feat: Implement console session management with tenant and profile handling

- Add ConsoleSessionStore for managing console session state including tenants, profile, and token information.
- Create OperatorContextService to manage operator context for orchestrator actions.
- Implement OperatorMetadataInterceptor to enrich HTTP requests with operator context metadata.
- Develop ConsoleProfileComponent to display user profile and session details, including tenant information and access tokens.
- Add corresponding HTML and SCSS for ConsoleProfileComponent to enhance UI presentation.
- Write unit tests for ConsoleProfileComponent to ensure correct rendering and functionality.

docs/ops/authority-key-rotation.md

@@ -81,3 +81,14 @@ Treat these as examples; real environments must maintain their own PEM material.
 - `docs/11_AUTHORITY.md` – Architecture and rotation SOP (Section 5).
 - `docs/ops/authority-backup-restore.md` – Recovery flow referencing this playbook.
 - `ops/authority/README.md` – CLI usage and examples.
+- `scripts/rotate-policy-cli-secret.sh` – Helper to mint new `policy-cli` shared secrets when policy scope bundles change.
+
+## 7. Appendix — Policy CLI secret rotation
+
+Scope migrations such as AUTH-POLICY-23-004 require issuing fresh credentials for the `policy-cli` client. Use the helper script committed with the repo to keep secrets deterministic across environments.
+
+```bash
+./scripts/rotate-policy-cli-secret.sh --output etc/secrets/policy-cli.secret
+```
+
+The script writes a timestamped header and a random secret into the target file. Use `--dry-run` when generating material for external secret stores. After updating secrets in staging/production, recycle the Authority pods and confirm the new client credentials work before the next release freeze.