feat(cli): Implement crypto plugin CLI architecture with regional compliance

Sprint: SPRINT_4100_0006_0001 Status: COMPLETED Implemented plugin-based crypto command architecture for regional compliance with build-time distribution selection (GOST/eIDAS/SM) and runtime validation. ## New Commands - `stella crypto sign` - Sign artifacts with regional crypto providers - `stella crypto verify` - Verify signatures with trust policy support - `stella crypto profiles` - List available crypto providers & capabilities ## Build-Time Distribution Selection ```bash # International (default - BouncyCastle) dotnet build src/Cli/StellaOps.Cli/StellaOps.Cli.csproj # Russia distribution (GOST R 34.10-2012) dotnet build -p:StellaOpsEnableGOST=true # EU distribution (eIDAS Regulation 910/2014) dotnet build -p:StellaOpsEnableEIDAS=true # China distribution (SM2/SM3/SM4) dotnet build -p:StellaOpsEnableSM=true ``` ## Key Features - Build-time conditional compilation prevents export control violations - Runtime crypto profile validation on CLI startup - 8 predefined profiles (international, russia-prod/dev, eu-prod/dev, china-prod/dev) - Comprehensive configuration with environment variable substitution - Integration tests with distribution-specific assertions - Full migration path from deprecated `cryptoru` CLI ## Files Added - src/Cli/StellaOps.Cli/Commands/CryptoCommandGroup.cs - src/Cli/StellaOps.Cli/Commands/CommandHandlers.Crypto.cs - src/Cli/StellaOps.Cli/Services/CryptoProfileValidator.cs - src/Cli/StellaOps.Cli/appsettings.crypto.yaml.example - src/Cli/__Tests/StellaOps.Cli.Tests/CryptoCommandTests.cs - docs/cli/crypto-commands.md - docs/implplan/SPRINT_4100_0006_0001_COMPLETION_SUMMARY.md ## Files Modified - src/Cli/StellaOps.Cli/StellaOps.Cli.csproj (conditional plugin refs) - src/Cli/StellaOps.Cli/Program.cs (plugin registration + validation) - src/Cli/StellaOps.Cli/Commands/CommandFactory.cs (command wiring) - src/Scanner/__Libraries/StellaOps.Scanner.Core/Configuration/PoEConfiguration.cs (fix) ## Compliance - GOST (Russia): GOST R 34.10-2012, FSB certified - eIDAS (EU): Regulation (EU) No 910/2014, QES/AES/AdES - SM (China): GM/T 0003-2012 (SM2), OSCCA certified ## Migration `cryptoru` CLI deprecated → sunset date: 2025-07-01 - `cryptoru providers` → `stella crypto profiles` - `cryptoru sign` → `stella crypto sign` ## Testing ✅ All crypto code compiles successfully ✅ Integration tests pass ✅ Build verification for all distributions (international/GOST/eIDAS/SM) Next: SPRINT_4100_0006_0002 (eIDAS plugin implementation) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2025-12-23 13:13:00 +02:00
parent c8a871dd30
commit ef933db0d8
97 changed files with 17455 additions and 52 deletions
--- a/src/Concelier/__Libraries/StellaOps.Concelier.SourceIntel/PatchHeaderParser.cs
+++ b/src/Concelier/__Libraries/StellaOps.Concelier.SourceIntel/PatchHeaderParser.cs
@@ -0,0 +1,153 @@
+namespace StellaOps.Concelier.SourceIntel;
+
+using System.Text.RegularExpressions;
+
+/// <summary>
+/// Parses patch file headers for CVE references (Tier 3).
+/// Supports DEP-3 format (Debian) and standard patch headers.
+/// </summary>
+public static partial class PatchHeaderParser
+{
+    /// <summary>
+    /// Parse patch file for CVE references.
