- Added `spl-secret-block@1.json` to block deployments with critical or high severity secret findings.
- Introduced `spl-secret-warn@1.json` to warn on secret findings without blocking deployments.
- Created `SecretSignalBinder.cs` to bind secret evidence to policy evaluation signals.
- Developed unit tests for `SecretEvidenceContext` and `SecretSignalBinder` to ensure correct functionality.
- Enhanced `SecretSignalContextExtensions` to integrate secret evidence into signal contexts.
VexDecisionStore: Added TimeProvider and IGuidProvider injection for deterministic
ID generation and timestamps in Create/Update methods.
Added StellaOps.Determinism.Abstractions project reference.
Refactored 8 files across StellaOps.Provcache, StellaOps.Provcache.Postgres, and StellaOps.Provcache.Valkey:
Core Provcache library:
- EvidenceChunker: Added IGuidProvider for ChunkId generation in ChunkAsync/ChunkStreamAsync
- LazyFetchOrchestrator: Added IGuidProvider for ChunkId generation when storing fetched chunks
- MinimalProofExporter: Added IGuidProvider for ChunkId generation in ImportAsync
- FeedEpochAdvancedEvent: Added optional eventId/timestamp parameters to static Create()
- SignerRevokedEvent: Added optional eventId/timestamp parameters to static Create()
Postgres implementation:
- PostgresProvcacheRepository: Added TimeProvider and IGuidProvider for IncrementHitCountAsync,
GetStatisticsAsync, LogRevocationAsync, and MapToEntity
- PostgresEvidenceChunkRepository: Added TimeProvider and IGuidProvider for GetManifestAsync and MapToEntity
Valkey implementation:
- ValkeyProvcacheStore: Added TimeProvider for TTL calculations in GetAsync, SetAsync, SetManyAsync
All constructors use optional parameters with defaults to system implementations for backward compatibility.
Added StellaOps.Determinism.Abstractions project references where needed.
- 242 production APPLY tasks: TreatWarningsAsErrors=true applied
- 144 production MAINT tasks: deferred determinism to SPRINT_20260104
- 144 production TEST tasks: deferred coverage to SPRINT_20260104
- 290 test project tasks: waived per decision (test projects excluded)
Created new SPRINT_20260104_001_BE_determinism_timeprovider_injection.md
for systematic TimeProvider/IGuidProvider refactoring (~1526 instances)
Sprint: SPRINT_20251229_049_BE_csproj_audit_maint_tests
Tasks: AUDIT-0001 through AUDIT-0147 APPLY tasks (approved decisions 1-9)
Changes:
- Set TreatWarningsAsErrors=true for all production .NET projects
- Fixed nullable warnings in Scanner.EntryTrace, Scanner.Evidence,
Scheduler.Worker, Concelier connectors, and other modules
- Injected TimeProvider/IGuidProvider for deterministic time/ID generation
- Added path traversal validation in AirGap.Bundle
- Fixed NULL handling in various cursor classes
- Third-party GostCryptography retains TreatWarningsAsErrors=false (preserves original)
- Test projects excluded per user decision (rejected decision 10)
Note: All 17 ACSC connector tests pass after snapshot fixture sync
Introduces CGS determinism test runs to CI workflows for Windows, macOS, Linux, Alpine, and Debian, fulfilling CGS-008 cross-platform requirements. Updates local-ci scripts to support new smoke steps, test timeouts, progress intervals, and project slicing for improved test isolation and diagnostics.
