Roadmap
Certificate Discovery
| Feature |
Status |
| CT log scanning — alert on unexpected issuance |
TBD |
External CA Integration
| Feature |
Status |
| Sectigo |
TBD |
| GlobalSign |
TBD |
Bridges
| Feature |
Status |
| Bridge — self-updating binary |
TBD |
| Bridge — relay for Courier connections |
TBD |
Couriers
| Feature |
Status |
| Courier — Windows binary |
TBD |
| Courier — connect via Bridge |
Mostly Done |
| Courier auth — SPIFFE/SPIRE (JWT and X.509) |
TBD |
Secrets Management
| Feature |
Status |
| Bridge secrets caching |
Complete |
| Workload secrets access |
Complete |
| Service Account API for secrets |
Complete |
Target Systems
| Feature |
Status |
| Microsoft IIS — Windows Remote Management |
TBD |
| Microsoft Windows — Windows Remote Management |
TBD |
Virtual HSM (vHSM)
The vHSM is implemented as a dedicated Rust binary module within the back control plane, providing fine-grained control over cryptographic memory operations.
| Feature |
Status |
| vHSM — Rust binary module for back control plane |
TBD |
| vHSM — key pair generation (RSA, EC) |
TBD |
| vHSM — key storage |
TBD |
| vHSM — digital signature operations |
TBD |
| vHSM — key zeroization (explicit memory clearing) |
TBD |
| vHSM — approved random bit generation (DRBG) |
TBD |
| vHSM — symmetric key operations (AES) |
TBD |
| vHSM — power-up self-tests (known answer tests) |
TBD |
| vHSM — conditional self-tests (runtime health checks) |
TBD |
| vHSM — software integrity verification at startup |
TBD |
| vHSM — FIPS 140-3 Level 1 compliance |
TBD |
| Third-party HSM integration — Microsoft Azure |
TBD |
| Third-party HSM integration — Amazon Web Services |
TBD |
| Third-party HSM integration — physical HSM |
TBD |