Migrate from Jetty 11 to Jetty 12.1.9 using ee10 servlet compatibility layer:
- Update hypertrace-bom catalog version to 0.3.79 (includes Jetty 12.1.9)
- Update jakarta-servlet-api from 6.0.0 to 6.1.0
- Update servlet imports from o.e.j.servlet.* to o.e.j.ee10.servlet.*
- Update servlets imports from o.e.j.servlets.* to o.e.j.ee10.servlets.*
- Fix setVirtualHosts(String[]) to setVirtualHosts(List<String>)
- Remove setShowServlet(false) (method removed in 12.1.x, behavior is now default)
- Change ErrorHandler variable type to ErrorHandler from ee10 package
- Regenerate all gradle lock files

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

CVE-2026-42154 (CVSS 7.5) is a DoS vulnerability in the Prometheus
server's /api/v1/read remote read endpoint (Go binary, fixed in
v3.5.3 and v3.11.3). OWASP dependency-check incorrectly matches
io.prometheus:simpleclient* Java jars against the same CPE
(cpe:2.3:a:prometheus:prometheus) due to the shared "prometheus" name.

The Java simpleclient library is a metrics instrumentation library
and does not contain the affected remote read endpoint. This is a
confirmed false positive per NVD (https://nvd.nist.gov/vuln/detail/CVE-2026-42154)
which lists only the prometheus/prometheus Go server as affected.

References:
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-42154
- Fix PRs: prometheus/prometheus#18584, prometheus/prometheus#18585
- Advisory: GHSA-8rm2-7qqf-34qm

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

…mpleclient"

This reverts commit f95e9d0.