up the blokcing tasks

ops/crypto/sim-crypto-service/Dockerfile

@@ -0,0 +1,13 @@
+FROM mcr.microsoft.com/dotnet/sdk:8.0-alpine AS build
+WORKDIR /src
+COPY SimCryptoService.csproj .
+RUN dotnet restore
+COPY . .
+RUN dotnet publish -c Release -o /app/publish
+
+FROM mcr.microsoft.com/dotnet/aspnet:8.0-alpine
+WORKDIR /app
+COPY --from=build /app/publish .
+EXPOSE 8080
+ENV ASPNETCORE_URLS=http://0.0.0.0:8080
+ENTRYPOINT ["dotnet", "SimCryptoService.dll"]

ops/crypto/sim-crypto-service/Program.cs

@@ -0,0 +1,128 @@
+using System.Security.Cryptography;
+using System.Text;
+using System.Text.Json.Serialization;
+
+var builder = WebApplication.CreateBuilder(args);
+var app = builder.Build();
+
+// Static key material for simulations (not for production use).
+using var ecdsa = ECDsa.Create(ECCurve.NamedCurves.nistP256);
+var ecdsaPublic = ecdsa.ExportSubjectPublicKeyInfo();
+
+byte[] Sign(string message, string algorithm)
+{
+    var data = Encoding.UTF8.GetBytes(message);
+    var lower = algorithm.Trim().ToLowerInvariant();
+    var upper = algorithm.Trim().ToUpperInvariant();
+
+    if (lower is "pq.dilithium3" or "pq.falcon512" or "pq.sim" || upper is "DILITHIUM3" or "FALCON512")
+    {
+        return HMACSHA256.HashData(Encoding.UTF8.GetBytes("pq-sim-key"), data);
+    }
+
+    if (lower is "ru.magma.sim" or "ru.kuznyechik.sim" || upper is "GOST12-256" or "GOST12-512")
+    {
+        return HMACSHA256.HashData(Encoding.UTF8.GetBytes("gost-sim-key"), data);
+    }
+
+    if (lower is "sm.sim" or "sm2.sim" || upper is "SM2")
+    {
+        return HMACSHA256.HashData(Encoding.UTF8.GetBytes("sm-sim-key"), data);
+    }
+
+    return ecdsa.SignData(data, HashAlgorithmName.SHA256);
+}
+
+bool Verify(string message, string algorithm, byte[] signature)
+{
+    var data = Encoding.UTF8.GetBytes(message);
+    var lower = algorithm.Trim().ToLowerInvariant();
+    var upper = algorithm.Trim().ToUpperInvariant();
+
+    if (lower is "pq.dilithium3" or "pq.falcon512" or "pq.sim" || upper is "DILITHIUM3" or "FALCON512")
+    {
+        return CryptographicOperations.FixedTimeEquals(HMACSHA256.HashData(Encoding.UTF8.GetBytes("pq-sim-key"), data), signature);
+    }
+
+    if (lower is "ru.magma.sim" or "ru.kuznyechik.sim" || upper is "GOST12-256" or "GOST12-512")
+    {
+        return CryptographicOperations.FixedTimeEquals(HMACSHA256.HashData(Encoding.UTF8.GetBytes("gost-sim-key"), data), signature);
+    }
+
+    if (lower is "sm.sim" or "sm2.sim" || upper is "SM2")
+    {
+        return CryptographicOperations.FixedTimeEquals(HMACSHA256.HashData(Encoding.UTF8.GetBytes("sm-sim-key"), data), signature);
+    }
+
+    return ecdsa.VerifyData(data, signature, HashAlgorithmName.SHA256);
+}
+
+app.MapPost("/sign", (SignRequest request) =>
+{
+    if (string.IsNullOrWhiteSpace(request.Algorithm) || string.IsNullOrWhiteSpace(request.Message))
+    {
+        return Results.BadRequest("Algorithm and message are required.");
+    }
+
+    var sig = Sign(request.Message, request.Algorithm);
+    return Results.Json(new SignResponse(Convert.ToBase64String(sig), request.Algorithm));
+});
+
+app.MapPost("/verify", (VerifyRequest request) =>
+{
+    if (string.IsNullOrWhiteSpace(request.Algorithm) || string.IsNullOrWhiteSpace(request.Message) || string.IsNullOrWhiteSpace(request.SignatureBase64))
+    {
+        return Results.BadRequest("Algorithm, message, and signature are required.");
+    }
+
+    var sig = Convert.FromBase64String(request.SignatureBase64);
+    var ok = Verify(request.Message, request.Algorithm, sig);
+    return Results.Json(new VerifyResponse(ok, request.Algorithm));
+});
+
+app.MapGet("/keys", () =>
+{
+    return Results.Json(new KeysResponse(
+        Convert.ToBase64String(ecdsaPublic),
+        "nistp256",
+        new[]
+        {
+            "pq.sim",
+            "DILITHIUM3",
+            "FALCON512",
+            "ru.magma.sim",
+            "ru.kuznyechik.sim",
+            "GOST12-256",
+            "GOST12-512",
+            "sm.sim",
+            "SM2",
+            "fips.sim",
+            "eidas.sim",
+            "kcmvp.sim",
+            "world.sim"
+        }));
+});
+
+app.Run();
+
+public record SignRequest(
+    [property: JsonPropertyName("message")] string Message,
+    [property: JsonPropertyName("algorithm")] string Algorithm);
+
+public record SignResponse(
+    [property: JsonPropertyName("signature_b64")] string SignatureBase64,
+    [property: JsonPropertyName("algorithm")] string Algorithm);
+
+public record VerifyRequest(
+    [property: JsonPropertyName("message")] string Message,
+    [property: JsonPropertyName("signature_b64")] string SignatureBase64,
+    [property: JsonPropertyName("algorithm")] string Algorithm);
+
+public record VerifyResponse(
+    [property: JsonPropertyName("ok")] bool Ok,
+    [property: JsonPropertyName("algorithm")] string Algorithm);
+
+public record KeysResponse(
+    [property: JsonPropertyName("public_key_b64")] string PublicKeyBase64,
+    [property: JsonPropertyName("curve")] string Curve,
+    [property: JsonPropertyName("simulated_providers")] IEnumerable<string> Providers);

