# Pack RBAC Roles and CLI Profiles

## Module

Authority

## Status

IMPLEMENTED

## Description

Five Task Pack RBAC roles (pack-viewer, pack-operator, pack-publisher, pack-approver, pack-admin) with deterministic scope bundles, an authorization policy helper (`AddPacksResourcePolicies`), and CLI profiles for role-based token acquisition.

## Implementation Details

- **Resource Server Policies**: `src/Authority/StellaOps.Authority/StellaOps.Auth.ServerIntegration/StellaOpsResourceServerPolicies.cs` -- includes `AddPacksResourcePolicies`, which registers an authorization policy for each Pack RBAC role with its deterministic scope bundle.
- **Authorization Policy Builder Extensions**: `src/Authority/StellaOps.Authority/StellaOps.Auth.ServerIntegration/StellaOpsAuthorizationPolicyBuilderExtensions.cs` -- `RequireScope` and `RequireAnyScope` extension methods used by the pack policies.
- **Scopes**: `src/Authority/StellaOps.Authority/StellaOps.Auth.Abstractions/StellaOpsScopes.cs` -- defines the pack-specific scopes (`packs:read`, `packs:execute`, `packs:publish`, `packs:approve`, `packs:admin`).
- **Claim Types**: `src/Authority/StellaOps.Authority/StellaOps.Auth.Abstractions/StellaOpsClaimTypes.cs` -- custom claim types, including the pack role claims.
- **Auth Client (CLI Profiles)**: `src/Authority/StellaOps.Authority/StellaOps.Auth.Client/StellaOpsAuthClientOptions.cs` -- CLI profile configuration specifying the scope bundle for each role.
- **Token Client**: `src/Authority/StellaOps.Authority/StellaOps.Auth.Client/StellaOpsTokenClient.cs` -- acquires tokens with the correct scope bundle for the configured CLI profile/role.
- **File Token Cache**: `src/Authority/StellaOps.Authority/StellaOps.Auth.Client/FileTokenCache.cs` -- persists per-profile tokens to disk for CLI session continuity.
- **Role Repository**: `src/Authority/__Libraries/StellaOps.Authority.Persistence/Postgres/Repositories/RoleRepository.cs` -- stores role definitions, including the pack roles.
- **Tests**: `src/Authority/__Tests/StellaOps.Authority.Persistence.Tests/RoleBasedAccessTests.cs`, `RoleRepositoryTests.cs`

## E2E Test Plan

- [ ] Register the five pack RBAC roles and verify each has the correct deterministic scope bundle (e.g., pack-viewer gets `packs:read` only)
- [ ] Authenticate as pack-viewer and attempt to publish a pack; verify access is denied with 403
- [ ] Authenticate as pack-publisher and verify publishing is allowed but approval is denied
- [ ] Authenticate as pack-admin and verify all pack operations are allowed
- [ ] Configure a CLI profile with the pack-operator role and verify `StellaOpsTokenClient` requests the correct scope set
- [ ] Verify `FileTokenCache` stores the profile-specific token and that a different profile does not reuse it
- [ ] Verify the `AddPacksResourcePolicies` helper registers all five policies in the ASP.NET authorization system
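The following is an added illustration, not code from the StellaOps repository, of the pattern the policy helper and the first four E2E checks describe: one fixed, ordered scope bundle per role, an ASP.NET Core authorization policy derived from that bundle, and a scope check run against principals carrying each role's scopes. The five role names and five scope strings are taken from the page; the per-role bundles other than pack-viewer's (`packs:read` only), the policy names (`packs.<role>`), the helper names (`HasAllScopes`, `HasAnyScope`, `AddPackRolePolicies`) and the use of a space-delimited `scope` claim are assumptions of this example.

```csharp
// Added illustration (not StellaOps code): deterministic scope bundles for
// the five Pack RBAC roles, ASP.NET Core policies derived from them, and a
// scope check against sample principals. Role and scope names are from the
// page; bundles below pack-viewer's, policy/helper names and the "scope"
// claim format are assumptions.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.DependencyInjection;

public static class PackRolePolicies
{
    public const string PacksRead    = "packs:read";
    public const string PacksExecute = "packs:execute";
    public const string PacksPublish = "packs:publish";
    public const string PacksApprove = "packs:approve";
    public const string PacksAdmin   = "packs:admin";

    // One fixed, ordered bundle per role, so the CLI token request and the
    // server-side policy are derived from the same table. Only pack-viewer's
    // bundle is stated on the page; the others are assumed here.
    public static readonly IReadOnlyDictionary<string, string[]> RoleScopeBundles =
        new Dictionary<string, string[]>(StringComparer.Ordinal)
        {
            ["pack-viewer"]    = new[] { PacksRead },
            ["pack-operator"]  = new[] { PacksRead, PacksExecute },
            ["pack-publisher"] = new[] { PacksRead, PacksExecute, PacksPublish },
            ["pack-approver"]  = new[] { PacksRead, PacksExecute, PacksApprove },
            ["pack-admin"]     = new[] { PacksRead, PacksExecute, PacksPublish, PacksApprove, PacksAdmin },
        };

    // Scopes granted to a principal. Accepts both a single space-delimited
    // "scope" claim and one "scope" claim per value, since token handlers
    // differ in how they surface the OAuth scope parameter.
    public static HashSet<string> GrantedScopes(ClaimsPrincipal user) =>
        user.FindAll("scope")
            .SelectMany(c => c.Value.Split(' ', StringSplitOptions.RemoveEmptyEntries))
            .ToHashSet(StringComparer.Ordinal);

    // All required scopes must be present (deny if any one is missing).
    public static bool HasAllScopes(ClaimsPrincipal user, params string[] required)
    {
        var granted = GrantedScopes(user);
        return required.All(granted.Contains);
    }

    // At least one of the accepted scopes must be present.
    public static bool HasAnyScope(ClaimsPrincipal user, params string[] accepted)
    {
        var granted = GrantedScopes(user);
        return accepted.Any(granted.Contains);
    }

    // Registers one policy per role; the caller must hold the role's whole
    // bundle. Policy names of the form "packs.<role>" are an assumption.
    public static IServiceCollection AddPackRolePolicies(this IServiceCollection services) =>
        services.AddAuthorization(options =>
        {
            foreach (var (role, bundle) in RoleScopeBundles)
            {
                options.AddPolicy($"packs.{role}", policy => policy
                    .RequireAuthenticatedUser()
                    .RequireAssertion(ctx => HasAllScopes(ctx.User, bundle)));
            }
        });

    // Constructed sample principal carrying exactly one role's bundle, standing
    // in for the token a CLI profile for that role would obtain.
    public static ClaimsPrincipal PrincipalFor(string role)
    {
        var identity = new ClaimsIdentity("Bearer");
        identity.AddClaim(new Claim("scope", string.Join(' ', RoleScopeBundles[role])));
        return new ClaimsPrincipal(identity);
    }

    public static void Main()
    {
        var viewer    = PrincipalFor("pack-viewer");
        var publisher = PrincipalFor("pack-publisher");
        var admin     = PrincipalFor("pack-admin");

        // Mirrors the E2E plan: viewer cannot publish, publisher can publish
        // but not approve, admin holds every pack scope.
        Console.WriteLine($"viewer publish:    {HasAllScopes(viewer, PacksPublish)}");
        Console.WriteLine($"publisher publish: {HasAllScopes(publisher, PacksPublish)}");
        Console.WriteLine($"publisher approve: {HasAllScopes(publisher, PacksApprove)}");
        Console.WriteLine($"admin all:         {HasAllScopes(admin, PacksPublish, PacksApprove, PacksAdmin)}");
    }
}
```

Keeping the bundle table as the single source for both the policy definition and the CLI token request is what makes the bundles "deterministic": a profile cannot request a scope set the server does not recognise, and a policy cannot drift from the scopes a role's token actually carries. A real endpoint check would go through `IAuthorizationService` with the `packs.<role>` policy name rather than calling `HasAllScopes` directly; the direct call here only makes the expected allow/deny outcomes visible without an HTTP pipeline.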