feat: Implement console session management with tenant and profile handling

- Add ConsoleSessionStore for managing console session state including tenants, profile, and token information.
- Create OperatorContextService to manage operator context for orchestrator actions.
- Implement OperatorMetadataInterceptor to enrich HTTP requests with operator context metadata.
- Develop ConsoleProfileComponent to display user profile and session details, including tenant information and access tokens.
- Add corresponding HTML and SCSS for ConsoleProfileComponent to enhance UI presentation.
- Write unit tests for ConsoleProfileComponent to ensure correct rendering and functionality.

scripts/render_docs.py

@@ -29,14 +29,14 @@ import markdown
 
 # Enable fenced code blocks, tables, and definition lists. These cover the
 # Markdown constructs heavily used across the documentation set.
-MD_EXTENSIONS = [
-    "fenced_code",
-    "codehilite",
-    "tables",
-    "toc",
-    "def_list",
-    "admonition",
-]
+MD_EXTENSIONS = [
+    "markdown.extensions.fenced_code",
+    "markdown.extensions.codehilite",
+    "markdown.extensions.tables",
+    "markdown.extensions.toc",
+    "markdown.extensions.def_list",
+    "markdown.extensions.admonition",
+]
 
 HTML_TEMPLATE = """<!DOCTYPE html>
 <html lang=\"en\">

scripts/rotate-policy-cli-secret.sh

@@ -0,0 +1,63 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+usage() {
+  cat <<'EOF'
+Usage: rotate-policy-cli-secret.sh [--output <path>] [--dry-run]
+
+Generates a new random shared secret suitable for the Authority
+`policy-cli` client and optionally writes it to the target file
+in `etc/secrets/` with the standard header comment.
+
+Options:
+  --output <path>  Destination file (default: etc/secrets/policy-cli.secret)
+  --dry-run        Print the generated secret to stdout without writing.
+  -h, --help       Show this help.
+EOF
+}
+
+OUTPUT="etc/secrets/policy-cli.secret"
+DRY_RUN=0
+
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --output)
+      OUTPUT="$2"
+      shift 2
+      ;;
+    --dry-run)
+      DRY_RUN=1
+      shift
+      ;;
+    -h|--help)
+      usage
+      exit 0
+      ;;
+    *)
+      echo "Unknown argument: $1" >&2
+      usage >&2
+      exit 1
+      ;;
+  esac
+done
+
+if ! command -v openssl >/dev/null 2>&1; then
+  echo "openssl is required to generate secrets" >&2
+  exit 1
+fi
+
+# Generate a 48-byte random secret, base64 encoded without padding.
+RAW_SECRET=$(openssl rand -base64 48 | tr -d '\n=')
+SECRET="policy-cli-${RAW_SECRET}"
+
+if [[ "$DRY_RUN" -eq 1 ]]; then
+  echo "$SECRET"
+  exit 0
+fi
+
+cat <<EOF > "$OUTPUT"
+# generated $(date -u +%Y-%m-%dT%H:%M:%SZ) via scripts/rotate-policy-cli-secret.sh
+$SECRET
+EOF
+
+echo "Wrote new policy-cli secret to $OUTPUT"

scripts/verify-policy-scopes.py

@@ -0,0 +1,86 @@
+#!/usr/bin/env python3
+"""Ensure Authority policy client configs use the fine-grained scope set."""
+
+from __future__ import annotations
+
+import sys
+from pathlib import Path
+
+EXPECTED_SCOPES = (
+    "policy:read",
+    "policy:author",
+    "policy:review",
+    "policy:simulate",
+    "findings:read",
+)
+
+
+def extract_scopes(lines: list[str], start_index: int) -> tuple[str, ...] | None:
+    for offset in range(1, 12):
+        if start_index + offset >= len(lines):
+            break
+        line = lines[start_index + offset].strip()
+        if not line:
+            continue
+        if line.startswith("scopes:"):
+            try:
+                raw = line.split("[", 1)[1].rsplit("]", 1)[0]
+            except IndexError:
+                return None
+            scopes = tuple(scope.strip().strip('"') for scope in raw.split(","))
+            scopes = tuple(scope for scope in scopes if scope)
+            return scopes
+    return None
+
+
+def validate(path: Path) -> list[str]:
+    errors: list[str] = []
+    try:
+        text = path.read_text(encoding="utf-8")
+    except FileNotFoundError:
+        return [f"{path}: missing file"]
+
+    if "policy:write" in text or "policy:submit" in text:
+        errors.append(f"{path}: contains legacy policy scope names (policy:write/policy:submit)")
+
+    lines = text.splitlines()
+    client_indices = [idx for idx, line in enumerate(lines) if 'clientId: "policy-cli"' in line]
+    if not client_indices:
+        errors.append(f"{path}: policy-cli client registration not found")
+        return errors
+
+    for idx in client_indices:
+        scopes = extract_scopes(lines, idx)
+        if scopes is None:
+            errors.append(f"{path}: unable to parse scopes for policy-cli client")
+            continue
+        if tuple(sorted(scopes)) != tuple(sorted(EXPECTED_SCOPES)):
+            errors.append(
+                f"{path}: unexpected policy-cli scopes {scopes}; expected {EXPECTED_SCOPES}"
+            )
+
+    return errors
+
+
+def main(argv: list[str]) -> int:
+    repo_root = Path(__file__).resolve().parents[1]
+    targets = [
+        repo_root / "etc" / "authority.yaml",
+        repo_root / "etc" / "authority.yaml.sample",
+    ]
+
+    failures: list[str] = []
+    for target in targets:
+        failures.extend(validate(target))
+
+    if failures:
+        for message in failures:
+            print(f"error: {message}", file=sys.stderr)
+        return 1
+
+    print("policy scope verification passed")
+    return 0
+
+
+if __name__ == "__main__":
+    raise SystemExit(main(sys.argv))