20260147 迭代优化全量测试和覆盖率测试，时间从325秒降低到90+秒，覆盖率维持在90%

README.md

@@ -26,3 +26,38 @@ cargo install cargo-llvm-cov --locked
 cargo llvm-cov --fail-under-lines 90
 ```
 
+默认会复用现有插桩产物，不会先 clean。需要强制全量重编译时：
+
+```
+COVERAGE_FORCE_CLEAN=1 ./scripts/coverage.sh
+```
+
+说明：
+- 默认行为适合本地重复确认覆盖率，避免每次都重编译整套插桩目标；
+- 默认还会设置 `RPKI_SKIP_HEAVY_SCRIPT_REPLAY_TESTS=1`，跳过会拉起 shell replay pipeline 的重型集成测试，避免 coverage 期间额外触发 `target/release` 构建；
+- 默认还会设置 `RPKI_SKIP_HEAVY_BLACKBOX_TESTS=1`，跳过更慢的 blackbox CLI / CIR record 脚本测试，进一步降低日常 coverage 成本；
+- 默认还会设置 `RPKI_SKIP_HEAVY_CRYPTO_TESTS=1`，跳过需要大量 OpenSSL 生成证书/CRL 的重型密码学测试，进一步压缩日常 coverage 时长；
+- 如需把这批脚本回放测试也纳入 coverage，可显式关闭该开关：
+
+```
+RPKI_SKIP_HEAVY_SCRIPT_REPLAY_TESTS=0 ./scripts/coverage.sh
+```
+
+如需连同第二批 blackbox 测试一起跑：
+
+```
+RPKI_SKIP_HEAVY_BLACKBOX_TESTS=0 ./scripts/coverage.sh
+```
+
+如需连同重型 OpenSSL 证书路径测试一起跑：
+
+```
+RPKI_SKIP_HEAVY_CRYPTO_TESTS=0 ./scripts/coverage.sh
+```
+
+- replay 脚本现在也支持通过环境变量注入现成二进制，避免找不到二进制时自动 `cargo build --release`：
+  - `RPKI_BIN`
+  - `CIR_MATERIALIZE_BIN`
+  - `CIR_EXTRACT_INPUTS_BIN`
+  - `CCR_TO_COMPARE_VIEWS_BIN`
+- `COVERAGE_FORCE_CLEAN=1` 适合需要完全从零重建插桩目标时使用。

scripts/cir/run_cir_replay_ours.sh

@@ -24,10 +24,10 @@ RAW_STORE_DB=""
 OUT_DIR=""
 REFERENCE_CCR=""
 KEEP_DB=0
-RPKI_BIN="$ROOT_DIR/target/release/rpki"
-CIR_MATERIALIZE_BIN="$ROOT_DIR/target/release/cir_materialize"
-CIR_EXTRACT_INPUTS_BIN="$ROOT_DIR/target/release/cir_extract_inputs"
-CCR_TO_COMPARE_VIEWS_BIN="$ROOT_DIR/target/release/ccr_to_compare_views"
+RPKI_BIN="${RPKI_BIN:-$ROOT_DIR/target/release/rpki}"
+CIR_MATERIALIZE_BIN="${CIR_MATERIALIZE_BIN:-$ROOT_DIR/target/release/cir_materialize}"
+CIR_EXTRACT_INPUTS_BIN="${CIR_EXTRACT_INPUTS_BIN:-$ROOT_DIR/target/release/cir_extract_inputs}"
+CCR_TO_COMPARE_VIEWS_BIN="${CCR_TO_COMPARE_VIEWS_BIN:-$ROOT_DIR/target/release/ccr_to_compare_views}"
 REAL_RSYNC_BIN="${REAL_RSYNC_BIN:-/usr/bin/rsync}"
 WRAPPER="$ROOT_DIR/scripts/cir/cir-rsync-wrapper"
 

scripts/cir/run_cir_replay_routinator.sh

@@ -29,9 +29,9 @@ KEEP_DB=0
 ROUTINATOR_ROOT="${ROUTINATOR_ROOT:-/home/yuyr/dev/rust_playground/routinator}"
 ROUTINATOR_BIN="${ROUTINATOR_BIN:-$ROUTINATOR_ROOT/target/debug/routinator}"
 REAL_RSYNC_BIN="${REAL_RSYNC_BIN:-/usr/bin/rsync}"
-CIR_MATERIALIZE_BIN="$ROOT_DIR/target/release/cir_materialize"
-CIR_EXTRACT_INPUTS_BIN="$ROOT_DIR/target/release/cir_extract_inputs"
