Add unit tests for RancherHubConnector and various exporters

- Implemented tests for RancherHubConnector to validate fetching documents, handling errors, and managing state.
- Added tests for CsafExporter to ensure deterministic serialization of CSAF documents.
- Created tests for CycloneDX exporters and reconciler to verify correct handling of VEX claims and output structure.
- Developed OpenVEX exporter tests to confirm the generation of canonical OpenVEX documents and statement merging logic.
- Introduced Rust file caching and license scanning functionality, including a cache key structure and hash computation.
- Added sample Cargo.toml and LICENSE files for testing Rust license scanning functionality.
This commit is contained in:
master
2025-10-30 07:52:39 +02:00
parent 0bc882e75a
commit a3822c88cd
62 changed files with 3631 additions and 423 deletions


@@ -18,6 +18,7 @@ public sealed class FileKmsClient : IKmsClient, IDisposable
new JsonStringEnumConverter(),
},
};
private const int MinKeyDerivationIterations = 600_000;
private readonly FileKmsOptions _options;
private readonly SemaphoreSlim _mutex = new(1, 1);
@@ -36,6 +37,13 @@ public sealed class FileKmsClient : IKmsClient, IDisposable
}
_options = options;
if (_options.KeyDerivationIterations < MinKeyDerivationIterations)
{
throw new ArgumentOutOfRangeException(
nameof(options.KeyDerivationIterations),
_options.KeyDerivationIterations,
$"PBKDF2 iterations must be at least {MinKeyDerivationIterations:N0} to satisfy cryptographic guidance.");
}
Directory.CreateDirectory(_options.RootPath);
}
@@ -415,7 +423,7 @@ public sealed class FileKmsClient : IKmsClient, IDisposable
using var ecdsa = ECDsa.Create();
ecdsa.ImportParameters(parameters);
return ecdsa.SignData(data.ToArray(), HashAlgorithmName.SHA256);
return ecdsa.SignData(data, HashAlgorithmName.SHA256);
}
private bool VerifyData(string curveName, string publicKeyBase64, ReadOnlySpan<byte> data, ReadOnlySpan<byte> signature)
@@ -442,7 +450,7 @@ public sealed class FileKmsClient : IKmsClient, IDisposable
using var ecdsa = ECDsa.Create();
ecdsa.ImportParameters(parameters);
return ecdsa.VerifyData(data.ToArray(), signature.ToArray(), HashAlgorithmName.SHA256);
return ecdsa.VerifyData(data, signature, HashAlgorithmName.SHA256);
}
private KeyEnvelope EncryptPrivateKey(ReadOnlySpan<byte> privateKey)
@@ -457,9 +465,10 @@ public sealed class FileKmsClient : IKmsClient, IDisposable
var tag = new byte[16];
var plaintextCopy = privateKey.ToArray();
using var aesGcm = new AesGcm(key, tag.Length);
try
{
AesGcm.Encrypt(key, nonce, plaintextCopy, ciphertext, tag);
aesGcm.Encrypt(nonce, plaintextCopy, ciphertext, tag);
}
finally
{
@@ -489,7 +498,8 @@ public sealed class FileKmsClient : IKmsClient, IDisposable
try
{
var plaintext = new byte[ciphertext.Length];
AesGcm.Decrypt(key, nonce, ciphertext, tag, plaintext);
using var aesGcm = new AesGcm(key, tag.Length);
aesGcm.Decrypt(nonce, ciphertext, tag, plaintext);
return plaintext;
}
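Review bot: The decrypt path at `using var aesGcm = new AesGcm(key, tag.Length);` takes the authentication-tag size from the stored envelope, while the encrypt side fixes it at `var tag = new byte[16];`, so an envelope whose tag field has been shortened to a still-valid 12 bytes would be verified against the weaker tag rather than refused. Pin both sides to one value, e.g. `private const int TagSizeBytes = 16;` beside `MinKeyDerivationIterations`, then `new AesGcm(key, TagSizeBytes)` in both EncryptPrivateKey and the decrypt hunk, so a tag of any other length fails inside AesGcm (which checks against the constructor size) instead of being accepted. Separately, the constructor guard passes `nameof(options.KeyDerivationIterations)` as paramName, which yields the property name; the parameter being validated is `options`, so `nameof(options)` is the conventional value, with the property named in the message. Both the encrypt and decrypt methods extend outside their hunks.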


@@ -16,12 +16,12 @@ public sealed class FileKmsOptions
public required string Password { get; set; }
/// <summary>
/// Signing algorithm identifier (default ED25519).
/// Signing algorithm identifier (default ES256).
/// </summary>
public string Algorithm { get; set; } = KmsAlgorithms.Es256;
/// <summary>
/// PBKDF2 iteration count for envelope encryption.
/// </summary>
public int KeyDerivationIterations { get; set; } = 100_000;
public int KeyDerivationIterations { get; set; } = 600_000;
}
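Review bot: The XML summary on `KeyDerivationIterations` still reads as if any count is acceptable, while the new default of 600_000 is also the floor that `FileKmsClient` enforces with an ArgumentOutOfRangeException in its constructor. Extend the summary so callers learn the constraint from the options type rather than from the exception, e.g. `/// PBKDF2 iteration count for envelope encryption. Must be at least 600,000; lower values are rejected when the client is constructed.` The corrected default in the `Algorithm` summary matches the `KmsAlgorithms.Es256` initializer and needs nothing further.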


@@ -3,7 +3,7 @@
## Sprint 72 Abstractions & File Driver
| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
|----|--------|----------|------------|-------------|---------------|
| KMS-72-001 | DOING (2025-10-29) | KMS Guild | — | Implement KMS interface (sign, verify, metadata, rotate, revoke) and file-based key driver with encrypted at-rest storage. | Interface + file driver operational; unit tests cover sign/verify/rotation; lint passes.<br>2025-10-29: `FileKmsClient` (ES256) file driver scaffolding committed under `StellaOps.Cryptography.Kms`; includes disk encryption + unit tests. Follow-up: address PBKDF2/AesGcm warnings and wire into Authority services. |
| KMS-72-001 | DOING (2025-10-29) | KMS Guild | — | Implement KMS interface (sign, verify, metadata, rotate, revoke) and file-based key driver with encrypted at-rest storage. | Interface + file driver operational; unit tests cover sign/verify/rotation; lint passes.<br>2025-10-29: `FileKmsClient` (ES256) file driver scaffolding committed under `StellaOps.Cryptography.Kms`; includes disk encryption + unit tests. Follow-up: address PBKDF2/AesGcm warnings and wire into Authority services.<br>2025-10-29 18:40Z: Hardened PBKDF2 iteration floor (≥600k), switched to tag-size explicit `AesGcm` usage, removed transient array allocations, and refreshed unit tests (`StellaOps.Cryptography.Kms.Tests`). |
| KMS-72-002 | TODO | KMS Guild | KMS-72-001 | Add CLI support for importing/exporting file-based keys with password protection. | CLI commands functional; docs updated; integration tests pass. |
## Sprint 73 Cloud & HSM Integration