Add comprehensive security tests for OWASP A02, A05, A07, and A08 categories

- Implemented tests for Cryptographic Failures (A02) to ensure proper handling of sensitive data, secure algorithms, and key management.
- Added tests for Security Misconfiguration (A05) to validate production configurations, security headers, CORS settings, and feature management.
- Developed tests for Authentication Failures (A07) to enforce strong password policies, rate limiting, session management, and MFA support.
- Created tests for Software and Data Integrity Failures (A08) to verify artifact signatures, SBOM integrity, attestation chains, and feed updates.

src/Scheduler/__Libraries/StellaOps.Scheduler.Storage.Postgres/Repositories/FailureSignatureRepository.cs

@@ -344,6 +344,49 @@ public sealed class FailureSignatureRepository : RepositoryBase<SchedulerDataSou
         return await command.ExecuteNonQueryAsync(cancellationToken).ConfigureAwait(false);
     }
 
+    /// <inheritdoc />
+    public async Task<FailureSignatureEntity?> GetBestMatchAsync(
+        string tenantId,
+        FailureSignatureScopeType scopeType,
+        string scopeId,
+        string? toolchainHash = null,
+        CancellationToken cancellationToken = default)
+    {
+        // Query prioritizes:
+        // 1. Unresolved signatures (most actionable)
+        // 2. Higher confidence scores
+        // 3. More recent occurrences
+        // 4. Higher hit counts
+        // Optionally filters by toolchain hash for better precision
+        const string sql = """
+            SELECT * FROM scheduler.failure_signatures
+            WHERE tenant_id = @tenant_id
+              AND scope_type = @scope_type
+              AND scope_id = @scope_id
+              AND resolution_status != 'resolved'
+              AND (@toolchain_hash IS NULL OR toolchain_hash = @toolchain_hash)
+            ORDER BY
+              CASE WHEN resolution_status = 'unresolved' THEN 0 ELSE 1 END,
+              confidence_score DESC NULLS LAST,
+              last_seen_at DESC,
+              occurrence_count DESC
+            LIMIT 1
+            """;
+
+        return await QuerySingleOrDefaultAsync(
+            tenantId,
+            sql,
+            cmd =>
+            {
+                AddParameter(cmd, "tenant_id", tenantId);
+                AddParameter(cmd, "scope_type", scopeType.ToString().ToLowerInvariant());
+                AddParameter(cmd, "scope_id", scopeId);
+                AddParameter(cmd, "toolchain_hash", toolchainHash ?? (object)DBNull.Value);
+            },
+            MapSignature,
+            cancellationToken).ConfigureAwait(false);
+    }
+
     private void AddSignatureParameters(NpgsqlCommand command, FailureSignatureEntity signature)
     {
         AddParameter(command, "signature_id", signature.SignatureId == Guid.Empty ? Guid.NewGuid() : signature.SignatureId);

src/Scheduler/__Libraries/StellaOps.Scheduler.Storage.Postgres/Repositories/IFailureSignatureRepository.cs

@@ -109,4 +109,16 @@ public interface IFailureSignatureRepository
         string tenantId,
         TimeSpan olderThan,
         CancellationToken cancellationToken = default);
+
+    /// <summary>
+    /// Gets the best matching signature for a given scope.
+    /// Returns the highest confidence, most recent match.
+    /// Used by FirstSignal for LastKnownOutcome prediction.
+    /// </summary>
+    Task<FailureSignatureEntity?> GetBestMatchAsync(
+        string tenantId,
+        FailureSignatureScopeType scopeType,
+        string scopeId,
+        string? toolchainHash = null,
+        CancellationToken cancellationToken = default);
 }