devops folders consolidate

deploy/tools/security/attest/build-attestation-bundle.sh

@@ -0,0 +1,63 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# DEVOPS-ATTEST-74-002: package attestation outputs into an offline bundle with checksums.
+
+if [[ $# -lt 1 ]]; then
+  echo "Usage: $0 <attest-dir> [bundle-out]" >&2
+  exit 64
+fi
+
+ATTEST_DIR=$1
+BUNDLE_OUT=${2:-"out/attest-bundles"}
+
+if [[ ! -d "$ATTEST_DIR" ]]; then
+  echo "[attest-bundle] attestation directory not found: $ATTEST_DIR" >&2
+  exit 66
+fi
+
+mkdir -p "$BUNDLE_OUT"
+
+TS=$(date -u +"%Y%m%dT%H%M%SZ")
+BUNDLE_NAME="attestation-bundle-${TS}"
+WORK_DIR="${BUNDLE_OUT}/${BUNDLE_NAME}"
+mkdir -p "$WORK_DIR"
+
+copy_if_exists() {
+  local pattern="$1"
+  shopt -s nullglob
+  local files=("$ATTEST_DIR"/$pattern)
+  if (( ${#files[@]} > 0 )); then
+    cp "${files[@]}" "$WORK_DIR/"
+  fi
+  shopt -u nullglob
+}
+
+# Collect common attestation artefacts
+copy_if_exists "*.dsse.json"
+copy_if_exists "*.in-toto.jsonl"
+copy_if_exists "*.sarif"
+copy_if_exists "*.intoto.json"
+copy_if_exists "*.rekor.txt"
+copy_if_exists "*.sig"
+copy_if_exists "*.crt"
+copy_if_exists "*.pem"
+copy_if_exists "*.json"
+
+# Manifest
+cat > "${WORK_DIR}/manifest.json" <<EOF
+{
+  "created_at": "$(date -u +"%Y-%m-%dT%H:%M:%SZ")",
+  "source_dir": "${ATTEST_DIR}",
+  "files": $(ls -1 "${WORK_DIR}" | jq -R . | jq -s .)
+}
+EOF
+
+# Checksums
+(
+  cd "$WORK_DIR"
+  sha256sum * > SHA256SUMS
+)
+
+tar -C "$BUNDLE_OUT" -czf "${WORK_DIR}.tgz" "${BUNDLE_NAME}"
+echo "[attest-bundle] bundle created at ${WORK_DIR}.tgz"

