feat(phase-28): add checklist item sign-offs and sign-off notes

[xiwuqi]

Summary

This PR completes Phase 28: Cross-Run Audit Catalog Checklist Item Sign-Offs and Sign-Off Notes.

Phase 28 has already passed stage review on this branch.
This is a direct-to-main PR from wuxi/phase-28-checklist-item-signoffs to main.
The branch is not stacked.

It adds:

• a shared audit-catalog checklist-item-signoff contract
• sign-off / list-signed-off / inspect-sign-off / clear-sign-off / apply paths through existing SDK / API / CLI / web seams
• inline-originated and queued-originated integration coverage
• Phase 28 docs, ADR, guide, and roadmap status sync

Scope boundaries

This PR does not change replay or approval source of truth.
It does not add full observability backend integration, dashboard or analytics or search productization, fine-grained RBAC, multi-tenant access, approval products, workflow gating, artifact vault behavior, copied artifact persistence, attachment-upload products, threaded collaboration, broader checklist orchestration, broader review workflow engines, broader SaaS concerns, or any Phase 29 work.
Provider-specific payloads, copied artifacts, and workflow-state snapshots do not enter the shared contract.

README is not a blocker for this PR, so this scope does not expand into README updates.
README.md line 19 has a non-blocking Current Status drift that is better handled as a later minimal docs-only sync.

Validation

• changed-files Biome check: passed
• git diff --check: passed
• pnpm typecheck: passed
• pnpm test: passed
• pnpm test:integration: passed
• pnpm build: passed

Lint note:

• repo-wide pnpm lint in the current Windows worktree still reports legacy CRLF / formatter drift outside the Phase 28 diff
• the Phase 28 diff has no overlap with those lint failure files
• repo-wide pnpm lint passes in clean LF clone D:\Runroot-phase28-lintcheck-signoffs-20260404-b