Add Policy DSL Validator, Schema Exporter, and Simulation Smoke tools

- Implemented PolicyDslValidator with command-line options for strict mode and JSON output.
- Created PolicySchemaExporter to generate JSON schemas for policy-related models.
- Developed PolicySimulationSmoke tool to validate policy simulations against expected outcomes.
- Added project files and necessary dependencies for each tool.
- Ensured proper error handling and usage instructions across tools.

etc/authority.yaml

@@ -0,0 +1,151 @@
+# StellaOps Authority configuration (dev profile)
+# Derived from etc/authority.yaml.sample; trimmed to the services needed for local
+# stacks and kept under version control so compose/helm bundles mount a working config.
+
+schemaVersion: 1
+
+issuer: "https://authority.localtest.me"
+
+accessTokenLifetime: "00:15:00"
+refreshTokenLifetime: "30.00:00:00"
+identityTokenLifetime: "00:05:00"
+authorizationCodeLifetime: "00:05:00"
+deviceCodeLifetime: "00:15:00"
+
+storage:
+  connectionString: "mongodb://stellaops:stellaops@mongo:27017/stellaops_authority"
+  databaseName: "stellaops_authority"
+  commandTimeout: "00:00:30"
+
+signing:
+  enabled: true
+  activeKeyId: "authority-signing-dev"
+  keyPath: "../certificates/authority-signing-dev.pem"
+  algorithm: "ES256"
+  keySource: "file"
+
+bootstrap:
+  enabled: false
+  apiKey: "change-me"
+  defaultIdentityProvider: "standard"
+
+pluginDirectories:
+  - "../StellaOps.Authority.PluginBinaries"
+
+plugins:
+  configurationDirectory: "../etc/authority.plugins"
+  descriptors:
+    standard:
+      type: "standard"
+      assemblyName: "StellaOps.Authority.Plugin.Standard"
+      enabled: true
+      configFile: "standard.yaml"
+      capabilities:
+        - password
+        - bootstrap
+        - clientProvisioning
+      metadata:
+        defaultRole: "operators"
+
+clients:
+  - clientId: "policy-engine"
+    displayName: "Policy Engine Service"
+    grantTypes: [ "client_credentials" ]
+    audiences: [ "api://policy-engine" ]
+    scopes: [ "policy:run", "findings:read", "effective:write" ]
+    tenant: "tenant-default"
+    properties:
+      serviceIdentity: "policy-engine"
+    senderConstraint: "dpop"
+    auth:
+      type: "client_secret"
+      secretFile: "../secrets/policy-engine.secret"
+
+  - clientId: "cartographer-service"
+    displayName: "Cartographer Service"
+    grantTypes: [ "client_credentials" ]
+    audiences: [ "api://cartographer" ]
+    scopes: [ "graph:write", "graph:read" ]
+    tenant: "tenant-default"
+    properties:
+      serviceIdentity: "cartographer"
+    senderConstraint: "dpop"
+    auth:
+      type: "client_secret"
+      secretFile: "../secrets/cartographer-service.secret"
+
+  - clientId: "graph-api"
+    displayName: "Graph API Gateway"
+    grantTypes: [ "client_credentials" ]
+    audiences: [ "api://graph-api" ]
+    scopes: [ "graph:read", "graph:export", "graph:simulate" ]
+    tenant: "tenant-default"
+    senderConstraint: "dpop"
+    auth:
+      type: "client_secret"
+      secretFile: "../secrets/graph-api.secret"
+
+  - clientId: "concelier-ingest"
+    displayName: "Concelier Ingestion"
+    grantTypes: [ "client_credentials" ]
+    audiences: [ "api://concelier" ]
+    scopes: [ "advisory:ingest", "advisory:read" ]
+    tenant: "tenant-default"
+    senderConstraint: "dpop"
+    auth:
+      type: "client_secret"
+      secretFile: "../secrets/concelier-ingest.secret"
+
+  - clientId: "excitor-ingest"
+    displayName: "Excititor VEX Ingestion"
+    grantTypes: [ "client_credentials" ]
+    audiences: [ "api://excitor" ]
+    scopes: [ "vex:ingest", "vex:read" ]
+    tenant: "tenant-default"
+    senderConstraint: "dpop"
+    auth:
+      type: "client_secret"
+      secretFile: "../secrets/excitor-ingest.secret"
+
+  - clientId: "graph-api-cli"
+    displayName: "Graph Explorer CLI"
+    grantTypes: [ "client_credentials" ]
+    audiences: [ "api://graph-api" ]
+    scopes: [ "graph:read", "graph:export" ]
+    tenant: "tenant-default"
+    senderConstraint: "dpop"
+    auth:
+      type: "client_secret"
+      secretFile: "../secrets/graph-api-cli.secret"
+
+security:
+  rateLimiting:
+    token:
+      enabled: true
+      permitLimit: 30
+      window: "00:01:00"
+      queueLimit: 0
+    authorize:
+      enabled: true
+      permitLimit: 60
+      window: "00:01:00"
+      queueLimit: 10
+  passwordHashing:
+    algorithm: "Argon2id"
+    memorySizeInKib: 19456
+    iterations: 2
+    parallelism: 1
+  senderConstraints:
+    dpop:
+      enabled: true
+      proofLifetime: "00:05:00"
+      allowedClockSkew: "00:00:10"
+      replayWindow: "00:10:00"
+      nonce:
+        enabled: false
+    mtls:
+      enabled: false
+
+bypassNetworks:
+  - "127.0.0.1/32"
+  - "::1/128"