feat: Enhance traceability and logging in Risk and Vulnerability clients

- Implemented shared trace ID generation utility for Risk and Vulnerability clients, ensuring consistent trace headers across API calls.
- Updated RiskHttpClient and VulnerabilityHttpClient to utilize the new trace ID generation method.
- Added validation for artifact metadata in PackRun endpoints, ensuring all artifacts include a digest and positive size.
- Enhanced logging payloads in PackRun to include artifact digests and sizes.
- Created a utility for generating trace IDs, preferring crypto.randomUUID when available, with a fallback to a ULID-style string.
- Added unit tests to verify the presence of trace IDs in HTTP requests for VulnerabilityHttpClient.
- Documented query-hash metrics for Vuln Explorer, detailing hashing rules and logging filters to ensure compliance with privacy standards.
- Consolidated findings from late-November reviews into a comprehensive advisory for Scanner and SBOM/VEX areas, outlining remediation tracks and gaps.
StellaOps Bot
2025-12-02 19:24:26 +02:00
parent 76ecea482e
commit acbb0ff637
20 changed files with 186 additions and 71 deletions


@@ -284,6 +284,8 @@ public sealed record LogEntryResponse(
string Level,
string Source,
string Message,
string Digest,
long SizeBytes,
DateTimeOffset Timestamp,
string? Data)
{
@@ -293,6 +295,8 @@ public sealed record LogEntryResponse(
log.Level.ToString().ToLowerInvariant(),
log.Source,
log.Message,
log.Digest,
log.SizeBytes,
log.Timestamp,
log.Data);
}
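Review bot: `Digest` is declared as a non-nullable `string` on LogEntryResponse and populated straight from `log.Digest`, but nothing in the hunk shows whether the underlying log entry guarantees a digest for records persisted before this field existed; if the source property is `string?`, the mapping either warns under nullable analysis or silently emits a null in a non-nullable slot. Either declare the field as `string? Digest` to match the storage contract, or make the invariant explicit at the mapping site, `log.Digest ?? throw new InvalidOperationException("log entry is missing its digest")`. The same shape and mapping are repeated in the PackRunLogPayload section further down, so whichever choice is made should be mirrored there, and a `/// <param name="Digest">` line stating the expected digest format (algorithm prefix plus hex payload) would let consumers verify what they receive. The record's positional parameter list begins before this hunk.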


@@ -535,6 +535,15 @@ public static class PackRunEndpoints
var artifactIds = new List<Guid>();
if (request.Artifacts is { Count: > 0 })
{
if (request.Artifacts.Any(a => string.IsNullOrWhiteSpace(a.Digest) || a.SizeBytes is null or <= 0))
{
return Results.BadRequest(new PackRunErrorResponse(
"invalid_artifact",
"All artifacts must include digest and positive sizeBytes.",
packRunId,
null));
}
var artifacts = request.Artifacts.Select(a => new Artifact(
ArtifactId: Guid.NewGuid(),
TenantId: tenantId,
@@ -616,7 +625,9 @@ public static class PackRunEndpoints
packVersion = packRun.PackVersion,
exitCode = request.ExitCode,
durationMs,
artifactCount = artifactIds.Count
artifactCount = artifactIds.Count,
artifactDigests = request.Artifacts?.Select(a => a.Digest).ToArray() ?? Array.Empty<string>(),
artifactSizes = request.Artifacts?.Select(a => a.SizeBytes ?? 0).ToArray() ?? Array.Empty<long>()
}));
await eventPublisher.PublishAsync(envelope, cancellationToken);
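Review bot: The new guard `request.Artifacts.Any(a => string.IsNullOrWhiteSpace(a.Digest) || a.SizeBytes is null or <= 0)` only rejects blank digests, so any non-blank string is accepted, stored as an Artifact, and echoed into the published event payload as `artifactDigests` in the second hunk, where a malformed or oversized value would reach the event stream and downstream log consumers unchecked. Tighten the check to the digest shape the service actually expects (an algorithm prefix plus fixed-length hex, e.g. `sha256:` followed by 64 hex characters) and reflect that in the error message, which currently reads `"All artifacts must include digest and positive sizeBytes."` and gives the caller no hint of the required format. Because the validation runs inside the `Count: > 0` branch, every validated artifact has a non-null `SizeBytes`, so the `?? 0` fallback in the payload exists only to satisfy the compiler and deserves a short comment saying so. The PackRunEndpoints handler body begins before the first hunk and continues past the second.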


@@ -282,6 +282,8 @@ internal sealed record PackRunLogPayload(
string Level,
string Source,
string Message,
string Digest,
long SizeBytes,
DateTimeOffset Timestamp,
string? Data)
{
@@ -290,6 +292,8 @@ internal sealed record PackRunLogPayload(
log.Level.ToString().ToLowerInvariant(),
log.Source,
log.Message,
log.Digest,
log.SizeBytes,
log.Timestamp,
log.Data);
}