deploy/tools/security/cosign/README.md

@@ -0,0 +1,124 @@
+# Cosign binaries (runtime/signals signing)
+
+## Preferred (system)
+- Version: `v3.0.2`
+- Path: `/usr/local/bin/cosign` (installed on WSL Debian host)
+- Breaking change: v3 requires `--bundle <file>` when signing blobs; older `--output-signature`/`--output-certificate` pairs are deprecated.
+
+## Offline fallback (repo-pinned)
+- Version: `v2.6.0`
+- Binary: `tools/cosign/cosign` → `tools/cosign/v2.6.0/cosign-linux-amd64`
+- SHA256: `ea5c65f99425d6cfbb5c4b5de5dac035f14d09131c1a0ea7c7fc32eab39364f9`
+- Check: `cd tools/cosign/v2.6.0 && sha256sum -c cosign_checksums.txt --ignore-missing`
+
+## Usage examples
+- v3 DSSE blob: `cosign sign-blob --key cosign.key --predicate-type stella.ops/confidenceDecayConfig@v1 --bundle confidence_decay_config.sigstore.json decay/confidence_decay_config.yaml`
+- v3 verify: `cosign verify-blob --bundle confidence_decay_config.sigstore.json decay/confidence_decay_config.yaml`
+- To force offline fallback, export `PATH=./tools/cosign:$PATH` (ensures v2.6.0 is used).
+
+## CI Workflow: signals-dsse-sign.yml
+
+The `.gitea/workflows/signals-dsse-sign.yml` workflow automates DSSE signing for Signals artifacts.
+
+### Required Secrets
+| Secret | Description | Required |
+|--------|-------------|----------|
+| `COSIGN_PRIVATE_KEY_B64` | Base64-encoded cosign private key | Yes (for production) |
+| `COSIGN_PASSWORD` | Password for the private key | If key is encrypted |
+| `CI_EVIDENCE_LOCKER_TOKEN` | Token for Evidence Locker upload | Optional |
+
+### Trigger Options
+1. **Automatic**: On push to `main` when signals artifacts change
+2. **Manual**: Via workflow_dispatch with options:
+   - `out_dir`: Output directory (default: `evidence-locker/signals/2025-12-01`)
+   - `allow_dev_key`: Set to `1` for testing with dev key
+
+### Setting Up CI Secrets
+```bash
+# Generate production key pair (do this once, securely)
+cosign generate-key-pair
+
+# Base64 encode the private key
+cat cosign.key | base64 -w0 > cosign.key.b64
+
+# Add to Gitea secrets:
+# - COSIGN_PRIVATE_KEY_B64: contents of cosign.key.b64
+# - COSIGN_PASSWORD: password used during key generation
+```
+
+## CI / secrets (manual usage)
+- CI should provide a base64-encoded private key via secret `COSIGN_PRIVATE_KEY_B64` and optional password in `COSIGN_PASSWORD`.
+- Example bootstrap in jobs:
+  ```bash
+  echo "$COSIGN_PRIVATE_KEY_B64" | base64 -d > /tmp/cosign.key
+  chmod 600 /tmp/cosign.key
+  COSIGN_PASSWORD="${COSIGN_PASSWORD:-}" cosign version
+  ```
+- For local dev, copy your own key to `tools/cosign/cosign.key` or export `COSIGN_PRIVATE_KEY_B64` before running signing scripts. Never commit real keys; only `cosign.key.example` lives in git.
+
+## Development signing key
+
+A development key pair is provided for local testing and smoke tests:
+
+| File | Description |
+|------|-------------|
+| `tools/cosign/cosign.dev.key` | Private key (password-protected) |
+| `tools/cosign/cosign.dev.pub` | Public key for verification |
+
+### Usage
+```bash
+# Sign signals artifacts with dev key
+COSIGN_ALLOW_DEV_KEY=1 COSIGN_PASSWORD=stellaops-dev \
+  OUT_DIR=docs/modules/signals/dev-test \
+  tools/cosign/sign-signals.sh
+
+# Verify a signature
+cosign verify-blob \
+  --key tools/cosign/cosign.dev.pub \
+  --bundle docs/modules/signals/dev-test/confidence_decay_config.sigstore.json \
+  docs/modules/signals/decay/confidence_decay_config.yaml
+```
+
+### Security Notes
+- Password: `stellaops-dev` (do not reuse elsewhere)
+- **NOT** for production or Evidence Locker ingestion
+- Real signing requires the Signals Guild key via `COSIGN_PRIVATE_KEY_B64` (CI) or `tools/cosign/cosign.key` (local drop-in)
+- `sign-signals.sh` requires `COSIGN_ALLOW_DEV_KEY=1` to use the dev key; otherwise it refuses
+- The signing helper disables tlog upload (`--tlog-upload=false`) and auto-accepts prompts (`--yes`) for offline runs
+
+## Signing Scripts
+
+### sign-signals.sh
+Signs decay config, unknowns manifest, and heuristics catalog with DSSE envelopes.
+
+```bash
+# Production (CI secret or cosign.key drop-in)
+OUT_DIR=evidence-locker/signals/2025-12-01 tools/cosign/sign-signals.sh
+
+# Development (dev key)
+COSIGN_ALLOW_DEV_KEY=1 COSIGN_PASSWORD=stellaops-dev \
+  OUT_DIR=docs/modules/signals/dev-test \
+  tools/cosign/sign-signals.sh
+```
+
+### Key Resolution Order
+1. `COSIGN_KEY_FILE` environment variable
+2. `COSIGN_PRIVATE_KEY_B64` (decoded to temp file)
+3. `tools/cosign/cosign.key` (production drop-in)
+4. `tools/cosign/cosign.dev.key` (only if `COSIGN_ALLOW_DEV_KEY=1`)
+
+### sign-authority-gaps.sh
+Signs Authority gap artefacts (AU1–AU10, RR1–RR10) under `docs/modules/authority/gaps/artifacts/`.
+
+```
+# Production (Authority key via CI secret or cosign.key drop-in)
+OUT_DIR=docs/modules/authority/gaps/dsse/2025-12-04 tools/cosign/sign-authority-gaps.sh
+
+# Development (dev key, smoke only)
+COSIGN_ALLOW_DEV_KEY=1 COSIGN_PASSWORD=stellaops-dev \
+  OUT_DIR=docs/modules/authority/gaps/dev-smoke/2025-12-04 \
+  tools/cosign/sign-authority-gaps.sh
+```
+
+- Outputs bundles or dsse signatures plus `SHA256SUMS` in `OUT_DIR`.
+- tlog upload disabled (`--tlog-upload=false`) and prompts auto-accepted (`--yes`) for offline use.

deploy/tools/security/cosign/cosign

@@ -0,0 +1 @@
+v2.6.0/cosign-linux-amd64

deploy/tools/security/cosign/cosign.dev.key

@@ -0,0 +1,11 @@
+-----BEGIN ENCRYPTED SIGSTORE PRIVATE KEY-----
+eyJrZGYiOnsibmFtZSI6InNjcnlwdCIsInBhcmFtcyI6eyJOIjo2NTUzNiwiciI6
+OCwicCI6MX0sInNhbHQiOiJ5dlhpaXliR2lTR0NPS2x0Q2M1dlFhTy91S3pBVzNs
+Skl3QTRaU2dEMTAwPSJ9LCJjaXBoZXIiOnsibmFtZSI6Im5hY2wvc2VjcmV0Ym94
+Iiwibm9uY2UiOiIyNHA0T2xJZnJxdnhPVnM3dlY2MXNwVGpkNk80cVBEVCJ9LCJj
+aXBoZXJ0ZXh0IjoiTHRWSGRqVi94MXJrYXhscGxJbVB5dkVtc2NBYTB5dW5oakZ5
+UUFiZ1RSNVdZL3lCS0tYMWdFb09hclZDWksrQU0yY0tIM2tJQWlJNWlMd1AvV3c5
+Q3k2SVY1ek4za014cExpcjJ1QVZNV3c3Y3BiYUhnNjV4TzNOYkEwLzJOSi84R0dN
+NWt1QXhJRWsraER3ZWJ4Tld4WkRtNEZ4NTJVcVJxa2NPT09vNk9xWXB4OWFMaVZw
+RjgzRElGZFpRK2R4K05RUnUxUmNrKzBtOHc9PSJ9
+-----END ENCRYPTED SIGSTORE PRIVATE KEY-----

deploy/tools/security/cosign/cosign.dev.pub

@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEfoI+9RFCTcfjeMqpCQ3FAyvKwBQU
+YAIM2cfDR8W98OxnXV+gfV5Dhfoi8qofAnG/vC7DbBlX2t/gT7GKUZAChA==
+-----END PUBLIC KEY-----

deploy/tools/security/cosign/cosign.key.example

@@ -0,0 +1,8 @@
+# Placeholder development cosign key
+#
+# Do not use in production. Generate your own:
+#   cosign generate-key-pair
+#
+# Store the private key securely (e.g., CI secret COSIGN_PRIVATE_KEY_B64).
+#
+# This file exists only as a path stub for tooling; it is not a real key.

