feat(crypto): Complete Phase 2 - Configuration-driven crypto architecture with 100% compliance

## Summary

This commit completes Phase 2 of the configuration-driven crypto architecture, achieving
100% crypto compliance by eliminating all hardcoded cryptographic implementations.

## Key Changes

### Phase 1: Plugin Loader Infrastructure
- **Plugin Discovery System**: Created StellaOps.Cryptography.PluginLoader with manifest-based loading
- **Configuration Model**: Added CryptoPluginConfiguration with regional profiles support
- **Dependency Injection**: Extended DI to support plugin-based crypto provider registration
- **Regional Configs**: Created appsettings.crypto.{international,russia,eu,china}.yaml
- **CI Workflow**: Added .gitea/workflows/crypto-compliance.yml for audit enforcement

### Phase 2: Code Refactoring
- **API Extension**: Added ICryptoProvider.CreateEphemeralVerifier for verification-only scenarios
- **Plugin Implementation**: Created OfflineVerificationCryptoProvider with ephemeral verifier support
  - Supports ES256/384/512, RS256/384/512, PS256/384/512
  - SubjectPublicKeyInfo (SPKI) public key format
- **100% Compliance**: Refactored DsseVerifier to remove all BouncyCastle cryptographic usage
- **Unit Tests**: Created OfflineVerificationProviderTests with 39 passing tests
- **Documentation**: Created comprehensive security guide at docs/security/offline-verification-crypto-provider.md
- **Audit Infrastructure**: Created scripts/audit-crypto-usage.ps1 for static analysis

### Testing Infrastructure (TestKit)
- **Determinism Gate**: Created DeterminismGate for reproducibility validation
- **Test Fixtures**: Added PostgresFixture and ValkeyFixture using Testcontainers
- **Traits System**: Implemented test lane attributes for parallel CI execution
- **JSON Assertions**: Added CanonicalJsonAssert for deterministic JSON comparisons
- **Test Lanes**: Created test-lanes.yml workflow for parallel test execution

### Documentation
- **Architecture**: Created CRYPTO_CONFIGURATION_DRIVEN_ARCHITECTURE.md master plan
- **Sprint Tracking**: Created SPRINT_1000_0007_0002_crypto_refactoring.md (COMPLETE)
- **API Documentation**: Updated docs2/cli/crypto-plugins.md and crypto.md
- **Testing Strategy**: Created testing strategy documents in docs/implplan/SPRINT_5100_0007_*

## Compliance & Testing

- ✅ Zero direct System.Security.Cryptography usage in production code
- ✅ All crypto operations go through ICryptoProvider abstraction
- ✅ 39/39 unit tests passing for OfflineVerificationCryptoProvider
- ✅ Build successful (AirGap, Crypto plugin, DI infrastructure)
- ✅ Audit script validates crypto boundaries

## Files Modified

**Core Crypto Infrastructure:**
- src/__Libraries/StellaOps.Cryptography/CryptoProvider.cs (API extension)
- src/__Libraries/StellaOps.Cryptography/CryptoSigningKey.cs (verification-only constructor)
- src/__Libraries/StellaOps.Cryptography/EcdsaSigner.cs (fixed ephemeral verifier)

**Plugin Implementation:**
- src/__Libraries/StellaOps.Cryptography.Plugin.OfflineVerification/ (new)
- src/__Libraries/StellaOps.Cryptography.PluginLoader/ (new)

**Production Code Refactoring:**
- src/AirGap/StellaOps.AirGap.Importer/Validation/DsseVerifier.cs (100% compliant)

**Tests:**
- src/__Libraries/__Tests/StellaOps.Cryptography.Plugin.OfflineVerification.Tests/ (new, 39 tests)
- src/__Libraries/__Tests/StellaOps.Cryptography.PluginLoader.Tests/ (new)

**Configuration:**
- etc/crypto-plugins-manifest.json (plugin registry)
- etc/appsettings.crypto.*.yaml (regional profiles)

**Documentation:**
- docs/security/offline-verification-crypto-provider.md (600+ lines)
- docs/implplan/CRYPTO_CONFIGURATION_DRIVEN_ARCHITECTURE.md (master plan)
- docs/implplan/SPRINT_1000_0007_0002_crypto_refactoring.md (Phase 2 complete)

## Next Steps

Phase 3: Docker & CI/CD Integration
- Create multi-stage Dockerfiles with all plugins
- Build regional Docker Compose files
- Implement runtime configuration selection
- Add deployment validation scripts

