Refactor code structure for improved readability and maintainability

NuGet.config

@@ -29,7 +29,14 @@
       <package pattern="Microsoft.IdentityModel.Abstractions" />
       <package pattern="Microsoft.AspNetCore.Authentication.JwtBearer" />
       <package pattern="Google.Protobuf" />
+      <package pattern="Google.Api.*" />
+      <package pattern="Google.Apis.*" />
+      <package pattern="Google.Cloud.*" />
+      <package pattern="Google.LongRunning" />
       <package pattern="Grpc.*" />
+      <package pattern="AWSSDK.*" />
+      <package pattern="Pkcs11Interop" />
+      <package pattern="System.Management" />
     </packageSource>
     <packageSource key="dotnet-public">
       <package pattern="Microsoft.Extensions.*" />

local-nuget/Google.Api.Gax.Grpc.GrpcCore.4.11.0.nupkg

@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?><Error><Code>BlobNotFound</Code><Message>The specified blob does not exist.
+RequestId:111b5cf5-801e-0033-51f3-4ee25c000000
+Time:2025-11-06T08:00:59.9404934Z</Message></Error>

src/__Libraries/StellaOps.Cryptography.Kms/AwsKmsFacade.cs

@@ -5,7 +5,7 @@ using Amazon.KeyManagementService.Model;
 
 namespace StellaOps.Cryptography.Kms;
 
-internal interface IAwsKmsFacade : IDisposable
+public interface IAwsKmsFacade : IDisposable
 {
     Task<AwsSignResult> SignAsync(string keyResource, ReadOnlyMemory<byte> digest, CancellationToken cancellationToken);
 
@@ -16,11 +16,11 @@ internal interface IAwsKmsFacade : IDisposable
     Task<AwsPublicKeyMaterial> GetPublicKeyAsync(string keyResource, CancellationToken cancellationToken);
 }
 
-internal sealed record AwsSignResult(string KeyResource, string VersionId, byte[] Signature);
+public sealed record AwsSignResult(string KeyResource, string VersionId, byte[] Signature);
 
-internal sealed record AwsKeyMetadata(string KeyId, string Arn, DateTimeOffset CreatedAt, AwsKeyStatus Status);
+public sealed record AwsKeyMetadata(string KeyId, string Arn, DateTimeOffset CreatedAt, AwsKeyStatus Status);
 
-internal enum AwsKeyStatus
+public enum AwsKeyStatus
 {
     Unspecified = 0,
     Enabled = 1,
@@ -31,7 +31,7 @@ internal enum AwsKeyStatus
     Unavailable = 6,
 }
 
-internal sealed record AwsPublicKeyMaterial(string KeyId, string VersionId, string Curve, byte[] SubjectPublicKeyInfo);
+public sealed record AwsPublicKeyMaterial(string KeyId, string VersionId, string Curve, byte[] SubjectPublicKeyInfo);
 
 internal sealed class AwsKmsFacade : IAwsKmsFacade
 {

src/__Libraries/StellaOps.Cryptography.Kms/GcpKmsFacade.cs

@@ -4,7 +4,7 @@ using Google.Protobuf.WellKnownTypes;
 
 namespace StellaOps.Cryptography.Kms;
 
-internal interface IGcpKmsFacade : IDisposable
+public interface IGcpKmsFacade : IDisposable
 {
     Task<GcpSignResult> SignAsync(string versionName, ReadOnlyMemory<byte> digest, CancellationToken cancellationToken);
 
@@ -15,11 +15,11 @@ internal interface IGcpKmsFacade : IDisposable
     Task<GcpPublicKeyMaterial> GetPublicKeyAsync(string versionName, CancellationToken cancellationToken);
 }
 
-internal sealed record GcpSignResult(string VersionName, byte[] Signature);
+public sealed record GcpSignResult(string VersionName, byte[] Signature);
 
-internal sealed record GcpCryptoKeyMetadata(string KeyName, string? PrimaryVersionName, DateTimeOffset CreateTime);
+public sealed record GcpCryptoKeyMetadata(string KeyName, string? PrimaryVersionName, DateTimeOffset CreateTime);
 
-internal enum GcpCryptoKeyVersionState
+public enum GcpCryptoKeyVersionState
 {
     Unspecified = 0,
     PendingGeneration = 1,
@@ -32,13 +32,13 @@ internal enum GcpCryptoKeyVersionState
     GenerationFailed = 8,
 }
 
-internal sealed record GcpCryptoKeyVersionMetadata(
+public sealed record GcpCryptoKeyVersionMetadata(
     string VersionName,
     GcpCryptoKeyVersionState State,
     DateTimeOffset CreateTime,
     DateTimeOffset? DestroyTime);
 
-internal sealed record GcpPublicKeyMaterial(string VersionName, string Algorithm, string Pem);
+public sealed record GcpPublicKeyMaterial(string VersionName, string Algorithm, string Pem);
 
 internal sealed class GcpKmsFacade : IGcpKmsFacade
 {

src/__Libraries/StellaOps.Cryptography.Kms/Pkcs11Facade.cs

@@ -1,13 +1,20 @@
 using Net.Pkcs11Interop.Common;
 using Net.Pkcs11Interop.HighLevelAPI;
 using Net.Pkcs11Interop.HighLevelAPI.MechanismParams;
+using Pkcs11 = Net.Pkcs11Interop.HighLevelAPI.Pkcs11;
+using Slot = Net.Pkcs11Interop.HighLevelAPI.Slot;
+using ISession = Net.Pkcs11Interop.HighLevelAPI.Session;
+using ObjectHandle = Net.Pkcs11Interop.HighLevelAPI.ObjectHandle;
+using ObjectAttribute = Net.Pkcs11Interop.HighLevelAPI.ObjectAttribute;
+using Mechanism = Net.Pkcs11Interop.HighLevelAPI.Mechanism;
 using System.Collections.Concurrent;
 using System.Formats.Asn1;
 using System.Security.Cryptography;
+using Microsoft.IdentityModel.Tokens;
 
 namespace StellaOps.Cryptography.Kms;
 
