v0.57.0
Run approval gate.
A run can be marked to require sign-off. It is held and never executes until an admin approves it, releasing it to run, or rejects it. An operator can request a run, but only an admin releases it, so duties are separated, and both the request and the decision are recorded in the tamper-evident audit trail. This is change control neither AWX nor Semaphore matches: guardrails on execution, not just execution.