Add post-quantum cryptography support with PqSoftCryptoProvider

- Implemented PqSoftCryptoProvider for software-only post-quantum algorithms (Dilithium3, Falcon512) using BouncyCastle.
- Added PqSoftProviderOptions and PqSoftKeyOptions for configuration.
- Created unit tests for Dilithium3 and Falcon512 signing and verification.
- Introduced EcdsaPolicyCryptoProvider for compliance profiles (FIPS/eIDAS) with explicit allow-lists.
- Added KcmvpHashOnlyProvider for KCMVP baseline compliance.
- Updated project files and dependencies for new libraries and testing frameworks.

ops/devops/findings-ledger/helm/Chart.yaml

@@ -0,0 +1,20 @@
+apiVersion: v2
+name: stellaops-findings-ledger
+version: 0.1.0
+appVersion: "2025.11.0"
+description: Findings Ledger service for StellaOps platform - event-sourced findings storage with Merkle anchoring.
+type: application
+keywords:
+  - findings
+  - ledger
+  - event-sourcing
+  - merkle
+  - attestation
+maintainers:
+  - name: StellaOps Team
+    email: platform@stellaops.io
+dependencies:
+  - name: postgresql
+    version: "14.x"
+    repository: https://charts.bitnami.com/bitnami
+    condition: postgresql.enabled

ops/devops/findings-ledger/helm/templates/_helpers.tpl

@@ -0,0 +1,80 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "findings-ledger.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+*/}}
+{{- define "findings-ledger.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "findings-ledger.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "findings-ledger.labels" -}}
+helm.sh/chart: {{ include "findings-ledger.chart" . }}
+{{ include "findings-ledger.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "findings-ledger.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "findings-ledger.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/component: ledger
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "findings-ledger.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "findings-ledger.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{/*
+Database connection string - from secret or constructed
+*/}}
+{{- define "findings-ledger.databaseConnectionString" -}}
+{{- if .Values.database.connectionStringSecret }}
+valueFrom:
+  secretKeyRef:
+    name: {{ .Values.database.connectionStringSecret }}
+    key: {{ .Values.database.connectionStringKey }}
+{{- else if .Values.postgresql.enabled }}
+value: "Host={{ .Release.Name }}-postgresql;Port=5432;Database={{ .Values.postgresql.auth.database }};Username={{ .Values.postgresql.auth.username }};Password=$(POSTGRES_PASSWORD);"
+{{- else }}
+valueFrom:
+  secretKeyRef:
+    name: {{ .Values.secrets.name }}
+    key: LEDGER__DB__CONNECTIONSTRING
+{{- end }}
+{{- end }}

ops/devops/findings-ledger/helm/templates/configmap.yaml

@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "findings-ledger.fullname" . }}-config
+  labels:
+    {{- include "findings-ledger.labels" . | nindent 4 }}
+data:
+  appsettings.json: |
+    {
+      "Logging": {
+        "LogLevel": {
+          "Default": "Information",
+          "Microsoft": "Warning",
+          "Microsoft.Hosting.Lifetime": "Information",
+          "StellaOps": "Information"
+        }
+      },
+      "AllowedHosts": "*"
+    }