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

src/__Libraries/StellaOps.Cryptography.DependencyInjection/CryptoPluginServiceCollectionExtensions.cs

@@ -0,0 +1,140 @@
+using Microsoft.Extensions.Configuration;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.DependencyInjection.Extensions;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
+using StellaOps.Cryptography;
+using StellaOps.Cryptography.PluginLoader;
+
+namespace StellaOps.Cryptography.DependencyInjection;
+
+/// <summary>
+/// DI extension methods for configuration-driven crypto plugin loading.
+/// </summary>
+public static class CryptoPluginServiceCollectionExtensions
+{
+    /// <summary>
+    /// Registers crypto providers using configuration-driven plugin loading.
+    /// Replaces hardcoded provider registrations with dynamic plugin loader.
+    /// </summary>
+    /// <param name="services">Service collection.</param>
+    /// <param name="configuration">Application configuration.</param>
+    /// <param name="configurePlugins">Optional plugin configuration action.</param>
+    /// <returns>The service collection.</returns>
+    public static IServiceCollection AddStellaOpsCryptoWithPlugins(
+        this IServiceCollection services,
+        IConfiguration configuration,
+        Action<CryptoPluginConfiguration>? configurePlugins = null)
+    {
+        ArgumentNullException.ThrowIfNull(services);
+        ArgumentNullException.ThrowIfNull(configuration);
+
+        // Bind plugin configuration from appsettings
+        services.Configure<CryptoPluginConfiguration>(options =>
+        {
+            configuration.GetSection("StellaOps:Crypto:Plugins").Bind(options);
+            configurePlugins?.Invoke(options);
+        });
+
+        // Register compliance options (reuse existing code)
+        services.TryAddSingleton<IOptionsMonitor<CryptoComplianceOptions>>(sp =>
+        {
+            var config = sp.GetService<IConfiguration>();
+            var options = new CryptoComplianceOptions();
+            config?.GetSection(CryptoComplianceOptions.SectionKey).Bind(options);
+            options.ApplyEnvironmentOverrides();
+            return new StaticComplianceOptionsMonitor(options);
+        });
+
+        services.TryAddSingleton<ICryptoComplianceService, CryptoComplianceService>();
+        services.TryAddSingleton<ICryptoHash, DefaultCryptoHash>();
+        services.TryAddSingleton<ICryptoHmac, DefaultCryptoHmac>();
+
+        // Register plugin loader and load providers dynamically
+        services.TryAddSingleton<CryptoPluginLoader>(sp =>
+        {
+            var pluginConfig = sp.GetRequiredService<IOptions<CryptoPluginConfiguration>>().Value;
+            var logger = sp.GetService<ILogger<CryptoPluginLoader>>();
+            return new CryptoPluginLoader(pluginConfig, logger);
+        });
+
+        // Load all configured crypto providers
+        services.TryAddSingleton(sp =>
+        {
+            var loader = sp.GetRequiredService<CryptoPluginLoader>();
+            return loader.LoadProviders();
+        });
+
+        // Register each loaded provider as ICryptoProvider
+        services.TryAddSingleton<IEnumerable<ICryptoProvider>>(sp =>
+        {
+            return sp.GetRequiredService<IReadOnlyList<ICryptoProvider>>();
+        });
+
+        // Register crypto provider registry with loaded providers
+        services.TryAddSingleton<ICryptoProviderRegistry>(sp =>
+        {
+            var providers = sp.GetRequiredService<IReadOnlyList<ICryptoProvider>>();
+            var options = sp.GetService<IOptionsMonitor<CryptoProviderRegistryOptions>>();
+            IEnumerable<string>? preferred = options?.CurrentValue?.ResolvePreferredProviders();
+            return new CryptoProviderRegistry(providers, preferred);
+        });
+
+        return services;
+    }
+
+    /// <summary>
+    /// Registers crypto providers with plugin loading and compliance profile configuration.
+    /// </summary>
+    /// <param name="services">Service collection.</param>
+    /// <param name="configuration">Application configuration.</param>
+    /// <param name="configurePlugins">Optional plugin configuration.</param>
+    /// <param name="configureCompliance">Optional compliance configuration.</param>
+    /// <returns>The service collection.</returns>
+    public static IServiceCollection AddStellaOpsCryptoWithPluginsAndCompliance(
+        this IServiceCollection services,
+        IConfiguration configuration,
+        Action<CryptoPluginConfiguration>? configurePlugins = null,
+        Action<CryptoComplianceOptions>? configureCompliance = null)
+    {
+        ArgumentNullException.ThrowIfNull(services);
+        ArgumentNullException.ThrowIfNull(configuration);
+
+        // Bind compliance options from configuration
+        services.Configure<CryptoComplianceOptions>(options =>
+        {
+            configuration.GetSection(CryptoComplianceOptions.SectionKey).Bind(options);
+            configureCompliance?.Invoke(options);
+            options.ApplyEnvironmentOverrides();
+        });
+
+        // Register base crypto services with plugin loading
+        services.AddStellaOpsCryptoWithPlugins(configuration, configurePlugins);
+
+        return services;
+    }
+
+    /// <summary>
+    /// Helper class for static options monitoring.
+    /// </summary>
+    private sealed class StaticComplianceOptionsMonitor : IOptionsMonitor<CryptoComplianceOptions>
+    {
+        private readonly CryptoComplianceOptions _options;
+
+        public StaticComplianceOptionsMonitor(CryptoComplianceOptions options)
+            => _options = options;
+
+        public CryptoComplianceOptions CurrentValue => _options;
+
+        public CryptoComplianceOptions Get(string? name) => _options;
+
+        public IDisposable OnChange(Action<CryptoComplianceOptions, string> listener)
+            => NullDisposable.Instance;
+
+        private sealed class NullDisposable : IDisposable
+        {
+            public static readonly NullDisposable Instance = new();
+            public void Dispose() { }
+        }
+    }
+}

