feat: Implement console session management with tenant and profile handling

- Add ConsoleSessionStore for managing console session state including tenants, profile, and token information.
- Create OperatorContextService to manage operator context for orchestrator actions.
- Implement OperatorMetadataInterceptor to enrich HTTP requests with operator context metadata.
- Develop ConsoleProfileComponent to display user profile and session details, including tenant information and access tokens.
- Add corresponding HTML and SCSS for ConsoleProfileComponent to enhance UI presentation.
- Write unit tests for ConsoleProfileComponent to ensure correct rendering and functionality.

docs/cli/cli-reference.md

@@ -152,6 +152,8 @@ Replays the AOC guard against stored raw documents. By default it checks all adv
 | `--tenant <tenant-id>` | Overrides tenant context. Required for cross-tenant verifications when run by platform operators. |
 | `--no-color` | Disables ANSI colours. |
 
+`table` mode prints a summary showing the active tenant, evaluated window, counts of checked advisories/VEX statements, the active limit, total writes/violations, and whether the page was truncated. Status is colour-coded as `ok`, `violations`, or `truncated`. When violations exist the detail table lists the code, total occurrences, first sample document (`source` + `documentId` + `contentHash`), and JSON pointer path.
+
 ### 3.4 Report structure (JSON)
 
 ```json
@@ -182,7 +184,8 @@ Replays the AOC guard against stored raw documents. By default it checks all adv
   "metrics": {
     "ingestion_write_total": 557,
     "aoc_violation_total": 2
-  }
+  },
+  "truncated": false
 }
 ```
 
@@ -262,6 +265,24 @@ Use these codes in CI to map outcomes to build statuses or alert severities.
 
 ---
 
+## 4 · `stella vuln observations` (Overlay paging)
+
+`stella vuln observations` lists raw advisory observations for downstream overlays (Graph Explorer, Policy simulations, Console). Large tenants can now page through results deterministically.
+
+| Option | Description |
+|--------|-------------|
+| `--limit <count>` | Caps the number of observations returned in a single call. Defaults to `200`; values above `500` are clamped server-side. |
+| `--cursor <token>` | Opaque continuation token produced by the previous page (`nextCursor` in JSON output). Pass it back to resume iteration. |
+
+Additional notes:
+
+- Table mode prints a hint when `hasMore` is `true`:  
+  `[yellow]More observations available. Continue with --cursor <token>[/]`.
+- JSON mode returns `nextCursor` and `hasMore` alongside the observation list so automation can loop until `hasMore` is `false`.
+- Supplying a non-positive limit falls back to the default (`200`). Invalid/expired cursors yield `400 Bad Request`; restart without `--cursor` to begin a fresh iteration.
+
+---
+
 ## 5 · Related references
 
 - [Aggregation-Only Contract reference](../ingestion/aggregation-only-contract.md)
@@ -282,4 +303,14 @@ Use these codes in CI to map outcomes to build statuses or alert severities.
 
 ---
 
-*Last updated: 2025-10-26 (Sprint 19).* 
+*Last updated: 2025-10-29 (Sprint 24).*
+
+## 13. Authority configuration quick reference
+
+| Setting | Purpose | How to set |
+|---------|---------|------------|
+| `StellaOps:Authority:OperatorReason` | Incident/change description recorded with `orch:operate` tokens. | CLI flag `--Authority:OperatorReason=...` or env `STELLAOPS_ORCH_REASON`. |
+| `StellaOps:Authority:OperatorTicket` | Change/incident ticket reference paired with orchestrator control actions. | CLI flag `--Authority:OperatorTicket=...` or env `STELLAOPS_ORCH_TICKET`. |
+
+> Tokens requesting `orch:operate` will fail with `invalid_request` unless both values are present. Choose concise strings (≤256 chars for reason, ≤128 chars for ticket) and avoid sensitive data.
+