docs re-org, audit fixes, build fixes

src/__Libraries/StellaOps.Cryptography.Kms/AwsKmsClient.cs

@@ -11,6 +11,7 @@ namespace StellaOps.Cryptography.Kms;
 public sealed class AwsKmsClient : IKmsClient, IDisposable
 {
     private readonly IAwsKmsFacade _facade;
+    private readonly TimeProvider _timeProvider;
     private readonly TimeSpan _metadataCacheDuration;
     private readonly TimeSpan _publicKeyCacheDuration;
 
@@ -18,11 +19,12 @@ public sealed class AwsKmsClient : IKmsClient, IDisposable
     private readonly ConcurrentDictionary<string, CachedPublicKey> _publicKeyCache = new(StringComparer.Ordinal);
     private bool _disposed;
 
-    public AwsKmsClient(IAwsKmsFacade facade, AwsKmsOptions options)
+    public AwsKmsClient(IAwsKmsFacade facade, AwsKmsOptions options, TimeProvider? timeProvider = null)
     {
         _facade = facade ?? throw new ArgumentNullException(nameof(facade));
         ArgumentNullException.ThrowIfNull(options);
 
+        _timeProvider = timeProvider ?? TimeProvider.System;
         _metadataCacheDuration = options.MetadataCacheDuration;
         _publicKeyCacheDuration = options.PublicKeyCacheDuration;
     }
@@ -156,7 +158,7 @@ public sealed class AwsKmsClient : IKmsClient, IDisposable
 
     private async Task<AwsKeyMetadata> GetCachedMetadataAsync(string keyId, CancellationToken cancellationToken)
     {
-        var now = DateTimeOffset.UtcNow;
+        var now = _timeProvider.GetUtcNow();
         if (_metadataCache.TryGetValue(keyId, out var cached) && cached.ExpiresAt > now)
         {
             return cached.Metadata;
@@ -170,7 +172,7 @@ public sealed class AwsKmsClient : IKmsClient, IDisposable
 
     private async Task<AwsPublicKeyMaterial> GetCachedPublicKeyAsync(string resource, CancellationToken cancellationToken)
     {
-        var now = DateTimeOffset.UtcNow;
+        var now = _timeProvider.GetUtcNow();
         if (_publicKeyCache.TryGetValue(resource, out var cached) && cached.ExpiresAt > now)
         {
             return cached.Material;