Commit 6abc898
feat: Add hybrid X25519 + ML-KEM-768 post-quantum KEM

Implements combined X25519 + ML-KEM-768 key encapsulation following
NIST/CNSA 2.0 hybrid recommendations. Both classical and post-quantum
components must be compromised to break the shared secret.

Protocol:
  Combined PK: X25519_pk(32) || ML-KEM_pk(1184) = 1216 bytes
  Decaps input: X25519_eph_pk(32) || ML-KEM_ct(1088) = 1120 bytes
  Combined SS: SHA256(X25519_ss || ML-KEM_ss) = 32 bytes

New operations (slot 134 = RESERVED_KEY_HYBRID_PQ):
- okcrypto_hybrid_keygen: generates both keypairs, persists to flash
- okcrypto_hybrid_decaps: X25519 ECDH + ML-KEM decaps + SHA256 combine
- okcrypto_hybrid_getpubkey: returns combined 1216-byte public key

Storage:
- Both keys share flash sectors 10-11 with standalone ML-KEM
- Features byte (offset 352 in sector 11) distinguishes key type:
  KEYTYPE_MLKEM768(5) vs KEYTYPE_HYBRID_PQ(6)
- X25519 SK (32 bytes) stored AES-GCM encrypted at sector 11 offset 353

Buffer sizes bumped to 1120 (from 1088) for hybrid payload.

Test suite expanded to 16 tests:
- 8 ML-KEM-768 standalone tests
- 6 hybrid tests (combiner, wrong-component rejection, full flow)
- 2 performance/stress tests

1 parent bd14636 commit 6abc898
5 files changed
Lines changed: 579 additions & 363 deletions
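
The byte layouts and the SHA256 combiner listed under "Protocol" in the commit message, as an added host-side Python example (not code from this commit or the project). The function names are hypothetical, the sample bytes are constructed, and the 32-byte length of each component secret is an assumption taken from the X25519 and ML-KEM-768 specifications rather than from the page.

```python
import hashlib

# Sizes as stated in the commit message.
X25519_PK_LEN, MLKEM_PK_LEN, MLKEM_CT_LEN = 32, 1184, 1088
COMBINED_PK_LEN = X25519_PK_LEN + MLKEM_PK_LEN    # 1216
DECAPS_INPUT_LEN = X25519_PK_LEN + MLKEM_CT_LEN   # 1120
SS_LEN = 32  # assumption from the X25519 / ML-KEM-768 specs, not from the page


def _split(blob, total, what):
    """Split a fixed-size blob after its 32-byte X25519 part; reject other sizes."""
    if len(blob) != total:
        raise ValueError(f"{what}: expected {total} bytes, got {len(blob)}")
    return blob[:X25519_PK_LEN], blob[X25519_PK_LEN:]


def split_combined_pk(blob):
    """X25519_pk(32) || ML-KEM_pk(1184)"""
    return _split(blob, COMBINED_PK_LEN, "combined public key")


def split_decaps_input(blob):
    """X25519_eph_pk(32) || ML-KEM_ct(1088)"""
    return _split(blob, DECAPS_INPUT_LEN, "decaps input")


def combine_shared_secrets(x25519_ss, mlkem_ss):
    """SHA256(X25519_ss || ML-KEM_ss). The bare concatenation is unambiguous
    only because both inputs have a fixed length, so enforce it."""
    if len(x25519_ss) != SS_LEN or len(mlkem_ss) != SS_LEN:
        raise ValueError("component shared secrets must be 32 bytes each")
    return hashlib.sha256(x25519_ss + mlkem_ss).digest()


if __name__ == "__main__":
    # Constructed sample bytes, not real key material.
    pk = bytes(range(32)) + b"\xaa" * MLKEM_PK_LEN
    x_pk, kem_pk = split_combined_pk(pk)
    print(len(x_pk), len(kem_pk))
    ss = combine_shared_secrets(b"\x01" * 32, b"\x02" * 32)
    # A wrong value in either component yields a different combined secret.
    assert ss != combine_shared_secrets(b"\x00" * 32, b"\x02" * 32)
    assert ss != combine_shared_secrets(b"\x01" * 32, b"\x00" * 32)
    print(ss.hex())
```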