Add OpenSslLegacyShim to ensure OpenSSL 1.1 libraries are accessible on Linux

This commit introduces the OpenSslLegacyShim class, which sets the LD_LIBRARY_PATH environment variable to include the directory containing OpenSSL 1.1 native libraries. This is necessary for Mongo2Go to function correctly on Linux platforms that do not ship these libraries by default. The shim checks if the current operating system is Linux and whether the required directory exists before modifying the environment variable.

docs/security/authority-scopes.md

@@ -82,7 +82,7 @@ Authority issues short-lived tokens bound to tenants and scopes. Sprint 19 int
 - **`role/ui-console-admin`** → `ui.read`, `authority:tenants.read`, `authority:roles.read`, `authority:tokens.read`, `authority:clients.read` (paired with write scopes where required).  
 - **`role/orch-viewer`** *(Authority role: `Orch.Viewer`)* → `orch:read`.
 - **`role/orch-operator`** *(Authority role: `Orch.Operator`)* → `orch:read`, `orch:operate`.
-- **`role/orch-admin`** *(Authority role: `Orch.Admin`)* → `orch:read`, `orch:operate`, `orch:quota`.
+- **`role/orch-admin`** *(Authority role: `Orch.Admin`)* → `orch:read`, `orch:operate`, `orch:quota`, `orch:backfill`.
 - **`role/packs-runner`** → `packs.read`, `packs.run`.
 - **`role/packs-publisher`** → `packs.read`, `packs.write`.
 - **`role/packs-approver`** → `packs.read`, `packs.approve`.
@@ -133,6 +133,16 @@ tenants:
         scopes: [policy:operate, policy:run, policy:activate, policy:read, policy:simulate, findings:read]
       policy-auditor:
         scopes: [policy:audit, policy:read, policy:simulate, findings:read]
+      pack-viewer:
+        scopes: [packs.read]
+      pack-operator:
+        scopes: [packs.read, packs.run]
+      pack-publisher:
+        scopes: [packs.read, packs.write]
+      pack-approver:
+        scopes: [packs.read, packs.approve]
+      pack-admin:
+        scopes: [packs.read, packs.write, packs.run, packs.approve]
       policy-engine:
         scopes: [effective:write, findings:read]
       exceptions-service:

docs/security/console-security.md

@@ -52,7 +52,8 @@ The console client is registered in Authority as `console-ui` with scopes:
 | Policy approvals | `policy:read`, `policy:review`, `policy:approve`, `policy:operate`, `policy:simulate` | `policy:operate` (promote/activate/run) requires fresh-auth. |
 | Observability panes (status ticker, telemetry) | `ui.telemetry`, `scheduler:runs.read`, `advisory:read`, `vex:read` | `ui.telemetry` drives OTLP export toggles. |
 | Orchestrator dashboard (queues, workers, rate limits) | `orch:read` | Provision via `Orch.Viewer` role; read-only access to job state and telemetry. |
-| Orchestrator control actions (pause/resume, retry, sync-now, backfill) | `orch:operate` (plus `orch:read`) | CLI/Console must request tokens with `operator_reason` and `operator_ticket`; Authority denies issuance when either value is missing. |
+| Orchestrator control actions (pause/resume, retry, sync-now) | `orch:operate` (plus `orch:read`) | CLI/Console must request tokens with `operator_reason` and `operator_ticket`; Authority denies issuance when either value is missing. |
+| Orchestrator backfill runs | `orch:backfill` (plus `orch:read`, `orch:operate`) | Backfill tokens require `backfill_reason` (≤256 chars) and `backfill_ticket` (≤128 chars); Authority stores both alongside operator metadata in audit events. |
 | Orchestrator quota & burst controls | `orch:quota` (plus `orch:read`, `orch:operate`) | Tokens must include `quota_reason` (≤256 chars); optional `quota_ticket` (≤128 chars) is captured for audit. |
 | Downloads parity (SBOM, attestation) | `downloads:read`, `attestation:verify`, `sbom:export` | Console surfaces digests only; download links require CLI parity for write operations. |
 
@@ -60,8 +61,8 @@ Guidance:
 
 - **Role mapping**: Provision Authority role `role/ui-console-admin` encapsulating the admin scopes above.  
 - **Orchestrator viewers**: Assign Authority role `role/orch-viewer` (Authority role string `Orch.Viewer`) to consoles that require read-only access to Orchestrator telemetry.  
-- **Orchestrator operators**: Assign Authority role `role/orch-operator` (Authority role string `Orch.Operator`) to identities allowed to pause/resume or backfill. Tokens must include `operator_reason` (≤256 chars) and `operator_ticket` (≤128 chars); Authority records the values in audit logs.
-- **Orchestrator admins**: Assign Authority role `role/orch-admin` (Authority role string `Orch.Admin`) to the handful of identities permitted to raise/lower quotas or trigger bulk backfills. Tokens must include `quota_reason` (≤256 chars); provide `quota_ticket` (≤128 chars) when available so Authority audit streams capture the change record.
+- **Orchestrator operators**: Assign Authority role `role/orch-operator` (Authority role string `Orch.Operator`) to identities allowed to pause/resume jobs. Tokens must include `operator_reason` (≤256 chars) and `operator_ticket` (≤128 chars); Authority records the values in audit logs.
+- **Orchestrator admins**: Assign Authority role `role/orch-admin` (Authority role string `Orch.Admin`) to the handful of identities permitted to raise/lower quotas or trigger backfills. Tokens must include `quota_reason` (≤256 chars) and `backfill_reason` (≤256 chars), plus the corresponding ticket fields (`quota_ticket`, `backfill_ticket`, ≤128 chars each) so audit streams capture the change record.
 - **Tenant enforcement**: Gateway injects `X-Stella-Tenant` from token claims. Requests missing the header must be rejected by downstream services (Concelier, Excititor, Policy Engine) and logged.  
 - **Separation of duties**: Never grant `ui.admin` and `policy:approve`/`policy:operate` to the same human role without SOC sign-off; automation accounts should use least-privilege dedicated clients.