Skip to content
← all posts

reliakit 1.0

2026-06-20·3 min read·0 views
rustreliability

When I wrote the first post about reliakit, it was still v0.1 - an experiment, with an API that could change anytime. Not anymore: all 18 reliakit crates are now 1.0 on crates.io. The toolkit went stable.

What reliakit is (briefly)

Reliability building blocks for Rust: the "boring" things that quietly blow up in production - rate limiting, circuit breakers, retries, timeouts, input validation, keeping secrets out of logs. Small, composable, no_std + zero-dependency wherever possible. Not a framework; you take only what you need. The full story is here.

What 1.0 means

On 0.x, any minor release is allowed to change the API - you update, your code can break. On 1.0, I commit to semver: the public API is stable, no breaking changes without a 2.0. That means you can put reliakit-* = "1" in your Cargo.toml and sleep well. That's the difference between an experiment and something you can actually depend on.

Why 1.0 now

Not because it "felt old enough." Because the API has been pressure-tested by real use. The site you're reading is guarded by 10 of the 18 reliakit crates in production - not a demo. When you use something for real, the parts of an API that are awkward or wrong show up fast. Once those were fixed and nothing else felt off, I tagged it stable.

The family today (18 crates)

They compose rather than overlap:

Types & data at the boundary

  • primitives - validated types: Email, HttpUrl, Port, Hostname, BoundedStr, Percent, SemVer, Uuid, and more.
  • validate - a Validate trait + an error that collects every field violation, not just the first.
  • collections - BoundedVec<T, MIN, MAX> that can't exceed its bounds.
  • secret - Secret<T> / SecretString, never printed in logs or errors unless you ask.

Deterministic encoding

  • codec - canonical binary encoding (same bytes for the same value).
  • json - a strict JSON parser + limits, deterministic output.
  • csv - a bounded reader + deterministic writer.
  • derive - #[derive(...)] macros for the encode/decode traits above.

Resilience (all clock-agnostic - you pass the time in)

  • ratelimit - a token-bucket rate limiter.
  • circuit - a circuit breaker; when a dependency is down, fail fast.
  • backoff - exponential/linear/constant backoff + jitter.
  • timeout - deadlines with no runtime.
  • bulkhead - a concurrency limiter (semaphore).
  • retry - RetryPolicy + retry; never sleeps on its own, so it's easy to test.

Glue

  • health - a status + criticality-aware aggregator for a /health endpoint.
  • core - a Clock trait + ManualClock / MonotonicClock.
  • decide - deterministic, utility-based decisions.

Plus the reliakit umbrella crate that re-exports them.

Used on this site

To make it concrete, the 10 crates guarding this blog:

  • ratelimit · circuit · secret · primitives · validate - guard the write endpoints (newsletter & contact): anti-spam, a breaker around email, the API key never leaks, emails are validated, and every contact-form field error is reported at once.
  • bulkhead · json - cap concurrent OG-image renders and fetches at /tools/rpc-check, plus a bounded parse of the RPC JSON response (anti-DoS).
  • health - powers the public /health endpoint.
  • csv - builds the subscriber export in the dashboard.
  • retry - wraps email sending (fire-and-forget, so it never blocks the response).

Honest about where it stands

reliakit is still small and niche - downloads in the hundreds, not the millions. I'm not claiming it's used everywhere. The only claim I'm making is this: stable, tested, and actually used in production (here). For a Rust dev tired of copying the same reliability utilities from project to project, there's now a version you can cargo add and rely on.

Code on GitHub · all crates on crates.io. Feedback and issues welcome.