AI-assisted C/C++ to Rust migration, governed by evidence.
RustLift analyzes large legacy codebases locally, selects bounded migration targets, routes minimal context to approved AI infrastructure, and treats every Rust draft as untrusted until compile, test, differential, unsafe, and human-review evidence supports it.
Not an AI transpiler. An AI-assisted migration control plane that treats model output as untrusted until evidence proves it. C first, with restricted C++ targets where the target is bounded and analyzable.
No Big-Bang Conversion
Large legacy C/C++ systems are too risky to convert all at once. RustLift is C first, with restricted C++ targets where targets are bounded and analyzable.
AI Drafts Are Not Evidence
Raw coding assistants can generate useful drafts, but RustLift keeps the trust boundary around verification and review.
Scoped Model Context
Send only target code, relevant declarations, build context, and constraints to approved AI infrastructure.
Operator-Approved Campaigns
Preview, approve, run, retry, and review many bounded migrations without surrendering control to bulk automation.
What RustLift produces
Concrete artifacts stay attached to the migration record so AI work can be inspected, reviewed, retried, and audited.
Workflow
Analyze locally. Generate narrowly. Verify before trust.
RustLift helps engineering teams run AI-assisted C/C++ to Rust migration campaigns with local analysis, bounded model context, verification gates, unsafe review, human approval, and audit-ready evidence. The workflow is C first, with restricted C++ targets where targets are bounded and analyzable.
Analyze locally
Inventory C/C++ sources, headers, build context, tests, risk signals, and migration candidates without uploading the repo.
Select bounded targets
Choose one file or function chunk at a time based on risk, test coverage, build context, prompt budget, and campaign policy.
Generate with approved AI
Send only bounded context to an approved adapter for tests, Rust drafts, compile repairs, unsafe explanations, or unsafe-reduction candidates.
Verify before trust
Run compile checks, generated tests, differential tests, unsafe review, human review, and campaign status tracking before accepting output.
AI trust boundary
AI generates drafts. RustLift decides what can be trusted.
RustLift can use approved model providers to generate characterization tests, translate bounded targets, repair compile errors, explain unsafe Rust, and propose unsafe reductions. But every model output remains an untrusted draft until RustLift records verification evidence and human review.
Bounded prompts
Only target code, relevant declarations, build context, and constraints are sent to the adapter. Never whole repositories by default.
Replaceable models
Designed to route through organization-approved adapters for OpenAI, Azure OpenAI, Bedrock, local models, or internal gateways.
Drafts, not truth
Model output is stored as untrusted evidence until compile checks, tests, differential verification, unsafe review, and human approval support it.
Audit trail
Every adapter call, repair, unsafe explanation, retry, review, and verification result is captured in structured artifacts and reports.
Trust boundary
Local repo
Analysis and context packing
Approved model adapter
Untrusted draft
Compile, tests, differential, unsafe, human review
Report
Evidence artifacts
A migration record engineers can review, not a black-box code dump.
RustLift records plans, bounded context, adapter outputs, verification results, unsafe findings, human review status, and Markdown/JSON reports so AI-backed work remains inspectable.
Local analysis
sources, headers, tests, build context, risk signals
Bounded context
target code, declarations, constraints, prompt budget
Adapter output
tests, Rust drafts, compile repairs, unsafe explanations
Verification
compile checks, generated tests, differential evidence
Review trail
unsafe tracked, human approval status, reports generated
.rustlift/report.md
## Top migration candidates
- 1. bounded target selected by campaign policy
- Risk, test coverage, and build context recorded.
- Adapter call requires scoped context only.
## AI draft status
- Generated tests: captured
- Rust draft: untrusted until gates pass
## Review gate
- Unsafe findings tracked
- Human approval required before acceptance
Verification gates
Model output is untrusted until evidence supports it.
RustLift defines success as recorded evidence: original behavior captured, Rust compiled, generated and existing tests passed, differential checks run where feasible, unsafe counted and justified, human review completed, and the outcome reported.
gate 01
analyzed
gate 02
planned
gate 03
context_packed
gate 04
draft_generated
gate 05
compiled
gate 06
generated_tests_run
gate 07
differential_verified
gate 08
unsafe_reviewed
gate 09
human_reviewed
gate 10
campaign_recorded
gate 11
reported
C behavior first
Existing tests, AI-generated characterization tests, golden fixtures, fuzz cases, and sanitizer evidence become migration inputs.
Risk is explicit
Pointers, macros, callbacks, global state, volatile access, packed structs, and platform conditionals are surfaced instead of hidden.
