feat(secrets): Implement secret leak policies and signal binding

- Added `spl-secret-block@1.json` to block deployments with critical or high severity secret findings. - Introduced `spl-secret-warn@1.json` to warn on secret findings without blocking deployments. - Created `SecretSignalBinder.cs` to bind secret evidence to policy evaluation signals. - Developed unit tests for `SecretEvidenceContext` and `SecretSignalBinder` to ensure correct functionality. - Enhanced `SecretSignalContextExtensions` to integrate secret evidence into signal contexts.
2026-01-04 15:44:49 +02:00
parent 1f33143bd1
commit f7d27c6fda
44 changed files with 2406 additions and 1107 deletions
--- a/src/Policy/StellaOps.PolicyDsl/SecretSignalContextExtensions.cs
+++ b/src/Policy/StellaOps.PolicyDsl/SecretSignalContextExtensions.cs
@@ -0,0 +1,106 @@
+// -----------------------------------------------------------------------------
+// SecretSignalContextExtensions.cs
+// Sprint: SPRINT_20260104_004_POLICY (Secret DSL Integration)
+// Task: PSD-008 - Register predicates in PolicyDslRegistry (via signal context)
+// -----------------------------------------------------------------------------
+
+using StellaOps.Policy.Secrets;
+
+namespace StellaOps.PolicyDsl;
+
+/// <summary>
+/// Extension methods for integrating secret evidence with PolicyDsl SignalContext.
+/// </summary>
+public static class SecretSignalContextExtensions
+{
+    /// <summary>
+    /// Adds secret evidence signals to the signal context.
+    /// </summary>
+    /// <param name="context">The signal context.</param>
+    /// <param name="evidenceContext">The secret evidence context.</param>
+    /// <returns>The signal context for chaining.</returns>
+    public static SignalContext WithSecretEvidence(
+        this SignalContext context,
+        SecretEvidenceContext evidenceContext)
+    {
+        ArgumentNullException.ThrowIfNull(context);
+        ArgumentNullException.ThrowIfNull(evidenceContext);
+
+        // Add flat signals
+        var signals = SecretSignalBinder.BindToSignals(evidenceContext);
+        foreach (var (name, value) in signals)
+        {
+            context.SetSignal(name, value);
+        }
+
+        // Add nested object for member access (secret.severity.high, etc.)
+        var nested = SecretSignalBinder.BindToNestedObject(evidenceContext);
+        context.SetSignal("secret", nested);
+
+        return context;
+    }
+
+    /// <summary>
+    /// Adds secret evidence signals to the signal context builder.
+    /// </summary>
+    /// <param name="builder">The signal context builder.</param>
+    /// <param name="evidenceContext">The secret evidence context.</param>
+    /// <returns>The builder for chaining.</returns>
+    public static SignalContextBuilder WithSecretEvidence(
+        this SignalContextBuilder builder,
+        SecretEvidenceContext evidenceContext)
+    {
+        ArgumentNullException.ThrowIfNull(builder);
+        ArgumentNullException.ThrowIfNull(evidenceContext);
+
+        // Add flat signals
+        var signals = SecretSignalBinder.BindToSignals(evidenceContext);
+        foreach (var (name, value) in signals)
+        {
+            builder.WithSignal(name, value);
+        }
+
+        // Add nested object for member access
+        var nested = SecretSignalBinder.BindToNestedObject(evidenceContext);
+        builder.WithSignal("secret", nested);
+
+        return builder;
+    }
+
+    /// <summary>
+    /// Adds secret evidence signals from a provider.
+    /// </summary>
+    /// <param name="builder">The signal context builder.</param>
+    /// <param name="provider">The secret evidence provider.</param>
+    /// <returns>The builder for chaining.</returns>
+    public static SignalContextBuilder WithSecretEvidence(
+        this SignalContextBuilder builder,
+        ISecretEvidenceProvider provider)
+    {
+        ArgumentNullException.ThrowIfNull(builder);
+        ArgumentNullException.ThrowIfNull(provider);
+
+        var context = new SecretEvidenceContext(provider);
+        return builder.WithSecretEvidence(context);
+    }
+
+    /// <summary>
+    /// Creates a signal context builder with secret evidence.
+    /// </summary>
+    /// <param name="evidenceContext">The secret evidence context.</param>
+    /// <returns>A new builder with secret signals.</returns>
+    public static SignalContextBuilder CreateBuilderWithSecrets(SecretEvidenceContext evidenceContext)
+    {
+        return SignalContext.Builder().WithSecretEvidence(evidenceContext);
+    }
+
+    /// <summary>
+    /// Creates a signal context with secret evidence.
+    /// </summary>
+    /// <param name="evidenceContext">The secret evidence context.</param>
+    /// <returns>A new signal context with secret signals.</returns>
+    public static SignalContext CreateContextWithSecrets(SecretEvidenceContext evidenceContext)
+    {
+        return CreateBuilderWithSecrets(evidenceContext).Build();
+    }
+}
--- a/src/Policy/__Libraries/StellaOps.Policy/Schemas/signals-schema@1.json
+++ b/src/Policy/__Libraries/StellaOps.Policy/Schemas/signals-schema@1.json
@@ -0,0 +1,159 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://schemas.stellaops.io/policy/signals-schema@1.json",
+  "title": "StellaOps Policy Signals v1",
+  "description": "Defines available signals for policy condition evaluation",
+  "type": "object",
+  "$defs": {
+    "signalName": {
+      "type": "string",
+      "description": "A signal name for policy condition evaluation",
+      "pattern": "^[a-z][a-z0-9_]*(?:\\.[a-z][a-z0-9_]*)*$",
+      "examples": [
+        "secret.has_finding",
+        "secret.severity.critical",
+        "secret.bundle.version",
+        "reachability.state",
+        "finding.severity"
+      ]
+    },
+    "secretSignals": {
+      "type": "object",
+      "description": "Secret detection related signals",
+      "properties": {
+        "secret.has_finding": {
+          "type": "boolean",
+          "description": "True if any secret finding exists"
+        },
+        "secret.count": {
+          "type": "integer",
+          "description": "Total number of secret findings",
+          "minimum": 0
+        },
+        "secret.severity.critical": {
+          "type": "boolean",
+          "description": "True if any critical severity secret finding exists"
+        },
+        "secret.severity.high": {
+          "type": "boolean",
+          "description": "True if any high severity secret finding exists"
+        },
+        "secret.severity.medium": {
+          "type": "boolean",
+          "description": "True if any medium severity secret finding exists"
+        },
+        "secret.severity.low": {
+          "type": "boolean",
+          "description": "True if any low severity secret finding exists"
+        },
+        "secret.confidence.high": {
+          "type": "boolean",
+          "description": "True if any high confidence secret finding exists"
+        },
+        "secret.confidence.medium": {
+          "type": "boolean",
+          "description": "True if any medium confidence secret finding exists"
+        },
+        "secret.confidence.low": {
+          "type": "boolean",
+          "description": "True if any low confidence secret finding exists"
+        },
+        "secret.mask.applied": {
+          "type": "boolean",
+          "description": "True if masking was applied to all findings"
+        },
+        "secret.bundle.version": {
+          "type": "string",
+          "description": "The active secret detection bundle version (YYYY.MM format)",
+          "pattern": "^\\d{4}\\.\\d{2}$"
+        },
+        "secret.bundle.id": {
+          "type": "string",
+          "description": "The active bundle identifier"
+        },
+        "secret.bundle.rule_count": {
+          "type": "integer",
+          "description": "Number of rules in the active bundle",
+          "minimum": 0
+        },
+        "secret.bundle.signer_key_id": {
+          "type": "string",
+          "description": "Key ID used to sign the bundle"
+        },
+        "secret.aws.count": {
+          "type": "integer",
+          "description": "Count of AWS-related secret findings",
+          "minimum": 0
+        },
+        "secret.github.count": {
+          "type": "integer",
+          "description": "Count of GitHub-related secret findings",
+          "minimum": 0
+        },
+        "secret.private_key.count": {
+          "type": "integer",
+          "description": "Count of private key findings",
+          "minimum": 0
+        }
+      }
+    },
+    "findingSignals": {
+      "type": "object",
+      "description": "Vulnerability finding related signals",
+      "properties": {
+        "finding.severity": {
+          "type": "string",
+          "description": "Finding severity level",
+          "enum": ["critical", "high", "medium", "low", "unknown"]
+        },
+        "finding.confidence": {
+          "type": "number",
+          "description": "Finding confidence score",
+          "minimum": 0,
+          "maximum": 1
+        },
+        "finding.cve_id": {
+          "type": "string",
+          "description": "CVE identifier if applicable"
+        }
+      }
+    },
+    "reachabilitySignals": {
+      "type": "object",
+      "description": "Reachability analysis signals",
+      "properties": {
+        "reachability.state": {
+          "type": "string",
+          "description": "Reachability state",
+          "enum": ["reachable", "unreachable", "unknown"]
+        },
+        "reachability.confidence": {
+          "type": "number",
+          "description": "Reachability confidence score",
+          "minimum": 0,
+          "maximum": 1
+        },
+        "reachability.has_runtime_evidence": {
+          "type": "boolean",
+          "description": "True if runtime evidence exists for reachability"
+        }
+      }
+    },
+    "trustSignals": {
+      "type": "object",
+      "description": "Trust and verification signals",
+      "properties": {
+        "trust_score": {
+          "type": "number",
+          "description": "Trust score",
+          "minimum": 0,
+          "maximum": 1
+        },
+        "trust_verified": {
+          "type": "boolean",
+          "description": "True if the source is verified"
+        }
+      }
+    }
+  }
+}
--- a/src/Policy/__Libraries/StellaOps.Policy/Schemas/spl-schema@1.json
+++ b/src/Policy/__Libraries/StellaOps.Policy/Schemas/spl-schema@1.json
@@ -131,6 +131,7 @@
                  },
                  "conditions": {
                    "type": "array",
+                    "description": "Conditions evaluated against policy signals. See signals-schema@1.json for available signals.",
                    "items": {
                      "type": "object",
                      "additionalProperties": false,
@@ -138,7 +139,18 @@
                      "properties": {
                        "field": {
                          "type": "string",
-                          "maxLength": 256
+                          "maxLength": 256,
+                          "description": "Signal name to evaluate. Common signals: secret.has_finding, secret.severity.critical, secret.count, secret.bundle.version, reachability.state, finding.severity",
+                          "examples": [
+                            "secret.has_finding",
+                            "secret.severity.critical",
+                            "secret.severity.high",
+                            "secret.count",
+                            "secret.mask.applied",
+                            "secret.bundle.version",
+                            "reachability.state",
+                            "finding.severity"
+                          ]
                        },
                        "operator": {
                          "type": "string",
@@ -153,8 +165,11 @@
                            "nin",
                            "contains",
                            "startsWith",
-                            "endsWith"
-                          ]
+                            "endsWith",
+                            "matches",
+                            "exists"
+                          ],
+                          "description": "Comparison operator. 'matches' uses glob patterns, 'exists' checks signal presence."
                        },
                        "value": {}
                      }
--- a/src/Policy/__Libraries/StellaOps.Policy/Schemas/spl-secret-block@1.json
+++ b/src/Policy/__Libraries/StellaOps.Policy/Schemas/spl-secret-block@1.json
@@ -0,0 +1,82 @@
+{
+  "apiVersion": "spl.stellaops/v1",
+  "kind": "Policy",
+  "metadata": {
+    "name": "secret-leak-block",
+    "description": "Block deployments with critical or high severity secret findings",
+    "labels": {
+      "category": "security",
+      "domain": "secrets"
+    }
+  },
+  "spec": {
+    "defaultEffect": "allow",
+    "statements": [
+      {
+        "id": "block-critical-secrets",
+        "effect": "deny",
+        "description": "Block any critical severity secret findings",
+        "match": {
+          "resource": "*",
+          "actions": ["deploy", "release"],
+          "conditions": [
+            {
+              "field": "secret.severity.critical",
+              "operator": "eq",
+              "value": true
+            }
+          ]
+        },
+        "audit": {
+          "message": "Blocked: Critical severity secret leak detected",
+          "severity": "error"
+        }
+      },
+      {
+        "id": "block-high-secrets-unmasked",
+        "effect": "deny",
+        "description": "Block high severity secrets that are not properly masked",
+        "match": {
+          "resource": "*",
+          "actions": ["deploy", "release"],
+          "conditions": [
+            {
+              "field": "secret.severity.high",
+              "operator": "eq",
+              "value": true
+            },
+            {
+              "field": "secret.mask.applied",
+              "operator": "eq",
+              "value": false
+            }
+          ]
+        },
+        "audit": {
+          "message": "Blocked: High severity secret without masking",
+          "severity": "error"
+        }
+      },
+      {
