Add support for ГОСТ Р 34.10 digital signatures

- Implemented the GostKeyValue class for handling public key parameters in ГОСТ Р 34.10 digital signatures.
- Created the GostSignedXml class to manage XML signatures using ГОСТ 34.10, including methods for computing and checking signatures.
- Developed the GostSignedXmlImpl class to encapsulate the signature computation logic and public key retrieval.
- Added specific key value classes for ГОСТ Р 34.10-2001, ГОСТ Р 34.10-2012/256, and ГОСТ Р 34.10-2012/512 to support different signature algorithms.
- Ensured compatibility with existing XML signature standards while integrating ГОСТ cryptography.

docs/implplan/archived/SPRINT_100_identity_signing.md

@@ -0,0 +1,52 @@
+# Sprint 100 - Identity & Signing
+
+_Last updated: November 9, 2025. Implementation order is DOING → TODO → BLOCKED._
+
+Active items are mirrored to `docs/implplan/archived/tasks.md` (refreshed 2025-11-09) now that Sprint 100 is closed.
+
+Sprint 100 tracks Identity & Signing readiness; sections below list only in-flight tasks.
+
+## 100.B) Authority.I
+Dependency: None specified; follow module prerequisites.
+Focus: Identity & Signing focus on Authority (phase I).
+
+| # | Task ID & handle | State | Key dependency / next step | Owners |
+| --- | --- | --- | --- | --- |
+| 1 | AUTH-AIRGAP-57-001 | DONE (2025-11-08) | Enforce sealed-mode CI gating by refusing token issuance when declared sealed install lacks sealing confirmation. (Deps: AUTH-AIRGAP-56-001, DEVOPS-AIRGAP-57-002.) | Authority Core & Security Guild, DevOps Guild (src/Authority/StellaOps.Authority) |
+| 2 | AUTH-PACKS-43-001 | DONE (2025-11-09) | Enforce pack signing policies, approval RBAC checks, CLI CI token scopes, and audit logging for approvals. (Deps: AUTH-PACKS-41-001, TASKRUN-42-001, ORCH-SVC-42-101.) | Authority Core & Security Guild (src/Authority/StellaOps.Authority) |
+
+## 100.B) Authority.II
+Dependency: None specified; follow module prerequisites.
+Focus: Identity & Signing focus on Authority (phase II).
+
+| # | Task ID & handle | State | Key dependency / next step | Owners |
+| --- | --- | --- | --- | --- |
+| 1 | AUTH-DPOP-11-001 | DONE (2025-11-08) | DPoP validation now runs for every `/token` grant, interactive tokens inherit `cnf.jkt`/sender claims, and docs/tests document the expanded coverage. (Deps: AUTH-AOC-19-002.) | Authority Core & Security Guild (src/Authority/StellaOps.Authority) |
+| 2 | AUTH-MTLS-11-002 | DONE (2025-11-08) | Refresh grants now enforce the original client certificate, tokens persist `x5t#S256`/hex metadata via shared helper, and docs/JWKS guidance call out the mTLS binding expectations. (Deps: AUTH-DPOP-11-001.) | Authority Core & Security Guild (src/Authority/StellaOps.Authority) |
+| 3 | PLG4-6.CAPABILITIES | DONE (2025-11-08) | Finalise capability metadata exposure, config validation, and developer guide updates; remaining action is Docs polish/diagram export. | BE-Auth Plugin, Docs Guild (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard) |
+| 4 | PLG6.DIAGRAM | DONE (2025-11-03) | Component + sequence diagrams rendered (Mermaid + SVG) and offline assets published under `docs/assets/authority`; dev guide now references final exports. | Docs Guild (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard) |
+| 5 | PLG7.RFC | DONE (2025-11-03) | LDAP plugin RFC reviewed; guild sign-off captured and follow-up implementation issues filed per review notes. | BE-Auth Plugin, Security Guild (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard) |
+| 6 | SEC2.PLG | DONE (2025-11-09) | StandardCredentialAuditLogger now pushes `authority.plugin.standard.password_verification` events via `IAuthEventSink`, pulling client/tenant/network metadata from `AuthorityCredentialAuditContextAccessor`; success/failure/lockout scenarios are covered by new unit tests. | Security Guild, Storage Guild (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard) |
+| 7 | SEC3.PLG | DONE (2025-11-09) | Lockout/rate-limit telemetry emits deterministic `plugin.retry_after_seconds` + `plugin.lockout_until` properties, maps failure codes to the extended `AuthEventOutcome` set, and is validated by updated credential store/audit logger tests. | Security Guild, BE-Auth Plugin (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard) |
