Add support for ГОСТ Р 34.10 digital signatures

- Implemented the GostKeyValue class for handling public key parameters in ГОСТ Р 34.10 digital signatures.
- Created the GostSignedXml class to manage XML signatures using ГОСТ 34.10, including methods for computing and checking signatures.
- Developed the GostSignedXmlImpl class to encapsulate the signature computation logic and public key retrieval.
- Added specific key value classes for ГОСТ Р 34.10-2001, ГОСТ Р 34.10-2012/256, and ГОСТ Р 34.10-2012/512 to support different signature algorithms.
- Ensured compatibility with existing XML signature standards while integrating ГОСТ cryptography.

This commit is contained in: master
2025-11-09 21:59:57 +02:00
parent 75c2bcafce
commit cef4cb2c5a
486 changed files with 32952 additions and 801 deletions

@@ -62,6 +62,7 @@ stella pack init --name sbom-remediation
### 3.4 Configure approvals
- Add `spec.approvals` entries for each required review.
- Capture the metadata Authority enforces: `runId`, `gateId`, and `planHash` should be documented so approvers can pass them through `stella pack approve --pack-run-id/--pack-gate-id/--pack-plan-hash` (see `docs/task-packs/runbook.md#4-approvals-workflow`).
- Provide informative `reasonTemplate` with placeholders.
- Set `expiresAfter` to match operational policy (e.g., 4h for security reviews).
- Document fallback contacts in `docs/runbook.md`.
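Review bot: The added bullet in 3.4 says `runId`, `gateId`, and `planHash` "should be documented", yet it describes them as metadata Authority enforces, and the runbook change in this same commit calls the matching `--pack-run-id`, `--pack-gate-id`, and `--pack-plan-hash` parameters mandatory and says `/token` rejects requests missing any of them. Suggest "must" instead of "should", and name where pack authors are expected to document them, since "documented" has no target here. The bullet also links `docs/task-packs/runbook.md` while the last bullet of the list points to `docs/runbook.md`; please confirm both paths are intended.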
@@ -205,4 +206,3 @@ Registry verifies signature, stores provenance, and updates index.
---
*Last updated: 2025-10-27 (Sprint43).*
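Review bot: The footer still reads `Last updated: 2025-10-27 (Sprint43)` although this commit, dated 2025-11-09, changes section 3.4 of the same file; per the hunk header the only change here is one line dropped at the end of the file. Bump the stamp here and in the other two touched documents, whose footers carry the same date, or drop it if it is not maintained. Separately, the commit message lists only the ГОСТ Р 34.10 signature classes; these approvals-workflow documentation changes are not mentioned and would be easier to review and revert as their own commit.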

@@ -69,6 +69,8 @@ stella pack approve \
--comment "Validated remediation scope; proceeding."
```
- Metadata parameters are mandatory: `--pack-run-id`, `--pack-gate-id`, and `--pack-plan-hash` map 1:1 to the Authority token parameters (`pack_run_id`, `pack_gate_id`, `pack_plan_hash`). The CLI resolves sensible defaults from `stella pack plan`, but operators can override them explicitly for out-of-band runs. Authority `/token` rejects `packs.approve` requests missing any of these fields and records the failure in `authority.pack_scope_violation`. Keep this section (and `docs/security/pack-signing-and-rbac.md`) handy—the Authority team references it as the canonical procedure.
- Auto-expiry triggers run cancellation (configurable per gate).
- Approval events logged and included in evidence bundle.
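Review bot: The first two sentences of the added bullet conflict: the parameters are "mandatory", yet "The CLI resolves sensible defaults from `stella pack plan`". State whether the flags are required on the command line or only in the token request the CLI builds. For the override path, the plan hash identifies what is being approved, so the runbook should tell operators how to confirm an overridden run ID, gate ID, and plan hash against the run before approving an out-of-band run. It would also help to say what `authority.pack_scope_violation` is (audit event, log category, or metric) so responders know where to look, and to split this bullet into separate items, because it currently covers the requirement, the defaults, the rejection behaviour, and a cross-reference in one paragraph.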
@@ -159,4 +161,3 @@ Escalations must include run ID, tenant, pack version, plan hash, and timestamps
---
*Last updated: 2025-10-27 (Sprint43).*

@@ -131,7 +131,7 @@ spec:
| `metadata` | Human-facing metadata; used for registry listings and RBAC hints. | `name` (DNS-1123), `version` (SemVer), `description`2048 chars. |
| `spec.inputs` | Declarative inputs validated at plan time. | Must include type; custom schema optional but recommended. |
| `spec.secrets` | Secrets requested at runtime; never stored in pack bundle. | Each secret references Authority scope; CLI prompts or injects from profiles. |
| `spec.approvals` | Named approval gates with required grants and TTL. | ID unique per pack; `grants` map to Authority roles. |
| `spec.approvals` | Named approval gates with required grants and TTL. | ID unique per pack; `grants` map to Authority roles. Approval metadata (`runId`, `gateId`, `planHash`) feeds Authoritys `pack_run_id`/`pack_gate_id`/`pack_plan_hash` parameters (see `docs/task-packs/runbook.md#4-approvals-workflow`). |
| `spec.steps` | Execution graph; each step is `run`, `gate`, `parallel`, or `map`. | Steps must declare deterministic `uses` module and `id`. |
| `spec.outputs` | Declared artifacts for downstream automation. | `type` can be `file`, `object`, or `url`; path/expression required. |
| `success` / `failure` | Messages + retry policy. | `failure.retries.maxAttempts` + `backoffSeconds` default to 0. |
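Review bot: The rewritten `spec.approvals` row adds a runtime mapping to the constraints column without saying whether `runId`, `gateId`, and `planHash` are fields a pack author declares under `spec.approvals` or values produced at plan or run time. The other constraints in this table are schema rules, so a reader will assume the former. Suggest keeping the cell to "ID unique per pack; `grants` map to Authority roles." and moving the mapping to `pack_run_id`/`pack_gate_id`/`pack_plan_hash` into a sentence below the table that states where the three values come from. Minor: "Authoritys" is missing its apostrophe.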
@@ -246,4 +246,3 @@ CLI enforces compatibility: running pack with unsupported features yields `ERR_P
---
*Last updated: 2025-10-27 (Sprint43).*