+        "id": "require-current-bundle",
+        "effect": "deny",
+        "description": "Block scans using outdated detection bundles",
+        "match": {
+          "resource": "*",
+          "actions": ["deploy"],
+          "conditions": [
+            {
+              "field": "secret.bundle.version",
+              "operator": "lt",
+              "value": "2025.01"
+            }
+          ]
+        },
+        "audit": {
+          "message": "Blocked: Secret detection bundle is outdated",
+          "severity": "warn"
+        }
+      }
+    ]
+  }
+}
--- a/src/Policy/__Libraries/StellaOps.Policy/Schemas/spl-secret-warn@1.json
+++ b/src/Policy/__Libraries/StellaOps.Policy/Schemas/spl-secret-warn@1.json
@@ -0,0 +1,98 @@
+{
+  "apiVersion": "spl.stellaops/v1",
+  "kind": "Policy",
+  "metadata": {
+    "name": "secret-leak-warn",
+    "description": "Warn on secret findings without blocking deployments",
+    "labels": {
+      "category": "security",
+      "domain": "secrets",
+      "mode": "advisory"
+    }
+  },
+  "spec": {
+    "defaultEffect": "allow",
+    "statements": [
+      {
+        "id": "warn-any-secrets",
+        "effect": "allow",
+        "description": "Log warning for any secret findings",
+        "match": {
+          "resource": "*",
+          "actions": ["scan", "deploy", "release"],
+          "conditions": [
+            {
+              "field": "secret.has_finding",
+              "operator": "eq",
+              "value": true
+            }
+          ]
+        },
+        "audit": {
+          "message": "Warning: Secret findings detected in scan",
+          "severity": "warn"
+        }
+      },
+      {
+        "id": "warn-aws-credentials",
+        "effect": "allow",
+        "description": "Special warning for AWS credential exposure",
+        "match": {
+          "resource": "*",
+          "actions": ["scan", "deploy"],
+          "conditions": [
+            {
+              "field": "secret.aws.count",
+              "operator": "gt",
+              "value": 0
+            }
+          ]
+        },
+        "audit": {
+          "message": "Warning: AWS credentials detected - consider rotating",
+          "severity": "warn"
+        }
+      },
+      {
+        "id": "warn-github-tokens",
+        "effect": "allow",
+        "description": "Special warning for GitHub token exposure",
+        "match": {
+          "resource": "*",
+          "actions": ["scan", "deploy"],
+          "conditions": [
+            {
+              "field": "secret.github.count",
+              "operator": "gt",
+              "value": 0
+            }
+          ]
+        },
+        "audit": {
+          "message": "Warning: GitHub tokens detected - consider rotating",
+          "severity": "warn"
+        }
+      },
+      {
+        "id": "warn-private-keys",
+        "effect": "allow",
+        "description": "Special warning for private key exposure",
+        "match": {
+          "resource": "*",
+          "actions": ["scan", "deploy"],
+          "conditions": [
+            {
+              "field": "secret.private_key.count",
+              "operator": "gt",
+              "value": 0
+            }
+          ]
+        },
+        "audit": {
+          "message": "Warning: Private keys detected - review exposure",
+          "severity": "warn"
+        }
+      }
+    ]
+  }
+}
--- a/src/Policy/__Libraries/StellaOps.Policy/Secrets/SecretSignalBinder.cs
+++ b/src/Policy/__Libraries/StellaOps.Policy/Secrets/SecretSignalBinder.cs
@@ -0,0 +1,228 @@
+// -----------------------------------------------------------------------------
+// SecretSignalBinder.cs
+// Sprint: SPRINT_20260104_004_POLICY (Secret DSL Integration)
+// Tasks: PSD-003 through PSD-007 - Add secret.* predicates as signals
+// -----------------------------------------------------------------------------
+
+using System.Collections.Immutable;
+using System.Globalization;
+
+namespace StellaOps.Policy.Secrets;
+
+/// <summary>
+/// Binds secret evidence to policy evaluation signals.
+/// This class converts secret findings and bundle metadata into signals that can be
+/// evaluated by the PolicyDsl SignalContext.
+///
+/// <para>
+/// Available signals after binding:
+/// <list type="bullet">
+///   <item><c>secret.has_finding</c> - true if any secret finding exists</item>
+///   <item><c>secret.count</c> - total number of findings</item>
+///   <item><c>secret.severity.critical</c> - true if any critical finding exists</item>
+///   <item><c>secret.severity.high</c> - true if any high severity finding exists</item>
+///   <item><c>secret.severity.medium</c> - true if any medium severity finding exists</item>
+///   <item><c>secret.severity.low</c> - true if any low severity finding exists</item>
+///   <item><c>secret.confidence.high</c> - true if any high confidence finding exists</item>
+///   <item><c>secret.confidence.medium</c> - true if any medium confidence finding exists</item>
+///   <item><c>secret.confidence.low</c> - true if any low confidence finding exists</item>
+///   <item><c>secret.mask.applied</c> - true if masking was applied to all findings</item>
+///   <item><c>secret.bundle.version</c> - the active bundle version string</item>
+///   <item><c>secret.bundle.id</c> - the active bundle ID</item>
+///   <item><c>secret.bundle.rule_count</c> - the number of rules in the bundle</item>
+/// </list>
+/// </para>
+/// </summary>
+public static class SecretSignalBinder
+{
+    /// <summary>
+    /// Signal name prefix for all secret-related signals.
+    /// </summary>
+    public const string SignalPrefix = "secret";
+
+    /// <summary>
+    /// Binds secret evidence to a dictionary of signals.
+    /// </summary>
+    /// <param name="context">The secret evidence context.</param>
+    /// <returns>A dictionary of signal names to values.</returns>
+    public static ImmutableDictionary<string, object?> BindToSignals(SecretEvidenceContext context)
+    {
+        ArgumentNullException.ThrowIfNull(context);
+
+        var signals = ImmutableDictionary.CreateBuilder<string, object?>(StringComparer.Ordinal);
+
+        // Core finding signals
+        signals[$"{SignalPrefix}.has_finding"] = context.HasAnyFinding;
+        signals[$"{SignalPrefix}.count"] = context.FindingCount;
+
+        // Severity signals
+        signals[$"{SignalPrefix}.severity.critical"] = context.HasFindingWithSeverity("critical");
+        signals[$"{SignalPrefix}.severity.high"] = context.HasFindingWithSeverity("high");
+        signals[$"{SignalPrefix}.severity.medium"] = context.HasFindingWithSeverity("medium");
+        signals[$"{SignalPrefix}.severity.low"] = context.HasFindingWithSeverity("low");
+
+        // Confidence signals
+        signals[$"{SignalPrefix}.confidence.high"] = context.HasFindingWithConfidence("high");
+        signals[$"{SignalPrefix}.confidence.medium"] = context.HasFindingWithConfidence("medium");
+        signals[$"{SignalPrefix}.confidence.low"] = context.HasFindingWithConfidence("low");
+
+        // Masking signal
+        signals[$"{SignalPrefix}.mask.applied"] = context.MaskingApplied;
+
+        // Bundle signals
+        var bundle = context.Bundle;
+        if (bundle is not null)
+        {
+            signals[$"{SignalPrefix}.bundle.version"] = bundle.Version;
+            signals[$"{SignalPrefix}.bundle.id"] = bundle.BundleId;
+            signals[$"{SignalPrefix}.bundle.rule_count"] = bundle.RuleCount;
+            signals[$"{SignalPrefix}.bundle.signer_key_id"] = bundle.SignerKeyId;
+        }
+        else
+        {
+            signals[$"{SignalPrefix}.bundle.version"] = null;
+            signals[$"{SignalPrefix}.bundle.id"] = null;
+            signals[$"{SignalPrefix}.bundle.rule_count"] = 0;
+            signals[$"{SignalPrefix}.bundle.signer_key_id"] = null;
+        }
+
+        // Rule-specific counts (for common rule patterns)
+        signals[$"{SignalPrefix}.aws.count"] = context.GetMatchCount("stellaops.secrets.aws-*");
+        signals[$"{SignalPrefix}.github.count"] = context.GetMatchCount("stellaops.secrets.github-*");
+        signals[$"{SignalPrefix}.private_key.count"] = context.GetMatchCount("stellaops.secrets.private-key-*");
+
+        return signals.ToImmutable();
+    }
+
+    /// <summary>
+    /// Binds secret evidence to a nested object suitable for member access in policies.
+    /// This creates a hierarchical structure like:
+    /// secret.severity.high, secret.bundle.version, etc.
+    /// </summary>
+    /// <param name="context">The secret evidence context.</param>
+    /// <returns>A nested dictionary structure.</returns>
+    public static ImmutableDictionary<string, object?> BindToNestedObject(SecretEvidenceContext context)
+    {
+        ArgumentNullException.ThrowIfNull(context);
+
+        var severity = new Dictionary<string, object?>(StringComparer.Ordinal)
+        {
+            ["critical"] = context.HasFindingWithSeverity("critical"),
+            ["high"] = context.HasFindingWithSeverity("high"),
+            ["medium"] = context.HasFindingWithSeverity("medium"),
+            ["low"] = context.HasFindingWithSeverity("low"),
+        };
+
+        var confidence = new Dictionary<string, object?>(StringComparer.Ordinal)
+        {
+            ["high"] = context.HasFindingWithConfidence("high"),
+            ["medium"] = context.HasFindingWithConfidence("medium"),
+            ["low"] = context.HasFindingWithConfidence("low"),
+        };
+
+        var mask = new Dictionary<string, object?>(StringComparer.Ordinal)
+        {
+            ["applied"] = context.MaskingApplied,
+        };
+
+        var bundle = context.Bundle;
+        var bundleDict = new Dictionary<string, object?>(StringComparer.Ordinal)
+        {
+            ["version"] = bundle?.Version,
+            ["id"] = bundle?.BundleId,
+            ["rule_count"] = bundle?.RuleCount ?? 0,
+            ["signer_key_id"] = bundle?.SignerKeyId,
+        };
+
+        var match = new Dictionary<string, object?>(StringComparer.Ordinal)
+        {
+            ["count"] = context.FindingCount,
+            ["aws_count"] = context.GetMatchCount("stellaops.secrets.aws-*"),
+            ["github_count"] = context.GetMatchCount("stellaops.secrets.github-*"),
+            ["private_key_count"] = context.GetMatchCount("stellaops.secrets.private-key-*"),
+        };
+
+        return new Dictionary<string, object?>(StringComparer.Ordinal)
+        {
+            ["has_finding"] = context.HasAnyFinding,
+            ["count"] = context.FindingCount,
+            ["severity"] = severity,
+            ["confidence"] = confidence,
+            ["mask"] = mask,
+            ["bundle"] = bundleDict,
+            ["match"] = match,
+        }.ToImmutableDictionary();
+    }
+
+    /// <summary>
+    /// Checks if the bundle version meets a required minimum version.
+    /// </summary>
+    /// <param name="context">The secret evidence context.</param>
+    /// <param name="requiredVersion">The minimum required version (YYYY.MM format).</param>
+    /// <returns>True if the bundle meets the version requirement.</returns>
+    public static bool CheckBundleVersion(SecretEvidenceContext context, string requiredVersion)
+    {
+        ArgumentNullException.ThrowIfNull(context);
+        ArgumentException.ThrowIfNullOrWhiteSpace(requiredVersion);
+
+        return context.BundleVersionMeetsRequirement(requiredVersion);
+    }
+
+    /// <summary>
+    /// Checks if all findings are in paths matching the allowlist.
+    /// </summary>
+    /// <param name="context">The secret evidence context.</param>
+    /// <param name="patterns">Glob patterns for allowed paths.</param>
+    /// <returns>True if all findings are in allowed paths.</returns>
+    public static bool CheckPathAllowlist(SecretEvidenceContext context, IReadOnlyList<string> patterns)
+    {
+        ArgumentNullException.ThrowIfNull(context);
+        ArgumentNullException.ThrowIfNull(patterns);
+
+        return context.AllFindingsInAllowlist(patterns);
+    }
+
+    /// <summary>
+    /// Creates finding summary for policy explanation.
+    /// </summary>
+    /// <param name="context">The secret evidence context.</param>
+    /// <returns>A summary string for audit/explanation purposes.</returns>
+    public static string CreateFindingSummary(SecretEvidenceContext context)
+    {
+        ArgumentNullException.ThrowIfNull(context);
+
+        if (!context.HasAnyFinding)
+        {
+            return "No secret findings detected.";
+        }
+
+        var findings = context.Findings;
+        var severityCounts = findings
+            .GroupBy(f => f.Severity, StringComparer.OrdinalIgnoreCase)
+            .ToDictionary(g => g.Key, g => g.Count(), StringComparer.OrdinalIgnoreCase);
+
+        var parts = new List<string>();
+        if (severityCounts.TryGetValue("critical", out var critical) && critical > 0)
+        {
+            parts.Add($"{critical} critical");
+        }
+        if (severityCounts.TryGetValue("high", out var high) && high > 0)
+        {
+            parts.Add($"{high} high");
+        }
+        if (severityCounts.TryGetValue("medium", out var medium) && medium > 0)
+        {
+            parts.Add($"{medium} medium");
+        }
+        if (severityCounts.TryGetValue("low", out var low) && low > 0)
+        {
+            parts.Add($"{low} low");
+        }
+
+        return string.Format(
+            CultureInfo.InvariantCulture,
+            "{0} secret finding(s): {1}",
+            findings.Count,
+            string.Join(", ", parts));
+    }
+}
--- a/src/Policy/__Libraries/StellaOps.Policy/StellaOps.Policy.csproj
+++ b/src/Policy/__Libraries/StellaOps.Policy/StellaOps.Policy.csproj
@@ -19,8 +19,11 @@
    <EmbeddedResource Include="Schemas\policy-schema@1.json" />
    <EmbeddedResource Include="Schemas\policy-scoring-default.json" />
    <EmbeddedResource Include="Schemas\policy-scoring-schema@1.json" />
+    <EmbeddedResource Include="Schemas\signals-schema@1.json" />
    <EmbeddedResource Include="Schemas\spl-schema@1.json" />
    <EmbeddedResource Include="Schemas\spl-sample@1.json" />
+    <EmbeddedResource Include="Schemas\spl-secret-block@1.json" />
+    <EmbeddedResource Include="Schemas\spl-secret-warn@1.json" />
  </ItemGroup>

