semi implemented and features implemented save checkpoint

docs/features/unchecked/cryptography/additional-crypto-profiles.md

@@ -0,0 +1,40 @@
+# Additional Crypto Profiles (GOST, SM2, eIDAS, PQC)
+
+## Status
+IMPLEMENTED (PARTIALLY)
+
+## Description
+The advisory explicitly deferred GOST R 34.10-2012, SM2, eIDAS, and post-quantum crypto profiles to future work. Note: the broader repo does have crypto modules under src/Cryptography and src/SmRemote, but those are part of separate efforts.
+
+## Why Marked as Dropped (Correction)
+**FINDING: These crypto profiles ARE implemented as plugins.** The following plugin projects exist under `src/Cryptography/`:
+- `StellaOps.Cryptography.Plugin.Gost` -- GOST R 34.10-2012 support via `GostPlugin.cs`
+- `StellaOps.Cryptography.Plugin.Eidas` -- eIDAS support via `EidasPlugin.cs`, includes ETSI conformance test vectors
+- `StellaOps.Cryptography.Plugin.Sm` -- SM2/SM3 support
+- `StellaOps.Cryptography.Plugin.Fips` -- FIPS 140 compliance plugin
+- `StellaOps.Cryptography.Plugin.Hsm` -- HSM integration plugin
+
+Additional infrastructure: `StellaOps.Cryptography.Plugin` base class (`CryptoPluginBase.cs`), `MultiProfileSigner.cs`, `SignatureProfile.cs`, ECDSA and EdDSA profile libraries. PQC (post-quantum) is the only profile that does not appear to have a dedicated plugin yet.
+
+## Implementation Details
+- Plugin architecture: `src/Cryptography/StellaOps.Cryptography.Plugin/CryptoPluginBase.cs`
+- GOST: `src/Cryptography/StellaOps.Cryptography.Plugin.Gost/GostPlugin.cs`
+- eIDAS: `src/Cryptography/StellaOps.Cryptography.Plugin.Eidas/EidasPlugin.cs`
+- SM2: `src/Cryptography/StellaOps.Cryptography.Plugin.Sm/`
+- FIPS: `src/Cryptography/StellaOps.Cryptography.Plugin.Fips/`
+- HSM: `src/Cryptography/StellaOps.Cryptography.Plugin.Hsm/`
+- Tests: `src/Cryptography/__Tests/`, plus tests in `src/__Libraries/__Tests/StellaOps.Cryptography.Tests/`
+
+## E2E Test Plan
+- Verify each crypto plugin can sign and verify payloads
+- Validate ETSI conformance test vectors pass for eIDAS plugin
+- Test multi-profile signing via MultiProfileSigner
+- Confirm plugin discovery and loading via CryptoPluginBase
+
+## Source
+- Feature matrix scan
+
+## Notes
+- Module: Cryptography
+- Modules referenced: `src/Cryptography/`, `src/SmRemote/`
+- **Status should be reclassified from NOT_FOUND to IMPLEMENTED (PARTIALLY) -- only PQC remains unimplemented**

