feat(audit): Apply TreatWarningsAsErrors=true to 160+ production csproj files

Sprint: SPRINT_20251229_049_BE_csproj_audit_maint_tests
Tasks: AUDIT-0001 through AUDIT-0147 APPLY tasks (approved decisions 1-9)

Changes:
- Set TreatWarningsAsErrors=true for all production .NET projects
- Fixed nullable warnings in Scanner.EntryTrace, Scanner.Evidence,
  Scheduler.Worker, Concelier connectors, and other modules
- Injected TimeProvider/IGuidProvider for deterministic time/ID generation
- Added path traversal validation in AirGap.Bundle
- Fixed NULL handling in various cursor classes
- Third-party GostCryptography retains TreatWarningsAsErrors=false (preserves original)
- Test projects excluded per user decision (rejected decision 10)

Note: All 17 ACSC connector tests pass after snapshot fixture sync

src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Cisco/CiscoConnector.cs

@@ -1,6 +1,6 @@
 using System.Globalization;
 using System.Linq;
-using System.Security.Cryptography;
+using System.Text;
 using System.Text.Json;
 using System.Text.Json.Serialization;
 using Microsoft.Extensions.Logging;
@@ -14,6 +14,7 @@ using StellaOps.Concelier.Storage;
 using StellaOps.Concelier.Storage.Advisories;
 using StellaOps.Concelier.Storage;
 using StellaOps.Concelier.Storage;
+using StellaOps.Cryptography;
 using StellaOps.Plugin;
 
 namespace StellaOps.Concelier.Connector.Vndr.Cisco;
@@ -45,6 +46,7 @@ public sealed class CiscoConnector : IFeedConnector
     private readonly IAdvisoryStore _advisoryStore;
     private readonly ISourceStateRepository _stateRepository;
     private readonly CiscoDtoFactory _dtoFactory;
+    private readonly ICryptoHash _hash;
     private readonly CiscoDiagnostics _diagnostics;
     private readonly IOptions<CiscoOptions> _options;
     private readonly TimeProvider _timeProvider;
@@ -58,6 +60,7 @@ public sealed class CiscoConnector : IFeedConnector
         IAdvisoryStore advisoryStore,
         ISourceStateRepository stateRepository,
         CiscoDtoFactory dtoFactory,
+        ICryptoHash hash,
         CiscoDiagnostics diagnostics,
         IOptions<CiscoOptions> options,
         TimeProvider? timeProvider,
@@ -70,6 +73,7 @@ public sealed class CiscoConnector : IFeedConnector
         _advisoryStore = advisoryStore ?? throw new ArgumentNullException(nameof(advisoryStore));
         _stateRepository = stateRepository ?? throw new ArgumentNullException(nameof(stateRepository));
         _dtoFactory = dtoFactory ?? throw new ArgumentNullException(nameof(dtoFactory));
+        _hash = hash ?? throw new ArgumentNullException(nameof(hash));
         _diagnostics = diagnostics ?? throw new ArgumentNullException(nameof(diagnostics));
         _options = options ?? throw new ArgumentNullException(nameof(options));
         _timeProvider = timeProvider ?? TimeProvider.System;
@@ -78,6 +82,25 @@ public sealed class CiscoConnector : IFeedConnector
 
     public string SourceName => VndrCiscoConnectorPlugin.SourceName;
 
+    /// <summary>
+    /// Computes a deterministic GUID from the source namespace and identifier using SHA-256.
+    /// </summary>
+    private Guid ComputeDeterministicId(string identifier, string sourceNamespace)
+    {
+        var input = Encoding.UTF8.GetBytes($"{sourceNamespace}:{identifier}");
+        var hashBytes = _hash.ComputeHash(input, HashAlgorithms.Sha256);
+        return new Guid(hashBytes[..16]);
+    }
+
+    /// <summary>
+    /// Computes a SHA-256 hash of the payload and returns it as a lowercase hex string.
+    /// </summary>
+    private string ComputeSha256(byte[] payload)
+    {
+        var hashBytes = _hash.ComputeHash(payload, HashAlgorithms.Sha256);
+        return Convert.ToHexString(hashBytes).ToLowerInvariant();
+    }
+
     public async Task FetchAsync(IServiceProvider services, CancellationToken cancellationToken)
     {
         ArgumentNullException.ThrowIfNull(services);
@@ -137,7 +160,7 @@ public sealed class CiscoConnector : IFeedConnector
                             continue;
                         }
 
