feat(rate-limiting): Implement core rate limiting functionality with configuration, decision-making, metrics, middleware, and service registration

- Add RateLimitConfig for configuration management with YAML binding support.
- Introduce RateLimitDecision to encapsulate the result of rate limit checks.
- Implement RateLimitMetrics for OpenTelemetry metrics tracking.
- Create RateLimitMiddleware for enforcing rate limits on incoming requests.
- Develop RateLimitService to orchestrate instance and environment rate limit checks.
- Add RateLimitServiceCollectionExtensions for dependency injection registration.

src/Cli/StellaOps.Cli/Services/BackendOperationsClient.cs

@@ -4750,6 +4750,50 @@ internal sealed class BackendOperationsClient : IBackendOperationsClient
         return result ?? new SdkListResponse { Success = false, Error = "Empty response" };
     }
 
+    /// <summary>
+    /// Get SARIF 2.1.0 output for a scan.
+    /// Task: SDIFF-BIN-030 - CLI option --output-format sarif
+    /// </summary>
+    public async Task<string?> GetScanSarifAsync(
+        string scanId,
+        bool includeHardening,
+        bool includeReachability,
+        string? minSeverity,
+        CancellationToken cancellationToken)
+    {
+        EnsureBackendConfigured();
+        OfflineModeGuard.ThrowIfOffline("scan sarif");
+
+        var queryParams = new List<string>();
+
+        if (includeHardening)
+            queryParams.Add("includeHardening=true");
+
+        if (includeReachability)
+            queryParams.Add("includeReachability=true");
+
+        if (!string.IsNullOrWhiteSpace(minSeverity))
+            queryParams.Add($"minSeverity={Uri.EscapeDataString(minSeverity)}");
+
+        var query = queryParams.Count > 0 ? "?" + string.Join("&", queryParams) : "";
+        var relative = $"api/scans/{Uri.EscapeDataString(scanId)}/sarif{query}";
+
+        using var httpRequest = CreateRequest(HttpMethod.Get, relative);
+        httpRequest.Headers.Accept.Add(new System.Net.Http.Headers.MediaTypeWithQualityHeaderValue("application/sarif+json"));
+
+        await AuthorizeRequestAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+        var response = await _httpClient.SendAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+        if (response.StatusCode == System.Net.HttpStatusCode.NotFound)
+        {
+            return null;
+        }
+
+        response.EnsureSuccessStatusCode();
+        return await response.Content.ReadAsStringAsync(cancellationToken).ConfigureAwait(false);
+    }
+
     /// <summary>
     /// Exports VEX decisions as OpenVEX documents with optional DSSE signing.
     /// </summary>

src/Cli/StellaOps.Cli/Services/IBackendOperationsClient.cs

@@ -133,4 +133,7 @@ internal interface IBackendOperationsClient
     // CLI-SDK-64-001: SDK update
     Task<SdkUpdateResponse> CheckSdkUpdatesAsync(SdkUpdateRequest request, CancellationToken cancellationToken);
     Task<SdkListResponse> ListInstalledSdksAsync(string? language, string? tenant, CancellationToken cancellationToken);
+
+    // SDIFF-BIN-030: SARIF export
+    Task<string?> GetScanSarifAsync(string scanId, bool includeHardening, bool includeReachability, string? minSeverity, CancellationToken cancellationToken);
 }