Add post-quantum cryptography support with PqSoftCryptoProvider

- Implemented PqSoftCryptoProvider for software-only post-quantum algorithms (Dilithium3, Falcon512) using BouncyCastle.
- Added PqSoftProviderOptions and PqSoftKeyOptions for configuration.
- Created unit tests for Dilithium3 and Falcon512 signing and verification.
- Introduced EcdsaPolicyCryptoProvider for compliance profiles (FIPS/eIDAS) with explicit allow-lists.
- Added KcmvpHashOnlyProvider for KCMVP baseline compliance.
- Updated project files and dependencies for new libraries and testing frameworks.

ops/devops/findings-ledger/compose/docker-compose.ledger.yaml

@@ -0,0 +1,64 @@
+# Findings Ledger Docker Compose overlay
+# Append to or reference from your main compose file
+#
+# Usage:
+#   docker compose -f docker-compose.yaml -f ops/devops/findings-ledger/compose/docker-compose.ledger.yaml up -d
+
+services:
+  findings-ledger:
+    image: stellaops/findings-ledger:${STELLA_VERSION:-2025.11.0}
+    restart: unless-stopped
+    env_file:
+      - ./env/ledger.${STELLAOPS_ENV:-dev}.env
+    environment:
+      ASPNETCORE_URLS: http://0.0.0.0:8080
+      ASPNETCORE_ENVIRONMENT: ${ASPNETCORE_ENVIRONMENT:-Production}
+      # Database connection (override via env file or secrets)
+      # LEDGER__DB__CONNECTIONSTRING: see secrets
+      # Observability
+      LEDGER__OBSERVABILITY__ENABLED: "true"
+      LEDGER__OBSERVABILITY__OTLPENDPOINT: ${OTEL_EXPORTER_OTLP_ENDPOINT:-http://otel-collector:4317}
+      # Merkle anchoring
+      LEDGER__MERKLE__ANCHORINTERVAL: "00:05:00"
+      LEDGER__MERKLE__EXTERNALIZE: ${LEDGER_MERKLE_EXTERNALIZE:-false}
+      # Attachments
+      LEDGER__ATTACHMENTS__MAXSIZEBYTES: "104857600"  # 100MB
+      LEDGER__ATTACHMENTS__ALLOWEGRESS: ${LEDGER_ATTACHMENTS_ALLOWEGRESS:-true}
+    ports:
+      - "${LEDGER_PORT:-8188}:8080"
+    depends_on:
+      postgres:
+        condition: service_healthy
+    healthcheck:
+      test: ["CMD", "curl", "-sf", "http://localhost:8080/health/ready"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 15s
+    volumes:
+      - ledger-data:/app/data
+      - ./etc/ledger/appsettings.json:/app/appsettings.json:ro
+    networks:
+      - stellaops
+
+  # Migration job (run before starting ledger)
+  findings-ledger-migrations:
+    image: stellaops/findings-ledger-migrations:${STELLA_VERSION:-2025.11.0}
+    command: ["--connection", "${LEDGER__DB__CONNECTIONSTRING}"]
+    env_file:
+      - ./env/ledger.${STELLAOPS_ENV:-dev}.env
+    depends_on:
+      postgres:
+        condition: service_healthy
+    networks:
+      - stellaops
+    profiles:
+      - migrations
+
+volumes:
+  ledger-data:
+    driver: local
+
+networks:
+  stellaops:
+    external: true

ops/devops/findings-ledger/compose/env/ledger.dev.env

@@ -0,0 +1,24 @@
+# Findings Ledger - Development Environment
+# Copy to ledger.local.env and customize for local dev
+
+# Database connection
+LEDGER__DB__CONNECTIONSTRING=Host=postgres;Port=5432;Database=findings_ledger_dev;Username=ledger;Password=change_me_dev;
+
+# Attachment encryption key (AES-256, base64 encoded)
+# Generate with: openssl rand -base64 32
+LEDGER__ATTACHMENTS__ENCRYPTIONKEY=
+
+# Merkle anchor signing (optional in dev)
+LEDGER__MERKLE__SIGNINGKEY=
+
+# Authority service endpoint (for JWT validation)
+LEDGER__AUTHORITY__BASEURL=http://authority:8080
+
+# Logging level
+Logging__LogLevel__Default=Debug
+Logging__LogLevel__Microsoft=Information
+Logging__LogLevel__StellaOps=Debug
+
+# Feature flags
+LEDGER__FEATURES__ENABLEATTACHMENTS=true
+LEDGER__FEATURES__ENABLEAUDITLOG=true

ops/devops/findings-ledger/compose/env/ledger.prod.env

@@ -0,0 +1,40 @@
+# Findings Ledger - Production Environment
+# Secrets should be injected from secrets manager, not committed
+
+# Database connection (inject from secrets manager)
+# LEDGER__DB__CONNECTIONSTRING=
+
+# Attachment encryption key (inject from secrets manager)
+# LEDGER__ATTACHMENTS__ENCRYPTIONKEY=
+
+# Merkle anchor signing (inject from secrets manager)
+# LEDGER__MERKLE__SIGNINGKEY=
+
+# Authority service endpoint
+LEDGER__AUTHORITY__BASEURL=http://authority:8080
+
+# Logging level
+Logging__LogLevel__Default=Warning
+Logging__LogLevel__Microsoft=Warning
+Logging__LogLevel__StellaOps=Information
+
+# Feature flags
+LEDGER__FEATURES__ENABLEATTACHMENTS=true
+LEDGER__FEATURES__ENABLEAUDITLOG=true
+
+# Observability
+LEDGER__OBSERVABILITY__ENABLED=true
+LEDGER__OBSERVABILITY__METRICSPORT=9090
+
+# Merkle anchoring
+LEDGER__MERKLE__ANCHORINTERVAL=00:05:00
+LEDGER__MERKLE__EXTERNALIZE=false
+
+# Attachments
+LEDGER__ATTACHMENTS__MAXSIZEBYTES=104857600
+LEDGER__ATTACHMENTS__ALLOWEGRESS=false
+
+# Air-gap staleness thresholds (seconds)
+LEDGER__AIRGAP__ADVISORYSTALETHRESHOLD=604800
+LEDGER__AIRGAP__VEXSTALETHRESHOLD=604800
+LEDGER__AIRGAP__POLICYSTALETHRESHOLD=86400