feat(crypto): extract crypto providers to overlay compose files + health probe API

- Extract smremote to docker-compose.crypto-provider.smremote.yml
- Rename cryptopro/crypto-sim compose files for consistent naming
- Add crypto provider health probe endpoint (CP-001)
- Add tenant crypto provider preferences API + migration (CP-002)
- Update docs and compliance env examples

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

devops/compose/docker-compose.crypto-provider.smremote.yml

@@ -0,0 +1,90 @@
+# =============================================================================
+# STELLA OPS - CRYPTO PROVIDER OVERLAY: SMREMOTE
+# =============================================================================
+# ShangMi (SM2/SM3/SM4) crypto microservice overlay.
+# Extracted from docker-compose.stella-ops.yml (Slot 31) so that the SM Remote
+# service is opt-in rather than always-on.
+#
+# Usage (with main stack):
+#   docker compose -f docker-compose.stella-ops.yml \
+#     -f docker-compose.crypto-provider.smremote.yml up -d
+#
+# Usage (with China compliance):
+#   docker compose -f docker-compose.stella-ops.yml \
+#     -f docker-compose.compliance-china.yml \
+#     -f docker-compose.crypto-provider.smremote.yml up -d
+#
+# SM Algorithms:
+# - SM2: Public key cryptography (GM/T 0003-2012)
+# - SM3: Hash function, 256-bit (GM/T 0004-2012)
+# - SM4: Block cipher, 128-bit (GM/T 0002-2012)
+#
+# =============================================================================
+
+networks:
+  stellaops:
+    external: true
+    name: stellaops
+  frontdoor:
+    external: true
+    name: compose_frontdoor
+
+services:
+  # --- Slot 31: SmRemote ----------------------------------------------------
+  smremote:
+    image: stellaops/smremote:dev
+    container_name: stellaops-smremote
+    restart: unless-stopped
+    depends_on:
+      postgres:
+        condition: service_healthy
+      valkey:
+        condition: service_healthy
+    environment:
+      ASPNETCORE_URLS: "http://+:8080"
+      Kestrel__Certificates__Default__Path: "/app/etc/certs/kestrel-dev.pfx"
+      Kestrel__Certificates__Default__Password: "devpass"
+      Router__Region: "local"
+      Router__Gateways__0__Host: "router.stella-ops.local"
+      Router__Gateways__0__Port: "9100"
+      Router__Gateways__0__TransportType: "Messaging"
+      Router__OnMissingAuthorization: "${ROUTER_ON_MISSING_AUTHORIZATION:-WarnAndAllow}"
+      Router__TransportPlugins__Directory: "/app/plugins/router/transports"
+      Router__TransportPlugins__SearchPattern: "StellaOps.Router.Transport.*.dll"
+      Router__Messaging__Transport: "valkey"
+      Router__Messaging__PluginDirectory: "/app/plugins/messaging"
+      Router__Messaging__SearchPattern: "StellaOps.Messaging.Transport.*.dll"
+      Router__Messaging__RequestQueueTemplate: "router:requests:{service}"
+      Router__Messaging__ResponseQueueName: "router:responses"
+      Router__Messaging__RequestTimeout: "30s"
+      Router__Messaging__LeaseDuration: "5m"
+      Router__Messaging__BatchSize: "10"
+      Router__Messaging__HeartbeatInterval: "${ROUTER_MESSAGING_HEARTBEAT_INTERVAL:-30s}"
+      Router__RegistrationRefreshIntervalSeconds: "${ROUTER_REGISTRATION_REFRESH_INTERVAL_SECONDS:-30}"
+      Router__Messaging__valkey__ConnectionString: "cache.stella-ops.local:6379"
+      Router__Messaging__valkey__Database: "0"
+      Router__Messaging__valkey__QueueWaitTimeoutSeconds: "${VALKEY_QUEUE_WAIT_TIMEOUT:-0}"
+      Router__IdentityEnvelopeSigningKey: "${STELLAOPS_IDENTITY_ENVELOPE_SIGNING_KEY}"
+      ConnectionStrings__Default: "Host=db.stella-ops.local;Port=5432;Database=${POSTGRES_DB:-stellaops_platform};Username=${POSTGRES_USER:-stellaops};Password=${POSTGRES_PASSWORD:-stellaops};Maximum Pool Size=50"
+      ConnectionStrings__Redis: "cache.stella-ops.local:6379"
+      Router__Enabled: "${SMREMOTE_ROUTER_ENABLED:-true}"
+      Router__Messaging__ConsumerGroup: "smremote"
+    volumes:
+      - "../../etc/authority/keys:/app/etc/certs:ro"
+    ports:
+      - "127.1.0.31:80:80"
+    networks:
+      stellaops:
+        aliases:
+          - smremote.stella-ops.local
+      frontdoor: {}
+    healthcheck:
+      test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/8080'"]
+      interval: ${HEALTHCHECK_INTERVAL:-60s}
+      timeout: 5s
+      retries: 3
+      start_period: 15s
+    labels:
+      com.stellaops.release.version: "2025.10.0"
+      com.stellaops.release.channel: "stable"
+      com.stellaops.profile: "default"