feat(audit): Apply TreatWarningsAsErrors=true to 160+ production csproj files

Sprint: SPRINT_20251229_049_BE_csproj_audit_maint_tests
Tasks: AUDIT-0001 through AUDIT-0147 APPLY tasks (approved decisions 1-9)

Changes:
- Set TreatWarningsAsErrors=true for all production .NET projects
- Fixed nullable warnings in Scanner.EntryTrace, Scanner.Evidence,
  Scheduler.Worker, Concelier connectors, and other modules
- Injected TimeProvider/IGuidProvider for deterministic time/ID generation
- Added path traversal validation in AirGap.Bundle
- Fixed NULL handling in various cursor classes
- Third-party GostCryptography retains TreatWarningsAsErrors=false (preserves original)
- Test projects excluded per user decision (rejected decision 10)

Note: All 17 ACSC connector tests pass after snapshot fixture sync

src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Matching/SbomAdvisoryMatcher.cs

@@ -6,6 +6,8 @@
 // -----------------------------------------------------------------------------
 
 using System.Collections.Concurrent;
+using System.Security.Cryptography;
+using System.Text;
 using Microsoft.Extensions.Logging;
 using StellaOps.Concelier.Core.Canonical;
 using StellaOps.Concelier.SbomIntegration.Models;
@@ -132,7 +134,7 @@ public sealed class SbomAdvisoryMatcher : ISbomAdvisoryMatcher
 
         return new SbomAdvisoryMatch
         {
-            Id = Guid.NewGuid(),
+            Id = ComputeDeterministicMatchId(string.Empty, purl, canonicalId),
             SbomId = Guid.Empty, // Not applicable for single check
             SbomDigest = string.Empty,
             CanonicalId = canonicalId,
@@ -168,7 +170,7 @@ public sealed class SbomAdvisoryMatcher : ISbomAdvisoryMatcher
 
             return advisories.Select(advisory => new SbomAdvisoryMatch
             {
-                Id = Guid.NewGuid(),
+                Id = ComputeDeterministicMatchId(sbomDigest, purl, advisory.Id),
                 SbomId = sbomId,
                 SbomDigest = sbomDigest,
                 CanonicalId = advisory.Id,
@@ -267,4 +269,24 @@ public sealed class SbomAdvisoryMatcher : ISbomAdvisoryMatcher
 
         return normalized;
     }
+
+    /// <summary>
+    /// Computes a deterministic match ID from SBOM digest, PURL, and canonical advisory ID.
+    /// </summary>
+    private static Guid ComputeDeterministicMatchId(string sbomDigest, string purl, Guid canonicalId)
+    {
+        var input = $"SBOM_MATCH:{sbomDigest}:{purl}:{canonicalId}";
+        var hashBytes = SHA256.HashData(Encoding.UTF8.GetBytes(input))[..16];
+        return new Guid(hashBytes);
+    }
+
+    /// <summary>
+    /// Computes a deterministic match ID from SBOM digest, PURL, and canonical advisory ID string.
+    /// </summary>
+    private static Guid ComputeDeterministicMatchId(string sbomDigest, string purl, string canonicalIdStr)
+    {
+        var input = $"SBOM_MATCH:{sbomDigest}:{purl}:{canonicalIdStr}";
+        var hashBytes = SHA256.HashData(Encoding.UTF8.GetBytes(input))[..16];
+        return new Guid(hashBytes);
+    }
 }

src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/SbomAdvisoryMatcher.cs

@@ -6,6 +6,8 @@
 // -----------------------------------------------------------------------------
 
 using System.Collections.Concurrent;
+using System.Security.Cryptography;
+using System.Text;
 using Microsoft.Extensions.Logging;
 using StellaOps.Concelier.Core.Canonical;
 using StellaOps.Concelier.SbomIntegration.Models;
@@ -132,7 +134,7 @@ public sealed class SbomAdvisoryMatcher : ISbomAdvisoryMatcher
 
