up the blokcing tasks

docs/security/crypto-profile-configuration.md

@@ -0,0 +1,71 @@
+# Crypto Profile Configuration · 2025-12-11
+
+How to pick regional crypto profiles, choose between free/paid providers, and enable simulations while hardware or licenses are pending.
+
+## Quick selectors
+- Compliance profile (hash/sign policy): `STELLAOPS_CRYPTO_COMPLIANCE_PROFILE=world|fips|gost|sm|kcmvp|eidas` (or config `Crypto:Compliance:ProfileId`).
+- Registry ordering: set `StellaOps:Crypto:Registry:ActiveProfile` (env: `STELLAOPS__CRYPTO__REGISTRY__ACTIVEPROFILE`) and `PreferredProviders`.
+- Simulation toggle: `STELLAOPS_CRYPTO_ENABLE_SIM=1` (adds `sim.crypto.remote` to the registry); `STELLAOPS_CRYPTO_SIM_URL=http://host:8080` if the simulator runs remotely.
+
+## Step-by-step: pick a region
+1) Choose the compliance profile ID and set `STELLAOPS_CRYPTO_COMPLIANCE_PROFILE`.
+2) Set `StellaOps:Crypto:Registry:ActiveProfile` to the region (see table below) and order the `PreferredProviders`.
+3) Decide on provider type:
+   - Free/OSS: OpenSSL GOST (RU), SM soft, PQ soft, FIPS/eIDAS/KCMVP soft baselines.
+   - Paid/licensed: CryptoPro (RU), QSCD (eIDAS), certified FIPS/KCMVP modules when available.
+   - Simulation: enable `STELLAOPS_CRYPTO_ENABLE_SIM=1` and point `STELLAOPS_CRYPTO_SIM_URL` to `sim-crypto-service`.
+4) Apply any provider-specific env (e.g., `CRYPTOPRO_ACCEPT_EULA=1`, `SM_SOFT_ALLOWED=1`, `PQ_SOFT_ALLOWED=1`, PKCS#11 PINs).
+5) Capture evidence: JWKS export + `CryptoProviderMetrics` + fixed-message sign/verify logs.
+6) If you only need a smoke check without full tests, run `dotnet run --project ops/crypto/sim-crypto-smoke/SimCryptoSmoke.csproj` against a running simulator.
+
+## Choosing a region
+| Region | Compliance profile | Registry profile / providers | Free vs paid | Simulation |
+| --- | --- | --- | --- | --- |
+| RU (OSS) | `gost` | `ActiveProfile: ru-offline`; providers: `ru.openssl.gost`, `ru.pkcs11` | Free (OpenSSL) path on Linux. Optional remote signer: set `STELLAOPS_RU_OPENSSL_REMOTE_URL=http://host:9090` (see `docs/security/openssl-gost-remote.md`). | `STELLAOPS_CRYPTO_ENABLE_SIM=1`; sim covers GOST12 + Magma/Kuznyechik when hardware/licensing is unavailable. |
+| RU (CryptoPro paid) | `gost` | Same profile; ensure `ru.cryptopro.csp` registered. | Linux-only CSP service: bind customer `.deb` packages to `/opt/cryptopro/downloads`, set `CRYPTOPRO_ACCEPT_EULA=1`, run `ops/cryptopro/linux-csp-service`. Licensing model documented in `docs/legal/crypto-compliance-review.md`. | Use simulator until licenses are supplied. |
+| CN (SM) | `sm` | `ActiveProfile: sm`; providers: `cn.sm.soft` (env `SM_SOFT_ALLOWED=1`), optional PKCS#11. | Hardware/PKCS#11 wiring in `docs/security/sm-hardware-simulation.md`. | `sim-crypto-service` handles `SM2` (`sim.crypto.remote`). |
+| FIPS (US) | `fips` | Providers: `fips.ecdsa.soft` (env `FIPS_SOFT_ALLOWED`), KMS/OpenSSL FIPS when available. | Certified module runbook: `docs/security/fips-eidas-kcmvp-validation.md`. | Simulator covers `ES256/384/512` (`sim.crypto.remote`). |
