Add post-quantum cryptography support with PqSoftCryptoProvider

- Implemented PqSoftCryptoProvider for software-only post-quantum algorithms (Dilithium3, Falcon512) using BouncyCastle.
- Added PqSoftProviderOptions and PqSoftKeyOptions for configuration.
- Created unit tests for Dilithium3 and Falcon512 signing and verification.
- Introduced EcdsaPolicyCryptoProvider for compliance profiles (FIPS/eIDAS) with explicit allow-lists.
- Added KcmvpHashOnlyProvider for KCMVP baseline compliance.
- Updated project files and dependencies for new libraries and testing frameworks.

docs/security/crypto-compliance.md

@@ -16,9 +16,19 @@ StellaOps supports multiple cryptographic compliance profiles to meet regional r
 | `eidas` | eIDAS/ETSI TS 119 312 | European Union | EU digital identity and trust |
 
 **Certification caveats (current baselines)**
-- `fips`, `eidas`, `kcmvp` are enforced via algorithm allow-lists only; certified modules are not yet integrated. Deployments must treat these as non-certified until a CMVP/QSCD/KCMVP module is configured.
-- `gost` is validated on Linux via OpenSSL GOST; Windows CryptoPro CSP remains pending.
-- `sm` uses a software-only SM2/SM3 path when `SM_SOFT_ALLOWED=1`; hardware PKCS#11 validation is pending.
+- `fips` and `eidas` now route through software allow-listed providers (`fips.ecdsa.soft`, `eu.eidas.soft`) and are labeled **non-certified** until a CMVP/QSCD module is attached (set `FIPS_SOFT_ALLOWED=1` / `EIDAS_SOFT_ALLOWED=1`).
+- `kcmvp` is covered by a hash-only baseline provider (`kr.kcmvp.hash`, SHA-256) with the `KCMVP_HASH_ALLOWED` gate; ARIA/SEED/KCDSA remain pending.
+- `gost` has a Linux-ready OpenSSL baseline plus a Wine sidecar for CryptoPro CSP (`ru.winecsp.http`); native Windows CSP stays blocked on licensed runners.
+- `sm` uses software SM2/SM3 (`cn.sm.soft`, gate `SM_SOFT_ALLOWED=1`); hardware PKCS#11 validation remains pending.
+- `pq` uses software-only Dilithium3 and Falcon512 (`pq.soft`, gate `PQ_SOFT_ALLOWED=1`); certified PQ modules are not available.
+
+**Provider identifiers (registry names)**
+- FIPS: `fips.ecdsa.soft`
+- eIDAS: `eu.eidas.soft`
+- KCMVP hash baseline: `kr.kcmvp.hash`
+- PQ (Dilithium3/Falcon512): `pq.soft`
+- RU GOST (Wine sidecar): `ru.winecsp.http`
+- CN SM software: `cn.sm.soft`
 
 ## Configuration
 
@@ -87,6 +97,14 @@ HMAC operations use purpose-based selection similar to hashing:
 
 **Note:** The `WebhookInterop` purpose always uses HMAC-SHA256 regardless of profile. This is required for compatibility with external webhook receivers (Slack, Teams, GitHub, etc.) that expect SHA-256 signatures.
 
+## Simulation paths when hardware is missing
+
+- **RU / GOST**: Linux baseline uses `ru.openssl.gost`; CryptoPro CSP can be exercised from Linux via the Wine sidecar service (`ru.winecsp.http`) built from `scripts/crypto/setup-wine-csp-service.sh` when customers supply the CSP installer. Windows CSP remains blocked until licensed runners are available.
+- **CN / SM**: Software-only SM2/SM3 provider (`cn.sm.soft`) backed by BouncyCastle; enable with `SM_SOFT_ALLOWED=1`. Hardware PKCS#11 tokens can be added later without changing feature code because hosts resolve via `ICryptoProviderRegistry`.
+- **FIPS / eIDAS**: Software allow-lists (`fips.ecdsa.soft`, `eu.eidas.soft`) enforce ES256/ES384 + SHA-2. They are labeled non-certified until a CMVP/QSCD module is supplied.
+- **KCMVP**: Hash-only baseline (`kr.kcmvp.hash`) keeps SHA-256 available when ARIA/SEED/KCDSA hardware is absent.
+- **PQ (Dilithium3/Falcon512)**: Software-only `pq.soft` provider using BouncyCastle PQC primitives; gated by `PQ_SOFT_ALLOWED=1`. Certified PQ hardware is not yet available.
+
 ## Interoperability Exceptions
 
 Certain operations must use SHA-256 regardless of compliance profile to maintain external compatibility: