Add post-quantum cryptography support with PqSoftCryptoProvider

- Implemented PqSoftCryptoProvider for software-only post-quantum algorithms (Dilithium3, Falcon512) using BouncyCastle.
- Added PqSoftProviderOptions and PqSoftKeyOptions for configuration.
- Created unit tests for Dilithium3 and Falcon512 signing and verification.
- Introduced EcdsaPolicyCryptoProvider for compliance profiles (FIPS/eIDAS) with explicit allow-lists.
- Added KcmvpHashOnlyProvider for KCMVP baseline compliance.
- Updated project files and dependencies for new libraries and testing frameworks.

ops/devops/findings-ledger/helm/values.yaml

@@ -0,0 +1,151 @@
+# Default values for stellaops-findings-ledger
+
+image:
+  repository: stellaops/findings-ledger
+  tag: "2025.11.0"
+  pullPolicy: IfNotPresent
+
+replicaCount: 1
+
+service:
+  type: ClusterIP
+  port: 8080
+  metricsPort: 9090
+
+# Database configuration
+database:
+  # External PostgreSQL connection (preferred for production)
+  # Set connectionStringSecret to use existing secret
+  connectionStringSecret: ""
+  connectionStringKey: "LEDGER__DB__CONNECTIONSTRING"
+  # Or provide connection details directly (not recommended for prod)
+  host: "postgres"
+  port: 5432
+  database: "findings_ledger"
+  username: "ledger"
+  # password via secret only
+
+# Built-in PostgreSQL (dev/testing only)
+postgresql:
+  enabled: false
+  auth:
+    username: ledger
+    database: findings_ledger
+
+# Secrets configuration
+secrets:
+  # Name of secret containing sensitive values
+  name: "findings-ledger-secrets"
+  # Expected keys in secret:
+  #   LEDGER__DB__CONNECTIONSTRING
+  #   LEDGER__ATTACHMENTS__ENCRYPTIONKEY
+  #   LEDGER__MERKLE__SIGNINGKEY (optional)
+
+# Observability
+observability:
+  enabled: true
+  otlpEndpoint: "http://otel-collector:4317"
+  metricsEnabled: true
+
+# Merkle anchoring
+merkle:
+  anchorInterval: "00:05:00"
+  externalize: false
+  # externalAnchorEndpoint: ""
+
+# Attachments
+attachments:
+  maxSizeBytes: 104857600  # 100MB
+  allowEgress: true
+  # encryptionKey via secret
+
+# Air-gap configuration
+airgap:
+  advisoryStaleThreshold: 604800   # 7 days
+  vexStaleThreshold: 604800        # 7 days
+  policyStaleThreshold: 86400      # 1 day
+
+# Authority integration
+authority:
+  baseUrl: "http://authority:8080"
+
+# Feature flags
+features:
+  enableAttachments: true
+  enableAuditLog: true
+
+# Resource limits
+resources:
+  requests:
+    cpu: "500m"
+    memory: "1Gi"
+  limits:
+    cpu: "2"
+    memory: "4Gi"
+
+# Probes
+probes:
+  readiness:
+    path: /health/ready
+    initialDelaySeconds: 10
+    periodSeconds: 10
+  liveness:
+    path: /health/live
+    initialDelaySeconds: 15
+    periodSeconds: 20
+
+# Pod configuration
+nodeSelector: {}
+tolerations: []
+affinity: {}
+
+# Extra environment variables
+extraEnv: []
+# - name: CUSTOM_VAR
+#   value: "value"
+
+extraEnvFrom: []
+# - secretRef:
+#     name: additional-secrets
+
+# Migration job
+migrations:
+  enabled: true
+  image:
+    repository: stellaops/findings-ledger-migrations
+    tag: "2025.11.0"
+  resources:
+    requests:
+      cpu: "100m"
+      memory: "256Mi"
+    limits:
+      cpu: "500m"
+      memory: "512Mi"
+
+# Service account
+serviceAccount:
+  create: true
+  name: ""
+  annotations: {}
+
+# Pod security context
+podSecurityContext:
+  runAsNonRoot: true
+  runAsUser: 1000
+  fsGroup: 1000
+
+# Container security context
+securityContext:
+  allowPrivilegeEscalation: false
+  readOnlyRootFilesystem: true
+  capabilities:
+    drop:
+      - ALL
+
+# Ingress (optional)
+ingress:
+  enabled: false
+  className: ""
+  annotations: {}
+  hosts: []
+  tls: []