docs/features/unchecked/cryptography/crypto-provider-plugin-architecture.md

@@ -0,0 +1,34 @@
+# Crypto Provider Plugin Architecture (GOST, SM, FIPS, eIDAS)
+
+## Module
+Cryptography
+
+## Status
+IMPLEMENTED
+
+## Description
+Full plugin-based crypto architecture with dedicated plugins for GOST, SM (Chinese), FIPS, and eIDAS regional crypto profiles. MultiProfileSigner supports runtime profile selection.
+
+## Implementation Details
+- **CryptoPluginBase**: `src/Cryptography/StellaOps.Cryptography.Plugin/CryptoPluginBase.cs` -- abstract base class for all crypto plugins implementing IPlugin + ICryptoCapability; provides lifecycle management, SignAsync/VerifyAsync/EncryptAsync/DecryptAsync/HashAsync abstract methods, CanHandle for algorithm routing
+- **GostPlugin**: `src/Cryptography/StellaOps.Cryptography.Plugin.Gost/GostPlugin.cs` -- GOST R 34.10-2012 / GOST R 34.11-2012 (Streebog) crypto provider for Russian Federation compliance
+- **SmPlugin**: `src/Cryptography/StellaOps.Cryptography.Plugin.Sm/SmPlugin.cs` -- SM2/SM3/SM4 crypto provider for Chinese national standards compliance
+- **FipsPlugin**: `src/Cryptography/StellaOps.Cryptography.Plugin.Fips/FipsPlugin.cs` -- FIPS 140-2/3 compliant crypto provider restricting operations to FIPS-approved algorithms
+- **EidasPlugin**: `src/Cryptography/StellaOps.Cryptography.Plugin.Eidas/EidasPlugin.cs` -- EU eIDAS regulation crypto provider with qualified timestamping and CAdES signature support
+- **HsmPlugin**: `src/Cryptography/StellaOps.Cryptography.Plugin.Hsm/HsmPlugin.cs` -- Hardware Security Module plugin with PKCS#11 integration
+- **MultiProfileSigner**: `src/Cryptography/StellaOps.Cryptography/MultiProfileSigner.cs` -- orchestrates concurrent signing with multiple IContentSigner profiles (e.g., EdDSA + GOST dual-stack); SignAllAsync runs all profiles via Task.WhenAll; returns MultiSignatureResult with all signatures + timestamp
+- **IContentSigner**: `src/Cryptography/StellaOps.Cryptography/IContentSigner.cs` -- signer interface: SignAsync, Profile, Algorithm, KeyId; extends IDisposable
+- **IContentVerifier**: `src/Cryptography/StellaOps.Cryptography/IContentVerifier.cs` -- verifier interface
+- **SignatureProfile**: `src/Cryptography/StellaOps.Cryptography/SignatureProfile.cs` -- enum/model for crypto profiles
+- **Models**: `src/Cryptography/StellaOps.Cryptography/Models/` -- MultiSignatureResult, SignatureResult, Signature, VerificationResult
+- **Tests**: `src/Cryptography/__Tests/StellaOps.Cryptography.Tests/CryptographyModelTests.cs`
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Verify each crypto plugin (GOST, SM, FIPS, eIDAS, HSM) can be loaded and initialized through the plugin system
+- [ ] Verify CryptoPluginBase lifecycle: initialization, health check, and disposal
+- [ ] Test CanHandle routes signing requests to the correct plugin based on algorithm prefix
+- [ ] Verify MultiProfileSigner signs with all configured profiles concurrently and returns combined result
+- [ ] Test dual-stack signing (e.g., EdDSA + GOST) produces two independent signatures
+- [ ] Verify plugin health checks report connected/disconnected status
+- [ ] Verify FIPS plugin rejects non-FIPS-approved algorithms

