feat(rate-limiting): Implement core rate limiting functionality with configuration, decision-making, metrics, middleware, and service registration

- Add RateLimitConfig for configuration management with YAML binding support.
- Introduce RateLimitDecision to encapsulate the result of rate limit checks.
- Implement RateLimitMetrics for OpenTelemetry metrics tracking.
- Create RateLimitMiddleware for enforcing rate limits on incoming requests.
- Develop RateLimitService to orchestrate instance and environment rate limit checks.
- Add RateLimitServiceCollectionExtensions for dependency injection registration.

src/Cli/StellaOps.Cli/Commands/CommandFactory.cs

@@ -54,6 +54,7 @@ internal static class CommandFactory
         root.Add(BuildAdviseCommand(services, options, verboseOption, cancellationToken));
         root.Add(BuildConfigCommand(options));
         root.Add(BuildKmsCommand(services, verboseOption, cancellationToken));
+        root.Add(BuildKeyCommand(services, loggerFactory, verboseOption, cancellationToken));
         root.Add(BuildVulnCommand(services, verboseOption, cancellationToken));
         root.Add(BuildVexCommand(services, options, verboseOption, cancellationToken));
         root.Add(BuildDecisionCommand(services, verboseOption, cancellationToken));
@@ -292,6 +293,56 @@ internal static class CommandFactory
 
         scan.Add(entryTrace);
 
+        // SARIF export command (Task SDIFF-BIN-030)
+        var sarifExport = new Command("sarif", "Export scan results in SARIF 2.1.0 format for CI/CD integration.");
+        var sarifScanIdOption = new Option<string>("--scan-id")
+        {
+            Description = "Scan identifier.",
+            Required = true
+        };
+        var sarifOutputOption = new Option<string?>("--output", new[] { "-o" })
+        {
+            Description = "Output file path (defaults to stdout)."
+        };
+        var sarifPrettyOption = new Option<bool>("--pretty")
+        {
+            Description = "Pretty-print JSON output."
+        };
+        var sarifIncludeHardeningOption = new Option<bool>("--include-hardening")
+        {
+            Description = "Include binary hardening flags in SARIF output."
+        };
+        var sarifIncludeReachabilityOption = new Option<bool>("--include-reachability")
+        {
+            Description = "Include reachability analysis in SARIF output."
+        };
+        var sarifMinSeverityOption = new Option<string?>("--min-severity")
+        {
+            Description = "Minimum severity to include (none, note, warning, error)."
+        };
+
+        sarifExport.Add(sarifScanIdOption);
+        sarifExport.Add(sarifOutputOption);
+        sarifExport.Add(sarifPrettyOption);
+        sarifExport.Add(sarifIncludeHardeningOption);
+        sarifExport.Add(sarifIncludeReachabilityOption);
+        sarifExport.Add(sarifMinSeverityOption);
+
+        sarifExport.SetAction((parseResult, _) =>
+        {
+            var scanId = parseResult.GetValue(sarifScanIdOption) ?? string.Empty;
+            var output = parseResult.GetValue(sarifOutputOption);
+            var pretty = parseResult.GetValue(sarifPrettyOption);
+            var includeHardening = parseResult.GetValue(sarifIncludeHardeningOption);
+            var includeReachability = parseResult.GetValue(sarifIncludeReachabilityOption);
+            var minSeverity = parseResult.GetValue(sarifMinSeverityOption);
+            var verbose = parseResult.GetValue(verboseOption);
+            return CommandHandlers.HandleScanSarifExportAsync(
+                services, scanId, output, pretty, includeHardening, includeReachability, minSeverity, verbose, cancellationToken);
+        });
+
+        scan.Add(sarifExport);
+
         scan.Add(run);
         scan.Add(upload);
         return scan;
@@ -638,6 +689,18 @@ internal static class CommandFactory
         return kms;
     }
 
+    /// <summary>
+    /// Builds key rotation and management commands.
+    /// Sprint: SPRINT_0501_0008_0001_proof_chain_key_rotation
+    /// Task: PROOF-KEY-0011
+    /// </summary>
+    private static Command BuildKeyCommand(IServiceProvider services, ILoggerFactory loggerFactory, Option<bool> verboseOption, CancellationToken cancellationToken)
+    {
+        var keyLogger = loggerFactory.CreateLogger<Proof.KeyRotationCommandGroup>();
+        var keyCommandGroup = new Proof.KeyRotationCommandGroup(keyLogger);
+        return keyCommandGroup.BuildCommand();
+    }
+
     private static Command BuildDatabaseCommand(IServiceProvider services, Option<bool> verboseOption, CancellationToken cancellationToken)
     {
         var db = new Command("db", "Trigger Concelier database operations via backend jobs.");