feat: Implement console session management with tenant and profile handling

- Add ConsoleSessionStore for managing console session state including tenants, profile, and token information.
- Create OperatorContextService to manage operator context for orchestrator actions.
- Implement OperatorMetadataInterceptor to enrich HTTP requests with operator context metadata.
- Develop ConsoleProfileComponent to display user profile and session details, including tenant information and access tokens.
- Add corresponding HTML and SCSS for ConsoleProfileComponent to enhance UI presentation.
- Write unit tests for ConsoleProfileComponent to ensure correct rendering and functionality.

etc/authority.yaml.sample

@@ -11,7 +11,7 @@ schemaVersion: 1
 issuer: "https://authority.stella-ops.local"
 
 # Token lifetimes expressed as HH:MM:SS or DD.HH:MM:SS.
-accessTokenLifetime: "00:15:00"
+accessTokenLifetime: "00:02:00"
 refreshTokenLifetime: "30.00:00:00"
 identityTokenLifetime: "00:05:00"
 authorizationCodeLifetime: "00:05:00"
@@ -151,12 +151,39 @@ clients:
     displayName: "Policy Automation CLI"
     grantTypes: [ "client_credentials" ]
     audiences: [ "api://policy-engine" ]
-    scopes: [ "policy:write", "policy:submit", "policy:run", "findings:read" ]
+    scopes: [ "policy:read", "policy:author", "policy:review", "policy:simulate", "findings:read" ]
     tenant: "tenant-default"
     senderConstraint: "dpop"
     auth:
       type: "client_secret"
       secretFile: "../secrets/policy-cli.secret"
+  - clientId: "exceptions-service"
+    displayName: "Policy Engine Exceptions Worker"
+    grantTypes: [ "client_credentials" ]
+    audiences: [ "api://policy-engine" ]
+    scopes: [ "exceptions:read", "exceptions:write" ]
+    tenant: "tenant-default"
+    senderConstraint: "dpop"
+    auth:
+      type: "client_secret"
+      secretFile: "../secrets/exceptions-service.secret"
+  - clientId: "console-web"
+    displayName: "StellaOps Console"
+    grantTypes: [ "authorization_code", "refresh_token" ]
+    audiences: [ "console" ]
+    scopes: [ "openid", "profile", "email", "ui.read", "authority:tenants.read", "advisory:read", "vex:read", "exceptions:read", "exceptions:approve", "aoc:verify", "findings:read", "orch:read", "vuln:read" ]
+    # exceptions:approve is elevated via fresh-auth and requires an MFA-capable identity provider.
+    tenant: "tenant-default"
+    senderConstraint: "dpop"
+    redirectUris:
+      - "https://console.stella-ops.local/oidc/callback"
+    postLogoutRedirectUris:
+      - "https://console.stella-ops.local/"
+    # Gateway must forward X-Stella-Tenant for /console endpoints; fresh-auth window (300s)
+    # returned by /console/profile governs admin actions in the Console UI.
+    auth:
+      type: "client_secret"
+      secretFile: "../secrets/console-web.secret"
   - clientId: "cartographer-service"
     displayName: "Cartographer Service"
     grantTypes: [ "client_credentials" ]
@@ -179,6 +206,26 @@ clients:
     auth:
       type: "client_secret"
       secretFile: "../secrets/graph-api.secret"
+  - clientId: "export-center-operator"
+    displayName: "Export Center Operator"
+    grantTypes: [ "client_credentials" ]
+    audiences: [ "api://export-center" ]
+    scopes: [ "export.viewer", "export.operator" ]
+    tenant: "tenant-default"
+    senderConstraint: "dpop"
+    auth:
+      type: "client_secret"
+      secretFile: "../secrets/export-center-operator.secret"
+  - clientId: "export-center-admin"
+    displayName: "Export Center Admin"
+    grantTypes: [ "client_credentials" ]
+    audiences: [ "api://export-center" ]
+    scopes: [ "export.viewer", "export.operator", "export.admin" ]
+    tenant: "tenant-default"
+    senderConstraint: "dpop"
+    auth:
+      type: "client_secret"
+      secretFile: "../secrets/export-center-admin.secret"
   - clientId: "vuln-explorer-ui"
     displayName: "Vuln Explorer UI"
     grantTypes: [ "client_credentials" ]
@@ -189,6 +236,53 @@ clients:
     auth:
       type: "client_secret"
       secretFile: "../secrets/vuln-explorer-ui.secret"
+  # Signals sensors must request aoc:verify alongside write scope.
+  - clientId: "signals-uploader"
+    displayName: "Signals Sensor"
+    grantTypes: [ "client_credentials" ]
+    audiences: [ "api://signals" ]
+    scopes: [ "signals:write", "signals:read", "aoc:verify" ]
+    tenant: "tenant-default"
+    senderConstraint: "dpop"
+    auth:
+      type: "client_secret"
+      secretFile: "../secrets/signals-uploader.secret"
+
+tenants:
+  - name: "tenant-default"
+    roles:
+      orch-viewer:
+        scopes: [ "orch:read" ]
+      orch-operator:
+        scopes: [ "orch:read", "orch:operate" ]
+      policy-author:
+        scopes: [ "policy:author", "policy:read", "policy:simulate", "findings:read" ]
+      policy-reviewer:
+        scopes: [ "policy:review", "policy:read", "policy:simulate", "findings:read" ]
+      policy-approver:
+        scopes: [ "policy:approve", "policy:review", "policy:read", "policy:simulate", "findings:read" ]
+      policy-operator:
+        scopes: [ "policy:operate", "policy:run", "policy:activate", "policy:read", "policy:simulate", "findings:read" ]
+      policy-auditor:
+        scopes: [ "policy:audit", "policy:read", "policy:simulate", "findings:read" ]
+      export-viewer:
+        scopes: [ "export.viewer" ]
+      export-operator:
+        scopes: [ "export.viewer", "export.operator" ]
+      export-admin:
+        scopes: [ "export.viewer", "export.operator", "export.admin" ]
+
+# Exception approval routing templates used by Policy Engine and Console.
+exceptions:
+  routingTemplates:
+    - id: "secops"
+      authorityRouteId: "approvals/secops"
+      requireMfa: true
+      description: "Security Operations approval chain"
+    - id: "governance"
+      authorityRouteId: "approvals/governance"
+      requireMfa: false
+      description: "Governance review (non-production)"
 
 # CIDR ranges that bypass network-sensitive policies (e.g. on-host cron jobs).
 # Keep the list tight: localhost is sufficient for most air-gapped installs.