[Task](crypto | masterkey | SSS) Implement SSS Provider Integration with Unified Interface

[nnicora]

This task involves wrapping the SSS reconstruction logic into the standard MasterKeyProvider interface used by the OpenKCM Core. This enables "Polymorphic" key management, where the system can switch between a single KMS provider and the SSS multi-provider mode via simple configuration changes.

The SSS Provider will act as a "Meta-Provider," orchestrating the DB Lookups, Decryption Clients, and Math Engine behind a single GetMasterKey() method call.

Goals

• Map the SSS reconstruction flow to the existing MasterKeyProvider Go interface.
• Implement configuration parsing for SSS-specific parameters (Threshold $M$, Total Shards $N$, and Provider lists).
• Ensure the SSS provider integrates correctly with the system's Health Check and Readiness probes.
• Provide a clean "Bootstrapping" sequence for the SSS mode during service startup.

Acceptance Criteria

• Interface Implementation: The SSS struct must satisfy the following methods:
  • GetMasterKey(ctx context.Context) ([]byte, error): Triggers the full "Peek -> Decrypt -> Reconstruct" flow.
  • ProviderName() string: Returns "SHAMIR_SSS".
  • Status() HealthStatus: Returns the availability of underlying KMS providers.
• Config Integration:
  • Support for config.yaml sections defining SSS parameters.
  • Validation that the number of configured providers is $\ge N$.
• Dependency Injection: Properly wire the Database Repository and Decryption Client Factory into the SSS Provider during initialization.
• Error Mapping: Translate internal SSS errors (e.g., ErrThresholdNotMet) into standard OpenKCM provider errors for consistent API responses.
• Logging & Telemetry: - Log successful unseals and the specific shard indices used.
  • Export metrics for "Time to Reconstruct" and "Active Providers."
• Unit Testing:
  • Functional tests using a "Mock SSS Provider" that returns a hardcoded key.
  • Integration test ensuring the MasterKeyManager successfully initializes the SSS provider when the mode is set in config.

Technical Mapping

The provider should follow the pattern:

1. Init(): Validate $M$ and $N$ constraints.
2. GetMasterKey():
   • Call Aggregation Logic (#Task11).
   • Pass result to Math Engine (#Task4).
   • Return reconstructed key to Secure Memory Holder.