  <ItemGroup>
--- a/src/Policy/__Tests/StellaOps.Policy.Tests/Secrets/SecretEvidenceContextTests.cs
+++ b/src/Policy/__Tests/StellaOps.Policy.Tests/Secrets/SecretEvidenceContextTests.cs
@@ -0,0 +1,259 @@
+// -----------------------------------------------------------------------------
+// SecretEvidenceContextTests.cs
+// Sprint: SPRINT_20260104_004_POLICY (Secret DSL Integration)
+// Task: PSD-011 - Add unit and integration tests
+// -----------------------------------------------------------------------------
+
+using System.Collections.Immutable;
+using FluentAssertions;
+using Moq;
+using StellaOps.Policy.Secrets;
+using Xunit;
+
+namespace StellaOps.Policy.Tests.Secrets;
+
+[Trait("Category", "Unit")]
+public sealed class SecretEvidenceContextTests
+{
+    [Fact]
+    public void Constructor_WithNullProvider_ThrowsArgumentNullException()
+    {
+        var action = () => new SecretEvidenceContext(null!);
+        action.Should().Throw<ArgumentNullException>();
+    }
+
+    [Fact]
+    public void HasAnyFinding_NoFindings_ReturnsFalse()
+    {
+        var provider = CreateMockProvider([]);
+        var context = new SecretEvidenceContext(provider);
+
+        context.HasAnyFinding.Should().BeFalse();
+    }
+
+    [Fact]
+    public void HasAnyFinding_WithFindings_ReturnsTrue()
+    {
+        var finding = CreateFinding("stellaops.secrets.test", "high");
+        var provider = CreateMockProvider([finding]);
+        var context = new SecretEvidenceContext(provider);
+
+        context.HasAnyFinding.Should().BeTrue();
+    }
+
+    [Fact]
+    public void FindingCount_ReturnsCorrectCount()
+    {
+        var findings = new[]
+        {
+            CreateFinding("stellaops.secrets.test1", "high"),
+            CreateFinding("stellaops.secrets.test2", "medium"),
+            CreateFinding("stellaops.secrets.test3", "low"),
+        };
+        var provider = CreateMockProvider(findings);
+        var context = new SecretEvidenceContext(provider);
+
+        context.FindingCount.Should().Be(3);
+    }
+
+    [Fact]
+    public void HasFindingWithSeverity_MatchingSeverity_ReturnsTrue()
+    {
+        var finding = CreateFinding("stellaops.secrets.test", "critical");
+        var provider = CreateMockProvider([finding]);
+        var context = new SecretEvidenceContext(provider);
+
+        context.HasFindingWithSeverity("critical").Should().BeTrue();
+        context.HasFindingWithSeverity("CRITICAL").Should().BeTrue(); // Case insensitive
+    }
+
+    [Fact]
+    public void HasFindingWithSeverity_NoMatchingSeverity_ReturnsFalse()
+    {
+        var finding = CreateFinding("stellaops.secrets.test", "low");
+        var provider = CreateMockProvider([finding]);
+        var context = new SecretEvidenceContext(provider);
+
+        context.HasFindingWithSeverity("critical").Should().BeFalse();
+    }
+
+    [Fact]
+    public void HasFindingWithConfidence_MatchingConfidence_ReturnsTrue()
+    {
+        var finding = CreateFinding("stellaops.secrets.test", "high", "high");
+        var provider = CreateMockProvider([finding]);
+        var context = new SecretEvidenceContext(provider);
+
+        context.HasFindingWithConfidence("high").Should().BeTrue();
+    }
+
+    [Fact]
+    public void HasFindingWithRuleId_ExactMatch_ReturnsTrue()
+    {
+        var finding = CreateFinding("stellaops.secrets.aws-access-key", "high");
+        var provider = CreateMockProvider([finding]);
+        var context = new SecretEvidenceContext(provider);
+
+        context.HasFindingWithRuleId("stellaops.secrets.aws-access-key").Should().BeTrue();
+    }
+
+    [Fact]
+    public void HasFindingWithRuleId_PatternMatch_ReturnsTrue()
+    {
+        var finding = CreateFinding("stellaops.secrets.aws-access-key", "high");
+        var provider = CreateMockProvider([finding]);
+        var context = new SecretEvidenceContext(provider);
+
+        context.HasFindingWithRuleId("stellaops.secrets.aws-*").Should().BeTrue();
+    }
+
+    [Fact]
+    public void HasFindingWithRuleId_NoMatch_ReturnsFalse()
+    {
+        var finding = CreateFinding("stellaops.secrets.github-token", "high");
+        var provider = CreateMockProvider([finding]);
+        var context = new SecretEvidenceContext(provider);
+
+        context.HasFindingWithRuleId("stellaops.secrets.aws-*").Should().BeFalse();
+    }
+
+    [Fact]
+    public void GetMatchCount_WithPattern_ReturnsCorrectCount()
+    {
+        var findings = new[]
+        {
+            CreateFinding("stellaops.secrets.aws-access-key", "high"),
+            CreateFinding("stellaops.secrets.aws-secret-key", "high"),
+            CreateFinding("stellaops.secrets.github-token", "medium"),
+        };
+        var provider = CreateMockProvider(findings);
+        var context = new SecretEvidenceContext(provider);
+
+        context.GetMatchCount("stellaops.secrets.aws-*").Should().Be(2);
+        context.GetMatchCount("stellaops.secrets.github-*").Should().Be(1);
+    }
+
+    [Fact]
+    public void BundleVersionMeetsRequirement_ValidVersion_ReturnsTrue()
+    {
+        var bundle = new SecretBundleMetadata("bundle-1", "2025.06", DateTimeOffset.UtcNow, 100);
+        var provider = CreateMockProvider([], bundle);
+        var context = new SecretEvidenceContext(provider);
+
+        context.BundleVersionMeetsRequirement("2025.01").Should().BeTrue();
+        context.BundleVersionMeetsRequirement("2025.06").Should().BeTrue();
+    }
+
+    [Fact]
+    public void BundleVersionMeetsRequirement_OlderVersion_ReturnsFalse()
+    {
+        var bundle = new SecretBundleMetadata("bundle-1", "2024.12", DateTimeOffset.UtcNow, 100);
+        var provider = CreateMockProvider([], bundle);
+        var context = new SecretEvidenceContext(provider);
+
+        context.BundleVersionMeetsRequirement("2025.01").Should().BeFalse();
+    }
+
+    [Fact]
+    public void BundleVersionMeetsRequirement_NoBundle_ReturnsFalse()
+    {
+        var provider = CreateMockProvider([]);
+        var context = new SecretEvidenceContext(provider);
+
+        context.BundleVersionMeetsRequirement("2025.01").Should().BeFalse();
+    }
+
+    [Fact]
+    public void MaskingApplied_ReturnsProviderValue()
+    {
+        var mock = new Mock<ISecretEvidenceProvider>();
+        mock.Setup(p => p.GetFindings()).Returns([]);
+        mock.Setup(p => p.IsMaskingApplied()).Returns(true);
+        var context = new SecretEvidenceContext(mock.Object);
+
+        context.MaskingApplied.Should().BeTrue();
+    }
+
+    [Fact]
+    public void AllFindingsInAllowlist_NoFindings_ReturnsTrue()
+    {
+        var provider = CreateMockProvider([]);
+        var context = new SecretEvidenceContext(provider);
+
+        context.AllFindingsInAllowlist(["**/test/**"]).Should().BeTrue();
+    }
+
+    [Fact]
+    public void AllFindingsInAllowlist_AllMatch_ReturnsTrue()
+    {
+        var findings = new[]
+        {
+            CreateFinding("rule1", "high", "high", "test/data/secrets.txt"),
+            CreateFinding("rule2", "high", "high", "test/fixtures/keys.txt"),
+        };
+        var provider = CreateMockProvider(findings);
+        var context = new SecretEvidenceContext(provider);
+
+        context.AllFindingsInAllowlist(["test/**"]).Should().BeTrue();
+    }
+
+    [Fact]
+    public void AllFindingsInAllowlist_SomeNotMatch_ReturnsFalse()
+    {
+        var findings = new[]
+        {
+            CreateFinding("rule1", "high", "high", "test/data/secrets.txt"),
+            CreateFinding("rule2", "high", "high", "src/app/config.json"),
+        };
+        var provider = CreateMockProvider(findings);
+        var context = new SecretEvidenceContext(provider);
+
+        context.AllFindingsInAllowlist(["test/**"]).Should().BeFalse();
+    }
+
+    [Fact]
+    public void AllFindingsInAllowlist_DoubleStarPattern_MatchesNestedPaths()
+    {
+        var findings = new[]
+        {
+            CreateFinding("rule1", "high", "high", "a/b/c/d/test.txt"),
+        };
+        var provider = CreateMockProvider(findings);
+        var context = new SecretEvidenceContext(provider);
+
+        context.AllFindingsInAllowlist(["**/test.txt"]).Should().BeTrue();
+    }
+
+    private static ISecretEvidenceProvider CreateMockProvider(
+        SecretFinding[] findings,
+        SecretBundleMetadata? bundle = null,
+        bool maskingApplied = true)
+    {
+        var mock = new Mock<ISecretEvidenceProvider>();
+        mock.Setup(p => p.GetFindings()).Returns(findings);
+        mock.Setup(p => p.GetBundleMetadata()).Returns(bundle);
+        mock.Setup(p => p.IsMaskingApplied()).Returns(maskingApplied);
+        return mock.Object;
+    }
+
+    private static SecretFinding CreateFinding(
+        string ruleId,
+        string severity,
+        string confidence = "high",
+        string filePath = "test/file.txt")
+    {
+        return new SecretFinding
+        {
+            RuleId = ruleId,
+            RuleVersion = "1.0.0",
+            Severity = severity,
+            Confidence = confidence,
+            FilePath = filePath,
+            LineNumber = 10,
+            Mask = "***REDACTED***",
+            BundleId = "bundle-1",
+            BundleVersion = "2025.01",
+            DetectedAt = DateTimeOffset.UtcNow,
+        };
+    }
+}
--- a/src/Policy/__Tests/StellaOps.Policy.Tests/Secrets/SecretSignalBinderTests.cs
+++ b/src/Policy/__Tests/StellaOps.Policy.Tests/Secrets/SecretSignalBinderTests.cs
@@ -0,0 +1,264 @@
+// -----------------------------------------------------------------------------
+// SecretSignalBinderTests.cs
+// Sprint: SPRINT_20260104_004_POLICY (Secret DSL Integration)
+// Task: PSD-011 - Add unit and integration tests
+// -----------------------------------------------------------------------------
+
+using FluentAssertions;
+using Moq;
+using StellaOps.Policy.Secrets;
+using Xunit;
+
+namespace StellaOps.Policy.Tests.Secrets;
+
+[Trait("Category", "Unit")]
+public sealed class SecretSignalBinderTests
+{
+    [Fact]
+    public void BindToSignals_WithNullContext_ThrowsArgumentNullException()
+    {
+        var action = () => SecretSignalBinder.BindToSignals(null!);
+        action.Should().Throw<ArgumentNullException>();
+    }
+
+    [Fact]
+    public void BindToSignals_NoFindings_ReturnsExpectedSignals()
+    {
+        var provider = CreateMockProvider([]);
+        var context = new SecretEvidenceContext(provider);
+
+        var signals = SecretSignalBinder.BindToSignals(context);
+
+        signals["secret.has_finding"].Should().Be(false);
+        signals["secret.count"].Should().Be(0);
+        signals["secret.severity.critical"].Should().Be(false);
+        signals["secret.severity.high"].Should().Be(false);
+        signals["secret.severity.medium"].Should().Be(false);
+        signals["secret.severity.low"].Should().Be(false);
+    }
+
+    [Fact]
+    public void BindToSignals_WithCriticalFinding_SetsCriticalSignal()
+    {
+        var finding = CreateFinding("rule1", "critical");
+        var provider = CreateMockProvider([finding]);
+        var context = new SecretEvidenceContext(provider);
+
+        var signals = SecretSignalBinder.BindToSignals(context);
+
+        signals["secret.has_finding"].Should().Be(true);
+        signals["secret.count"].Should().Be(1);
+        signals["secret.severity.critical"].Should().Be(true);
+    }
+
+    [Fact]
+    public void BindToSignals_WithMultipleSeverities_SetsAllMatchingSignals()
+    {
+        var findings = new[]
+        {
+            CreateFinding("rule1", "high"),
+            CreateFinding("rule2", "medium"),
+            CreateFinding("rule3", "high"),
+        };
+        var provider = CreateMockProvider(findings);
+        var context = new SecretEvidenceContext(provider);
+
+        var signals = SecretSignalBinder.BindToSignals(context);
+
+        signals["secret.has_finding"].Should().Be(true);
+        signals["secret.count"].Should().Be(3);
+        signals["secret.severity.critical"].Should().Be(false);
+        signals["secret.severity.high"].Should().Be(true);
+        signals["secret.severity.medium"].Should().Be(true);
+        signals["secret.severity.low"].Should().Be(false);
+    }
+
+    [Fact]
+    public void BindToSignals_WithBundle_SetsBundleSignals()
+    {
+        var bundle = new SecretBundleMetadata(
+            "stellaops-bundle-2025",
+            "2025.06",
+            DateTimeOffset.UtcNow,
+            150,
+            "key-001");
+        var provider = CreateMockProvider([], bundle);
+        var context = new SecretEvidenceContext(provider);
+
+        var signals = SecretSignalBinder.BindToSignals(context);
+
+        signals["secret.bundle.version"].Should().Be("2025.06");
+        signals["secret.bundle.id"].Should().Be("stellaops-bundle-2025");
+        signals["secret.bundle.rule_count"].Should().Be(150);
+        signals["secret.bundle.signer_key_id"].Should().Be("key-001");
+    }
+
+    [Fact]
+    public void BindToSignals_NoBundle_SetsBundleSignalsToDefaults()
+    {
+        var provider = CreateMockProvider([]);
+        var context = new SecretEvidenceContext(provider);
+
+        var signals = SecretSignalBinder.BindToSignals(context);
+
+        signals["secret.bundle.version"].Should().BeNull();
+        signals["secret.bundle.id"].Should().BeNull();
+        signals["secret.bundle.rule_count"].Should().Be(0);
+        signals["secret.bundle.signer_key_id"].Should().BeNull();
