feat: Implement Scheduler Worker Options and Planner Loop

- Added `SchedulerWorkerOptions` class to encapsulate configuration for the scheduler worker.
- Introduced `PlannerBackgroundService` to manage the planner loop, fetching and processing planning runs.
- Created `PlannerExecutionService` to handle the execution logic for planning runs, including impact targeting and run persistence.
- Developed `PlannerExecutionResult` and `PlannerExecutionStatus` to standardize execution outcomes.
- Implemented validation logic within `SchedulerWorkerOptions` to ensure proper configuration.
- Added documentation for the planner loop and impact targeting features.
- Established health check endpoints and authentication mechanisms for the Signals service.
- Created unit tests for the Signals API to ensure proper functionality and response handling.
- Configured options for authority integration and fallback authentication methods.

docs/cli/cli-reference.md

@@ -11,8 +11,9 @@ Both commands are designed to enforce the AOC guardrails documented in the [aggr
 
 - CLI version: `stella` ≥ 0.19.0 (AOC feature gate enabled).
 - Required scopes (DPoP-bound):
-  - `advisory:verify` for Concelier sources.
-  - `vex:verify` for Excititor sources (optional but required for VEX checks).
+  - `advisory:read` for Concelier sources.
+  - `vex:read` for Excititor sources (optional but required for VEX checks).
+  - `aoc:verify` to invoke guard verification endpoints.
   - `tenant:select` if your deployment uses tenant switching.
 - Connectivity: direct access to Concelier/Excititor APIs or Offline Kit snapshot (see § 4).
 - Environment: set `STELLA_AUTHORITY_URL`, `STELLA_TENANT`, and export a valid OpTok via `stella auth login` or existing token cache.