docs: add service README.md files + update AGENTS.md decisions

- Create README.md for 25+ service modules with container info, API surface, storage
- Document attestor-tileproxy separation rationale (air-gap network isolation)
- Document opsmemory-advisoryai separation rationale (resource isolation, blast radius)
- Update Timeline AGENTS.md with merged indexer info

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

src/Policy/README.md

@@ -0,0 +1,21 @@
+# Policy
+
+**Container(s):** stellaops-policy-engine
+**Slot:** 14  |  **Port:** 8080  |  **Consumer Group:** policy-engine
+**Resource Tier:** medium
+
+## Purpose
+The Policy Engine evaluates security policies against scan results, computes risk scores (CVSS v4, EPSS, EWS), manages exceptions with approval workflows, and produces go/no-go gate decisions for release promotions. It includes merged Policy Gateway functionality (delta computation, drift gates, unknowns gates, score-based gates, tool lattice access control).
+
+## API Surface
+- `policy-engine` (via Router) — policy compilation, evaluation, simulation, batch context, risk profiles, CVSS receipts, exception management, delta/snapshot endpoints, gate evaluation (drift, unknowns, score-based), overlay projection, trust weighting, advisory AI knobs, sealed-mode, air-gap bundle import/export, governance, tool lattice, verification policies, attestation reports, registry webhooks
+
+## Storage
+PostgreSQL schema `policy` (via `Postgres:Policy`); Valkey for cache
+
+## Background Workers
+- `ExceptionLifecycleWorker` — exception state machine transitions
+- `ExceptionExpiryWorker` — auto-expire stale exceptions
+- `IncidentModeExpirationWorker` — incident mode TTL enforcement
+- `PolicyEngineBootstrapWorker` — startup initialization
+- `GateEvaluationWorker` — async gate evaluation queue processing