Align release create wizard with canonical bundle lifecycle

Wire orch:operate scope into console bootstrap so the browser token can
execute release-control actions. Replace the silent-redirect fallback
with the canonical createBundle → publishVersion → materialize flow and
surface truthful error messages on 403/409/503. Add focused Angular
tests and Playwright journey evidence for standard and hotfix paths.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

docs/operations/deployment/console.md

@@ -55,7 +55,7 @@ Key sections in `devops/helm/stellaops/values-prod.yaml`:
 | `console.config.apiGateway.baseUrl` | Internal base URL the UI uses to reach the gateway (defaults to `https://stellaops-web`). |
 | `console.env.AUTHORITY_ISSUER` | Authority issuer URL (for example, `https://authority.example.com`). |
 | `console.env.AUTHORITY_CLIENT_ID` | Authority client ID for the console UI. |
-| `console.env.AUTHORITY_SCOPES` | Space-separated scopes required by UI (`ui.read ui.admin`). |
+| `console.env.AUTHORITY_SCOPES` | Space-separated scopes required by UI (`ui.read ui.admin`). Release-control create/materialize journeys also require `orch:operate`. |
 | `console.resources` | CPU/memory requests and limits (default 250m CPU / 512Mi memory). |
 | `console.podAnnotations` | Optional annotations for service mesh or monitoring. |
 
@@ -108,7 +108,7 @@ CONSOLE_PUBLIC_BASE_URL=https://console.acme.internal
 AUTHORITY_ISSUER=https://authority.acme.internal
 AUTHORITY_CLIENT_ID=console-ui
 AUTHORITY_CLIENT_SECRET=<if using confidential client>
-AUTHORITY_SCOPES=ui.read ui.admin
+AUTHORITY_SCOPES=ui.read ui.admin orch:operate
 CONSOLE_GATEWAY_BASE_URL=https://api.acme.internal
 ```
 
@@ -124,7 +124,7 @@ The compose bundle includes Traefik as reverse proxy with TLS termination. Updat
 | `CONSOLE_GATEWAY_BASE_URL` | URL of the web gateway that proxies API calls (`/console/*`). | Chart service name. |
 | `AUTHORITY_ISSUER` | Authority issuer (`https://authority.example.com`). | None (required). |
 | `AUTHORITY_CLIENT_ID` | OIDC client configured in Authority. | None (required). |
-| `AUTHORITY_SCOPES` | Space-separated scopes assigned to the console client. | `ui.read ui.admin`. |
+| `AUTHORITY_SCOPES` | Space-separated scopes assigned to the console client. | `ui.read ui.admin orch:operate`. |
 | `AUTHORITY_DPOP_ENABLED` | Enables DPoP challenge/response (recommended true). | `true`. |
 | `CONSOLE_FEATURE_FLAGS` | Comma-separated feature flags (`runs`, `downloads.offline`, etc.). | `runs,downloads,policies`. |
 | `CONSOLE_LOG_LEVEL` | Minimum log level (`Information`, `Debug`, etc.). | `Information`. |

docs/operations/deployment/docker.md

@@ -36,7 +36,7 @@ This guide focuses on the new **StellaOps Console** container. Start with the ge
    CONSOLE_GATEWAY_BASE_URL=https://api.dev.stella-ops.local
    AUTHORITY_ISSUER=https://authority.dev.stella-ops.local
    AUTHORITY_CLIENT_ID=console-ui
-   AUTHORITY_SCOPES="ui.read ui.admin findings:read advisory:read vex:read aoc:verify"
+AUTHORITY_SCOPES="ui.read ui.admin orch:operate findings:read advisory:read vex:read aoc:verify"
    AUTHORITY_DPOP_ENABLED=true
    ```
 
@@ -99,7 +99,7 @@ This guide focuses on the new **StellaOps Console** container. Start with the ge
          CONSOLE_GATEWAY_BASE_URL: "https://api.dev.stella-ops.local"
          AUTHORITY_ISSUER: "https://authority.dev.stella-ops.local"
          AUTHORITY_CLIENT_ID: "console-ui"
-        AUTHORITY_SCOPES: "ui.read ui.admin findings:read advisory:read vex:read aoc:verify"
+AUTHORITY_SCOPES: "ui.read ui.admin orch:operate findings:read advisory:read vex:read aoc:verify"
          AUTHORITY_DPOP_ENABLED: "true"
          CONSOLE_FEATURE_FLAGS: "runs,downloads,policies"
          CONSOLE_METRICS_ENABLED: "true"