Vision: A Swiss Army knife CLI tool for HSM operations - from troubleshooting to benchmarking to automation.
Last Updated: December 14, 2025
- Total Lines: ~6,200 lines of Rust source code
- Commands: 32 CLI commands implemented
- Tests: 12+ integration tests (benchmark suite)
- Documentation: 17 markdown files (~2,500 lines)
| Category | Features | Status | Coverage |
|---|---|---|---|
| Token Management | 4 commands | ✅ Complete | 100% |
| Key Generation | 5 commands | ✅ Complete | 100% |
| Asymmetric Ops | 4 commands | ✅ Complete | 100% |
| Symmetric Ops | 5 commands | ✅ Complete | 100% |
| Hashing & MACs | 6 commands | ✅ Complete | 100% |
| Key Management | 3 commands | ✅ Complete | 100% |
| Information | 3 commands | ✅ Complete | 100% |
| Benchmarking | 1 command | 🟡 Advanced | 85% |
| Troubleshooting | 4 commands | ✅ Complete | 100% |
| CI/CD | GitHub Actions | ⚪ Not Started | 0% |
| Automation | Scripting/API | ⚪ Planned | 0% |
Goal: Make the project CI/CD-ready and production-grade
Priority 1A: GitHub Actions CI/CD ⭐⭐⭐⭐⭐
- Automated testing on push/PR
- Multi-platform builds (Linux, macOS)
- Docker image publishing to GitHub Container Registry
- Performance regression detection
- Security scanning (cargo audit, Dependabot)
- Documentation deployment
Why Critical:
- Prevents regressions
- Enables confident contributions
- Automates releases
- Foundation for all future work
Estimated Effort: 4-6 hours
Priority 1B: Core Testing ⭐⭐⭐⭐
- Integration tests for all 32 commands
- Error path testing
- End-to-end workflows
- Test coverage reporting
Current: 12 benchmark tests only
Target: 80%+ code coverage
Estimated Effort: 8-12 hours
Goal: Enable automated HSM workflows
Priority 2A: Batch Operations ⭐⭐⭐⭐
```bash
# Generate multiple keys from config
rust-hsm-cli batch-gen --config keys.yaml
# Bulk key rotation
rust-hsm-cli rotate-keys --pattern "prod-*" --backup
```
Features:
- YAML/TOML workflow definitions
- Batch key generation with templates
- Key rotation workflows
- Backup/restore operations
- Transaction-like rollback on failure
Use Cases:
- Initial HSM setup (100+ keys)
- Periodic key rotation
- Disaster recovery
- Migration between HSMs
Estimated Effort: 6-8 hours
Priority 2B: JSON Mode for All Commands ⭐⭐⭐
```bash
# Machine-readable output
rust-hsm-cli list-objects --json | jq '.keys[] | select(.type == "RSA")'
# Pipe to other tools
rust-hsm-cli audit-keys --json | vulnerability-scanner
```
Features:
- `--json` flag for all commands
- Structured error output
- Progress as JSON stream
- Exit codes for automation
Why Important: Enables integration with other tools
Estimated Effort: 4-6 hours
Priority 2C: Scripting SDK ⭐⭐⭐
```python
# Python bindings (planned API)
from rust_hsm import HSM
hsm = HSM("DEV_TOKEN", pin="123456")
key = hsm.generate_keypair("my-key", key_type="rsa", bits=2048)
data = b"message to sign"  # sample payload, added so the snippet is complete
signature = hsm.sign(key, data)
```
Features:
- Python bindings (PyO3)
- Node.js bindings (napi-rs)
- REST API server mode
- WebSocket for long operations
Use Cases:
- Application integration
- Custom automation scripts
- CI/CD pipelines
- Monitoring dashboards
Estimated Effort: 12-16 hours
Goal: Production-grade performance testing
Priority 3A: Concurrent Operations ⭐⭐⭐⭐
```bash
# Multi-threaded benchmark
rust-hsm-cli benchmark --threads 8 --duration 60s
```
Features:
- Thread pool for concurrent testing
- Per-thread statistics
- Contention detection
- Scalability graphs
Why Important: Real HSMs handle concurrent requests
Estimated Effort: 4-6 hours
Priority 3B: Stress Testing ⭐⭐⭐
```bash
# Duration-based with error tracking
rust-hsm-cli stress --duration 5m --target-ops 1000
```
Features:
- Time-based testing (not iteration-based)
- Error rate tracking
- Performance degradation detection
- Memory leak detection
Estimated Effort: 3-4 hours
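Added example, not rust-hsm-cli code: a sketch of the time-based harness that Priorities 3A and 3B describe, with N worker threads, a fixed run duration, per-thread statistics and error-rate tracking. The HSM call is replaced by a caller-supplied closure `op(thread_id)`, an assumption made so the harness runs without a token.

```rust
// Added example (not rust-hsm-cli code): duration-based, multi-threaded
// benchmark harness with per-thread stats and error tracking; `op` stands in for the HSM call.
use std::sync::atomic::{AtomicBool, Ordering};
use std::sync::Arc;
use std::thread;
use std::time::{Duration, Instant};

/// Results one worker thread collected until the shared stop flag was set.
#[derive(Debug, Clone, Default)]
pub struct ThreadStats {
    pub ops: u64,
    pub errors: u64,
    pub total_latency: Duration,
}

/// Run `op(thread_id)` on `threads` workers until `duration` elapses
/// (time-based, not iteration-based), returning one ThreadStats per worker.
pub fn run_benchmark<F>(threads: usize, duration: Duration, op: F) -> Vec<ThreadStats>
where
    F: Fn(usize) -> Result<(), String> + Send + Sync + 'static,
{
    let op = Arc::new(op);
    let stop = Arc::new(AtomicBool::new(false));
    let handles: Vec<_> = (0..threads)
        .map(|id| {
            let (op, stop) = (Arc::clone(&op), Arc::clone(&stop));
            thread::spawn(move || {
                let mut s = ThreadStats::default();
                while !stop.load(Ordering::Relaxed) {
                    let t0 = Instant::now();
                    if (*op)(id).is_err() { s.errors += 1; } // errors are counted, the run continues
                    s.total_latency += t0.elapsed();
                    s.ops += 1;
                }
                s
            })
        })
        .collect();
    thread::sleep(duration); // the wall clock, not an iteration count, ends the run
    stop.store(true, Ordering::Relaxed);
    handles.into_iter().map(|h| h.join().expect("worker panicked")).collect()
}

/// Aggregate error rate across all threads, in 0.0..=1.0.
pub fn error_rate(stats: &[ThreadStats]) -> f64 {
    let (ops, errs) = stats.iter().fold((0u64, 0u64), |(o, e), s| (o + s.ops, e + s.errors));
    if ops == 0 { 0.0 } else { errs as f64 / ops as f64 }
}
```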
Priority 3C: Visual Reports ⭐⭐
```bash
# Generate HTML report
rust-hsm-cli benchmark --report benchmark-report.html
```
Features:
- HTML reports with charts
- ASCII histograms in terminal
- Flamegraphs for profiling
- Comparison dashboards
Estimated Effort: 6-8 hours
Goal: Production HSM deployment support
Priority 4A: HA & Clustering ⭐⭐⭐⭐
- Multiple HSM support (primary/backup)
- Automatic failover
- Load balancing across HSMs
- Split-key operations
Priority 4B: Key Lifecycle Management ⭐⭐⭐⭐
- Key versioning
- Automatic rotation policies
- Key usage auditing
- Compliance reporting (SOC2, PCI-DSS)
Priority 4C: Network HSM Support ⭐⭐⭐
- Remote HSM connections
- Latency-aware operations
- Credential management
- VPN/tunnel support
Files to create:
```text
.github/
  workflows/
    ci.yml          # Test + lint on push/PR
    release.yml     # Tagged releases
    benchmark.yml   # Performance tracking
    security.yml    # Security scanning
```
What it enables:
- ✅ Automated testing on every commit
- ✅ Pull request validation
- ✅ Docker image publishing
- ✅ Release automation
- ✅ Performance regression alerts
Deliverable: Green CI badge in README
Priority commands to test:
- Token operations (init, delete, init-pin)
- Key generation (RSA, ECDSA, AES, HMAC)
- Sign/verify operations
- Encrypt/decrypt operations
- Troubleshooting commands
Coverage goal: 70%+ by end of week
Deliverable: Comprehensive test suite with coverage report
New flags:
```text
--threads <N>       # Number of concurrent threads
--duration <TIME>   # Run for fixed duration (60s, 5m, 1h)
```
Deliverable: Multi-threaded performance testing
- Test Coverage: Target 80%+
- CI Pass Rate: Target 95%+
- Documentation: 100% of commands documented
- Security: Zero high/critical vulnerabilities
- Benchmark Stability: <5% variance between runs
- Container Build: <60 seconds
- CLI Response Time: <100ms for info commands
- GitHub Stars: Track growth
- Issues Resolved: Target <7 day average
- Documentation Clarity: Minimal "how to" questions
- WebAssembly: HSM operations in browser (demo/training)
- TUI Interface: Terminal UI for interactive workflows
- HSM Emulator: Software HSM for testing (no Docker needed)
- Cloud HSM Support: AWS CloudHSM, Azure Key Vault integration
- Smart Card Support: PIV/CAC operations
- Add bash completion scripts
- Improve error messages
- Add more examples to docs
- Test on macOS/Windows
- Implement missing PKCS#11 mechanisms
- Add FIPS 140-2 validation
- Performance optimizations
- Cloud HSM adapters
- ✅ Week 1-2: Priority 1 benchmarking features (DONE)
- 🔄 Week 3: GitHub Actions + Core testing (IN PROGRESS)
- ⏳ Week 4: Batch operations + JSON mode
- January: Concurrent benchmarking + stress testing
- February: Scripting SDK (Python bindings)
- March: Visual reports + documentation overhaul
- April: Network HSM support
- May: HA & clustering
- June: Enterprise features polish
- Error handling: Some commands need better error messages
- Performance: Benchmark setup could be faster
- Testing: Missing tests for edge cases
- Documentation: Some advanced features underdocumented
- Extract PKCS#11 wrapper: Reusable library crate
- Common CLI patterns: Shared flag handling
- Config validation: Better error messages
- Test helpers: Reduce test boilerplate
- ✅ Docker-based approach (consistent environment)
- ✅ Single binary (easy deployment)
- ✅ TOML config (user-friendly)
- ✅ Clap CLI (excellent UX)
- ✅ Comprehensive logging
- 🤔 PIN handling (need vault integration)
- 🤔 Long-running operations (need progress)
- 🤔 Large output (need pagination)
- 🤔 Remote access (need client-server mode)
- Core functionality complete
- Comprehensive documentation
- 80%+ test coverage
- CI/CD pipeline
- Security audit passed
- Performance benchmarked
- Error handling robust
- Monitoring/logging
- Backup/recovery tested
- Multi-platform support
Current Status: 6/10 complete (60%)
- README.md - Getting started
- BENCHMARKING.md - Performance testing
- Command Reference - All commands
- Troubleshooting - Common issues
- ✅ Implemented all Priority 1 benchmark features
- ✅ Added JSON/CSV export with metadata
- ✅ Comparison mode for regression detection
- ✅ Data size variation testing
- ✅ Comprehensive test suite (12 tests)
- ✅ Progress indicators
- ✅ Warmup iterations support
- ✅ Documentation overhaul (330+ lines added)
- ✅ Troubleshooting commands (explain-error, find-key, diff-keys)
- ✅ CMAC operations
- ✅ Enhanced key inspection
- ✅ Configuration file support
Next Review: January 2026