src/__Libraries/StellaOps.Cryptography.DependencyInjection/CryptoServiceCollectionExtensions.cs

@@ -6,6 +6,7 @@ using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.DependencyInjection.Extensions;
 using Microsoft.Extensions.Options;
 using StellaOps.Cryptography;
+using StellaOps.Cryptography.PluginLoader;
 #if STELLAOPS_CRYPTO_PRO
 using StellaOps.Cryptography.Plugin.CryptoPro;
 #endif
@@ -15,6 +16,7 @@ using StellaOps.Cryptography.Plugin.SmRemote;
 using StellaOps.Cryptography.Plugin.SmSoft;
 using StellaOps.Cryptography.Plugin.PqSoft;
 using StellaOps.Cryptography.Plugin.WineCsp;
+using Microsoft.Extensions.Logging;
 
 namespace StellaOps.Cryptography.DependencyInjection;
 
@@ -242,4 +244,123 @@ public static class CryptoServiceCollectionExtensions
 
         return services;
     }
+
+    /// <summary>
+    /// Registers crypto services using configuration-driven plugin loading.
+    /// This is the recommended method for production deployments with regional compliance requirements.
+    /// </summary>
+    /// <param name="services">Service collection.</param>
+    /// <param name="configuration">Configuration root.</param>
+    /// <param name="pluginDirectory">Optional custom plugin directory path. Defaults to application base directory.</param>
+    /// <returns>The service collection.</returns>
+    public static IServiceCollection AddStellaOpsCryptoFromConfiguration(
+        this IServiceCollection services,
+        IConfiguration configuration,
+        string? pluginDirectory = null)
+    {
+        ArgumentNullException.ThrowIfNull(services);
+        ArgumentNullException.ThrowIfNull(configuration);
+
+        // Bind plugin configuration from appsettings
+        var pluginConfig = new CryptoPluginConfiguration();
+        configuration.GetSection("StellaOps:Crypto:Plugins").Bind(pluginConfig);
+
+        // Bind compliance configuration
+        var complianceConfig = new CryptoComplianceConfiguration();
+        configuration.GetSection("StellaOps:Crypto:Compliance").Bind(complianceConfig);
+        pluginConfig.Compliance = complianceConfig;
+
+        // Register plugin configuration as singleton
+        services.AddSingleton(pluginConfig);
+
+        // Register compliance options with configuration binding
+        services.Configure<CryptoComplianceOptions>(options =>
+        {
+            configuration.GetSection(CryptoComplianceOptions.SectionKey).Bind(options);
+            options.ApplyEnvironmentOverrides();
+        });
+
+        // Register compliance service
+        services.TryAddSingleton<ICryptoComplianceService, CryptoComplianceService>();
+
+        // Load crypto providers using plugin loader
+        services.TryAddSingleton<ICryptoProviderRegistry>(sp =>
+        {
+            var logger = sp.GetService<ILoggerFactory>()?.CreateLogger<CryptoPluginLoader>();
+            var loader = new CryptoPluginLoader(pluginConfig, logger, pluginDirectory);
+
+            IReadOnlyList<ICryptoProvider> providers;
+            try
+            {
+                providers = loader.LoadProviders();
+            }
+            catch (CryptoPluginLoadException ex)
+            {
+                logger?.LogCritical(ex, "Failed to load crypto plugins: {Message}", ex.Message);
+                throw;
+            }
+
+            if (providers.Count == 0)
+            {
+                throw new InvalidOperationException(
+                    "No crypto providers were loaded. Check plugin configuration and manifest.");
+            }
+
+            // Extract provider names for preferred ordering (uses priority from manifest/config)
+            var preferredProviderNames = providers