+| eIDAS (EU) | `eidas` | Providers: `eu.eidas.soft` (env `EIDAS_SOFT_ALLOWED`). | QSCD bring-up in `docs/security/fips-eidas-kcmvp-validation.md`. | Simulator (`sim.crypto.remote`) until QSCD arrives. |
+| KCMVP (KR) | `kcmvp` | Providers: `kr.kcmvp.hash` (env `KCMVP_HASH_ALLOWED=1`), future KCDSA/ARIA/SEED module. | Hardware flow in `docs/security/fips-eidas-kcmvp-validation.md`. | Simulator (`sim.crypto.remote`) while awaiting certified module. |
+| PQ addenda | (overlay) | Enable via `PQ_SOFT_ALLOWED=1`; provider `pq.soft`. | Uses liboqs/BouncyCastle soft providers. | Simulator available via `sim.crypto.remote` if you want a remote signer. |
+
+## Sample config (appsettings.json)
+```json
+{
+  "StellaOps": {
+    "Crypto": {
+      "Registry": {
+        "ActiveProfile": "ru-offline",
+        "PreferredProviders": [ "ru.openssl.gost", "ru.pkcs11", "sim.crypto.remote" ]
+      },
+      "Sim": {
+        "BaseAddress": "http://localhost:8080"
+      }
+    },
+    "Compliance": {
+      "ProfileId": "gost",
+      "StrictValidation": true
+    }
+  }
+}
+```
+
+## Licensing and hardware notes
+- CryptoPro: customer-provided `.deb` packages, Linux only. Accept EULA via `CRYPTOPRO_ACCEPT_EULA=1`; service wrapper at `ops/cryptopro/linux-csp-service`. Licensing/export posture is in `docs/legal/crypto-compliance-review.md`.
+- SM hardware: bring-up and PKCS#11 wiring in `docs/security/sm-hardware-simulation.md`.
+- FIPS/eIDAS/KCMVP hardware/QSCD: runbook in `docs/security/fips-eidas-kcmvp-validation.md`.
+- OpenSSL GOST remote signer (OSS baseline) in `docs/security/openssl-gost-remote.md`.
+
+## Simulation guidance
+- Default simulator: `ops/crypto/sim-crypto-service` + provider `sim.crypto.remote` (see `docs/security/crypto-simulation-services.md`).
+- Use the simulator to close sprints until certified evidence is available; keep “non-certified” labels in RootPack manifests.
+- Quick simulation steps:
+  1) `docker build -t sim-crypto -f ops/crypto/sim-crypto-service/Dockerfile ops/crypto/sim-crypto-service`
+  2) `docker run --rm -p 8080:8080 sim-crypto`
+  3) Set `STELLAOPS_CRYPTO_ENABLE_SIM=1` and `STELLAOPS_CRYPTO_SIM_URL=http://localhost:8080`
+  4) Keep `sim.crypto.remote` first in `PreferredProviders` for the target profile.
+
+## Evidence expectations
+- JWKS export from Authority/Signer for the active profile.
+- `CryptoProviderMetrics` showing the chosen provider ID (oss, paid, or sim).
+- Fixed-message signing/verification logs (`stellaops-crypto-profile-check`) for audit trails.

docs/security/crypto-simulation-services.md

@@ -0,0 +1,58 @@
+# Crypto Simulation Services · 2025-12-11
+
+Use these simulation paths when licensed hardware or certified modules are unavailable. They let us keep the registry/profile contracts stable while we wait for customer licenses (CryptoPro), QSCD devices (eIDAS), KCMVP modules, or SM PKCS#11 tokens.
