Fix live evidence and registry auth contracts

devops/compose/docker-compose.stella-ops.yml

@@ -353,7 +353,7 @@ services:
       Platform__EnvironmentSettings__TokenEndpoint: "https://stella-ops.local/connect/token"
       Platform__EnvironmentSettings__RedirectUri: "https://stella-ops.local/auth/callback"
       Platform__EnvironmentSettings__PostLogoutRedirectUri: "https://stella-ops.local/"
-      Platform__EnvironmentSettings__Scope: "openid profile email offline_access ui.read ui.admin ui.preferences.read ui.preferences.write authority:tenants.read authority:users.read authority:roles.read authority:clients.read authority:tokens.read authority:branding.read authority.audit.read graph:read sbom:read scanner:read policy:read policy:simulate policy:author policy:review policy:approve policy:run policy:activate policy:audit policy:edit policy:operate policy:publish airgap:seal airgap:status:read orch:read analytics.read advisory:read advisory-ai:view advisory-ai:operate vex:read vexhub:read exceptions:read exceptions:approve aoc:verify findings:read release:read scheduler:read scheduler:operate notify.viewer notify.operator notify.admin notify.escalate evidence:read export.viewer export.operator export.admin vuln:view vuln:investigate vuln:operate vuln:audit platform.context.read platform.context.write doctor:run doctor:admin ops.health integration:read integration:write integration:operate timeline:read timeline:write"
+      Platform__EnvironmentSettings__Scope: "openid profile email offline_access ui.read ui.admin ui.preferences.read ui.preferences.write authority:tenants.read authority:users.read authority:roles.read authority:clients.read authority:tokens.read authority:branding.read authority.audit.read graph:read sbom:read scanner:read policy:read policy:simulate policy:author policy:review policy:approve policy:run policy:activate policy:audit policy:edit policy:operate policy:publish airgap:seal airgap:status:read orch:read analytics.read advisory:read advisory-ai:view advisory-ai:operate vex:read vexhub:read exceptions:read exceptions:approve aoc:verify findings:read release:read scheduler:read scheduler:operate notify.viewer notify.operator notify.admin notify.escalate evidence:read export.viewer export.operator export.admin vuln:view vuln:investigate vuln:operate vuln:audit platform.context.read platform.context.write doctor:run doctor:admin ops.health integration:read integration:write integration:operate registry.admin timeline:read timeline:write"
       STELLAOPS_ROUTER_URL: "http://router.stella-ops.local"
       STELLAOPS_PLATFORM_URL: "http://platform.stella-ops.local"
       STELLAOPS_AUTHORITY_URL: "http://authority.stella-ops.local"
@@ -452,6 +452,14 @@ services:
       STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__BootstrapUser__Username: "admin"
       STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__BootstrapUser__Password: "Admin@Stella2026!"
       STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__BootstrapUser__Roles__0: "admin"
+      STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__BootstrapClients__0__ClientId: "stella-ops-ui"
+      STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__BootstrapClients__0__DisplayName: "Stella Ops Console"
+      STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__BootstrapClients__0__AllowedGrantTypes: "authorization_code refresh_token"
+      STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__BootstrapClients__0__AllowedScopes: "openid profile email offline_access ui.read ui.admin ui.preferences.read ui.preferences.write authority:tenants.read authority:users.read authority:roles.read authority:clients.read authority:tokens.read authority:branding.read authority.audit.read graph:read sbom:read scanner:read policy:read policy:simulate policy:author policy:review policy:approve policy:run policy:activate policy:audit policy:edit policy:operate policy:publish airgap:seal airgap:status:read orch:read analytics.read advisory:read advisory-ai:view advisory-ai:operate vex:read vexhub:read exceptions:read exceptions:approve aoc:verify findings:read release:read scheduler:read scheduler:operate notify.viewer notify.operator notify.admin notify.escalate evidence:read export.viewer export.operator export.admin vuln:view vuln:investigate vuln:operate vuln:audit platform.context.read platform.context.write doctor:run doctor:admin ops.health integration:read integration:write integration:operate registry.admin timeline:read timeline:write"
+      STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__BootstrapClients__0__RedirectUris: "https://stella-ops.local/auth/callback https://stella-ops.local/auth/silent-refresh https://127.1.0.1/auth/callback https://127.1.0.1/auth/silent-refresh"
+      STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__BootstrapClients__0__PostLogoutRedirectUris: "https://stella-ops.local/ https://127.1.0.1/"
+      STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__BootstrapClients__0__RequirePkce: "true"
+      STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__BootstrapClients__0__AllowPlainTextPkce: "false"
       STELLAOPS_AUTHORITY_AUTHORITY__TENANTS__0__ID: "demo-prod"
       STELLAOPS_AUTHORITY_AUTHORITY__TENANTS__0__DISPLAYNAME: "Demo Production"
       STELLAOPS_AUTHORITY_AUTHORITY__TENANTS__0__STATUS: "active"

devops/compose/postgres-init/04-authority-schema.sql

@@ -654,9 +654,8 @@ VALUES
             'vuln:view', 'vuln:investigate', 'vuln:operate', 'vuln:audit',
             'platform.context.read', 'platform.context.write',
             'doctor:run', 'doctor:admin', 'ops.health',
-            'integration:read', 'integration:write', 'integration:operate',
+            'integration:read', 'integration:write', 'integration:operate', 'registry.admin',
             'timeline:read', 'timeline:write'],
      ARRAY['authorization_code', 'refresh_token'],
      false, true, '{"tenant": "demo-prod"}'::jsonb)
 ON CONFLICT (client_id) DO NOTHING;
-

devops/compose/router-gateway-local.json

@@ -489,6 +489,12 @@
                                        "TranslatesTo":  "https://vexhub.stella-ops.local/api/vex",
                                        "PreserveAuthHeaders":  true
                                    },
+                                   {
+                                       "Type":  "Microservice",
+                                       "Path":  "/api/admin/plans",
+                                       "TranslatesTo":  "http://registry-token.stella-ops.local/api/admin/plans",
+                                       "PreserveAuthHeaders":  true
+                                   },
                                    {
                                        "Type":  "Microservice",
                                        "Path":  "/api/admin",

devops/compose/router-gateway-local.reverseproxy.json

@@ -448,6 +448,12 @@
                                        "TranslatesTo":  "https://vexhub.stella-ops.local/api/vex",
                                        "PreserveAuthHeaders":  true
                                    },
+                                   {
+                                       "Type":  "ReverseProxy",
+                                       "Path":  "/api/admin/plans",
+                                       "TranslatesTo":  "http://registry-token.stella-ops.local/api/admin/plans",
+                                       "PreserveAuthHeaders":  true
+                                   },
                                    {
                                        "Type":  "ReverseProxy",
                                        "Path":  "/api/admin",