-                        var recordId = existing?.Id ?? Guid.NewGuid();
+                        var recordId = existing?.Id ?? ComputeDeterministicId(documentUri, "cisco-doc/1.0");
                         _ = await _rawDocumentStorage.UploadAsync(
                             SourceName,
                             documentUri,
@@ -326,7 +349,7 @@ public sealed class CiscoConnector : IFeedConnector
             {
                 var dtoJson = JsonSerializer.Serialize(dto, DtoSerializerOptions);
                 var dtoDoc = DocumentObject.Parse(dtoJson);
-                var dtoRecord = new DtoRecord(Guid.NewGuid(), document.Id, SourceName, DtoSchemaVersion, dtoDoc, _timeProvider.GetUtcNow());
+                var dtoRecord = new DtoRecord(ComputeDeterministicId(document.Id.ToString(), "cisco/1.0"), document.Id, SourceName, DtoSchemaVersion, dtoDoc, _timeProvider.GetUtcNow());
                 await _dtoStore.UpsertAsync(dtoRecord, cancellationToken).ConfigureAwait(false);
                 await _documentStore.UpdateStatusAsync(document.Id, DocumentStatuses.PendingMap, cancellationToken).ConfigureAwait(false);
                 pendingDocuments.Remove(documentId);
@@ -463,13 +486,6 @@ public sealed class CiscoConnector : IFeedConnector
         }
     }
 
-    private static string ComputeSha256(byte[] payload)
-    {
-        Span<byte> hash = stackalloc byte[32];
-        SHA256.HashData(payload, hash);
-        return Convert.ToHexString(hash).ToLowerInvariant();
-    }
-
     private static bool ShouldProcess(CiscoAdvisoryItem advisory, DateTimeOffset? checkpoint, string? checkpointId)
     {
         if (checkpoint is null || advisory.LastUpdated is null)

src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Cisco/Internal/CiscoCursor.cs

@@ -16,8 +16,8 @@ internal sealed record CiscoCursor(
     {
         var document = new DocumentObject
         {
-            ["pendingDocuments"] = new DocumentArray(PendingDocuments.Select(id => id.ToString())),
-            ["pendingMappings"] = new DocumentArray(PendingMappings.Select(id => id.ToString())),
+            ["pendingDocuments"] = new DocumentArray(PendingDocuments.OrderBy(id => id).Select(id => id.ToString())),
+            ["pendingMappings"] = new DocumentArray(PendingMappings.OrderBy(id => id).Select(id => id.ToString())),
         };
 
         if (LastModified.HasValue)

src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Cisco/StellaOps.Concelier.Connector.Vndr.Cisco.csproj

@@ -5,9 +5,11 @@
     <TargetFramework>net10.0</TargetFramework>
     <ImplicitUsings>enable</ImplicitUsings>
     <Nullable>enable</Nullable>
+    <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
   </PropertyGroup>
 
   <ItemGroup>
+    <ProjectReference Include="../../../__Libraries/StellaOps.Cryptography/StellaOps.Cryptography.csproj" />
     <ProjectReference Include="../../../__Libraries/StellaOps.Plugin/StellaOps.Plugin.csproj" />
     <ProjectReference Include="../StellaOps.Concelier.Core/StellaOps.Concelier.Core.csproj" />
     <ProjectReference Include="../StellaOps.Concelier.Connector.Common/StellaOps.Concelier.Connector.Common.csproj" />