# Sprint 514 - Ops & Offline · 190.K) Sovereign Crypto Enablement

Active items only. Completed/historic work now resides in docs/implplan/archived/tasks.md (updated 2025-11-08).

[Ops & Offline] 190.K) Sovereign Crypto Enablement

Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli

Summary: Deliver RootPack_RU-ready sovereign crypto providers (CryptoPro + PKCS#11), configuration knobs, deterministic tests, and repo-wide crypto routing audit.

Fork status: `third_party/forks/AlexMAS.GostCryptography` tracks upstream commit `31413f6` (2024-07-01) so we can patch/build the CryptoPro plug-in without pulling the vulnerable `IT.GostCryptography` binary.

Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
SEC-CRYPTO-90-017 | TODO | Vendor `third_party/forks/AlexMAS.GostCryptography` into the solution build (solution filters, Directory.Build props, CI) so the library compiles with the rest of the repo and publishes artifacts for downstream consumers. | Security Guild (third_party/forks + src/__Libraries/StellaOps.Cryptography.Plugin.CryptoPro)
SEC-CRYPTO-90-018 | TODO | Update developer/RootPack documentation to describe the new fork, sync steps, and licensing so operators know where the CryptoPro sources live and how to refresh them. | Security & Docs Guilds (docs/security/rootpack_ru_*.md, docs/dev/crypto.md)
SEC-CRYPTO-90-019 | TODO | Patch the fork to drop vulnerable `System.Security.Cryptography.{Pkcs,Xml}` 6.0.0 dependencies (target .NET 8+, adopt fixed BCL packages, re-run tests). | Security Guild (third_party/forks/AlexMAS.GostCryptography)
SEC-CRYPTO-90-020 | TODO | Re-point `StellaOps.Cryptography.Plugin.CryptoPro` to the forked sources (replace NuGet package references, adjust DI wiring) and prove the plugin works end-to-end. | Security Guild (src/__Libraries/StellaOps.Cryptography.Plugin.CryptoPro)
SEC-CRYPTO-90-021 | TODO | Validate the forked library + plugin on both Windows (CryptoPro CSP) and Linux (OpenSSL GOST fallback) builds/tests; document any platform-specific prerequisites. | Security & QA Guilds (scripts/crypto/**, docs/security/rootpack_ru_validation.md)
SEC-CRYPTO-90-001 | DONE (2025-11-07) | Produce the RootPack_RU implementation plan, provider strategy (CryptoPro + PKCS#11), and backlog split for sovereign crypto work. | Security Guild (src/__Libraries/StellaOps.Cryptography)
SEC-CRYPTO-90-002 | DONE (2025-11-07) | Extend signature/catalog constants and configuration schema to recognize `GOST12-256/512`, regional crypto profiles, and provider preference ordering. | Security Guild (src/__Libraries/StellaOps.Cryptography)
SEC-CRYPTO-90-003 | DONE (2025-11-07) | Implement `StellaOps.Cryptography.Plugin.CryptoPro` provider (sign/verify/JWK export) using CryptoPro CSP with deterministic logging/tests. | Security Guild (src/__Libraries/StellaOps.Cryptography)
SEC-CRYPTO-90-004 | DONE (2025-11-07) | Implement `StellaOps.Cryptography.Plugin.Pkcs11Gost` provider (Rutoken/JaCarta) via Pkcs11Interop with configurable slot/pin/module handling. | Security Guild (src/__Libraries/StellaOps.Cryptography)
SEC-CRYPTO-90-005 | DONE (2025-11-08) | Add configuration-driven provider selection (`crypto.regionalProfiles`), CLI diagnostics, and telemetry. | Security Guild (src/__Libraries/StellaOps.Cryptography)
SEC-CRYPTO-90-006 | DONE (2025-11-08) | Build deterministic Streebog/signature harnesses and RootPack audit metadata/runbooks. | Security Guild (src/__Libraries/StellaOps.Cryptography)
SEC-CRYPTO-90-007 | DONE (2025-11-08) | Package RootPack_RU artifacts (plugins, trust anchors, configs) with deployment documentation. | Security Guild (src/__Libraries/StellaOps.Cryptography)
SEC-CRYPTO-90-008 | DONE (2025-11-08) | Audit repository for direct crypto usage bypassing the new abstractions and file remediation tasks. | Security Guild (src/__Libraries/StellaOps.Cryptography)
SEC-CRYPTO-90-009 | DONE (2025-11-09) | Replace the placeholder CryptoPro plug-in with a true CryptoPro CSP implementation (GostCryptography, certificate-store lookup, DER/raw normalization) so RootPack_RU exposes a qualified-signature path. | Security Guild (src/__Libraries/StellaOps.Cryptography.Plugin.CryptoPro)
SEC-CRYPTO-90-010 | DONE (2025-11-09) | Introduce `StellaOpsCryptoOptions` / configuration binding for registry profiles/keys and ship an `AddStellaOpsCryptoRu(IConfiguration, …)` helper so hosts can enable `ru-offline` via YAML without custom code. | Security Guild (src/__Libraries/StellaOps.Cryptography + .DependencyInjection)
SEC-CRYPTO-90-011 | DONE (2025-11-09) | Build the sovereign crypto CLI (`StellaOps.CryptoRu.Cli`) to list keys, perform test-sign operations, and emit determinism/audit snapshots referenced in the RootPack docs. | Security & Ops Guilds (src/Tools/StellaOps.CryptoRu.Cli)
SEC-CRYPTO-90-012 | TODO | Add CryptoPro + PKCS#11 integration tests (env/pin gated) and wire them into `scripts/crypto/run-rootpack-ru-tests.sh`, covering Streebog vectors and DER/raw signatures. | Security Guild (src/__Libraries/__Tests/StellaOps.Cryptography.Tests)
SEC-CRYPTO-90-013 | TODO | Extend the shared crypto stack with sovereign symmetric algorithms (Magma/Kuznyechik) so exports/data-at-rest can request Russian ciphers via the provider registry. | Security Guild (src/__Libraries/StellaOps.Cryptography)
SEC-CRYPTO-90-014 | TODO | Update runtime hosts (Authority, Scanner WebService/Worker, Concelier, etc.) to register the RU providers, bind `StellaOps:Crypto` profiles, and expose configuration toggles per the new options model. | Security Guild + Service Guilds (multi-module)
SEC-CRYPTO-90-015 | TODO | Refresh RootPack/validation documentation once the CLI/config/tests exist (remove TODO callouts, document final workflows). | Security Guild & Docs Guild (docs/security/rootpack_ru_*.md)
SEC-CRYPTO-90-016 | DONE (2025-11-09) | Quarantine CryptoPro dependencies by default until IT.GostCryptography is patched; add MSBuild flag `StellaOpsEnableCryptoPro` and follow-up plan to re-enable the plug-in once a safe package exists. | Security Guild (src/__Libraries/StellaOps.Cryptography.DependencyInjection + .Plugin.CryptoPro)
AUTH-CRYPTO-90-001 | DOING (2025-11-08) | Migrate Authority signing/key-loading paths (provider registry + crypto hash) so regional bundles can select sovereign providers per docs/security/crypto-routing-audit-2025-11-07.md. | Authority Core & Security Guild (src/Authority/StellaOps.Authority)

