Harden artifact privacy, downloads, callbacks, and CI

[gateway]

Summary

• default artifact bundles to a dashboard-safe redacted mode and add explicit full-trace opt-in
• harden downloads with trusted-host checks, HTTPS-only policy, size limits, temp-file writes, and optional output-root enforcement
• add stricter callback verification helpers for freshness, conflicting task ids, and trusted output URLs
• make artifact indexing more resilient with locked append, atomic rebuild, malformed-line tolerance, and index-first lookup
• add GitHub Actions test coverage for PRs and pushes

Why

This closes the review findings around artifact overexposure, unsafe download behavior, weak callback handling, and fragile index maintenance while keeping compatibility paths available where needed.

Verification

• ./.venv/bin/python scripts/sync_packaged_specs.py --check
• ./.venv/bin/python -m pytest -q
• GitHub Actions Tests workflow on Python 3.9 and 3.11

Checklist

• Artifact bundles are redacted by default
• Full internal traces require explicit opt-in
• Download and callback hardening have regression tests
• Artifact index behavior has regression coverage
• Remote CI is running on the PR

Notes

• The separate local change in src/kie_api/models.py was intentionally left out of this PR because it is unrelated to the hardening pass and should land separately.