-CCR_TO_COMPARE_VIEWS_BIN="$ROOT_DIR/target/release/ccr_to_compare_views"
+CIR_MATERIALIZE_BIN="${CIR_MATERIALIZE_BIN:-$ROOT_DIR/target/release/cir_materialize}"
+CIR_EXTRACT_INPUTS_BIN="${CIR_EXTRACT_INPUTS_BIN:-$ROOT_DIR/target/release/cir_extract_inputs}"
+CCR_TO_COMPARE_VIEWS_BIN="${CCR_TO_COMPARE_VIEWS_BIN:-$ROOT_DIR/target/release/ccr_to_compare_views}"
 WRAPPER="$ROOT_DIR/scripts/cir/cir-rsync-wrapper"
 JSON_TO_VAPS="$ROOT_DIR/scripts/cir/json_to_vaps_csv.py"
 FAKETIME_LIB="${FAKETIME_LIB:-$ROOT_DIR/target/tools/faketime_pkg/extracted/libfaketime/usr/lib/x86_64-linux-gnu/faketime/libfaketime.so.1}"

scripts/cir/run_cir_replay_rpki_client.sh

@@ -25,9 +25,9 @@ REFERENCE_CCR=""
 BUILD_DIR=""
 KEEP_DB=0
 REAL_RSYNC_BIN="${REAL_RSYNC_BIN:-/usr/bin/rsync}"
-CIR_MATERIALIZE_BIN="$ROOT_DIR/target/release/cir_materialize"
-CIR_EXTRACT_INPUTS_BIN="$ROOT_DIR/target/release/cir_extract_inputs"
-CCR_TO_COMPARE_VIEWS_BIN="$ROOT_DIR/target/release/ccr_to_compare_views"
+CIR_MATERIALIZE_BIN="${CIR_MATERIALIZE_BIN:-$ROOT_DIR/target/release/cir_materialize}"
+CIR_EXTRACT_INPUTS_BIN="${CIR_EXTRACT_INPUTS_BIN:-$ROOT_DIR/target/release/cir_extract_inputs}"
+CCR_TO_COMPARE_VIEWS_BIN="${CCR_TO_COMPARE_VIEWS_BIN:-$ROOT_DIR/target/release/ccr_to_compare_views}"
 WRAPPER="$ROOT_DIR/scripts/cir/cir-rsync-wrapper"
 
 while [[ $# -gt 0 ]]; do

scripts/coverage.sh

@@ -5,6 +5,19 @@ set -euo pipefail
 #   rustup component add llvm-tools-preview
 #   cargo install cargo-llvm-cov --locked
 
+# Optional:
+#   COVERAGE_FORCE_CLEAN=1  Force `cargo llvm-cov clean --workspace` before the run.
+#                           Default behavior is to reuse existing llvm-cov build artifacts.
+#   RPKI_SKIP_HEAVY_SCRIPT_REPLAY_TESTS=1  Skip replay/matrix integration tests that
+#                           spawn shell pipelines and can trigger separate release builds.
+#                           coverage.sh enables this by default.
+#   RPKI_SKIP_HEAVY_BLACKBOX_TESTS=1  Skip slower blackbox CLI/script integration tests
+#                           that provide low incremental coverage per wall-clock second.
+#                           coverage.sh enables this by default.
+#   RPKI_SKIP_HEAVY_CRYPTO_TESTS=1  Skip slower OpenSSL-heavy certificate generation tests
+#                           that provide low incremental coverage per wall-clock second.
+#                           coverage.sh enables this by default.