docs/features/unchecked/cryptography/eidas-qualified-timestamping.md

@@ -0,0 +1,35 @@
+# eIDAS Qualified Timestamping
+
+## Module
+Cryptography
+
+## Status
+IMPLEMENTED
+
+## Description
+EU-qualified timestamp verification with TSA configuration, EU Trust List integration, and CAdES signature building for eIDAS compliance.
+
+## Implementation Details
+- **EidasPlugin**: `src/Cryptography/StellaOps.Cryptography.Plugin.Eidas/EidasPlugin.cs` -- eIDAS crypto provider plugin extending CryptoPluginBase
+- **QualifiedTimestampVerifier**: `src/Cryptography/StellaOps.Cryptography.Plugin.Eidas/Timestamping/QualifiedTimestampVerifier.cs` -- verifies RFC 3161 timestamps from EU-qualified TSAs against the EU Trust List
+- **IQualifiedTimestampVerifier**: `src/Cryptography/StellaOps.Cryptography.Plugin.Eidas/Timestamping/IQualifiedTimestampVerifier.cs` -- verification interface
+- **EuTrustListService**: `src/Cryptography/StellaOps.Cryptography.Plugin.Eidas/Timestamping/EuTrustListService.cs` -- fetches and caches the EU Trusted List of TSA providers for validation
+- **IEuTrustListService**: `src/Cryptography/StellaOps.Cryptography.Plugin.Eidas/Timestamping/IEuTrustListService.cs` -- trust list interface
+- **TimestampModeSelector**: `src/Cryptography/StellaOps.Cryptography.Plugin.Eidas/Timestamping/TimestampModeSelector.cs` -- selects between qualified and standard timestamping based on configuration and TSA availability
+- **ITimestampModeSelector**: `src/Cryptography/StellaOps.Cryptography.Plugin.Eidas/Timestamping/ITimestampModeSelector.cs` -- mode selection interface
+- **CadesSignatureBuilder**: `src/Cryptography/StellaOps.Cryptography.Plugin.Eidas/Timestamping/CadesSignatureBuilder.cs` -- builds CAdES (CMS Advanced Electronic Signatures) signatures with embedded timestamps per EU regulation requirements
+- **ICadesSignatureBuilder**: `src/Cryptography/StellaOps.Cryptography.Plugin.Eidas/Timestamping/ICadesSignatureBuilder.cs` -- CAdES builder interface
+- **QualifiedTsaConfiguration**: `src/Cryptography/StellaOps.Cryptography.Plugin.Eidas/Timestamping/QualifiedTsaConfiguration.cs` -- TSA endpoint URL, authentication, certificate chain configuration
+- **EidasTimestampingExtensions**: `src/Cryptography/StellaOps.Cryptography.Plugin.Eidas/Timestamping/EidasTimestampingExtensions.cs` -- DI registration extensions for eIDAS timestamping services
+- **EtsiConformanceTestVectors**: `src/Cryptography/StellaOps.Cryptography.Plugin.Eidas/Tests/EtsiConformanceTestVectors.cs` -- ETSI conformance test vectors
+- **Tests**: `src/Cryptography/__Tests/StellaOps.Cryptography.Tests/Eidas/QualifiedTsaProviderTests.cs`, `TimestampModeSelectorTests.cs`
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Verify qualified timestamp verification validates RFC 3161 timestamp against EU Trust List
+- [ ] Test timestamp mode selector chooses qualified mode when TSA is available and standard mode as fallback
+- [ ] Verify CAdES signature builder produces valid CMS Advanced Electronic Signatures with embedded timestamps
+- [ ] Test EU Trust List service fetches and caches TSA provider list
+- [ ] Verify QualifiedTsaConfiguration validates TSA endpoint URL and certificate chain
+- [ ] Test ETSI conformance test vectors pass validation
+- [ ] Verify timestamp verification fails for non-qualified TSA providers

docs/features/unchecked/cryptography/hardware-backed-org-key-kms-signing.md

@@ -0,0 +1,30 @@
+# Hardware-Backed Org Key / KMS Signing
+
+## Module
+Cryptography
+
+## Status
+IMPLEMENTED
+
+## Description
+HSM and KMS key support via pluggable cryptography module with dedicated plugins for hardware-backed signing.
+
+## Implementation Details
+- **HsmPlugin**: `src/Cryptography/StellaOps.Cryptography.Plugin.Hsm/HsmPlugin.cs` -- PKCS#11 HSM integration supporting RSA (SHA-256/384/512, PSS-SHA256), ECDSA (P-256, P-384), and AES-GCM (128/256) operations; ConnectAsync/DisconnectAsync for HSM session management; simulation mode for testing without hardware
+- **Pkcs11HsmClientImpl**: `src/Cryptography/StellaOps.Cryptography.Plugin.Hsm/Pkcs11HsmClientImpl.cs` -- production PKCS#11 native library wrapper for hardware key operations
+- **CryptoPluginBase**: `src/Cryptography/StellaOps.Cryptography.Plugin/CryptoPluginBase.cs` -- base class providing plugin lifecycle + ICryptoCapability interface with Sign/Verify/Encrypt/Decrypt/Hash operations
+- **MultiProfileSigner**: `src/Cryptography/StellaOps.Cryptography/MultiProfileSigner.cs` -- orchestrates concurrent signing with multiple profiles (e.g., HSM-backed + software EdDSA dual-stack)
+- **IContentSigner**: `src/Cryptography/StellaOps.Cryptography/IContentSigner.cs` -- abstraction: SignAsync, Profile, Algorithm, KeyId
+- **DefaultSigningKeyResolver**: `src/Signer/StellaOps.Signer/StellaOps.Signer.Infrastructure/Signing/DefaultSigningKeyResolver.cs` -- resolves signing keys from trust anchors and key management
+- **CryptoDsseSigner**: `src/Signer/StellaOps.Signer/StellaOps.Signer.Infrastructure/Signing/CryptoDsseSigner.cs` -- DSSE signer using crypto plugin infrastructure
+- **Tests**: `src/Cryptography/__Tests/StellaOps.Cryptography.Tests/Hsm/Pkcs11HsmClientIntegrationTests.cs`, `src/Signer/StellaOps.Signer/StellaOps.Signer.Tests/Integration/CryptoDsseSignerIntegrationTests.cs`, `MultiPluginSignVerifyIntegrationTests.cs`
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Verify HSM-backed signing via PKCS#11 produces valid signatures verifiable with the corresponding public key
+- [ ] Verify HSM key operations work through the CryptoPluginBase plugin interface
+- [ ] Test multi-profile signing with HSM + software key profiles combined
+- [ ] Verify signing key resolution from trust anchors routes to HSM plugin for HSM-prefixed algorithms
+- [ ] Test CryptoDsseSigner produces valid DSSE envelopes when backed by HSM keys
+- [ ] Verify HSM disconnect and reconnect behavior during key operations
+- [ ] Test simulation mode provides functional signing for development/testing environments

