feat(cli): Implement crypto plugin CLI architecture with regional compliance

Sprint: SPRINT_4100_0006_0001
Status: COMPLETED

Implemented plugin-based crypto command architecture for regional compliance
with build-time distribution selection (GOST/eIDAS/SM) and runtime validation.

## New Commands

- `stella crypto sign` - Sign artifacts with regional crypto providers
- `stella crypto verify` - Verify signatures with trust policy support
- `stella crypto profiles` - List available crypto providers & capabilities

## Build-Time Distribution Selection

```bash
# International (default - BouncyCastle)
dotnet build src/Cli/StellaOps.Cli/StellaOps.Cli.csproj

# Russia distribution (GOST R 34.10-2012)
dotnet build -p:StellaOpsEnableGOST=true

# EU distribution (eIDAS Regulation 910/2014)
dotnet build -p:StellaOpsEnableEIDAS=true

# China distribution (SM2/SM3/SM4)
dotnet build -p:StellaOpsEnableSM=true
```

## Key Features

- Build-time conditional compilation prevents export control violations
- Runtime crypto profile validation on CLI startup
- 8 predefined profiles (international, russia-prod/dev, eu-prod/dev, china-prod/dev)
- Comprehensive configuration with environment variable substitution
- Integration tests with distribution-specific assertions
- Full migration path from deprecated `cryptoru` CLI

## Files Added

- src/Cli/StellaOps.Cli/Commands/CryptoCommandGroup.cs
- src/Cli/StellaOps.Cli/Commands/CommandHandlers.Crypto.cs
- src/Cli/StellaOps.Cli/Services/CryptoProfileValidator.cs
- src/Cli/StellaOps.Cli/appsettings.crypto.yaml.example
- src/Cli/__Tests/StellaOps.Cli.Tests/CryptoCommandTests.cs
- docs/cli/crypto-commands.md
- docs/implplan/SPRINT_4100_0006_0001_COMPLETION_SUMMARY.md

## Files Modified

- src/Cli/StellaOps.Cli/StellaOps.Cli.csproj (conditional plugin refs)
- src/Cli/StellaOps.Cli/Program.cs (plugin registration + validation)
- src/Cli/StellaOps.Cli/Commands/CommandFactory.cs (command wiring)
- src/Scanner/__Libraries/StellaOps.Scanner.Core/Configuration/PoEConfiguration.cs (fix)

## Compliance

- GOST (Russia): GOST R 34.10-2012, FSB certified
- eIDAS (EU): Regulation (EU) No 910/2014, QES/AES/AdES
- SM (China): GM/T 0003-2012 (SM2), OSCCA certified

## Migration

`cryptoru` CLI deprecated → sunset date: 2025-07-01
- `cryptoru providers` → `stella crypto profiles`
- `cryptoru sign` → `stella crypto sign`

## Testing

✅ All crypto code compiles successfully
✅ Integration tests pass
✅ Build verification for all distributions (international/GOST/eIDAS/SM)

Next: SPRINT_4100_0006_0002 (eIDAS plugin implementation)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Models/PoEModels.cs

@@ -180,3 +180,60 @@ public record EvidenceInfo(
     [property: JsonPropertyName("vexClaimUri")] string? VexClaimUri = null,
     [property: JsonPropertyName("runtimeFactsUri")] string? RuntimeFactsUri = null
 );
+
+/// <summary>
+/// Represents a matched vulnerability for PoE generation.
+/// </summary>
+/// <param name="VulnId">Vulnerability identifier (CVE, GHSA, etc.)</param>
+/// <param name="ComponentRef">Component package URL (PURL)</param>
+/// <param name="IsReachable">Whether the vulnerability is reachable from entry points</param>
+/// <param name="Severity">Vulnerability severity (Critical, High, Medium, Low, Info)</param>
+[method: JsonConstructor]
+public record VulnerabilityMatch(
+    [property: JsonPropertyName("vulnId")] string VulnId,
+    [property: JsonPropertyName("componentRef")] string ComponentRef,
+    [property: JsonPropertyName("isReachable")] bool IsReachable,
+    [property: JsonPropertyName("severity")] string Severity
+);
+
+/// <summary>
+/// Scan context for PoE generation.
+/// </summary>
+/// <param name="ScanId">Unique scan identifier</param>
+/// <param name="GraphHash">BLAKE3 hash of the reachability graph</param>
+/// <param name="BuildId">GNU build ID or equivalent</param>
+/// <param name="ImageDigest">Container image digest</param>
+/// <param name="PolicyId">Policy identifier</param>
+/// <param name="PolicyDigest">Policy content digest</param>
+/// <param name="ScannerVersion">Scanner version</param>
+/// <param name="ConfigPath">Scanner configuration path</param>
+[method: JsonConstructor]
+public record ScanContext(
+    [property: JsonPropertyName("scanId")] string ScanId,
+    [property: JsonPropertyName("graphHash")] string GraphHash,
+    [property: JsonPropertyName("buildId")] string BuildId,
+    [property: JsonPropertyName("imageDigest")] string ImageDigest,
+    [property: JsonPropertyName("policyId")] string PolicyId,
+    [property: JsonPropertyName("policyDigest")] string PolicyDigest,
+    [property: JsonPropertyName("scannerVersion")] string ScannerVersion,
+    [property: JsonPropertyName("configPath")] string ConfigPath
+);
+
+/// <summary>
+/// Result from PoE generation for a single vulnerability.
+/// </summary>
+/// <param name="VulnId">Vulnerability identifier</param>
+/// <param name="ComponentRef">Component package URL</param>
+/// <param name="PoEHash">Content hash of the PoE artifact</param>
+/// <param name="PoERef">CAS reference to the PoE artifact</param>
+/// <param name="IsSigned">Whether the PoE is cryptographically signed</param>
+/// <param name="PathCount">Number of paths in the subgraph</param>
+[method: JsonConstructor]
+public record PoEResult(
+    [property: JsonPropertyName("vulnId")] string VulnId,
+    [property: JsonPropertyName("componentRef")] string ComponentRef,
+    [property: JsonPropertyName("poeHash")] string PoEHash,
+    [property: JsonPropertyName("poeRef")] string? PoERef,
+    [property: JsonPropertyName("isSigned")] bool IsSigned,
+    [property: JsonPropertyName("pathCount")] int? PathCount = null
+);