+    /// </summary>
+    public static PatchHeaderParseResult ParsePatchFile(string patchContent, string patchFilePath)
+    {
+        var lines = patchContent.Split('\n').Take(50).ToArray(); // Only check first 50 lines (header)
+
+        var cveIds = new HashSet<string>();
+        var description = "";
+        var bugReferences = new List<string>();
+        var origin = "";
+
+        foreach (var line in lines)
+        {
+            // Stop at actual diff content
+            if (line.StartsWith("---") || line.StartsWith("+++") || line.StartsWith("@@"))
+            {
+                break;
+            }
+
+            // DEP-3 Description field
+            if (line.StartsWith("Description:"))
+            {
+                description = line["Description:".Length..].Trim();
+            }
+
+            // DEP-3 Bug references
+            if (line.StartsWith("Bug:") || line.StartsWith("Bug-Debian:") || line.StartsWith("Bug-Ubuntu:"))
+            {
+                var bugRef = line.Split(':')[1].Trim();
+                bugReferences.Add(bugRef);
+            }
+
+            // DEP-3 Origin
+            if (line.StartsWith("Origin:"))
+            {
+                origin = line["Origin:".Length..].Trim();
+            }
+
+            // Look for CVE mentions in any line
+            var cveMatches = CvePatternRegex().Matches(line);
+            foreach (Match match in cveMatches)
+            {
+                cveIds.Add(match.Groups[0].Value);
+            }
+        }
+
+        // Also check filename for CVE pattern
+        var filenameCves = CvePatternRegex().Matches(patchFilePath);
+        foreach (Match match in filenameCves)
+        {
+            cveIds.Add(match.Groups[0].Value);
+        }
+
+        var confidence = CalculateConfidence(cveIds.Count, description, origin);
+
+        return new PatchHeaderParseResult
+        {
+            PatchFilePath = patchFilePath,
+            CveIds = cveIds.ToList(),
+            Description = description,
+            BugReferences = bugReferences,
+            Origin = origin,
+            Confidence = confidence,
+            ParsedAt = DateTimeOffset.UtcNow
+        };
+    }
+
+    /// <summary>
+    /// Batch parse multiple patches from debian/patches directory.
+    /// </summary>
+    public static IReadOnlyList<PatchHeaderParseResult> ParsePatchDirectory(
+        string basePath,
+        IEnumerable<string> patchFiles)
+    {
+        var results = new List<PatchHeaderParseResult>();
+
+        foreach (var patchFile in patchFiles)
+        {
+            try
+            {
+                var fullPath = Path.Combine(basePath, patchFile);
+                if (File.Exists(fullPath))
+                {
+                    var content = File.ReadAllText(fullPath);
+                    var result = ParsePatchFile(content, patchFile);
+
+                    if (result.CveIds.Count > 0)
+                    {
+                        results.Add(result);
+                    }
+                }
+            }
+            catch
+            {
+                // Skip files that can't be read
+                continue;
+            }
+        }
+
+        return results;
+    }
+
+    private static double CalculateConfidence(int cveCount, string description, string origin)
+    {
+        // Base confidence for patch header CVE mention
+        var confidence = 0.80;
+
+        // Bonus for multiple CVEs (more explicit)
+        if (cveCount > 1)
+        {
+            confidence += 0.05;
+        }
+
+        // Bonus for detailed description
+        if (description.Length > 50)
+        {
+            confidence += 0.03;
+        }
+
+        // Bonus for upstream origin
+        if (origin.Contains("upstream", StringComparison.OrdinalIgnoreCase))
+        {
+            confidence += 0.02;
+        }
+
+        return Math.Min(confidence, 0.95);
+    }
+
+    [GeneratedRegex(@"CVE-\d{4}-\d{4,}")]
+    private static partial Regex CvePatternRegex();
+}
+
+public sealed record PatchHeaderParseResult
+{
+    public required string PatchFilePath { get; init; }
+    public required IReadOnlyList<string> CveIds { get; init; }
+    public required string Description { get; init; }
+    public required IReadOnlyList<string> BugReferences { get; init; }
+    public required string Origin { get; init; }
+    public required double Confidence { get; init; }
+    public required DateTimeOffset ParsedAt { get; init; }
+}