Tenant scoping and approvals (NR2)

All Notify APIs require tenant_id in request and ledger records.
High-impact actions (escalations, PII-bearing templates, cross-tenant fan-out) need N-of-M approvals: default 2 of 3 approvers with Notify.Approver role.
Approvals captured as DSSE-signed records (future hook) and stored alongside rule change requests.
Rejection reasons must be logged and returned in error payloads; audit log keeps requester, approver IDs, timestamps, and rule/template IDs.