deploy/tools/security/cosign/v2.6.0/cosign_checksums.txt

@@ -0,0 +1,40 @@
+e8c634db1252725eabfd517f02e6ebf0d07bfba5b4779d7b45ef373ceff07b38  cosign-2.6.0-1.aarch64.rpm
+9de55601c34fe7a8eaecb7a2fab93da032dd91d423a04ae6ac17e3f5ed99ec72  cosign-2.6.0-1.armv7hl.rpm
+f7281a822306c35f2bd66c055ba6f77a7298de3375a401b12664035b8b323fdf  cosign-2.6.0-1.ppc64le.rpm
+814b890a07b56bcc6a42dfdf9004fadfe45c112e9b11a0c2f4ebf45568e72b4c  cosign-2.6.0-1.riscv64.rpm
+19241a09cc065f062d63a9c9ce45ed7c7ff839b93672be4688334b925809d266  cosign-2.6.0-1.s390x.rpm
+52709467f072043f24553c6dd1e0f287eeeedb23340dd90a4438b8506df0a0bc  cosign-2.6.0-1.x86_64.rpm
+83b0fb42bc265e62aef7de49f4979b7957c9b7320d362a9f20046b2f823330f3  cosign-darwin-amd64
+3bcbcfc41d89e162e47ba08f70ffeffaac567f663afb3545c0265a5041ce652d  cosign-darwin-amd64_2.6.0_darwin_amd64.sbom.json
+dea5b83b8b375b99ac803c7bdb1f798963dbeb47789ceb72153202e7f20e8d07  cosign-darwin-arm64
+c09a84869eb31fcf334e54d0a9f81bf466ba7444dc975a8fe46b94d742288980  cosign-darwin-arm64_2.6.0_darwin_arm64.sbom.json
+ea5c65f99425d6cfbb5c4b5de5dac035f14d09131c1a0ea7c7fc32eab39364f9  cosign-linux-amd64
+b4ccc276a5cc326f87d81fd1ae12f12a8dba64214ec368a39401522cccae7f9a  cosign-linux-amd64_2.6.0_linux_amd64.sbom.json
+641e05c21ce423cd263a49b1f9ffca58e2df022cb12020dcea63f8317c456950  cosign-linux-arm
+e09684650882fd721ed22b716ffc399ee11426cd4d1c9b4fec539cba8bf46b86  cosign-linux-arm64
+d05d37f6965c3f3c77260171289281dbf88d1f2b07e865bf9d4fd94d9f2fe5c4  cosign-linux-arm64_2.6.0_linux_arm64.sbom.json
+1b8b96535a7c30dbecead51ac3f51f559b31d8ab1dd4842562f857ebb1941fa5  cosign-linux-arm_2.6.0_linux_arm.sbom.json
+6fa93dbd97664ccce6c3e5221e22e14547b0d202ba829e2b34a3479266b33751  cosign-linux-pivkey-pkcs11key-amd64
+17b9803701f5908476d5904492b7a4d1568b86094c3fbb5a06afaa62a6910e8c  cosign-linux-pivkey-pkcs11key-amd64_2.6.0_linux_amd64.sbom.json
+fbb78394e6fc19a2f34fea4ba03ea796aca84b666b6cdf65f46775f295fc9103  cosign-linux-pivkey-pkcs11key-arm64
+35ac308bd9c59844e056f6251ab76184bfc321cb1b3ac337fdb94a9a289d4d44  cosign-linux-pivkey-pkcs11key-arm64_2.6.0_linux_arm64.sbom.json
+bd9cc643ec8a517ca66b22221b830dc9d6064bd4f3b76579e4e28b6af5cfba5f  cosign-linux-ppc64le
+ef04b0e087b95ce1ba7a902ecc962e50bfc974da0bd6b5db59c50880215a3f06  cosign-linux-ppc64le_2.6.0_linux_ppc64le.sbom.json
+17c8ff6a5dc48d3802b511c3eb7495da6142397ace28af9a1baa58fb34fad75c  cosign-linux-riscv64
+2007628a662808f221dc1983d9fba2676df32bb98717f89360cd191c929492ba  cosign-linux-riscv64_2.6.0_linux_riscv64.sbom.json
+7f7f042e7131950c658ff87079ac9080e7d64392915f06811f06a96238c242c1  cosign-linux-s390x
+e22a35083b21552c80bafb747c022aa2aad302c861a392199bc2a8fad22dd6b5  cosign-linux-s390x_2.6.0_linux_s390x.sbom.json
+7beb4dd1e19a72c328bbf7c0d7342d744edbf5cbb082f227b2b76e04a21c16ef  cosign-windows-amd64.exe
+8110eab8c5842caf93cf05dd26f260b6836d93b0263e49e06c1bd22dd5abb82c  cosign-windows-amd64.exe_2.6.0_windows_amd64.sbom.json
+7713d587f8668ce8f2a48556ee17f47c281cfb90102adfdb7182de62bc016cab  cosign_2.6.0_aarch64.apk
+c51b6437559624ef88b29a1ddd88d0782549b585dbbae0a5cb2fcc02bec72687  cosign_2.6.0_amd64.deb
+438baaa35101e9982081c6450a44ea19e04cd4d2aba283ed52242e451736990b  cosign_2.6.0_arm64.deb
+8dc33858a68e18bf0cc2cb18c2ba0a7d829aa59ad3125366b24477e7d6188024  cosign_2.6.0_armhf.deb
+88397077deee943690033276eef5206f7c60a30ea5f6ced66a51601ce79d0d0e  cosign_2.6.0_armv7.apk
+ca45b82cde86634705187f2361363e67c70c23212283594ff942d583a543f9dd  cosign_2.6.0_ppc64el.deb
+497f1a6d3899493153a4426286e673422e357224f3f931fdc028455db2fb5716  cosign_2.6.0_ppc64le.apk
+1e37d9c3d278323095899897236452858c0bc49b52a48c3bcf8ce7a236bf2ee1  cosign_2.6.0_riscv64.apk
+f2f65cf3d115fa5b25c61f6692449df2f4da58002a99e3efacc52a848fd3bca8  cosign_2.6.0_riscv64.deb
+af0a62231880fd3495bbd1f5d4c64384034464b80930b7ffcd819d7152e75759  cosign_2.6.0_s390x.apk
+e282d9337e4ba163a48ff1175855a6f6d6fbb562bc6c576c93944a6126984203  cosign_2.6.0_s390x.deb
+382a842b2242656ecd442ae461c4dc454a366ed50d41a2dafcce8b689bfd03e4  cosign_2.6.0_x86_64.apk

