feat: Implement vulnerability token signing and verification utilities

- Added VulnTokenSigner for signing JWT tokens with specified algorithms and keys.
- Introduced VulnTokenUtilities for resolving tenant and subject claims, and sanitizing context dictionaries.
- Created VulnTokenVerificationUtilities for parsing tokens, verifying signatures, and deserializing payloads.
- Developed VulnWorkflowAntiForgeryTokenIssuer for issuing anti-forgery tokens with configurable options.
- Implemented VulnWorkflowAntiForgeryTokenVerifier for verifying anti-forgery tokens and validating payloads.
- Added AuthorityVulnerabilityExplorerOptions to manage configuration for vulnerability explorer features.
- Included tests for FilesystemPackRunDispatcher to ensure proper job handling under egress policy restrictions.

etc/authority.yaml.sample

@@ -80,6 +80,10 @@ delegation:
         - "findings:read"
       authorizedClients:
         - "export-center-worker"
+      attributes:
+        env: [ "prod", "stage" ]
+        owner: [ "secops" ]
+        business_tier: [ "tier-1" ]
     # - accountId: "svc-airgap-import"
     #   tenant: "tenant-default"
     #   displayName: "Airgap Import Service Account"
@@ -242,7 +246,7 @@ clients:
     displayName: "StellaOps Console"
     grantTypes: [ "authorization_code", "refresh_token" ]
     audiences: [ "console" ]
-    scopes: [ "openid", "profile", "email", "ui.read", "authority:tenants.read", "advisory:read", "vex:read", "exceptions:read", "exceptions:approve", "aoc:verify", "findings:read", "airgap:status:read", "obs:read", "obs:incident", "timeline:read", "evidence:read", "attest:read", "orch:read", "vuln:read" ]
+    scopes: [ "openid", "profile", "email", "ui.read", "authority:tenants.read", "advisory:read", "vex:read", "exceptions:read", "exceptions:approve", "aoc:verify", "findings:read", "airgap:status:read", "obs:read", "obs:incident", "timeline:read", "evidence:read", "attest:read", "orch:read", "vuln:view", "vuln:investigate", "vuln:operate", "vuln:audit" ]
     # exceptions:approve is elevated via fresh-auth and requires an MFA-capable identity provider.
     tenant: "tenant-default"
     senderConstraint: "dpop"
@@ -391,7 +395,7 @@ clients:
     displayName: "Vuln Explorer UI"
     grantTypes: [ "client_credentials" ]
     audiences: [ "api://vuln-explorer" ]
-    scopes: [ "vuln:read" ]
+    scopes: [ "vuln:view", "vuln:investigate", "vuln:operate", "vuln:audit" ]
     tenant: "tenant-default"
     senderConstraint: "dpop"
     auth:
@@ -473,6 +477,30 @@ tenants:
         scopes: [ "advisory-ai:view", "advisory-ai:operate" ]
       advisory-ai-admin:
         scopes: [ "advisory-ai:view", "advisory-ai:operate", "advisory-ai:admin" ]
+      vuln-viewer:
+        scopes: [ "vuln:view" ]
+        attributes:
+          env: [ "*" ]
+          owner: [ "*" ]
+          business_tier: [ "*" ]
+      vuln-investigator:
+        scopes: [ "vuln:view", "vuln:investigate" ]
+        attributes:
+          env: [ "*" ]
+          owner: [ "*" ]
+          business_tier: [ "*" ]
+      vuln-operator:
+        scopes: [ "vuln:view", "vuln:investigate", "vuln:operate" ]
+        attributes:
+          env: [ "*" ]
+          owner: [ "*" ]
+          business_tier: [ "*" ]
+      vuln-auditor:
+        scopes: [ "vuln:view", "vuln:audit" ]
+        attributes:
+          env: [ "*" ]
+          owner: [ "*" ]
+          business_tier: [ "*" ]
     advisoryAi:
       remoteInference:
         consentGranted: false

etc/issuer-directory.yaml.sample

@@ -1,4 +1,6 @@
 IssuerDirectory:
+  # Override connection secrets via environment variables (ISSUERDIRECTORY__MONGO__*)
+  # rather than editing this file for production.
   telemetry:
     minimumLogLevel: Information
   authority: