Add draft skeletons for various documentation topics

- Created draft documentation for enabling reachability, CLI authentication, EntryTrace heuristics, Go stripped binaries, Java and Python lockfiles, Rust fingerprint enrichment, SAST integration, Windows/macOS analyzer coverage, scanner engine surface, multi-tenancy operations, RLS and data isolation, ABAC overlays, VEX trust model, VEX ops runbook, VEX mapping, scopes and roles, tenancy overview, VEX signatures, contract testing, VEX consensus algorithm, VEX consensus API, VEX consensus console, VEX consensus overview, and VEX issuer directory.
- Each document includes a status placeholder, purpose, and open TODOs for future updates.

docs/modules/cli/guides/authentication.md

@@ -0,0 +1,18 @@
+# CLI Authentication — Draft Skeleton (2025-12-05 UTC)
+
+Status: draft placeholder. Inputs pending: DVDO0110 env vars, token formats, monitoring plan.
+
+## Supported Flows
+- Device/code, PAT, workload identity (to confirm).
+
+## Configuration
+- Env vars and flags (to be filled once finalized).
+
+## Multi-Tenant Considerations
+- Scope selection and defaults.
+
+## Troubleshooting
+- Common errors; log paths; retry/backoff guidance.
+
+## Open TODOs
+- Insert definitive env var list and examples when available.

docs/modules/scanner/benchmarks/entrytrace-heuristics.md

@@ -0,0 +1,15 @@
+# EntryTrace Heuristics Maintenance — Draft Skeleton (2025-12-05 UTC)
+
+Status: draft placeholder. Inputs pending: replay hooks (RPRC0101).
+
+## Purpose
+- Explain EntryTrace heuristics and maintenance cycles.
+
+## Heuristic Catalog
+- Placeholder for rules with owners and review cadence.
+
+## Operations
+- How to update heuristics safely; replay/validation steps.
+
+## Open TODOs
+- Add concrete heuristics and replay examples when hooks arrive.

docs/modules/scanner/benchmarks/go-stripped-binaries.md

@@ -0,0 +1,12 @@
+# Go Stripped Binaries — Draft Skeleton (2025-12-05 UTC)
+
+Status: draft placeholder. Inputs pending: Go analyzer results.
+
+## Fallback Enrichment
+- Techniques to enrich stripped Go binaries (to fill).
+
+## Policy Guidance
+- When to accept fallback; how to flag low-confidence matches.
+
+## Open TODOs
+- Add enrichment recipes and examples once analyzer outputs land.

docs/modules/scanner/benchmarks/java-lockfiles.md

@@ -0,0 +1,15 @@
+# Java Lockfile Ingestion — Draft Skeleton (2025-12-05 UTC)
+
+Status: draft placeholder. Inputs pending: Java analyzer notes.
+
+## Lockfile Types
+- Maven/Gradle variants (to fill).
+
+## Ingestion Guidance
+- Normalization, version conflict handling.
+
+## Policy Templates
+- Sample allow/deny templates (placeholder).
+
+## Open TODOs
+- Add concrete examples and ingestion steps from analyzer notes.

docs/modules/scanner/benchmarks/python-lockfiles.md

@@ -0,0 +1,12 @@
+# Python Lockfiles & Editable Installs — Draft Skeleton (2025-12-05 UTC)
+
+Status: draft placeholder. Depends on outcomes from Windows/macOS coverage (task 3) and Python analyzer guidance.
+
+## Lockfile Handling
+- Pip/Poetry/UV constraints; editable installs; markers (to fill).
+
+## Policy Guidance
+- What to enforce/allow; sample policy snippets.
+
+## Open TODOs
+- Insert concrete lockfile examples and policies once inputs arrive.

docs/modules/scanner/benchmarks/rust-fingerprint-enrichment.md

@@ -0,0 +1,15 @@
+# Rust Fingerprint Enrichment — Draft Skeleton (2025-12-05 UTC)
+
+Status: draft placeholder. Inputs pending: SCSA0601 updated benchmarks.
+
+## Fingerprint Sources
+- Cargo metadata, debug info, symbol hashes (to fill).
+
+## Enrichment Steps
+- Mapping fingerprints to crates/versions; confidence scoring.
+
+## Policy Examples
+- Sample allow/deny/waiver patterns (placeholder).
+
+## Open TODOs
+- Add concrete examples from updated benchmarks.

docs/modules/scanner/benchmarks/sast-integration.md

@@ -0,0 +1,12 @@
+# SAST Integration — Draft Skeleton (2025-12-05 UTC)
+
+Status: draft placeholder. Inputs pending: CLI samples (132_CLCI0110).
+
+## Connector Framework
+- How SAST connectors plug into scanner pipeline (to fill).
+
+## Policy Templates
+- Placeholder for SAST-specific policy examples.
+
+## Open TODOs
+- Add sample configs and flows once CLI samples are available.

docs/modules/scanner/benchmarks/windows-macos-coverage.md

@@ -0,0 +1,15 @@
+# Windows/macOS Analyzer Coverage — Draft Skeleton (2025-12-05 UTC)
+
+Status: draft placeholder. Inputs pending: SCSA0301 customer demand signals.
+
+## Demand Signals
+- Customers requesting Windows/macOS analyzer coverage (to fill with SCSA0301 data).
+
+## Coverage Plan
+- Supported OS versions/builds; exclusions; offline posture.
+
+## Rollout & Monitoring
+- Enablement steps; metrics to watch.
+
+## Open TODOs
+- Add quantified demand, target milestones, and acceptance criteria once inputs land.

docs/modules/scanner/scanner-engine.md

@@ -0,0 +1,24 @@
+# Scanner Engine Surface FS/Env/Secrets — Draft Skeleton (2025-12-05 UTC)
+
+Status: draft placeholder. Inputs pending: SCANNER-SURFACE-04 emit notes, Zastava/Scheduler bindings, Ops runbook hooks.
+
+## Workflow Overview
+- Surface.FS, Surface.Env, Surface.Secrets capture points.
+- How Scanner orchestrates surface capture across jobs.
+
+## Data Flow
+- Scanner -> Zastava (signals/alerts pipeline).
+- Scanner -> Scheduler (job orchestration, retries, back-pressure).
+- Storage/retention expectations.
+
+## Policies & Safety Rails
+- Redaction rules, scope boundaries, tenant isolation.
+- Determinism/offline posture considerations.
+
+## Operations
+- How to enable/disable surface capture per tenant/workspace.
+- Observability: metrics, logs, traces to watch.
+
+## Open TODOs
+- Insert concrete emit schemas and example payloads when SCANNER-SURFACE-04 lands.
+- Add sequencing diagrams per module dossier once available.