feat: Implement Runtime Facts ingestion service and NDJSON reader

- Added RuntimeFactsNdjsonReader for reading NDJSON formatted runtime facts.
- Introduced IRuntimeFactsIngestionService interface and its implementation.
- Enhanced Program.cs to register new services and endpoints for runtime facts.
- Updated CallgraphIngestionService to include CAS URI in stored artifacts.
- Created RuntimeFactsValidationException for validation errors during ingestion.
- Added tests for RuntimeFactsIngestionService and RuntimeFactsNdjsonReader.
- Implemented SignalsSealedModeMonitor for compliance checks in sealed mode.
- Updated project dependencies for testing utilities.

src/Cli/StellaOps.Cli/Services/BackendOperationsClient.cs

@@ -20,7 +20,8 @@ using StellaOps.Auth.Client;
 using StellaOps.Cli.Configuration;
 using StellaOps.Cli.Services.Models;
 using StellaOps.Cli.Services.Models.AdvisoryAi;
-using StellaOps.Cli.Services.Models.Transport;
+using StellaOps.Cli.Services.Models.Ruby;
+using StellaOps.Cli.Services.Models.Transport;
 
 namespace StellaOps.Cli.Services;
 
@@ -858,9 +859,9 @@ internal sealed class BackendOperationsClient : IBackendOperationsClient
         return MapPolicyFindingExplain(document);
     }
 
-    public async Task<EntryTraceResponseModel?> GetEntryTraceAsync(string scanId, CancellationToken cancellationToken)
-    {
-        EnsureBackendConfigured();
+    public async Task<EntryTraceResponseModel?> GetEntryTraceAsync(string scanId, CancellationToken cancellationToken)
+    {
+        EnsureBackendConfigured();
 
         if (string.IsNullOrWhiteSpace(scanId))
         {
@@ -882,15 +883,46 @@ internal sealed class BackendOperationsClient : IBackendOperationsClient
             throw new InvalidOperationException(failure);
         }
 
-        var result = await response.Content.ReadFromJsonAsync<EntryTraceResponseModel>(SerializerOptions, cancellationToken).ConfigureAwait(false);
-        if (result is null)
-        {
-            throw new InvalidOperationException("EntryTrace response payload was empty.");
-        }
-
+        var result = await response.Content.ReadFromJsonAsync<EntryTraceResponseModel>(SerializerOptions, cancellationToken).ConfigureAwait(false);
+        if (result is null)
+        {
+            throw new InvalidOperationException("EntryTrace response payload was empty.");
+        }
+
         return result;
     }
 
+    public async Task<IReadOnlyList<RubyPackageArtifactModel>> GetRubyPackagesAsync(string scanId, CancellationToken cancellationToken)
+    {
+        EnsureBackendConfigured();
+
+        if (string.IsNullOrWhiteSpace(scanId))
+        {
+            throw new ArgumentException("Scan identifier is required.", nameof(scanId));
+        }
+
+        using var request = CreateRequest(HttpMethod.Get, $"api/scans/{scanId}/ruby-packages");
+        await AuthorizeRequestAsync(request, cancellationToken).ConfigureAwait(false);
+
+        using var response = await _httpClient.SendAsync(request, cancellationToken).ConfigureAwait(false);
+        if (response.StatusCode == HttpStatusCode.NotFound)
+        {
+            return Array.Empty<RubyPackageArtifactModel>();
+        }
+
+        if (!response.IsSuccessStatusCode)
+        {
+            var failure = await CreateFailureMessageAsync(response, cancellationToken).ConfigureAwait(false);
+            throw new InvalidOperationException(failure);
+        }
+
+        var packages = await response.Content
+            .ReadFromJsonAsync<IReadOnlyList<RubyPackageArtifactModel>>(SerializerOptions, cancellationToken)
+            .ConfigureAwait(false);
+
+        return packages ?? Array.Empty<RubyPackageArtifactModel>();
+    }
+
     public async Task<AdvisoryPipelinePlanResponseModel> CreateAdvisoryPipelinePlanAsync(
         AdvisoryAiTaskType taskType,
         AdvisoryPipelinePlanRequestModel request,