feat: Implement console session management with tenant and profile handling

- Add ConsoleSessionStore for managing console session state including tenants, profile, and token information.
- Create OperatorContextService to manage operator context for orchestrator actions.
- Implement OperatorMetadataInterceptor to enrich HTTP requests with operator context metadata.
- Develop ConsoleProfileComponent to display user profile and session details, including tenant information and access tokens.
- Add corresponding HTML and SCSS for ConsoleProfileComponent to enhance UI presentation.
- Write unit tests for ConsoleProfileComponent to ensure correct rendering and functionality.

docs/ui/policies.md

@@ -13,12 +13,13 @@ The Policies workspace centralises authoring, simulation, review, and promotion
   - `/console/policies` (list)  
   - `/console/policies/:policyId` (details)  
   - `/console/policies/:policyId/:revision` (editor, approvals, runs)  
-- **Scopes:**  
+- **Scopes / roles:**  
   - `policy:read` (list and details)  
-  - `policy:write` (edit drafts, run lint/compile)  
-  - `policy:submit`, `policy:review`, `policy:approve` (workflow actions)  
-  - `policy:runs` (view run history)  
+  - `policy:author` (edit drafts, run lint/compile)  
+  - `policy:review`, `policy:approve` (workflow actions)  
+  - `policy:operate` (promotions, run orchestration)  
   - `policy:simulate` (run simulations)  
+  - `policy:audit` (download audit bundles)  
   - `effective:write` (promotion visibility only; actual write remains server-side)  
 - **Feature flags:** `policy.studio.enabled`, `policy.simulation.diff`, `policy.runCharts.enabled`, `policy.offline.bundleUpload`.  
 - **Dependencies:** Policy Engine v2 APIs (`/policies`, `/policy/runs`, `/policy/simulations`), Policy Studio Monaco assets, Authority fresh-auth flows for critical operations.
@@ -112,10 +113,11 @@ The editor view reuses the structure documented in `/docs/ui/policy-editor.md` a
 
 | Role | Scopes | Capabilities |
 |------|--------|--------------|
-| **Author** | `policy:read`, `policy:write`, `policy:simulate` | Create drafts, run lint/simulations, comment. |
+| **Author** | `policy:read`, `policy:author`, `policy:simulate` | Create drafts, run lint/simulations, comment. |
 | **Reviewer** | `policy:read`, `policy:review`, `policy:simulate` | Leave review comments, request changes. |
-| **Approver** | `policy:read`, `policy:approve`, `policy:runs`, `policy:simulate` | Approve/promote, trigger runs, view run history. |
-| **Operator** | `policy:read`, `policy:runs`, `policy:simulate`, `effective:write` | Schedule promotions, monitor runs (no editing). |
+| **Approver** | `policy:read`, `policy:approve`, `policy:operate`, `policy:simulate` | Approve/promote, trigger runs, view run history. |
+| **Operator** | `policy:read`, `policy:operate`, `policy:simulate`, `effective:write` | Schedule promotions, monitor runs (no editing). |
+| **Auditor** | `policy:read`, `policy:audit`, `policy:simulate` | View immutable history, export audit bundles. |
 | **Admin** | Above plus Authority admin scopes | Manage roles, configure escalation chains. |
 
 UI disables controls not allowed by current scope and surfaces tooltip with required scope names. Audit log captures denied attempts (`policy.ui.action_denied`).
@@ -188,4 +190,3 @@ UI disables controls not allowed by current scope and surfaces tooltip with requ
 ---
 
 *Last updated: 2025-10-26 (Sprint 23).* 
-

docs/ui/policy-editor.md

@@ -10,11 +10,13 @@ The Policy Editor is the primary Console workspace for composing, simulating, an
 ## 1 · Access & Prerequisites
 
 - **Routes:** `/console/policy` (list) → `/console/policy/:policyId/:version?`.
-- **Scopes:** 
-  - `policy:write` to edit drafts, run lint/compile, attach simulations.
-  - `policy:submit` / `policy:review` / `policy:approve` for workflow actions.
-  - `policy:run` to trigger runs, `policy:runs` to inspect history.
-  - `findings:read` to open explain drawers.
+- **Scopes / roles:**
+  - `policy:author` (role `policy-author`) to edit drafts, run lint/compile, and execute quick simulations.
+  - `policy:review` (role `policy-reviewer`) to review drafts, leave comments, and request changes.
+  - `policy:approve` (role `policy-approver`) to approve or reject submissions.
+  - `policy:operate` (role `policy-operator`) to trigger batch simulations, promotions, and canary runs.
+  - `policy:audit` (role `policy-auditor`) to access immutable history and audit exports.
+  - `policy:simulate` to run simulations from Console; `findings:read` to open explain drawers.
 - **Feature flags:** `policyStudio.enabled` (defaults true once Policy Engine v2 API available).
 - **Browser support:** Evergreen Chrome, Edge, Firefox, Safari (last two versions). Uses WASM OPA sandbox; ensure COOP/COEP enabled per [UI architecture](../ARCHITECTURE_UI.md).
 
@@ -175,4 +177,3 @@ The Policy Editor is the primary Console workspace for composing, simulating, an
 ---
 
 *Last updated: 2025-10-26 (Sprint 20).*
-