+
 run_out="$(mktemp)"
 text_out="$(mktemp)"
 html_out="$(mktemp)"
@@ -20,7 +33,16 @@ IGNORE_REGEX='src/bin/replay_bundle_capture\.rs|src/bin/replay_bundle_capture_de
 # We run tests only once, then generate both CLI text + HTML reports without rerunning tests.
 set +e
 
-cargo llvm-cov clean --workspace >/dev/null 2>&1
+if [ "${COVERAGE_FORCE_CLEAN:-0}" = "1" ]; then
+  cargo llvm-cov clean --workspace >/dev/null 2>&1
+  echo "coverage mode: clean build (COVERAGE_FORCE_CLEAN=1)"
+else
+  echo "coverage mode: reuse existing llvm-cov artifacts (default)"
+fi
+
+export RPKI_SKIP_HEAVY_SCRIPT_REPLAY_TESTS="${RPKI_SKIP_HEAVY_SCRIPT_REPLAY_TESTS:-1}"
+export RPKI_SKIP_HEAVY_BLACKBOX_TESTS="${RPKI_SKIP_HEAVY_BLACKBOX_TESTS:-1}"
+export RPKI_SKIP_HEAVY_CRYPTO_TESTS="${RPKI_SKIP_HEAVY_CRYPTO_TESTS:-1}"
 
 # 1) Run tests once to collect coverage data (no report).
 script -q -e -c "CARGO_TERM_COLOR=always cargo llvm-cov --no-report" "$run_out" >/dev/null 2>&1

src/bin/replay_bundle_record.rs

@@ -670,6 +670,10 @@ mod tests {
     use super::*;
     use tempfile::tempdir;
 
+    fn skip_heavy_blackbox_test() -> bool {
+        std::env::var_os("RPKI_SKIP_HEAVY_BLACKBOX_TESTS").is_some()
+    }
+
     #[test]
     fn parse_args_requires_required_flags() {
         let argv = vec![
@@ -730,6 +734,9 @@ mod tests {
 
     #[test]
     fn run_base_bundle_record_smoke_root_only_apnic() {
+        if skip_heavy_blackbox_test() {
+            return;
+        }
         let dir = tempdir().expect("tempdir");
         let out_dir = dir.path().join("bundle");
         let out = run(Args {

tests/test_ca_path_m15.rs

@@ -11,6 +11,10 @@ fn openssl_available() -> bool {
         .unwrap_or(false)
 }
 
+fn skip_heavy_crypto_test() -> bool {
+    std::env::var_os("RPKI_SKIP_HEAVY_CRYPTO_TESTS").is_some()
+}
+
 struct Generated {
     issuer_ca_der: Vec<u8>,
     child_ca_der: Vec<u8>,
@@ -212,6 +216,9 @@ authorityKeyIdentifier = keyid:always
 
 #[test]
 fn validate_subordinate_ca_succeeds_for_valid_child_and_subset_resources() {
+    if skip_heavy_crypto_test() {
+        return;
+    }
     let generated = generate_chain_and_crl(
         "keyUsage = critical, keyCertSign, cRLSign\nsbgp-ipAddrBlock = critical, IPv4:10.0.0.0/16\nsbgp-autonomousSysNum = critical, AS:64496\n",
         false,
@@ -238,6 +245,9 @@ fn validate_subordinate_ca_succeeds_for_valid_child_and_subset_resources() {
 
 #[test]
 fn validate_subordinate_ca_rejects_wrong_key_usage_bits() {
+    if skip_heavy_crypto_test() {
+        return;
+    }
     let generated = generate_chain_and_crl(
         "keyUsage = critical, digitalSignature\nsbgp-ipAddrBlock = critical, IPv4:10.0.0.0/16\n",
         false,

tests/test_cert_path_key_usage.rs

@@ -12,6 +12,10 @@ fn openssl_available() -> bool {
         .unwrap_or(false)
 }
 
+fn skip_heavy_crypto_test() -> bool {
+    std::env::var_os("RPKI_SKIP_HEAVY_CRYPTO_TESTS").is_some()
+}
+
 fn run(cmd: &mut Command) {
     let out = cmd.output().expect("run command");
     if !out.status.success() {
@@ -185,6 +189,9 @@ authorityKeyIdentifier = keyid:always
 
 #[test]
 fn ee_key_usage_digital_signature_only_is_accepted() {
+    if skip_heavy_crypto_test() {
+        return;
+    }
     let g = generate_issuer_ca_ee_and_crl("keyUsage = critical, digitalSignature\n");
     let now = time::OffsetDateTime::now_utc();