         return new SbomAdvisoryMatch
         {
-            Id = Guid.NewGuid(),
+            Id = ComputeDeterministicMatchId(string.Empty, purl, canonicalId),
             SbomId = Guid.Empty, // Not applicable for single check
             SbomDigest = string.Empty,
             CanonicalId = canonicalId,
@@ -168,7 +170,7 @@ public sealed class SbomAdvisoryMatcher : ISbomAdvisoryMatcher
 
             return advisories.Select(advisory => new SbomAdvisoryMatch
             {
-                Id = Guid.NewGuid(),
+                Id = ComputeDeterministicMatchId(sbomDigest, purl, advisory.Id),
                 SbomId = sbomId,
                 SbomDigest = sbomDigest,
                 CanonicalId = advisory.Id,
@@ -267,4 +269,24 @@ public sealed class SbomAdvisoryMatcher : ISbomAdvisoryMatcher
 
         return normalized;
     }
+
+    /// <summary>
+    /// Computes a deterministic match ID from SBOM digest, PURL, and canonical advisory ID.
+    /// </summary>
+    private static Guid ComputeDeterministicMatchId(string sbomDigest, string purl, Guid canonicalId)
+    {
+        var input = $"SBOM_MATCH:{sbomDigest}:{purl}:{canonicalId}";
+        var hashBytes = SHA256.HashData(Encoding.UTF8.GetBytes(input))[..16];
+        return new Guid(hashBytes);
+    }
+
+    /// <summary>
+    /// Computes a deterministic match ID from SBOM digest, PURL, and canonical advisory ID string.
+    /// </summary>
+    private static Guid ComputeDeterministicMatchId(string sbomDigest, string purl, string canonicalIdStr)
+    {
+        var input = $"SBOM_MATCH:{sbomDigest}:{purl}:{canonicalIdStr}";
+        var hashBytes = SHA256.HashData(Encoding.UTF8.GetBytes(input))[..16];
+        return new Guid(hashBytes);
+    }
 }

src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/SbomRegistryService.cs

@@ -6,6 +6,8 @@
 // -----------------------------------------------------------------------------
 
 using System.Diagnostics;
+using System.Security.Cryptography;
+using System.Text;
 using Microsoft.Extensions.Logging;
 using StellaOps.Concelier.Interest;
 using StellaOps.Concelier.SbomIntegration.Events;
@@ -62,7 +64,7 @@ public sealed class SbomRegistryService : ISbomRegistryService
 
         var registration = new SbomRegistration
         {
-            Id = Guid.NewGuid(),
+            Id = ComputeDeterministicRegistrationId(input.Digest, input.TenantId),
             Digest = input.Digest,
             Format = input.Format,
             SpecVersion = input.SpecVersion,
@@ -526,4 +528,14 @@ public sealed class SbomRegistryService : ISbomRegistryService
     }
 
     #endregion
+
+    /// <summary>
+    /// Computes a deterministic registration ID from SBOM digest and tenant.
+    /// </summary>
+    private static Guid ComputeDeterministicRegistrationId(string digest, string tenantId)
+    {
+        var input = $"SBOM_REG:{tenantId}:{digest}";
+        var hashBytes = SHA256.HashData(Encoding.UTF8.GetBytes(input))[..16];
+        return new Guid(hashBytes);
+    }
 }

src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/StellaOps.Concelier.SbomIntegration.csproj

@@ -6,7 +6,7 @@
     <ImplicitUsings>enable</ImplicitUsings>
     <Nullable>enable</Nullable>
     <LangVersion>preview</LangVersion>
-    <TreatWarningsAsErrors>false</TreatWarningsAsErrors>
+    <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
     <RootNamespace>StellaOps.Concelier.SbomIntegration</RootNamespace>
     <AssemblyName>StellaOps.Concelier.SbomIntegration</AssemblyName>
     <Description>SBOM integration for Concelier advisory matching and interest scoring</Description>