refactor: inject TimeProvider/IGuidProvider across multiple modules - DET-006 to DET-010

DET-006 Provenance module: Skipped - already uses TimeProvider in production code

DET-007 ReachGraph module:
- PostgresReachGraphRepository: Added TimeProvider for fallback timestamp in StoreAsync

DET-008 Registry module:
- RegistryTokenIssuer: Added IGuidProvider for JWT ID (jti) generation
- Added StellaOps.Determinism.Abstractions project reference

DET-009 Replay module:
- ReplayEngine: Added TimeProvider for ExecutedAt timestamp
- ReplayResult.Failed: Added optional executedAt parameter for determinism
- ReplayManifestExporter: Added TimeProvider constructor, replaced DateTimeOffset.UtcNow
- FeedSnapshotCoordinatorService: Updated GenerateSnapshotId to use injected TimeProvider
- ExportMetadataInfo: Made ExportedAt required (callers must provide explicitly)
- PolicySimulationInputLock: Made GeneratedAt required (callers must provide explicitly)

DET-010 RiskEngine module: Skipped - no determinism issues found

All changes maintain backward compatibility through optional parameters with system defaults.

src/Registry/StellaOps.Registry.TokenService/RegistryTokenIssuer.cs

@@ -5,6 +5,7 @@ using System.Linq;
 using System.Security.Claims;
 using Microsoft.Extensions.Options;
 using Microsoft.IdentityModel.Tokens;
+using StellaOps.Determinism;
 using StellaOps.Registry.TokenService.Observability;
 using StellaOps.Registry.TokenService.Security;
 
@@ -18,12 +19,14 @@ public sealed class RegistryTokenIssuer
     private readonly SigningCredentials _signingCredentials;
     private readonly JwtSecurityTokenHandler _tokenHandler = new();
     private readonly TimeProvider _timeProvider;
+    private readonly IGuidProvider _guidProvider;
 
     public RegistryTokenIssuer(
         IOptions<RegistryTokenServiceOptions> options,
         PlanRegistry planRegistry,
         RegistryTokenMetrics metrics,
-        TimeProvider timeProvider)
+        TimeProvider timeProvider,
+        IGuidProvider? guidProvider = null)
     {
         ArgumentNullException.ThrowIfNull(options);
         ArgumentNullException.ThrowIfNull(planRegistry);
@@ -34,6 +37,7 @@ public sealed class RegistryTokenIssuer
         _planRegistry = planRegistry;
         _metrics = metrics;
         _timeProvider = timeProvider;
+        _guidProvider = guidProvider ?? SystemGuidProvider.Instance;
         _signingCredentials = SigningKeyLoader.Load(_options.Signing);
     }
 
@@ -65,7 +69,7 @@ public sealed class RegistryTokenIssuer
             issuedAt: now.UtcDateTime)
         {
             { JwtRegisteredClaimNames.Sub, subject },
-            { JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString("n") },
+            { JwtRegisteredClaimNames.Jti, _guidProvider.NewGuid().ToString("n") },
             { "service", service },
             { "access", BuildAccessClaim(requests) }
         };

src/Registry/StellaOps.Registry.TokenService/StellaOps.Registry.TokenService.csproj

@@ -19,6 +19,7 @@
     <ProjectReference Include="../../AirGap/StellaOps.AirGap.Policy/StellaOps.AirGap.Policy/StellaOps.AirGap.Policy.csproj" />
     <ProjectReference Include="../../__Libraries/StellaOps.Configuration/StellaOps.Configuration.csproj" />
     <ProjectReference Include="../../__Libraries/StellaOps.DependencyInjection/StellaOps.DependencyInjection.csproj" />
+    <ProjectReference Include="../../__Libraries/StellaOps.Determinism.Abstractions/StellaOps.Determinism.Abstractions.csproj" />
     <ProjectReference Include="../../Telemetry/StellaOps.Telemetry.Core/StellaOps.Telemetry.Core/StellaOps.Telemetry.Core.csproj" />
   </ItemGroup>
 </Project>