audit work, fixed StellaOps.sln warnings/errors, fixed tests, sprints work, new advisories

src/Attestor/__Libraries/StellaOps.Attestor.Bundling/Signing/KmsOrgKeySigner.cs

@@ -23,6 +23,7 @@ public sealed class KmsOrgKeySigner : IOrgKeySigner
     private readonly IKmsProvider _kmsProvider;
     private readonly ILogger<KmsOrgKeySigner> _logger;
     private readonly OrgSigningOptions _options;
+    private readonly TimeProvider _timeProvider;
 
     /// <summary>
     /// Create a new KMS organization key signer.
@@ -30,11 +31,13 @@ public sealed class KmsOrgKeySigner : IOrgKeySigner
     public KmsOrgKeySigner(
         IKmsProvider kmsProvider,
         ILogger<KmsOrgKeySigner> logger,
-        IOptions<OrgSigningOptions> options)
+        IOptions<OrgSigningOptions> options,
+        TimeProvider? timeProvider = null)
     {
         _kmsProvider = kmsProvider ?? throw new ArgumentNullException(nameof(kmsProvider));
         _logger = logger ?? throw new ArgumentNullException(nameof(logger));
         _options = options?.Value ?? new OrgSigningOptions();
+        _timeProvider = timeProvider ?? TimeProvider.System;
     }
 
     /// <inheritdoc />
@@ -62,7 +65,7 @@ public sealed class KmsOrgKeySigner : IOrgKeySigner
         }
 
         // Check key expiry
-        if (keyInfo.ValidUntil.HasValue && keyInfo.ValidUntil.Value < DateTimeOffset.UtcNow)
+        if (keyInfo.ValidUntil.HasValue && keyInfo.ValidUntil.Value < _timeProvider.GetUtcNow())
         {
             throw new InvalidOperationException($"Signing key '{keyId}' has expired.");
         }
@@ -87,7 +90,7 @@ public sealed class KmsOrgKeySigner : IOrgKeySigner
             KeyId = keyId,
             Algorithm = keyInfo.Algorithm,
             Signature = Convert.ToBase64String(signatureBytes),
-            SignedAt = DateTimeOffset.UtcNow,
+            SignedAt = _timeProvider.GetUtcNow(),
             CertificateChain = certChain
         };
     }
@@ -140,9 +143,10 @@ public sealed class KmsOrgKeySigner : IOrgKeySigner
 
         // List keys and find the active one based on rotation policy
         var keys = await ListKeysAsync(cancellationToken);
+        var now = _timeProvider.GetUtcNow();
         var activeKey = keys
             .Where(k => k.IsActive)
-            .Where(k => !k.ValidUntil.HasValue || k.ValidUntil.Value > DateTimeOffset.UtcNow)
+            .Where(k => !k.ValidUntil.HasValue || k.ValidUntil.Value > now)
             .OrderByDescending(k => k.ValidFrom)
             .FirstOrDefault();
 
@@ -253,14 +257,16 @@ public sealed class LocalOrgKeySigner : IOrgKeySigner
 {
     private readonly Dictionary<string, (ECDsa Key, OrgKeyInfo Info)> _keys = new();
     private readonly ILogger<LocalOrgKeySigner> _logger;
+    private readonly TimeProvider _timeProvider;
     private string? _activeKeyId;
 
     /// <summary>
     /// Create a new local key signer.
     /// </summary>
-    public LocalOrgKeySigner(ILogger<LocalOrgKeySigner> logger)
+    public LocalOrgKeySigner(ILogger<LocalOrgKeySigner> logger, TimeProvider? timeProvider = null)
     {
         _logger = logger ?? throw new ArgumentNullException(nameof(logger));
+        _timeProvider = timeProvider ?? TimeProvider.System;
     }
 
     /// <summary>
@@ -276,7 +282,7 @@ public sealed class LocalOrgKeySigner : IOrgKeySigner
             keyId,
             "ECDSA_P256",
             fingerprint,
-            DateTimeOffset.UtcNow,
+            _timeProvider.GetUtcNow(),
             null,
             isActive);
 
@@ -308,7 +314,7 @@ public sealed class LocalOrgKeySigner : IOrgKeySigner
             KeyId = keyId,
             Algorithm = "ECDSA_P256",
             Signature = Convert.ToBase64String(signature),
-            SignedAt = DateTimeOffset.UtcNow,
+            SignedAt = _timeProvider.GetUtcNow(),
             CertificateChain = null
         });
     }

src/Attestor/__Libraries/StellaOps.Attestor.Oci/Services/OrasAttestationAttacher.cs

@@ -4,6 +4,7 @@
 // Task: Implement OCI registry attachment via ORAS
 // -----------------------------------------------------------------------------
 
+using System.Globalization;
 using System.Security.Cryptography;
 using System.Text.Json;
 using Microsoft.Extensions.Logging;
@@ -327,7 +328,7 @@ public sealed class OrasAttestationAttacher : IOciAttestationAttacher
     {
         var annotations = new Dictionary<string, string>(StringComparer.Ordinal)
         {
-            [AnnotationKeys.Created] = createdAt.ToString("O"),
+            [AnnotationKeys.Created] = createdAt.ToString("O", CultureInfo.InvariantCulture),
             [AnnotationKeys.PredicateType] = predicateType,
             [AnnotationKeys.CosignSignature] = "" // Cosign compatibility placeholder
         };

src/Attestor/__Libraries/StellaOps.Attestor.TrustVerdict.Tests/StellaOps.Attestor.TrustVerdict.Tests.csproj

@@ -12,7 +12,6 @@
 
   <ItemGroup>
     <PackageReference Include="coverlet.collector" />
-        <PackageReference Include="xunit.runner.visualstudio" />
     <PackageReference Include="Microsoft.Extensions.TimeProvider.Testing" />
     <PackageReference Include="Moq" />
     <PackageReference Include="FluentAssertions" />