feat: Implement approvals workflow and notifications integration

- Added approvals orchestration with persistence and workflow scaffolding.
- Integrated notifications insights and staged resume hooks.
- Introduced approval coordinator and policy notification bridge with unit tests.
- Added approval decision API with resume requeue and persisted plan snapshots.
- Documented the Excitor consensus API beta and provided JSON sample payload.
- Created analyzers to flag usage of deprecated merge service APIs.
- Implemented logging for artifact uploads and approval decision service.
- Added tests for PackRunApprovalDecisionService and related components.

docs/modules/concelier/README.md

@@ -18,19 +18,22 @@ Concelier ingests signed advisories from dozens of sources and converts them int
 - Policy Engine / Export Center / CLI for evidence consumption.
 - Notify and UI for advisory deltas.
 
-## Operational notes
-- Connector runbooks in ./operations/connectors/.
-- Mirror operations for Offline Kit parity.
-- Grafana dashboards for connector health.
-
-## Related resources
-- ./operations/conflict-resolution.md
-- ./operations/mirror.md
-
-## Backlog references
-- DOCS-LNM-22-001, DOCS-LNM-22-007 in ../../TASKS.md.
-- Connector-specific TODOs in `src/Concelier/**/TASKS.md`.
-
+## Operational notes
+- Connector runbooks in ./operations/connectors/.
+- Mirror operations for Offline Kit parity.
+- Grafana dashboards for connector health.
+- **Authority toggle rollout (2025-10-22 update).** Follow the phased table and audit checklist in `../../10_CONCELIER_CLI_QUICKSTART.md` when enabling `authority.enabled`/`authority.allowAnonymousFallback`, and cross-check the refreshed `./operations/authority-audit-runbook.md` before enforcement.
+
+## Related resources
+- ./operations/conflict-resolution.md
+- ./operations/mirror.md
+- ./operations/authority-audit-runbook.md
+- ../../10_CONCELIER_CLI_QUICKSTART.md (authority integration timeline & smoke tests)
+
+## Backlog references
+- DOCS-LNM-22-001, DOCS-LNM-22-007 in ../../TASKS.md.
+- Connector-specific TODOs in `src/Concelier/**/TASKS.md`.
+
 ## Epic alignment
 - **Epic 1 – AOC enforcement:** uphold raw observation invariants, provenance requirements, linkset-only enrichment, and AOC verifier guardrails across every connector.
 - **Epic 10 – Export Center:** expose deterministic advisory exports and metadata required by JSON/Trivy/mirror bundles.

docs/modules/concelier/TASKS.md

@@ -4,6 +4,6 @@
 
 | ID | Status | Owner(s) | Description | Notes |
 |----|--------|----------|-------------|-------|
-| CONCELIER-DOCS-0001 | DOING (2025-10-29) | Docs Guild | Validate that ./README.md aligns with the latest release notes. | See ./AGENTS.md |
+| CONCELIER-DOCS-0001 | DONE (2025-11-05) | Docs Guild | Validate that ./README.md aligns with the latest release notes. | README now references the 2025-10-22 authority toggle rollout update (quickstart/runbook links). |
 | CONCELIER-OPS-0001 | TODO | Ops Guild | Review runbooks/observability assets after next sprint demo. | Sync outcomes back to ../../TASKS.md |
 | CONCELIER-ENG-0001 | TODO | Module Team | Cross-check implementation plan milestones against `/docs/implplan/SPRINT_*.md`. | Update status via ./AGENTS.md workflow |

docs/modules/concelier/architecture.md

@@ -27,10 +27,12 @@
 3. **Mandatory provenance.** Collectors record `source`, `upstream` metadata (`document_version`, `fetched_at`, `received_at`, `content_hash`), and signature presence before writing.
 4. **Linkset only.** Derived joins (aliases, PURLs, CPEs, references) are stored inside `linkset` and never mutate `content.raw`.
 5. **Deterministic canonicalisation.** Writers use canonical JSON (sorted object keys, lexicographic arrays) ensuring identical inputs yield the same hashes/diff-friendly outputs.
-6. **Idempotent upserts.** `(source.vendor, upstream.upstream_id, upstream.content_hash)` uniquely identify a document. Duplicate hashes short-circuit; new hashes create a new version.
-7. **Verifier & CI.** `StellaOps.AOC.Verifier` processes observation batches in CI and at runtime, rejecting writes lacking provenance, introducing unordered collections, or violating the schema.
-
-### 1.1 Advisory raw document shape
+6. **Idempotent upserts.** `(source.vendor, upstream.upstream_id, upstream.content_hash)` uniquely identify a document. Duplicate hashes short-circuit; new hashes create a new version.
+7. **Verifier & CI.** `StellaOps.AOC.Verifier` processes observation batches in CI and at runtime, rejecting writes lacking provenance, introducing unordered collections, or violating the schema.
+
+> Feature toggle: set `concelier:features:noMergeEnabled=true` to disable the legacy Merge module and its `merge:reconcile` job once Link-Not-Merge adoption is complete (MERGE-LNM-21-002). Analyzer `CONCELIER0002` prevents new references to Merge DI helpers when this flag is enabled.
+
+### 1.1 Advisory raw document shape
 
 ```json
 {