docs: add service README.md files + update AGENTS.md decisions

- Create README.md for 25+ service modules with container info, API surface, storage
- Document attestor-tileproxy separation rationale (air-gap network isolation)
- Document opsmemory-advisoryai separation rationale (resource isolation, blast radius)
- Update Timeline AGENTS.md with merged indexer info

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

src/Findings/README.md

@@ -0,0 +1,19 @@
+# Findings
+
+**Container(s):** stellaops-findings-ledger-web, stellaops-riskengine-web, stellaops-riskengine-worker, stellaops-api (VulnExplorer)
+**Slot:** 25 (ledger), 16 (riskengine), 13 (vulnexplorer)  |  **Port:** 8080  |  **Consumer Group:** findings-ledger, riskengine, vulnexplorer
+**Resource Tier:** medium (ledger, riskengine), light (vulnexplorer, riskengine-worker)
+
+## Purpose
+The Findings module provides an append-only event ledger for security findings, a risk scoring engine with pluggable providers (CVSS/KEV/EPSS/VEX/fix-exposure), and a vulnerability explorer API. The Ledger tracks finding lifecycle with Merkle-tree integrity, incident management, and scoring APIs. The RiskEngine computes risk scores via job queue. VulnExplorer provides the UI-facing query API.
+
+## API Surface
+- `findings-ledger` (via Router) — finding event ingestion, queries, export, incident management, EWS scoring, Merkle proofs, attachment management
+- `riskengine` (via Router) — risk score providers listing, job submission, simulation, exploit maturity
+- `vulnexplorer` (via Router) — vulnerability search and investigation queries
+
+## Storage
+PostgreSQL (`ConnectionStrings:Default` / `ConnectionStrings:FindingsLedger`); RiskEngine supports PostgreSQL or in-memory
+
+## Background Workers
+- `riskengine-worker` — background risk score computation (`Worker` hosted service)