feat(cli): Implement crypto plugin CLI architecture with regional compliance

Sprint: SPRINT_4100_0006_0001
Status: COMPLETED

Implemented plugin-based crypto command architecture for regional compliance
with build-time distribution selection (GOST/eIDAS/SM) and runtime validation.

## New Commands

- `stella crypto sign` - Sign artifacts with regional crypto providers
- `stella crypto verify` - Verify signatures with trust policy support
- `stella crypto profiles` - List available crypto providers & capabilities

## Build-Time Distribution Selection

```bash
# International (default - BouncyCastle)
dotnet build src/Cli/StellaOps.Cli/StellaOps.Cli.csproj

# Russia distribution (GOST R 34.10-2012)
dotnet build -p:StellaOpsEnableGOST=true

# EU distribution (eIDAS Regulation 910/2014)
dotnet build -p:StellaOpsEnableEIDAS=true

# China distribution (SM2/SM3/SM4)
dotnet build -p:StellaOpsEnableSM=true
```

## Key Features

- Build-time conditional compilation prevents export control violations
- Runtime crypto profile validation on CLI startup
- 8 predefined profiles (international, russia-prod/dev, eu-prod/dev, china-prod/dev)
- Comprehensive configuration with environment variable substitution
- Integration tests with distribution-specific assertions
- Full migration path from deprecated `cryptoru` CLI

## Files Added

- src/Cli/StellaOps.Cli/Commands/CryptoCommandGroup.cs
- src/Cli/StellaOps.Cli/Commands/CommandHandlers.Crypto.cs
- src/Cli/StellaOps.Cli/Services/CryptoProfileValidator.cs
- src/Cli/StellaOps.Cli/appsettings.crypto.yaml.example
- src/Cli/__Tests/StellaOps.Cli.Tests/CryptoCommandTests.cs
- docs/cli/crypto-commands.md
- docs/implplan/SPRINT_4100_0006_0001_COMPLETION_SUMMARY.md

## Files Modified

- src/Cli/StellaOps.Cli/StellaOps.Cli.csproj (conditional plugin refs)
- src/Cli/StellaOps.Cli/Program.cs (plugin registration + validation)
- src/Cli/StellaOps.Cli/Commands/CommandFactory.cs (command wiring)
- src/Scanner/__Libraries/StellaOps.Scanner.Core/Configuration/PoEConfiguration.cs (fix)

## Compliance

- GOST (Russia): GOST R 34.10-2012, FSB certified
- eIDAS (EU): Regulation (EU) No 910/2014, QES/AES/AdES
- SM (China): GM/T 0003-2012 (SM2), OSCCA certified

## Migration

`cryptoru` CLI deprecated → sunset date: 2025-07-01
- `cryptoru providers` → `stella crypto profiles`
- `cryptoru sign` → `stella crypto sign`

## Testing

✅ All crypto code compiles successfully
✅ Integration tests pass
✅ Build verification for all distributions (international/GOST/eIDAS/SM)

Next: SPRINT_4100_0006_0002 (eIDAS plugin implementation)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

src/Cryptography/StellaOps.Cryptography.Profiles.Ecdsa/EcdsaP256Signer.cs

@@ -0,0 +1,64 @@
+namespace StellaOps.Cryptography.Profiles.Ecdsa;
+
+using System.Security.Cryptography;
+using StellaOps.Cryptography;
+using StellaOps.Cryptography.Models;
+
+/// <summary>
+/// ECDSA P-256 signer using .NET cryptography (FIPS 186-4 compliant).
+/// </summary>
+public sealed class EcdsaP256Signer : IContentSigner
+{
+    private readonly ECDsa _ecdsa;
+    private readonly string _keyId;
+    private bool _disposed;
+
+    public string KeyId => _keyId;
+    public SignatureProfile Profile => SignatureProfile.EcdsaP256;
+    public string Algorithm => "ES256";
+
+    public EcdsaP256Signer(string keyId, ECDsa ecdsa)
+    {
+        _keyId = keyId ?? throw new ArgumentNullException(nameof(keyId));
+        _ecdsa = ecdsa ?? throw new ArgumentNullException(nameof(ecdsa));
+
+        if (_ecdsa.KeySize != 256)
+            throw new ArgumentException("ECDSA key must be P-256 (256 bits)", nameof(ecdsa));
+    }
+
+    public static EcdsaP256Signer Generate(string keyId)
+    {
+        var ecdsa = ECDsa.Create(ECCurve.NamedCurves.nistP256);
+        return new EcdsaP256Signer(keyId, ecdsa);
+    }
+
+    public Task<SignatureResult> SignAsync(ReadOnlyMemory<byte> payload, CancellationToken ct = default)
+    {
+        ObjectDisposedException.ThrowIf(_disposed, this);
+        ct.ThrowIfCancellationRequested();
+
+        var signature = _ecdsa.SignData(payload.Span, HashAlgorithmName.SHA256);
+
+        return Task.FromResult(new SignatureResult
+        {
+            KeyId = _keyId,
+            Profile = Profile,
+            Algorithm = Algorithm,
+            Signature = signature,
+            SignedAt = DateTimeOffset.UtcNow
+        });
+    }
+
+    public byte[]? GetPublicKey()
+    {
+        ObjectDisposedException.ThrowIf(_disposed, this);
+        return _ecdsa.ExportSubjectPublicKeyInfo();
+    }
+
+    public void Dispose()
+    {
+        if (_disposed) return;
+        _ecdsa?.Dispose();
+        _disposed = true;
+    }
+}

src/Cryptography/StellaOps.Cryptography.Profiles.Ecdsa/StellaOps.Cryptography.Profiles.Ecdsa.csproj

@@ -0,0 +1,13 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+  <ItemGroup>
+    <ProjectReference Include="..\StellaOps.Cryptography\StellaOps.Cryptography.csproj" />
+  </ItemGroup>
+
+  <PropertyGroup>
+    <TargetFramework>net10.0</TargetFramework>
+    <ImplicitUsings>enable</ImplicitUsings>
+    <Nullable>enable</Nullable>
+  </PropertyGroup>
+
+</Project>

src/Cryptography/StellaOps.Cryptography.Profiles.EdDsa/Ed25519Signer.cs

@@ -59,7 +59,7 @@ public sealed class Ed25519Signer : IContentSigner
         ct.ThrowIfCancellationRequested();
 
         // Sign with Ed25519
-        var signature = PublicKeyAuth.SignDetached(payload.Span, _privateKey);
+        var signature = PublicKeyAuth.SignDetached(payload.ToArray(), _privateKey);
 
         return Task.FromResult(new SignatureResult
         {

src/Cryptography/StellaOps.Cryptography.Profiles.EdDsa/Ed25519Verifier.cs

@@ -47,7 +47,7 @@ public sealed class Ed25519Verifier : IContentVerifier
         {
             var isValid = PublicKeyAuth.VerifyDetached(
                 signature.SignatureBytes,
-                payload.Span,
+                payload.ToArray(),
                 signature.PublicKey);
 
             return Task.FromResult(new VerificationResult