Add LDAP Distinguished Name Helper and Credential Audit Context

- Implemented LdapDistinguishedNameHelper for escaping RDN and filter values.
- Created AuthorityCredentialAuditContext and IAuthorityCredentialAuditContextAccessor for managing credential audit context.
- Developed StandardCredentialAuditLogger with tests for success, failure, and lockout events.
- Introduced AuthorityAuditSink for persisting audit records with structured logging.
- Added CryptoPro related classes for certificate resolution and signing operations.

docs/security/crypto-routing-audit-2025-11-07.md

@@ -29,34 +29,49 @@
 All hosts can now express provider ordering and profile overrides via configuration:
 
 ```yaml
-Crypto:
-  registry:
-    preferredProviders:
-      - default
-      - ru.pkcs11
-    activeProfile: ru-offline
-    profiles:
-      ru-offline:
-        preferredProviders:
-          - ru.cryptopro.csp
-          - ru.pkcs11
-  pkcs11:
-    keys:
-      - keyId: ru-slot-token
-        libraryPath: /usr/local/lib/librutokenecp.so
-        slotId: "0x1"
-        privateKeyLabel: signing-key
-        certificateThumbprint: "<thumbprint>"
-  cryptopro:
-    keys:
-      - keyId: ru-csp-token
-        libraryPath: /opt/cprocsp/lib/libcapi20.so
-        containerLabel: KRYPTO_PRO_KEY
-        certificateThumbprint: "<thumbprint>"
+StellaOps:
+  Crypto:
+    Registry:
+      PreferredProviders:
+        - default
+        - ru.pkcs11
+      ActiveProfile: ru-offline
+      Profiles:
+        ru-offline:
+          PreferredProviders:
+            - ru.cryptopro.csp
+            - ru.pkcs11
+    Pkcs11:
+      Keys:
+        - KeyId: ru-slot-token
+          LibraryPath: /usr/local/lib/librutokenecp.so
+          SlotId: "0x1"
+          PrivateKeyLabel: signing-key
+          CertificateThumbprint: "<thumbprint>"
+    CryptoPro:
+      Keys:
+        - KeyId: ru-csp-token
+          ProviderName: "Crypto-Pro GOST R 34.10-2012 Cryptographic Service Provider"
+          CertificateThumbprint: "<thumbprint>"
+          CertificateStoreLocation: LocalMachine
+          CertificateStoreName: My
 ```
 
+Call `builder.Services.AddStellaOpsCryptoRu(builder.Configuration)` to bind this configuration and register the RU providers with the correct preferred order.
+
 Each deployment picks a profile (`activeProfile`) that resolves to a deterministic provider order, and individual services call into `ICryptoProviderRegistry` rather than new-ing crypto stacks directly.
 
+### Known gaps (2025-11-09)
+
+Even after the initial plug-ins landed, several sovereign-crypto deliverables remain outstanding. These items must be addressed before RootPack_RU can be treated as GA:
+
+1. **CryptoPro CSP integration** – `StellaOps.Cryptography.Plugin.CryptoPro` currently reuses the PKCS#11 core and never talks to CryptoPro CSP / GostCryptography. Replace it with a real CSP-backed signer, including certificate-store lookup and DER/raw normalization.
+2. **Ops CLI** – The promised `StellaOps.CryptoRu.Cli` (list keys, try-sign, emit determinism records) has not been implemented; operators are blind when staging PKCS#11/CryptoPro keys.
+3. **Integration tests** – There are zero CryptoPro/PKCS#11 tests in `src/__Libraries/__Tests/StellaOps.Cryptography.Tests/`. The RootPack validation script cannot validate hardware paths today.
+4. **Symmetric GOST** – Magma/Kuznyechik (RFC 5830 / RFC 7801) support is missing, so RU deployments cannot request sovereign symmetric encryption for exports/data-at-rest.
+5. **Host adoption** – Authority, Scanner, Concelier, etc. register only the default providers; none call the RU DI helpers or set `ActiveProfile = ru-offline`, leaving sovereign bundles inert.
+6. **Docs/runbooks** – RootPack docs reference the CLI/config/test harnesses, but they do not yet exist; we need explicit TODOs (see rootpack docs) and follow-up edits once tooling ships.
+
 ## Inspecting providers from the CLI
 
 `stellaops crypto providers` now lists the registered providers, signing algorithms, certificate metadata, and the current preferred order. Use `--json` for machine-readable output or `--profile <name>` to preview another profile (e.g., `ru-offline`) before flipping configuration.