
Move CLI (cli + pkcs11) into KMS workspace; merge docs; adapt CI (forward-proxy) #683

@Manuthor

Move CLI (cli + pkcs11) into KMS; Merge Docs; Adapt CI (forward-proxy); Publish & Packages

Summary

Consolidate the CLI from Cosmian/cli (both cli and pkcs11 crates) into the Cosmian/kms repository as workspace members, merge CLI documentation into documentation, and adapt KMS CI to take back the forward-proxy tests. Additionally, publish the cli crate to crates.io (reusing ckms as previously), deliver signed Linux packages plus Windows/macOS packages, and introduce Nix derivations for CLI and server packaging.

Goals

  • Unify cargo workspace to include server, CLI, and pkcs11 crates (rename KMS current crate cli to clap)
  • Centralize documentation under documentation.
  • Restore forward-proxy test coverage in KMS CI.
  • Publish cli to crates.io, reusing ckms crate integration.
  • Deliver signed Linux packages (Deb/RPM) and Windows/macOS packages.
  • Add cli.nix (cli crate), cli_pkcs11.nix (for pkcs11 crate provider) and make kms-server.nix depend on cli.nix (server packaging depends on ckms binary).
  • cli.nix and cli_pkcs11.nix must depend on glibc 2.28 at most.

Scope

  • Move crates:
    • Cosmian/cli/crate/cli → Cosmian/kms/crate/cli
    • Cosmian/cli/crate/pkcs11/provider → Cosmian/kms/crate/pkcs11/provider
    • Cosmian/cli/crate/pkcs11/module → Cosmian/kms/crate/pkcs11/module
  • Update Cargo.toml to include new [workspace] members.
  • Merge Cosmian/cli/documentation/** into Cosmian/kms/documentation/**.
  • Update KMS CI to include a forward-proxy job analogous to CLI’s (see forward-proxy in main_base.yml).
  • Add crates.io publishing and packaging pipelines (Linux signed Deb/RPM, Windows/macOS via cargo packager).
  • Create cli.nix and modify kms-server.nix to depend on cli.nix, using ckms binary where required.

Plan

  • Workspace integration:
    • Add CLI and pkcs11 crates as members in Cargo.toml.
    • Adjust path dependencies and features to KMS workspace conventions.
    • Ensure rust-toolchain.toml alignment (KMS uses 1.90.0) and OpenSSL env compatibility.
  • Documentation merge:
    • Copy cli/documentation into documentation.
    • Merge mkdocs.yml and includes.yml navigation.
    • De-duplicate overlapping topics; fix links and images.
  • CI changes (forward-proxy):
    • Create forward-proxy job in kms/.github/workflows/* mirroring CLI (forward_proxy.yml).
    • Reference forward-proxy in needs for release where applicable.
    • Keep other CLI CI jobs (e.g., CLI docker image build) out of KMS.
  • Publishing (crates.io):
    • Configure Cargo.toml with publish-ready metadata (name, description, license, repository, categories, keywords).
    • Ensure cli continues to reuse the ckms crate as previously; validate semver and features.
    • Add CI job to publish cli to crates.io using repository secret (e.g., CRATES_IO token).
  • Packaging:
    • Linux:
      • Build Debian and RPM packages for CLI and server artifacts.
      • Sign packages using existing CI GPG key via nix.sh (import key, sign artifacts).
      • Ensure server Linux packages include the ckms binary (do not reference cosmian).
    • Windows/macOS:
      • Use cargo packager configuration modeled on crate/server/Cargo.toml (targets, bundle metadata, icons).
      • Produce Windows (.zip/installer) and macOS (.dmg/.pkg) artifacts.
  • Nix derivations:
    • Create cli.nix to build/package the CLI, exposing the ckms binary and the DLL/SO libcosmian_pkcs11.so. The cli.nix must also build the pkcs11 provider crate.
    • Update kms-server.nix so it depends on cli.nix (server packaging relies on ckms binary).

Work Items

  • Move cli and register in Cargo.toml workspace.
  • Move PKCS11 provider and module; register in workspace.
  • Update inter-crate dependencies, features, and path imports; keep ckms integration unchanged.
  • Merge Cosmian/cli/documentation/** → Cosmian/kms/documentation/**.
  • Update mkdocs.yml and includes.yml with CLI topics.
  • Add forward-proxy job to kms/.github/workflows/*; wire into needs.
  • Configure Cargo.toml for crates.io publishing; add CI job using CRATES_IO token.
  • Add Linux packaging pipeline (Deb/RPM) with GPG signing via nix.sh.
  • Ensure server Linux packages include ckms binary (not cosmian).
  • Add Windows/macOS packaging via cargo packager (follow crate/server/Cargo.toml pattern).
  • Create cli.nix and integrate in CI; expose ckms binary for server packaging.
  • Update kms-server.nix to depend on cli.nix (ckms binary dependency).
  • Validate builds, docs, CI, publish, Nix derivations, and multi-OS packaging.

CI Notes (forward-proxy)

  • CLI’s main_base.yml includes a forward-proxy job used in release.needs (see forward-proxy).
  • KMS CI should:
    • Add an equivalent forward-proxy job in KMS.
    • Include it in the release needs graph where artifacts require it.
    • Keep non-forward-proxy CLI CI outside of KMS.

Packaging & Signing Notes

  • Linux:
    • The new CLI Deb/RPM packages must be signed with the existing CI GPG key.
    • Attach signed packages as release assets; verify signatures in pipeline.
  • Windows/macOS:
    • Configure CLI cargo packager entries (bundle identifier, version, resources) modeled on crate/server/Cargo.toml.
    • Produce platform-appropriate installers and archives.

References
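
One way a pipeline could enforce the glibc 2.28 ceiling stated in the goals for cli.nix and cli_pkcs11.nix, as an added example that is not part of the issue or of Cosmian's code. The function names and the `./ckms` path in the comment are assumptions, and the sample lines are constructed.

```shell
#!/bin/sh
# Added example (not project code): enforce a glibc ceiling on a built binary.
# Real use (path is an assumption): objdump -T ./ckms | check_glibc_cap 2.28

# Read `objdump -T` output on stdin; print the highest GLIBC_<maj>.<min> seen.
# GLIBC_PRIVATE and GLIBCXX_* do not match; GLIBC_2.2.5 is read as 2.2.
max_glibc_version() {
    grep -o 'GLIBC_[0-9][0-9]*\.[0-9][0-9]*' \
        | sed 's/^GLIBC_//' \
        | sort -t. -k1,1n -k2,2n \
        | tail -n 1
}

# Succeed when version $1 is <= cap $2, comparing major then minor as integers
# (a plain string compare would rank 2.9 above 2.28).
version_le() {
    v_major=${1%%.*}; v_minor=${1#*.}
    c_major=${2%%.*}; c_minor=${2#*.}
    [ "$v_major" -lt "$c_major" ] && return 0
    [ "$v_major" -eq "$c_major" ] && [ "$v_minor" -le "$c_minor" ]
}

# check_glibc_cap CAP: prints "ok <max>", "too-new <max>" or "none";
# returns non-zero only when the binary needs a newer glibc than CAP.
check_glibc_cap() {
    cap=$1
    max=$(max_glibc_version)
    if [ -z "$max" ]; then echo "none"; return 0; fi
    if version_le "$max" "$cap"; then echo "ok $max"; return 0; fi
    echo "too-new $max"
    return 1
}

# Constructed samples in the shape of `objdump -T` lines (not real output).
SAMPLE_OK='0000000000000000      DF *UND*  0000000000000000 (GLIBC_2.2.5) memcpy
0000000000000000      DF *UND*  0000000000000000 (GLIBC_2.28) fcntl64
0000000000000000      DF *UND*  0000000000000000 (GLIBCXX_3.4) _Znwm'
SAMPLE_NEW='0000000000000000      DF *UND*  0000000000000000 (GLIBC_2.17) clock_gettime
0000000000000000      DF *UND*  0000000000000000 (GLIBC_2.34) pthread_create'

printf '%s\n' "$SAMPLE_OK"  | check_glibc_cap 2.28           # ok 2.28
printf '%s\n' "$SAMPLE_NEW" | check_glibc_cap 2.28 || true   # too-new 2.34
```

Run against both the ckms binary and libcosmian_pkcs11.so, a non-zero exit fails the job before packages are signed and attached.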