     validate_ee_cert_path(
@@ -200,6 +207,9 @@ fn ee_key_usage_digital_signature_only_is_accepted() {
 
 #[test]
 fn ee_key_usage_missing_is_rejected() {
+    if skip_heavy_crypto_test() {
+        return;
+    }
     let g = generate_issuer_ca_ee_and_crl("");
     let now = time::OffsetDateTime::now_utc();
     let err = validate_ee_cert_path(
@@ -216,6 +226,9 @@ fn ee_key_usage_missing_is_rejected() {
 
 #[test]
 fn ee_key_usage_not_critical_is_rejected() {
+    if skip_heavy_crypto_test() {
+        return;
+    }
     let g = generate_issuer_ca_ee_and_crl("keyUsage = digitalSignature\n");
     let now = time::OffsetDateTime::now_utc();
     let err = validate_ee_cert_path(
@@ -232,6 +245,9 @@ fn ee_key_usage_not_critical_is_rejected() {
 
 #[test]
 fn ee_key_usage_wrong_bits_is_rejected() {
+    if skip_heavy_crypto_test() {
+        return;
+    }
     let g =
         generate_issuer_ca_ee_and_crl("keyUsage = critical, digitalSignature, keyEncipherment\n");
     let now = time::OffsetDateTime::now_utc();
@@ -249,6 +265,9 @@ fn ee_key_usage_wrong_bits_is_rejected() {
 
 #[test]
 fn validate_ee_cert_path_with_prevalidated_issuer_covers_success_and_error_paths() {
+    if skip_heavy_crypto_test() {
+        return;
+    }
     use rpki::data_model::common::BigUnsigned;
     use rpki::data_model::crl::RpkixCrl;
     use rpki::data_model::rc::ResourceCertificate;

tests/test_cir_delta_export_m1.rs

@@ -10,8 +10,15 @@ use rpki::cir::{
     CIR_VERSION_V1, CanonicalInputRepresentation, CirHashAlgorithm, CirObject, CirTal, encode_cir,
 };
 
+fn skip_heavy_blackbox_test() -> bool {
+    std::env::var_os("RPKI_SKIP_HEAVY_BLACKBOX_TESTS").is_some()
+}
+
 #[test]
 fn cir_full_and_delta_pair_reuses_shared_static_pool() {
+    if skip_heavy_blackbox_test() {
+        return;
+    }
     let script =
         PathBuf::from(env!("CARGO_MANIFEST_DIR")).join("scripts/cir/run_cir_record_full_delta.sh");
     let out_dir = tempfile::tempdir().expect("tempdir");

tests/test_cir_matrix_m9.rs

@@ -6,6 +6,10 @@ use rpki::cir::{
     materialize_cir,
 };
 
+fn skip_heavy_script_replay_test() -> bool {
+    std::env::var_os("RPKI_SKIP_HEAVY_SCRIPT_REPLAY_TESTS").is_some()
+}
+
 fn apnic_tal_path() -> PathBuf {
     PathBuf::from(env!("CARGO_MANIFEST_DIR")).join("tests/fixtures/tal/apnic-rfc7730-https.tal")
 }
@@ -105,6 +109,9 @@ fn prepare_reference_ccr(
 
 #[test]
 fn cir_replay_matrix_script_matches_reference_for_all_participants() {
+    if skip_heavy_script_replay_test() {
+        return;
+    }
     if !Path::new("/usr/bin/rsync").exists()
         || !Path::new("/home/yuyr/dev/rust_playground/routinator/target/debug/routinator").exists()
         || !Path::new("/home/yuyr/dev/rpki-client-9.7/build-m5/src/rpki-client").exists()
@@ -127,6 +134,12 @@ fn cir_replay_matrix_script_matches_reference_for_all_participants() {
     let script =
         PathBuf::from(env!("CARGO_MANIFEST_DIR")).join("scripts/cir/run_cir_replay_matrix.sh");
     let out = Command::new(script)
+        .env("CIR_MATERIALIZE_BIN", env!("CARGO_BIN_EXE_cir_materialize"))
+        .env("CIR_EXTRACT_INPUTS_BIN", env!("CARGO_BIN_EXE_cir_extract_inputs"))
+        .env(
+            "CCR_TO_COMPARE_VIEWS_BIN",
+            env!("CARGO_BIN_EXE_ccr_to_compare_views"),
+        )
         .args([
             "--cir",
             cir_path.to_string_lossy().as_ref(),

