Add Authority Advisory AI and API Lifecycle Configuration

- Introduced AuthorityAdvisoryAiOptions and related classes for managing advisory AI configurations, including remote inference options and tenant-specific settings.
- Added AuthorityApiLifecycleOptions to control API lifecycle settings, including legacy OAuth endpoint configurations.
- Implemented validation and normalization methods for both advisory AI and API lifecycle options to ensure proper configuration.
- Created AuthorityNotificationsOptions and its related classes for managing notification settings, including ack tokens, webhooks, and escalation options.
- Developed IssuerDirectoryClient and related models for interacting with the issuer directory service, including caching mechanisms and HTTP client configurations.
- Added support for dependency injection through ServiceCollectionExtensions for the Issuer Directory Client.
- Updated project file to include necessary package references for the new Issuer Directory Client library.

etc/authority.yaml

@@ -152,13 +152,15 @@ clients:
 
 tenants:
   - name: "tenant-default"
-    roles:
-      orch-viewer:
-        scopes: [ "orch:read" ]
-      orch-operator:
-        scopes: [ "orch:read", "orch:operate" ]
-      export-viewer:
-        scopes: [ "export.viewer" ]
+    roles:
+      orch-viewer:
+        scopes: [ "orch:read" ]
+      orch-operator:
+        scopes: [ "orch:read", "orch:operate" ]
+      orch-admin:
+        scopes: [ "orch:read", "orch:operate", "orch:quota" ]
+      export-viewer:
+        scopes: [ "export.viewer" ]
       export-operator:
         scopes: [ "export.viewer", "export.operator" ]
       export-admin:
@@ -169,10 +171,24 @@ tenants:
         scopes: [ "policy:review", "policy:read", "policy:simulate", "findings:read" ]
       policy-approver:
         scopes: [ "policy:approve", "policy:review", "policy:read", "policy:simulate", "findings:read" ]
-      policy-operator:
-        scopes: [ "policy:operate", "policy:run", "policy:activate", "policy:read", "policy:simulate", "findings:read" ]
-      policy-auditor:
-        scopes: [ "policy:audit", "policy:read", "policy:simulate", "findings:read" ]
+      policy-operator:
+        scopes: [ "policy:operate", "policy:run", "policy:activate", "policy:read", "policy:simulate", "findings:read" ]
+      policy-auditor:
+        scopes: [ "policy:audit", "policy:read", "policy:simulate", "findings:read" ]
+      advisory-ai-viewer:
+        scopes: [ "advisory-ai:view" ]
+      advisory-ai-operator:
+        scopes: [ "advisory-ai:view", "advisory-ai:operate" ]
+      advisory-ai-admin:
+        scopes: [ "advisory-ai:view", "advisory-ai:operate", "advisory-ai:admin" ]
+      observability-viewer:
+        scopes: [ "obs:read", "timeline:read", "evidence:read", "attest:read" ]
+      observability-investigator:
+        scopes: [ "obs:read", "timeline:read", "timeline:write", "evidence:read", "evidence:create", "attest:read" ]
+      observability-legal:
+        scopes: [ "evidence:read", "evidence:hold" ]
+      observability-incident-commander:
+        scopes: [ "obs:read", "obs:incident", "timeline:read", "timeline:write", "evidence:create", "evidence:read", "attest:read" ]
 
 security:
   rateLimiting:
@@ -191,17 +207,23 @@ security:
     memorySizeInKib: 19456
     iterations: 2
     parallelism: 1
-  senderConstraints:
-    dpop:
-      enabled: true
-      proofLifetime: "00:05:00"
-      allowedClockSkew: "00:00:10"
-      replayWindow: "00:10:00"
-      nonce:
-        enabled: false
-    mtls:
-      enabled: false
-
-bypassNetworks:
-  - "127.0.0.1/32"
-  - "::1/128"
+  senderConstraints:
+    dpop:
+      enabled: true
+      proofLifetime: "00:05:00"
+      allowedClockSkew: "00:00:10"
+      replayWindow: "00:10:00"
+      nonce:
+        enabled: false
+    mtls:
+      enabled: false
+
+advisoryAi:
+  remoteInference:
+    enabled: false
+    requireTenantConsent: true
+    allowedProfiles: []
+
+bypassNetworks:
+  - "127.0.0.1/32"
+  - "::1/128"