deploy/tools/security/crypto/download-cryptopro-playwright.cjs

@@ -0,0 +1,220 @@
+#!/usr/bin/env node
+/**
+ * CryptoPro CSP downloader (Playwright-driven).
+ *
+ * Navigates cryptopro.ru downloads page, optionally fills login form, and selects
+ * Linux packages (.rpm/.deb/.tar.gz/.tgz/.bin) under the CSP Linux section.
+ *
+ * Environment:
+ *  - CRYPTOPRO_URL (default: https://cryptopro.ru/products/csp/downloads#latest_csp50r3_linux)
+ *  - CRYPTOPRO_EMAIL / CRYPTOPRO_PASSWORD (default demo creds: contact@stella-ops.org / Hoko33JD3nj3aJD.)
+ *  - CRYPTOPRO_DRY_RUN (default: 1) -> list candidates, do not download
+ *  - CRYPTOPRO_OUTPUT_DIR (default: /opt/cryptopro/downloads)
+ *  - CRYPTOPRO_OUTPUT_FILE (optional: force a specific output filename/path)
+ *  - CRYPTOPRO_UNPACK (default: 0) -> attempt to unpack tar.gz/tgz/rpm/deb
+ */
+
+const path = require('path');
+const fs = require('fs');
+const { spawnSync } = require('child_process');
+const { chromium } = require('playwright-chromium');
+
+const url = process.env.CRYPTOPRO_URL || 'https://cryptopro.ru/products/csp/downloads#latest_csp50r3_linux';
+const email = process.env.CRYPTOPRO_EMAIL || 'contact@stella-ops.org';
+const password = process.env.CRYPTOPRO_PASSWORD || 'Hoko33JD3nj3aJD.';
+const dryRun = (process.env.CRYPTOPRO_DRY_RUN || '1') !== '0';
+const outputDir = process.env.CRYPTOPRO_OUTPUT_DIR || '/opt/cryptopro/downloads';
+const outputFile = process.env.CRYPTOPRO_OUTPUT_FILE;
+const unpack = (process.env.CRYPTOPRO_UNPACK || '0') === '1';
+const navTimeout = parseInt(process.env.CRYPTOPRO_NAV_TIMEOUT || '60000', 10);
+
+const linuxPattern = /\.(rpm|deb|tar\.gz|tgz|bin)(\?|$)/i;
+const debugLinks = (process.env.CRYPTOPRO_DEBUG || '0') === '1';
+
+function log(msg) {
+  process.stdout.write(`${msg}\n`);
+}
+
+function warn(msg) {
+  process.stderr.write(`[WARN] ${msg}\n`);
+}
+
+async function maybeLogin(page) {
+  const emailSelector = 'input[type="email"], input[name*="email" i], input[name*="login" i], input[name="name"]';
+  const passwordSelector = 'input[type="password"], input[name*="password" i]';
+  const submitSelector = 'button[type="submit"], input[type="submit"]';
+
+  const emailInput = await page.$(emailSelector);
+  const passwordInput = await page.$(passwordSelector);
+  if (emailInput && passwordInput) {
+    log('[login] Form detected; submitting credentials');
+    await emailInput.fill(email);
+    await passwordInput.fill(password);
+    const submit = await page.$(submitSelector);
+    if (submit) {
+      await Promise.all([
+        page.waitForNavigation({ waitUntil: 'networkidle', timeout: 15000 }).catch(() => {}),
+        submit.click()
+      ]);
+    } else {
+      await passwordInput.press('Enter');
+      await page.waitForTimeout(2000);
+    }
+  } else {
+    log('[login] No login form detected; continuing anonymously');
+  }
+}
+
+async function findLinuxLinks(page) {
+  const targets = [page, ...page.frames()];
+  const hrefs = [];
+
+  // Collect href/data-href/data-url across main page + frames
+  for (const target of targets) {
+    try {
+      const collected = await target.$$eval('a[href], [data-href], [data-url]', (els) =>
+        els
+          .map((el) => el.getAttribute('href') || el.getAttribute('data-href') || el.getAttribute('data-url'))
+          .filter((href) => typeof href === 'string')
+      );
+      hrefs.push(...collected);
+    } catch (err) {
+      warn(`[scan] Failed to collect links from frame: ${err.message}`);
+    }
+  }
+
+  const unique = Array.from(new Set(hrefs));
+  return unique.filter((href) => linuxPattern.test(href));
+}
+
+function unpackIfSupported(filePath) {
+  if (!unpack) {
+    return;
+  }
+  const cwd = path.dirname(filePath);
+  if (filePath.endsWith('.tar.gz') || filePath.endsWith('.tgz')) {
+    const res = spawnSync('tar', ['-xzf', filePath, '-C', cwd], { stdio: 'inherit' });
+    if (res.status === 0) {
+      log(`[unpack] Extracted ${filePath}`);
+    } else {
+      warn(`[unpack] Failed to extract ${filePath}`);
+    }
+  } else if (filePath.endsWith('.rpm')) {
+    const res = spawnSync('bash', ['-lc', `rpm2cpio "${filePath}" | cpio -idmv`], { stdio: 'inherit', cwd });
+    if (res.status === 0) {
+      log(`[unpack] Extracted RPM ${filePath}`);
+    } else {
