feat: Implement Runtime Facts ingestion service and NDJSON reader

- Added RuntimeFactsNdjsonReader for reading NDJSON formatted runtime facts.
- Introduced IRuntimeFactsIngestionService interface and its implementation.
- Enhanced Program.cs to register new services and endpoints for runtime facts.
- Updated CallgraphIngestionService to include CAS URI in stored artifacts.
- Created RuntimeFactsValidationException for validation errors during ingestion.
- Added tests for RuntimeFactsIngestionService and RuntimeFactsNdjsonReader.
- Implemented SignalsSealedModeMonitor for compliance checks in sealed mode.
- Updated project dependencies for testing utilities.

docs/modules/cli/guides/cli-reference.md

@@ -189,6 +189,137 @@ Replays the AOC guard against stored raw documents. By default it checks all adv
 }
 ```
 
+---
+
+## 4 · `stella node lock-validate`
+
+### 4.1 Synopsis
+
+```bash
+stella node lock-validate \
+  [--path <directory>] \
+  [--format table|json] \
+  [--verbose]
+```
+
+### 4.2 Description
+
+Runs the Node analyzer locally against a working directory to compare lockfiles (`package-lock.json`, `pnpm-lock.yaml`, `yarn.lock`) with what is actually present in `node_modules`. The command is read-only and never schedules a scan; it reuses the same deterministic collector that powers Scanner so results match backend evidence. Output highlights two conditions that policy cares about:
+
+- **Declared Only** – packages present in lockfiles but missing from the filesystem or final image.
+- **Missing Lock** – packages discovered at runtime without corresponding lock metadata (no registry provenance, integrity hash, or repository information).
+
+This helps catch drift before images are built, keeps lockfiles trustworthy, and feeds policy predicates such as `node.lock.declaredMissing`.
+
+### 4.3 Options
+
+| Option | Description |
+|--------|-------------|
+| `--path`, `-p` | Directory containing `package.json` and lockfiles. Defaults to the current working directory. |
+| `--format table|json` | `table` (default) renders a Spectre table with status badges; `json` prints the underlying report for CI automation. |
+| `--verbose` | Enables detailed logging (shared root option). |
+
+### 4.4 Output & exit codes
+
+- `table` mode prints a summary row and two sections: `Declared Only` (red) and `Missing Lock` (yellow). Columns show package, version, lock source/locator, and filesystem path so engineers can reconcile quickly.
+- `json` mode emits `{ declaredOnly: [], missingLockMetadata: [], totalDeclared, totalInstalled }`, mirroring the analyzer telemetry.
+
+Exit codes:
+
+| Code | Meaning |
+|------|---------|
+| `0` | No inconsistencies detected. |
+| `1` | Declared-only or missing-lock packages were found. |
+| `71` | The requested directory could not be read (missing path, permissions, etc.). |
+
+The CLI also records `stellaops.cli.node.lock_validate.count{outcome}` so operators can monitor adoption in telemetry.
+
+### 4.5 Offline notes
+
+- Works entirely offline; point `--path` at a workspace checked out from an Offline Kit or build cache.
+- Honors the same `Surface.Validation` limits configured for Scanner once those knobs (`scanner.lockfiles.node.*`) are deployed cluster-wide.
+- Combine with `stella scan` by running lock validation in CI before images are built to fail fast on inconsistent manifests.
+
+---
+
+## 5 · `stella python lock-validate`
+
+### 5.1 Synopsis
+
+```bash
+stella python lock-validate \
+  [--path <directory>] \
+  [--format table|json] \
+  [--verbose]
+```
+
+### 5.2 Description
+
+Validates Python lockfiles (currently `requirements*.txt`, `Pipfile.lock`, and `poetry.lock`) against what exists in `site-packages`. It uses the same analyzer Scanner runs so declared-only packages, missing locks, and editable installs are detected deterministically and without internet access. This catches drift between lock manifests and baked images before scanners or policy gates fail later.