+
+## Unified simulator (sim-crypto-service)
+- Location: `ops/crypto/sim-crypto-service/`
+- Provider ID: `sim.crypto.remote`
+- Algorithms covered:
+  - GOST: `GOST12-256`, `GOST12-512`, `ru.magma.sim`, `ru.kuznyechik.sim` (deterministic HMAC-SHA256)
+  - SM: `SM2`, `sm.sim`, `sm2.sim` (deterministic HMAC-SHA256)
+  - PQ: `DILITHIUM3`, `FALCON512`, `pq.sim` (deterministic HMAC-SHA256)
+  - FIPS/eIDAS/KCMVP/world: `ES256`, `ES384`, `ES512`, `fips.sim`, `eidas.sim`, `kcmvp.sim`, `world.sim` (ECDSA P-256 with static key)
+- Run:
+  ```bash
+  docker build -t sim-crypto -f ops/crypto/sim-crypto-service/Dockerfile ops/crypto/sim-crypto-service
+  docker run --rm -p 8080:8080 sim-crypto
+  curl -s -X POST http://localhost:8080/sign -d '{"message":"hello","algorithm":"SM2"}'
+  ```
+- Wire:
+  - Set `STELLAOPS_CRYPTO_ENABLE_SIM=1` to append `sim.crypto.remote` to registry ordering.
+  - Point the client: `STELLAOPS_CRYPTO_SIM_URL=http://<host>:8080` or bind `StellaOps:Crypto:Sim:BaseAddress`.
+  - The `SimRemoteProviderOptions.Algorithms` default list already includes the IDs above; extend if you add new aliases.
+- Quick check:
+  ```bash
+  curl -s -X POST http://localhost:8080/sign -d '{"message":"stellaops-sim-check","algorithm":"SM2"}'
+  ```
+- Headless smoke harness (no VSTest): `dotnet run --project ops/crypto/sim-crypto-smoke/SimCryptoSmoke.csproj` (env: `STELLAOPS_CRYPTO_SIM_URL`, optional `SIM_ALGORITHMS=SM2,pq.sim,ES256`).
+
+## Regional notes
+- **RU (GOST)**: OSS remote signer available at `docs/security/openssl-gost-remote.md`. Licensed CryptoPro path is Linux-only via `ops/cryptopro/linux-csp-service` (customer debs, `CRYPTOPRO_ACCEPT_EULA=1`); use the simulator above when licensing is unavailable.
+- **CN (SM)**: Hardware/PKCS#11 bring-up in `docs/security/sm-hardware-simulation.md`. Legacy SM-only simulator is retired; use `sim-crypto-service` for SM2 tests.
+- **FIPS / eIDAS / KCMVP**: Hardware/QSCD runbook in `docs/security/fips-eidas-kcmvp-validation.md`. Until certified modules arrive, rely on the simulator above and keep profiles labeled “non-certified.”
+- **PQ**: Built-in `pq.soft` remains the baseline; the simulator is available for integration tests that expect a remote signer.
+
+## Config snippet (example)
+```json
+{
+  "StellaOps": {
+    "Crypto": {
+      "Registry": {
+        "ActiveProfile": "sm",
+        "PreferredProviders": [ "sim.crypto.remote", "cn.sm.soft" ]
+      },
+      "Sim": {
+        "BaseAddress": "http://localhost:8080"
+      }
+    }
+  }
+}
+```
+
+## Evidence to capture
+- JWKS export showing `sim.crypto.remote` keys.
+- `CryptoProviderMetrics` with the simulated provider ID.
+- Sample signatures/hashes from fixed message `stellaops-sim-vector`.
+
+## Status
+- Simulation coverage exists for all regions; real licensing/hardware remains customer-supplied. Use this doc to unblock sprint closures until certified evidence arrives.

docs/security/fips-eidas-kcmvp-validation.md

@@ -0,0 +1,77 @@
+# FIPS / eIDAS / KCMVP Hardware Validation Runbook · 2025-12-11
+
+Use this runbook to validate hardware-backed crypto for the FIPS, eIDAS, and KCMVP profiles. When hardware is unavailable, keep the “non-certified” label and use the simulator (`ops/crypto/sim-crypto-service`) to exercise the registry path.
+
+## Common prerequisites
+- Hosts: Linux runners for FIPS/OpenSSL FIPS provider; EU QSCD host (HSM/smartcard) for eIDAS; KR host for KCMVP modules.
