feat: Implement vulnerability token signing and verification utilities

- Added VulnTokenSigner for signing JWT tokens with specified algorithms and keys.
- Introduced VulnTokenUtilities for resolving tenant and subject claims, and sanitizing context dictionaries.
- Created VulnTokenVerificationUtilities for parsing tokens, verifying signatures, and deserializing payloads.
- Developed VulnWorkflowAntiForgeryTokenIssuer for issuing anti-forgery tokens with configurable options.
- Implemented VulnWorkflowAntiForgeryTokenVerifier for verifying anti-forgery tokens and validating payloads.
- Added AuthorityVulnerabilityExplorerOptions to manage configuration for vulnerability explorer features.
- Included tests for FilesystemPackRunDispatcher to ensure proper job handling under egress policy restrictions.

src/Web/StellaOps.Web/src/app/core/auth/dpop/dpop.service.spec.ts

@@ -16,7 +16,7 @@ describe('DpopService', () => {
       authorizeEndpoint: 'https://auth.stellaops.test/connect/authorize',
       tokenEndpoint: 'https://auth.stellaops.test/connect/token',
       redirectUri: 'https://ui.stellaops.test/auth/callback',
-      scope: 'openid profile email ui.read authority:tenants.read advisory:read vex:read exceptions:read exceptions:approve aoc:verify findings:read orch:read vuln:read',
+      scope: 'openid profile email ui.read authority:tenants.read advisory:read vex:read exceptions:read exceptions:approve aoc:verify findings:read orch:read vuln:view vuln:investigate vuln:operate vuln:audit',
       audience: 'https://scanner.stellaops.test',
     },
     apiBaseUrls: {

src/Web/StellaOps.Web/src/config/config.json

@@ -7,7 +7,7 @@
     "logoutEndpoint": "https://authority.local/connect/logout",
     "redirectUri": "http://localhost:4400/auth/callback",
     "postLogoutRedirectUri": "http://localhost:4400/",
-    "scope": "openid profile email ui.read authority:tenants.read advisory:read vex:read exceptions:read exceptions:approve aoc:verify findings:read orch:read vuln:read",
+    "scope": "openid profile email ui.read authority:tenants.read advisory:read vex:read exceptions:read exceptions:approve aoc:verify findings:read orch:read vuln:view vuln:investigate vuln:operate vuln:audit",
     "audience": "https://scanner.local",
     "dpopAlgorithms": ["ES256"],
     "refreshLeewaySeconds": 60

src/Web/StellaOps.Web/src/config/config.sample.json

@@ -7,7 +7,7 @@
     "logoutEndpoint": "https://authority.example.dev/connect/logout",
     "redirectUri": "http://localhost:4400/auth/callback",
     "postLogoutRedirectUri": "http://localhost:4400/",
-    "scope": "openid profile email ui.read authority:tenants.read advisory:read vex:read exceptions:read exceptions:approve aoc:verify findings:read orch:read vuln:read",
+    "scope": "openid profile email ui.read authority:tenants.read advisory:read vex:read exceptions:read exceptions:approve aoc:verify findings:read orch:read vuln:view vuln:investigate vuln:operate vuln:audit",
     "audience": "https://scanner.example.dev",
     "dpopAlgorithms": ["ES256"],
     "refreshLeewaySeconds": 60

src/Web/StellaOps.Web/tests/e2e/auth.spec.ts

@@ -9,8 +9,8 @@ const mockConfig = {
     logoutEndpoint: 'https://authority.local/connect/logout',
     redirectUri: 'http://127.0.0.1:4400/auth/callback',
     postLogoutRedirectUri: 'http://127.0.0.1:4400/',
-    scope:
-      'openid profile email ui.read authority:tenants.read advisory:read vex:read exceptions:read exceptions:approve aoc:verify findings:read orch:read vuln:read',
+    scope:
+      'openid profile email ui.read authority:tenants.read advisory:read vex:read exceptions:read exceptions:approve aoc:verify findings:read orch:read vuln:view vuln:investigate vuln:operate vuln:audit',
     audience: 'https://scanner.local',
     dpopAlgorithms: ['ES256'],
     refreshLeewaySeconds: 60,