feat: Implement vulnerability token signing and verification utilities

- Added VulnTokenSigner for signing JWT tokens with specified algorithms and keys.
- Introduced VulnTokenUtilities for resolving tenant and subject claims, and sanitizing context dictionaries.
- Created VulnTokenVerificationUtilities for parsing tokens, verifying signatures, and deserializing payloads.
- Developed VulnWorkflowAntiForgeryTokenIssuer for issuing anti-forgery tokens with configurable options.
- Implemented VulnWorkflowAntiForgeryTokenVerifier for verifying anti-forgery tokens and validating payloads.
- Added AuthorityVulnerabilityExplorerOptions to manage configuration for vulnerability explorer features.
- Included tests for FilesystemPackRunDispatcher to ensure proper job handling under egress policy restrictions.

docs/modules/vuln-explorer/architecture.md

@@ -47,18 +47,25 @@ CLI mirrors these endpoints (`stella findings list|view|update|export`). Console
 - Scheduler integration triggers follow-up scans or policy re-evaluation when remediation plan reaches checkpoint.
 - Zastava (Differential SBOM) feeds runtime exposure signals to reprioritise findings automatically.
 
-## 5) Observability & compliance
-
-- Metrics: `findings_open_total{severity,tenant}`, `findings_mttr_seconds`, `triage_actions_total{type}`, `report_generation_seconds`.
-- Logs: structured with `findingId`, `artifactId`, `advisory`, `policyVersion`, `actor`, `actionType`.
-- Audit exports: `audit_log.jsonl` appended whenever state changes; offline bundles include signed audit log and manifest.
-- Compliance: accepted risk requires dual approval and stores justification plus expiry reminders (raised through Notify).
-
-## 6) Offline bundle requirements
-
-- Bundle structure:
-  - `manifest.json` (hashes, counts, policy version, generation timestamp).
-  - `findings.jsonl` (current open findings).
+## 5) Observability & compliance
+
+- Metrics: `findings_open_total{severity,tenant}`, `findings_mttr_seconds`, `triage_actions_total{type}`, `report_generation_seconds`.
+- Logs: structured with `findingId`, `artifactId`, `advisory`, `policyVersion`, `actor`, `actionType`.
+- Audit exports: `audit_log.jsonl` appended whenever state changes; offline bundles include signed audit log and manifest.
+- Compliance: accepted risk requires dual approval and stores justification plus expiry reminders (raised through Notify).
+
+## 6) Identity & access integration
+
+- **Scopes** – `vuln:view`, `vuln:investigate`, `vuln:operate`, `vuln:audit` map to read-only, triage, workflow, and audit experiences respectively. The deprecated `vuln:read` scope is still honoured for legacy tokens but is no longer advertised.
+- **Attribute filters (ABAC)** – Authority enforces per-service-account filters via the client-credential parameters `vuln_env`, `vuln_owner`, and `vuln_business_tier`. Service accounts define the allowed values in `authority.yaml` (`attributes` block). Tokens include the resolved filters as claims (`stellaops:vuln_env`, `stellaops:vuln_owner`, `stellaops:vuln_business_tier`), and tokens persisted to Mongo retain the same values for audit and revocation.
+- **Audit trail** – Every token issuance emits `authority.vuln_attr.*` audit properties that mirror the resolved filter set, along with `delegation.service_account` and ordered `delegation.actor[n]` entries so Vuln Explorer can correlate access decisions.
+- **Permalinks** – Signed permalinks inherit the caller’s ABAC filters; consuming services must enforce the embedded claims in addition to scope checks when resolving permalinks.
+
+## 7) Offline bundle requirements
+
+- Bundle structure:
+  - `manifest.json` (hashes, counts, policy version, generation timestamp).
+  - `findings.jsonl` (current open findings).
   - `history.jsonl` (state changes).
   - `actions.jsonl` (comments, assignments, tickets).
   - `reports/` (generated PDFs/CSVs).

