Add LDAP Distinguished Name Helper and Credential Audit Context

- Implemented LdapDistinguishedNameHelper for escaping RDN and filter values.
- Created AuthorityCredentialAuditContext and IAuthorityCredentialAuditContextAccessor for managing credential audit context.
- Developed StandardCredentialAuditLogger with tests for success, failure, and lockout events.
- Introduced AuthorityAuditSink for persisting audit records with structured logging.
- Added CryptoPro related classes for certificate resolution and signing operations.

docs/implplan/SPRINT_127_policy_reasoning.md

@@ -10,18 +10,18 @@ Focus: Policy & Reasoning focus on Policy (phase V).
 
 | # | Task ID & handle | State | Key dependency / next step | Owners |
 | --- | --- | --- | --- | --- |
-| 1 | POLICY-ENGINE-80-002 | TODO | Create joining layer to read `reachability_facts` efficiently (indexes, projections) and populate Redis overlay caches (Deps: POLICY-ENGINE-80-001) | Policy Guild, Storage Guild / src/Policy/StellaOps.Policy.Engine/TASKS.md |
-| 2 | POLICY-ENGINE-80-003 | TODO | Extend SPL predicates/actions to reference reachability state/score/confidence; update compiler validation (Deps: POLICY-ENGINE-80-002) | Policy Guild, Policy Editor Guild / src/Policy/StellaOps.Policy.Engine/TASKS.md |
-| 3 | POLICY-ENGINE-80-004 | TODO | Emit metrics (`policy_reachability_applied_total`, `policy_reachability_cache_hit_ratio`) and traces for signals usage (Deps: POLICY-ENGINE-80-003) | Policy Guild, Observability Guild / src/Policy/StellaOps.Policy.Engine/TASKS.md |
-| 4 | POLICY-OBS-50-001 | TODO | Integrate telemetry core into policy API + worker hosts, ensuring spans/logs cover compile/evaluate flows with `tenant_id`, `policy_version`, `decision_effect`, and trace IDs | Policy Guild, Observability Guild / src/Policy/StellaOps.Policy.Engine/TASKS.md |
-| 5 | POLICY-OBS-51-001 | TODO | Emit golden-signal metrics (compile latency, evaluate latency, rule hits, override counts) and define SLOs (evaluation P95 <2s). Publish Grafana dashboards + burn-rate alert rules (Deps: POLICY-OBS-50-001) | Policy Guild, DevOps Guild / src/Policy/StellaOps.Policy.Engine/TASKS.md |
-| 6 | POLICY-OBS-52-001 | TODO | Emit timeline events `policy.evaluate.started`, `policy.evaluate.completed`, `policy.decision.recorded` with trace IDs, input digests, and rule summary. Provide contract tests and retry semantics (Deps: POLICY-OBS-51-001) | Policy Guild / src/Policy/StellaOps.Policy.Engine/TASKS.md |
-| 7 | POLICY-OBS-53-001 | TODO | Produce evaluation evidence bundles (inputs slice, rule trace, engine version, config snapshot) through evidence locker integration; ensure redaction + deterministic manifests (Deps: POLICY-OBS-52-001) | Policy Guild, Evidence Locker Guild / src/Policy/StellaOps.Policy.Engine/TASKS.md |
-| 8 | POLICY-OBS-54-001 | TODO | Generate DSSE attestations for evaluation outputs, expose `/evaluations/{id}/attestation`, and link attestation IDs in timeline + console. Provide verification harness (Deps: POLICY-OBS-53-001) | Policy Guild, Provenance Guild / src/Policy/StellaOps.Policy.Engine/TASKS.md |
-| 9 | POLICY-OBS-55-001 | TODO | Implement incident mode sampling overrides (full rule trace capture, extended retention) with auto-activation on SLO breach and manual override API. Emit activation events to timeline + notifier (Deps: POLICY-OBS-54-001) | Policy Guild, DevOps Guild / src/Policy/StellaOps.Policy.Engine/TASKS.md |
-| 10 | POLICY-RISK-66-001 | TODO | Develop initial JSON Schema for RiskProfile (signals, transforms, weights, severity, overrides) with validator stubs | Risk Profile Schema Guild / src/Policy/StellaOps.Policy.RiskProfile/TASKS.md |
-| 11 | POLICY-RISK-66-002 | TODO | Implement inheritance/merge logic with conflict detection and deterministic content hashing (Deps: POLICY-RISK-66-001) | Risk Profile Schema Guild / src/Policy/StellaOps.Policy.RiskProfile/TASKS.md |
-| 12 | POLICY-RISK-66-003 | TODO | Integrate RiskProfile schema into Policy Engine configuration, ensuring validation and default profile deployment (Deps: POLICY-RISK-66-002) | Policy Guild, Risk Profile Schema Guild / src/Policy/StellaOps.Policy.Engine/TASKS.md |
-| 13 | POLICY-RISK-66-004 | TODO | Extend Policy libraries to load/save RiskProfile documents, compute content hashes, and surface validation diagnostics (Deps: POLICY-RISK-66-003) | Policy Guild, Risk Profile Schema Guild / src/Policy/__Libraries/StellaOps.Policy/TASKS.md |