ops/devops/findings-ledger/helm/templates/deployment.yaml

@@ -0,0 +1,122 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "findings-ledger.fullname" . }}
+  labels:
+    {{- include "findings-ledger.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+      {{- include "findings-ledger.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      annotations:
+        checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
+      labels:
+        {{- include "findings-ledger.selectorLabels" . | nindent 8 }}
+    spec:
+      serviceAccountName: {{ include "findings-ledger.serviceAccountName" . }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      containers:
+        - name: ledger
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          ports:
+            - name: http
+              containerPort: {{ .Values.service.port }}
+              protocol: TCP
+            {{- if .Values.observability.metricsEnabled }}
+            - name: metrics
+              containerPort: {{ .Values.service.metricsPort }}
+              protocol: TCP
+            {{- end }}
+          env:
+            - name: ASPNETCORE_URLS
+              value: "http://0.0.0.0:{{ .Values.service.port }}"
+            - name: ASPNETCORE_ENVIRONMENT
+              value: "Production"
+            # Database
+            - name: LEDGER__DB__CONNECTIONSTRING
+              {{- include "findings-ledger.databaseConnectionString" . | nindent 14 }}
+            # Observability
+            - name: LEDGER__OBSERVABILITY__ENABLED
+              value: {{ .Values.observability.enabled | quote }}
+            - name: LEDGER__OBSERVABILITY__OTLPENDPOINT
+              value: {{ .Values.observability.otlpEndpoint | quote }}
+            # Merkle anchoring
+            - name: LEDGER__MERKLE__ANCHORINTERVAL
+              value: {{ .Values.merkle.anchorInterval | quote }}
+            - name: LEDGER__MERKLE__EXTERNALIZE
+              value: {{ .Values.merkle.externalize | quote }}
+            # Attachments
+            - name: LEDGER__ATTACHMENTS__MAXSIZEBYTES
+              value: {{ .Values.attachments.maxSizeBytes | quote }}
+            - name: LEDGER__ATTACHMENTS__ALLOWEGRESS
+              value: {{ .Values.attachments.allowEgress | quote }}
+            - name: LEDGER__ATTACHMENTS__ENCRYPTIONKEY
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.secrets.name }}
+                  key: LEDGER__ATTACHMENTS__ENCRYPTIONKEY
+            # Authority
+            - name: LEDGER__AUTHORITY__BASEURL
+              value: {{ .Values.authority.baseUrl | quote }}
+            # Air-gap thresholds
+            - name: LEDGER__AIRGAP__ADVISORYSTALETHRESHOLD
+              value: {{ .Values.airgap.advisoryStaleThreshold | quote }}
+            - name: LEDGER__AIRGAP__VEXSTALETHRESHOLD
+              value: {{ .Values.airgap.vexStaleThreshold | quote }}
+            - name: LEDGER__AIRGAP__POLICYSTALETHRESHOLD
+              value: {{ .Values.airgap.policyStaleThreshold | quote }}
+            # Features
+            - name: LEDGER__FEATURES__ENABLEATTACHMENTS
+              value: {{ .Values.features.enableAttachments | quote }}
+            - name: LEDGER__FEATURES__ENABLEAUDITLOG
+              value: {{ .Values.features.enableAuditLog | quote }}
+            {{- with .Values.extraEnv }}
+            {{- toYaml . | nindent 12 }}
+            {{- end }}
+          {{- with .Values.extraEnvFrom }}
+          envFrom:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          readinessProbe:
+            httpGet:
+              path: {{ .Values.probes.readiness.path }}
+              port: http
+            initialDelaySeconds: {{ .Values.probes.readiness.initialDelaySeconds }}
+            periodSeconds: {{ .Values.probes.readiness.periodSeconds }}
+          livenessProbe:
+            httpGet:
+              path: {{ .Values.probes.liveness.path }}
+              port: http
+            initialDelaySeconds: {{ .Values.probes.liveness.initialDelaySeconds }}
+            periodSeconds: {{ .Values.probes.liveness.periodSeconds }}
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+          volumeMounts:
+            - name: tmp
+              mountPath: /tmp
+            - name: data
+              mountPath: /app/data
+      volumes:
+        - name: tmp
+          emptyDir: {}
+        - name: data
+          emptyDir: {}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}

ops/devops/findings-ledger/helm/templates/migration-job.yaml

@@ -0,0 +1,43 @@
+{{- if .Values.migrations.enabled }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ include "findings-ledger.fullname" . }}-migrations
+  labels:
+    {{- include "findings-ledger.labels" . | nindent 4 }}
+    app.kubernetes.io/component: migrations
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-weight": "-5"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+spec:
+  backoffLimit: 3
+  template:
+    metadata:
+      labels:
+        {{- include "findings-ledger.selectorLabels" . | nindent 8 }}
+        app.kubernetes.io/component: migrations
+    spec:
+      serviceAccountName: {{ include "findings-ledger.serviceAccountName" . }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      restartPolicy: Never
+      containers:
+        - name: migrations
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          image: "{{ .Values.migrations.image.repository }}:{{ .Values.migrations.image.tag }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          args:
+            - "--connection"
+            - "$(LEDGER__DB__CONNECTIONSTRING)"
+          env:
+            - name: LEDGER__DB__CONNECTIONSTRING
+              {{- include "findings-ledger.databaseConnectionString" . | nindent 14 }}
+          resources:
+            {{- toYaml .Values.migrations.resources | nindent 12 }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+{{- end }}