+                .OrderByDescending(p => GetProviderPriority(p, pluginConfig))
+                .Select(p => p.Name)
+                .ToList();
+
+            logger?.LogInformation(
+                "Loaded {Count} crypto provider(s) with preferred order: {Providers}",
+                providers.Count,
+                string.Join(", ", preferredProviderNames));
+
+            return new CryptoProviderRegistry(providers, preferredProviderNames);
+        });
+
+        return services;
+    }
+
+    /// <summary>
+    /// Registers crypto services using configuration-driven plugin loading with explicit compliance profile.
+    /// </summary>
+    /// <param name="services">Service collection.</param>
+    /// <param name="configuration">Configuration root.</param>
+    /// <param name="complianceProfileId">Compliance profile identifier (e.g., "gost", "fips", "eidas", "sm").</param>
+    /// <param name="strictValidation">Enable strict compliance validation.</param>
+    /// <param name="pluginDirectory">Optional custom plugin directory path.</param>
+    /// <returns>The service collection.</returns>
+    public static IServiceCollection AddStellaOpsCryptoFromConfiguration(
+        this IServiceCollection services,
+        IConfiguration configuration,
+        string complianceProfileId,
+        bool strictValidation = true,
+        string? pluginDirectory = null)
+    {
+        ArgumentNullException.ThrowIfNull(services);
+        ArgumentNullException.ThrowIfNull(configuration);
+        ArgumentNullException.ThrowIfNull(complianceProfileId);
+
+        // Override compliance configuration with explicit profile
+        services.Configure<CryptoComplianceOptions>(options =>
+        {
+            configuration.GetSection(CryptoComplianceOptions.SectionKey).Bind(options);
+            options.ProfileId = complianceProfileId;
+            options.StrictValidation = strictValidation;
+            options.ApplyEnvironmentOverrides();
+        });
+
+        return services.AddStellaOpsCryptoFromConfiguration(configuration, pluginDirectory);
+    }
+
+    private static int GetProviderPriority(ICryptoProvider provider, CryptoPluginConfiguration config)
+    {
+        // Check if priority was overridden in configuration
+        var enabledEntry = config.Enabled.FirstOrDefault(e =>
+            e.Id.Equals(provider.Name, StringComparison.OrdinalIgnoreCase));
+
+        return enabledEntry?.Priority ?? 50; // Default priority
+    }
 }

src/__Libraries/StellaOps.Cryptography.DependencyInjection/StellaOps.Cryptography.DependencyInjection.csproj

@@ -10,6 +10,7 @@
 
   <ItemGroup>
     <ProjectReference Include="..\StellaOps.Cryptography\StellaOps.Cryptography.csproj" />
+    <ProjectReference Include="..\StellaOps.Cryptography.PluginLoader\StellaOps.Cryptography.PluginLoader.csproj" />
     <ProjectReference Include="..\StellaOps.Cryptography.Plugin.Pkcs11Gost\StellaOps.Cryptography.Plugin.Pkcs11Gost.csproj" />
     <ProjectReference Include="..\StellaOps.Cryptography.Plugin.OpenSslGost\StellaOps.Cryptography.Plugin.OpenSslGost.csproj" />
     <ProjectReference Include="..\StellaOps.Cryptography.Plugin.SmSoft\StellaOps.Cryptography.Plugin.SmSoft.csproj" />
@@ -22,6 +23,7 @@
     <PackageReference Include="Microsoft.Extensions.DependencyInjection.Abstractions" Version="10.0.0" />
     <PackageReference Include="Microsoft.Extensions.Options" Version="10.0.0" />
     <PackageReference Include="Microsoft.Extensions.Options.ConfigurationExtensions" Version="10.0.0" />
+    <PackageReference Include="Microsoft.Extensions.Logging.Abstractions" Version="10.0.0" />
   </ItemGroup>
 
   <ItemGroup Condition="'$(StellaOpsEnableCryptoPro)' == 'true'">