Add Policy DSL Validator, Schema Exporter, and Simulation Smoke tools

- Implemented PolicyDslValidator with command-line options for strict mode and JSON output.
- Created PolicySchemaExporter to generate JSON schemas for policy-related models.
- Developed PolicySimulationSmoke tool to validate policy simulations against expected outcomes.
- Added project files and necessary dependencies for each tool.
- Ensured proper error handling and usage instructions across tools.

src/StellaOps.Authority/StellaOps.Auth.Abstractions/StellaOpsScopes.cs

@@ -24,29 +24,125 @@ public static class StellaOpsScopes
     public const string AuthorityUsersManage = "authority.users.manage";
 
     /// <summary>
-    /// Scope granting administrative access to Authority client registrations.
-    /// </summary>
-    public const string AuthorityClientsManage = "authority.clients.manage";
-
-    /// <summary>
-    /// Scope granting read-only access to Authority audit logs.
-    /// </summary>
-    public const string AuthorityAuditRead = "authority.audit.read";
-
-    /// <summary>
-    /// Synthetic scope representing trusted network bypass.
-    /// </summary>
-    public const string Bypass = "stellaops.bypass";
-
-    private static readonly HashSet<string> KnownScopes = new(StringComparer.OrdinalIgnoreCase)
-    {
-        ConcelierJobsTrigger,
-        ConcelierMerge,
-        AuthorityUsersManage,
-        AuthorityClientsManage,
-        AuthorityAuditRead,
-        Bypass
-    };
+    /// Scope granting administrative access to Authority client registrations.
+    /// </summary>
+    public const string AuthorityClientsManage = "authority.clients.manage";
+
+    /// <summary>
+    /// Scope granting read-only access to Authority audit logs.
+    /// </summary>
+    public const string AuthorityAuditRead = "authority.audit.read";
+
+    /// <summary>
+    /// Synthetic scope representing trusted network bypass.
+    /// </summary>
+    public const string Bypass = "stellaops.bypass";
+
+    /// <summary>
+    /// Scope granting read-only access to raw advisory ingestion data.
+    /// </summary>
+    public const string AdvisoryRead = "advisory:read";
+
+    /// <summary>
+    /// Scope granting write access for raw advisory ingestion.
+    /// </summary>
+    public const string AdvisoryIngest = "advisory:ingest";
+
+    /// <summary>
+    /// Scope granting read-only access to raw VEX ingestion data.
+    /// </summary>
+    public const string VexRead = "vex:read";
+
+    /// <summary>
+    /// Scope granting write access for raw VEX ingestion.
+    /// </summary>
+    public const string VexIngest = "vex:ingest";
+
+    /// <summary>
+    /// Scope granting permission to execute aggregation-only contract verification.
+    /// </summary>
+    public const string AocVerify = "aoc:verify";
+
+    /// <summary>
+    /// Scope granting permission to create or edit policy drafts.
+    /// </summary>
+    public const string PolicyWrite = "policy:write";
+
+    /// <summary>
+    /// Scope granting permission to submit drafts for review.
+    /// </summary>
+    public const string PolicySubmit = "policy:submit";
+
+    /// <summary>
+    /// Scope granting permission to approve or reject policies.
+    /// </summary>
+    public const string PolicyApprove = "policy:approve";
+
+    /// <summary>
+    /// Scope granting permission to trigger policy runs and activation workflows.
+    /// </summary>
+    public const string PolicyRun = "policy:run";
+
+    /// <summary>
+    /// Scope granting read-only access to effective findings materialised by Policy Engine.
+    /// </summary>
+    public const string FindingsRead = "findings:read";
+
+    /// <summary>
+    /// Scope granted to Policy Engine service identity for writing effective findings.
+    /// </summary>
+    public const string EffectiveWrite = "effective:write";
+
+    /// <summary>
+    /// Scope granting read-only access to graph queries and overlays.
+    /// </summary>
+    public const string GraphRead = "graph:read";
+
+    /// <summary>
+    /// Scope granting read-only access to Vuln Explorer resources and permalinks.
+    /// </summary>
+    public const string VulnRead = "vuln:read";
+
+    /// <summary>
+    /// Scope granting permission to enqueue or mutate graph build jobs.
+    /// </summary>
+    public const string GraphWrite = "graph:write";
+
+    /// <summary>
+    /// Scope granting permission to export graph artefacts (GraphML/JSONL/etc.).
+    /// </summary>
+    public const string GraphExport = "graph:export";
+
+    /// <summary>
+    /// Scope granting permission to trigger what-if simulations on graphs.
+    /// </summary>
+    public const string GraphSimulate = "graph:simulate";
+
+    private static readonly HashSet<string> KnownScopes = new(StringComparer.OrdinalIgnoreCase)
+    {
+        ConcelierJobsTrigger,
+        ConcelierMerge,
+        AuthorityUsersManage,
+        AuthorityClientsManage,
+        AuthorityAuditRead,
+        Bypass,
+        AdvisoryRead,
+        AdvisoryIngest,
+        VexRead,
+        VexIngest,
+        AocVerify,
+        PolicyWrite,
+        PolicySubmit,
+        PolicyApprove,
+        PolicyRun,
+        FindingsRead,
+        EffectiveWrite,
+        GraphRead,
+        VulnRead,
+        GraphWrite,
+        GraphExport,
+        GraphSimulate
+    };
 
     /// <summary>
     /// Normalises a scope string (trim/convert to lower case).