docs/modules/vuln-explorer/implementation_plan.md

@@ -1,70 +1,70 @@
-# Implementation plan — Vulnerability Explorer
-
-## Delivery phases
-- **Phase 1 – Findings Ledger & resolver**  
-  Create append-only ledger, projector, ecosystem resolvers (npm/Maven/PyPI/Go/RPM/DEB), canonical advisory keys, and provenance hashing.
-- **Phase 2 – API & simulation**  
-  Ship Vuln Explorer API (list/detail/grouping/simulation), batch evaluation with Policy Engine rationales, and export orchestrator.
-- **Phase 3 – Console & CLI workflows**  
-  Deliver triage UI (assignments, comments, remediation plans, simulation bar), keyboard accessibility, and CLI commands (`stella vuln ...`) with JSON/CSV output.
-- **Phase 4 – Automation & integrations**  
-  Integrate Advisory AI hints, Zastava runtime exposure, Notify rules, Scheduler follow-up scans, and Graph Explorer deep links.
-- **Phase 5 – Exports & offline parity**  
-  Generate deterministic bundles (JSON, CSV, PDF, Offline Kit manifests), audit logs, and signed reports.
-- **Phase 6 – Observability & hardening**  
-  Complete dashboards (projection lag, MTTR, accepted-risk cadence), alerts, runbooks, performance tuning (5M findings/tenant), and security/RBAC validation.
-
-## Work breakdown
-- **Findings Ledger**
-  - Define event schema, Merkle root anchoring, append-only storage, history tables.
-  - Projector to `finding_records` and `finding_history`, idempotent event processing, time travel snapshots.
-  - Resolver pipelines referencing SBOM inventory deltas, policy outputs, VEX consensus, runtime signals.
-- **API & exports**
-  - REST endpoints (`/v1/findings`, `/v1/findings/{id}`, `/actions`, `/reports`, `/exports`) with ABAC filters.
-  - Simulation endpoint returning diffs, integration with Policy Engine batch evaluation.
-  - Export jobs for JSON/CSV/PDF plus Offline Kit bundle assembly and signing.
-- **Console**
-  - Feature module `vuln-explorer` with grid, filters, saved views, deep links, detail tabs (policy, evidence, paths, remediation).
-  - Simulation drawer, delta chips, accepted-risk approvals, evidence bundle viewer.
-  - Accessibility (keyboard navigation, ARIA), virtualization for large result sets.
-- **CLI**
-  - Commands `stella vuln list|show|simulate|assign|accept-risk|verify-fix|export`.
-  - Stable schemas for automation; piping support; tests for exit codes.
-- **Integrations**
-  - Conseiller/Excitator: normalized advisory keys, linksets, evidence retrieval.
-  - SBOM Service: inventory deltas with scope/runtime flags, safe version hints.
-  - Notify: events for SLA breaches, accepted-risk expiries, remediation deadlines.
-  - Scheduler: trigger rescans when remediation plan milestones complete.
-- **Observability & ops**
-  - Metrics (open findings, MTTR, projection lag, export duration, SLA burn), logs/traces with correlation IDs.
-  - Alerting on projector backlog, API 5xx spikes, export failures, accepted-risk nearing expiry.
-  - Runbooks covering recompute storms, mapping errors, report issues.
-
-## Acceptance criteria
-- Ledger/event sourcing reproduces historical states byte-for-byte; Merkle hashes verify integrity.
-- Resolver respects ecosystem semantics, scope, and runtime context; path evidence presented in UI/CLI.
-- Triage workflows (assignment, comments, accepted-risk) enforce justification and approval requirements with audit records.
-- Simulation returns policy diffs without mutating state; CLI/UI parity achieved for simulation and exports.
-- Exports and Offline Kit bundles reproducible with signed manifests and provenance; reports available in JSON/CSV/PDF.
-- Observability dashboards show green SLOs, alerts fire for projection lag or SLA burns, and runbooks documented.
-- RBAC/ABAC validated; attachments encrypted; tenant isolation guaranteed.
-
-## Risks & mitigations
-- **Advisory identity collisions:** strict canonicalization, linkset references, raw evidence access.
-- **Resolver inaccuracies:** property-based tests, path verification, manual override workflows.
-- **Projection lag/backlog:** autoscaling, queue backpressure, alerting, pause controls.
-- **Export size/performance:** streaming NDJSON, size estimators, chunked downloads.
-- **User confusion on suppression:** rationale tab, explicit badges, explain traces.
-
-## Test strategy
-- **Unit:** resolver algorithms, state machine transitions, policy mapping, export builders.
-- **Integration:** ingestion → ledger → projector → API flow, simulation, Notify notifications.
-- **E2E:** Console triage scenarios, CLI flows, accessibility tests.
-- **Performance:** 5M findings/tenant, projection rebuild, export generation.
-- **Security:** RBAC/ABAC matrix, CSRF, attachment encryption, signed URL expiry.
-- **Determinism:** time-travel snapshots, export manifest hashing, Offline Kit replay.
-
-## Definition of done
-- Services, UI/CLI, integrations, exports, and observability deployed with runbooks and Offline Kit parity.
-- Documentation suite (overview, using-console, API, CLI, findings ledger, policy mapping, VEX/SBOM integration, telemetry, security, runbooks, install) updated with imposed rule statement.
-- ./TASKS.md and ../../TASKS.md reflect active progress; compliance checklists appended where required.
