Add support for ГОСТ Р 34.10 digital signatures
- Implemented the GostKeyValue class for handling public key parameters in ГОСТ Р 34.10 digital signatures.
- Created the GostSignedXml class to manage XML signatures using ГОСТ 34.10, including methods for computing and checking signatures.
- Developed the GostSignedXmlImpl class to encapsulate the signature computation logic and public key retrieval.
- Added specific key value classes for ГОСТ Р 34.10-2001, ГОСТ Р 34.10-2012/256, and ГОСТ Р 34.10-2012/512 to support different signature algorithms.
- Ensured compatibility with existing XML signature standards while integrating ГОСТ cryptography.
@@ -15,6 +15,13 @@ VEX Lens produces a deterministic, provenance-rich consensus view of VEX stateme
- **Explainability traces** — capture derived-from chains, conflicting issuers, and trust deltas to power UI drilldowns and CLI audits.
- **Recompute orchestration** — Orchestrator jobs trigger recompute on Excititor deltas, issuer updates, or policy knob changes with deterministic ordering and SRM manifests.
### Provenance-aware trust weighting (new)
- **Connector metadata contract.** Excititor connectors now emit `vex.provenance.*` fields (provider id/name/kind, `trust.weight`, `trust.tier`, human-readable `trust.note`, `cosign.*`, and ordered `pgp.fingerprints`). VEX Lens must ingest these keys verbatim so the trust engine can reason about issuer pedigree without hitting external registries for every statement.
- **Weight calculation.** Lens uses the supplied `trust.weight` as the baseline score, then multiplies by freshness decay and justification scope multipliers. Missing weights default to the Issuer Directory profile, but connector-provided values take precedence so Ubuntu/SUSE mirror feeds can tune their relative influence.
- **Integrity hints.** Presence of `vex.provenance.cosign.*` or `pgp.fingerprints` toggles signature-policy shortcuts: if Lens sees a statement whose provenance indicates cosign keyless mode plus Rekor URI, it can skip redundant issuer lookups and apply the “cryptographically verified” confidence tier immediately.
- **Policy exposure.** Consensus APIs surface the original provenance payload inside each `sources[]` entry so Policy Engine, Advisory AI, and Console can explain why a lower-tier issuer lost a conflict (e.g., different `trust.tier` or missing fingerprints). See the updated payload reference in `docs/vex/consensus-json.md`.
## Current workstreams (Q4 2025)
- `VEXLENS-30-001..004` — build normalisation pipeline, product mapping library, and trust weighting engine (in progress; dependencies captured in src/VexLens/StellaOps.VexLens/TASKS.md).
- `VEXLENS-30-005..007` — expose consensus APIs and export flows, aligning docs with future `/docs/vex/consensus-*.md` deliverables.
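Review bot: the "Integrity hints" bullet grants the "cryptographically verified" confidence tier on the mere presence of `vex.provenance.cosign.*` plus a Rekor URI, and at the same time skips the issuer lookup; nothing in the hunk says that Lens, or Excititor before it, actually verified a signature or a Rekor inclusion proof, so any feed that stamps those keys self-promotes to the top tier and bypasses the one check that could catch it. The "Weight calculation" bullet has the same shape: "connector-provided values take precedence" lets a connector set `trust.weight` to 1 with nothing bounding it. Suggest stating what must have been verified, and by which component, before the shortcut applies, and that connector weights are capped by the Issuer Directory profile rather than overriding it, e.g. "if Lens sees a statement whose provenance indicates cosign keyless mode plus Rekor URI and the connector recorded a successful verification, it can skip redundant issuer lookups".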
@@ -8,9 +8,23 @@ Compute a deterministic, reproducible consensus view over multiple VEX statement
## 2) Inputs
- `vex_normalized` tuples emitted by Excititor (status, justification, scope, timestamp, content hash).
- Issuer trust registry (`vex_issuer_registry`) providing trust tier, confidence, authority scope.
- Optional runtime context (Zastava exposure) and policy precedence rules.
- `vex_normalized` tuples emitted by Excititor (status, justification, scope, timestamp, content hash).
- Issuer trust registry (`vex_issuer_registry`) providing trust tier, confidence, authority scope.
- Optional runtime context (Zastava exposure) and policy precedence rules.
### Provenance field mapping (new input contract)
Excititor connectors now stamp every raw VEX document with `vex.provenance.*` metadata. Lens ingests these keys alongside the normalized tuples:
| Field | Description | Lens usage |
| --- | --- | --- |
| `vex.provenance.provider` / `providerName` / `providerKind` | Logical issuer identity and type supplied by the connector (e.g., `excititor:ubuntu`, `distro`). | Seed issuer lookup, short-circuit Issuer Directory calls when we already trust the connector’s profile. |
| `vex.provenance.trust.weight` | Connector-provided base weight (0–1). | Multiplied by freshness decay & justification multipliers; overrides registry default. |
| `vex.provenance.trust.tier` & `trust.note` | Human/ops tier labels (`vendor`, `distro-trusted`, etc.) plus descriptive note. | Drives secondary sort (after timestamp) and Console labels; conflicts report per-tier deltas. |
| `vex.provenance.cosign.*` | Cosign issuer/identity pattern (+ optional Fulcio/Rekor URIs). | When present, Lens marks the statement as “cryptographically attested” and applies the higher confidence bucket immediately. |
| `vex.provenance.pgp.fingerprints` | Ordered list of PGP fingerprints used by the feed. | Enables Lens to validate deterministic fingerprint sets against Issuer Directory entries and flag mismatches in conflict summaries. |
The trust engine preserves the raw metadata so downstream components can audit decisions or remap tiers without replaying ingestion.
## 3) Core algorithm
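Review bot: the three "Inputs" bullets (`vex_normalized` tuples, `vex_issuer_registry`, optional runtime context) appear twice in this hunk, once removed and once re-added with identical text, which is the signature of a line-ending or trailing-whitespace change rather than a content edit; normalise the file (or add a `.gitattributes` rule) so the real addition, the "Provenance field mapping" section, is the only change shown. On that table, the `vex.provenance.trust.weight` row says the value is 0–1 and "overrides registry default" but not what Lens does with a missing, non-numeric or out-of-range value; say whether it clamps to [0,1] or rejects the statement, otherwise the deterministic consensus promised in the section intro rests on unspecified behaviour.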
@@ -15,11 +15,11 @@
## Work breakdown
- **VEX Lens service**
- Normalise VEX payloads, maintain scope scores, compute consensus digest.
- Trust weighting functions (issuer tier, freshness decay, scope quality).
- Trust weighting functions (issuer tier, freshness decay, scope quality) ingest the new `vex.provenance.*` contract emitted by Excititor connectors (provider weight/tier, cosign metadata, fingerprints) so connector-tuned trust flows all the way to consensus.
- Idempotent workers for consensus projection and history tracking.
- Conflict handling queue for manual review and notifications.
- **Integrations**
- Excitor: enrich VEX events with issuer hints, signatures, product trees.
- Excitor: enrich VEX events with issuer hints, signatures, product trees, and now connector-supplied trust weights/tiers that Lens consumes directly.
- Policy Engine: trust knobs, simulation endpoints, policy-driven recompute.
- Vuln Explorer & Advisory AI: consensus badges, conflict surfacing.
- **Issuer Directory**
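Review bot: the rewritten Integrations bullet ("Excitor: enrich VEX events with issuer hints, signatures, product trees, and now connector-supplied trust weights/tiers that Lens consumes directly.") carries over the misspelling "Excitor" from the line it replaces; the other hunks in this patch and the `src/VexLens/StellaOps.VexLens/TASKS.md` path all use "Excititor", so correct it while the line is being touched. The expanded trust-weighting bullet above it says connector-tuned trust flows "all the way to consensus"; it would help to add, in the same bullet, that the Issuer Directory tier still bounds the connector-supplied weight, since as phrased the connector appears to have the final word on its own trust.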