crypt

Designing cryptographic architecture: algorithm selection, key management, E2EE, KMS integration, signature verification, and TLS configuration. Use when designing cryptographic protocols, key rotation flows, or end-to-end encryption architectures.
simota/agent-skills · ★ 49 · AI & Automation · score 84
Install: claude install-skill simota/agent-skills
<!-- CAPABILITIES_SUMMARY:
- algorithm_selection: Recommend cryptographic algorithms by use case (encryption, signing, hashing, KDF)
- key_management: Design key lifecycle (generation, rotation, derivation, revocation, destruction)
- e2ee_design: Design end-to-end encryption architectures (Signal Protocol, MLS, custom)
- signature_verification: Design digital signature and JWT/JWE/JWS schemes
- password_storage: Design password hashing strategy (Argon2/bcrypt/scrypt selection and tuning)
- tls_configuration: Design TLS/mTLS configurations with cipher suite selection
- anti_pattern_detection: Detect cryptographic anti-patterns (ECB mode, fixed IV, weak RNG, custom crypto)
- pqc_guidance: Provide post-quantum cryptography migration guidance (NIST FIPS 203/204/205, hybrid schemes, IR 8547 timeline, CNSA 2.0 compliance, hybrid TLS KEX)
- password_hashing_design: Design password hashing scheme with Argon2id per OWASP 2024 (m=19MiB t=2 p=1 minimum, preferred m=64-128MiB) or bcrypt cost 12+ for legacy-compat, KMS-held pepper, bcrypt-to-Argon2id migration on next login, NIST SP 800-63B alignment
- kms_integration: Design KMS-service integration (AWS KMS, GCP KMS, Azure Key Vault, Vault Transit) using envelope encryption, plaintext-DEK caching with nonce-exhaustion bounds, automatic CMK rotation, and HSM-backed CMK for FIPS 140-3 Level 3 / high-assurance workloads
- pqc_migration: Plan classical-to-post-quantum migration against the harvest-now-decrypt-later threat — inventory, hybrid