feat: Implement vulnerability token signing and verification utilities
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled

- Added VulnTokenSigner for signing JWT tokens with specified algorithms and keys.
- Introduced VulnTokenUtilities for resolving tenant and subject claims, and sanitizing context dictionaries.
- Created VulnTokenVerificationUtilities for parsing tokens, verifying signatures, and deserializing payloads.
- Developed VulnWorkflowAntiForgeryTokenIssuer for issuing anti-forgery tokens with configurable options.
- Implemented VulnWorkflowAntiForgeryTokenVerifier for verifying anti-forgery tokens and validating payloads.
- Added AuthorityVulnerabilityExplorerOptions to manage configuration for vulnerability explorer features.
- Included tests for FilesystemPackRunDispatcher to ensure proper job handling under egress policy restrictions.
This commit is contained in:
master
2025-11-03 10:02:29 +02:00
parent bf2bf4b395
commit b1e78fe412
215 changed files with 19441 additions and 12185 deletions

@@ -86,9 +86,13 @@ components:
signals:write: Publish Signals events or mutate state.
stellaops.bypass: Bypass trust boundary protections (restricted identities only).
ui.read: Read Console UX resources.
vex:ingest: Submit VEX ingestion payloads.
vex:read: Read VEX ingestion data.
vuln:read: Read vulnerability permalinks and overlays.
vex:ingest: Submit VEX ingestion payloads.
vex:read: Read VEX ingestion data.
vuln:view: Read vulnerability overlays and issue permalinks.
vuln:investigate: Perform vulnerability triage actions (assign, comment, annotate).
vuln:operate: Execute vulnerability workflow transitions and remediation tasks.
vuln:audit: Access vulnerability audit ledgers and exports.
vuln:read: Read vulnerability permalinks and overlays. (legacy compatibility; prefer vuln:view)
authorizationCode:
authorizationUrl: /authorize
tokenUrl: /token
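Review bot: the retained `vuln:read` scope reads as a legacy alias for `vuln:view`, but the two descriptions differ ("Read vulnerability permalinks and overlays" vs. "Read vulnerability overlays and issue permalinks"), so a reader of the spec cannot tell whether the alias is exactly equivalent or carries a narrower grant. If the intent is equivalence, make the two description strings identical apart from the legacy note, e.g. `vuln:read: Read vulnerability overlays and issue permalinks. (legacy compatibility; prefer vuln:view)`, and state a removal timeline for the alias so consumers know when to migrate. Separately, the new `vuln:investigate`, `vuln:operate` and `vuln:audit` scopes have no counterpart in the commit message's description of the token utilities; a short line in the commit body naming the new scopes would help reviewers map them to the verifier/issuer code this commit adds.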
@@ -150,9 +154,13 @@ components:
signals:write: Publish Signals events or mutate state.
stellaops.bypass: Bypass trust boundary protections (restricted identities only).
ui.read: Read Console UX resources.
vex:ingest: Submit VEX ingestion payloads.
vex:read: Read VEX ingestion data.
vuln:read: Read vulnerability permalinks and overlays.
vex:ingest: Submit VEX ingestion payloads.
vex:read: Read VEX ingestion data.
vuln:view: Read vulnerability overlays and issue permalinks.
vuln:investigate: Perform vulnerability triage actions (assign, comment, annotate).
vuln:operate: Execute vulnerability workflow transitions and remediation tasks.
vuln:audit: Access vulnerability audit ledgers and exports.
vuln:read: Read vulnerability permalinks and overlays. (legacy compatibility; prefer vuln:view)
OAuthClientCredentials:
type: oauth2
description: Client credential exchange for machine-to-machine identities.
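Review bot: this hunk is a verbatim copy of the scope block from the `authorizationCode` flow at line 86, now repeated for `OAuthClientCredentials`, and the same block is copied a third time at line 221. Three hand-maintained copies of a scope list are where scope drift starts (a scope added or a legacy alias removed in one scheme but not the others), so consider defining the scope map once with a YAML anchor (e.g. `scopes: &vulnScopes`) and aliasing it (`scopes: *vulnScopes`) in the other schemes, or generating the spec from the authority's canonical scope registry. Also worth confirming for the client-credentials flow specifically: machine identities receiving `vuln:operate` can execute workflow transitions, so the description or a reviewer comment should say whether that scope is meant to be grantable to non-interactive clients at all.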
@@ -213,9 +221,13 @@ components:
signals:write: Publish Signals events or mutate state.
stellaops.bypass: Bypass trust boundary protections (restricted identities only).
ui.read: Read Console UX resources.
vex:ingest: Submit VEX ingestion payloads.
vex:read: Read VEX ingestion data.
vuln:read: Read vulnerability permalinks and overlays.
vex:ingest: Submit VEX ingestion payloads.
vex:read: Read VEX ingestion data.
vuln:view: Read vulnerability overlays and issue permalinks.
vuln:investigate: Perform vulnerability triage actions (assign, comment, annotate).
vuln:operate: Execute vulnerability workflow transitions and remediation tasks.
vuln:audit: Access vulnerability audit ledgers and exports.
vuln:read: Read vulnerability permalinks and overlays. (legacy compatibility; prefer vuln:view)
schemas:
TokenResponse:
type: object
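Review bot: the deprecation of `vuln:read` exists only as free text inside its description string ("legacy compatibility; prefer vuln:view"), which an OpenAPI scopes map cannot express structurally, so tooling and clients have no machine-readable signal that the scope is on its way out. Document the deprecation in the spec's top-level description or changelog section (and in the authority's scope-validation behaviour, e.g. whether tokens requesting `vuln:read` are issued with `vuln:view` or logged as legacy use) so the alias can eventually be removed from all three schemes in one change. Since this is the third identical copy of the block, the same descriptions-must-match point raised for the first hunk applies here too.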