+| 8 | SEC5.PLG | DONE (2025-11-09) | Plugin guide + threat model document bootstrap safeguards, Argon2 password policy expectations, and the credential audit contract (`plugin.*` properties) so SOC/offline reviewers can trace mitigations end-to-end. | Security Guild (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard) |
+| 9 | PLG7.IMPL-003 | DONE (2025-11-09) | Claims enricher ships with DN map + regex substitutions, Mongo claims cache (TTL + capacity enforcement) wired through DI, plus unit tests covering enrichment + cache eviction. | BE-Auth Plugin (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard) |
+| 10 | PLG7.IMPL-004 | DONE (2025-11-09) | LDAP plug-in now ships `clientProvisioning.*` options, a Mongo-audited `LdapClientProvisioningStore`, capability gating, and docs/tests covering LDAP writes + cache shims. | BE-Auth Plugin, DevOps Guild (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Ldap) |
+| 11 | PLG7.IMPL-005 | DONE (2025-11-09) | LDAP plug-in docs refreshed (mutual TLS, regex mappings, cache/audit mirror guidance), sample manifest updated, Offline Kit + release notes now reference the bundled plug-in assets. | BE-Auth Plugin, Docs Guild (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard) |
+| 12 | PLG7.IMPL-006 | DONE (2025-11-09) | LDAP bootstrap provisioning added (write probe, Mongo audit mirror, capability downgrade + health status) with docs/tests + sample manifest updates. | BE-Auth Plugin (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Ldap) |
+
+- 2025-11-08: PLG4-6.CAPABILITIES marked DONE – bootstrap capability surfaced in code/docs, registry logs updated, and bootstrap APIs now gate on providers that advertise it (`dotnet test` across plugins + Authority core).
+- 2025-11-08: AUTH-AIRGAP-57-001 landed — new `airGap.sealedMode` options, file-backed evidence ingestion, client metadata gating, docs/tests, and audit telemetry ensure sealed tenants cannot mint tokens until `authority-sealed-ci.json` passes.
+- 2025-11-09: PLG7.IMPL-003 + PLG7.IMPL-004 complete — LDAP claims enricher/cache + client provisioning store with audit mirror, LDAP DN escapes, DI wiring, and plugin docs/tests refreshed.
+- 2025-11-09: PLG7.IMPL-003 complete — LDAP claims enricher + Mongo cache wired (DI + tests), regex placeholder compatibility finalised, sample config/docs updated, and plugin tests green (`StellaOps.Authority.Plugin.Ldap.Tests`).
+- 2025-11-09: PLG7.IMPL-005 complete — Developer guide, sample manifest, Offline Kit notes, and release updates now cover LDAP mutual TLS, regex mappings, caching, and the audit mirror workflow.
+- 2025-11-09: PLG7.IMPL-006 complete — LDAP plug-in now provisions bootstrap users with hashed audit mirrors, capability probes that prove write access before advertising `clientProvisioning`/`bootstrap`, degraded health signalling when directories are read-only, updated docs, and passing targeted tests.
+- 2025-11-09: AUTH-PACKS-43-001 complete — Authority `/token` now requires `pack_run_id`/`pack_gate_id`/`pack_plan_hash` for `packs.approve`, scope handler enforces a 5‑minute fresh-auth window, docs (`docs/security/pack-signing-and-rbac.md`, `docs/task-packs/runbook.md`) describe the procedure, and CLI/tests cover the new claims.
+
+## 100.D) __Libraries
+Dependency: None specified; follow module prerequisites.
+Focus: Identity & Signing focus on __Libraries.
+
+| # | Task ID & handle | State | Key dependency / next step | Owners |
+| --- | --- | --- | --- | --- |
+| 1 | KMS-73-001 | DONE (2025-11-03) | AWS/GCP KMS drivers landed with digest-first signing, metadata caching, config samples, and docs/tests green. | KMS Guild (src/__Libraries/StellaOps.Cryptography.Kms) |
+| 2 | KMS-73-002 | DONE (2025-11-03) | PKCS#11 + FIDO2 drivers shipped (deterministic digesting, authenticator factories, DI extensions) with docs + xUnit fakes covering sign/verify/export flows. | KMS Guild (src/__Libraries/StellaOps.Cryptography.Kms) |