tests/test_cir_peer_replay_m8.rs

@@ -6,6 +6,10 @@ use rpki::cir::{
     materialize_cir,
 };
 
+fn skip_heavy_script_replay_test() -> bool {
+    std::env::var_os("RPKI_SKIP_HEAVY_SCRIPT_REPLAY_TESTS").is_some()
+}
+
 fn apnic_tal_path() -> PathBuf {
     PathBuf::from(env!("CARGO_MANIFEST_DIR")).join("tests/fixtures/tal/apnic-rfc7730-https.tal")
 }
@@ -105,6 +109,9 @@ fn prepare_reference_ccr(
 
 #[test]
 fn cir_routinator_script_matches_reference_on_ta_only_cir() {
+    if skip_heavy_script_replay_test() {
+        return;
+    }
     if !Path::new("/usr/bin/rsync").exists()
         || !Path::new("/home/yuyr/dev/rust_playground/routinator/target/debug/routinator").exists()
     {
@@ -125,6 +132,12 @@ fn cir_routinator_script_matches_reference_on_ta_only_cir() {
     let script =
         PathBuf::from(env!("CARGO_MANIFEST_DIR")).join("scripts/cir/run_cir_replay_routinator.sh");
     let out = Command::new(script)
+        .env("CIR_MATERIALIZE_BIN", env!("CARGO_BIN_EXE_cir_materialize"))
+        .env("CIR_EXTRACT_INPUTS_BIN", env!("CARGO_BIN_EXE_cir_extract_inputs"))
+        .env(
+            "CCR_TO_COMPARE_VIEWS_BIN",
+            env!("CARGO_BIN_EXE_ccr_to_compare_views"),
+        )
         .args([
             "--cir",
             cir_path.to_string_lossy().as_ref(),
@@ -152,6 +165,9 @@ fn cir_routinator_script_matches_reference_on_ta_only_cir() {
 
 #[test]
 fn cir_rpki_client_script_matches_reference_on_ta_only_cir() {
+    if skip_heavy_script_replay_test() {
+        return;
+    }
     if !Path::new("/usr/bin/rsync").exists()
         || !Path::new("/home/yuyr/dev/rpki-client-9.7/build-m5/src/rpki-client").exists()
     {
@@ -172,6 +188,12 @@ fn cir_rpki_client_script_matches_reference_on_ta_only_cir() {
     let script =
         PathBuf::from(env!("CARGO_MANIFEST_DIR")).join("scripts/cir/run_cir_replay_rpki_client.sh");
     let out = Command::new(script)
+        .env("CIR_MATERIALIZE_BIN", env!("CARGO_BIN_EXE_cir_materialize"))
+        .env("CIR_EXTRACT_INPUTS_BIN", env!("CARGO_BIN_EXE_cir_extract_inputs"))
+        .env(
+            "CCR_TO_COMPARE_VIEWS_BIN",
+            env!("CARGO_BIN_EXE_ccr_to_compare_views"),
+        )
         .args([
             "--cir",
             cir_path.to_string_lossy().as_ref(),

tests/test_cir_sequence_m2.rs

@@ -9,8 +9,15 @@ use rpki::cir::{
     CIR_VERSION_V1, CanonicalInputRepresentation, CirHashAlgorithm, CirObject, CirTal, encode_cir,
 };
 
+fn skip_heavy_blackbox_test() -> bool {
+    std::env::var_os("RPKI_SKIP_HEAVY_BLACKBOX_TESTS").is_some()
+}
+
 #[test]
 fn cir_offline_sequence_writes_parseable_sequence_json_and_steps() {
+    if skip_heavy_blackbox_test() {
+        return;
+    }
     let out_dir = tempfile::tempdir().expect("tempdir");
     let out = out_dir.path().join("cir-sequence");
     let script = PathBuf::from(env!("CARGO_MANIFEST_DIR"))

tests/test_cir_sequence_peer_replay_m4.rs

@@ -6,6 +6,10 @@ use rpki::cir::{
     materialize_cir,
 };
 
+fn skip_heavy_script_replay_test() -> bool {
+    std::env::var_os("RPKI_SKIP_HEAVY_SCRIPT_REPLAY_TESTS").is_some()
+}
+
 fn apnic_tal_path() -> PathBuf {
     PathBuf::from(env!("CARGO_MANIFEST_DIR")).join("tests/fixtures/tal/apnic-rfc7730-https.tal")
 }
@@ -161,6 +165,9 @@ fn prepare_sequence_root(td: &Path) -> PathBuf {
 
 #[test]
 fn peer_sequence_replay_scripts_replay_all_steps() {
