docs consolidation

docs/security/authority-scopes.md

@@ -143,7 +143,7 @@ Authority issues short-lived tokens bound to tenants and scopes. Sprint 19 int
 - **`role/exceptions-service`** → `exceptions:read`, `exceptions:write`.
 - **`role/exceptions-approver`** → `exceptions:read`, `exceptions:approve`.
 
-Full module role bundle catalog (Console, Scanner, Scheduler, Policy, Graph, Observability, etc.) is maintained in `docs/architecture/console-admin-rbac.md` and is the reference for Console admin UI and Authority seeding.
+Full module role bundle catalog (Console, Scanner, Scheduler, Policy, Graph, Observability, etc.) is maintained in `docs/technical/architecture/console-admin-rbac.md` and is the reference for Console admin UI and Authority seeding.
 
 Roles are declared per tenant in `authority.yaml`:
 

docs/security/pack-signing-and-rbac.md

@@ -73,7 +73,7 @@ Roles are tenant-scoped; cross-tenant access requires explicit addition.
   - `stella pack push` → `packs.write`.
   - `stella pack approve` → `packs.approve`.
 - Offline tokens must include same scopes; CLI warns if missing.
-- Approval flows must also pass `pack_run_id`, `pack_gate_id`, and `pack_plan_hash` when requesting `packs.approve`. The CLI exposes these via `stella pack approve --pack-run-id ... --pack-gate-id ... --pack-plan-hash ...` (see `docs/task-packs/runbook.md#4-approvals-workflow` for the full procedure). Authority rejects approval grants that omit or truncate any of these fields and tags the audit record with `pack.*` metadata for replay audits.
+- Approval flows must also pass `pack_run_id`, `pack_gate_id`, and `pack_plan_hash` when requesting `packs.approve`. The CLI exposes these via `stella pack approve --pack-run-id ... --pack-gate-id ... --pack-plan-hash ...` (see `docs/modules/packs-registry/guides/runbook.md#4-approvals-workflow` for the full procedure). Authority rejects approval grants that omit or truncate any of these fields and tags the audit record with `pack.*` metadata for replay audits.
 
 ---