SARIF output with
       # the security issues identified during the analysis
       - name: Run Codacy Analysis CLI

.gitignore

@@ -4,3 +4,13 @@
 /build*
 /cobertura.xml
 .DS_Store
+
+# Python / uv
+**/__pycache__/
+*.egg-info/
+.venv/
+venv/
+.ruff_cache/
+.pytest_cache/
+.mypy_cache/
+uv.lock

.python-version

@@ -0,0 +1 @@
+3.11