+    }
+
+    [Fact]
+    public void BindToSignals_WithConfidenceLevels_SetsConfidenceSignals()
+    {
+        var findings = new[]
+        {
+            CreateFinding("rule1", "high", "high"),
+            CreateFinding("rule2", "high", "medium"),
+        };
+        var provider = CreateMockProvider(findings);
+        var context = new SecretEvidenceContext(provider);
+
+        var signals = SecretSignalBinder.BindToSignals(context);
+
+        signals["secret.confidence.high"].Should().Be(true);
+        signals["secret.confidence.medium"].Should().Be(true);
+        signals["secret.confidence.low"].Should().Be(false);
+    }
+
+    [Fact]
+    public void BindToSignals_WithMasking_SetsMaskSignal()
+    {
+        var provider = CreateMockProvider([], maskingApplied: true);
+        var context = new SecretEvidenceContext(provider);
+
+        var signals = SecretSignalBinder.BindToSignals(context);
+
+        signals["secret.mask.applied"].Should().Be(true);
+    }
+
+    [Fact]
+    public void BindToSignals_SetsRuleSpecificCounts()
+    {
+        var findings = new[]
+        {
+            CreateFinding("stellaops.secrets.aws-access-key", "high"),
+            CreateFinding("stellaops.secrets.aws-secret-key", "high"),
+            CreateFinding("stellaops.secrets.github-token", "medium"),
+            CreateFinding("stellaops.secrets.private-key-rsa", "critical"),
+        };
+        var provider = CreateMockProvider(findings);
+        var context = new SecretEvidenceContext(provider);
+
+        var signals = SecretSignalBinder.BindToSignals(context);
+
+        signals["secret.aws.count"].Should().Be(2);
+        signals["secret.github.count"].Should().Be(1);
+        signals["secret.private_key.count"].Should().Be(1);
+    }
+
+    [Fact]
+    public void BindToNestedObject_ReturnsHierarchicalStructure()
+    {
+        var finding = CreateFinding("rule1", "critical", "high");
+        var bundle = new SecretBundleMetadata("bundle-1", "2025.06", DateTimeOffset.UtcNow, 100);
+        var provider = CreateMockProvider([finding], bundle);
+        var context = new SecretEvidenceContext(provider);
+
+        var nested = SecretSignalBinder.BindToNestedObject(context);
+
+        nested["has_finding"].Should().Be(true);
+        nested["count"].Should().Be(1);
+
+        var severity = nested["severity"] as IDictionary<string, object?>;
+        severity.Should().NotBeNull();
+        severity!["critical"].Should().Be(true);
+
+        var bundleDict = nested["bundle"] as IDictionary<string, object?>;
+        bundleDict.Should().NotBeNull();
+        bundleDict!["version"].Should().Be("2025.06");
+    }
+
+    [Fact]
+    public void CheckBundleVersion_ValidRequirement_ReturnsTrue()
+    {
+        var bundle = new SecretBundleMetadata("bundle-1", "2025.06", DateTimeOffset.UtcNow, 100);
+        var provider = CreateMockProvider([], bundle);
+        var context = new SecretEvidenceContext(provider);
+
+        SecretSignalBinder.CheckBundleVersion(context, "2025.01").Should().BeTrue();
+    }
+
+    [Fact]
+    public void CheckBundleVersion_InvalidRequirement_ReturnsFalse()
+    {
+        var bundle = new SecretBundleMetadata("bundle-1", "2024.12", DateTimeOffset.UtcNow, 100);
+        var provider = CreateMockProvider([], bundle);
+        var context = new SecretEvidenceContext(provider);
+
+        SecretSignalBinder.CheckBundleVersion(context, "2025.01").Should().BeFalse();
+    }
+
+    [Fact]
+    public void CreateFindingSummary_NoFindings_ReturnsNoFindingsMessage()
+    {
+        var provider = CreateMockProvider([]);
+        var context = new SecretEvidenceContext(provider);
+
+        var summary = SecretSignalBinder.CreateFindingSummary(context);
+
+        summary.Should().Be("No secret findings detected.");
+    }
+
+    [Fact]
+    public void CreateFindingSummary_WithFindings_ReturnsFormattedSummary()
+    {
+        var findings = new[]
+        {
+            CreateFinding("rule1", "critical"),
+            CreateFinding("rule2", "high"),
+            CreateFinding("rule3", "high"),
+            CreateFinding("rule4", "medium"),
+        };
+        var provider = CreateMockProvider(findings);
+        var context = new SecretEvidenceContext(provider);
+
+        var summary = SecretSignalBinder.CreateFindingSummary(context);
+
+        summary.Should().Contain("4 secret finding(s)");
+        summary.Should().Contain("1 critical");
+        summary.Should().Contain("2 high");
+        summary.Should().Contain("1 medium");
+    }
+
+    private static ISecretEvidenceProvider CreateMockProvider(
+        SecretFinding[] findings,
+        SecretBundleMetadata? bundle = null,
+        bool maskingApplied = true)
+    {
+        var mock = new Mock<ISecretEvidenceProvider>();
+        mock.Setup(p => p.GetFindings()).Returns(findings);
+        mock.Setup(p => p.GetBundleMetadata()).Returns(bundle);
+        mock.Setup(p => p.IsMaskingApplied()).Returns(maskingApplied);
+        return mock.Object;
+    }
+
+    private static SecretFinding CreateFinding(
+        string ruleId,
+        string severity,
+        string confidence = "high")
+    {
+        return new SecretFinding
+        {
+            RuleId = ruleId,
+            RuleVersion = "1.0.0",
+            Severity = severity,
+            Confidence = confidence,
+            FilePath = "test/file.txt",
+            LineNumber = 10,
+            Mask = "***REDACTED***",
+            BundleId = "bundle-1",
+            BundleVersion = "2025.01",
+            DetectedAt = DateTimeOffset.UtcNow,
+        };
+    }
+}
--- a/src/Policy/__Tests/StellaOps.PolicyDsl.Tests/SecretSignalContextExtensionsTests.cs
+++ b/src/Policy/__Tests/StellaOps.PolicyDsl.Tests/SecretSignalContextExtensionsTests.cs
@@ -0,0 +1,182 @@
+// -----------------------------------------------------------------------------
+// SecretSignalContextExtensionsTests.cs
+// Sprint: SPRINT_20260104_004_POLICY (Secret DSL Integration)
+// Task: PSD-011 - Add unit and integration tests
+// -----------------------------------------------------------------------------
+
+using FluentAssertions;
+using Moq;
+using StellaOps.Policy.Secrets;
+using Xunit;
+
+namespace StellaOps.PolicyDsl.Tests;
+
+[Trait("Category", "Unit")]
+public sealed class SecretSignalContextExtensionsTests
+{
+    [Fact]
+    public void WithSecretEvidence_OnSignalContext_AddsAllSignals()
+    {
+        var finding = CreateFinding("stellaops.secrets.aws-key", "critical", "high");
+        var bundle = new SecretBundleMetadata("bundle-1", "2025.06", DateTimeOffset.UtcNow, 100);
+        var provider = CreateMockProvider([finding], bundle, true);
+        var evidenceContext = new SecretEvidenceContext(provider);
+
+        var signalContext = new SignalContext();
+        signalContext.WithSecretEvidence(evidenceContext);
+
+        // Check flat signals
+        signalContext.GetSignal<bool>("secret.has_finding").Should().BeTrue();
+        signalContext.GetSignal<int>("secret.count").Should().Be(1);
+        signalContext.GetSignal<bool>("secret.severity.critical").Should().BeTrue();
+        signalContext.GetSignal<bool>("secret.mask.applied").Should().BeTrue();
+        signalContext.GetSignal<string>("secret.bundle.version").Should().Be("2025.06");
+
+        // Check nested object
+        var secretObj = signalContext.GetSignal("secret") as IDictionary<string, object?>;
+        secretObj.Should().NotBeNull();
+        secretObj!["has_finding"].Should().Be(true);
+    }
+
+    [Fact]
+    public void WithSecretEvidence_OnSignalContextBuilder_AddsAllSignals()
+    {
+        var finding = CreateFinding("stellaops.secrets.github-token", "high", "medium");
+        var provider = CreateMockProvider([finding]);
+        var evidenceContext = new SecretEvidenceContext(provider);
+
+        var context = SignalContext.Builder()
+            .WithSecretEvidence(evidenceContext)
+            .Build();
+
+        context.GetSignal<bool>("secret.has_finding").Should().BeTrue();
+        context.GetSignal<bool>("secret.severity.high").Should().BeTrue();
+        context.GetSignal<bool>("secret.confidence.medium").Should().BeTrue();
+    }
+
+    [Fact]
+    public void WithSecretEvidence_FromProvider_AddsSignals()
+    {
+        var finding = CreateFinding("stellaops.secrets.private-key-rsa", "critical");
+        var provider = CreateMockProvider([finding]);
+
+        var context = SignalContext.Builder()
+            .WithSecretEvidence(provider)
+            .Build();
+
+        context.GetSignal<bool>("secret.has_finding").Should().BeTrue();
+        context.GetSignal<int>("secret.private_key.count").Should().Be(1);
+    }
+
+    [Fact]
+    public void CreateBuilderWithSecrets_ReturnsConfiguredBuilder()
+    {
+        var provider = CreateMockProvider([]);
+        var evidenceContext = new SecretEvidenceContext(provider);
+
+        var builder = SecretSignalContextExtensions.CreateBuilderWithSecrets(evidenceContext);
+        var context = builder.Build();
+
+        context.GetSignal<bool>("secret.has_finding").Should().BeFalse();
+        context.GetSignal<int>("secret.count").Should().Be(0);
+    }
+
+    [Fact]
+    public void CreateContextWithSecrets_ReturnsFullyConfiguredContext()
+    {
+        var findings = new[]
+        {
+            CreateFinding("rule1", "high"),
+            CreateFinding("rule2", "medium"),
+        };
+        var bundle = new SecretBundleMetadata("bundle-1", "2025.06", DateTimeOffset.UtcNow, 50);
+        var provider = CreateMockProvider(findings, bundle);
+        var evidenceContext = new SecretEvidenceContext(provider);
+
+        var context = SecretSignalContextExtensions.CreateContextWithSecrets(evidenceContext);
+
+        context.GetSignal<bool>("secret.has_finding").Should().BeTrue();
+        context.GetSignal<int>("secret.count").Should().Be(2);
+        context.GetSignal<string>("secret.bundle.id").Should().Be("bundle-1");
+    }
+
+    [Fact]
+    public void WithSecretEvidence_NullContext_ThrowsArgumentNullException()
+    {
+        SignalContext context = null!;
+        var provider = CreateMockProvider([]);
+        var evidenceContext = new SecretEvidenceContext(provider);
+
+        var action = () => context.WithSecretEvidence(evidenceContext);
+        action.Should().Throw<ArgumentNullException>();
+    }
+
+    [Fact]
+    public void WithSecretEvidence_NullEvidenceContext_ThrowsArgumentNullException()
+    {
+        var context = new SignalContext();
+        SecretEvidenceContext evidenceContext = null!;
+
+        var action = () => context.WithSecretEvidence(evidenceContext);
+        action.Should().Throw<ArgumentNullException>();
+    }
+
+    [Fact]
+    public void SignalContext_CanCombineSecretSignalsWithOtherSignals()
+    {
+        var finding = CreateFinding("rule1", "high");
+        var provider = CreateMockProvider([finding]);
+        var evidenceContext = new SecretEvidenceContext(provider);
+
+        var context = SignalContext.Builder()
+            .WithFlag("custom.flag", true)
+            .WithNumber("custom.score", 0.85m)
+            .WithSecretEvidence(evidenceContext)
+            .WithFinding("high", 0.9m, "CVE-2025-1234")
+            .Build();
+
+        // Custom signals preserved
+        context.GetSignal<bool>("custom.flag").Should().BeTrue();
+        context.GetSignal<decimal>("custom.score").Should().Be(0.85m);
+
+        // Secret signals added
+        context.GetSignal<bool>("secret.has_finding").Should().BeTrue();
+
+        // Other builder methods work
+        var finding2 = context.GetSignal("finding") as IDictionary<string, object?>;
+        finding2.Should().NotBeNull();
+        finding2!["severity"].Should().Be("high");
+    }
+
+    private static ISecretEvidenceProvider CreateMockProvider(
+        SecretFinding[] findings,
+        SecretBundleMetadata? bundle = null,
+        bool maskingApplied = true)
+    {
+        var mock = new Mock<ISecretEvidenceProvider>();
+        mock.Setup(p => p.GetFindings()).Returns(findings);
+        mock.Setup(p => p.GetBundleMetadata()).Returns(bundle);
+        mock.Setup(p => p.IsMaskingApplied()).Returns(maskingApplied);
+        return mock.Object;
+    }
+
+    private static SecretFinding CreateFinding(
+        string ruleId,
+        string severity,
+        string confidence = "high")
+    {
+        return new SecretFinding
+        {
+            RuleId = ruleId,
+            RuleVersion = "1.0.0",
+            Severity = severity,
+            Confidence = confidence,
+            FilePath = "test/file.txt",
+            LineNumber = 10,
+            Mask = "***REDACTED***",
+            BundleId = "bundle-1",
+            BundleVersion = "2025.01",
+            DetectedAt = DateTimeOffset.UtcNow,
+        };
+    }
+}
--- a/src/Policy/__Tests/StellaOps.PolicyDsl.Tests/StellaOps.PolicyDsl.Tests.csproj
+++ b/src/Policy/__Tests/StellaOps.PolicyDsl.Tests/StellaOps.PolicyDsl.Tests.csproj
@@ -11,9 +11,10 @@
    <!-- Disable Concelier test infra to avoid duplicate package references -->
  </PropertyGroup>
  <ItemGroup>
-<PackageReference Include="FluentAssertions" />
+    <PackageReference Include="FluentAssertions" />
    <PackageReference Include="FsCheck" />
    <PackageReference Include="FsCheck.Xunit.v3" />
+    <PackageReference Include="Moq" />
  </ItemGroup>

