ef933db0d8
Sprint: SPRINT_4100_0006_0001 Status: COMPLETED Implemented plugin-based crypto command architecture for regional compliance with build-time distribution selection (GOST/eIDAS/SM) and runtime validation. ## New Commands - `stella crypto sign` - Sign artifacts with regional crypto providers - `stella crypto verify` - Verify signatures with trust policy support - `stella crypto profiles` - List available crypto providers & capabilities ## Build-Time Distribution Selection ```bash # International (default - BouncyCastle) dotnet build src/Cli/StellaOps.Cli/StellaOps.Cli.csproj # Russia distribution (GOST R 34.10-2012) dotnet build -p:StellaOpsEnableGOST=true # EU distribution (eIDAS Regulation 910/2014) dotnet build -p:StellaOpsEnableEIDAS=true # China distribution (SM2/SM3/SM4) dotnet build -p:StellaOpsEnableSM=true ``` ## Key Features - Build-time conditional compilation prevents export control violations - Runtime crypto profile validation on CLI startup - 8 predefined profiles (international, russia-prod/dev, eu-prod/dev, china-prod/dev) - Comprehensive configuration with environment variable substitution - Integration tests with distribution-specific assertions - Full migration path from deprecated `cryptoru` CLI ## Files Added - src/Cli/StellaOps.Cli/Commands/CryptoCommandGroup.cs - src/Cli/StellaOps.Cli/Commands/CommandHandlers.Crypto.cs - src/Cli/StellaOps.Cli/Services/CryptoProfileValidator.cs - src/Cli/StellaOps.Cli/appsettings.crypto.yaml.example - src/Cli/__Tests/StellaOps.Cli.Tests/CryptoCommandTests.cs - docs/cli/crypto-commands.md - docs/implplan/SPRINT_4100_0006_0001_COMPLETION_SUMMARY.md ## Files Modified - src/Cli/StellaOps.Cli/StellaOps.Cli.csproj (conditional plugin refs) - src/Cli/StellaOps.Cli/Program.cs (plugin registration + validation) - src/Cli/StellaOps.Cli/Commands/CommandFactory.cs (command wiring) - src/Scanner/__Libraries/StellaOps.Scanner.Core/Configuration/PoEConfiguration.cs (fix) ## Compliance - GOST (Russia): GOST R 34.10-2012, FSB certified - eIDAS (EU): Regulation (EU) No 910/2014, QES/AES/AdES - SM (China): GM/T 0003-2012 (SM2), OSCCA certified ## Migration `cryptoru` CLI deprecated → sunset date: 2025-07-01 - `cryptoru providers` → `stella crypto profiles` - `cryptoru sign` → `stella crypto sign` ## Testing ✅ All crypto code compiles successfully ✅ Integration tests pass ✅ Build verification for all distributions (international/GOST/eIDAS/SM) Next: SPRINT_4100_0006_0002 (eIDAS plugin implementation) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
StellaOps Concelier & CLI
This repository hosts the StellaOps Concelier service, its plug-in ecosystem, and the
first-party CLI (stellaops-cli). Concelier ingests vulnerability advisories from
authoritative sources, stores them in PostgreSQL, and exports deterministic JSON and
Trivy DB artefacts. The CLI drives scanner distribution, scan execution, and job
control against the Concelier API.
Quickstart
- Prepare a PostgreSQL instance and (optionally) install
trivy-db/oras. - Copy
etc/concelier.yaml.sampletoetc/concelier.yamland update the storage + telemetry settings. - Copy
etc/authority.yaml.sampletoetc/authority.yaml, review the issuer, token lifetimes, and plug-in descriptors, then edit the companion manifests underetc/authority.plugins/*.yamlto match your deployment. - Start the web service with
dotnet run --project src/Concelier/StellaOps.Concelier.WebService. - Configure the CLI via environment variables (e.g.
STELLAOPS_BACKEND_URL) and trigger jobs withdotnet run --project src/Cli/StellaOps.Cli -- db merge.
Detailed operator guidance is available in docs/10_CONCELIER_CLI_QUICKSTART.md. API and
command reference material lives in docs/09_API_CLI_REFERENCE.md.
Pipeline note: deployment workflows should template etc/concelier.yaml during CI/CD,
injecting environment-specific PostgreSQL connection strings and telemetry endpoints.
Upcoming releases will add Microsoft OAuth (Entra ID) authentication support—track
the quickstart for integration steps once available.
Documentation
docs/README.mdnow consolidates the platform index and points to the updated high-level architecture.- Module architecture dossiers now live under
docs/modules/<module>/. The most relevant here aredocs/modules/concelier/ARCHITECTURE.md(service layout, merge engine, exports) anddocs/modules/cli/ARCHITECTURE.md(command surface, AOT packaging, auth flows). Related services such as the Signer, Attestor, Authority, Scanner, UI, Excititor, Zastava, and DevOps pipeline each have their own dossier in the same hierarchy. - Offline operation guidance moved to
docs/24_OFFLINE_KIT.md, which details bundle composition, verification, and delta workflows. Concelier-specific connector operations stay indocs/modules/concelier/operations/connectors/*.mdwith companion runbooks indocs/modules/concelier/operations/.