# SPRINT_4100_0006 Summary - Complete CLI Consolidation & Compliance Crypto Integration
## Overview
This sprint series completes the CLI consolidation effort by migrating sovereign crypto tools (GOST, eIDAS, SM) into the unified `stella` CLI with plugin-based architecture, removing deprecated standalone CLIs, and creating comprehensive CLI documentation.
**Origin Advisory:** Internal architecture review - CLI fragmentation and compliance crypto isolation requirements
**Gap Analysis:** CLI tools scattered across multiple projects with inconsistent patterns; regional crypto compliance requires plugin isolation
## Executive Summary
**Goal:** Unified `stella` CLI with plugin-based regional crypto support (GOST, eIDAS, SM) while maintaining compliance isolation through build-time and runtime plugin loading.
**Scope:**
- Migrate `cryptoru` commands to `stella crypto` with plugin architecture
- Create eIDAS crypto plugin and CLI integration
- Ensure SM (Chinese crypto) plugin CLI integration
- Final removal of deprecated `stella-aoc` and `stella-symbols` CLI projects
- Comprehensive CLI documentation with architecture diagrams
- Admin utility planning (`stellopsctl` → `stella admin`)
| Sprint | Title | Status | Tasks |
|--------|-------|--------|-------|
| 4100.0006.0001 | Crypto Plugin CLI Architecture | 📋 PLANNED | 15 |
| 4100.0006.0002 | eIDAS Crypto Plugin Implementation | 📋 PLANNED | 12 |
| 4100.0006.0003 | SM Crypto CLI Integration | 📋 PLANNED | 8 |
| 4100.0006.0004 | Deprecated CLI Removal | 📋 PLANNED | 10 |
| 4100.0006.0005 | Admin Utility Integration | 📋 PLANNED | 14 |
| 4100.0006.0006 | CLI Documentation Overhaul | 📋 PLANNED | 18 |
**Total Tasks:** 77 tasks
---
## Sprint Structure
```
SPRINT_4100_0006 (Complete CLI Consolidation)
├── 0001 (Crypto Plugin CLI Architecture)
│ ├─ Plugin discovery and loading
│ ├─ stella crypto sign command
│ ├─ GOST/eIDAS/SM profile switching
│ └─ Build-time conditional compilation
├── 0002 (eIDAS Crypto Plugin)
│ ├─ eIDAS signature algorithms (ECDSA, RSA-PSS)
│ ├─ Trust Service Provider integration
│ ├─ QES/AES/AdES compliance
│ └─ CLI integration
├── 0003 (SM Crypto CLI Integration)
│ ├─ SM2/SM3/SM4 algorithm support
│ ├─ stella crypto sm commands
│ └─ GuoMi compliance validation
├── 0004 (Deprecated CLI Removal)
│ ├─ Remove stella-aoc project
│ ├─ Remove stella-symbols project
│ └─ Migration guide verification
├── 0005 (Admin Utility Integration)
│ ├─ stella admin policy commands
│ ├─ stella admin users commands
│ ├─ stella admin feeds commands
│ └─ stella admin system commands
└── 0006 (CLI Documentation Overhaul)
  ├─ CLI architecture documentation
  ├─ Command reference matrix
  ├─ Plugin loading diagrams
  └─ Compliance guidance
```
## Key Design Principles
### 1. Compliance Isolation
**Problem:** Regional crypto standards (GOST, eIDAS, SM) have legal/export restrictions and MUST NOT be accidentally mixed.
**Solution:**
- **Build-time plugin selection** via MSBuild conditionals (`StellaOpsEnableGOST`, `StellaOpsEnableEIDAS`, `StellaOpsEnableSM`)
- **Runtime plugin loading** via configuration profiles
- **Separate distributions** for each region (international, russia, eu, china)
```xml
```
### 2. Plugin Architecture
**Crypto Plugin Interface:**
```csharp
using System.Collections;
using System.Threading.Tasks;

public interface ICryptoProvider
{
    string Name { get; } // "gost-cryptopro", "eidas-tsp", "sm-gmssl"
    string[] SupportedAlgorithms { get; }

    // Produces the signature bytes for the given data
    Task<byte[]> SignAsync(byte[] data, string algorithm, CryptoKeyReference key);

    // Completes with true when the signature is valid for the data
    Task<bool> VerifyAsync(byte[] data, byte[] signature, string algorithm, CryptoKeyReference key);
}

public interface ICryptoProviderDiagnostics
{
    IEnumerable DescribeKeys();
}
```
**CLI Command Structure:**
```
stella crypto
├── providers # List all loaded crypto providers
├── sign # Sign with any provider (unified interface)
│ ├── --provider # gost|eidas|sm|default
│ ├── --profile # config profile override
│ ├── --key-id # key reference
│ ├── --alg # algorithm (GOST12-256, ECDSA-P256, SM2, etc.)
│ └── --file # input file
├── verify # Verify signature
└── profiles # List available crypto profiles
```
### 3. Distribution Strategy
| Distribution | Region | Plugins Included | Build Flag |
|--------------|--------|------------------|------------|
| **stella-international** | Global (non-restricted) | Default (.NET crypto), BouncyCastle | None |
| **stella-russia** | Russia, CIS | GOST (CryptoPro, OpenSSL-GOST, PKCS#11) | `StellaOpsEnableGOST=true` |
| **stella-eu** | European Union | eIDAS (TSP connectors, QES) | `StellaOpsEnableEIDAS=true` |
| **stella-china** | China | SM (GuoMi - SM2/SM3/SM4) | `StellaOpsEnableSM=true` |
| **stella-full** | Internal testing only | ALL plugins | `StellaOpsEnableAllCrypto=true` |
**WARNING:** `stella-full` distribution MUST NOT be publicly released due to export control regulations.
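One way to automate the distribution check implied by the table above, as an added example rather than project code. It assumes the loaded provider names are available as a plain list, that a provider's family is the prefix of its name (as in `gost-cryptopro`, `eidas-tsp`, `sm-gmssl`), and that the release pipeline passes a hypothetical `public_release` flag.

```python
# Added example: provider-name prefixes and the public_release flag are
# assumptions; the allow-list mirrors the Distribution Strategy table.
REGIONAL_FAMILIES = ("gost", "eidas", "sm")
ALLOWED = {
    "stella-international": set(),
    "stella-russia": {"gost"},
    "stella-eu": {"eidas"},
    "stella-china": {"sm"},
    "stella-full": {"gost", "eidas", "sm"},
}
INTERNAL_ONLY = {"stella-full"}


def family_of(provider_name):
    """Map 'gost-cryptopro' -> 'gost'; non-regional providers -> None."""
    prefix = provider_name.strip().lower().split("-", 1)[0]
    return prefix if prefix in REGIONAL_FAMILIES else None


def validate_distribution(distribution, provider_names, public_release):
    """Return violation strings; an empty list means the artifact may ship."""
    if distribution not in ALLOWED:
        # Fail closed: an unrecognised distribution name is never releasable.
        return [f"unknown distribution: {distribution}"]
    violations = []
    if public_release and distribution in INTERNAL_ONLY:
        violations.append(f"{distribution} is internal-only and must not be published")
    allowed, found = ALLOWED[distribution], set()
    for name in provider_names:
        family = family_of(name)
        if family is None:
            continue
        found.add(family)
        if family not in allowed:
            violations.append(f"{name}: {family} plugin not permitted in {distribution}")
    for family in sorted(allowed - found):
        violations.append(f"{distribution}: expected {family} plugin is missing")
    return violations


if __name__ == "__main__":
    # Constructed sample: an EU build that accidentally picked up a GOST plugin.
    loaded = ["default", "bouncycastle", "eidas-tsp", "gost-cryptopro"]
    for problem in validate_distribution("stella-eu", loaded, public_release=True):
        print("FAIL:", problem)
```

A non-empty result should fail the release job, so a contaminated or internal-only artifact never reaches a public channel.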
---
## Dependencies
### External Dependencies (Already DONE)
| Dependency | Sprint | Status |
|------------|--------|--------|
| stella CLI base | (core) | DONE |
| stella aoc command | SPRINT_5100_0001_0001 | DONE |
| stella symbols command | SPRINT_5100_0001_0001 | DONE |
| Crypto plugin framework | (core) | DONE |
| System.CommandLine 2.0 | (core) | DONE |
### Internal Dependencies
```
4100.0006.0001 ──┬─> 4100.0006.0002 (eIDAS needs architecture)
                 ├─> 4100.0006.0003 (SM needs architecture)
                 └─> 4100.0006.0005 (admin needs plugin patterns)
4100.0006.0002 ──┐
4100.0006.0003 ──┼─> 4100.0006.0006 (docs need all implementations)
4100.0006.0005 ──┘
4100.0006.0004 ──> (no dependencies, can run in parallel)
```
**Recommended Execution Order:**
1. **Wave 1 (Week 1):** 4100.0006.0001 (foundation)
2. **Wave 2 (Week 2):** 4100.0006.0002, 4100.0006.0003, 4100.0006.0004, 4100.0006.0005 (parallel)
3. **Wave 3 (Week 3):** 4100.0006.0006 (documentation)
---
## Success Criteria
| # | Criterion | Verification |
|---|-----------|--------------|
| 1 | `stella crypto sign` works with GOST/eIDAS/SM plugins in respective distributions | Integration tests per region |
| 2 | Deprecated `stella-aoc` and `stella-symbols` projects removed from repository | `find src/ -name "*.Cli.csproj"` returns only StellaOps.Cli |
| 3 | Build matrix produces 4 distributions (international, russia, eu, china) | CI/CD artifacts verify |
| 4 | CLI documentation includes plugin architecture diagrams | `docs/cli/architecture.md` complete |
| 5 | Migration guide verification passes for AOC/Symbols users | Manual testing with old scripts |
| 6 | `stella admin` commands provide full platform management | Admin smoke tests pass |
| 7 | No crypto plugin cross-contamination in distributions | Static analysis + runtime checks |
| 8 | eIDAS compliance verified by external audit | QES/AES certificate validation |
---
## Compliance Requirements
### GOST (Russia - GOST R 34.10-2012, GOST R 34.11-2012)
**Algorithms:**
- GOST R 34.10-2012 (256-bit, 512-bit) - Digital signatures
- GOST R 34.11-2012 (Streebog) - Hash functions
- GOST R 34.12-2015 (Kuznyechik, Magma) - Block ciphers
**Providers:**
- CryptoPro CSP (commercial)
- ViPNet CSP (commercial)
- OpenSSL-GOST (open source)
- PKCS#11 GOST
**Verification:** Must validate signatures against Russian Federal Service for Technical and Export Control (FSTEC) test vectors.
### eIDAS (EU - Regulation 910/2014)
**Signature Levels:**
- **QES** (Qualified Electronic Signature) - Legal equivalent to handwritten signature
- **AES** (Advanced Electronic Signature) - High assurance
- **AdES** (Standard) - Basic compliance
**Algorithms:**
- ECDSA (P-256, P-384, P-521)
- RSA-PSS (2048-bit, 4096-bit)
- EdDSA (Ed25519, Ed448)
**Trust Service Providers (TSP):**
- Integration with EU-qualified TSPs
- ETSI EN 319 412 certificate profiles
- Time-stamping (RFC 3161)
**Verification:** Must validate against eIDAS-compliant test suite and EU Trusted List.
### SM (China - GM/T standards)
**Algorithms:**
- SM2 (elliptic curve cryptography) - Signatures and key exchange
- SM3 (hash function) - 256-bit
- SM4 (block cipher) - 128-bit
**Providers:**
- GmSSL (open source)
- Commercial CSPs (certified by OSCCA)
**Verification:** Must validate against Chinese Office of State Commercial Cryptography Administration (OSCCA) test vectors.
---
## Risk Register
| Risk | Impact | Probability | Mitigation |
|------|--------|-------------|------------|
| **Export control violations** | CRITICAL | MEDIUM | Automated distribution validation; separate build pipelines per region |
| **Plugin cross-contamination** | HIGH | LOW | Build-time exclusion; runtime profile validation |
| **eIDAS audit failure** | HIGH | MEDIUM | External compliance review before release |
| **Migration breaks existing AOC/Symbols users** | MEDIUM | LOW | Comprehensive migration guide; deprecation warnings |
| **Admin utility scope creep** | LOW | HIGH | Strict scope definition; defer advanced features |
| **Documentation drift** | MEDIUM | MEDIUM | Automated CLI help text generation from code |
---
## Team Assignments
| Team | Sprints | Total Effort |
|------|---------|--------------|
| CLI Team | 4100.0006.0001, 4100.0006.0004 | L (5-8d) |
| Crypto Team | 4100.0006.0002, 4100.0006.0003 | L (5-8d) |
| Platform Team | 4100.0006.0005 | M (3-5d) |
| Documentation Team | 4100.0006.0006 | M (3-5d) |
---
## Deliverables
### New CLI Commands
```bash
# Unified crypto interface
stella crypto providers [--json]
stella crypto sign --provider gost --key-id <key-id> --alg GOST12-256 --file <file> [--out <path>]
stella crypto verify --provider gost --key-id <key-id> --alg GOST12-256 --file <file> --signature <signature>
stella crypto profiles
# Admin utilities (replace stellopsctl)
stella admin policy export [--output <path>]
stella admin policy import --file <file>
stella admin users list [--role <role>]
stella admin users add <user> --role <role>
stella admin users revoke <user>
stella admin feeds refresh [--source <source>]
stella admin system status
stella admin system migrate --version <version>
```
### Removed Projects
- `src/Aoc/StellaOps.Aoc.Cli/` (deleted)
- `src/Symbols/StellaOps.Symbols.Ingestor.Cli/` (deleted)
- `src/Tools/StellaOps.CryptoRu.Cli/` (deleted)
### New Plugins
- `src/__Libraries/StellaOps.Cryptography.Plugin.EIDAS/` (new)
- `src/__Libraries/StellaOps.Cryptography.Plugin.EIDAS.Tests/` (new)
### New Documentation
- `docs/cli/architecture.md` - CLI architecture with plugin diagrams
- `docs/cli/crypto-plugins.md` - Crypto plugin development guide
- `docs/cli/compliance-guide.md` - Regional compliance requirements
- `docs/cli/commands/crypto.md` - stella crypto command reference
- `docs/cli/commands/admin.md` - stella admin command reference
- `docs/cli/distribution-matrix.md` - Build and distribution guide
### Updated Documentation
- `docs/09_API_CLI_REFERENCE.md` - Add crypto and admin commands
- `docs/cli/cli-consolidation-migration.md` - Final migration verification
- `docs/ARCHITECTURE_DETAILED.md` - Add CLI plugin architecture section
- `docs/DEVELOPER_ONBOARDING.md` - Update CLI development guide
---
## Completion Checklist
- [ ] All 6 sprints marked DONE
- [ ] GOST crypto commands work in russia distribution
- [ ] eIDAS crypto commands work in eu distribution
- [ ] SM crypto commands work in china distribution
- [ ] Deprecated CLI projects deleted from repository
- [ ] stella admin commands provide full platform management
- [ ] Build matrix produces correct distributions
- [ ] Compliance audits pass (GOST, eIDAS, SM)
- [ ] CLI documentation complete with diagrams
- [ ] Integration tests pass for all distributions
- [ ] Migration guide verification complete
---
## Post-Completion
After all sprints complete:
1. Update `docs/09_API_CLI_REFERENCE.md` with crypto and admin commands
2. Archive standalone CLI migration guide to `docs/cli/archived/`
3. Create compliance certificates for each distribution
4. Publish distribution-specific binaries to release channels
5. Notify community of final migration deadline (2025-07-01)
---
## Topic & Scope
- Complete the CLI consolidation effort started in SPRINT_5100_0001_0001
- Integrate regional crypto compliance with plugin architecture
- Remove all deprecated standalone CLIs
- Provide comprehensive CLI documentation
- **Working directory:** `docs/implplan` (planning), `src/Cli` (implementation)
## Dependencies & Concurrency
- Depends on SPRINT_5100_0001_0001 (AOC/Symbols migration)
- Sprints 0002, 0003, 0004, 0005 can run in parallel after 0001 completes
- Sprint 0006 (documentation) waits for all implementations
## Documentation Prerequisites
- `docs/README.md`
- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
- `docs/ARCHITECTURE_DETAILED.md`
- `docs/cli/cli-consolidation-migration.md`
---
**Sprint Series Status:** 📋 PLANNED
**Created:** 2025-12-23
**Origin:** CLI fragmentation analysis + compliance crypto isolation requirements
**Estimated Completion:** 2026-01-31 (3 weeks)