-internal interface IPkcs11Facade : IDisposable
+public interface IPkcs11Facade : IDisposable
 {
     Task<Pkcs11KeyDescriptor> GetKeyAsync(CancellationToken cancellationToken);
 
@@ -16,12 +23,12 @@ internal interface IPkcs11Facade : IDisposable
     Task<byte[]> SignDigestAsync(ReadOnlyMemory<byte> digest, CancellationToken cancellationToken);
 }
 
-internal sealed record Pkcs11KeyDescriptor(
+public sealed record Pkcs11KeyDescriptor(
     string KeyId,
     string? Label,
     DateTimeOffset CreatedAt);
 
-internal sealed record Pkcs11PublicKeyMaterial(
+public sealed record Pkcs11PublicKeyMaterial(
     string KeyId,
     string Curve,
     byte[] Qx,
@@ -57,11 +64,11 @@ internal sealed class Pkcs11InteropFacade : IPkcs11Facade
             throw new InvalidOperationException("PKCS#11 private key not found.");
         }
 
-        var labelAttr = GetAttribute(session, privateHandle.Value, CKA.CKA_LABEL);
+        var labelAttr = GetAttribute(session, privateHandle, CKA.CKA_LABEL);
         var label = labelAttr?.GetValueAsString();
 
         return new Pkcs11KeyDescriptor(
-            KeyId: label ?? privateHandle.Value.ObjectId.ToString(),
+            KeyId: label ?? privateHandle.ObjectId.ToString(),
             Label: label,
             CreatedAt: DateTimeOffset.UtcNow);
     }
@@ -76,9 +83,9 @@ internal sealed class Pkcs11InteropFacade : IPkcs11Facade
             throw new InvalidOperationException("PKCS#11 public key not found.");
         }
 
-        var pointAttr = GetAttribute(session, publicHandle.Value, CKA.CKA_EC_POINT)
+        var pointAttr = GetAttribute(session, publicHandle, CKA.CKA_EC_POINT)
             ?? throw new InvalidOperationException("Public key missing EC point.");
-        var paramsAttr = GetAttribute(session, publicHandle.Value, CKA.CKA_EC_PARAMS)
+        var paramsAttr = GetAttribute(session, publicHandle, CKA.CKA_EC_PARAMS)
             ?? throw new InvalidOperationException("Public key missing EC parameters.");
 
         var ecPoint = ExtractEcPoint(pointAttr.GetValueAsByteArray());
@@ -92,8 +99,8 @@ internal sealed class Pkcs11InteropFacade : IPkcs11Facade
         var qx = ecPoint.AsSpan(1, coordinateSize).ToArray();
         var qy = ecPoint.AsSpan(1 + coordinateSize, coordinateSize).ToArray();
 
-        var keyId = GetAttribute(session, publicHandle.Value, CKA.CKA_LABEL)?.GetValueAsString()
-            ?? publicHandle.Value.ObjectId.ToString();
+        var keyId = GetAttribute(session, publicHandle, CKA.CKA_LABEL)?.GetValueAsString()
+            ?? publicHandle.ObjectId.ToString();
 
         return new Pkcs11PublicKeyMaterial(
             keyId,
@@ -110,7 +117,7 @@ internal sealed class Pkcs11InteropFacade : IPkcs11Facade
             ?? throw new InvalidOperationException("PKCS#11 private key not found.");
 
         var mechanism = new Mechanism(_options.MechanismId);
-        return session.Sign(mechanism, privateHandle.Value, digest.ToArray());
+        return session.Sign(mechanism, privateHandle, digest.ToArray());
     }
 
     private async Task<SessionContext> OpenSessionAsync(CancellationToken cancellationToken)

src/__Libraries/StellaOps.Cryptography.Kms/Pkcs11KmsClient.cs

@@ -1,6 +1,7 @@
 using System.Collections.Concurrent;
 using System.Collections.Immutable;
 using System.Security.Cryptography;
+using Microsoft.IdentityModel.Tokens;
 
 namespace StellaOps.Cryptography.Kms;
 

src/__Libraries/StellaOps.Cryptography.Kms/Pkcs11Options.cs

@@ -64,7 +64,7 @@ public sealed class Pkcs11Options
     /// <summary>
     /// Gets or sets an optional factory for advanced facade injection (testing, custom providers).
     /// </summary>
-    internal Func<IServiceProvider, IPkcs11Facade>? FacadeFactory { get; set; }
+    public Func<IServiceProvider, IPkcs11Facade>? FacadeFactory { get; set; }
 
     private static TimeSpan EnsurePositive(TimeSpan value, TimeSpan fallback)
         => value <= TimeSpan.Zero ? fallback : value;

src/__Libraries/StellaOps.Cryptography.Kms/StellaOps.Cryptography.Kms.csproj

@@ -9,7 +9,7 @@
     <PackageReference Include="Microsoft.Extensions.Options" Version="9.0.0" />
     <PackageReference Include="AWSSDK.KeyManagementService" Version="4.0.6" />
     <PackageReference Include="Google.Cloud.Kms.V1" Version="3.19.0" />
-    <PackageReference Include="Pkcs11Interop" Version="5.3.0" />
+    <PackageReference Include="Pkcs11Interop" Version="4.1.0" />
   </ItemGroup>
   <ItemGroup>
     <ProjectReference Include="../StellaOps.Cryptography/StellaOps.Cryptography.csproj" />