feat(audit): Apply TreatWarningsAsErrors=true to 160+ production csproj files

Sprint: SPRINT_20251229_049_BE_csproj_audit_maint_tests
Tasks: AUDIT-0001 through AUDIT-0147 APPLY tasks (approved decisions 1-9)

Changes:
- Set TreatWarningsAsErrors=true for all production .NET projects
- Fixed nullable warnings in Scanner.EntryTrace, Scanner.Evidence,
  Scheduler.Worker, Concelier connectors, and other modules
- Injected TimeProvider/IGuidProvider for deterministic time/ID generation
- Added path traversal validation in AirGap.Bundle
- Fixed NULL handling in various cursor classes
- Third-party GostCryptography retains TreatWarningsAsErrors=false (preserves original)
- Test projects excluded per user decision (rejected decision 10)

Note: All 17 ACSC connector tests pass after snapshot fixture sync

src/Concelier/__Libraries/StellaOps.Concelier.Merge/Backport/ProvenanceScopeService.cs

@@ -5,6 +5,8 @@
 // Description: Service for managing provenance scope lifecycle
 // -----------------------------------------------------------------------------
 
+using System.Security.Cryptography;
+using System.Text;
 using System.Text.RegularExpressions;
 using Microsoft.Extensions.Logging;
 
@@ -79,7 +81,7 @@ public sealed partial class ProvenanceScopeService : IProvenanceScopeService
         // 4. Prepare scope data
         var scope = new ProvenanceScope
         {
-            Id = existing?.Id ?? Guid.NewGuid(),
+            Id = existing?.Id ?? ComputeDeterministicScopeId(request.CanonicalId, distroRelease),
             CanonicalId = request.CanonicalId,
             DistroRelease = distroRelease,
             BackportSemver = evidence?.BackportVersion ?? request.FixedVersion,
@@ -144,7 +146,7 @@ public sealed partial class ProvenanceScopeService : IProvenanceScopeService
 
         var scope = new ProvenanceScope
         {
-            Id = existing?.Id ?? Guid.NewGuid(),
+            Id = existing?.Id ?? ComputeDeterministicScopeId(canonicalId, evidence.DistroRelease),
             CanonicalId = canonicalId,
             DistroRelease = evidence.DistroRelease,
             BackportSemver = evidence.BackportVersion,
@@ -306,6 +308,13 @@ public sealed partial class ProvenanceScopeService : IProvenanceScopeService
     [GeneratedRegex(@"[0-9a-f]{40}", RegexOptions.IgnoreCase)]
     private static partial Regex CommitShaRegex();
 
+    private static Guid ComputeDeterministicScopeId(Guid canonicalId, string distroRelease)
+    {
+        var input = $"provenance-scope:{canonicalId}:{distroRelease}";
+        var hashBytes = SHA256.HashData(Encoding.UTF8.GetBytes(input));
+        return new Guid(hashBytes[..16]);
+    }
+
     #endregion
 }
 

src/Concelier/__Libraries/StellaOps.Concelier.Merge/Services/AdvisoryMergeService.cs

@@ -3,6 +3,8 @@ using System.Collections.Generic;
 using System.Collections.Immutable;
 using System.Diagnostics.Metrics;
 using System.Linq;
+using System.Security.Cryptography;
+using System.Text;
 using System.Threading;
 using System.Threading.Tasks;
 using Microsoft.Extensions.Logging;
@@ -246,7 +248,7 @@ public sealed class AdvisoryMergeService
 
         foreach (var advisory in inputs)
         {
-            var statementId = Guid.NewGuid();
+            var statementId = ComputeDeterministicStatementId(vulnerabilityKey, advisory);
             statementIds[advisory] = statementId;
             var (provenance, trust) = ResolveDsseMetadata(advisory);
             statements.Add(new AdvisoryStatementInput(
@@ -260,7 +262,7 @@ public sealed class AdvisoryMergeService
                 Trust: trust));
         }
 
