# Crypto Registry Decision · 2025-11-18

## Outcome

- Agree to ship `ICryptoProviderRegistry` with the following defaults:
  - PreferredProviders (global default): `default`, `ru.openssl.gost`, `ru.pkcs11`.
  - ActiveProfile for RU/sovereign deployments: `ru-offline` with preferred order `ru.cryptopro.csp`, `ru.openssl.gost`, `ru.pkcs11`.
  - For non-RU deployments, ActiveProfile remains `default`.
- Registry contract to be published via shared library (`StellaOps.Cryptography` stack) and referenced by EvidenceLocker/ExportCenter/TimelineIndexer and downstream services.
- Deterministic config binding: keep profile names and provider IDs lowercase ASCII; enforce ISO-8601 UTC timestamps for any audit material generated by registry actions.

## Rationale

- Aligns with 2025-11-07 crypto routing audit (`docs/security/crypto-routing-audit-2025-11-07.md`) to ensure sovereign-ready providers are selectable without code changes.
- Keeps default provider chain intact for non-sovereign deployments while enabling RU-specific stacks where mandated.

## Required follow-ups

- Publish NuGet/package update exposing the approved registry contract and provider IDs.
- Update module hosts (EvidenceLocker, ExportCenter, TimelineIndexer, CLI) to bind `StellaOps:Crypto:Registry` using the defaults above.
- Add CI smoke to assert registry resolves the chosen ActiveProfile on Linux and Windows.
- Mirror decision into sprint docs for affected modules (160/161).
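
The defaults and binding rules from the Outcome section, modelled as an added example; it is not StellaOps code and does not reproduce the `ICryptoProviderRegistry` API. The dictionary layout, the identifier character set, the first-available resolution rule and the fail-closed behaviour are assumptions of this example.

```python
import re
from datetime import datetime, timezone

# Defaults copied from the Outcome section; the dictionary layout is an assumption.
GLOBAL_PREFERRED = ["default", "ru.openssl.gost", "ru.pkcs11"]
PROFILES = {
    "default": GLOBAL_PREFERRED,
    "ru-offline": ["ru.cryptopro.csp", "ru.openssl.gost", "ru.pkcs11"],
}
# Assumed character set: lowercase ASCII letters, digits, '.' and '-'.
_ID = re.compile(r"[a-z0-9][a-z0-9.\-]*")


def validate(profiles):
    """Return a list of rule violations for profile names and provider IDs."""
    errors = []
    for name, providers in profiles.items():
        for ident in [name, *providers]:
            # fullmatch rejects uppercase, trailing newlines and non-ASCII look-alikes.
            if not _ID.fullmatch(ident):
                errors.append(f"{name}: identifier {ident!r} is not lowercase ASCII")
        if len(set(providers)) != len(providers):
            errors.append(f"{name}: duplicate provider in preferred order")
    return errors


def resolve(active_profile, available, profiles=PROFILES):
    """Pick the first provider of the active profile that the host has registered.

    Fails closed (an assumption): an unknown profile or an empty match raises
    instead of silently falling back to another profile's chain.
    """
    if active_profile not in profiles:
        raise KeyError(f"unknown ActiveProfile {active_profile!r}")
    for provider in profiles[active_profile]:
        if provider in available:
            return provider
    raise LookupError(f"no provider from profile {active_profile!r} is available")


def audit_timestamp(now=None):
    """ISO-8601 UTC timestamp with a trailing 'Z' for audit records."""
    now = now or datetime.now(timezone.utc)
    if now.tzinfo is None:
        raise ValueError("naive datetime; audit timestamps must be timezone-aware")
    return now.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
```

A CI smoke check along these lines would run `validate` on the bound configuration and `resolve` with the provider set each host actually registers, on both Linux and Windows.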