Hard cases can wait
Planner outputs can recommend migrate now, generate more tests first, wrap behind FFI, defer, or require human review.
Campaign orchestration
Run migration campaigns without surrendering control.
RustLift composes many bounded migrations into operator-approved campaigns. Preview targets, estimate adapter calls, approve small batches, review every result, retry failed targets explicitly, and keep evidence attached to each migration record.
Preview before run
See runnable targets, blocked targets, manual-review candidates, and estimated adapter calls before running AI-backed work.
Approval tokens
Batch execution requires a preview token so stale approvals cannot silently run changed target sets.
Review-gated progress
Successful migrations stop at needs_review. RustLift does not auto-declare success.
Explicit retry
Failed or skipped targets can be requeued only through an operator-visible retry command with retry counts and history.
Deployment boundary
Keep approved AI infrastructure inside the engineering boundary.
RustLift is designed for teams with sensitive, proprietary, regulated, or high-assurance code. The model is replaceable. The local analysis, bounded context, campaign policy, verification workflow, and evidence trail are the control plane.
Local developer CLI
Run RustLift against a local repo and inspect generated `.rustlift/` artifacts before any model call is trusted.
Team and CI integration
Use the same commands in GitHub, GitLab, Azure DevOps, or internal build systems.
On-prem workbench
Keep repository indexing, test execution, report storage, policies, and audit logs inside the engineering environment.
Approved model infrastructure
Route bounded context through organization-approved adapter infrastructure for OpenAI, Azure OpenAI, Bedrock, local models, internal gateways, or other approved providers.
Relevant domains
Useful for industrial, medical, embedded, infrastructure, and regulated engineering contexts.
Current capability / next direction
Built around evidence, then scaled into campaigns.
RustLift is moving from verified bounded targets into larger campaign orchestration without changing the trust boundary around AI output.
Today
Verified single-target workflow
Local analysis, planning, bounded context packing, adapter-backed drafts, compile checks, generated tests, unsafe review, human review, and reports.
Today
Evidence corpus
Reference C and restricted C++ examples with sanitized fixtures, differential evidence, compile repair, unsafe explanations, generated tests, unsafe reduction, and review outcomes.
Today
Campaign orchestration
Campaign create/show/preview, batch approval tokens, run-next, run-batch, review queue, composed campaign review completion, explicit retry, retry visibility, and report rollups.
Next
Large-system scaling
Better module grouping, build-variant awareness, deployment policy controls, and evidence export for regulated teams.
Internal use
Use RustLift as an internal technical reference.
This page summarizes how bounded migration work should analyze source locally, generate narrowly, verify rigorously, review unsafe output, and keep evidence attached to every result.
Representative target
Use one bounded C/C++ module, file, or function group to reason about analysis, context packing, verification, and review evidence.
Fit assessment
Compare the workflow against build system constraints, test maturity, CI behavior, approved AI tooling, and required review gates.
Deployment boundary
Document local or on-prem execution, model gateway boundaries, audit logging, policy controls, and evidence storage.
Evidence package
Keep generated tests, Rust drafts, unsafe findings, verification results, review status, and reports attached to each migration record.
FAQ
Clear claims for a hard engineering problem.
RustLift is AI-assisted migration infrastructure, not magic translation or unattended whole-repository automation.
Is RustLift an AI transpiler?
No. RustLift uses AI as a draft-generation engine, not as the source of truth. The product is the migration control plane around the model: local analysis, bounded context packing, verification gates, unsafe tracking, human review, campaign orchestration, and audit-ready evidence.
Does source code have to leave our environment?
RustLift is designed local/on-prem first. Broad repo analysis happens locally. When AI adapters are enabled, RustLift sends bounded target context only to approved model infrastructure.
What can AI do inside RustLift?
Depending on the configured adapter, AI can generate characterization tests, translate bounded C/C++ targets, repair compile errors, explain unsafe Rust, and propose unsafe reductions. RustLift records those outputs as untrusted drafts until evidence supports them.
Does RustLift fully automate migration?
No. RustLift intentionally avoids unattended whole-repository conversion. It supports operator-approved, evidence-backed campaigns where each target is reviewed and verified.
Why not just use an AI coding assistant directly?
AI output is only useful when the surrounding workflow can prove what changed and what passed. RustLift is the control plane around approved assistants, test capture, context minimization, unsafe tracking, and audit-ready reports.
Start with one representative C/C++ target.
Run one bounded migration target through analysis, AI draft generation, compile and test gates, differential checks where feasible, unsafe review, human review, and a report.