← blog

A Rust adoption playbook for teams that already ship

Incremental Rust in a C or Python codebase — what to migrate first, what to leave alone, and how to keep the old build green while the new one lands.

por Craton engineering

Adopting Rust in a greenfield project is easy. Adopting Rust in a codebase that already makes money is where the interesting engineering happens — and also where the failure cases live. Here is the playbook we use when we help customers start.

Pick the right first target

Not: "the whole backend." Not: "the performance-critical inner loop." The right first target is a component with three properties:

  1. High memory-safety exposure. Parsing untrusted input, handling network packets, decoding complex binary formats. Where Rust's guarantees pay off fastest.
  2. Clean interface. A narrow API surface you can wrap in FFI without leaking abstractions both ways.
  3. Moderate complexity. Complex enough to be worth a dedicated engineer-quarter, simple enough that you can finish in that quarter.

Real candidates we have seen work: binary file-format parsers, protocol state machines, cryptographic verifiers, packet inspection. Real candidates we have seen not work as a first step: framework-level scheduler rewrites, ORM replacements, web handlers.

FFI is the skeleton

If your host language is C or C++, the FFI story is mature and the binding discipline is well-understood. If it is Python, PyO3 is excellent. If it is JavaScript, WASM is the compile target and N-API for native nodes. Each has its idioms; each works.

The FFI boundary is also where discipline matters. The Rust side must never panic across the boundary — turn panics into error codes. Ownership semantics must be documented on every function. Key data must zeroize on drop. We have seen the boundary go wrong in every way there is, and the recovery cost is always higher than getting it right the first time.

Keep the old build green

The migration that fails is the one that holds up the weekly release. The one that succeeds runs the new component alongside the old one, feature-flagged, with shadow-mode verification where the outputs of both are compared under real traffic. Cut over when the flag has been green for a week.

We have sometimes kept a shadow mode running for months, long after the cut-over. It costs CPU. It also finds regressions you would otherwise ship.

Team-wise

A common mistake: ask the most senior engineer on the team to learn Rust alone, on evenings. They do, but slowly. A better pattern: week of onboarding together, followed by a ten-week pairing engagement with a Rust specialist. The specialist does not write the code; they review, unblock, and catch bad patterns before they compound. After ten weeks, the team owns the codebase, and the specialist is a Slack ping away.

This is exactly the shape of one of our common engagements. If your team is in that situation right now, that is the conversation to have.

What to read

  • The Rust book, obviously — but don't stop there.
  • Programming Rust (Blandy, Orendorff, Tindall) is the systems-programming companion.
  • Zero To Production in Rust for service-shaped learning.
  • The standard library source code. It is readable. The committee debates in their RFCs are more instructive than most textbooks.