+- Config: set `StellaOps:Crypto:Registry:ActiveProfile` to `fips`, `eidas`, or `kcmvp`.
+- Evidence bundle: JWKS snapshot, `CryptoProviderMetrics` scrape, signing/verification logs for the fixed message `stellaops-validation-msg`.
+- Simulator fallback: `STELLAOPS_CRYPTO_ENABLE_SIM=1` and `STELLAOPS_CRYPTO_SIM_URL=http://<host>:8080` if hardware is missing.
+
+## FIPS (baseline or certified)
+1) Enable the profile:
+   ```yaml
+   StellaOps:
+     Crypto:
+       Registry:
+         ActiveProfile: fips
+       Fips:
+         UseBclFipsMode: true    # or OpenSSL FIPS provider path
+   ```
+2) If using AWS KMS FIPS endpoints, set `AWS_USE_FIPS_ENDPOINTS=true` and target a FIPS-enabled region.
+3) Run signing tests (Authority/Signer/Attestor) with `FIPS_SOFT_ALLOWED=0` when a certified module is present; otherwise leave it at the default soft mode.
+4) Capture evidence:
+   - `openssl fipsinstall -module <path>` output (if OpenSSL FIPS).
+   - JWKS export (P-256/384/521).
+   - `CryptoProviderMetrics` counts for `fips.ecdsa.*`.
+5) Keep the “non-certified” label until CMVP evidence is attached; simulator may be used for CI smoke only.
+
+## eIDAS (QSCD)
+1) Configure QSCD trust store and device:
+   ```yaml
+   StellaOps:
+     Crypto:
+       Registry:
+         ActiveProfile: eidas
+       Pkcs11:
+         LibraryPath: /usr/lib/qscd/libpkcs11.so
+         Keys:
+           - KeyId: eidas-qscd
+             SlotId: 0
+             PinEnvVar: EIDAS_QSCD_PIN
+             Algorithm: ecdsa-p256
+   ```
+2) Import the qualified cert to the trust store; capture OCSP/CRL endpoints.
+3) Export JWKS from Authority/Signer; verify `kid` and `crv` match the QSCD key.
+4) Sign `stellaops-validation-msg`; archive signature + certificate chain.
+5) Evidence: PKCS#11 slot list, JWKS snapshot, QSCD audit logs (if available), provider metrics for `eu.eidas.*`.
+6) If QSCD hardware is unavailable, keep `EIDAS_SOFT_ALLOWED=1` and run against the simulator for CI coverage.
+
+## KCMVP
+1) Configure KCMVP module (ARIA/SEED/KCDSA) or hash-only fallback:
+   ```yaml
+   StellaOps:
+     Crypto:
+       Registry:
+         ActiveProfile: kcmvp
+       Kcmvp:
+         LibraryPath: /usr/lib/kcmvp/libpkcs11.so
+         Keys:
+           - KeyId: kcmvp-hw
+             SlotId: 0
+             PinEnvVar: KCMVP_PIN
+             Algorithm: kcdsa
+   ```
+2) If hardware is unavailable, keep `KCMVP_HASH_ALLOWED=1` and record hash-only evidence.
+3) Run signing/hash tests for `stellaops-validation-msg`; collect signatures/hashes and metrics for `kr.kcmvp.*`.
+4) When a certified module is present, set `KCMVP_HASH_ALLOWED=0` and rerun tests to retire the hash-only label.
+
+## Evidence checklist
+- Command outputs: `pkcs11-tool --list-slots`, `--list-objects`, module self-tests (if provided).
+- JWKS snapshots and `CryptoProviderMetrics` scrape.
+- Signature/hash files and verification logs for the fixed message.
+- Configuration files/env vars used during the run.
+
+## Publishing
+- Attach evidence to sprint artefacts for FIPS-EIDAS-VAL-01 and KCMVP-VAL-01.
+- Update RootPack manifests to remove the “non-certified” wording once certified evidence is present; otherwise keep the simulator noted as the interim path.

