Add PHP Analyzer Plugin and Composer Lock Data Handling

- Implemented the PhpAnalyzerPlugin to analyze PHP projects.
- Created ComposerLockData class to represent data from composer.lock files.
- Developed ComposerLockReader to load and parse composer.lock files asynchronously.
- Introduced ComposerPackage class to encapsulate package details.
- Added PhpPackage class to represent PHP packages with metadata and evidence.
- Implemented PhpPackageCollector to gather packages from ComposerLockData.
- Created PhpLanguageAnalyzer to perform analysis and emit results.
- Added capability signals for known PHP frameworks and CMS.
- Developed unit tests for the PHP language analyzer and its components.
- Included sample composer.lock and expected output for testing.
- Updated project files for the new PHP analyzer library and tests.

docs/modules/sbomservice/fixtures/lnm-v1/README.md

@@ -0,0 +1,21 @@
+# Link-Not-Merge v1 Fixtures
+
+Status: Awaiting drop (2025-11-22)
+
+Expected contents (all JSON, canonicalized, UTF-8):
+- `projections.json` — canonical SBOM projection payloads keyed by snapshot ID.
+- `assets.json` — asset metadata overlays (tenant-scoped, append-only).
+- `paths.json` — ordered dependency paths with runtime flags and blast-radius hints.
+- `events.json` — `sbom.version.created` envelopes aligned to CAS/provenance fields.
+- `schema-version.txt` — git SHA / semantic version of the frozen projection schema.
+- `SHA256SUMS` — checksums for all files above.
+
+Drop instructions:
+- Place files in this directory and update `SHA256SUMS` via `sha256sum *.json *.txt > SHA256SUMS`.
+- Keep ordering stable; prefer NDJSON converted to JSON arrays only if deterministic sorting is applied.
+- Record drop commit in sprint 0140/0142 Execution Logs and link here.
+
+Consumers:
+- SBOM-SERVICE-21-001..004 implementation and tests.
+- Advisory AI and Console replay suites.
+- AirGap parity review (`docs/modules/sbomservice/runbooks/airgap-parity-review.md`).