Vuln Explorer analytics pipeline plan (DEVOPS-VULN-29-003)

Goals: instrument analytics ingestion (query hashes, privacy/PII guardrails), update observability docs, and supply deployable configs.

Instrumentation tasks

Expose Prometheus counters/histograms in API:
- vuln_query_hashes_total{tenant,query_hash} increment on cached/served queries.
- vuln_api_latency_seconds histogram (already present; ensure labels avoid PII).
- vuln_api_payload_bytes histogram for request/response sizes.
Redact/avoid PII:
- Hash query bodies server-side (SHA256 with salt per deployment) before logging/metrics; store only hash+shape, not raw filters.
- Truncate any request field names/values in logs to 128 chars and drop known PII fields (email/userId).
Telemetry export:
- OTLP metrics/logs via existing collector profile; add service=\"vuln-explorer\" resource attrs.

Grafana dashboard will read from Prometheus metrics already defined in ops/devops/vuln/dashboards/vuln-explorer.json.
Alert rules already in ops/devops/vuln/alerts.yaml; ensure additional rules for PII drops are not required (logs-only).

Update deploy docs (deploy/README.md) to mention PII-safe logging in Vuln Explorer and query-hash metrics.
Add runbook entry under docs/modules/vuln-explorer/observability.md (if absent, create) summarizing metrics and how to interpret query hashes.

Unit test to assert logging middleware hashes queries and strips PII (to be implemented in API tests).
Add static check in pipeline ensuring vuln_query_hashes_total and payload histograms are scraped (Prometheus snapshot test).