+      warn(`[unpack] Failed to extract RPM ${filePath}`);
+    }
+  } else if (filePath.endsWith('.deb')) {
+    const res = spawnSync('dpkg-deb', ['-x', filePath, cwd], { stdio: 'inherit' });
+    if (res.status === 0) {
+      log(`[unpack] Extracted DEB ${filePath}`);
+    } else {
+      warn(`[unpack] Failed to extract DEB ${filePath}`);
+    }
+  } else if (filePath.endsWith('.bin')) {
+    const res = spawnSync('chmod', ['+x', filePath], { stdio: 'inherit' });
+    if (res.status === 0) {
+      log(`[unpack] Marked ${filePath} as executable (self-extract expected)`);
+    } else {
+      warn(`[unpack] Could not mark ${filePath} executable`);
+    }
+  } else {
+    warn(`[unpack] Skipping unsupported archive type for ${filePath}`);
+  }
+}
+
+async function main() {
+  if (email === 'contact@stella-ops.org' && password === 'Hoko33JD3nj3aJD.') {
+    warn('Using default demo credentials; set CRYPTOPRO_EMAIL/CRYPTOPRO_PASSWORD to real customer creds.');
+  }
+
+  const browser = await chromium.launch({ headless: true });
+  const context = await browser.newContext({
+    acceptDownloads: true,
+    httpCredentials: { username: email, password }
+  });
+  const page = await context.newPage();
+  log(`[nav] Opening ${url}`);
+  try {
+    await page.goto(url, { waitUntil: 'networkidle', timeout: navTimeout });
+  } catch (err) {
+    warn(`[nav] Navigation at networkidle failed (${err.message}); retrying with waitUntil=load`);
+    await page.goto(url, { waitUntil: 'load', timeout: navTimeout });
+  }
+  log(`[nav] Landed on ${page.url()}`);
+  await maybeLogin(page);
+  await page.waitForTimeout(2000);
+
+  const loginGate =
+    page.url().includes('/user') ||
+    (await page.$('form#user-login, form[id*="user-login"], .captcha, #captcha-container'));
+  if (loginGate) {
+    warn('[auth] Login/captcha gate detected on downloads page; automated fetch blocked. Provide session/cookies or run headful to solve manually.');
+    await browser.close();
+    return 2;
+  }
+
+  let links = await findLinuxLinks(page);
+  if (links.length === 0) {
+    await page.waitForTimeout(1500);
+    await page.evaluate(() => window.scrollTo(0, document.body.scrollHeight));
+    await page.waitForTimeout(2000);
+    links = await findLinuxLinks(page);
+  }
+  if (links.length === 0) {
+    if (debugLinks) {
+      const targetDir = outputFile ? path.dirname(outputFile) : outputDir;
+      await fs.promises.mkdir(targetDir, { recursive: true });
+      const debugHtml = path.join(targetDir, 'cryptopro-download-page.html');
+      await fs.promises.writeFile(debugHtml, await page.content(), 'utf8');
+      log(`[debug] Saved page HTML to ${debugHtml}`);
+      const allLinks = await page.$$eval('a[href], [data-href], [data-url]', (els) =>
+        els
+          .map((el) => el.getAttribute('href') || el.getAttribute('data-href') || el.getAttribute('data-url'))
+          .filter((href) => typeof href === 'string')
+      );
+      log(`[debug] Total link-like attributes: ${allLinks.length}`);
+      allLinks.slice(0, 20).forEach((href, idx) => log(`  [all ${idx + 1}] ${href}`));
+    }
+    warn('No Linux download links found on page.');
+    await browser.close();
+    return 1;
+  }
+
+  log(`[scan] Found ${links.length} Linux candidate links`);
+  links.slice(0, 10).forEach((href, idx) => log(`  [${idx + 1}] ${href}`));
+
+  if (dryRun) {
+    log('[mode] Dry-run enabled; not downloading. Set CRYPTOPRO_DRY_RUN=0 to fetch.');
+    await browser.close();
+    return 0;
+  }
+
+  const target = links[0];
+  log(`[download] Fetching ${target}`);
+  const [download] = await Promise.all([
+    page.waitForEvent('download', { timeout: 30000 }),
+    page.goto(target).catch(() => page.click(`a[href="${target}"]`).catch(() => {}))
+  ]);
+
+  const targetDir = outputFile ? path.dirname(outputFile) : outputDir;
+  await fs.promises.mkdir(targetDir, { recursive: true });
+  const suggested = download.suggestedFilename();
+  const outPath = outputFile ? outputFile : path.join(outputDir, suggested);
+  await download.saveAs(outPath);
+  log(`[download] Saved to ${outPath}`);
+
+  unpackIfSupported(outPath);
+
+  await browser.close();
+  return 0;
+}
+
+main()
+  .then((code) => process.exit(code))
+  .catch((err) => {
+    console.error(err);
+    process.exit(1);
+  });

