feat: Implement Scheduler Worker Options and Planner Loop

- Added `SchedulerWorkerOptions` class to encapsulate configuration for the scheduler worker.
- Introduced `PlannerBackgroundService` to manage the planner loop, fetching and processing planning runs.
- Created `PlannerExecutionService` to handle the execution logic for planning runs, including impact targeting and run persistence.
- Developed `PlannerExecutionResult` and `PlannerExecutionStatus` to standardize execution outcomes.
- Implemented validation logic within `SchedulerWorkerOptions` to ensure proper configuration.
- Added documentation for the planner loop and impact targeting features.
- Established health check endpoints and authentication mechanisms for the Signals service.
- Created unit tests for the Signals API to ensure proper functionality and response handling.
- Configured options for authority integration and fallback authentication methods.

docs/cli/cli-reference.md

@@ -11,8 +11,9 @@ Both commands are designed to enforce the AOC guardrails documented in the [aggr
 
 - CLI version: `stella` ≥ 0.19.0 (AOC feature gate enabled).
 - Required scopes (DPoP-bound):
-  - `advisory:verify` for Concelier sources.
-  - `vex:verify` for Excititor sources (optional but required for VEX checks).
+  - `advisory:read` for Concelier sources.
+  - `vex:read` for Excititor sources (optional but required for VEX checks).
+  - `aoc:verify` to invoke guard verification endpoints.
   - `tenant:select` if your deployment uses tenant switching.
 - Connectivity: direct access to Concelier/Excititor APIs or Offline Kit snapshot (see § 4).
 - Environment: set `STELLA_AUTHORITY_URL`, `STELLA_TENANT`, and export a valid OpTok via `stella auth login` or existing token cache.

docs/cli/policy.md

@@ -209,6 +209,13 @@ stella policy run cancel run:P-7:2025-10-26:auto
 
 Replay downloads sealed bundle for deterministic verification.
 
+### 4.4 Schema artefacts for CLI validation
+
+- CI publishes canonical JSON Schema exports for `PolicyRunRequest`, `PolicyRunStatus`, `PolicyDiffSummary`, and `PolicyExplainTrace` as the `policy-schema-exports` artifact (see `.gitea/workflows/build-test-deploy.yml`).
+- Each run writes the files to `artifacts/policy-schemas/<commit>/` and stores a unified diff (`policy-schema-diff.patch`) comparing them with the tracked baseline in `docs/schemas/`.
+- Schema changes trigger an alert in Slack `#policy-engine` via the `POLICY_ENGINE_SCHEMA_WEBHOOK` secret so CLI maintainers know to refresh fixtures or validation rules.
+- Consume these artefacts in CLI tests to keep payload validation aligned without committing generated files into the repo.
+
 ---
 
 ## 5 · Findings & Explainability
@@ -273,7 +280,7 @@ All non-zero exits emit structured error envelope on stderr when `--format json`
 
 - [ ] **Help text synced:** `stella policy --help` matches documented flags/examples (update during release pipeline).
 - [ ] **Exit codes mapped:** Table above reflects CLI implementation and CI asserts mapping for `ERR_POL_*`.
-- [ ] **JSON schemas verified:** Example payloads validated against OpenAPI/SDK contracts before publishing.
+- [ ] **JSON schemas verified:** Example payloads validated against OpenAPI/SDK contracts before publishing. (_CI now exports canonical schemas as `policy-schema-exports`; wire tests to consume them._)
 - [ ] **Scope guidance present:** Each command lists required Authority scopes.
 - [ ] **Offline guidance included:** Sealed-mode steps and bundle workflows documented.
 - [ ] **Cross-links tested:** Links to DSL, lifecycle, runs, and API docs resolve locally (`yarn docs:lint`).
@@ -281,4 +288,4 @@ All non-zero exits emit structured error envelope on stderr when `--format json`
 
 ---
 
-*Last updated: 2025-10-26 (Sprint 20).*
+*Last updated: 2025-10-27 (Sprint 20).*