+    if skip_heavy_script_replay_test() {
+        return;
+    }
     if !Path::new("/usr/bin/rsync").exists()
         || !Path::new("/home/yuyr/dev/rust_playground/routinator/target/debug/routinator").exists()
         || !Path::new("/home/yuyr/dev/rpki-client-9.7/build-m5/src/rpki-client").exists()
@@ -174,6 +181,12 @@ fn peer_sequence_replay_scripts_replay_all_steps() {
     let routinator_script = PathBuf::from(env!("CARGO_MANIFEST_DIR"))
         .join("scripts/cir/run_cir_replay_sequence_routinator.sh");
     let out = Command::new(routinator_script)
+        .env("CIR_MATERIALIZE_BIN", env!("CARGO_BIN_EXE_cir_materialize"))
+        .env("CIR_EXTRACT_INPUTS_BIN", env!("CARGO_BIN_EXE_cir_extract_inputs"))
+        .env(
+            "CCR_TO_COMPARE_VIEWS_BIN",
+            env!("CARGO_BIN_EXE_ccr_to_compare_views"),
+        )
         .args(["--sequence-root", sequence_root.to_string_lossy().as_ref()])
         .output()
         .expect("run routinator sequence replay");
@@ -192,6 +205,12 @@ fn peer_sequence_replay_scripts_replay_all_steps() {
     let rpki_client_script = PathBuf::from(env!("CARGO_MANIFEST_DIR"))
         .join("scripts/cir/run_cir_replay_sequence_rpki_client.sh");
     let out = Command::new(rpki_client_script)
+        .env("CIR_MATERIALIZE_BIN", env!("CARGO_BIN_EXE_cir_materialize"))
+        .env("CIR_EXTRACT_INPUTS_BIN", env!("CARGO_BIN_EXE_cir_extract_inputs"))
+        .env(
+            "CCR_TO_COMPARE_VIEWS_BIN",
+            env!("CARGO_BIN_EXE_ccr_to_compare_views"),
+        )
         .args([
             "--sequence-root",
             sequence_root.to_string_lossy().as_ref(),

tests/test_cir_sequence_replay_m3.rs

@@ -6,6 +6,10 @@ use rpki::cir::{
     materialize_cir,
 };
 
+fn skip_heavy_script_replay_test() -> bool {
+    std::env::var_os("RPKI_SKIP_HEAVY_SCRIPT_REPLAY_TESTS").is_some()
+}
+
 fn apnic_tal_path() -> PathBuf {
     PathBuf::from(env!("CARGO_MANIFEST_DIR")).join("tests/fixtures/tal/apnic-rfc7730-https.tal")
 }
@@ -106,6 +110,9 @@ fn prepare_reference_ccr(
 
 #[test]
 fn ours_sequence_replay_script_replays_all_steps() {
+    if skip_heavy_script_replay_test() {
+        return;
+    }
     if !Path::new("/usr/bin/rsync").exists() {
         return;
     }
@@ -166,6 +173,12 @@ fn ours_sequence_replay_script_replays_all_steps() {
     let script = PathBuf::from(env!("CARGO_MANIFEST_DIR"))
         .join("scripts/cir/run_cir_replay_sequence_ours.sh");
     let out = Command::new(script)
+        .env("CIR_MATERIALIZE_BIN", env!("CARGO_BIN_EXE_cir_materialize"))
+        .env("CIR_EXTRACT_INPUTS_BIN", env!("CARGO_BIN_EXE_cir_extract_inputs"))
+        .env(
+            "CCR_TO_COMPARE_VIEWS_BIN",
+            env!("CARGO_BIN_EXE_ccr_to_compare_views"),
+        )
         .args([
             "--sequence-root",
             sequence_root.to_string_lossy().as_ref(),

tests/test_cli_payload_delta_replay_smoke.rs

@@ -1,7 +1,14 @@
 use std::process::Command;
 
+fn skip_heavy_blackbox_test() -> bool {
+    std::env::var_os("RPKI_SKIP_HEAVY_BLACKBOX_TESTS").is_some()
+}
+
 #[test]
 fn cli_payload_delta_replay_rejects_wrong_base_locks() {
+    if skip_heavy_blackbox_test() {
+        return;
+    }
     let bin = env!("CARGO_BIN_EXE_rpki");
     let db_dir = tempfile::tempdir().expect("db tempdir");
     let out_dir = tempfile::tempdir().expect("out tempdir");