docs/security/openssl-gost-remote.md

@@ -0,0 +1,83 @@
+# Remote OpenSSL GOST Signer (OSS) · 2025-12-11
+
+Portable, open-source remote signer for GOST R 34.10/34.11 using the `rnix/openssl-gost` image. Use when CryptoPro CSP is unavailable and a remote Linux host can expose signing via HTTP.
+
+## Goals
+- Remote, OSS-only signer for the `ru.openssl.gost` profile.
+- Deterministic digest harness (fixed message) for smoke checks.
+- Configurable endpoint so hosts can toggle between local and remote.
+
+## Quickstart (remote host)
+```bash
+# 1) Run the OpenSSL GOST container on the remote host
+docker run --rm -p 8088:8080 --name gost-remote rnix/openssl-gost:latest sleep 365d
+
+# 2) Start the lightweight HTTP gateway (one-liner, no deps)
+cat > /tmp/gost-remote.sh <<'EOF'
+#!/usr/bin/env bash
+set -euo pipefail
+msg_file="$(mktemp)"
+sig_file="$(mktemp)"
+pub_file="$(mktemp)"
+trap 'rm -f "$msg_file" "$sig_file" "$pub_file"' EXIT
+
+while true; do
+  # Simple netcat JSON protocol: {"message_b64":"..."}
+  nc -l -p 9090 -q 1 | {
+    read payload
+    msg_b64="$(echo "$payload" | jq -r .message_b64)"
+    echo "$msg_b64" | base64 -d > "$msg_file"
+    # Generate key once per container (persist by volume if desired)
+    if [ ! -f /tmp/gost.key.pem ]; then
+      openssl genpkey -engine gost -algorithm gost2012_256 -pkeyopt paramset:A -out /tmp/gost.key.pem >/dev/null
+      openssl pkey -engine gost -in /tmp/gost.key.pem -pubout -out /tmp/gost.pub.pem >/dev/null
+    fi
+    # Sign (nonce-driven, signatures differ each call)
+    openssl dgst -engine gost -md_gost12_256 -sign /tmp/gost.key.pem -out "$sig_file" "$msg_file"
+    # Respond with signature/public key (base64)
+    jq -n --arg sig_b64 "$(base64 -w0 "$sig_file")" \
+          --arg pub_pem "$(base64 -w0 /tmp/gost.pub.pem)" \
+          '{signature_b64:$sig_b64, public_key_pem_b64:$pub_pem}'
+  }
+done
+EOF
+chmod +x /tmp/gost-remote.sh
+/tmp/gost-remote.sh
+```
+
+## Client invocation (any host)
+```bash
+MESSAGE="stellaops-remote-gost-smoke"
+curl -s -X POST http://REMOTE_HOST:9090 \
+  -d "{\"message_b64\":\"$(printf '%s' \"$MESSAGE\" | base64 -w0)\"}" \
+  | tee /tmp/gost-remote-response.json
+
+sig_b64=$(jq -r .signature_b64 /tmp/gost-remote-response.json)
+pub_pem_b64=$(jq -r .public_key_pem_b64 /tmp/gost-remote-response.json)
+printf '%s' "$pub_pem_b64" | base64 -d > /tmp/gost-remote.pub.pem
+printf '%s' "$MESSAGE" > /tmp/gost-remote.msg
+printf '%s' "$sig_b64" | base64 -d > /tmp/gost-remote.sig
+
+# Verify locally
+openssl dgst -engine gost -md_gost12_256 \
+  -verify /tmp/gost-remote.pub.pem \
+  -signature /tmp/gost-remote.sig /tmp/gost-remote.msg
+```
+
+## Configuration toggle (hosts)
+- Add an env toggle to your deployment: `STELLAOPS_RU_OPENSSL_REMOTE_URL=http://remote-gost:9090`
+- When set, route `ru.openssl.gost` signing through the HTTP gateway; when unset, use local `OpenSslGostProvider`.
+- Keep Linux fallback enabled: `STELLAOPS_CRYPTO_ENABLE_RU_OPENSSL=1`.
+
+## Determinism
+- Digest is deterministic (`md_gost12_256` over caller-supplied message).