  <ItemGroup>
--- a/src/Scheduler/StellaOps.Scheduler.WebService/EventWebhooks/InMemoryWebhookRateLimiter.cs
+++ b/src/Scheduler/StellaOps.Scheduler.WebService/EventWebhooks/InMemoryWebhookRateLimiter.cs
@@ -7,9 +7,15 @@ namespace StellaOps.Scheduler.WebService.EventWebhooks;
 internal sealed class InMemoryWebhookRateLimiter : IWebhookRateLimiter, IDisposable
 {
    private readonly MemoryCache _cache = new(new MemoryCacheOptions());
+    private readonly TimeProvider _timeProvider;

    private readonly object _mutex = new();

+    public InMemoryWebhookRateLimiter(TimeProvider? timeProvider = null)
+    {
+        _timeProvider = timeProvider ?? TimeProvider.System;
+    }
+
    public bool TryAcquire(string key, int limit, TimeSpan window, out TimeSpan retryAfter)
    {
        if (limit <= 0)
@@ -19,7 +25,7 @@ internal sealed class InMemoryWebhookRateLimiter : IWebhookRateLimiter, IDisposa
        }

        retryAfter = TimeSpan.Zero;
-        var now = DateTimeOffset.UtcNow;
+        var now = _timeProvider.GetUtcNow();

        lock (_mutex)
        {
--- a/src/Scheduler/StellaOps.Scheduler.WebService/GraphJobs/GraphJobService.cs
+++ b/src/Scheduler/StellaOps.Scheduler.WebService/GraphJobs/GraphJobService.cs
@@ -8,18 +8,18 @@ namespace StellaOps.Scheduler.WebService.GraphJobs;
 internal sealed class GraphJobService : IGraphJobService
 {
    private readonly IGraphJobStore _store;
-    private readonly ISystemClock _clock;
+    private readonly TimeProvider _timeProvider;
    private readonly IGraphJobCompletionPublisher _completionPublisher;
    private readonly ICartographerWebhookClient _cartographerWebhook;

    public GraphJobService(
        IGraphJobStore store,
-        ISystemClock clock,
+        TimeProvider timeProvider,
        IGraphJobCompletionPublisher completionPublisher,
        ICartographerWebhookClient cartographerWebhook)
    {
        _store = store ?? throw new ArgumentNullException(nameof(store));
-        _clock = clock ?? throw new ArgumentNullException(nameof(clock));
+        _timeProvider = timeProvider ?? throw new ArgumentNullException(nameof(timeProvider));
        _completionPublisher = completionPublisher ?? throw new ArgumentNullException(nameof(completionPublisher));
        _cartographerWebhook = cartographerWebhook ?? throw new ArgumentNullException(nameof(cartographerWebhook));
    }
@@ -31,7 +31,7 @@ internal sealed class GraphJobService : IGraphJobService
        var trigger = request.Trigger ?? GraphBuildJobTrigger.SbomVersion;
        var metadata = request.Metadata ?? new Dictionary<string, string>(StringComparer.Ordinal);

-        var now = _clock.UtcNow;
+        var now = _timeProvider.GetUtcNow();
        var id = GenerateIdentifier("gbj");
        var job = new GraphBuildJob(
            id,
@@ -65,7 +65,7 @@ internal sealed class GraphJobService : IGraphJobService
        var metadata = request.Metadata ?? new Dictionary<string, string>(StringComparer.Ordinal);
        var trigger = request.Trigger ?? GraphOverlayJobTrigger.Policy;

-        var now = _clock.UtcNow;
+        var now = _timeProvider.GetUtcNow();
        var id = GenerateIdentifier("goj");

        var job = new GraphOverlayJob(
@@ -98,7 +98,7 @@ internal sealed class GraphJobService : IGraphJobService
            throw new ValidationException("Completion requires status completed, failed, or cancelled.");
        }

-        var occurredAt = request.OccurredAt == default ? _clock.UtcNow : request.OccurredAt.ToUniversalTime();
+        var occurredAt = request.OccurredAt == default ? _timeProvider.GetUtcNow() : request.OccurredAt.ToUniversalTime();
        var graphSnapshotId = Normalize(request.GraphSnapshotId);
        var correlationId = Normalize(request.CorrelationId);
        var resultUri = Normalize(request.ResultUri);
@@ -369,7 +369,7 @@ internal sealed class GraphJobService : IGraphJobService

    public async Task<OverlayLagMetricsResponse> GetOverlayLagMetricsAsync(string tenantId, CancellationToken cancellationToken)
    {
-        var now = _clock.UtcNow;
+        var now = _timeProvider.GetUtcNow();
        var overlayJobs = await _store.GetOverlayJobsAsync(tenantId, cancellationToken);

        var pending = overlayJobs.Count(job => job.Status == GraphJobStatus.Pending);
--- a/src/Scheduler/StellaOps.Scheduler.WebService/ISystemClock.cs
+++ b/src/Scheduler/StellaOps.Scheduler.WebService/ISystemClock.cs
@@ -1,11 +1,26 @@
 namespace StellaOps.Scheduler.WebService;

+/// <summary>
+/// Legacy system clock interface. Prefer using TimeProvider instead.
+/// </summary>
+[Obsolete("Use TimeProvider instead. This interface is retained for backward compatibility.")]
 public interface ISystemClock
 {
    DateTimeOffset UtcNow { get; }
 }

+/// <summary>
+/// Legacy system clock implementation. Prefer using TimeProvider instead.
+/// </summary>
+[Obsolete("Use TimeProvider instead. This class is retained for backward compatibility.")]
 public sealed class SystemClock : ISystemClock
 {
-    public DateTimeOffset UtcNow => DateTimeOffset.UtcNow;
+    private readonly TimeProvider _timeProvider;
+
+    public SystemClock(TimeProvider? timeProvider = null)
+    {
+        _timeProvider = timeProvider ?? TimeProvider.System;
+    }
+
+    public DateTimeOffset UtcNow => _timeProvider.GetUtcNow();
 }
--- a/src/Scheduler/StellaOps.Scheduler.WebService/PolicyRuns/InMemoryPolicyRunService.cs
+++ b/src/Scheduler/StellaOps.Scheduler.WebService/PolicyRuns/InMemoryPolicyRunService.cs
@@ -1,6 +1,7 @@
 using System.Collections.Concurrent;
 using System.Collections.Immutable;
 using System.ComponentModel.DataAnnotations;
+using StellaOps.Determinism;
 using StellaOps.Scheduler.Models;

 namespace StellaOps.Scheduler.WebService.PolicyRuns;
@@ -10,6 +11,14 @@ internal sealed class InMemoryPolicyRunService : IPolicyRunService
    private readonly ConcurrentDictionary<string, PolicyRunStatus> _runs = new(StringComparer.Ordinal);
    private readonly List<PolicyRunStatus> _orderedRuns = new();
    private readonly object _gate = new();
+    private readonly TimeProvider _timeProvider;
+    private readonly IGuidProvider _guidProvider;
+
+    public InMemoryPolicyRunService(TimeProvider? timeProvider = null, IGuidProvider? guidProvider = null)
+    {
+        _timeProvider = timeProvider ?? TimeProvider.System;
+        _guidProvider = guidProvider ?? SystemGuidProvider.Instance;
+    }

    public Task<PolicyRunStatus> EnqueueAsync(string tenantId, PolicyRunRequest request, CancellationToken cancellationToken)
    {
@@ -17,11 +26,12 @@ internal sealed class InMemoryPolicyRunService : IPolicyRunService
        ArgumentNullException.ThrowIfNull(request);
        cancellationToken.ThrowIfCancellationRequested();

+        var now = _timeProvider.GetUtcNow();
        var runId = string.IsNullOrWhiteSpace(request.RunId)
-            ? GenerateRunId(request.PolicyId, request.QueuedAt ?? DateTimeOffset.UtcNow)
+            ? GenerateRunId(request.PolicyId, request.QueuedAt ?? now)
            : request.RunId;

-        var queuedAt = request.QueuedAt ?? DateTimeOffset.UtcNow;
+        var queuedAt = request.QueuedAt ?? now;

        var status = new PolicyRunStatus(
            runId,
@@ -152,7 +162,7 @@ internal sealed class InMemoryPolicyRunService : IPolicyRunService
            }

            var cancellationReason = NormalizeCancellationReason(reason);
-            var now = DateTimeOffset.UtcNow;
+            var now = _timeProvider.GetUtcNow();
            updated = existing with
            {
                Status = PolicyRunExecutionStatus.Cancelled,
@@ -206,17 +216,17 @@ internal sealed class InMemoryPolicyRunService : IPolicyRunService
            runId: null,
            policyVersion: existing.PolicyVersion,
            requestedBy: NormalizeActor(requestedBy),
-            queuedAt: DateTimeOffset.UtcNow,
+            queuedAt: _timeProvider.GetUtcNow(),
            correlationId: null,
            metadata: metadataBuilder.ToImmutable());

        return await EnqueueAsync(tenantId, request, cancellationToken).ConfigureAwait(false);
    }

-    private static string GenerateRunId(string policyId, DateTimeOffset timestamp)
+    private string GenerateRunId(string policyId, DateTimeOffset timestamp)
    {
        var normalizedPolicyId = string.IsNullOrWhiteSpace(policyId) ? "policy" : policyId.Trim();
-        var suffix = Guid.NewGuid().ToString("N")[..8];
+        var suffix = _guidProvider.NewGuid().ToString("N")[..8];
        return $"run:{normalizedPolicyId}:{timestamp:yyyyMMddTHHmmssZ}:{suffix}";
    }

--- a/src/Scheduler/StellaOps.Scheduler.WebService/Program.cs
+++ b/src/Scheduler/StellaOps.Scheduler.WebService/Program.cs
@@ -29,7 +29,7 @@ using StellaOps.Router.AspNet;
 var builder = WebApplication.CreateBuilder(args);

 builder.Services.AddRouting(options => options.LowercaseUrls = true);
-builder.Services.AddSingleton<StellaOps.Scheduler.WebService.ISystemClock, StellaOps.Scheduler.WebService.SystemClock>();
+// TimeProvider.System is registered here for deterministic time support
 builder.Services.TryAddSingleton(TimeProvider.System);

 var authorityOptions = new SchedulerAuthorityOptions();
--- a/src/Scheduler/StellaOps.Scheduler.WebService/SchedulerEndpointHelpers.cs
+++ b/src/Scheduler/StellaOps.Scheduler.WebService/SchedulerEndpointHelpers.cs
@@ -1,6 +1,7 @@
 using System.ComponentModel.DataAnnotations;
 using System.Globalization;
 using System.Text;
+using StellaOps.Determinism;
 using StellaOps.Scheduler.Models;
 using StellaOps.Scheduler.Persistence.Postgres.Repositories;

@@ -13,14 +14,15 @@ internal static class SchedulerEndpointHelpers
    private const string ActorKindHeader = "X-Actor-Kind";
    private const string TenantHeader = "X-Tenant-Id";

-    public static string GenerateIdentifier(string prefix)
+    public static string GenerateIdentifier(string prefix, IGuidProvider? guidProvider = null)
    {
        if (string.IsNullOrWhiteSpace(prefix))
        {
            throw new ArgumentException("Prefix must be provided.", nameof(prefix));
        }

-        return $"{prefix.Trim()}_{Guid.NewGuid():N}";
+        var guid = (guidProvider ?? SystemGuidProvider.Instance).NewGuid();
+        return $"{prefix.Trim()}_{guid:N}";
    }

    public static string ResolveActorId(HttpContext context)
--- a/src/Scheduler/StellaOps.Scheduler.WebService/Schedules/InMemorySchedulerServices.cs
+++ b/src/Scheduler/StellaOps.Scheduler.WebService/Schedules/InMemorySchedulerServices.cs
@@ -124,11 +124,22 @@ internal sealed class InMemoryRunSummaryService : IRunSummaryService

 internal sealed class InMemorySchedulerAuditService : ISchedulerAuditService
 {
+    private readonly TimeProvider _timeProvider;
+    private readonly StellaOps.Determinism.IGuidProvider _guidProvider;
+
+    public InMemorySchedulerAuditService(
+        TimeProvider? timeProvider = null,
+        StellaOps.Determinism.IGuidProvider? guidProvider = null)
+    {
+        _timeProvider = timeProvider ?? TimeProvider.System;
+        _guidProvider = guidProvider ?? StellaOps.Determinism.SystemGuidProvider.Instance;
+    }
+
    public Task<AuditRecord> WriteAsync(SchedulerAuditEvent auditEvent, CancellationToken cancellationToken = default)
    {
-        var occurredAt = auditEvent.OccurredAt ?? DateTimeOffset.UtcNow;
+        var occurredAt = auditEvent.OccurredAt ?? _timeProvider.GetUtcNow();
        var record = new AuditRecord(
-            auditEvent.AuditId ?? $"audit_{Guid.NewGuid():N}",
+            auditEvent.AuditId ?? $"audit_{_guidProvider.NewGuid():N}",
            auditEvent.TenantId,
            auditEvent.Category,
            auditEvent.Action,
--- a/src/Scheduler/StellaOps.Scheduler.WebService/StellaOps.Scheduler.WebService.csproj
+++ b/src/Scheduler/StellaOps.Scheduler.WebService/StellaOps.Scheduler.WebService.csproj
@@ -15,6 +15,7 @@
    <ProjectReference Include="../__Libraries/StellaOps.Scheduler.Queue/StellaOps.Scheduler.Queue.csproj" />
    <ProjectReference Include="../__Libraries/StellaOps.Scheduler.Persistence/StellaOps.Scheduler.Persistence.csproj" />
    <ProjectReference Include="../../__Libraries/StellaOps.Cryptography/StellaOps.Cryptography.csproj" />
+    <ProjectReference Include="../../__Libraries/StellaOps.Determinism.Abstractions/StellaOps.Determinism.Abstractions.csproj" />
    <ProjectReference Include="../../__Libraries/StellaOps.Plugin/StellaOps.Plugin.csproj" />
    <ProjectReference Include="../../Authority/StellaOps.Authority/StellaOps.Auth.Abstractions/StellaOps.Auth.Abstractions.csproj" />
    <ProjectReference Include="../../Authority/StellaOps.Authority/StellaOps.Auth.ServerIntegration/StellaOps.Auth.ServerIntegration.csproj" />
--- a/src/Scheduler/__Libraries/StellaOps.Scheduler.Persistence/Postgres/Repositories/FailureSignatureRepository.cs
+++ b/src/Scheduler/__Libraries/StellaOps.Scheduler.Persistence/Postgres/Repositories/FailureSignatureRepository.cs
@@ -1,5 +1,6 @@
 using Microsoft.Extensions.Logging;
 using Npgsql;
+using StellaOps.Determinism;
 using StellaOps.Infrastructure.Postgres.Repositories;
 using StellaOps.Scheduler.Persistence.Postgres.Models;

@@ -10,12 +11,21 @@ namespace StellaOps.Scheduler.Persistence.Postgres.Repositories;
 /// </summary>
 public sealed class FailureSignatureRepository : RepositoryBase<SchedulerDataSource>, IFailureSignatureRepository
 {
+    private readonly TimeProvider _timeProvider;
+    private readonly IGuidProvider _guidProvider;
+
    /// <summary>
    /// Creates a new failure signature repository.
    /// </summary>
-    public FailureSignatureRepository(SchedulerDataSource dataSource, ILogger<FailureSignatureRepository> logger)
+    public FailureSignatureRepository(
+        SchedulerDataSource dataSource,
+        ILogger<FailureSignatureRepository> logger,
+        TimeProvider? timeProvider = null,
+        IGuidProvider? guidProvider = null)
        : base(dataSource, logger)
    {
+        _timeProvider = timeProvider ?? TimeProvider.System;
+        _guidProvider = guidProvider ?? SystemGuidProvider.Instance;
    }