ops/crypto/sim-crypto-service/README.md

@@ -0,0 +1,32 @@
+# Sim Crypto Service · 2025-12-11
+
+Minimal HTTP service to simulate sovereign crypto providers when licensed hardware or certified modules are unavailable.
+
+## Endpoints
+- `POST /sign` — body: `{"message":"<string>","algorithm":"<id>"}`; returns `{"signature_b64":"...","algorithm":"<id>"}`.
+- `POST /verify` — body: `{"message":"<string>","algorithm":"<id>","signature_b64":"..."}`; returns `{"ok":true/false,"algorithm":"<id>"}`.
+- `GET /keys` — returns public key info for simulated providers.
+
+## Supported simulated provider IDs
+- GOST: `GOST12-256`, `GOST12-512`, `ru.magma.sim`, `ru.kuznyechik.sim` — deterministic HMAC-SHA256.
+- SM: `SM2`, `sm.sim`, `sm2.sim` — deterministic HMAC-SHA256.
+- PQ: `DILITHIUM3`, `FALCON512`, `pq.sim` — deterministic HMAC-SHA256.
+- FIPS/eIDAS/KCMVP/world: `ES256`, `ES384`, `ES512`, `fips.sim`, `eidas.sim`, `kcmvp.sim`, `world.sim` — ECDSA P-256 with a static key.
+
+## Build & run
+```bash
+dotnet run -c Release --project ops/crypto/sim-crypto-service/SimCryptoService.csproj
+# or
+docker build -t sim-crypto -f ops/crypto/sim-crypto-service/Dockerfile ops/crypto/sim-crypto-service
+docker run --rm -p 8080:8080 sim-crypto
+```
+
+## Wiring
+- Set `STELLAOPS_CRYPTO_ENABLE_SIM=1` to append `sim.crypto.remote` to the registry preference order.
+- Point the provider at the service: `STELLAOPS_CRYPTO_SIM_URL=http://localhost:8080` (or bind `StellaOps:Crypto:Sim:BaseAddress` in config).
+- `SimRemoteProviderOptions.Algorithms` already includes the IDs above; extend if you need extra aliases.
+
+## Notes
+- Replaces the legacy SM-only simulator; use this unified service for SM, PQ, GOST, and FIPS/eIDAS/KCMVP placeholders.
+- Deterministic HMAC for SM/PQ/GOST; static ECDSA key for the rest. Not for production use.
+- No licensed binaries are shipped; everything is BCL-only.

ops/crypto/sim-crypto-service/SimCryptoService.csproj

@@ -0,0 +1,10 @@
+<Project Sdk="Microsoft.NET.Sdk.Web">
+  <PropertyGroup>
+    <TargetFramework>net10.0</TargetFramework>
+    <Nullable>enable</Nullable>
+    <ImplicitUsings>enable</ImplicitUsings>
+    <LangVersion>preview</LangVersion>
+    <PackageTargetFallback></PackageTargetFallback>
+    <AssetTargetFallback></AssetTargetFallback>
+  </PropertyGroup>
+</Project>