Add Authority Advisory AI and API Lifecycle Configuration

- Introduced AuthorityAdvisoryAiOptions and related classes for managing advisory AI configurations, including remote inference options and tenant-specific settings.
- Added AuthorityApiLifecycleOptions to control API lifecycle settings, including legacy OAuth endpoint configurations.
- Implemented validation and normalization methods for both advisory AI and API lifecycle options to ensure proper configuration.
- Created AuthorityNotificationsOptions and its related classes for managing notification settings, including ack tokens, webhooks, and escalation options.
- Developed IssuerDirectoryClient and related models for interacting with the issuer directory service, including caching mechanisms and HTTP client configurations.
- Added support for dependency injection through ServiceCollectionExtensions for the Issuer Directory Client.
- Updated project file to include necessary package references for the new Issuer Directory Client library.
This commit is contained in:
master
2025-11-02 13:40:38 +02:00
parent 66cb6c4b8a
commit f98cea3bcf
516 changed files with 68157 additions and 24754 deletions

@@ -13,32 +13,36 @@ Surface.Validation provides a shared validator framework to ensure all surface c
```csharp
public interface ISurfaceValidator
{
ValueTask<ValidationResult> ValidateAsync(SurfaceValidationContext context, CancellationToken ct = default);
ValueTask<SurfaceValidationResult> ValidateAsync(SurfaceValidationContext context, CancellationToken ct = default);
}
public sealed record SurfaceValidationContext
(
SurfaceEnvironmentSettings Environment,
public sealed record SurfaceValidationContext(
IServiceProvider Services,
string ComponentName
);
string ComponentName,
SurfaceEnvironmentSettings Environment,
IReadOnlyDictionary<string, object?> Properties)
{
public static SurfaceValidationContext Create(
IServiceProvider services,
string componentName,
SurfaceEnvironmentSettings environment,
IReadOnlyDictionary<string, object?>? properties = null);
}
public sealed record ValidationResult
(
bool IsSuccess,
IReadOnlyCollection<SurfaceValidationIssue> Issues
);
public interface ISurfaceValidatorRunner
{
ValueTask<SurfaceValidationResult> RunAllAsync(SurfaceValidationContext context, CancellationToken ct = default);
ValueTask EnsureAsync(SurfaceValidationContext context, CancellationToken ct = default);
}
public sealed record SurfaceValidationIssue
(
public sealed record SurfaceValidationIssue(
string Code,
string Message,
SurfaceValidationSeverity Severity,
string? Hint = null
);
string? Hint = null);
```
Validators register with DI (`services.AddSurfaceValidation()`). Hosts call `ISurfaceValidatorRunner.RunAllAsync()` during startup and periodically (optional) to re-check configuration.
`Properties` carries optional context-specific metadata (e.g., `jobId`, `imageDigest`, cache paths) so validators can tailor diagnostics without pulling additional services. Validators register with DI (`services.AddSurfaceValidation()`). Hosts call `ISurfaceValidatorRunner.RunAllAsync()` during startup and before workload execution to capture misconfiguration early; `EnsureAsync()` rethrows when `Surface:Validation:ThrowOnFailure=true`.
## 3. Built-in Validators
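Review bot: `ValidateAsync` and `RunAllAsync` in the code block return `SurfaceValidationResult`, but no definition of that type appears here; the only result record visible in this hunk is `ValidationResult` (`IsSuccess`, `Issues`). Add the `SurfaceValidationResult` shape to the block so readers know which members to check. The prose line on `EnsureAsync()` also only covers `Surface:Validation:ThrowOnFailure=true`: since `EnsureAsync` returns a bare `ValueTask`, a host using it as a pre-execution gate gets nothing to inspect when the flag is false, so document that case and name the exception type that is thrown.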
@@ -76,6 +80,7 @@ Validators can access DI services (e.g., HttpClient, Authority token provider) t
## 6. Integration Guidelines
- **Scanner Worker/WebService**: fail startup if any error-level issue occurs; log warnings but continue running.
- **Scanner EntryTrace**: execute `RunAllAsync` for each scan job with properties `{imageDigest, jobId, configPath, rootPath}`. If the result contains errors, skip analysis and log the issue summary instead of failing the entire scan.
- **Zastava Webhook**: treat validation errors as fatal (webhook should not enforce policies when surface preconditions fail). Display validation error summary in `/readyz` response to aid debugging.
- **Analysers**: call `SurfaceValidation.Ensure()` before executing heavy work to catch misconfiguration during integration tests.
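Review bot: the Scanner EntryTrace bullet lets a scan proceed after validation errors ("skip analysis and log the issue summary instead of failing the entire scan") without saying how the skipped analysis shows up in the scan output. Require the job result to be marked incomplete so that a scan with EntryTrace skipped is not read as a clean result by downstream consumers. The Analysers bullet also calls `SurfaceValidation.Ensure()`, while the API shown in the previous hunk is `ISurfaceValidatorRunner.EnsureAsync()`; align the name or document the static helper.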