-        var canonicalStatementId = Guid.NewGuid();
+        var canonicalStatementId = ComputeDeterministicStatementId(vulnerabilityKey, merged);
         statementIds[merged] = canonicalStatementId;
         var (canonicalProvenance, canonicalTrust) = ResolveDsseMetadata(merged);
         statements.Add(new AdvisoryStatementInput(
@@ -352,9 +354,9 @@ public sealed class AdvisoryMergeService
             var canonicalJson = explainer.ToCanonicalJson();
             var document = JsonDocument.Parse(canonicalJson);
             var asOf = (detail.Primary.Modified ?? detail.Suppressed.Modified ?? recordedAt).ToUniversalTime();
-            var conflictId = Guid.NewGuid();
-            var statementIdArray = ImmutableArray.CreateRange(related);
             var conflictHash = explainer.ComputeHashHex(canonicalJson);
+            var conflictId = ComputeDeterministicConflictId(vulnerabilityKey, conflictHash);
+            var statementIdArray = ImmutableArray.CreateRange(related);
 
             inputs.Add(new AdvisoryConflictInput(
                 vulnerabilityKey,
@@ -572,6 +574,21 @@ public sealed class AdvisoryMergeService
 
         return component.SeedAdvisoryKey;
     }
+
+    private static Guid ComputeDeterministicStatementId(string vulnerabilityKey, Advisory advisory)
+    {
+        var canonicalJson = CanonicalJsonSerializer.Serialize(advisory);
+        var input = $"statement:{vulnerabilityKey}:{advisory.AdvisoryKey}:{canonicalJson}";
+        var hashBytes = SHA256.HashData(Encoding.UTF8.GetBytes(input));
+        return new Guid(hashBytes[..16]);
+    }
+
+    private static Guid ComputeDeterministicConflictId(string vulnerabilityKey, string conflictHash)
+    {
+        var input = $"conflict:{vulnerabilityKey}:{conflictHash}";
+        var hashBytes = SHA256.HashData(Encoding.UTF8.GetBytes(input));
+        return new Guid(hashBytes[..16]);
+    }
 }
 
 public sealed record AdvisoryMergeResult(

src/Concelier/__Libraries/StellaOps.Concelier.Merge/Services/MergeEventWriter.cs

@@ -2,6 +2,7 @@ namespace StellaOps.Concelier.Merge.Services;
 
 using System.Security.Cryptography;
 using System.Linq;
+using System.Text;
 using Microsoft.Extensions.Logging;
 using StellaOps.Concelier.Merge.Backport;
 using StellaOps.Concelier.Models;
@@ -69,9 +70,10 @@ public sealed class MergeEventWriter
 
         // Convert backport evidence to audit decisions
         var evidenceDecisions = ConvertToAuditDecisions(backportEvidence);
+        var eventId = ComputeDeterministicEventId(advisoryKey, afterHash, timestamp);
 
         var record = new MergeEventRecord(
-            Guid.NewGuid(),
+            eventId,
             advisoryKey,
             beforeHash,
             afterHash,
@@ -123,4 +125,11 @@ public sealed class MergeEventWriter
             e.ProofId,
             e.EvidenceDate)).ToArray();
     }
+
+    private static Guid ComputeDeterministicEventId(string advisoryKey, byte[] afterHash, DateTimeOffset timestamp)
+    {
+        var input = $"merge-event:{advisoryKey}:{Convert.ToHexString(afterHash)}:{timestamp:O}";
+        var hashBytes = SHA256.HashData(Encoding.UTF8.GetBytes(input));
+        return new Guid(hashBytes[..16]);
+    }
 }

src/Concelier/__Libraries/StellaOps.Concelier.Merge/StellaOps.Concelier.Merge.csproj

@@ -5,6 +5,7 @@
     <TargetFramework>net10.0</TargetFramework>
     <ImplicitUsings>enable</ImplicitUsings>
     <Nullable>enable</Nullable>
+    <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
   </PropertyGroup>
 
   <ItemGroup>
@@ -18,5 +19,6 @@
     <ProjectReference Include="../../../Router/__Libraries/StellaOps.Messaging/StellaOps.Messaging.csproj" />
     <ProjectReference Include="../../../__Libraries/StellaOps.Provcache/StellaOps.Provcache.csproj" />
     <ProjectReference Include="../../../__Libraries/StellaOps.VersionComparison/StellaOps.VersionComparison.csproj" />
+    <ProjectReference Include="../../../__Libraries/StellaOps.Cryptography/StellaOps.Cryptography.csproj" />
   </ItemGroup>
 </Project>