feat(secrets): Implement secret leak policies and signal binding

- Added `spl-secret-block@1.json` to block deployments with critical or high severity secret findings.
- Introduced `spl-secret-warn@1.json` to warn on secret findings without blocking deployments.
- Created `SecretSignalBinder.cs` to bind secret evidence to policy evaluation signals.
- Developed unit tests for `SecretEvidenceContext` and `SecretSignalBinder` to ensure correct functionality.
- Enhanced `SecretSignalContextExtensions` to integrate secret evidence into signal contexts.
This commit is contained in:
StellaOps Bot
2026-01-04 15:44:49 +02:00
parent 1f33143bd1
commit f7d27c6fda
44 changed files with 2406 additions and 1107 deletions


@@ -7,9 +7,15 @@ namespace StellaOps.Scheduler.WebService.EventWebhooks;
internal sealed class InMemoryWebhookRateLimiter : IWebhookRateLimiter, IDisposable
{
private readonly MemoryCache _cache = new(new MemoryCacheOptions());
private readonly TimeProvider _timeProvider;
private readonly object _mutex = new();
public InMemoryWebhookRateLimiter(TimeProvider? timeProvider = null)
{
_timeProvider = timeProvider ?? TimeProvider.System;
}
public bool TryAcquire(string key, int limit, TimeSpan window, out TimeSpan retryAfter)
{
if (limit <= 0)
@@ -19,7 +25,7 @@ internal sealed class InMemoryWebhookRateLimiter : IWebhookRateLimiter, IDisposa
}
retryAfter = TimeSpan.Zero;
var now = DateTimeOffset.UtcNow;
var now = _timeProvider.GetUtcNow();
lock (_mutex)
{