    /// <inheritdoc />
@@ -332,7 +342,7 @@ public sealed class FailureSignatureRepository : RepositoryBase<SchedulerDataSou
              AND resolved_at < @cutoff
            """;

-        var cutoff = DateTimeOffset.UtcNow.Subtract(olderThan);
+        var cutoff = _timeProvider.GetUtcNow().Subtract(olderThan);

        await using var connection = await DataSource.OpenConnectionAsync(tenantId, "writer", cancellationToken)
            .ConfigureAwait(false);
@@ -389,7 +399,7 @@ public sealed class FailureSignatureRepository : RepositoryBase<SchedulerDataSou

    private void AddSignatureParameters(NpgsqlCommand command, FailureSignatureEntity signature)
    {
-        AddParameter(command, "signature_id", signature.SignatureId == Guid.Empty ? Guid.NewGuid() : signature.SignatureId);
+        AddParameter(command, "signature_id", signature.SignatureId == Guid.Empty ? _guidProvider.NewGuid() : signature.SignatureId);
        AddParameter(command, "tenant_id", signature.TenantId);
        AddParameter(command, "scope_type", signature.ScopeType.ToString().ToLowerInvariant());
        AddParameter(command, "scope_id", signature.ScopeId);
--- a/src/Scheduler/__Libraries/StellaOps.Scheduler.Persistence/Postgres/Repositories/ImpactSnapshotRepository.cs
+++ b/src/Scheduler/__Libraries/StellaOps.Scheduler.Persistence/Postgres/Repositories/ImpactSnapshotRepository.cs
@@ -1,5 +1,6 @@
 using System.Text.Json;
 using Dapper;
+using StellaOps.Determinism;
 using StellaOps.Scheduler.Models;
 using StellaOps.Infrastructure.Postgres.Connections;

@@ -8,11 +9,13 @@ namespace StellaOps.Scheduler.Persistence.Postgres.Repositories;
 public sealed class ImpactSnapshotRepository : IImpactSnapshotRepository
 {
    private readonly SchedulerDataSource _dataSource;
+    private readonly IGuidProvider _guidProvider;
    private readonly JsonSerializerOptions _serializer = CanonicalJsonSerializer.Settings;

-    public ImpactSnapshotRepository(SchedulerDataSource dataSource)
+    public ImpactSnapshotRepository(SchedulerDataSource dataSource, IGuidProvider? guidProvider = null)
    {
        _dataSource = dataSource ?? throw new ArgumentNullException(nameof(dataSource));
+        _guidProvider = guidProvider ?? SystemGuidProvider.Instance;
    }

    public async Task UpsertAsync(ImpactSet snapshot, CancellationToken cancellationToken = default)
@@ -29,7 +32,7 @@ ON CONFLICT (snapshot_id) DO UPDATE SET impact = EXCLUDED.impact;

        await conn.ExecuteAsync(sql, new
        {
-            SnapshotId = snapshot.SnapshotId ?? $"impact::{Guid.NewGuid():N}",
+            SnapshotId = snapshot.SnapshotId ?? $"impact::{_guidProvider.NewGuid():N}",
            TenantId = tenantId,
            Impact = JsonSerializer.Serialize(snapshot, _serializer)
        });
--- a/src/Scheduler/__Libraries/StellaOps.Scheduler.Persistence/Postgres/Repositories/JobRepository.cs
+++ b/src/Scheduler/__Libraries/StellaOps.Scheduler.Persistence/Postgres/Repositories/JobRepository.cs
@@ -1,5 +1,6 @@
 using Microsoft.Extensions.Logging;
 using Npgsql;
+using StellaOps.Determinism;
 using StellaOps.Infrastructure.Postgres.Repositories;
 using StellaOps.Scheduler.Persistence.Postgres.Models;

@@ -10,12 +11,21 @@ namespace StellaOps.Scheduler.Persistence.Postgres.Repositories;
 /// </summary>
 public sealed class JobRepository : RepositoryBase<SchedulerDataSource>, IJobRepository
 {
+    private readonly TimeProvider _timeProvider;
+    private readonly IGuidProvider _guidProvider;
+
    /// <summary>
    /// Creates a new job repository.
    /// </summary>
-    public JobRepository(SchedulerDataSource dataSource, ILogger<JobRepository> logger)
+    public JobRepository(
+        SchedulerDataSource dataSource,
+        ILogger<JobRepository> logger,
+        TimeProvider? timeProvider = null,
+        IGuidProvider? guidProvider = null)
        : base(dataSource, logger)
    {
+        _timeProvider = timeProvider ?? TimeProvider.System;
+        _guidProvider = guidProvider ?? SystemGuidProvider.Instance;
    }

    /// <inheritdoc />
@@ -123,8 +133,8 @@ public sealed class JobRepository : RepositoryBase<SchedulerDataSource>, IJobRep
        TimeSpan leaseDuration,
        CancellationToken cancellationToken = default)
    {
-        var leaseId = Guid.NewGuid();
-        var leaseUntil = DateTimeOffset.UtcNow.Add(leaseDuration);
+        var leaseId = _guidProvider.NewGuid();
+        var leaseUntil = _timeProvider.GetUtcNow().Add(leaseDuration);

        const string sql = """
            UPDATE scheduler.jobs
--- a/src/Scheduler/__Libraries/StellaOps.Scheduler.Persistence/Postgres/Repositories/TriggerRepository.cs
+++ b/src/Scheduler/__Libraries/StellaOps.Scheduler.Persistence/Postgres/Repositories/TriggerRepository.cs
@@ -1,5 +1,6 @@
 using Microsoft.Extensions.Logging;
 using Npgsql;
+using StellaOps.Determinism;
 using StellaOps.Infrastructure.Postgres.Repositories;
 using StellaOps.Scheduler.Persistence.Postgres.Models;

@@ -10,12 +11,18 @@ namespace StellaOps.Scheduler.Persistence.Postgres.Repositories;
 /// </summary>
 public sealed class TriggerRepository : RepositoryBase<SchedulerDataSource>, ITriggerRepository
 {
+    private readonly IGuidProvider _guidProvider;
+
    /// <summary>
    /// Creates a new trigger repository.
    /// </summary>
-    public TriggerRepository(SchedulerDataSource dataSource, ILogger<TriggerRepository> logger)
+    public TriggerRepository(
+        SchedulerDataSource dataSource,
+        ILogger<TriggerRepository> logger,
+        IGuidProvider? guidProvider = null)
        : base(dataSource, logger)
    {
+        _guidProvider = guidProvider ?? SystemGuidProvider.Instance;
    }

    /// <inheritdoc />
@@ -125,7 +132,7 @@ public sealed class TriggerRepository : RepositoryBase<SchedulerDataSource>, ITr
            RETURNING *
            """;

-        var id = trigger.Id == Guid.Empty ? Guid.NewGuid() : trigger.Id;
+        var id = trigger.Id == Guid.Empty ? _guidProvider.NewGuid() : trigger.Id;
        await using var connection = await DataSource.OpenConnectionAsync(trigger.TenantId, "writer", cancellationToken)
            .ConfigureAwait(false);
        await using var command = CreateCommand(sql, connection);
--- a/src/Scheduler/__Libraries/StellaOps.Scheduler.Persistence/StellaOps.Scheduler.Persistence.csproj
+++ b/src/Scheduler/__Libraries/StellaOps.Scheduler.Persistence/StellaOps.Scheduler.Persistence.csproj
@@ -24,6 +24,7 @@

  <ItemGroup>
    <ProjectReference Include="..\StellaOps.Scheduler.Models\StellaOps.Scheduler.Models.csproj" />
+    <ProjectReference Include="..\..\..\__Libraries\StellaOps.Determinism.Abstractions\StellaOps.Determinism.Abstractions.csproj" />
    <ProjectReference Include="..\..\..\__Libraries\StellaOps.Infrastructure.Postgres\StellaOps.Infrastructure.Postgres.csproj" />
    <ProjectReference Include="..\..\..\__Libraries\StellaOps.Infrastructure.EfCore\StellaOps.Infrastructure.EfCore.csproj" />
  </ItemGroup>
--- a/src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/Attestor/BundleRotationJob.cs
+++ b/src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/Attestor/BundleRotationJob.cs
@@ -227,15 +227,18 @@ public sealed class BundleRotationJob : IBundleRotationScheduler
    private readonly IAttestorBundleClient _bundleClient;
    private readonly BundleRotationOptions _options;
    private readonly ILogger<BundleRotationJob> _logger;
+    private readonly TimeProvider _timeProvider;

    public BundleRotationJob(
        IAttestorBundleClient bundleClient,
        IOptions<BundleRotationOptions> options,
-        ILogger<BundleRotationJob> logger)
+        ILogger<BundleRotationJob> logger,
+        TimeProvider? timeProvider = null)
    {
        _bundleClient = bundleClient ?? throw new ArgumentNullException(nameof(bundleClient));
        _options = options?.Value ?? throw new ArgumentNullException(nameof(options));
        _logger = logger ?? throw new ArgumentNullException(nameof(logger));
+        _timeProvider = timeProvider ?? TimeProvider.System;
    }

    /// <summary>
@@ -275,7 +278,7 @@ public sealed class BundleRotationJob : IBundleRotationScheduler
        string triggeredBy,
        CancellationToken ct = default)
    {
-        var startedAt = DateTimeOffset.UtcNow;
+        var startedAt = _timeProvider.GetUtcNow();
        var results = new List<BundleRotationResult>();
        var sw = Stopwatch.StartNew();

@@ -330,7 +333,7 @@ public sealed class BundleRotationJob : IBundleRotationScheduler
        }

        sw.Stop();
-        var completedAt = DateTimeOffset.UtcNow;
+        var completedAt = _timeProvider.GetUtcNow();

        var summary = new BundleRotationSummary(
            StartedAt: startedAt,
@@ -417,7 +420,7 @@ public sealed class BundleRotationJob : IBundleRotationScheduler
    /// <inheritdoc/>
    public async Task<int> ApplyRetentionPolicyAsync(CancellationToken ct = default)
    {
-        var cutoffDate = DateTimeOffset.UtcNow.AddMonths(-_options.RetentionMonths);
+        var cutoffDate = _timeProvider.GetUtcNow().AddMonths(-_options.RetentionMonths);

        _logger.LogInformation(
            "Applying retention policy. Deleting bundles created before {Cutoff}",
@@ -456,7 +459,7 @@ public sealed class BundleRotationJob : IBundleRotationScheduler

    private (DateTimeOffset start, DateTimeOffset end) GetCurrentBundlePeriod()
    {
-        var now = DateTimeOffset.UtcNow;
+        var now = _timeProvider.GetUtcNow();

        return _options.Cadence switch
        {
--- a/src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/Console/EvidenceBundleCoordinator.cs
+++ b/src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/Console/EvidenceBundleCoordinator.cs
@@ -472,10 +472,17 @@ public sealed class InMemoryEvidenceBundleJobQueue : IEvidenceBundleJobQueue
 public sealed class InMemoryEvidenceBundleStore : IEvidenceBundleStore
 {
    private readonly ConcurrentDictionary<string, StoredBundle> _bundles = new();
+    private readonly TimeProvider _timeProvider;
+
+    public InMemoryEvidenceBundleStore(TimeProvider? timeProvider = null)
+    {
+        _timeProvider = timeProvider ?? TimeProvider.System;
+    }

    public ValueTask StoreBundleAsync(string tenantId, string idempotencyKey, GeneratedBundle bundle, CancellationToken cancellationToken = default)
    {
        var key = $"{tenantId}:{idempotencyKey}";
+        var now = _timeProvider.GetUtcNow();
        var stored = new StoredBundle(
            bundle.BundleId,
            tenantId,
@@ -483,8 +490,8 @@ public sealed class InMemoryEvidenceBundleStore : IEvidenceBundleStore
            bundle.StorageUri,
            bundle.SizeBytes,
            BundleStatus.Completed,
-            DateTimeOffset.UtcNow,
-            DateTimeOffset.UtcNow.AddDays(7));
+            now,
+            now.AddDays(7));

        _bundles[key] = stored;
        return ValueTask.CompletedTask;
@@ -498,7 +505,7 @@ public sealed class InMemoryEvidenceBundleStore : IEvidenceBundleStore

    public ValueTask<int> CleanupExpiredAsync(TimeSpan maxAge, CancellationToken cancellationToken = default)
    {
-        var cutoff = DateTimeOffset.UtcNow - maxAge;
+        var cutoff = _timeProvider.GetUtcNow() - maxAge;
        var toRemove = _bundles
            .Where(kvp => kvp.Value.CreatedAt < cutoff)
            .Select(kvp => kvp.Key)
@@ -551,8 +558,15 @@ public sealed class InMemoryJobManifestProvider : IJobManifestProvider
 /// </summary>
 public sealed class NullEvidenceBundleGenerator : IEvidenceBundleGenerator
 {
+    private readonly TimeProvider _timeProvider;
+
    public static NullEvidenceBundleGenerator Instance { get; } = new();

+    public NullEvidenceBundleGenerator(TimeProvider? timeProvider = null)
+    {
+        _timeProvider = timeProvider ?? TimeProvider.System;
+    }
+
    public ValueTask<GeneratedBundle> GenerateAsync(EvidenceBundleJob job, CancellationToken cancellationToken = default)
    {
        return ValueTask.FromResult(new GeneratedBundle(
@@ -563,6 +577,6 @@ public sealed class NullEvidenceBundleGenerator : IEvidenceBundleGenerator
            ChecksumAlgorithm: "SHA256",
            BundleType: job.BundleType,
            ArtifactCount: job.ArtifactIds.Length,
-            GeneratedAt: DateTimeOffset.UtcNow));
+            GeneratedAt: _timeProvider.GetUtcNow()));
    }
 }
--- a/src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/Console/ProgressStreamingWorker.cs
+++ b/src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/Console/ProgressStreamingWorker.cs
@@ -345,15 +345,17 @@ public sealed class InMemoryProgressEventDeduplicator : IProgressEventDeduplicat
 {
    private readonly ConcurrentDictionary<string, DateTimeOffset> _processed = new();
    private readonly TimeSpan _retentionPeriod;
+    private readonly TimeProvider _timeProvider;