tests/test_cli_payload_replay_smoke.rs

@@ -1,7 +1,14 @@
 use std::process::Command;
 
+fn skip_heavy_blackbox_test() -> bool {
+    std::env::var_os("RPKI_SKIP_HEAVY_BLACKBOX_TESTS").is_some()
+}
+
 #[test]
 fn cli_payload_replay_root_only_smoke_writes_report_json() {
+    if skip_heavy_blackbox_test() {
+        return;
+    }
     let bin = env!("CARGO_BIN_EXE_rpki");
     let db_dir = tempfile::tempdir().expect("db tempdir");
     let out_dir = tempfile::tempdir().expect("out tempdir");

tests/test_cli_run_offline_m18.rs

@@ -1,5 +1,9 @@
 use std::process::Command;
 
+fn skip_heavy_blackbox_test() -> bool {
+    std::env::var_os("RPKI_SKIP_HEAVY_BLACKBOX_TESTS").is_some()
+}
+
 #[test]
 fn cli_run_offline_mode_executes_and_writes_json_and_ccr() {
     let db_dir = tempfile::tempdir().expect("db tempdir");
@@ -134,6 +138,9 @@ fn cli_run_offline_mode_writes_cir_and_static_pool() {
 
 #[test]
 fn cli_run_blackbox_rsync_wrapper_mode_matches_reference_ccr_without_ta_path() {
+    if skip_heavy_blackbox_test() {
+        return;
+    }
     let real_rsync = std::path::Path::new("/usr/bin/rsync");
     if !real_rsync.exists() {
         return;

tests/test_router_cert_m4.rs

@@ -14,6 +14,10 @@ fn openssl_available() -> bool {
         .unwrap_or(false)
 }
 
+fn skip_heavy_crypto_test() -> bool {
+    std::env::var_os("RPKI_SKIP_HEAVY_CRYPTO_TESTS").is_some()
+}
+
 fn run(cmd: &mut Command) {
     let out = cmd.output().expect("run command");
     if !out.status.success() {
@@ -258,6 +262,9 @@ authorityKeyIdentifier = keyid:always
 
 #[test]
 fn decode_bgpsec_router_certificate_fixture_smoke() {
+    if skip_heavy_crypto_test() {
+        return;
+    }
     let g = generate_router_cert_with_variant("ec-p256", true, "");
     let cert = BgpsecRouterCertificate::decode_der(&g.router_der).expect("decode router cert");
     assert_eq!(cert.resource_cert.kind, ResourceCertKind::Ee);
@@ -268,6 +275,9 @@ fn decode_bgpsec_router_certificate_fixture_smoke() {
 
 #[test]
 fn router_certificate_profile_rejects_missing_eku() {
+    if skip_heavy_crypto_test() {
+        return;
+    }
     let g = generate_router_cert_with_variant("ec-p256", false, "");
     let err = BgpsecRouterCertificate::decode_der(&g.router_der).unwrap_err();
     assert!(
@@ -284,6 +294,9 @@ fn router_certificate_profile_rejects_missing_eku() {
 
 #[test]
 fn router_certificate_profile_rejects_sia_and_ip_resources_and_ranges() {
+    if skip_heavy_crypto_test() {
+        return;
+    }
     let g = generate_router_cert_with_variant(
         "ec-p256",
         true,
@@ -335,6 +348,9 @@ fn router_certificate_profile_rejects_sia_and_ip_resources_and_ranges() {
 
 #[test]
 fn router_certificate_profile_rejects_wrong_spki_algorithm_or_curve() {
+    if skip_heavy_crypto_test() {
+        return;
+    }
     let g = generate_router_cert_with_variant("rsa", true, "");
     let err = BgpsecRouterCertificate::decode_der(&g.router_der).unwrap_err();
     assert!(
@@ -363,6 +379,9 @@ fn router_certificate_profile_rejects_wrong_spki_algorithm_or_curve() {
 
 #[test]
 fn router_certificate_path_validation_accepts_valid_and_rejects_wrong_issuer() {
+    if skip_heavy_crypto_test() {
+        return;
+    }
     use rpki::data_model::common::BigUnsigned;
     use rpki::data_model::crl::RpkixCrl;
     use std::collections::HashSet;