2025-10-31 — Console Security Docs Refresh

Summary

Documented the new Authority /console endpoints (/tenants, /profile, /token/introspect) including tenant header enforcement, DPoP requirements, and five-minute fresh-auth behaviour.
Reduced the default Authority access-token lifetime to 120 seconds to match OpTok guidance and updated tests accordingly.
Updated Console security guidance to cover the newly issued orch:read scope and clarified session inactivity expectations.
Annotated authority.yaml.sample and the Authority ops runbook so operators forward X-Stella-Tenant and understand fresh-auth prompts.

Console release notes now reference the dedicated /console endpoints and their audit identifiers.
Security Guild can rely on the updated compliance checklist when executing Sprint 23 sign-off.
Deployment teams have explicit configuration reminders for tenants and orchestrator dashboard access.