docs/features/unchecked/cryptography/hsm-integration.md

@@ -0,0 +1,31 @@
+# HSM Integration (PKCS#11)
+
+## Module
+Cryptography
+
+## Status
+IMPLEMENTED
+
+## Description
+PKCS#11 HSM client implementation for hardware security module integration, with integration tests.
+
+## Implementation Details
+- **HsmPlugin**: `src/Cryptography/StellaOps.Cryptography.Plugin.Hsm/HsmPlugin.cs` -- HSM crypto plugin extending CryptoPluginBase; supports algorithms: HSM-RSA-SHA256/384/512, HSM-RSA-PSS-SHA256, HSM-ECDSA-P256/P384, HSM-AES-128/256-GCM; initializes with PKCS#11 library path (or simulation mode when unconfigured); SignAsync/VerifyAsync/EncryptAsync/DecryptAsync delegate to IHsmClient; HashAsync (SHA-256/384/512) computed locally; health check reports connected/disconnected/degraded status with slot info
+- **IHsmClient**: `src/Cryptography/StellaOps.Cryptography.Plugin.Hsm/HsmPlugin.cs` -- HSM client interface: ConnectAsync (slotId, pin), DisconnectAsync, PingAsync, SignAsync, VerifyAsync, EncryptAsync, DecryptAsync
+- **Pkcs11HsmClientImpl**: `src/Cryptography/StellaOps.Cryptography.Plugin.Hsm/Pkcs11HsmClientImpl.cs` -- production PKCS#11 client implementation wrapping native PKCS#11 library
+- **Pkcs11HsmClient**: `src/Cryptography/StellaOps.Cryptography.Plugin.Hsm/HsmPlugin.cs` -- adapter delegating to Pkcs11HsmClientImpl with connection management
+- **SimulatedHsmClient**: `src/Cryptography/StellaOps.Cryptography.Plugin.Hsm/HsmPlugin.cs` -- test double for HSM operations without hardware: generates RSA-2048 + AES-256 keys on connect; RSA sign/verify with PKCS1/PSS padding; AES-GCM encrypt/decrypt with IV + tag management
+- **HsmOptions**: `src/Cryptography/StellaOps.Cryptography.Plugin.Hsm/HsmPlugin.cs` -- configuration: LibraryPath (.so/.dll path, empty for simulation), SlotId, Pin, TokenLabel, ConnectionTimeoutSeconds (30), ReadOnlySession flag
+- **HsmMechanism**: enum for signing/encryption mechanism mapping: RsaSha256/384/512, RsaPssSha256, EcdsaP256/P384, Aes128Gcm, Aes256Gcm
+- **Tests**: `src/Cryptography/__Tests/StellaOps.Cryptography.Tests/Hsm/Pkcs11HsmClientIntegrationTests.cs`, `SoftHsmTestFixture.cs`
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Verify HSM plugin initializes in simulation mode when no library path is configured
+- [ ] Verify HSM plugin connects to PKCS#11 library when LibraryPath is set
+- [ ] Test RSA signing and verification with SHA-256/384/512 and PKCS1/PSS padding
+- [ ] Test ECDSA P-256 and P-384 signing and verification
+- [ ] Test AES-128-GCM and AES-256-GCM encryption and decryption
+- [ ] Verify health check returns Unhealthy when not connected, Degraded on slow response, Healthy with slot details
+- [ ] Verify CanHandle only accepts algorithms with HSM- prefix
+- [ ] Test plugin lifecycle: initialize -> active -> health check -> dispose (disconnect)

