feat: Implement console session management with tenant and profile handling

- Add ConsoleSessionStore for managing console session state including tenants, profile, and token information.
- Create OperatorContextService to manage operator context for orchestrator actions.
- Implement OperatorMetadataInterceptor to enrich HTTP requests with operator context metadata.
- Develop ConsoleProfileComponent to display user profile and session details, including tenant information and access tokens.
- Add corresponding HTML and SCSS for ConsoleProfileComponent to enhance UI presentation.
- Write unit tests for ConsoleProfileComponent to ensure correct rendering and functionality.

docs/10_CONCELIER_CLI_QUICKSTART.md

@@ -167,8 +167,8 @@ rely on environment variables for ephemeral runners.
    dotnet run --project src/StellaOps.Cli -- db export --format json
 
    # Trivy DB (delta example)
-   dotnet run --project src/StellaOps.Cli -- db export --format trivy-db --delta
-   ```
+ dotnet run --project src/StellaOps.Cli -- db export --format trivy-db --delta
+ ```
 
    Concelier always produces a deterministic OCI layout. The first run after a clean
    bootstrap emits a **full** baseline; subsequent `--delta` runs reuse the previous
@@ -190,19 +190,58 @@ rely on environment variables for ephemeral runners.
 
    jq -r '.mode,.baseExportId' "$delta/metadata.json"
 
-   base_manifest=$(jq -r '.manifests[0].digest' "$base/index.json")
-   delta_manifest=$(jq -r '.manifests[0].digest' "$delta/index.json")
-   printf 'baseline manifest: %s\ndelta manifest:    %s\n' "$base_manifest" "$delta_manifest"
+ base_manifest=$(jq -r '.manifests[0].digest' "$base/index.json")
+ delta_manifest=$(jq -r '.manifests[0].digest' "$delta/index.json")
+ printf 'baseline manifest: %s\ndelta manifest:    %s\n' "$base_manifest" "$delta_manifest"
 
-   layer_digest=$(jq -r '.layers[0].digest' "$base/blobs/sha256/${base_manifest#sha256:}")
-   cmp "$base/blobs/sha256/${layer_digest#sha256:}" \
-       "$delta/blobs/sha256/${layer_digest#sha256:}"
-   ```
+ layer_digest=$(jq -r '.layers[0].digest' "$base/blobs/sha256/${base_manifest#sha256:}")
+ cmp "$base/blobs/sha256/${layer_digest#sha256:}" \
+     "$delta/blobs/sha256/${layer_digest#sha256:}"
+ ```
 
    `cmp` returning exit code `0` confirms the delta export reuses the baseline’s
    `db.tar.gz` layer instead of rebuilding it.
 
-4. **Manage scanners (optional)**
+4. **Verify guard compliance**
+
+   ```bash
+   export STELLA_TENANT="${STELLA_TENANT:-tenant-a}"
+
+   dotnet run --project src/StellaOps.Cli -- aoc verify \
+     --since 24h \
+     --format table \
+     --tenant "$STELLA_TENANT"
+
+   # Optional: capture JSON evidence for pipelines/audits
+   dotnet run --project src/StellaOps.Cli -- aoc verify \
+     --since 7d \
+     --limit 100 \
+     --format json \
+     --export artifacts/aoc-verify.json \
+     --tenant "$STELLA_TENANT"
+   ```
+
+   The CLI exits with `0` when no violations are detected. Guard failures map
+   to `ERR_AOC_00x` codes (`11…17`), while truncated results return `18`. Use
+   `--sources`/`--codes` to focus on noisy connectors and feed the exported JSON
+   into dashboards or evidence lockers for compliance reviews.
+
+5. **Pre-flight individual payloads**
+
+   ```bash
+   stella sources ingest --dry-run \
+     --source redhat \
+     --input ./fixtures/redhat/RHSA-2025-9999.json \
+     --tenant "$STELLA_TENANT" \
+     --format json \
+     --output artifacts/redhat-dry-run.json
+   ```
+
+   Exit code `0` confirms the candidate document is AOC compliant. Any guard
+   violation is emitted as deterministic `ERR_AOC_00x` exit codes (`11…17`);
+   reuse the exported JSON in PRs or incident timelines to show offending paths.
+
+6. **Manage scanners (optional)**
 
    ```bash
    dotnet run --project src/StellaOps.Cli -- scanner download --channel stable