deploy/tools/security/crypto/package-rootpack-ru.sh

@@ -0,0 +1,69 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+ROOT_DIR="$(git rev-parse --show-toplevel)"
+TIMESTAMP="$(date -u +%Y%m%dT%H%M%SZ)"
+OUTPUT_ROOT="${1:-${ROOT_DIR}/build/rootpack_ru_${TIMESTAMP}}"
+ARTIFACT_DIR="${OUTPUT_ROOT}/artifacts"
+DOC_DIR="${OUTPUT_ROOT}/docs"
+CONFIG_DIR="${OUTPUT_ROOT}/config"
+TRUST_DIR="${OUTPUT_ROOT}/trust"
+
+mkdir -p "$ARTIFACT_DIR" "$DOC_DIR" "$CONFIG_DIR" "$TRUST_DIR"
+
+publish_plugin() {
+    local project="$1"
+    local name="$2"
+    local publish_dir="${ARTIFACT_DIR}/${name}"
+    echo "[rootpack-ru] Publishing ${project} -> ${publish_dir}"
+    dotnet publish "$project" -c Release -o "$publish_dir" --nologo >/dev/null
+}
+
+publish_plugin "src/__Libraries/StellaOps.Cryptography.Plugin.CryptoPro/StellaOps.Cryptography.Plugin.CryptoPro.csproj" "StellaOps.Cryptography.Plugin.CryptoPro"
+publish_plugin "src/__Libraries/StellaOps.Cryptography.Plugin.Pkcs11Gost/StellaOps.Cryptography.Plugin.Pkcs11Gost.csproj" "StellaOps.Cryptography.Plugin.Pkcs11Gost"
+
+cp docs/security/rootpack_ru_validation.md "$DOC_DIR/"
+cp docs/security/crypto-routing-audit-2025-11-07.md "$DOC_DIR/"
+cp docs/security/rootpack_ru_package.md "$DOC_DIR/"
+cp etc/rootpack/ru/crypto.profile.yaml "$CONFIG_DIR/rootpack_ru.crypto.yaml"
+
+if [ "${INCLUDE_GOST_VALIDATION:-1}" != "0" ]; then
+    candidate="${OPENSSL_GOST_LOG_DIR:-}"
+    if [ -z "$candidate" ]; then
+        candidate="$(ls -d "${ROOT_DIR}"/logs/openssl_gost_validation_* "${ROOT_DIR}"/logs/rootpack_ru_*/openssl_gost 2>/dev/null | sort | tail -n 1 || true)"
+    fi
+
+    if [ -n "$candidate" ] && [ -d "$candidate" ]; then
+        mkdir -p "${DOC_DIR}/gost-validation"
+        cp -r "$candidate" "${DOC_DIR}/gost-validation/latest"
+    fi
+fi
+
+shopt -s nullglob
+for pem in "$ROOT_DIR"/certificates/russian_trusted_*; do
+    cp "$pem" "$TRUST_DIR/"
+done
+shopt -u nullglob
+
+cat <<README >"${OUTPUT_ROOT}/README.txt"
+RootPack_RU bundle (${TIMESTAMP})
+--------------------------------
+Contents:
+  - artifacts/ : Sovereign crypto plug-ins published for net10.0 (CryptoPro + PKCS#11)
+  - config/rootpack_ru.crypto.yaml : example configuration binding registry profiles
+  - docs/ : validation + audit documentation
+  - trust/ : Russian trust anchor PEM bundle copied from certificates/
+
+Usage:
+  1. Review docs/rootpack_ru_package.md for installation steps.
+  2. Execute scripts/crypto/run-rootpack-ru-tests.sh (or CI equivalent) and attach the logs to this bundle.
+  3. Record hardware validation outputs per docs/rootpack_ru_validation.md and store alongside this directory.
+README
+
+if [[ "${PACKAGE_TAR:-1}" != "0" ]]; then
+    tarball="${OUTPUT_ROOT}.tar.gz"
+    echo "[rootpack-ru] Creating ${tarball}"
+    tar -czf "$tarball" -C "$(dirname "$OUTPUT_ROOT")" "$(basename "$OUTPUT_ROOT")"
+fi
+
+echo "[rootpack-ru] Bundle staged under $OUTPUT_ROOT"

deploy/tools/security/crypto/run-cryptopro-tests.ps1

@@ -0,0 +1,25 @@
+param(
+    [string]$Configuration = "Release"
+)
+
+if (-not $IsWindows) {
+    Write-Host "CryptoPro tests require Windows" -ForegroundColor Yellow
+    exit 0
+}
+
+if (-not (Get-Command dotnet -ErrorAction SilentlyContinue)) {
+    Write-Host "dotnet SDK not found" -ForegroundColor Red
+    exit 1
+}
+
+# Opt-in flag to avoid accidental runs on agents without CryptoPro CSP installed
+$env:STELLAOPS_CRYPTO_PRO_ENABLED = "1"
+
+Write-Host "Running CryptoPro-only tests..." -ForegroundColor Cyan
+
+pushd $PSScriptRoot\..\..
+try {
+    dotnet test src/__Libraries/__Tests/StellaOps.Cryptography.Tests/StellaOps.Cryptography.Tests.csproj -c $Configuration --filter CryptoProGostSignerTests
+} finally {
+    popd
+}