ops/devops/findings-ledger/helm/templates/service.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "findings-ledger.fullname" . }}
+  labels:
+    {{- include "findings-ledger.labels" . | nindent 4 }}
+spec:
+  type: {{ .Values.service.type }}
+  ports:
+    - port: {{ .Values.service.port }}
+      targetPort: http
+      protocol: TCP
+      name: http
+    {{- if .Values.observability.metricsEnabled }}
+    - port: {{ .Values.service.metricsPort }}
+      targetPort: metrics
+      protocol: TCP
+      name: metrics
+    {{- end }}
+  selector:
+    {{- include "findings-ledger.selectorLabels" . | nindent 4 }}

ops/devops/findings-ledger/helm/templates/serviceaccount.yaml

@@ -0,0 +1,12 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "findings-ledger.serviceAccountName" . }}
+  labels:
+    {{- include "findings-ledger.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}

ops/devops/findings-ledger/helm/values.yaml

@@ -0,0 +1,151 @@
+# Default values for stellaops-findings-ledger
+
+image:
+  repository: stellaops/findings-ledger
+  tag: "2025.11.0"
+  pullPolicy: IfNotPresent
+
+replicaCount: 1
+
+service:
+  type: ClusterIP
+  port: 8080
+  metricsPort: 9090
+
+# Database configuration
+database:
+  # External PostgreSQL connection (preferred for production)
+  # Set connectionStringSecret to use existing secret
+  connectionStringSecret: ""
+  connectionStringKey: "LEDGER__DB__CONNECTIONSTRING"
+  # Or provide connection details directly (not recommended for prod)
+  host: "postgres"
+  port: 5432
+  database: "findings_ledger"
+  username: "ledger"
+  # password via secret only
+
+# Built-in PostgreSQL (dev/testing only)
+postgresql:
+  enabled: false
+  auth:
+    username: ledger
+    database: findings_ledger
+
+# Secrets configuration
+secrets:
+  # Name of secret containing sensitive values
+  name: "findings-ledger-secrets"
+  # Expected keys in secret:
+  #   LEDGER__DB__CONNECTIONSTRING
+  #   LEDGER__ATTACHMENTS__ENCRYPTIONKEY
+  #   LEDGER__MERKLE__SIGNINGKEY (optional)
+
+# Observability
+observability:
+  enabled: true
+  otlpEndpoint: "http://otel-collector:4317"
+  metricsEnabled: true
+
+# Merkle anchoring
+merkle:
+  anchorInterval: "00:05:00"
+  externalize: false
+  # externalAnchorEndpoint: ""
+
+# Attachments
+attachments:
+  maxSizeBytes: 104857600  # 100MB
+  allowEgress: true
+  # encryptionKey via secret
+
+# Air-gap configuration
+airgap:
+  advisoryStaleThreshold: 604800   # 7 days
+  vexStaleThreshold: 604800        # 7 days
+  policyStaleThreshold: 86400      # 1 day
+
+# Authority integration
+authority:
+  baseUrl: "http://authority:8080"
+
+# Feature flags
+features:
+  enableAttachments: true
+  enableAuditLog: true
+
+# Resource limits
+resources:
+  requests:
+    cpu: "500m"
+    memory: "1Gi"
+  limits:
+    cpu: "2"
+    memory: "4Gi"
+
+# Probes
+probes:
+  readiness:
+    path: /health/ready
+    initialDelaySeconds: 10
+    periodSeconds: 10
+  liveness:
+    path: /health/live
+    initialDelaySeconds: 15
+    periodSeconds: 20
+
+# Pod configuration
+nodeSelector: {}
+tolerations: []
+affinity: {}
+
+# Extra environment variables
+extraEnv: []
+# - name: CUSTOM_VAR
+#   value: "value"
+
+extraEnvFrom: []
+# - secretRef:
+#     name: additional-secrets
+
+# Migration job
+migrations:
+  enabled: true
+  image:
+    repository: stellaops/findings-ledger-migrations
+    tag: "2025.11.0"
+  resources:
+    requests:
+      cpu: "100m"
+      memory: "256Mi"
+    limits:
+      cpu: "500m"
+      memory: "512Mi"
+
+# Service account
+serviceAccount:
+  create: true
+  name: ""
+  annotations: {}
+
+# Pod security context
+podSecurityContext:
+  runAsNonRoot: true
+  runAsUser: 1000
+  fsGroup: 1000
+
+# Container security context
+securityContext:
+  allowPrivilegeEscalation: false
+  readOnlyRootFilesystem: true
+  capabilities:
+    drop:
+      - ALL
+
+# Ingress (optional)
+ingress:
+  enabled: false
+  className: ""
+  annotations: {}
+  hosts: []
+  tls: []