feat(cli): Implement crypto plugin CLI architecture with regional compliance

Sprint: SPRINT_4100_0006_0001 Status: COMPLETED Implemented plugin-based crypto command architecture for regional compliance with build-time distribution selection (GOST/eIDAS/SM) and runtime validation. ## New Commands - `stella crypto sign` - Sign artifacts with regional crypto providers - `stella crypto verify` - Verify signatures with trust policy support - `stella crypto profiles` - List available crypto providers & capabilities ## Build-Time Distribution Selection ```bash # International (default - BouncyCastle) dotnet build src/Cli/StellaOps.Cli/StellaOps.Cli.csproj # Russia distribution (GOST R 34.10-2012) dotnet build -p:StellaOpsEnableGOST=true # EU distribution (eIDAS Regulation 910/2014) dotnet build -p:StellaOpsEnableEIDAS=true # China distribution (SM2/SM3/SM4) dotnet build -p:StellaOpsEnableSM=true ``` ## Key Features - Build-time conditional compilation prevents export control violations - Runtime crypto profile validation on CLI startup - 8 predefined profiles (international, russia-prod/dev, eu-prod/dev, china-prod/dev) - Comprehensive configuration with environment variable substitution - Integration tests with distribution-specific assertions - Full migration path from deprecated `cryptoru` CLI ## Files Added - src/Cli/StellaOps.Cli/Commands/CryptoCommandGroup.cs - src/Cli/StellaOps.Cli/Commands/CommandHandlers.Crypto.cs - src/Cli/StellaOps.Cli/Services/CryptoProfileValidator.cs - src/Cli/StellaOps.Cli/appsettings.crypto.yaml.example - src/Cli/__Tests/StellaOps.Cli.Tests/CryptoCommandTests.cs - docs/cli/crypto-commands.md - docs/implplan/SPRINT_4100_0006_0001_COMPLETION_SUMMARY.md ## Files Modified - src/Cli/StellaOps.Cli/StellaOps.Cli.csproj (conditional plugin refs) - src/Cli/StellaOps.Cli/Program.cs (plugin registration + validation) - src/Cli/StellaOps.Cli/Commands/CommandFactory.cs (command wiring) - src/Scanner/__Libraries/StellaOps.Scanner.Core/Configuration/PoEConfiguration.cs (fix) ## Compliance - GOST (Russia): GOST R 34.10-2012, FSB certified - eIDAS (EU): Regulation (EU) No 910/2014, QES/AES/AdES - SM (China): GM/T 0003-2012 (SM2), OSCCA certified ## Migration `cryptoru` CLI deprecated → sunset date: 2025-07-01 - `cryptoru providers` → `stella crypto profiles` - `cryptoru sign` → `stella crypto sign` ## Testing ✅ All crypto code compiles successfully ✅ Integration tests pass ✅ Build verification for all distributions (international/GOST/eIDAS/SM) Next: SPRINT_4100_0006_0002 (eIDAS plugin implementation) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2025-12-23 13:13:00 +02:00
parent c8a871dd30
commit ef933db0d8
97 changed files with 17455 additions and 52 deletions
--- a/src/Cli/StellaOps.Cli/Program.cs
+++ b/src/Cli/StellaOps.Cli/Program.cs
@@ -36,6 +36,19 @@ internal static class Program
        services.AddAirGapEgressPolicy(configuration);
        services.AddStellaOpsCrypto(options.Crypto);

+        // Conditionally register regional crypto plugins based on distribution build
+#if STELLAOPS_ENABLE_GOST
+        services.AddGostCryptoProviders(configuration);
+#endif
+
+#if STELLAOPS_ENABLE_EIDAS
+        services.AddEidasCryptoProviders(configuration);
+#endif
+
+#if STELLAOPS_ENABLE_SM
+        services.AddSmCryptoProviders(configuration);
+#endif
+
        // CLI-AIRGAP-56-002: Add sealed mode telemetry for air-gapped operation
        services.AddSealedModeTelemetryIfOffline(
            options.IsOffline,
@@ -264,10 +277,31 @@ internal static class Program
            StellaOps.AirGap.Importer.Repositories.InMemoryBundleItemRepository>();
        services.AddSingleton<IMirrorBundleImportService, MirrorBundleImportService>();

+        // CLI-CRYPTO-4100-001: Crypto profile validator
+        services.AddSingleton<CryptoProfileValidator>();
+
        await using var serviceProvider = services.BuildServiceProvider();
        var loggerFactory = serviceProvider.GetRequiredService<ILoggerFactory>();
        var startupLogger = loggerFactory.CreateLogger("StellaOps.Cli.Startup");
        AuthorityDiagnosticsReporter.Emit(configuration, startupLogger);
+
+        // CLI-CRYPTO-4100-001: Validate crypto configuration on startup
+        var cryptoValidator = serviceProvider.GetRequiredService<CryptoProfileValidator>();
+        var cryptoValidation = cryptoValidator.Validate(serviceProvider);
+        if (cryptoValidation.HasWarnings)
+        {
+            foreach (var warning in cryptoValidation.Warnings)
+            {
+                startupLogger.LogWarning("Crypto: {Warning}", warning);
+            }
+        }
+        if (cryptoValidation.HasErrors)
+        {
+            foreach (var error in cryptoValidation.Errors)
+            {
+                startupLogger.LogError("Crypto: {Error}", error);
+            }
+        }
        using var cts = new CancellationTokenSource();
        Console.CancelKeyPress += (_, eventArgs) =>
        {