Add post-quantum cryptography support with PqSoftCryptoProvider

- Implemented PqSoftCryptoProvider for software-only post-quantum algorithms (Dilithium3, Falcon512) using BouncyCastle.
- Added PqSoftProviderOptions and PqSoftKeyOptions for configuration.
- Created unit tests for Dilithium3 and Falcon512 signing and verification.
- Introduced EcdsaPolicyCryptoProvider for compliance profiles (FIPS/eIDAS) with explicit allow-lists.
- Added KcmvpHashOnlyProvider for KCMVP baseline compliance.
- Updated project files and dependencies for new libraries and testing frameworks.

ops/devops/findings-ledger/helm/templates/deployment.yaml

@@ -0,0 +1,122 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "findings-ledger.fullname" . }}
+  labels:
+    {{- include "findings-ledger.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+      {{- include "findings-ledger.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      annotations:
+        checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
+      labels:
+        {{- include "findings-ledger.selectorLabels" . | nindent 8 }}
+    spec:
+      serviceAccountName: {{ include "findings-ledger.serviceAccountName" . }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      containers:
+        - name: ledger
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          ports:
+            - name: http
+              containerPort: {{ .Values.service.port }}
+              protocol: TCP
+            {{- if .Values.observability.metricsEnabled }}
+            - name: metrics
+              containerPort: {{ .Values.service.metricsPort }}
+              protocol: TCP
+            {{- end }}
+          env:
+            - name: ASPNETCORE_URLS
+              value: "http://0.0.0.0:{{ .Values.service.port }}"
+            - name: ASPNETCORE_ENVIRONMENT
+              value: "Production"
+            # Database
+            - name: LEDGER__DB__CONNECTIONSTRING
+              {{- include "findings-ledger.databaseConnectionString" . | nindent 14 }}
+            # Observability
+            - name: LEDGER__OBSERVABILITY__ENABLED
+              value: {{ .Values.observability.enabled | quote }}
+            - name: LEDGER__OBSERVABILITY__OTLPENDPOINT
+              value: {{ .Values.observability.otlpEndpoint | quote }}
+            # Merkle anchoring
+            - name: LEDGER__MERKLE__ANCHORINTERVAL
+              value: {{ .Values.merkle.anchorInterval | quote }}
+            - name: LEDGER__MERKLE__EXTERNALIZE
+              value: {{ .Values.merkle.externalize | quote }}
+            # Attachments
+            - name: LEDGER__ATTACHMENTS__MAXSIZEBYTES
+              value: {{ .Values.attachments.maxSizeBytes | quote }}
+            - name: LEDGER__ATTACHMENTS__ALLOWEGRESS
+              value: {{ .Values.attachments.allowEgress | quote }}
+            - name: LEDGER__ATTACHMENTS__ENCRYPTIONKEY
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.secrets.name }}
+                  key: LEDGER__ATTACHMENTS__ENCRYPTIONKEY
+            # Authority
+            - name: LEDGER__AUTHORITY__BASEURL
+              value: {{ .Values.authority.baseUrl | quote }}
+            # Air-gap thresholds
+            - name: LEDGER__AIRGAP__ADVISORYSTALETHRESHOLD
+              value: {{ .Values.airgap.advisoryStaleThreshold | quote }}
+            - name: LEDGER__AIRGAP__VEXSTALETHRESHOLD
+              value: {{ .Values.airgap.vexStaleThreshold | quote }}
+            - name: LEDGER__AIRGAP__POLICYSTALETHRESHOLD
+              value: {{ .Values.airgap.policyStaleThreshold | quote }}
+            # Features
+            - name: LEDGER__FEATURES__ENABLEATTACHMENTS
+              value: {{ .Values.features.enableAttachments | quote }}
+            - name: LEDGER__FEATURES__ENABLEAUDITLOG
+              value: {{ .Values.features.enableAuditLog | quote }}
+            {{- with .Values.extraEnv }}
+            {{- toYaml . | nindent 12 }}
+            {{- end }}
+          {{- with .Values.extraEnvFrom }}
+          envFrom:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          readinessProbe:
+            httpGet:
+              path: {{ .Values.probes.readiness.path }}
+              port: http
+            initialDelaySeconds: {{ .Values.probes.readiness.initialDelaySeconds }}
+            periodSeconds: {{ .Values.probes.readiness.periodSeconds }}
+          livenessProbe:
+            httpGet:
+              path: {{ .Values.probes.liveness.path }}
+              port: http
+            initialDelaySeconds: {{ .Values.probes.liveness.initialDelaySeconds }}
+            periodSeconds: {{ .Values.probes.liveness.periodSeconds }}
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+          volumeMounts:
+            - name: tmp
+              mountPath: /tmp
+            - name: data
+              mountPath: /app/data
+      volumes:
+        - name: tmp
+          emptyDir: {}
+        - name: data
+          emptyDir: {}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}