security: add comprehensive cryptographic requirements

Add post-quantum cryptographic standards to META.scm and SECURITY.md:

META.scm:
- Document password hashing: Argon2id (512 MiB, 8 iter, 4 lanes)
- Document PQ signatures: Dilithium5-AES (ML-DSA-87, FIPS 204)
- Document PQ key exchange: Kyber-1024 + SHAKE256-KDF
- Document all crypto algorithms with NIST/FIPS standards
- Add formal verification requirement for crypto primitives
- Terminate deprecated algorithms: Ed25519, SHA-1, HTTP/1.1, IPv4

SECURITY.md:
- Replace template with complete security policy
- Add Cryptographic Requirements section with detailed specs
- Document formal verification requirements (Idris2/Coq)
- Add contact information (jonathan.jewell@open.ac.uk)
- Specify protocol stack: QUIC + HTTP/3 + IPv6 only
- List terminated algorithms as security requirements

Implements user security requirements for proactive security stance
with belt-and-suspenders approach (hybrid classical+PQ with SPHINCS+ fallback).

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Author: Jonathan D.A. Jewell

META.scm

@@ -56,7 +56,21 @@
     (security
       (constraint-validation "All neural tokens must pass Anti-Crash")
       (no-eval "Never use dynamic code execution")
-      (type-safety "ReScript strict mode enforced"))
+      (type-safety "ReScript strict mode enforced")
+
+      ;; Cryptographic Requirements (for future auth/crypto features)
+      (password-hashing "Argon2id (512 MiB, 8 iter, 4 lanes) - max resistance to GPU/ASIC attacks")
+      (general-hashing "SHAKE3-512 (512-bit output, FIPS 202) - post-quantum for provenance/key derivation")
+      (pq-signatures "Dilithium5-AES hybrid (ML-DSA-87, FIPS 204) with SPHINCS+ backup")
+      (pq-key-exchange "Kyber-1024 + SHAKE256-KDF (ML-KEM-1024, FIPS 203)")
+      (classical-sigs "Ed448 + Dilithium5 hybrid - TERMINATE Ed25519/SHA-1 immediately")
+      (symmetric "XChaCha20-Poly1305 (256-bit key) - larger nonce space for quantum margin")
+      (key-derivation "HKDF-SHAKE512 (FIPS 202) - post-quantum KDF for all secret material")
+      (rng "ChaCha20-DRBG (512-bit seed, SP 800-90Ar1) - CSPRNG for high-entropy needs")
+      (database-hashing "BLAKE3 (512-bit) + SHAKE3-512 - speed + long-term storage")
+      (formal-verification "Idris2/Coq for crypto primitives - proactive attestation required")
+      (protocol-stack "QUIC + HTTP/3 + IPv6 ONLY - terminate HTTP/1.1, IPv4, SHA-1")
+      (fallback "SPHINCS+ as conservative PQ backup for all hybrid systems"))
 
     (testing
       (unit "rescript-test for pure functions")