feat: Implement policy attestation features and service account delegation

- Added new policy scopes: `policy:publish` and `policy:promote` with interactive-only enforcement.
- Introduced metadata parameters for policy actions: `policy_reason`, `policy_ticket`, and `policy_digest`.
- Enhanced token validation to require fresh authentication for policy attestation tokens.
- Updated grant handlers to enforce policy scope checks and log audit information.
- Implemented service account delegation configuration, including quotas and validation.
- Seeded service accounts during application initialization based on configuration.
- Updated documentation and tasks to reflect new features and changes.

src/Authority/StellaOps.Authority/StellaOps.Auth.Abstractions.Tests/StellaOpsScopesTests.cs

@@ -24,8 +24,10 @@ public class StellaOpsScopesTests
     [InlineData(StellaOpsScopes.PolicyAuthor)]
     [InlineData(StellaOpsScopes.PolicySubmit)]
     [InlineData(StellaOpsScopes.PolicyApprove)]
-    [InlineData(StellaOpsScopes.PolicyReview)]
-    [InlineData(StellaOpsScopes.PolicyOperate)]
+    [InlineData(StellaOpsScopes.PolicyReview)]
+    [InlineData(StellaOpsScopes.PolicyOperate)]
+    [InlineData(StellaOpsScopes.PolicyPublish)]
+    [InlineData(StellaOpsScopes.PolicyPromote)]
     [InlineData(StellaOpsScopes.PolicyAudit)]
     [InlineData(StellaOpsScopes.PolicyRun)]
     [InlineData(StellaOpsScopes.PolicySimulate)]
@@ -72,6 +74,8 @@ public class StellaOpsScopesTests
     [InlineData(" Signals:Write ", StellaOpsScopes.SignalsWrite)]
     [InlineData("AIRGAP:SEAL", StellaOpsScopes.AirgapSeal)]
     [InlineData("Policy:Author", StellaOpsScopes.PolicyAuthor)]
+    [InlineData("Policy:Publish", StellaOpsScopes.PolicyPublish)]
+    [InlineData("Policy:PROMOTE", StellaOpsScopes.PolicyPromote)]
     [InlineData("Export.Admin", StellaOpsScopes.ExportAdmin)]
     [InlineData("Advisory-AI:Operate", StellaOpsScopes.AdvisoryAiOperate)]
     [InlineData("Notify.Admin", StellaOpsScopes.NotifyAdmin)]