deploy/tools/security/crypto/run-rootpack-ru-tests.sh

@@ -0,0 +1,96 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+ROOT_DIR="$(git rev-parse --show-toplevel)"
+DEFAULT_LOG_ROOT="${ROOT_DIR}/logs/rootpack_ru_$(date -u +%Y%m%dT%H%M%SZ)"
+LOG_ROOT="${ROOTPACK_LOG_DIR:-$DEFAULT_LOG_ROOT}"
+ALLOW_PARTIAL="${ALLOW_PARTIAL:-1}"
+mkdir -p "$LOG_ROOT"
+
+PROJECTS=(
+    "src/__Libraries/__Tests/StellaOps.Cryptography.Tests/StellaOps.Cryptography.Tests.csproj"
+    "src/Scanner/__Tests/StellaOps.Scanner.Worker.Tests/StellaOps.Scanner.Worker.Tests.csproj"
+    "src/Scanner/__Tests/StellaOps.Scanner.Sbomer.BuildXPlugin.Tests/StellaOps.Scanner.Sbomer.BuildXPlugin.Tests.csproj"
+)
+if [ "${RUN_SCANNER:-1}" != "1" ]; then
+    PROJECTS=("${PROJECTS[0]}")
+    echo "[rootpack-ru] RUN_SCANNER=0 set; skipping scanner test suites"
+fi
+
+run_test() {
+    local project="$1"
+    local extra_props=""
+
+    if [ "${STELLAOPS_ENABLE_CRYPTO_PRO:-""}" = "1" ]; then
+        extra_props+=" /p:StellaOpsEnableCryptoPro=true"
+    fi
+
+    if [ "${STELLAOPS_ENABLE_PKCS11:-""}" = "1" ]; then
+        extra_props+=" /p:StellaOpsEnablePkcs11=true"
+    fi
+    local safe_name
+    safe_name="$(basename "${project%.csproj}")"
+    local log_file="${LOG_ROOT}/${safe_name}.log"
+    local trx_name="${safe_name}.trx"
+
+    echo "[rootpack-ru] Running tests for ${project}" | tee "$log_file"
+    dotnet test "$project" \
+        --nologo \
+        --verbosity minimal \
+        --results-directory "$LOG_ROOT" \
+        --logger "trx;LogFileName=${trx_name}" ${extra_props} | tee -a "$log_file"
+}
+
+PROJECT_SUMMARY=()
+for project in "${PROJECTS[@]}"; do
+    safe_name="$(basename "${project%.csproj}")"
+        if run_test "$project"; then
+            PROJECT_SUMMARY+=("$project|$safe_name|PASS")
+            echo "[rootpack-ru] Wrote logs for ${project} -> ${LOG_ROOT}/${safe_name}.log"
+        else
+            PROJECT_SUMMARY+=("$project|$safe_name|FAIL")
+            echo "[rootpack-ru] Test run failed for ${project}; see ${LOG_ROOT}/${safe_name}.log"
+            if [ "${ALLOW_PARTIAL}" != "1" ]; then
+                echo "[rootpack-ru] ALLOW_PARTIAL=0; aborting harness."
+                exit 1
+            fi
+        fi
+    done
+
+GOST_SUMMARY="skipped (docker not available)"
+if [ "${RUN_GOST_VALIDATION:-1}" = "1" ]; then
+    if command -v docker >/dev/null 2>&1; then
+        echo "[rootpack-ru] Running OpenSSL GOST validation harness"
+        OPENSSL_GOST_LOG_DIR="${LOG_ROOT}/openssl_gost"
+        if OPENSSL_GOST_LOG_DIR="${OPENSSL_GOST_LOG_DIR}" bash "${ROOT_DIR}/scripts/crypto/validate-openssl-gost.sh"; then
+            if [ -d "${OPENSSL_GOST_LOG_DIR}" ] && [ -f "${OPENSSL_GOST_LOG_DIR}/summary.txt" ]; then
+                GOST_SUMMARY="$(cat "${OPENSSL_GOST_LOG_DIR}/summary.txt")"
+            else
+                GOST_SUMMARY="completed (see logs/openssl_gost_validation_*)"
+            fi
+        else
+            GOST_SUMMARY="failed (see logs/openssl_gost_validation_*)"
+        fi
+    else
+        echo "[rootpack-ru] Docker not available; skipping OpenSSL GOST validation."
+    fi
+fi
+
+{
+    echo "RootPack_RU deterministic test harness"
+    echo "Generated: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
+    echo "Log Directory: $LOG_ROOT"
+    echo ""
+    echo "Projects:"
+    for entry in "${PROJECT_SUMMARY[@]}"; do
+        project_path="${entry%%|*}"
+        rest="${entry#*|}"
+        safe_name="${rest%%|*}"
+        status="${rest##*|}"
+        printf ' - %s (log: %s.log, trx: %s.trx) [%s]\n' "$project_path" "$safe_name" "$safe_name" "$status"
+    done
+    echo ""
+    echo "GOST validation: ${GOST_SUMMARY}"
+} > "$LOG_ROOT/README.tests"
+
+echo "Logs and TRX files available under $LOG_ROOT"

deploy/tools/security/crypto/run-sim-smoke.ps1

@@ -0,0 +1,42 @@
+param(
+    [string] $BaseUrl = "http://localhost:5000",
+    [string] $SimProfile = "sm"
+)
+
+$ErrorActionPreference = "Stop"
+$repoRoot = Resolve-Path "$PSScriptRoot/../.."
+
+Push-Location $repoRoot
+$job = $null
+try {
+    Write-Host "Building sim service and smoke harness..."
+    dotnet build ops/crypto/sim-crypto-service/SimCryptoService.csproj -c Release | Out-Host
+    dotnet build ops/crypto/sim-crypto-smoke/SimCryptoSmoke.csproj -c Release | Out-Host
+
+    Write-Host "Starting sim service at $BaseUrl ..."
+    $job = Start-Job -ArgumentList $repoRoot, $BaseUrl -ScriptBlock {
+        param($path, $url)
+        Set-Location $path
+        $env:ASPNETCORE_URLS = $url
+        dotnet run --project ops/crypto/sim-crypto-service/SimCryptoService.csproj --no-build -c Release
+    }
+
+    Start-Sleep -Seconds 6
+
+    $env:STELLAOPS_CRYPTO_SIM_URL = $BaseUrl
+    $env:SIM_PROFILE = $SimProfile
+    Write-Host "Running smoke harness (profile=$SimProfile, url=$BaseUrl)..."
+    dotnet run --project ops/crypto/sim-crypto-smoke/SimCryptoSmoke.csproj --no-build -c Release
+    $exitCode = $LASTEXITCODE
+    if ($exitCode -ne 0) {
+        throw "Smoke harness failed with exit code $exitCode"
+    }
+}
+finally {
+    if ($job) {
+        Stop-Job $job -ErrorAction SilentlyContinue | Out-Null
+        Receive-Job $job -ErrorAction SilentlyContinue | Out-Null
+        Remove-Job $job -ErrorAction SilentlyContinue | Out-Null
+    }
+    Pop-Location
+}