CONCELIER-WEB-AOC-19-005 | DOING (2025-11-08) | Fix `/advisories/{key}/chunks` seeded fixtures so AdvisoryChunksEndpoint tests stop returning 404/not-found when raw documents are pre-populated; ensure Mongo migrations no longer emit “Unable to locate advisory_raw documents” during test boot. | Concelier WebService Guild, QA Guild (src/Concelier/StellaOps.Concelier.WebService)
CONCELIER-WEB-AOC-19-006 | DOING (2025-11-08) | Align WebService auth defaults with the test tokens so the allowlisted tenant can create an advisory before forbidden tenants are rejected in `AdvisoryIngestEndpoint_RejectsTenantOutsideAllowlist`. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService)
CONCELIER-WEB-AOC-19-007 | DOING (2025-11-08) | Update AOC verify logic/fixtures so guard failures produce the expected `ERR_AOC_001` payload while keeping mapper/guard parity covered by tests. | Concelier WebService Guild, QA Guild (src/Concelier/StellaOps.Concelier.WebService)
SCANNER-CRYPTO-90-001 | TODO | Route hashing/signing flows (`ScanIdGenerator`, `ReportSigner`, Sbomer BuildX plugin) through `ICryptoProviderRegistry` so sovereign deployments can select RU providers per the crypto routing audit. | Scanner WebService Guild, Security Guild (src/Scanner/StellaOps.Scanner.WebService)
SCANNER-WORKER-CRYPTO-90-001 | TODO | Wire Scanner Worker and BuildX analyzers to the crypto provider registry/hash abstractions, ensuring replay/report parity for sovereign bundles. | Scanner Worker Guild, Security Guild (src/Scanner/StellaOps.Scanner.Worker)
SCANNER-CRYPTO-90-002 | TODO | Enable PQ-friendly DSSE (Dilithium/Falcon) for fragment signing + `_composition.json` attestations via crypto provider options; ship configuration docs and fixture coverage. | Scanner WebService Guild, Security Guild (src/Scanner/StellaOps.Scanner.WebService) |
SCANNER-CRYPTO-90-003 | TODO | Add regression tests that rerun deterministic composition with RU/PQ profiles and validate Merkle roots + DSSE chains (hooked into `docs/replay/DETERMINISTIC_REPLAY.md`). Dependencies: SCANNER-CRYPTO-90-002. | Scanner Worker Guild, QA Guild (src/Scanner/__Tests) |
ATTESTOR-CRYPTO-90-001 | TODO | Migrate attestation bundle hashing/witness flows to the registry + hash abstractions, enabling CryptoPro/PKCS#11 deployments. | Attestor Service Guild, Security Guild (src/Attestor/StellaOps.Attestor)