docs/features/unchecked/cryptography/regional-crypto-profiles.md

@@ -0,0 +1,35 @@
+# Regional Crypto Profiles (FIPS, GOST, eIDAS, SM)
+
+## Module
+Cryptography
+
+## Status
+IMPLEMENTED
+
+## Description
+Full crypto profile system with plugins for FIPS, GOST, eIDAS (with qualified timestamping), SM (Chinese standards), and HSM (PKCS#11). Supports multi-profile signing and EdDSA/ECDSA-P256 profiles.
+
+## Implementation Details
+- **FipsPlugin**: `src/Cryptography/StellaOps.Cryptography.Plugin.Fips/FipsPlugin.cs` -- FIPS 140-2/3 compliant crypto provider restricting to approved algorithms (RSA, ECDSA, AES-GCM, SHA-2)
+- **GostPlugin**: `src/Cryptography/StellaOps.Cryptography.Plugin.Gost/GostPlugin.cs` -- Russian Federation GOST R 34.10-2012 (digital signatures) and GOST R 34.11-2012 Streebog (hashing) provider
+- **EidasPlugin**: `src/Cryptography/StellaOps.Cryptography.Plugin.Eidas/EidasPlugin.cs` -- EU eIDAS provider with qualified timestamping (QualifiedTimestampVerifier, EuTrustListService, TimestampModeSelector) and CAdES signature building (CadesSignatureBuilder)
+- **SmPlugin**: `src/Cryptography/StellaOps.Cryptography.Plugin.Sm/SmPlugin.cs` -- Chinese national standards: SM2 (elliptic curve), SM3 (hash), SM4 (block cipher) provider
+- **HsmPlugin**: `src/Cryptography/StellaOps.Cryptography.Plugin.Hsm/HsmPlugin.cs` -- PKCS#11 HSM integration with RSA/ECDSA/AES-GCM support
+- **CryptoPluginBase**: `src/Cryptography/StellaOps.Cryptography.Plugin/CryptoPluginBase.cs` -- abstract base for all crypto plugins; lifecycle management + ICryptoCapability interface
+- **MultiProfileSigner**: `src/Cryptography/StellaOps.Cryptography/MultiProfileSigner.cs` -- concurrent multi-profile signing via Task.WhenAll across IContentSigner profiles; returns MultiSignatureResult with all signatures
+- **Ed25519Signer/Verifier**: `src/Cryptography/StellaOps.Cryptography.Profiles.EdDsa/Ed25519Signer.cs`, `Ed25519Verifier.cs` -- EdDSA Ed25519 profile implementation
+- **EcdsaP256Signer**: `src/Cryptography/StellaOps.Cryptography.Profiles.Ecdsa/EcdsaP256Signer.cs` -- ECDSA P-256 profile implementation
+- **IContentSigner/IContentVerifier**: `src/Cryptography/StellaOps.Cryptography/IContentSigner.cs`, `IContentVerifier.cs` -- signer/verifier abstractions with Profile, Algorithm, KeyId
+- **SignatureProfile**: `src/Cryptography/StellaOps.Cryptography/SignatureProfile.cs` -- profile model
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Verify each regional plugin (FIPS, GOST, eIDAS, SM, HSM) loads and passes health check
+- [ ] Verify FIPS plugin rejects non-FIPS algorithms and accepts approved ones
+- [ ] Verify GOST plugin supports GOST R 34.10-2012 signing and GOST R 34.11-2012 hashing
+- [ ] Verify eIDAS plugin integrates qualified timestamping with EU Trust List validation
+- [ ] Verify SM plugin supports SM2 signing, SM3 hashing, SM4 encryption
+- [ ] Test multi-profile signing with EdDSA + GOST dual-stack produces two independent signatures
+- [ ] Verify Ed25519 signer/verifier round-trip (sign then verify)
+- [ ] Verify ECDSA P-256 signer round-trip
+- [ ] Test profile selection routes to correct plugin based on algorithm