-| 14 | POLICY-RISK-67-001 | TODO | Trigger scoring jobs on new/updated findings via Policy Engine orchestration hooks (Deps: POLICY-RISK-66-004) | Policy Guild, Risk Engine Guild / src/Policy/StellaOps.Policy.Engine/TASKS.md |
-| 15 | POLICY-RISK-67-001 | TODO | Integrate profile storage and versioning into Policy Store with lifecycle states (draft/publish/deprecate) (Deps: POLICY-RISK-67-001) | Risk Profile Schema Guild, Policy Engine Guild / src/Policy/StellaOps.Policy.RiskProfile/TASKS.md |
+| 1 | POLICY-ENGINE-80-002 | TODO | Create joining layer to read `reachability_facts` efficiently (indexes, projections) and populate Redis overlay caches (Deps: POLICY-ENGINE-80-001) | Policy Guild, Storage Guild / src/Policy/StellaOps.Policy.Engine |
+| 2 | POLICY-ENGINE-80-003 | TODO | Extend SPL predicates/actions to reference reachability state/score/confidence; update compiler validation (Deps: POLICY-ENGINE-80-002) | Policy Guild, Policy Editor Guild / src/Policy/StellaOps.Policy.Engine |
+| 3 | POLICY-ENGINE-80-004 | TODO | Emit metrics (`policy_reachability_applied_total`, `policy_reachability_cache_hit_ratio`) and traces for signals usage (Deps: POLICY-ENGINE-80-003) | Policy Guild, Observability Guild / src/Policy/StellaOps.Policy.Engine |
+| 4 | POLICY-OBS-50-001 | TODO | Integrate telemetry core into policy API + worker hosts, ensuring spans/logs cover compile/evaluate flows with `tenant_id`, `policy_version`, `decision_effect`, and trace IDs | Policy Guild, Observability Guild / src/Policy/StellaOps.Policy.Engine |
+| 5 | POLICY-OBS-51-001 | TODO | Emit golden-signal metrics (compile latency, evaluate latency, rule hits, override counts) and define SLOs (evaluation P95 <2s). Publish Grafana dashboards + burn-rate alert rules (Deps: POLICY-OBS-50-001) | Policy Guild, DevOps Guild / src/Policy/StellaOps.Policy.Engine |
+| 6 | POLICY-OBS-52-001 | TODO | Emit timeline events `policy.evaluate.started`, `policy.evaluate.completed`, `policy.decision.recorded` with trace IDs, input digests, and rule summary. Provide contract tests and retry semantics (Deps: POLICY-OBS-51-001) | Policy Guild / src/Policy/StellaOps.Policy.Engine |
+| 7 | POLICY-OBS-53-001 | TODO | Produce evaluation evidence bundles (inputs slice, rule trace, engine version, config snapshot) through evidence locker integration; ensure redaction + deterministic manifests (Deps: POLICY-OBS-52-001) | Policy Guild, Evidence Locker Guild / src/Policy/StellaOps.Policy.Engine |
+| 8 | POLICY-OBS-54-001 | TODO | Generate DSSE attestations for evaluation outputs, expose `/evaluations/{id}/attestation`, and link attestation IDs in timeline + console. Provide verification harness (Deps: POLICY-OBS-53-001) | Policy Guild, Provenance Guild / src/Policy/StellaOps.Policy.Engine |
+| 9 | POLICY-OBS-55-001 | TODO | Implement incident mode sampling overrides (full rule trace capture, extended retention) with auto-activation on SLO breach and manual override API. Emit activation events to timeline + notifier (Deps: POLICY-OBS-54-001) | Policy Guild, DevOps Guild / src/Policy/StellaOps.Policy.Engine |
+| 10 | POLICY-RISK-66-001 | TODO | Develop initial JSON Schema for RiskProfile (signals, transforms, weights, severity, overrides) with validator stubs | Risk Profile Schema Guild / src/Policy/StellaOps.Policy.RiskProfile |
+| 11 | POLICY-RISK-66-002 | TODO | Implement inheritance/merge logic with conflict detection and deterministic content hashing (Deps: POLICY-RISK-66-001) | Risk Profile Schema Guild / src/Policy/StellaOps.Policy.RiskProfile |
+| 12 | POLICY-RISK-66-003 | TODO | Integrate RiskProfile schema into Policy Engine configuration, ensuring validation and default profile deployment (Deps: POLICY-RISK-66-002) | Policy Guild, Risk Profile Schema Guild / src/Policy/StellaOps.Policy.Engine |
+| 13 | POLICY-RISK-66-004 | TODO | Extend Policy libraries to load/save RiskProfile documents, compute content hashes, and surface validation diagnostics (Deps: POLICY-RISK-66-003) | Policy Guild, Risk Profile Schema Guild / src/Policy/__Libraries/StellaOps.Policy |
+| 14 | POLICY-RISK-67-001 | TODO | Trigger scoring jobs on new/updated findings via Policy Engine orchestration hooks (Deps: POLICY-RISK-66-004) | Policy Guild, Risk Engine Guild / src/Policy/StellaOps.Policy.Engine |
+| 15 | POLICY-RISK-67-001 | TODO | Integrate profile storage and versioning into Policy Store with lifecycle states (draft/publish/deprecate) (Deps: POLICY-RISK-67-001) | Risk Profile Schema Guild, Policy Engine Guild / src/Policy/StellaOps.Policy.RiskProfile |