docs: add service README.md files + update AGENTS.md decisions

- Create README.md for 25+ service modules with container info, API surface, storage
- Document attestor-tileproxy separation rationale (air-gap network isolation)
- Document opsmemory-advisoryai separation rationale (resource isolation, blast radius)
- Update Timeline AGENTS.md with merged indexer info

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

src/Concelier/README.md

@@ -0,0 +1,20 @@
+# Concelier
+
+**Container(s):** stellaops-concelier, stellaops-excititor, stellaops-excititor-worker
+**Slot:** 9 (concelier), 10 (excititor)  |  **Port:** 8080  |  **Consumer Group:** concelier, excititor
+**Resource Tier:** medium
+
+## Purpose
+Concelier is the advisory feed aggregator and SBOM correlation engine. It ingests, normalizes, and merges security advisories from multiple sources, manages advisory linksets, and supports air-gap mirror exports/imports. Excititor is the VEX (Vulnerability Exploitability eXchange) processing engine that normalizes CSAF, CycloneDX, and OpenVEX documents, verifies signatures and attestations, and maintains consensus projections across providers.
+
+## API Surface
+- `concelier` (via Router) — advisory queries, SBOM correlation, federation, observation management, canonical advisory views, mirror export/import, AoC (Attestation of Conformity) endpoints
+- `excititor` (via Router) — VEX document ingestion, normalization, provider management, signature verification, graph queries, policy integration, export
+
+## Storage
+PostgreSQL (`concelier` schema via `PostgresStorage:ConnectionString`; `vex` schema for Excititor via `Postgres:Excititor`); RustFS/S3 for artifact storage; Valkey for cache
+
+## Background Workers
+- `VexWorkerHostedService` (excititor-worker) — background VEX provider polling and document ingestion
+- `VexConsensusRefreshService` (excititor-worker) — periodic consensus recalculation
+- `VexWorkerHeartbeatService` (excititor-worker) — orchestrator heartbeat