+
+### 5.3 Options
+
+| Option | Description |
+|--------|-------------|
+| `--path`, `-p` | Directory containing `lib/python*/site-packages` and lockfiles. Defaults to `$PWD`. |
+| `--format table|json` | `table` (default) prints a human summary; `json` emits the raw report for CI. |
+| `--verbose` | Enables detailed logging. |
+
+### 5.4 Output & exit codes
+
+Output shape mirrors the Node command: declared-only packages are shown with lock provenance, and runtime packages missing lock metadata are highlighted separately. JSON mode returns the same object schema `{ declaredOnly, missingLockMetadata, totalDeclared, totalInstalled }`.
+
+Exit codes follow the same contract (`0` success, `1` violations, `71` for unreadable path). Telemetry is published via `stellaops.cli.python.lock_validate.count{outcome}`.
+
+### 5.5 Offline notes
+
+- Works entirely offline—lockfiles and `site-packages` must already be present (from a venv snapshot, container rootfs, or Offline Kit).
+- Honors upcoming `scanner.lockfiles.python.*` guardrails once Surface.Validation is wired in so CLI + Scanner enforce the same registry/size limits.
+- Recommended CI flow: run `stella python lock-validate` before building containers and fail fast when declared-only packages remain.
+
+## 6 · `stella java lock-validate`
+
+### 6.1 Synopsis
+
+```bash
+stella java lock-validate \\
+  [--path <directory>] \\
+  [--format table|json] \\
+  [--verbose]
+```
+
+### 6.2 Description
+
+Executes the Java language analyzer locally so Gradle `gradle.lockfile`, `gradle/dependency-locks/**/*.lockfile`, and `pom.xml` declarations can be compared with the jars that actually ship in a workspace. The command reuses the new `JavaLockFileCollector` plus the `JavaLanguageAnalyzer` merge logic, so it emits the same `DeclaredOnly` and `Missing Lock` evidence that Scanner and Policy consume. Engineers can see which coordinates exist only in lockfiles (no jar on disk) and which installed jars lack lock metadata (no repository/provenance) before a scan ever runs.
+
+### 6.3 Options
+
+| Option | Description |
+|--------|-------------|
+| `--path`, `-p` | Directory containing jars (e.g., `build/libs`) and lockfiles. Defaults to the current working directory. |
+| `--format table|json` | `table` (default) renders the Spectre table; `json` outputs the raw `LockValidationReport`. |
+| `--verbose` | Enables detailed logging and surfaces the analyzer paths being inspected. |
+
+### 6.4 Output & exit codes
+
+Output mirrors the Node/Python verbs: `Declared Only` rows include the lock source/locator (e.g., `gradle.lockfile`, `gradle/dependency-locks/app.lockfile`) plus configuration/repository hints, while `Missing Lock` rows highlight jars that Scanner would tag with `lockMissing=true`. JSON responses return `{ declaredOnly, missingLockMetadata, totalDeclared, totalInstalled }`.
+
+Exit codes align with the other lock validators:
+
+| Code | Meaning |
+|------|---------|
+| `0` | No inconsistencies detected. |
+| `1` | Declared-only or missing-lock jars detected. |
+| `71` | Directory could not be read. |
+
+Telemetry is recorded via `stellaops.cli.java.lock_validate.count{outcome}` so adoption can be monitored alongside the Node/Python verbs.
+
+### 6.5 Offline notes
+
+- Works with any workspace (Gradle, Maven, or extracted container layers) – no network access or build tool metadata is required at runtime.
+- Honors forthcoming `scanner.lockfiles.java.*` Surface.Validation limits once they are deployed so CLI + Scanner stay in lockstep.
+- Recommended CI flow: run `stella java lock-validate` before packaging containers to surface missing locks/declared-only coordinates early.
+
 ### 3.5 Exit codes
 
 | Exit code | Meaning |