+- Signatures vary per request (nonce) but verify deterministically; capture `signature_b64` and `public_key_pem_b64` for evidence.
+
+## Operational notes
+- Remote host must have Docker + `rnix/openssl-gost` image (no vendor binaries).
+- Network access is limited to port 9090; use mTLS or SSH tunnel in production.
+- Persist `/tmp/gost.key.pem` via a volume if you need stable `kid`; otherwise accept ephemeral keys for testing.
+
+## Attach to sprint evidence
+- Store `gost-remote-response.json`, `gost-remote.pub.pem`, and verification output with the sprint log.
+- Record the remote endpoint and run timestamp in the sprint Execution Log.

docs/security/sm-hardware-simulation.md

@@ -0,0 +1,61 @@
+# SM Hardware Simulation & Bring-Up · 2025-12-11
+
+Use this runbook to simulate or attach SM2/SM3 hardware (PKCS#11) for the CN profile. When hardware is unavailable, use the unified simulator (`ops/crypto/sim-crypto-service`) to keep CI green.
+
+## Goals
+- Provide a repeatable PKCS#11 path (SoftHSM2 or vendor token).
+- Document slots/PIN wiring for StellaOps hosts.
+- Capture validation evidence (sign/verify/hash) to retire the “software-only” caveat once certified hardware is ready.
+
+## Simulation path (SoftHSM2)
+```bash
+sudo apt-get install softhsm2
+softhsm2-util --init-token --slot 0 --label "SM2SIM" --so-pin 1234 --pin 1234
+softhsm2-util --import sm2-private-key.pem --token "SM2SIM" --label "sm2key" --id 1 --pin 1234
+```
+
+Configure StellaOps hosts (example):
+```yaml
+StellaOps:
+  Crypto:
+    Registry:
+      ActiveProfile: sm
+    Pkcs11:
+      LibraryPath: /usr/lib/softhsm/libsofthsm2.so
+      Keys:
+        - KeyId: sm2-hw
+          SlotId: 0
+          PinEnvVar: SM_PKCS11_PIN   # export SM_PKCS11_PIN=1234
+          Algorithm: sm2
+```
+
+## Vendor hardware bring-up
+1) Install vendor PKCS#11 library (e.g., Feitian/Jacarta SM modules).
+2) Export `SM_PKCS11_LIBRARY` with the library path; set `SM_SOFT_ALLOWED=0` to force hardware.
+3) Import the SM2 private key/cert per vendor tooling; record SlotId/TokenLabel.
+4) Run the SM unit/integration suite with env:
+   ```bash
+   SM_SOFT_ALLOWED=0 \
+   STELLAOPS_CRYPTO_ENABLE_SM_PKCS11=1 \
+   SM_PKCS11_LIBRARY=/path/to/libpkcs11.so \
+   SM_PKCS11_PIN=1234 \
+   dotnet test src/__Libraries/StellaOps.Cryptography.Plugin.SmSoft.Tests
+   ```
+
+## Simulator fallback
+- Unified simulator: `ops/crypto/sim-crypto-service` with provider `sim.crypto.remote`.
+- Enable via `STELLAOPS_CRYPTO_ENABLE_SIM=1` and `STELLAOPS_CRYPTO_SIM_URL=http://localhost:8080`.
+- Use when hardware or licenses are unavailable; keep the “non-certified” label in RootPack_CN.
+
+## Validation evidence to capture
+- `pkcs11-tool --module <lib> --list-slots` and `--list-objects`.
+- Signing/verification logs for `stellaops-sm2-demo` with signature hash.
+- JWKS export snapshot from Authority/Signer when the `sm` profile is active.
+
+## Determinism
+- Hashes are deterministic (SM3). Signatures are nonce-driven; record signature hash and public key.
+- Keep test seeds fixed; prefer the existing SM2 unit tests with the env overrides above.
+
+## Publishing
+- Attach command outputs and configs to the sprint evidence bundle.
+- Once a certified token passes this harness, flip `SM_SOFT_ALLOWED` default to `0` for production CN profile and update RootPack_CN notes.