Add authority bootstrap flows and Concelier ops runbooks

src/StellaOps.Cryptography.Tests/CryptoProviderRegistryTests.cs

@@ -41,20 +41,22 @@ public class CryptoProviderRegistryTests
 
         var registry = new CryptoProviderRegistry(new[] { providerA, providerB }, Array.Empty<string>());
 
-        var hintSigner = registry.ResolveSigner(
+        var hintResolution = registry.ResolveSigner(
             CryptoCapability.Signing,
             SignatureAlgorithms.Es256,
             new CryptoKeyReference("key-b"),
             preferredProvider: "providerB");
 
-        Assert.Equal("key-b", hintSigner.KeyId);
+        Assert.Equal("providerB", hintResolution.ProviderName);
+        Assert.Equal("key-b", hintResolution.Signer.KeyId);
 
-        var fallbackSigner = registry.ResolveSigner(
+        var fallbackResolution = registry.ResolveSigner(
             CryptoCapability.Signing,
             SignatureAlgorithms.Es256,
             new CryptoKeyReference("key-a"));
 
-        Assert.Equal("key-a", fallbackSigner.KeyId);
+        Assert.Equal("providerA", fallbackResolution.ProviderName);
+        Assert.Equal("key-a", fallbackResolution.Signer.KeyId);
     }
 
     private sealed class FakeCryptoProvider : ICryptoProvider

src/StellaOps.Cryptography.Tests/LibsodiumCryptoProviderTests.cs

@@ -0,0 +1,38 @@
+#if STELLAOPS_CRYPTO_SODIUM
+using System;
+using System.Security.Cryptography;
+using System.Text;
+using System.Threading.Tasks;
+using Xunit;
+
+namespace StellaOps.Cryptography.Tests;
+
+public class LibsodiumCryptoProviderTests
+{
+    [Fact]
+    public async Task LibsodiumProvider_SignsAndVerifiesEs256()
+    {
+        var provider = new LibsodiumCryptoProvider();
+        using var ecdsa = ECDsa.Create(ECCurve.NamedCurves.nistP256);
+        var parameters = ecdsa.ExportParameters(includePrivateParameters: true);
+
+        var signingKey = new CryptoSigningKey(
+            new CryptoKeyReference("libsodium-key"),
+            SignatureAlgorithms.Es256,
+            privateParameters: in parameters,
+            createdAt: DateTimeOffset.UtcNow);
+
+        provider.UpsertSigningKey(signingKey);
+
+        var signer = provider.GetSigner(SignatureAlgorithms.Es256, signingKey.Reference);
+
+        var payload = Encoding.UTF8.GetBytes("libsodium-test");
+        var signature = await signer.SignAsync(payload);
+
+        Assert.True(signature.Length > 0);
+
+        var verified = await signer.VerifyAsync(payload, signature);
+        Assert.True(verified);
+    }
+}
+#endif

src/StellaOps.Cryptography.Tests/StellaOps.Cryptography.Tests.csproj

@@ -5,6 +5,9 @@
     <ImplicitUsings>enable</ImplicitUsings>
     <IsPackable>false</IsPackable>
   </PropertyGroup>
+  <PropertyGroup Condition="'$(StellaOpsCryptoSodium)' == 'true'">
+    <DefineConstants>$(DefineConstants);STELLAOPS_CRYPTO_SODIUM</DefineConstants>
+  </PropertyGroup>
   <ItemGroup>
     <ProjectReference Include="..\StellaOps.Cryptography\StellaOps.Cryptography.csproj" />
   </ItemGroup>