+# Implementation plan — Vulnerability Explorer
+
+## Delivery phases
+- **Phase 1 – Findings Ledger & resolver**  
+  Create append-only ledger, projector, ecosystem resolvers (npm/Maven/PyPI/Go/RPM/DEB), canonical advisory keys, and provenance hashing.
+- **Phase 2 – API & simulation**  
+  Ship Vuln Explorer API (list/detail/grouping/simulation), batch evaluation with Policy Engine rationales, and export orchestrator.
+- **Phase 3 – Console & CLI workflows**  
+  Deliver triage UI (assignments, comments, remediation plans, simulation bar), keyboard accessibility, and CLI commands (`stella vuln ...`) with JSON/CSV output.
+- **Phase 4 – Automation & integrations**  
+  Integrate Advisory AI hints, Zastava runtime exposure, Notify rules, Scheduler follow-up scans, and Graph Explorer deep links.
+- **Phase 5 – Exports & offline parity**  
+  Generate deterministic bundles (JSON, CSV, PDF, Offline Kit manifests), audit logs, and signed reports.
+- **Phase 6 – Observability & hardening**  
+  Complete dashboards (projection lag, MTTR, accepted-risk cadence), alerts, runbooks, performance tuning (5M findings/tenant), and security/RBAC validation.
+
+## Work breakdown
+- **Findings Ledger**
+  - Define event schema, Merkle root anchoring, append-only storage, history tables.
+  - Projector to `finding_records` and `finding_history`, idempotent event processing, time travel snapshots.
+  - Resolver pipelines referencing SBOM inventory deltas, policy outputs, VEX consensus, runtime signals.
+- **API & exports**
+  - REST endpoints (`/v1/findings`, `/v1/findings/{id}`, `/actions`, `/reports`, `/exports`) with ABAC filters.
+  - Simulation endpoint returning diffs, integration with Policy Engine batch evaluation.
+  - Export jobs for JSON/CSV/PDF plus Offline Kit bundle assembly and signing.
+- **Console**
+  - Feature module `vuln-explorer` with grid, filters, saved views, deep links, detail tabs (policy, evidence, paths, remediation).
+  - Simulation drawer, delta chips, accepted-risk approvals, evidence bundle viewer.
+  - Accessibility (keyboard navigation, ARIA), virtualization for large result sets.
+- **CLI**
+  - Commands `stella vuln list|show|simulate|assign|accept-risk|verify-fix|export`.
+  - Stable schemas for automation; piping support; tests for exit codes.
+- **Integrations**
+  - Conseiller/Excitor: normalized advisory keys, linksets, evidence retrieval.
+  - SBOM Service: inventory deltas with scope/runtime flags, safe version hints.
+  - Notify: events for SLA breaches, accepted-risk expiries, remediation deadlines.
+  - Scheduler: trigger rescans when remediation plan milestones complete.
+- **Observability & ops**
+  - Metrics (open findings, MTTR, projection lag, export duration, SLA burn), logs/traces with correlation IDs.
+  - Alerting on projector backlog, API 5xx spikes, export failures, accepted-risk nearing expiry.
+  - Runbooks covering recompute storms, mapping errors, report issues.
+
+## Acceptance criteria
+- Ledger/event sourcing reproduces historical states byte-for-byte; Merkle hashes verify integrity.
+- Resolver respects ecosystem semantics, scope, and runtime context; path evidence presented in UI/CLI.
+- Triage workflows (assignment, comments, accepted-risk) enforce justification and approval requirements with audit records.
+- Simulation returns policy diffs without mutating state; CLI/UI parity achieved for simulation and exports.
+- Exports and Offline Kit bundles reproducible with signed manifests and provenance; reports available in JSON/CSV/PDF.
+- Observability dashboards show green SLOs, alerts fire for projection lag or SLA burns, and runbooks documented.
+- RBAC/ABAC validated; attachments encrypted; tenant isolation guaranteed.
+
+## Risks & mitigations
+- **Advisory identity collisions:** strict canonicalization, linkset references, raw evidence access.
+- **Resolver inaccuracies:** property-based tests, path verification, manual override workflows.
+- **Projection lag/backlog:** autoscaling, queue backpressure, alerting, pause controls.
+- **Export size/performance:** streaming NDJSON, size estimators, chunked downloads.
+- **User confusion on suppression:** rationale tab, explicit badges, explain traces.
+
+## Test strategy
+- **Unit:** resolver algorithms, state machine transitions, policy mapping, export builders.
+- **Integration:** ingestion → ledger → projector → API flow, simulation, Notify notifications.
+- **E2E:** Console triage scenarios, CLI flows, accessibility tests.
+- **Performance:** 5M findings/tenant, projection rebuild, export generation.
+- **Security:** RBAC/ABAC matrix, CSRF, attachment encryption, signed URL expiry.
+- **Determinism:** time-travel snapshots, export manifest hashing, Offline Kit replay.
+
+## Definition of done
+- Services, UI/CLI, integrations, exports, and observability deployed with runbooks and Offline Kit parity.
+- Documentation suite (overview, using-console, API, CLI, findings ledger, policy mapping, VEX/SBOM integration, telemetry, security, runbooks, install) updated with imposed rule statement.
+- ./TASKS.md and ../../TASKS.md reflect active progress; compliance checklists appended where required.