docs consolidation work

docs/modules/notify/security/README.md

@@ -0,0 +1,3 @@
+# Notify Security Notes
+
+Holds NR2, NR6, and NR7 artefacts: tenant/RBAC approval matrix, webhook/ack hardening policy (HMAC/mTLS/DPoP + signed acks), and redaction/PII catalog with sanitized fixture samples.

docs/modules/notify/security/redaction-catalog.md

@@ -0,0 +1,6 @@
+# Redaction and PII catalog (NR7)
+
+- Classify merge fields: identifiers (hash), secrets (strip), PII (mask), operational metadata (retain).
+- Storage and previews must use redacted forms by default; full bodies allowed only with `Notify.Audit` permission.
+- Log payloads must omit secrets; hashes use BLAKE3-256 over UTF-8 normalized values.
+- Fixtures under `docs/modules/notify/fixtures/redaction/` show expected redacted shapes for templates and receipts.

docs/modules/notify/security/tenant-approvals.md

@@ -0,0 +1,6 @@
+# Tenant scoping and approvals (NR2)
+
+- All Notify APIs require `tenant_id` in request and ledger records.
+- High-impact actions (escalations, PII-bearing templates, cross-tenant fan-out) need N-of-M approvals: default 2 of 3 approvers with `Notify.Approver` role.
+- Approvals captured as DSSE-signed records (future hook) and stored alongside rule change requests.
+- Rejection reasons must be logged and returned in error payloads; audit log keeps requester, approver IDs, timestamps, and rule/template IDs.

docs/modules/notify/security/webhook-ack-hardening.md

@@ -0,0 +1,6 @@
+# Webhook and ack security (NR6)
+
+- Webhooks must use HMAC-SHA256 with per-tenant rotating secrets or mTLS/DPoP. `hmac_id` maps to secret material.
+- Ack URLs carry signed tokens (nonce, audience, tenant_id, delivery_id, expires_at) and are single-use. Reject replay or expired tokens.
+- Enforce allowlists for domains and paths per tenant; deny wildcards.
+- Capture failures in observability pipeline and DLQ with redrive after investigation.