-    public InMemoryProgressEventDeduplicator(TimeSpan? retentionPeriod = null)
+    public InMemoryProgressEventDeduplicator(TimeSpan? retentionPeriod = null, TimeProvider? timeProvider = null)
    {
        _retentionPeriod = retentionPeriod ?? TimeSpan.FromMinutes(30);
+        _timeProvider = timeProvider ?? TimeProvider.System;
    }

    public ValueTask<bool> TryMarkAsProcessedAsync(string eventId, CancellationToken cancellationToken = default)
    {
-        var now = DateTimeOffset.UtcNow;
+        var now = _timeProvider.GetUtcNow();

        // Clean up old entries periodically
        if (_processed.Count > 10000)
--- a/src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/Events/SchedulerEventPublisher.cs
+++ b/src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/Events/SchedulerEventPublisher.cs
@@ -37,6 +37,7 @@ internal sealed class SchedulerEventPublisher : ISchedulerEventPublisher
    private readonly INotifyEventQueue _queue;
    private readonly NotifyEventQueueOptions _queueOptions;
    private readonly TimeProvider _timeProvider;
+    private readonly StellaOps.Determinism.IGuidProvider _guidProvider;
    private readonly ILogger<SchedulerEventPublisher> _logger;
    private readonly string _stream;

@@ -44,11 +45,13 @@ internal sealed class SchedulerEventPublisher : ISchedulerEventPublisher
        INotifyEventQueue queue,
        NotifyEventQueueOptions queueOptions,
        TimeProvider timeProvider,
-        ILogger<SchedulerEventPublisher> logger)
+        ILogger<SchedulerEventPublisher> logger,
+        StellaOps.Determinism.IGuidProvider? guidProvider = null)
    {
        _queue = queue ?? throw new ArgumentNullException(nameof(queue));
        _queueOptions = queueOptions ?? throw new ArgumentNullException(nameof(queueOptions));
        _timeProvider = timeProvider ?? TimeProvider.System;
+        _guidProvider = guidProvider ?? StellaOps.Determinism.SystemGuidProvider.Instance;
        _logger = logger ?? throw new ArgumentNullException(nameof(logger));
        _stream = ResolveStream(queueOptions);
    }
@@ -76,7 +79,7 @@ internal sealed class SchedulerEventPublisher : ISchedulerEventPublisher
        var attributes = BuildReportAttributes(run, message, result, impactImage);

        var notifyEvent = NotifyEvent.Create(
-            eventId: Guid.NewGuid(),
+            eventId: _guidProvider.NewGuid(),
            kind: NotifyEventKinds.ScannerReportReady,
            tenant: run.TenantId,
            ts: occurredAt,
@@ -110,7 +113,7 @@ internal sealed class SchedulerEventPublisher : ISchedulerEventPublisher
        var attributes = BuildRescanAttributes(run, message, deltas, impactLookup);

        var notifyEvent = NotifyEvent.Create(
-            eventId: Guid.NewGuid(),
+            eventId: _guidProvider.NewGuid(),
            kind: NotifyEventKinds.SchedulerRescanDelta,
            tenant: run.TenantId,
            ts: now,
--- a/src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/Exception/ExpiringNotificationWorker.cs
+++ b/src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/Exception/ExpiringNotificationWorker.cs
@@ -276,8 +276,17 @@ public sealed record ExpiringDigestEntry(
 /// </summary>
 public sealed class NullExpiringDigestService : IExpiringDigestService
 {
+    private readonly TimeProvider _timeProvider;
+    private readonly StellaOps.Determinism.IGuidProvider _guidProvider;
+
    public static NullExpiringDigestService Instance { get; } = new();

+    public NullExpiringDigestService(TimeProvider? timeProvider = null, StellaOps.Determinism.IGuidProvider? guidProvider = null)
+    {
+        _timeProvider = timeProvider ?? TimeProvider.System;
+        _guidProvider = guidProvider ?? StellaOps.Determinism.SystemGuidProvider.Instance;
+    }
+
    public ValueTask<ExpiringDigest> GenerateDigestAsync(
        string tenantId,
        IReadOnlyList<ExceptionRecord> expiringExceptions,
@@ -285,9 +294,9 @@ public sealed class NullExpiringDigestService : IExpiringDigestService
        CancellationToken cancellationToken = default)
    {
        var digest = new ExpiringDigest(
-            DigestId: Guid.NewGuid().ToString("N"),
+            DigestId: _guidProvider.NewGuid().ToString("N"),
            TenantId: tenantId,
-            GeneratedAt: DateTimeOffset.UtcNow,
+            GeneratedAt: _timeProvider.GetUtcNow(),
            WindowEnd: windowEnd,
            TotalCount: expiringExceptions.Count,
            CriticalCount: 0,
--- a/src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/Execution/HttpScannerReportClient.cs
+++ b/src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/Execution/HttpScannerReportClient.cs
@@ -21,15 +21,18 @@ internal sealed class HttpScannerReportClient : IScannerReportClient
    private readonly HttpClient _httpClient;
    private readonly IOptions<SchedulerWorkerOptions> _options;
    private readonly ILogger<HttpScannerReportClient> _logger;
+    private readonly StellaOps.Determinism.IGuidProvider _guidProvider;

    public HttpScannerReportClient(
        HttpClient httpClient,
        IOptions<SchedulerWorkerOptions> options,
-        ILogger<HttpScannerReportClient> logger)
+        ILogger<HttpScannerReportClient> logger,
+        StellaOps.Determinism.IGuidProvider? guidProvider = null)
    {
        _httpClient = httpClient ?? throw new ArgumentNullException(nameof(httpClient));
        _options = options ?? throw new ArgumentNullException(nameof(options));
        _logger = logger ?? throw new ArgumentNullException(nameof(logger));
+        _guidProvider = guidProvider ?? StellaOps.Determinism.SystemGuidProvider.Instance;
    }

    public async Task<RunnerImageResult> ExecuteAsync(
@@ -151,13 +154,13 @@ internal sealed class HttpScannerReportClient : IScannerReportClient
    private static bool IsTransient(Exception exception)
        => exception is HttpRequestException or TaskCanceledException;

-    private static RunnerReportSnapshot BuildReportSnapshot(ReportResponse report, string fallbackDigest)
+    private RunnerReportSnapshot BuildReportSnapshot(ReportResponse report, string fallbackDigest)
    {
        var document = report.Report ?? new ReportDocument();
        var summary = document.Summary ?? new ReportSummary();

        return new RunnerReportSnapshot(
-            string.IsNullOrWhiteSpace(document.ReportId) ? Guid.NewGuid().ToString("N") : document.ReportId,
+            string.IsNullOrWhiteSpace(document.ReportId) ? _guidProvider.NewGuid().ToString("N") : document.ReportId,
            string.IsNullOrWhiteSpace(document.ImageDigest) ? fallbackDigest : document.ImageDigest,
            string.IsNullOrWhiteSpace(document.Verdict) ? "warn" : document.Verdict,
            document.GeneratedAt,
--- a/src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/Execution/PartitionHealthMonitor.cs
+++ b/src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/Execution/PartitionHealthMonitor.cs
@@ -48,14 +48,17 @@ public sealed class PartitionHealthMonitor
    /// <param name="connection">PostgreSQL connection.</param>
    /// <param name="alertThreshold">Days threshold for warning alert.</param>
    /// <param name="criticalThreshold">Days threshold for critical alert.</param>
+    /// <param name="timeProvider">Optional time provider for deterministic testing.</param>
    /// <param name="cancellationToken">Cancellation token.</param>
    /// <returns>List of partition health status for each table.</returns>
    public async Task<List<PartitionHealthStatus>> CheckHealthAsync(
        NpgsqlConnection connection,
        int alertThreshold = 30,
        int criticalThreshold = 7,
+        TimeProvider? timeProvider = null,
        CancellationToken cancellationToken = default)
    {
+        var time = timeProvider ?? TimeProvider.System;
        using var activity = ActivitySource.StartActivity("partitions.health_check", ActivityKind.Internal);

        var results = new List<PartitionHealthStatus>();
@@ -82,6 +85,7 @@ public sealed class PartitionHealthMonitor
        {
            await using var reader = await cmd.ExecuteReaderAsync(cancellationToken);

+            var now = time.GetUtcNow();
            while (await reader.ReadAsync(cancellationToken))
            {
                var schema = reader.GetString(0);
@@ -91,7 +95,7 @@ public sealed class PartitionHealthMonitor

                var tableKey = $"{schema}.{table}";
                var daysUntilExhaustion = lastPartitionStart.HasValue
-                    ? Math.Max(0, (int)(lastPartitionStart.Value - DateTimeOffset.UtcNow).TotalDays)
+                    ? Math.Max(0, (int)(lastPartitionStart.Value - now).TotalDays)
                    : 0;

                futureCounts[tableKey] = futureCount;
--- a/src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/Planning/ScoreReplaySchedulerJob.cs
+++ b/src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/Planning/ScoreReplaySchedulerJob.cs
@@ -134,17 +134,20 @@ public sealed class ScoreReplaySchedulerJob : IScoreReplayScheduler
 {
    private readonly IScannerReplayClient _scannerClient;
    private readonly ScoreReplaySchedulerOptions _options;
+    private readonly TimeProvider _timeProvider;
    private readonly ILogger<ScoreReplaySchedulerJob> _logger;
    private string? _lastFeedSnapshotHash;

    public ScoreReplaySchedulerJob(
        IScannerReplayClient scannerClient,
        IOptions<ScoreReplaySchedulerOptions> options,
-        ILogger<ScoreReplaySchedulerJob> logger)
+        ILogger<ScoreReplaySchedulerJob> logger,
+        TimeProvider? timeProvider = null)
    {
        _scannerClient = scannerClient ?? throw new ArgumentNullException(nameof(scannerClient));
        _options = options?.Value ?? throw new ArgumentNullException(nameof(options));
        _logger = logger ?? throw new ArgumentNullException(nameof(logger));
+        _timeProvider = timeProvider ?? TimeProvider.System;
    }

    /// <summary>
@@ -191,7 +194,7 @@ public sealed class ScoreReplaySchedulerJob : IScoreReplayScheduler
        string? feedSnapshotHash = null,
        CancellationToken ct = default)
    {
-        var startedAt = DateTimeOffset.UtcNow;
+        var startedAt = _timeProvider.GetUtcNow();
        var results = new List<ScoreReplayResult>();
        var successCount = 0;
        var failureCount = 0;
@@ -252,7 +255,7 @@ public sealed class ScoreReplaySchedulerJob : IScoreReplayScheduler
            _logger.LogError(ex, "Error during batch score replay");
        }

-        var completedAt = DateTimeOffset.UtcNow;
+        var completedAt = _timeProvider.GetUtcNow();

        _logger.LogInformation(
            "Score replay batch completed. Success={Success}, Failed={Failed}, SignificantDeltas={Deltas}, Duration={Duration}ms",
--- a/src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/Policy/GateEvaluationJob.cs
+++ b/src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/Policy/GateEvaluationJob.cs
@@ -200,6 +200,7 @@ public sealed class GateEvaluationJob : IGateEvaluationScheduler
    private readonly IPolicyGatewayClient _gatewayClient;
    private readonly GateEvaluationOptions _options;
    private readonly ILogger<GateEvaluationJob> _logger;
+    private readonly TimeProvider _timeProvider;

    // In-memory queue for pending jobs (replace with persistent store in production)
    private readonly Queue<GateEvaluationRequest> _pendingJobs = new();
@@ -209,11 +210,13 @@ public sealed class GateEvaluationJob : IGateEvaluationScheduler
    public GateEvaluationJob(
        IPolicyGatewayClient gatewayClient,
        IOptions<GateEvaluationOptions> options,
-        ILogger<GateEvaluationJob> logger)
+        ILogger<GateEvaluationJob> logger,
+        TimeProvider? timeProvider = null)
    {
        _gatewayClient = gatewayClient ?? throw new ArgumentNullException(nameof(gatewayClient));
        _options = options?.Value ?? throw new ArgumentNullException(nameof(options));
        _logger = logger ?? throw new ArgumentNullException(nameof(logger));
+        _timeProvider = timeProvider ?? TimeProvider.System;
    }

    /// <inheritdoc/>
@@ -233,7 +236,7 @@ public sealed class GateEvaluationJob : IGateEvaluationScheduler
                DeltaCount: null,
                CriticalCount: null,
                HighCount: null,
-                StartedAt: DateTimeOffset.UtcNow,
+                StartedAt: _timeProvider.GetUtcNow(),
                CompletedAt: default,
                Duration: TimeSpan.Zero);
        }
@@ -262,13 +265,13 @@ public sealed class GateEvaluationJob : IGateEvaluationScheduler
        {
            _logger.LogDebug("Gate evaluation jobs are disabled");
            return new GateEvaluationBatchSummary(
-                DateTimeOffset.UtcNow,
-                DateTimeOffset.UtcNow,
+                _timeProvider.GetUtcNow(),
+                _timeProvider.GetUtcNow(),
                0, 0, 0, 0, 0,
                TimeSpan.Zero);
        }

-        var startedAt = DateTimeOffset.UtcNow;
+        var startedAt = _timeProvider.GetUtcNow();
        var sw = Stopwatch.StartNew();
        var results = new List<GateEvaluationResult>();

@@ -292,7 +295,7 @@ public sealed class GateEvaluationJob : IGateEvaluationScheduler
        results.AddRange(completedResults);

        sw.Stop();
-        var completedAt = DateTimeOffset.UtcNow;
+        var completedAt = _timeProvider.GetUtcNow();

        var summary = new GateEvaluationBatchSummary(
            StartedAt: startedAt,
@@ -320,7 +323,7 @@ public sealed class GateEvaluationJob : IGateEvaluationScheduler
        GateEvaluationRequest request,
        CancellationToken ct)
    {
-        var startedAt = DateTimeOffset.UtcNow;
+        var startedAt = _timeProvider.GetUtcNow();
        var sw = Stopwatch.StartNew();

