feat: Implement approvals workflow and notifications integration

- Added approvals orchestration with persistence and workflow scaffolding.
- Integrated notifications insights and staged resume hooks.
- Introduced approval coordinator and policy notification bridge with unit tests.
- Added approval decision API with resume requeue and persisted plan snapshots.
- Documented the Excitor consensus API beta and provided JSON sample payload.
- Created analyzers to flag usage of deprecated merge service APIs.
- Implemented logging for artifact uploads and approval decision service.
- Added tests for PackRunApprovalDecisionService and related components.

docs/modules/signer/README.md

@@ -1,21 +1,32 @@
 # StellaOps Signer
 
-Signer validates callers, enforces Proof-of-Entitlement, and produces signed DSSE bundles for SBOMs, reports, and exports.
+Signer validates callers, enforces Proof-of-Entitlement, and produces signed DSSE bundles for SBOMs, reports, and exports.
+
+## Latest updates (Sprint 11 · 2025-10-21)
+- `/sign/dsse` pipeline landed with Authority OpTok + PoE enforcement, Fulcio/KMS signing modes, and deterministic DSSE bundles ready for Attestor logging.
+- `/verify/referrers` endpoint exposes release-integrity checks against scanner OCI referrers so callers can confirm digests before requesting signatures.
+- Plan quota enforcement (QPS/concurrency/artifact size) and audit/metrics wiring now align with the Sprint 11 signing-chain release.
 
-## Responsibilities
-- Enforce plan quotas and PoE before signing artifacts.
-- Support keyless and keyful signing backends.
-- Emit DSSE payloads consumed by Attestor and downstream bundles.
-- Maintain audit trails for all signing operations.
+## Responsibilities
+- Enforce Proof-of-Entitlement and plan quotas before signing artifacts.
+- Support keyless (Fulcio) and keyful (KMS/HSM) signing backends.
+- Verify scanner release integrity via OCI referrers prior to issuing signatures.
+- Emit DSSE payloads consumed by Attestor/Export Center and maintain comprehensive audit trails.
 
 ## Key components
 - `StellaOps.Signer` service host.
 - Crypto providers under `StellaOps.Cryptography.*`.
 
-## Integrations & dependencies
-- Authority for OpTok validation.
-- Attestor for transparency logging.
-- Export Center and CLI for artifact signing flows.
+## Integrations & dependencies
+- Authority for OpTok + PoE validation.
+- Licensing Service for entitlement introspection.
+- OCI registries (Referrers API) for scanner release verification.
+- Attestor for transparency logging and Rekor ingestion.
+- Export Center and CLI for artifact signing flows.
+
+## API quick reference
+- `POST /api/v1/signer/sign/dsse` — validate OpTok/PoE, enforce quotas, return DSSE bundle with signing identity metadata.
+- `GET /api/v1/signer/verify/referrers` — report scanner release signer and trust verdict for a supplied image digest.
 
 ## Operational notes
 - Key management via Authority/DevOps runbooks.

docs/modules/signer/TASKS.md

@@ -4,6 +4,6 @@
 
 | ID | Status | Owner(s) | Description | Notes |
 |----|--------|----------|-------------|-------|
-| SIGNER-DOCS-0001 | DOING (2025-10-29) | Docs Guild | Validate that ./README.md aligns with the latest release notes. | See ./AGENTS.md |
+| SIGNER-DOCS-0001 | DONE (2025-11-05) | Docs Guild | Validate that ./README.md aligns with the latest release notes. | README now highlights Sprint 11 signing-chain release (sign/dsse, verify/referrers, quota enforcement). |
 | SIGNER-OPS-0001 | TODO | Ops Guild | Review runbooks/observability assets after next sprint demo. | Sync outcomes back to ../../TASKS.md |
 | SIGNER-ENG-0001 | TODO | Module Team | Cross-check implementation plan milestones against `/docs/implplan/SPRINT_*.md`. | Update status via ./AGENTS.md workflow |