deploy/tools/security/crypto/validate-openssl-gost.sh

@@ -0,0 +1,108 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+if ! command -v docker >/dev/null 2>&1; then
+    echo "[gost-validate] docker is required but not found on PATH" >&2
+    exit 1
+fi
+
+ROOT_DIR="$(git rev-parse --show-toplevel)"
+TIMESTAMP="$(date -u +%Y%m%dT%H%M%SZ)"
+LOG_ROOT="${OPENSSL_GOST_LOG_DIR:-${ROOT_DIR}/logs/openssl_gost_validation_${TIMESTAMP}}"
+IMAGE="${OPENSSL_GOST_IMAGE:-rnix/openssl-gost:latest}"
+MOUNT_PATH="${LOG_ROOT}"
+
+UNAME_OUT="$(uname -s || true)"
+case "${UNAME_OUT}" in
+    MINGW*|MSYS*|CYGWIN*)
+        if command -v wslpath >/dev/null 2>&1; then
+            # Docker Desktop on Windows prefers Windows-style mount paths.
+            MOUNT_PATH="$(wslpath -m "${LOG_ROOT}")"
+        fi
+        ;;
+    *)
+        MOUNT_PATH="${LOG_ROOT}"
+        ;;
+esac
+
+mkdir -p "${LOG_ROOT}"
+
+cat >"${LOG_ROOT}/message.txt" <<'EOF'
+StellaOps OpenSSL GOST validation message (md_gost12_256)
+EOF
+
+echo "[gost-validate] Using image ${IMAGE}"
+docker pull "${IMAGE}" >/dev/null
+
+CONTAINER_SCRIPT_PATH="${LOG_ROOT}/container-script.sh"
+
+cat > "${CONTAINER_SCRIPT_PATH}" <<'CONTAINER_SCRIPT'
+set -eu
+
+MESSAGE="/out/message.txt"
+
+openssl version -a > /out/openssl-version.txt
+openssl engine -c > /out/engine-list.txt
+
+openssl genpkey -engine gost -algorithm gost2012_256 -pkeyopt paramset:A -out /tmp/gost.key.pem >/dev/null
+openssl pkey -engine gost -in /tmp/gost.key.pem -pubout -out /out/gost.pub.pem >/dev/null
+
+DIGEST_LINE="$(openssl dgst -engine gost -md_gost12_256 "${MESSAGE}")"
+echo "${DIGEST_LINE}" > /out/digest.txt
+DIGEST="$(printf "%s" "${DIGEST_LINE}" | awk -F'= ' '{print $2}')"
+
+openssl dgst -engine gost -md_gost12_256 -sign /tmp/gost.key.pem -out /tmp/signature1.bin "${MESSAGE}"
+openssl dgst -engine gost -md_gost12_256 -sign /tmp/gost.key.pem -out /tmp/signature2.bin "${MESSAGE}"
+
+openssl dgst -engine gost -md_gost12_256 -verify /out/gost.pub.pem -signature /tmp/signature1.bin "${MESSAGE}" > /out/verify1.txt
+openssl dgst -engine gost -md_gost12_256 -verify /out/gost.pub.pem -signature /tmp/signature2.bin "${MESSAGE}" > /out/verify2.txt
+
+SIG1_SHA="$(sha256sum /tmp/signature1.bin | awk '{print $1}')"
+SIG2_SHA="$(sha256sum /tmp/signature2.bin | awk '{print $1}')"
+MSG_SHA="$(sha256sum "${MESSAGE}" | awk '{print $1}')"
+
+cp /tmp/signature1.bin /out/signature1.bin
+cp /tmp/signature2.bin /out/signature2.bin
+
+DETERMINISTIC_BOOL=false
+DETERMINISTIC_LABEL="no"
+if [ "${SIG1_SHA}" = "${SIG2_SHA}" ]; then
+  DETERMINISTIC_BOOL=true
+  DETERMINISTIC_LABEL="yes"
+fi
+
+cat > /out/summary.txt <<SUMMARY
+OpenSSL GOST validation (Linux engine)
+Image: ${VALIDATION_IMAGE:-unknown}
+Digest algorithm: md_gost12_256
+Message SHA256: ${MSG_SHA}
+Digest: ${DIGEST}
+Signature1 SHA256: ${SIG1_SHA}
+Signature2 SHA256: ${SIG2_SHA}
+Signatures deterministic: ${DETERMINISTIC_LABEL}
+SUMMARY
+
+cat > /out/summary.json <<SUMMARYJSON
+{
+  "image": "${VALIDATION_IMAGE:-unknown}",
+  "digest_algorithm": "md_gost12_256",
+  "message_sha256": "${MSG_SHA}",
+  "digest": "${DIGEST}",
+  "signature1_sha256": "${SIG1_SHA}",
+  "signature2_sha256": "${SIG2_SHA}",
+  "signatures_deterministic": ${DETERMINISTIC_BOOL}
+}
+SUMMARYJSON
+
+CONTAINER_SCRIPT
+
+docker run --rm \
+    -e VALIDATION_IMAGE="${IMAGE}" \
+    -v "${MOUNT_PATH}:/out" \
+    "${IMAGE}" /bin/sh "/out/$(basename "${CONTAINER_SCRIPT_PATH}")"
+
+rm -f "${CONTAINER_SCRIPT_PATH}"
+
+echo "[gost-validate] Artifacts written to ${LOG_ROOT}"
+echo "[gost-validate] Summary:"
+cat "${LOG_ROOT}/summary.txt"