        // Update status to in-progress
@@ -347,7 +350,7 @@ public sealed class GateEvaluationJob : IGateEvaluationScheduler
                timeoutCts.Token);

            sw.Stop();
-            var completedAt = DateTimeOffset.UtcNow;
+            var completedAt = _timeProvider.GetUtcNow();

            var result = new GateEvaluationResult(
                JobId: request.JobId,
@@ -453,7 +456,7 @@ public sealed class GateEvaluationJob : IGateEvaluationScheduler
            CriticalCount: null,
            HighCount: null,
            StartedAt: startedAt,
-            CompletedAt: DateTimeOffset.UtcNow,
+            CompletedAt: _timeProvider.GetUtcNow(),
            Duration: duration,
            ErrorMessage: errorMessage);

--- a/src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/Reachability/ReachabilityJoinerWorker.cs
+++ b/src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/Reachability/ReachabilityJoinerWorker.cs
@@ -186,7 +186,7 @@ public sealed class ReachabilityJoinerWorker : BackgroundService
        }
    }

-    private static IReadOnlyList<ReachabilityFact> JoinSnapshotWithSignals(
+    private IReadOnlyList<ReachabilityFact> JoinSnapshotWithSignals(
        SbomSnapshot snapshot,
        IReadOnlyDictionary<string, ComponentSignal> signals)
    {
@@ -207,7 +207,7 @@ public sealed class ReachabilityJoinerWorker : BackgroundService
                IsReachable: signal.IsReachable,
                Confidence: signal.Confidence,
                Evidence: signal.Evidence,
-                ProducedAt: DateTimeOffset.UtcNow);
+                ProducedAt: _timeProvider.GetUtcNow());

            facts.Add(fact);
        }
@@ -384,6 +384,12 @@ public sealed class InMemoryReachabilityFactCache : IReachabilityFactCache
 {
    private readonly Dictionary<string, (IReadOnlyList<ReachabilityFact> Facts, DateTimeOffset ExpiresAt)> _cache = new();
    private readonly object _lock = new();
+    private readonly TimeProvider _timeProvider;
+
+    public InMemoryReachabilityFactCache(TimeProvider? timeProvider = null)
+    {
+        _timeProvider = timeProvider ?? TimeProvider.System;
+    }

    public ValueTask WriteFactsAsync(
        string tenantId,
@@ -396,7 +402,7 @@ public sealed class InMemoryReachabilityFactCache : IReachabilityFactCache

        lock (_lock)
        {
-            _cache[key] = (facts, DateTimeOffset.UtcNow.Add(ttl));
+            _cache[key] = (facts, _timeProvider.GetUtcNow().Add(ttl));
        }

        return ValueTask.CompletedTask;
@@ -411,7 +417,7 @@ public sealed class InMemoryReachabilityFactCache : IReachabilityFactCache

        lock (_lock)
        {
-            if (_cache.TryGetValue(key, out var entry) && entry.ExpiresAt > DateTimeOffset.UtcNow)
+            if (_cache.TryGetValue(key, out var entry) && entry.ExpiresAt > _timeProvider.GetUtcNow())
            {
                return ValueTask.FromResult(entry.Facts);
            }
--- a/src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/Reachability/ReachabilityStalenessMonitor.cs
+++ b/src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/Reachability/ReachabilityStalenessMonitor.cs
@@ -291,6 +291,12 @@ public sealed class InMemoryReachabilityFactStore : IReachabilityFactStore
 {
    private readonly Dictionary<string, List<StoredFact>> _facts = new();
    private readonly object _lock = new();
+    private readonly TimeProvider _timeProvider;
+
+    public InMemoryReachabilityFactStore(TimeProvider? timeProvider = null)
+    {
+        _timeProvider = timeProvider ?? TimeProvider.System;
+    }

    public ValueTask<IReadOnlyList<string>> GetTenantsWithFactsAsync(
        CancellationToken cancellationToken = default)
@@ -343,7 +349,7 @@ public sealed class InMemoryReachabilityFactStore : IReachabilityFactStore
        int maxCount,
        CancellationToken cancellationToken = default)
    {
-        var now = DateTimeOffset.UtcNow;
+        var now = _timeProvider.GetUtcNow();

        lock (_lock)
        {
--- a/src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/Resolver/EvaluationOrchestrationWorker.cs
+++ b/src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/Resolver/EvaluationOrchestrationWorker.cs
@@ -422,14 +422,24 @@ public sealed class InMemoryFindingsLedgerProjector : IFindingsLedgerProjector
 /// </summary>
 public sealed class NullPolicyEngineEvaluator : IPolicyEngineEvaluator
 {
+    private readonly TimeProvider _timeProvider;
+    private readonly StellaOps.Determinism.IGuidProvider _guidProvider;
+
    public static NullPolicyEngineEvaluator Instance { get; } = new();

+    public NullPolicyEngineEvaluator(TimeProvider? timeProvider = null, StellaOps.Determinism.IGuidProvider? guidProvider = null)
+    {
+        _timeProvider = timeProvider ?? TimeProvider.System;
+        _guidProvider = guidProvider ?? StellaOps.Determinism.SystemGuidProvider.Instance;
+    }
+
    public ValueTask<BatchEvaluationResult> EvaluateBatchAsync(
        string tenantId,
        string artifactId,
        IReadOnlyList<CandidateFinding> candidates,
        CancellationToken cancellationToken = default)
    {
+        var now = _timeProvider.GetUtcNow();
        var evaluatedFindings = candidates
            .Select(c => new EvaluatedFinding(
                c.FindingId,
@@ -440,13 +450,13 @@ public sealed class NullPolicyEngineEvaluator : IPolicyEngineEvaluator
                "default-policy",
                null,
                null,
-                DateTimeOffset.UtcNow))
+                now))
            .ToImmutableArray();

        return ValueTask.FromResult(new BatchEvaluationResult(
-            BatchId: Guid.NewGuid().ToString("N"),
+            BatchId: _guidProvider.NewGuid().ToString("N"),
            EvaluatedFindings: evaluatedFindings,
            SkippedCount: 0,
-            EvaluatedAt: DateTimeOffset.UtcNow));
+            EvaluatedAt: now));
    }
 }
--- a/src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/Simulation/SimulationReducerWorker.cs
+++ b/src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/Simulation/SimulationReducerWorker.cs
@@ -446,6 +446,12 @@ public sealed class InMemorySimulationManifestWriter : ISimulationManifestWriter
 {
    private readonly Dictionary<string, (SimulationManifest Manifest, ManifestStorageResult Result)> _manifests = new();
    private readonly object _lock = new();
+    private readonly TimeProvider _timeProvider;
+
+    public InMemorySimulationManifestWriter(TimeProvider? timeProvider = null)
+    {
+        _timeProvider = timeProvider ?? TimeProvider.System;
+    }

    public ValueTask<ManifestStorageResult> WriteManifestAsync(
        string tenantId,
@@ -462,7 +468,7 @@ public sealed class InMemorySimulationManifestWriter : ISimulationManifestWriter
            Checksum: checksum,
            ChecksumAlgorithm: "SHA256",
            SizeBytes: bytes.Length,
-            StoredAt: DateTimeOffset.UtcNow);
+            StoredAt: _timeProvider.GetUtcNow());

        lock (_lock)
        {
--- a/src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/Simulation/SimulationSecurityEnforcer.cs
+++ b/src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/Simulation/SimulationSecurityEnforcer.cs
@@ -17,19 +17,22 @@ public sealed class SimulationSecurityEnforcer : ISimulationSecurityEnforcer
    private readonly ISecretScanner _secretScanner;
    private readonly SchedulerWorkerOptions _options;
    private readonly ILogger<SimulationSecurityEnforcer> _logger;
+    private readonly TimeProvider _timeProvider;

    public SimulationSecurityEnforcer(
        ITenantScopeValidator scopeValidator,
        IAttestationVerifier attestationVerifier,
        ISecretScanner secretScanner,
        SchedulerWorkerOptions options,
-        ILogger<SimulationSecurityEnforcer> logger)
+        ILogger<SimulationSecurityEnforcer> logger,
+        TimeProvider? timeProvider = null)
    {
        _scopeValidator = scopeValidator ?? throw new ArgumentNullException(nameof(scopeValidator));
        _attestationVerifier = attestationVerifier ?? throw new ArgumentNullException(nameof(attestationVerifier));
        _secretScanner = secretScanner ?? throw new ArgumentNullException(nameof(secretScanner));
        _options = options ?? throw new ArgumentNullException(nameof(options));
        _logger = logger ?? throw new ArgumentNullException(nameof(logger));
+        _timeProvider = timeProvider ?? TimeProvider.System;
    }

    /// <summary>
@@ -77,7 +80,7 @@ public sealed class SimulationSecurityEnforcer : ISimulationSecurityEnforcer
        return new SecurityValidationResult(
            IsValid: isValid,
            Violations: [.. violations],
-            ValidatedAt: DateTimeOffset.UtcNow,
+            ValidatedAt: _timeProvider.GetUtcNow(),
            ValidatorVersion: "1.0.0");
    }

@@ -112,7 +115,7 @@ public sealed class SimulationSecurityEnforcer : ISimulationSecurityEnforcer
        return new SecurityValidationResult(
            IsValid: violations.Count == 0,
            Violations: [.. violations],
-            ValidatedAt: DateTimeOffset.UtcNow,
+            ValidatedAt: _timeProvider.GetUtcNow(),
            ValidatorVersion: "1.0.0");
    }

--- a/src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/StellaOps.Scheduler.Worker.csproj
+++ b/src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/StellaOps.Scheduler.Worker.csproj
@@ -11,6 +11,7 @@
    <ProjectReference Include="../StellaOps.Scheduler.Models/StellaOps.Scheduler.Models.csproj" />
    <ProjectReference Include="../StellaOps.Scheduler.Persistence/StellaOps.Scheduler.Persistence.csproj" />
    <ProjectReference Include="../StellaOps.Scheduler.Queue/StellaOps.Scheduler.Queue.csproj" />
+    <ProjectReference Include="../../../__Libraries/StellaOps.Determinism.Abstractions/StellaOps.Determinism.Abstractions.csproj" />
    <ProjectReference Include="../../../Notify/__Libraries/StellaOps.Notify.Models/StellaOps.Notify.Models.csproj" />
    <ProjectReference Include="../../../Notify/__Libraries/StellaOps.Notify.Queue/StellaOps.Notify.Queue.csproj" />
    <ProjectReference Include="../../../Scanner/__Libraries/StellaOps.Scanner.Surface.Env/StellaOps.Scanner.Surface.Env.csproj" />
--- a/src/Scheduler/__Tests/StellaOps.Scheduler.WebService.Tests/GraphJobServiceTests.cs
+++ b/src/Scheduler/__Tests/StellaOps.Scheduler.WebService.Tests/GraphJobServiceTests.cs
@@ -2,6 +2,7 @@ using System.Collections.Generic;
 using System.ComponentModel.DataAnnotations;
 using System.Threading;
 using System.Threading.Tasks;
+using Microsoft.Extensions.Time.Testing;
 using StellaOps.Scheduler.Models;
 using StellaOps.Scheduler.WebService.GraphJobs;
 using Xunit;
@@ -21,10 +22,10 @@ public sealed class GraphJobServiceTests
        var initial = CreateBuildJob();
        await store.AddAsync(initial, CancellationToken.None);

-        var clock = new FixedClock(FixedTime);
+        var timeProvider = new FakeTimeProvider(FixedTime);
        var publisher = new RecordingPublisher();
        var webhook = new RecordingWebhookClient();
-        var service = new GraphJobService(store, clock, publisher, webhook);
+        var service = new GraphJobService(store, timeProvider, publisher, webhook);

        var request = new GraphJobCompletionRequest
        {
@@ -60,10 +61,10 @@ public sealed class GraphJobServiceTests
        var initial = CreateBuildJob();
        await store.AddAsync(initial, CancellationToken.None);

-        var clock = new FixedClock(FixedTime);
+        var timeProvider = new FakeTimeProvider(FixedTime);
        var publisher = new RecordingPublisher();
        var webhook = new RecordingWebhookClient();
-        var service = new GraphJobService(store, clock, publisher, webhook);
+        var service = new GraphJobService(store, timeProvider, publisher, webhook);

        var request = new GraphJobCompletionRequest
        {
@@ -95,10 +96,10 @@ public sealed class GraphJobServiceTests
        var initial = CreateBuildJob();
        await store.AddAsync(initial, CancellationToken.None);

-        var clock = new FixedClock(FixedTime);
+        var timeProvider = new FakeTimeProvider(FixedTime);
        var publisher = new RecordingPublisher();
        var webhook = new RecordingWebhookClient();
-        var service = new GraphJobService(store, clock, publisher, webhook);
+        var service = new GraphJobService(store, timeProvider, publisher, webhook);

        var firstRequest = new GraphJobCompletionRequest
        {
@@ -140,10 +141,10 @@ public sealed class GraphJobServiceTests
    public async Task CreateBuildJob_NormalizesSbomDigest()
    {
        var store = new TrackingGraphJobStore();
-        var clock = new FixedClock(FixedTime);
+        var timeProvider = new FakeTimeProvider(FixedTime);
        var publisher = new RecordingPublisher();
        var webhook = new RecordingWebhookClient();
-        var service = new GraphJobService(store, clock, publisher, webhook);
+        var service = new GraphJobService(store, timeProvider, publisher, webhook);

        var request = new GraphBuildJobRequest
        {
@@ -161,10 +162,10 @@ public sealed class GraphJobServiceTests
    public async Task CreateBuildJob_RejectsDigestWithoutPrefix()
    {
        var store = new TrackingGraphJobStore();
-        var clock = new FixedClock(FixedTime);
+        var timeProvider = new FakeTimeProvider(FixedTime);
        var publisher = new RecordingPublisher();
        var webhook = new RecordingWebhookClient();
-        var service = new GraphJobService(store, clock, publisher, webhook);
+        var service = new GraphJobService(store, timeProvider, publisher, webhook);

        var request = new GraphBuildJobRequest
        {
@@ -253,14 +254,4 @@ public sealed class GraphJobServiceTests
            return Task.CompletedTask;
        }
    }
-
-    private sealed class FixedClock : ISystemClock
-    {
-        public FixedClock(DateTimeOffset utcNow)
-        {
-            UtcNow = utcNow;
-        }
-
-        public DateTimeOffset UtcNow { get; set; }
-    }
 }